24 September 2022

How Secure is laravel

By Avijit 0 comments 5k Times Viewed


“No technology that's connected to the internet is unhackable.”
Abhijit Naskar,

No, the quote above is not mine, although the names are similar. But the quote is so true. Security can be measured in two ways: the security of the server and the security of the application.
Laravel is a framework: a tool for building your project. By itself it cannot secure the application you are developing.
The security of the server, on the other hand, depends mostly on how the server is maintained: which server software is used, how the network is set up, whether an SSL certificate is used, how the database is set up, and who has admin access and who has database access. Much of this security depends on the developer.
Security also depends on other aspects; for example, most developers use Cloudflare for DDoS protection.
I ran a variety of penetration tests, OWASP ZAP scanner, sqlsus and 5+ tools including bbqsql and similar things for DB pen tests, nmap for port scanning, then switched ZAP to attack mode to perform various XSS and CSRFs and found no vulnerabilities from Laravel itself - just a couple of things from my server itself which I patched up. It's important to say that no application is 100% secure as it depends a lot on how you do things. However, Laravel does do a pretty good job out of the box by protecting you from
Laravel has fairly good built-in protection against some common vulnerabilities: DDoS, XSS, SQL injection and CSRF. Each is explained in a bit more detail below:

  • DDoS: A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. Laravel takes care of simple DDoS attempts: it automatically blocks suspicious requests, and the developer can also limit the number of requests a client may make (rate limiting).
  • XSS: Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. Such a script gets past Laravel's default CORS restrictions because it executes from the registered (trusted) domain itself. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. Laravel's double-brace Blade syntax ( {{ }} ) escapes the data, which usually prevents injected scripts from being executed; still, sanitise user input. Variables are not escaped by the Blade syntax {!! !!}, which renders the raw value directly inside your HTML, whereas {{ }} escapes it.
  • SQL injection: SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements, which control the database server behind a web application. Attackers can use SQL injection vulnerabilities to bypass application security measures: they can get around the authentication and authorization of a web page or application and retrieve the contents of the entire SQL database, and they can also add, modify and delete records. By default, Laravel protects you against this type of attack, since both the query builder and Eloquent use the PHP Data Objects (PDO) class behind the scenes. PDO uses prepared statements, which let you pass parameters safely without escaping and sanitising them yourself. Eloquent queries will keep you safe, but you will be vulnerable if you use DB::raw() queries, as these can open you up to injection.
  • CSRF: Laravel takes care of this with CSRF tokens, which it checks on each POST request, so make sure you use them. Essentially this protects you from someone changing the nature of the request, i.e. from POST to GET.
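The four points above, shown side by side in code. This is an added example, not code from the original post or from Laravel itself; it assumes a Laravel application with a `users` table, the default `App\Models\User` model, and the hypothetical controller, route and view names used here.

```php
<?php
// Added example (not from the original post). Assumes a Laravel app with a
// `users` table and the default App\Models\User model.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class UserLookupController extends Controller
{
    // VULNERABLE: the request value is interpolated straight into raw SQL.
    // PDO's prepared statements cannot help, because the string is already
    // assembled before it reaches the driver; a quote character in the input
    // changes the structure of the query.
    public function unsafe(Request $request)
    {
        $email = $request->input('email');
        return DB::select("SELECT * FROM users WHERE email = '$email'");
    }

    // SAFE: Eloquent / the query builder send the value as a PDO binding.
    public function safe(Request $request)
    {
        return User::where('email', $request->input('email'))->get();
    }

    // SAFE even with hand-written SQL, as long as the value goes through
    // the bindings array instead of string concatenation.
    public function safeRaw(Request $request)
    {
        return DB::select('SELECT * FROM users WHERE email = ?',
                          [$request->input('email')]);
    }
}

// routes/web.php (assumed): the "limit the number of requests" point.
// throttle:60,1 = at most 60 requests per minute per client.
// Route::post('/lookup', [UserLookupController::class, 'safe'])
//     ->middleware('throttle:60,1');

// resources/views/lookup.blade.php (assumed): CSRF token and output escaping.
// <form method="POST" action="/lookup">
//     @csrf                   {{-- hidden _token field, checked by Laravel's CSRF middleware --}}
//     <input name="email">
// </form>
// Hello, {{ $user->name }}    {{-- escaped with e() (htmlspecialchars, ENT_QUOTES) --}}
// Hello, {!! $user->name !!}  {{-- NOT escaped: only for trusted, already-sanitised HTML --}}
```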

This is a pretty short overview of Laravel security. Once you start opening yourself up with file uploads etc., it can be a little more tricky. In short, I've found Laravel to be secure from all the attacks I've ever run, by using Eloquent and sanitising input where required, along with the correct use of Blade syntax and the CSRF token.

Tags : Laravel, Laravel Security, Security, Hacking, PHP

Keywords : Laravel, XSS, DDoS
