laravel-security

Runs OWASP security audits and fixes vulnerabilities

Overview

The laravel-security agent performs comprehensive security audits based on OWASP guidelines. It identifies vulnerabilities like SQL injection, XSS, CSRF issues, and provides fixes following Laravel security best practices.

Responsibilities

  • OWASP Audit - Check against OWASP Top 10 vulnerabilities
  • SQL Injection Detection - Find raw queries and unsafe bindings
  • XSS Prevention - Identify unescaped output in Blade templates
  • CSRF Verification - Ensure proper token usage
  • Mass Assignment - Check for unprotected fillable properties
  • Security Headers - Configure proper HTTP security headers

Security Audit Process

┌─────────────────────────────────────────────────────────────┐
│                    Security Audit Flow                       │
├─────────────────────────────────────────────────────────────┤
│  1. Scan Controllers                                        │
│     → Check for raw queries                                 │
│     → Verify authorization calls                            │
│     → Validate input handling                               │
├─────────────────────────────────────────────────────────────┤
│  2. Scan Blade Templates                                    │
│     → Find {!! !!} usage (unescaped output)                │
│     → Check @csrf in forms                                  │
│     → Verify @method for PUT/PATCH/DELETE forms             │
├─────────────────────────────────────────────────────────────┤
│  3. Scan Models                                             │
│     → Check $fillable vs $guarded                          │
│     → Review relationship security                          │
├─────────────────────────────────────────────────────────────┤
│  4. Check Configuration                                     │
│     → APP_DEBUG setting                                     │
│     → Session security options                              │
│     → CORS configuration                                    │
└─────────────────────────────────────────────────────────────┘

Vulnerability Detection Examples

// VULNERABILITY: SQL Injection
// $name is interpolated into the SQL text, so a value such as  ' OR '1'='1
// changes the statement instead of being compared as data.
$users = DB::select("SELECT * FROM users WHERE name = '$name'");

// FIX: Parameterized query
// The value is sent as a bound parameter and is never parsed as SQL. The
// query builder (DB::table('users')->where('name', $name)) binds automatically.
$users = DB::select("SELECT * FROM users WHERE name = ?", [$name]);

// VULNERABILITY: XSS (unescaped output)
// {!! !!} emits the raw string, so any markup or <script> in $userInput runs
// in the visitor's browser.
{!! $userInput !!}

// FIX: Escaped output
// {{ }} runs the value through htmlspecialchars() (Blade's e() helper). That is
// the right escaping for HTML body and quoted-attribute context only; for a
// value embedded in JavaScript use @json($value) instead.
{{ $userInput }}

// VULNERABILITY: Mass Assignment
// Every request field is handed to the model. With $guarded = [] or an
// over-broad $fillable, a client can set columns such as a role or admin flag
// that the form never exposed.
$user = User::create($request->all());

// FIX: Explicit fields
// Allow-list the columns this endpoint may set (keep $fillable on the model as
// a second layer), or pass $request->validated() from a Form Request.
$user = User::create($request->only(['name', 'email']));

Security Headers Middleware

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Register in the global or 'web' middleware group so every response passes
// through it. Headers are set after the inner handler runs, so they apply to
// error pages and redirects as well.
class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Prevent MIME type sniffing
        $response->headers->set('X-Content-Type-Options', 'nosniff');

        // Prevent clickjacking (the CSP frame-ancestors directive is the modern
        // replacement; keep this header for older browsers)
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');

        // Legacy XSS auditor header. Current browsers have removed the auditor,
        // and in older ones '1; mode=block' enabled cross-site leaks, so OWASP
        // now recommends sending 0 (or omitting the header) and relying on CSP.
        $response->headers->set('X-XSS-Protection', '0');

        // Control referrer information
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');

        // Content Security Policy. default-src 'self' also blocks inline
        // <script>/<style> blocks and CDN-hosted assets, so roll it out as
        // Content-Security-Policy-Report-Only first and tune the directives
        // (or generate them with spatie/laravel-csp, which supports nonces).
        $response->headers->set('Content-Security-Policy', "default-src 'self'");

        // Strict-Transport-Security is intentionally absent: add it only once
        // the application is served exclusively over HTTPS.

        return $response;
    }
}

Audit Report Format

Severity   Issue              File                    Action
CRITICAL   SQL Injection      UserController.php:45   Use parameterized query
HIGH       XSS Vulnerability  show.blade.php:23       Use {{ }} not {!! !!}
MEDIUM     Missing CSRF       create.blade.php:12     Add @csrf directive
LOW        Debug Mode On      .env                    Set APP_DEBUG=false

Password Validation Setup

use Illuminate\Validation\Rules\Password;

// In a Form Request or controller. (To apply one policy everywhere, set these
// once with Password::defaults() in a service provider and reference
// Password::defaults() in each rule set instead of repeating the chain.)
$request->validate([
    'password' => [
        'required',
        'confirmed',     // requires a matching password_confirmation field
        Password::min(8)
            ->mixedCase()
            ->numbers()
            ->symbols()
            // Checks the password against the Have I Been Pwned range API using
            // only the first five hex characters of its SHA-1 hash, so the
            // password never leaves the server. It is a network call: if the
            // lookup fails, Laravel reports the exception and accepts the
            // password, so keep the other rules as the baseline.
            ->uncompromised(),
    ],
]);

Invoked By Commands

OWASP Top 10 Coverage

OWASP category                                     What's checked
A01: Broken Access Control                         Authorization calls, policy usage, route protection
A02: Cryptographic Failures                        Password hashing, token generation, encryption usage
A03: Injection                                     SQL, command, LDAP injection patterns
A05: Security Misconfiguration                     APP_DEBUG, session settings, headers
A07: Identification and Authentication Failures    Rate limiting, lockout, password policies

False Positive Filtering

The agent validates findings using a confidence pipeline:

  1. Code Exists? - Verify the pattern actually exists in code
  2. Context OK? - Discard matches that sit in a test file, a constant, or code the framework already protects
  3. Confidence ≥80%? - Only report high-confidence issues

Philosophy: "When in doubt, leave it out."
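The audit flow, the detection examples, the report format and the confidence pipeline described above, put together as one runnable sketch. This is an added example written for this page, not the laravel-security agent's own code: the sample files are constructed in-memory strings, and the regex rules, the 0.5 discount for test code and the 0.80 threshold are illustrative assumptions standing in for whatever the agent actually uses.

```python
import re
from dataclasses import dataclass

# Constructed sample project (not real files); keys are repo-relative paths.
SAMPLE_FILES = {
    "app/Http/Controllers/UserController.php": (
        "<?php\n"
        "// $old = DB::select(\"SELECT * FROM users WHERE name = '$name'\");\n"
        "$users = DB::select(\"SELECT * FROM users WHERE name = '$name'\");\n"
        "$user = User::create($request->all());\n"
    ),
    "resources/views/users/show.blade.php": (
        "<div>{!! $user->bio !!}</div>\n"
        "<form method=\"POST\" action=\"/users/{{ $user->id }}\">\n"
        "    @method('DELETE')\n"
        "</form>\n"
    ),
    "tests/Feature/UserSearchTest.php": "$rows = DB::select(\"SELECT * FROM users WHERE name = '$name'\");\n",
    ".env": "APP_DEBUG=true\n",
}

@dataclass(frozen=True)
class Rule:
    severity: str
    issue: str
    pattern: re.Pattern
    action: str
    confidence: float  # base confidence that a raw hit is a real issue
    suffixes: tuple    # file types the rule applies to

# Illustrative patterns: assumptions for this example, not the agent's real rule set.
LINE_RULES = [
    Rule("CRITICAL", "SQL Injection",
         re.compile(r'DB::(?:select|statement|unprepared|raw)\(\s*"[^"]*\$\w+'),
         "Use parameterized query", 0.90, (".php",)),
    Rule("HIGH", "XSS Vulnerability", re.compile(r"\{!!\s*\$"),
         "Use {{ }} not {!! !!}", 0.85, (".blade.php",)),
    Rule("HIGH", "Mass Assignment",
         re.compile(r"::(?:create|update|fill)\(\s*\$request->all\(\)"),
         "Use $request->only([...]) or validated() input", 0.90, (".php",)),
    Rule("LOW", "Debug Mode On", re.compile(r"^\s*APP_DEBUG\s*=\s*true\b"),
         "Set APP_DEBUG=false", 0.95, (".env",)),
]
# Multi-line rule: a POST form whose body never contains @csrf.
FORM_RE = re.compile(r"<form\b[^>]*\bmethod\s*=\s*[\"']?post\b.*?</form>", re.I | re.S)
CSRF_RULE = Rule("MEDIUM", "Missing CSRF", re.compile(r"@csrf\b"),
                 "Add @csrf directive", 0.85, (".blade.php",))
COMMENT_RE = re.compile(r"^\s*(?://|#|\*|/\*|\{\{--)")
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

@dataclass
class Finding:
    rule: Rule
    path: str
    line: int   # 1-based line of the match
    text: str   # matched source line, kept so step 1 can re-verify it

def scan_files(files):
    """Steps 1-4 of the audit flow: every raw pattern hit, before any filtering."""
    findings = []
    for path, source in files.items():
        lines = source.splitlines()
        for rule in LINE_RULES:
            if path.endswith(rule.suffixes):
                for lineno, text in enumerate(lines, start=1):
                    if rule.pattern.search(text):
                        findings.append(Finding(rule, path, lineno, text))
        if path.endswith(CSRF_RULE.suffixes):
            for form in FORM_RE.finditer(source):
                if not CSRF_RULE.pattern.search(form.group(0)):
                    lineno = source.count("\n", 0, form.start()) + 1
                    findings.append(Finding(CSRF_RULE, path, lineno, lines[lineno - 1]))
    return findings

def context_factor(path, text):
    """Step 2: a commented-out line is unreachable (factor 0); test code is discounted."""
    if COMMENT_RE.match(text):
        return 0.0
    return 0.5 if "tests" in path.replace("\\", "/").split("/") else 1.0

def filter_findings(findings, files, min_confidence=0.80):
    """Confidence pipeline: code exists -> context OK -> confidence >= threshold."""
    kept = []
    for f in findings:
        lines = files.get(f.path, "").splitlines()
        if f.line > len(lines) or lines[f.line - 1] != f.text:
            continue  # step 1: the line no longer reads as it did when matched
        if f.rule.confidence * context_factor(f.path, f.text) >= min_confidence:
            kept.append(f)
    return sorted(kept, key=lambda f: (SEVERITY_RANK[f.rule.severity], f.path, f.line))

def audit(files=SAMPLE_FILES):
    """Report rows in the agent's Severity / Issue / File / Action format."""
    return [(f.rule.severity, f.rule.issue, f"{f.path.rsplit('/', 1)[-1]}:{f.line}", f.rule.action)
            for f in filter_findings(scan_files(files), files)]

if __name__ == "__main__":
    for row in audit():
        print("  ".join(row))
```

Running the module prints five rows: the commented-out query in the controller and the raw query under tests/ are both found by the scan but dropped by the context step, which is the "when in doubt, leave it out" rule in code. audit() returns the rows as tuples so the same pipeline can feed a real report writer.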

Package Integration

Integrates with security packages:

  • spatie/laravel-csp - Content Security Policy configuration
  • spatie/crypto - RSA encryption and digital signatures
  • enlightn/enlightn - Comprehensive security analysis
  • grazulex/laravel-devtoolbox - Unprotected route detection

Guardrails

The security agent enforces strict rules:

  • NEVER commit secrets or credentials
  • NEVER disable CSRF for web routes
  • NEVER trust user input without validation
  • ALWAYS use parameterized queries
  • ALWAYS escape output in views
  • ALWAYS validate and sanitize uploads
  • NEVER report issues with confidence < 80%

See Also