How Laravel’s EncryptCookies middleware prevented me from hacking our application
Today I tried to hack into our Laravel application trough a blind SQLi vulnerability I discovered in our code. I was able to retrieve the session table with sqlmap.
My approach was to hijack the session of a logged in user/admin. So I took a look into the Laravel session/cookie management. I noticed that we are using Laravel’s EncryptCookies middleware.
Instead of putting the session token directly into the HTTP header, Laravel encrypts this cookie for us. If a client tries to send an unencrypted cookie, Laravel ignores it. So I guess it is not possible to hijack a session this way.
The HTTP request header with an encrypted session cookie looks like this:
If we decode this cookie with base64, it looks like this:
=> Nice job Laravel! ❤️
Of course, it is still possible to crack weak user/admin password hashes or read other sensitive data from the database if an SQLi vulnerability is present. So you should definitely avoid SQLi vulnerabilities everywhere in your code!
Hijacking an admin session would have been a smart move if it were possible. Thanks to the Laravel EncryptCookies middleware, it’s not possible without access to the Laravel encryption key.
Do you know of a way to bypass this EncryptCookies middleware for session tokens? Or get Laravel to encrypt session tokens for you? Or another way to hijack a user with a SQLi vulnerability? Please share your thoughts in the comments.