How Laravel’s EncryptCookies middleware prevented me from hacking our application

--

Today I tried to hack into our Laravel application trough a blind SQLi vulnerability I discovered in our code. I was able to retrieve the session table with sqlmap.

session table

My approach was to hijack the session of a logged in user/admin. So I took a look into the Laravel session/cookie management. I noticed that we are using Laravel’s EncryptCookies middleware.

EncryptCookies middleware

Instead of putting the session token directly into the HTTP header, Laravel encrypts this cookie for us. If a client tries to send an unencrypted cookie, Laravel ignores it. So I guess it is not possible to hijack a session this way.

The HTTP request header with an encrypted session cookie looks like this:

HTTP request with encrypted session cookie

If we decode this cookie with base64, it looks like this:

decoded session cookie (still enrypted)

=> Nice job Laravel! ❤️

Of course, it is still possible to crack weak user/admin password hashes or read other sensitive data from the database if an SQLi vulnerability is present. So you should definitely avoid SQLi vulnerabilities everywhere in your code!

Hijacking an admin session would have been a smart move if it were possible. Thanks to the Laravel EncryptCookies middleware, it’s not possible without access to the Laravel encryption key.

Do you know of a way to bypass this EncryptCookies middleware for session tokens? Or get Laravel to encrypt session tokens for you? Or another way to hijack a user with a SQLi vulnerability? Please share your thoughts in the comments.

--

--

Stefan K ⚡️🔋 🌍 🚀 👾
Stefan K ⚡️🔋 🌍 🚀 👾

Written by Stefan K ⚡️🔋 🌍 🚀 👾

I ❤️ #Technology 👨‍💻 CTO @ soft.fact 👶 Dad 🐶 Dog owner 🌍 Traveler 🚀 #Bitcoin $BTC 🔋 #Tesla $TSLA 👾 #CyberSecurity #InfoSec | https://x.com/KreutiX

Responses (2)