Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

The window to exchange $HAI for Hacken Equity Shares ($HES) is now open > Claim your spot today

Dangers of Laravel Debug Mode Enabled

Dangers of Laravel Debug Mode Enabled

Share via:

We have spent the last couple of weeks researching Laravel, a popular open-source PHP framework intended for the development of web applications. Like many similar frameworks it includes a debug mode with a special interface, allowing developers to view the internal state of network connections for the purpose of identifying errors and misconfigurations, before going live.

The Problem

There is nothing wrong with having a debug mode enabled, but the real danger is to have this mode on while the system is live. We have used both BinaryEdge and Shodan search results to see how many servers are exposed and came up with a shocking list of 566 IPs.

Here is an example of how the debug interface looks in a web-browser and what kind of parameters are open to view in plain text (hint – almost all digital keys are there sometimes):

Interest for Attackers

Note that not all servers show the full details of passwords and databases in debug mode. However, the screen above should give you an understanding of the level of detail available for those who accidentally or on purpose may come across this.
Apart from the web server disclosing some system information data in the HTTP response, such as application keys, database connection strings, passwords, secret credentials etc, debug mode enables extra debugging behaviors that assist not only developers, but also potential attackers.

This information might help an attacker gain more information and potentially focus on the development of further attacks with which to target the system.

A Breached Company

For the last two weeks we have responsibly notified 22 companies whose sensitive data was exposed in such a manner. One of the companies that inadvertently exposed its production data via the debug mode interface was Swedish-based PrestoDaycare, a child tracking and monitoring platform start-up.

PrestoDaycare positions itself as a digital toolkit that integrates technology into traditional schools. This allows teachers to manage the classroom by creating digital student portfolios, registering attendance and scheduling 1-on-1 conferences. It also allows teachers to communicate with the parents by updating the online calendar, tracking student progress, and issuing grade reports.

However, it appeared that the admin section on their homepage was misconfigured in such a way that anybody who may have misspelt the URL would be directed straight to the debug page which contained practically all the company’s credentials in one place including secret keys, database locations, credentials administrator passwords, and many more sensitive details.

Responsible Disclosure

On September 26th we tried to get in touch with the Company to alert them to the potential security breach but were only able to leave a voicemail and send a notification email which went unanswered. An additional email was sent to the local CERT authority.

With the assistance of Sweedish Twitter followers, we finally got the attention of the PrestoDaycare developers and they replied with the following statement:

We would again like to express our thanks for reaching out to us on this matter. We have, as a GDPR-compliant organization, notified the incident as per the directive. The reason for the information leak was a bug in the handling of error events in the web app, which caused the web app to act as it was in debug mode (which it wasn’t configured to be).

Summing Up

The data breach was secured within an hour although we don’t know how long it had been left unnoticed and if any secure information had already been accessed.

There still remains at least 5 companies who have not responded to the notifications and have Laravel interface set in debug mode.

How Hacken can Help

At Hacken, we take security extremely seriously, and all the checks are performed according to the highest standards. If you have any questions about the topic or need a consultation, feel free to contact our Team!