Auth Bypass in Laravel
How Auth Bypass Manifests in Laravel
Auth bypass in Laravel typically exploits the framework's middleware and authentication system. The most common patterns involve:
- Middleware misconfiguration where
authmiddleware is not applied to routes that should be protected - Session fixation or manipulation through Laravel's session handling
- Token validation bypass in API authentication
- Model binding vulnerabilities that allow unauthorized access to resources
A typical Laravel auth bypass occurs when developers forget to apply the auth middleware to controller methods. For example:
class UserController extends Controller
{
public function __construct()
{
// Missing middleware for updateProfile method
$this->middleware('auth')->except(['showProfile']);
}
public function showProfile()
{
// Authenticated users only
return view('profile');
}
public function updateProfile(Request $request)
{
// This should be protected but isn't!
$user = Auth::user();
$user->update($request->all());
return back();
}
}
Another common pattern is bypassing API token validation. Laravel's Sanctum or Passport tokens can be bypassed if the token verification logic is improperly implemented:
// Vulnerable: Missing token validation
Route::get('/api/user-data', function () {
return User::find(1);
});
// Secure: Proper Sanctum authentication
Route::get('/api/user-data', function () {
return auth()->user();
})->middleware('auth:sanctum');
Model binding vulnerabilities also create auth bypass opportunities. When using implicit route model binding without proper authorization checks:
// Vulnerable: No authorization check
Route::get('/posts/{post}', function (Post $post) {
return $post;
});
// Secure: Authorize before access
Route::get('/posts/{post}', function (Post $post) {
abort_unless(Auth::user()->can('view', $post), 403);
return $post;
});
Laravel-Specific Detection
Detecting auth bypass in Laravel requires examining both code structure and runtime behavior. Here are Laravel-specific detection methods:
Code Analysis
Review your routes and controllers for missing middleware. In Laravel, check:
# Find routes without auth middleware
php artisan route:list --middleware=auth
# Check controller constructors for missing middleware
grep -r "middleware('auth'" app/Http/Controllers/
Examine your middleware stack in app/Http/Kernel.php to ensure the auth middleware is properly registered and applied.
Runtime Testing
Test unauthenticated access to protected endpoints:
# Test API endpoints without tokens
curl -X GET https://yourapp.com/api/protected-endpoint
# Test web routes without session
curl -X GET -c cookies.txt https://yourapp.com/dashboard
curl -X GET -b cookies.txt https://yourapp.com/dashboard
middleBrick API Scanning
middleBrick provides specialized Laravel auth bypass detection through its black-box scanning approach:
# Scan your Laravel API endpoints
middlebrick scan https://yourapp.com/api
# Scan specific Laravel routes
middlebrick scan https://yourapp.com/admin/dashboard
middleBrick tests for:
- Missing
authmiddleware on protected routes - Session fixation vulnerabilities
- API token bypass attempts
- Model binding authorization gaps
- CSRF protection bypass
The scanner provides a security score (A-F) and specific findings with Laravel-contextual remediation guidance, mapping issues to OWASP API Top 10 categories.
Laravel-Specific Remediation
Fixing auth bypass in Laravel involves proper middleware usage and authorization patterns. Here are Laravel-specific remediation techniques:
Middleware Application
Always apply auth middleware at the controller level:
class UserController extends Controller
{
public function __construct()
{
$this->middleware('auth');
// Or apply to specific methods
// $this->middleware('auth')->only(['updateProfile', 'deleteAccount']);
}
public function updateProfile(Request $request)
{
$user = Auth::user();
$user->update($request->validate([
'name' => 'required|string|max:255',
'email' => 'required|email|max:255',
]));
return back();
}
}
API Authentication
Use Laravel Sanctum for API authentication:
// routes/api.php
Route::middleware('auth:sanctum')->group(function () {
Route::get('/user', function (Request $request) {
return $request->user();
});
Route::post('/posts', [PostController::class, 'store']);
});
Policy-Based Authorization
Implement Laravel policies for fine-grained access control:
// app/Policies/PostPolicy.php
class PostPolicy
{
public function view(User $user, Post $post)
{
return $user->id === $post->user_id;
}
public function update(User $user, Post $post)
{
return $user->id === $post->user_id;
}
}
// Register policy in AuthServiceProvider
protected $policies = [
Post::class => PostPolicy::class,
];
// Use in controller
public function update(Request $request, Post $post)
{
$this->authorize('update', $post);
$post->update($request->all());
return response()->json($post);
}
CSRF Protection
Ensure CSRF protection is enabled for web routes:
// In VerifyCsrfToken middleware
protected $except = [
// Only exclude specific routes, not entire API
'stripe/*',
];
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |
Frequently Asked Questions
How does Laravel's default auth middleware prevent bypass?
auth middleware checks for an authenticated user in the session (web routes) or validates API tokens (Sanctum/Passport). It automatically redirects unauthenticated users to the login page for web routes or returns a 401 response for API routes. The middleware is applied globally to routes that require protection.