Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Laravel framework weak secret key - Vulnerability Database

Laravel framework weak secret key

Description

Each Laravel framework based web application contains a secret key which used to sign and encrypt the session cookie for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Invicti managed to guess this key.

Remediation

Change the value of the secret key (APP_KEY) to a long random string.

References

APP_KEY And You
Laravel APP_KEY rotation policy for app security

Related Vulnerabilities

ASP.NET ViewState Weak Validation Key Critical
Common tags: Default Credentials Weak Credentials
Apache Tapestry weak secret key High
Common tags: Default Credentials Weak Credentials
Express cookie-session weak secret key Medium
Common tags: Default Credentials Weak Credentials
Express express-session weak secret key Information
Common tags: Default Credentials Weak Credentials
Weak Secret is Used to Sign JWT High
Common tags: Default Credentials Weak Credentials

Severity

Medium

Classification

CWE-693
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Default Credentials
Weak Credentials