How to Protect Against Directory Bruteforce Attacks in Laravel

Discovers hidden directories and files using dictionary-based brute forcing with Gobuster. Requires domain verification.

Category: file directory security | Severity: Medium | Fix time: 20-30 minutes

Full Documentation

What is Directory Bruteforce?

Gobuster and similar tools use dictionary-based brute forcing to discover hidden directories and files on web servers. They systematically request common file and directory names to find content not linked from the main application, such as backup files, admin panels, or configuration files.

Security Impact

Severity: High

  • Discovery of backup files containing sensitive data
  • Access to admin panels or internal tools
  • Exposure of configuration files
  • Discovery of development or staging endpoints
  • Access to unprotected API documentation

How to Fix

1. Remove Unnecessary Files from Public Directory

# Audit your public directory
ls -la public/

# Remove any files that shouldn't be publicly accessible
rm public/*.bak
rm public/*.old
rm public/*.sql
rm public/*.zip

2. Block Common Attack Patterns

# Nginx - block common bruteforce targets.
# `return` runs in the rewrite phase, before `deny` is evaluated, so a bare
# `return 404` is what actually fires; 404 also avoids confirming that the file exists.
location ~ \.(bak|old|sql|zip|tar|gz|log|env|ini|conf|swp)$ {
    return 404;
}

# Block hidden files, but keep /.well-known/ reachable for ACME (Let's Encrypt) validation
location ~ /\.(?!well-known/) {
    return 404;
}

# Block common admin paths if not used
location ~ ^/(admin|administrator|wp-admin|phpmyadmin|cpanel) {
    return 404;
}

3. Implement Rate Limiting

Slow down bruteforce attempts with rate limiting:

# Nginx - limit request rate
# limit_req_zone must sit in the http {} context; limit_req goes in the server or
# location to throttle. 10 requests/s per client IP, a burst of 20 served immediately
# and anything above that rejected (503 by default).
http {
    limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;

    server {
        location / {
            limit_req zone=general burst=20 nodelay;
        }
    }
}

4. Use Laravel's Route Configuration

Ensure only defined routes respond:

// routes/web.php - Laravel automatically returns 404 for undefined routes
// Make sure you don't have catch-all routes that might serve unintended content

// Avoid this pattern unless intentional:
// Route::any('{any}', function() { ... })->where('any', '.*');

5. Set Proper File Permissions

# Restrict public directory permissions: files read-only for everyone but the owner,
# directories traversable but not writable by others
find public/ -type f -exec chmod 644 {} \;
find public/ -type d -exec chmod 755 {} \;

# storage/ and bootstrap/cache/ live outside public/, so Nginx never serves them as long
# as the document root points at public/; they only need to be writable by the web server user
chmod -R 775 storage/
chmod -R 775 bootstrap/cache/

6. Monitor and Alert on Bruteforce Attempts

# Detect bruteforce patterns in your logs: look for rapid 404 responses from the same IP.
# fail2ban can do this for you and ban the source address at the firewall.

# fail2ban filter for Nginx: /etc/fail2ban/filter.d/nginx-bruteforce.conf
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) .* HTTP/.*" 404
ignoreregex =

# Jail that enables the filter: /etc/fail2ban/jail.local (thresholds are a starting point, tune for your traffic)
[nginx-bruteforce]
enabled  = true
filter   = nginx-bruteforce
logpath  = /var/log/nginx/access.log
maxretry = 50
findtime = 60
bantime  = 3600
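The 404-burst detection that step 6 delegates to fail2ban, written out as an added Python example (not part of the StackShield documentation) so the logic can be run and tuned offline against constructed Nginx access-log lines. The sliding-window thresholds (maxretry, findtime), the sample IPs and the user agent are assumptions; the extension list mirrors the Nginx rules in step 2.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Nginx "combined" access-log format; the same fields the page's fail2ban failregex keys on.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/[^"]*" (?P<status>\d{3})')
# The same targets the Nginx rules in step 2 deny: sensitive extensions and dotfiles.
SENSITIVE_RE = re.compile(r'\.(bak|old|sql|zip|tar|gz|log|env|ini|conf|swp)$|/\.')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['path'], int(m['status'])

def detect_bruteforce(lines, maxretry=10, findtime=60):
    """IPs with >= maxretry 404s inside a findtime-second sliding window (fail2ban semantics)."""
    windows, flagged = defaultdict(deque), {}      # ip -> timestamps of recent 404s
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != 404:
            continue
        ip, ts, _, _ = parsed
        w = windows[ip]
        w.append(ts)
        while (ts - w[0]).total_seconds() > findtime:  # expire hits older than the window
            w.popleft()
        if len(w) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged

def sensitive_probes(lines):
    """(ip, path) for every request to a blocked extension or dotfile, regardless of rate."""
    return [(p[0], p[2]) for p in map(parse_line, lines) if p and SENSITIVE_RE.search(p[2])]

# Constructed sample log (not real traffic): one host walks a wordlist, 12 x 404 in 22 seconds;
# a second host browses normally and trips a single 404 for a missing favicon.
WORDLIST = ['/admin', '/backup.zip', '/.env', '/phpmyadmin', '/db.sql', '/.git/HEAD',
            '/old', '/config.bak', '/test', '/api/docs', '/staging', '/storage/logs/laravel.log']
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:12:00:{2 * i:02d} +0000] "GET {p} HTTP/1.1" 404 153 "-" "gobuster/3.6"'
    for i, p in enumerate(WORDLIST)
] + [
    '198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
```

`detect_bruteforce(SAMPLE_LOG)` flags 203.0.113.5 at its tenth 404 (12:00:18) while the browsing host with one favicon 404 stays clear; `sensitive_probes(SAMPLE_LOG)` lists the six requests that step 2's location rules target regardless of rate.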

Verification

After applying these fixes, a Gobuster scan should find significantly fewer results. Critical files like backups, configs, and admin panels should return 404.

Related Issues

  • Directory & File Exposure
  • Sensitive Laravel Files
  • Exposed .env Files

Check Your Laravel App for This Vulnerability

StackShield runs this check and 30+ others automatically. No code installation required.