Why does Web Application Vulnerability Scan matter for Laravel security?

Failing to address web application vulnerability scan can leave your Laravel application vulnerable to attacks. StackShield continuously monitors for this issue so you can catch it before attackers do.

How do I fix a Web Application Vulnerability Scan issue?

This is rated as an hard fix, typically taking 1-3 hours. See the full documentation above for step-by-step instructions.

How to Fix Web Application Vulnerabilities Found by Wapiti in Laravel

What This Check Detects

Scans web applications for XSS, XXE, SSRF, and other OWASP vulnerabilities using Wapiti. Requires domain verification.

Full Documentation

What is Wapiti?

Wapiti is a web application vulnerability scanner that crawls your application and tests for XSS (cross-site scripting), XXE (XML external entities), SSRF (server-side request forgery), command injection, file inclusion, and other OWASP Top 10 vulnerabilities.

Security Impact

Severity: Critical

XSS: Session hijacking, credential theft, defacement
XXE: Server-side file reading, SSRF, denial of service
SSRF: Internal network scanning, cloud metadata access
Command injection: Full server compromise
File inclusion: Source code disclosure, remote code execution

How to Fix

1. Cross-Site Scripting (XSS)

Laravel's Blade templating automatically escapes output. Ensure you use it correctly:

{{-- SAFE - Blade auto-escapes --}}
{{ $user->name }}

{{-- VULNERABLE - Raw output, avoid unless content is trusted --}}
{!! $user->bio !!}

{{-- If you must use raw output, sanitize first --}}
{!! clean($user->bio) !!}

Install HTMLPurifier for sanitizing rich content:

composer require mews/purifier

// Sanitize user HTML input
use Mews\Purifier\Facades\Purifier;

$clean = Purifier::clean($request->input('bio'));

2. XML External Entity (XXE)

Disable external entity loading when processing XML:

// Disable external entities globally
libxml_disable_entity_loader(true);

// When using DOMDocument
$dom = new DOMDocument();
$dom->loadXML($xml, LIBXML_NOENT | LIBXML_NONET);

// When using SimpleXML
$xml = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NOENT | LIBXML_NONET);

3. Server-Side Request Forgery (SSRF)

Validate and restrict URLs that your application fetches:

// Validate URL input
$validated = $request->validate([
    'url' => ['required', 'url', 'regex:/^https?:\/\//'],
]);

// Block internal IPs
function isInternalUrl(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    $ip = gethostbyname($host);

    $internalRanges = [
        '10.0.0.0/8',
        '172.16.0.0/12',
        '192.168.0.0/16',
        '127.0.0.0/8',
        '169.254.0.0/16',
    ];

    foreach ($internalRanges as $range) {
        if (ip_in_range($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Reject internal URLs
if (isInternalUrl($validated['url'])) {
    abort(422, 'Internal URLs are not allowed');
}

4. Command Injection

Never pass user input to shell commands:

// VULNERABLE
exec("ping -c 1 " . $request->host);

// SAFE - Use escapeshellarg
exec("ping -c 1 " . escapeshellarg($request->host));

// SAFER - Use Laravel's Process class (Laravel 10+)
use Illuminate\Support\Facades\Process;

$result = Process::run(['ping', '-c', '1', $validated['host']]);

// SAFEST - Avoid shell commands entirely, use PHP functions
$ip = gethostbyname($validated['host']);

5. File Inclusion

Prevent path traversal and arbitrary file inclusion:

// VULNERABLE
$page = $request->input('page');
include("pages/{$page}.php");

// SAFE - Whitelist allowed values
$allowed = ['home', 'about', 'contact'];
$page = in_array($request->page, $allowed) ? $request->page : 'home';

// SAFE - Use Laravel's view system
return view('pages.' . $page); // Laravel validates view names

6. Input Validation Best Practices

// Always validate at the controller level
$validated = $request->validate([
    'name' => 'required|string|max:255',
    'email' => 'required|email:rfc,dns',
    'url' => 'nullable|url|max:2048',
    'content' => 'required|string|max:10000',
    'file' => 'nullable|file|mimes:pdf,doc,docx|max:10240',
]);

7. Content Security Policy

Add CSP headers to prevent XSS execution even if injected:

// app/Http/Middleware/SecurityHeaders.php
$response->headers->set(
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.bunny.net; font-src 'self' https://fonts.bunny.net; img-src 'self' data:; connect-src 'self'"
);

Verification

After applying fixes, Wapiti should report significantly fewer or no vulnerabilities. Focus on eliminating all critical and high severity findings first.

Related Issues

Automated OWASP ZAP Scan
SQL Injection Scan
Nikto Web Server Scan

Related Security Checks

Nikto Web Server Scan

Scans web servers for dangerous files, outdated software, and misconfigurations using Nikto. Requires domain verificatio...

Medium fix 30 minutes

SQL Injection Scan

Automated SQL injection detection and testing using SQLMap. Requires domain verification.

Hard fix 1-2 hours