0 votes

Regarding:

Let's assume that Access-Control-Allow-Origin: *

So we have this scenario: I'm authorized as myself, getting laravel_token set into my cookies and csrfToken provided to the frontend framework.

Please tell me why I could not easily create a new laravel_token using the already provided csrfToken, put it into my cookie and send it to the backend, being authorized as a different user?

```php
use Illuminate\Http\Request;
use Laravel\Passport\ApiTokenCookieFactory;

Route::get('/token', function (ApiTokenCookieFactory $factory, Request $request) {
    // The CSRF token that is already visible to the front-end (sent back by the client here)
    $providedVisibleCSRFToken = $request->header('X-CSRF-TOKEN');

    $cookie = $factory->make(
        25665, // different user's ID to be attacked
        $providedVisibleCSRFToken
    );

    return response()->json([
        'X-CSRF-TOKEN' => $providedVisibleCSRFToken,
        'JWT-TOKEN'    => $cookie->getValue(),
    ]);
});
```

From now on, when I change the cookie to hold my hijacked JWT for the different user, wouldn't I be logged in as him?

1 – I am not sure on your question, but as a side note most libraries (including Laravel) ask that you send possible security vulnerabilities directly to the owner (in this case Taylor) in case they could be exploited. See his note github.com/laravel/laravel – Jeff

How would a third party generate that token? That is generated on the server side... – Devon

1 Answer

0 votes

This is not a security hole, because to generate a valid cookie you need the application's encryption key, which is stored server side and should not be exposed to your front-end.

If you created this fake cookie and sent it up, the application would try to decrypt the cookie using the encryption key and fail at that point.
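Added example (written for this answer, not code from Laravel or Passport) modelling the check the answer refers to. Laravel's Encrypter stores a cookie as base64 JSON `{iv, value, mac}`, where `mac` is HMAC-SHA256 keyed with APP_KEY over the base64 IV and ciphertext, and verifies that MAC before attempting any decryption; the inner Passport JWT is signed with the same app key. The AES step is left out here and the ciphertext is treated as opaque bytes; the app key, attacker key and payloads are constructed values.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed stand-in for the server-side APP_KEY (32 bytes, as for AES-256-CBC).
APP_KEY = b"constructed-32-byte-app-key-0123"


def _mac(key: bytes, iv_b64: str, value_b64: str) -> str:
    # Same construction as Laravel's Encrypter::hash(): HMAC-SHA256(key, base64(iv) . base64(value))
    return hmac.new(key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()


def seal(ciphertext: bytes, key: bytes = APP_KEY) -> str:
    """Build a payload shaped like Laravel's encrypted cookie value.

    `ciphertext` is treated as opaque bytes; the AES step is out of scope here.
    """
    iv_b64 = base64.b64encode(os.urandom(16)).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    payload = {"iv": iv_b64, "value": value_b64, "mac": _mac(key, iv_b64, value_b64)}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def valid_mac(payload: str, key: bytes = APP_KEY) -> bool:
    """The gate Laravel passes a cookie through before decrypting it.

    Recompute the MAC with the server's key and compare in constant time;
    a payload built without that key, or altered afterwards, fails here.
    """
    try:
        data = json.loads(base64.b64decode(payload))
        iv_b64, value_b64, mac = data["iv"], data["value"], data["mac"]
    except (ValueError, KeyError, TypeError):
        return False
    if not all(isinstance(x, str) for x in (iv_b64, value_b64, mac)):
        return False
    return hmac.compare_digest(_mac(key, iv_b64, value_b64), mac)


def payload_built_without_app_key(ciphertext: bytes) -> str:
    """What the question proposes: a cookie for another user id built by someone
    who holds only the front-end CSRF token, so the MAC is keyed with a guess."""
    return seal(ciphertext, key=b"constructed-attacker-guess-00000")
```

A payload sealed with the real key passes `valid_mac`; one sealed with any other key, or with a field edited after sealing, is rejected before decryption is attempted.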