Laravel is a popular web development framework written in PHP that powers many websites worldwide. Recently, however, Laravel-based apps have been the target of several credential stuffing attacks and accidental credential exposures.
Spammers have one goal: to send as much spam as cheaply as possible from good IPs that are not blocked, and we have been hearing more and more reports of Laravel apps having their SMTP credentials stolen and then used by the attackers to send junk. On further investigation, the actual problem turned out to be web applications going live with debug mode turned on.
Developers usually use debug mode to build apps with relaxed security restrictions, allowing better error analysis and bug fixing. This mode is supposed to be turned on only while the app is under development, because it deliberately exposes private information for easier data access and program flow analysis. Launching a web app with debug mode still on gives hackers an opportunity to access the sensitive data that debug mode exposes by default.
How to test if debug mode is on:
Try to access "https://your-domain-name.com/.env"; if debug mode is enabled, you should be able to see all your sensitive data exposed at this URL. The exposed data can include passwords, keys, database information and more, all of which should be hidden from users.
Here is a sample of what the .env page looks like:
How to turn off debug mode:
When you install a brand new Laravel app, debug mode is turned on for local development. Debug mode is beneficial because it provides extra debugging tools and increased logging to help you develop new features and uncover potential problems. Once you are ready to deploy, you need to change this setting and turn it off. It is helpful to have separate configuration files for your production environments, and to lean on environment variables where appropriate instead of adding configuration to a .env file.
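The following script is an added example for this article, not part of Laravel or of the original post. It turns the two sections above (testing whether your own site serves its .env, and turning debug mode off) into a repeatable self-check: given the body returned for `/.env` on a site you operate, it decides whether the response is a real dotenv file rather than an error page, lists the names (never the values) of secret-bearing keys it contains, reports whether `APP_DEBUG` is on, and produces the corrected settings (`APP_DEBUG=false`, `APP_ENV=production`). `APP_DEBUG` and `APP_ENV` are Laravel's real configuration keys; the list of sensitive key names, the `fetch_body`/`audit`/`harden_env` helpers and both sample bodies are this example's own constructions with placeholder values.

```python
"""Self-check for a Laravel deployment: does the body served at /.env look like a
real environment file, which secret keys does it name, and is APP_DEBUG on?
Added example for this article; not Laravel's own tooling. Sample bodies are constructed."""
import re
import urllib.error
import urllib.request

# Keys whose values are credentials (a selection; extend with your app's own keys).
SENSITIVE_KEYS = {"APP_KEY", "DB_PASSWORD", "MAIL_PASSWORD", "REDIS_PASSWORD",
                  "AWS_SECRET_ACCESS_KEY", "PUSHER_APP_SECRET"}
# Keys every default Laravel .env carries; used to tell a dotenv body from an HTML error page.
LARAVEL_MARKERS = {"APP_NAME", "APP_ENV", "APP_KEY", "APP_DEBUG", "APP_URL"}
# A dotenv line: optional "export", an upper-case key, "=", a value (trailing whitespace dropped).
ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_env(body: str) -> dict:
    """Parse dotenv text into {KEY: value}. Blank lines, comments and lines that are
    not KEY=VALUE (e.g. HTML tags) are skipped; surrounding quotes are stripped."""
    env = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def looks_like_env_file(body: str) -> bool:
    """True when at least two of Laravel's standard keys appear as KEY=VALUE lines."""
    return len(LARAVEL_MARKERS & set(parse_env(body))) >= 2


def exposed_secret_keys(body: str) -> list:
    """Names (never values) of sensitive keys that carry a non-empty value."""
    env = parse_env(body)
    return sorted(k for k in SENSITIVE_KEYS if env.get(k))


def debug_enabled(body: str) -> bool:
    """True when APP_DEBUG is set to a truthy value (Laravel reads true/false strings)."""
    return parse_env(body).get("APP_DEBUG", "").strip().lower() in {"true", "1", "on", "yes"}


def audit(body: str) -> dict:
    """Summarise one fetched body; the values of secrets are deliberately not included."""
    return {"env_exposed": looks_like_env_file(body),
            "secret_keys": exposed_secret_keys(body),
            "debug_on": debug_enabled(body)}


def harden_env(body: str) -> str:
    """Return the dotenv text with APP_DEBUG forced to false and APP_ENV to production.
    Other lines are left untouched; missing keys are appended."""
    forced = {"APP_DEBUG": "false", "APP_ENV": "production"}
    seen, lines = set(), []
    for line in body.splitlines():
        m = ENV_LINE.match(line)
        if m and m.group(1) in forced:
            lines.append(f"{m.group(1)}={forced[m.group(1)]}")
            seen.add(m.group(1))
        else:
            lines.append(line)
    for key, value in forced.items():
        if key not in seen:
            lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def fetch_body(url: str, timeout: float = 10.0) -> str:
    """Fetch e.g. https://your-domain-name.com/.env on a site you operate.
    An HTTP error (404, 403) means nothing is served there and yields ''."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return ""


# Constructed sample of an exposed file (placeholder values, not real credentials).
SAMPLE_EXPOSED = """\
APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:PLACEHOLDER_APP_KEY_VALUE
APP_DEBUG=true
APP_URL=http://localhost

DB_CONNECTION=mysql
DB_PASSWORD="example-db-password"
MAIL_MAILER=smtp
MAIL_HOST=smtp.example.test
MAIL_USERNAME=mailer@example.test
MAIL_PASSWORD=example-smtp-password
"""
# Constructed sample of the healthy case: the web server returns an error page instead.
SAMPLE_NOT_FOUND = ("<!DOCTYPE html>\n<html><head><title>404 Not Found</title></head>\n"
                    "<body>File not found.</body></html>\n")

if __name__ == "__main__":
    import sys
    body = fetch_body(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPOSED
    print(audit(body))
```

Run it with your own site's `/.env` URL as the only argument; with no argument it audits the constructed sample. A result with `env_exposed` true means the web server is handing out the file itself, so beyond setting `APP_DEBUG=false` the served file must be removed from the document root and every credential it named should be rotated. `harden_env` shows the corrected values in place so the before/after can be diffed before deployment.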