{"id":16465573,"url":"https://github.com/peterfox/laravel-secure-redirect","last_synced_at":"2026-05-11T13:33:46.941Z","repository":{"id":237439153,"uuid":"644623083","full_name":"peterfox/laravel-secure-redirect","owner":"peterfox","description":null,"archived":false,"fork":false,"pushed_at":"2023-05-23T23:10:22.000Z","size":74,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-10T13:51:27.556Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/peterfox.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-23T23:09:51.000Z","updated_at":"2023-05-23T23:10:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"0abee655-16d2-4e80-9ff4-1d617d8340c7","html_url":"https://github.com/peterfox/laravel-secure-redirect","commit_stats":null,"previous_names":["peterfox/laravel-secure-redirect"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peterfox%2Flaravel-secure-redirect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peterfox%2Flaravel-secure-redirect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peterfox%2Flaravel-secure-redirect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/peterfox%2Flaravel-secure-redirect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/peterfox","download_url":"https://codeload.github.com/peterfox/laravel-secure-redirect/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241026469,"owners_count":19896639,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-11T11:34:28.791Z","updated_at":"2026-05-11T13:33:46.894Z","avatar_url":"https://github.com/peterfox.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Laravel Secure Redirect Back\n\nThe purpose of this repo is to highlight how you can protect against abuse\nof the `Referer` HTTP header.\n\n# The Exploit\n\nThe exploit itself is fairly simple in that the `Referer` header of an HTTP Request can be written\nto be a different domain, causing the application code to use this as the URL to redirect\nto when the `back()` method is called using the `Redirector` class commonly used via the\n`redirect()` helper.\n\nThe exploit helps those performing phishing style attacks where the user is on the legitimate\ndomain and then submits a form with invalid validation and then sends the user to a different website\nwhich looks the same as the original, allowing the attacker to trick a user into potentially handing over\naccount login details for the original site or other information.\n\nThis has been documented before https://github.com/laravel/framework/issues/14642\n\n# The Fix\n\nTo resolve this problem, there should be a quick URL check to make sure the URL is either the App URL\n(`app.url` in the config) or is in a list of whitelisted domains. In this demo it's just the\nApp URL.\n\nThe code to change this involves overriding the `Redirector` class so the `back()` method is resolved\nand that the `App/Exceptions/Handler` class overrides the `invalid()` method so that it will\navoid using the previous url as per the `UrlGenerator` class.\n\n# Tests\n\nTests are provided to show the two scenarios working to block the altered `Referer` header.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeterfox%2Flaravel-secure-redirect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpeterfox%2Flaravel-secure-redirect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpeterfox%2Flaravel-secure-redirect/lists"}