Laravel Telescope Enabled In Production

Last updated 12 months ago

Description:

Laravel Telescope is a debugging tool that is normally enabled only in local environments to help developers debug Laravel applications. Telescope lets developers inspect incoming HTTP requests, exceptions, logs, database queries and much more. It sometimes happens that Telescope is left enabled in production.

Testing:

Navigate to the following app route:

/telescope/requests
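
The check above can be scripted so that operators can verify their own deployments after a release. The following Python snippet is an added example and is not part of the Misconfig Mapper page or of Laravel itself. It assumes (these are assumptions, not facts from the page) that Telescope's dashboard HTML contains a `<title>Telescope` tag and a `<div id="telescope"` mount point, that a gated deployment answers 401/403 or redirects to a login page, and that a correctly removed Telescope answers 404. The sample responses at the bottom are constructed, not captured from any real host.

```python
"""Self-check for an exposed Laravel Telescope dashboard (added example).

Assumed markers and status mapping; adjust MARKERS to your build if needed.
"""
import sys
import urllib.error
import urllib.request

TELESCOPE_ROUTE = "/telescope/requests"            # route named on the page
MARKERS = ("<title>Telescope", 'id="telescope"')   # assumed dashboard markers


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a login redirect surfaces as an HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, body: str) -> str:
    """Map an HTTP status and response body to one of:
    exposed  - dashboard served to an unauthenticated client
    gated    - route exists but is protected (auth challenge or login redirect)
    absent   - provider not registered or package not installed
    unknown  - anything else (e.g. a catch-all 200 without Telescope markers)
    """
    if status == 200 and any(marker in body for marker in MARKERS):
        return "exposed"
    if status in (301, 302, 303, 307, 308, 401, 403):
        return "gated"
    if status == 404:
        return "absent"
    return "unknown"


def check(base_url: str, timeout: float = 5.0) -> str:
    """Fetch base_url + TELESCOPE_ROUTE without following redirects and classify it."""
    url = base_url.rstrip("/") + TELESCOPE_ROUTE
    req = urllib.request.Request(url, headers={"User-Agent": "telescope-selfcheck/1.0"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(200_000).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        body = err.read(200_000).decode("utf-8", "replace")
        return classify(err.code, body)


# Constructed sample responses (not captured from any real host) for offline use.
SAMPLES = {
    "exposed": (200, '<!DOCTYPE html><html><head><title>Telescope - Demo</title>'
                     '</head><body><div id="telescope"></div></body></html>'),
    "gated": (403, "Forbidden"),
    "absent": (404, "Not Found"),
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python telescope_check.py https://your-app.example
        print(check(sys.argv[1]))
    else:
        for expected, (status, body) in SAMPLES.items():
            print(f"{expected:8s} -> {classify(status, body)}")
```

Run it against a staging or production host you operate; a result of `exposed` means the dashboard is reachable without authentication and the remediation below applies. A `200` that carries none of the markers is reported as `unknown` rather than `absent`, because a catch-all front-end route can answer 200 for any path.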

Remediation:

Telescope is intended for development purposes only and should be disabled in production environments. When installing Laravel Telescope, pass the --dev CLI flag so that it is only installed locally (or in your development environment):

composer require laravel/telescope --dev

Afterwards, register the Telescope service providers only in local environments, in the register method of App\Providers\AppServiceProvider:

/**
 * Register any application services.
 *
 * Lives in app/Providers/AppServiceProvider.php. Telescope's providers are
 * registered here, guarded by the environment check, instead of being listed
 * in the application's providers configuration, so they never load outside
 * the local environment.
 */
public function register(): void
{
    if ($this->app->environment('local')) {
        // The package's own provider (routes, middleware, watchers).
        $this->app->register(\Laravel\Telescope\TelescopeServiceProvider::class);
        // The application's provider published by Telescope, i.e.
        // App\Providers\TelescopeServiceProvider (same namespace as this class).
        $this->app->register(TelescopeServiceProvider::class);
    }
}

Potential Impact:

Laravel Telescope provides several debugging features, including logs and database queries, that may contain sensitive information. This information can be used against a company in further attacks (think of sensitive tokens and app secrets being logged).

References:

As the official documentation states:
https://laravel.com/docs/10.x/telescope
https://laravel.com/docs/10.x/telescope#local-only-installation