Laravel Clockwork Sensitive Information Exposure Detection Scanner
This scanner detects Laravel Clockwork exposure in digital assets. Exposure can reveal SQL queries, request data, and sensitive application internals, which could be exploited by attackers. Understanding this risk is valuable for maintaining secure environments.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 25 days 21 hours
Scan only one: URL
Clockwork is a web application debugging tool primarily used with the Laravel PHP framework. It is designed to give developers comprehensive insight into application execution by exposing detailed request profiles. While beneficial in development environments, enabling Clockwork in production can lead to the exposure of sensitive information. It is predominantly used by developers and system administrators for debugging and performance tuning.
Exposure occurs when Clockwork is left enabled and publicly accessible in a production environment. This scenario allows unauthorized users to view detailed application internals, including SQL queries, request data, and session information. Such exposure can pose significant security risks, providing insider insight into system architecture and potentially sensitive business logic.
Clockwork exposure is typically found when the application path /__clockwork is accessible and returns JSON data with a specific structure, including keys such as "__meta" and "toolbar". The vulnerability can be leveraged to gain unauthorized insight into server-side operations, potentially revealing sensitive operational data.
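The check described above, written out as an added example (not the scanner's own code) so an asset owner can verify their own deployment: it requests /__clockwork and treats a 200 JSON object containing both "__meta" and "toolbar" as exposure. The sample response bodies are constructed, not captured from a real server, and the User-Agent string is an arbitrary choice.

```python
import json
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

CLOCKWORK_PATH = "/__clockwork"
# Keys the page names as the fingerprint of an exposed Clockwork endpoint.
FINGERPRINT_KEYS = ("__meta", "toolbar")


def is_clockwork_exposure(status: int, body: bytes) -> bool:
    """True when a GET /__clockwork response looks like exposed Clockwork metadata.

    Requires HTTP 200, a parseable JSON *object* (not a list), and both
    fingerprint keys present; anything else is treated as not exposed.
    """
    if status != 200:
        return False
    try:
        data = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return False
    if not isinstance(data, dict):
        return False
    return all(key in data for key in FINGERPRINT_KEYS)


def check_site(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch base_url + /__clockwork and classify the response (network call)."""
    url = base_url.rstrip("/") + CLOCKWORK_PATH
    req = Request(url, headers={"User-Agent": "clockwork-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except HTTPError as err:  # non-2xx answer: endpoint is not serving profiles
        status, body = err.code, b""
    except URLError as err:
        return {"url": url, "reachable": False, "exposed": False, "error": str(err.reason)}
    return {"url": url, "reachable": True, "exposed": is_clockwork_exposure(status, body)}


# Constructed sample bodies for offline testing (not real Clockwork output).
SAMPLE_EXPOSED = b'{"__meta": {"id": "constructed-1"}, "toolbar": {"enabled": true}}'
SAMPLE_HTML = b"<html><body>Not Found</body></html>"
SAMPLE_OTHER_JSON = b'{"status": "ok"}'

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8000"
    print(check_site(target))
```

Run it against your own application's base URL; an "exposed": True result means Clockwork should be disabled or access-restricted in that environment.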
When exploited, the exposure could lead to unintended disclosure of application internals and vulnerabilities in business logic. This information might be used by attackers to craft targeted attacks, such as SQL injection or cross-site scripting, depending on the information revealed through exposure.