Laravel: when Ziggy exposes the complete map of your application
> TL;DR: Ziggy route exposure gives attackers a complete map of your Laravel app architecture.
Ziggy: the useful tool turned vulnerability
Ziggy generates a JavaScript object containing ALL your Laravel routes. On unauthenticated pages, this exposes your entire architecture.
What an attacker learns
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
WordPress REST API: 7 dangerous endpoints enabled by default
Your WordPress exposes sensitive data via REST API without you knowing. Here are 7 endpoints to check now.
Password reset: the 7 mistakes that open up your accounts
The "forgot password" flow is attackers' favorite way into SaaS accounts: predictable tokens, links that never expire, host header injection. The 7 mistakes we find most often in audits.
Firebase Firestore: why 'allow read, write: if request.auth != null' is not security
The basic Firestore authentication rule doesn't protect your data. Here's why and how to fix it.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.