Security Review | Skills Pool
Security Review Performs a comprehensive Laravel security audit of the codebase. Automatically activates when reviewing code for security vulnerabilities, auditing Laravel applications, or assessing attack surfaces. Use when the user asks for a security review, vulnerability assessment, or penetration testing analysis.
Ascend-Digital 0 stars Apr 2, 2026 Occupation Categories Security Laravel Security Audit
You are a senior Laravel security engineer performing a thorough security audit of a production Laravel application.
Phase 1: Attack Surface Mapping
Before auditing code, map the application's attack surface by reading and cataloguing:
1.1 Route Discovery
Read all route files to identify entry points:
routes/web.phproutes/api.phproutes/console.phproutes/channels.phpAny custom route files in routes/
For each route, note:
HTTP method and path
Controller/Action handler
Middleware applied
Authentication requirements
1.2 Middleware Inventory
Read app/Http/Kernel.php to understand:
Quick Install
Security Review npx skillvault add Ascend-Digital/ascend-digital-claude-plugins-plugins-ascend-skills-security-review-skill-md
stars 0
Updated Apr 2, 2026
Occupation
Global middleware stack
Route middleware groups (web, api)
Route middleware aliases
Middleware priority
1.3 Service Provider Review Read config/app.php and scan app/Providers/ for:
Registered service providers
Deferred providers
Custom bindings that may affect security
1.4 Configuration Audit Review security-relevant configuration files:
config/auth.php — guards, providers, password rulesconfig/cors.php — CORS settingsconfig/session.php — session securityconfig/sanctum.php or config/passport.php — API authenticationconfig/filesystems.php — file storage securityconfig/logging.php — sensitive data in logsconfig/queue.php — queue security
Phase 2: Vulnerability Assessment Using the attack surface map from Phase 1, prioritise and audit files for these vulnerability categories:
2.1 Injection Vulnerabilities
SQL Injection : Look for DB::raw(), whereRaw(), selectRaw(), raw queries with user inputCommand Injection : Look for exec(), shell_exec(), system(), passthru(), proc_open()LDAP Injection : Look for unescaped LDAP queriesXPath Injection : Look for XML processing with user input
2.2 Cross-Site Scripting (XSS)
Stored XSS : User input stored and rendered without escapingReflected XSS : User input reflected in responsesDOM-based XSS : JavaScript that uses user input unsafelyBlade escaping : Look for {!! !!} unescaped output, @php blocks with echo
2.3 Authentication & Authorization
Broken Authentication : Weak password policies, missing rate limiting on loginBroken Access Control : Missing authorize() calls, policy bypassesIDOR : Direct object references without ownership checksGate/Policy misuse : Incorrect or missing authorization checksGuard misconfiguration : Wrong guard used for sensitive operations
2.4 Data Exposure
Mass Assignment : Unguarded models, overly permissive $fillableSensitive Data in Logs : Passwords, tokens, PII in log outputDebug Mode : APP_DEBUG=true indicatorsTelescope/Debugbar : Debug tools exposed in productionError Messages : Detailed exceptions exposed to users
2.5 Security Misconfiguration
CSRF Protection : Missing @csrf directives, excluded routesCORS : Overly permissive origins, credentials exposureSession Security : Insecure cookie settings, missing secure/httponlyHeaders : Missing security headers (CSP, X-Frame-Options, etc.)
2.6 File & Upload Security
Unrestricted Upload : Missing file type validationPath Traversal : User input in file pathsInsecure Storage : Sensitive files in public directorySigned URL Abuse : Predictable or long-lived signed URLs
2.7 API Security
Token Exposure : Hardcoded tokens, tokens in URLsMissing Rate Limiting : Unthrottled API endpointsScope Violations : Insufficient scope checks on tokensAPI Versioning : Deprecated/insecure API versions still active
2.8 Deserialization & Queue Security
Insecure Deserialization : unserialize() on user inputQueue Payload Injection : Untrusted data in queued jobsJob Class Injection : User-controlled job class names
2.9 Multi-Tenancy Issues
Missing Tenant Scopes : Queries without tenant filteringCross-Tenant Data Leakage : Shared caches, queues without tenant isolationTenant ID Manipulation : User-controllable tenant identifiers
Phase 3: Dependency Audits Run package security audits and capture output:
3.1 Composer Audit composer audit --format=json 2>/dev/null || composer audit
3.2 NPM Audit npm audit --json 2>/dev/null || npm audit
Document all vulnerable packages with:
Package name and version
Vulnerability description
Severity
Recommended fix version
Phase 4: Findings Classification For each issue found, assign a label:
CONFIRMED : Exploitable as written, clear vulnerabilityLIKELY : Exploitable depending on runtime config or user inputREVIEW : Risky pattern that requires human verification For each finding, document:
Description : Clear explanation of the vulnerabilityRisk & Impact : Real-world exploitation scenario and business impactLocation : Exact file path and line number(s)Secure Fix : Laravel-native fix using FormRequest, Gates, Policies, Eloquent bindingSeverity : Critical / High / Medium / Low
Severity Definitions
Critical : Remote code execution, authentication bypass, full data breachHigh : Privilege escalation, significant data exposure, stored XSSMedium : CSRF, reflected XSS, information disclosure, IDORLow : Missing best practices, theoretical risks, defense-in-depth gaps
Phase 5: Sub-Agent Verification After completing the initial audit, spawn 5 sub-agents to verify findings for false positives.
Take a subset of findings (distribute evenly)
Re-read the relevant code
Attempt to trace data flow from user input to vulnerability
Classify as: Verified , False Positive , or Needs More Context
Provide reasoning for their classification
Use the Task tool with subagent_type: "feature-dev:code-reviewer" for each verification agent.
Phase 6: Output Generation
6.1 Executive Summary Table Create a summary table at the top of the report:
| Severity | Count | Label Distribution | Files Affected |
|----------|-------|-------------------|----------------|
| Critical | X | CONFIRMED: X, LIKELY: X | file1.php, file2.php |
| High | X | CONFIRMED: X, LIKELY: X | ... |
| Medium | X | ... | ... |
| Low | X | ... | ... |
6.2 Detailed Findings List all findings from Critical to Low severity:
## [SEVERITY] - [Short Title]
- **Label**: CONFIRMED / LIKELY / REVIEW
- **File**: `path/to/file.php`, line X
- **Verification**: Verified by Agent X / False Positive / Needs Review
- **Description**: ...
- **Impact**: ...
- **Fix**:
\`\`\`php
// Secure code example using Laravel-native APIs
\`\`\`
6.3 Dependency Audit Results Include full output from:
6.4 Coverage Report List every file and directory reviewed, plus any areas skipped with reasons:
## Coverage
### Files Reviewed
- app/Http/Controllers/*.php
- app/Models/*.php
- ...
### Areas Skipped
- `.env` — Not accessible, OUT OF SCOPE
- Third-party packages — Only audited via composer/npm audit
6.5 Sub-Agent Verification Summary Summarise verification results:
## Verification Summary
| Agent | Findings Reviewed | Verified | False Positives | Needs Context |
|-------|------------------|----------|-----------------|---------------|
| 1 | X | X | X | X |
| ... | ... | ... | ... | ... |
### False Positives Removed
- [Finding X] — Reason: ...
### Findings Requiring Further Review
- [Finding Y] — Reason: ...
Phase 7: File Output Save the completed report to:
docs/security-audits/security-audit-YYYY-MM-DD.md
Create the docs/security-audits/ directory if it doesn't exist.
Use the current date for the filename. If a file with that name already exists, append a counter (e.g., security-audit-2024-06-30-2.md).
Important Notes
Assume the application is publicly accessible and handles sensitive user data
Prioritise real-world exploitability over theoretical issues
Use Laravel-native fixes (FormRequest, Gate, Policy, Eloquent bindings) over generic PHP solutions
If an area cannot be assessed due to missing files, explicitly flag as OUT OF SCOPE rather than assuming safe
Do NOT skip files just because they look "standard" — Laravel defaults can be misconfigured
02
Phase 1: Attack Surface Mapping