Custom development of dgtlss/owaspadvisor

Feature changes on demand, performance tuning, integration with business systems, with one-stop technical support

Email: yvsm@zunyunkeji.com | QQ: 316430983 | WeChat: yvsm316

dgtlss/owaspadvisor

Latest stable version: 1.1.0

Composer install command:

composer require dgtlss/owaspadvisor

Package description

A Laravel package to help developers implement OWASP Top 10 security guidelines

README documentation

README

A Laravel package that helps developers ensure their applications follow OWASP Top 10 security guidelines.

Features

  • Automated security audits based on OWASP Top 10 guidelines (2025)
  • Comprehensive security checks across multiple categories:
    • A01: Broken Access Control
    • A02: Security Misconfiguration
    • A03: Software Supply Chain Failures
    • A04: Cryptographic Failures
    • A05: Injection
    • A06: Insecure Design
    • A07: Authentication Failures
    • A08: Software or Data Integrity Failures
    • A09: Security Logging and Alerting Failures
    • A10: Mishandling of Exceptional Conditions
  • Multiple report formats (Console, JSON, HTML)
  • Configurable security checks and thresholds
  • Integration with Laravel's notification system for security alerts
  • Interactive command-line interface with detailed OWASP information

Installation

You can install the package via composer:

composer require dgtlss/owaspadvisor --dev

After installation, publish the configuration file:

php artisan vendor:publish --provider="Dgtlss\OWASPAdvisor\OWASPAdvisorServiceProvider" --tag=config

To publish the views:

php artisan vendor:publish --provider="Dgtlss\OWASPAdvisor\OWASPAdvisorServiceProvider" --tag=views

Usage

Learning About OWASP Top 10

To learn more about the OWASP Top 10 security risks and get detailed descriptions:

php artisan owasp:info

This interactive command will:

  • Display information about each OWASP Top 10 category
  • Provide descriptions and context for each security risk
  • Offer the option to run a security audit immediately
  • Link to the official OWASP documentation

Running a Security Audit

To perform a quick OWASP security audit of your Laravel application, use:

# Run a basic security audit with console output
php artisan owasp:audit

# Generate a JSON report
php artisan owasp:audit --format=json

# Generate and save an HTML report
php artisan owasp:audit --format=html --save

OWASP Security Checks

The package performs comprehensive checks in the following categories:

  1. Broken Access Control (A01:2025)

    • Authorization middleware usage
    • Role-based access control implementation
    • CORS configuration validation
    • Server-Side Request Forgery (SSRF) protection
  2. Security Misconfiguration (A02:2025)

    • Debug mode settings
    • Security headers
    • Error handling configuration
    • Environment-specific configurations
  3. Software Supply Chain Failures (A03:2025)

    • Dependency vulnerability scanning
    • Package integrity verification
    • Build pipeline security
    • Third-party component management
  4. Cryptographic Failures (A04:2025)

    • HTTPS configuration
    • Encryption at rest
    • Password hashing algorithms and settings
    • Key management practices
  5. Injection (A05:2025)

    • SQL injection prevention
    • XSS vulnerabilities
    • CSRF protection
    • Command injection prevention
  6. Insecure Design (A06:2025)

    • Threat modeling documentation
    • Secure design patterns
    • Business logic validation
    • Defense in depth implementation
  7. Authentication Failures (A07:2025)

    • Password policies
    • Session security
    • Rate limiting implementation
    • Multi-factor authentication
  8. Software or Data Integrity Failures (A08:2025)

    • CI/CD pipeline integrity
    • Code signing verification
    • Database integrity checks
    • Update mechanism security
  9. Security Logging and Alerting Failures (A09:2025)

    • Security event logging
    • Alerting mechanisms
    • Log retention policies
    • Monitoring integration
  10. Mishandling of Exceptional Conditions (A10:2025)

    • Exception handling best practices
    • Resource cleanup
    • Timeout handling
    • Circuit breaker patterns

Security Reports

Reports can be generated in three formats:

Console Output

BROKEN ACCESS CONTROL (A01:2025)
---------------------------------
✓ Authorization Middleware: Properly configured
⚠ Role Permissions: Some endpoints lack role checks
✓ CORS Configuration: Secure configuration detected
✓ SSRF Protection: External request validation found

SECURITY MISCONFIGURATION (A02:2025)
------------------------------------
⚠ Debug Mode: Debug mode enabled in non-production
✓ Security Headers: All recommended headers configured
✓ Error Handling: Custom exception handler implemented

SOFTWARE SUPPLY CHAIN (A03:2025)
----------------------------------
✓ Dependency Audit: Security scanning tools configured
⚠ Package Signing: Git commit signing not configured
✓ Build Pipeline: CI/CD integrity checks in place

CRYPTOGRAPHIC FAILURES (A04:2025)
-------------------------------
✓ HTTPS Only: Enforced
✓ Encryption at Rest: Using AES-256
⚠ Password Hashing: Using default algorithm

JSON Format

{
  "access_control": {
    "status": "warning",
    "checks": {
      "middleware_usage": {
        "status": "success",
        "message": "Authorization middleware properly configured"
      },
      "ssrf_protection": {
        "status": "success",
        "message": "External request validation implemented"
      }
    }
  },
  "supply_chain": {
    "status": "warning",
    "checks": {
      "dependency_audit": {
        "status": "success",
        "message": "Security scanning tools configured"
      }
    }
  }
}
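A CI gate that consumes the JSON report layout shown above, as an added example (not part of the package): it flags every check at or above a chosen status, and also reports a category whose own status is worse than any check it lists, as both "warning" categories in the sample are. The sample report text, the "error" status value and the "cryptography" category are constructed assumptions.

```python
import json

# Constructed sample: the README's JSON example plus a constructed "cryptography"
# category with a failing check to exercise the error path.
SAMPLE_REPORT = """{
  "access_control": {"status": "warning", "checks": {
    "middleware_usage": {"status": "success", "message": "Authorization middleware properly configured"},
    "ssrf_protection": {"status": "success", "message": "External request validation implemented"}}},
  "supply_chain": {"status": "warning", "checks": {
    "dependency_audit": {"status": "success", "message": "Security scanning tools configured"}}},
  "cryptography": {"status": "error", "checks": {
    "password_hashing": {"status": "error", "message": "Using default algorithm"}}}
}"""

# Status ranking. "error" is assumed; the README only shows "success" and "warning".
SEVERITY = {"success": 0, "warning": 1, "error": 2}


def rank(status):
    # Unknown or missing statuses rank as errors so a malformed report cannot pass silently.
    return SEVERITY.get(status, SEVERITY["error"])


def collect_findings(report_json, fail_on="warning"):
    """Parse a report; return (category, check, status, message) tuples at or above fail_on."""
    threshold = rank(fail_on)
    findings = []
    for category, body in json.loads(report_json).items():
        worst_check = 0
        for name, check in body.get("checks", {}).items():
            status = check.get("status", "missing")
            worst_check = max(worst_check, rank(status))
            if rank(status) >= threshold:
                findings.append((category, name, status, check.get("message", "")))
        # A category may be worse than every check it lists (both README sample
        # categories are "warning" with only "success" checks), so report that too.
        cat_status = body.get("status", "missing")
        if rank(cat_status) >= threshold and rank(cat_status) > worst_check:
            findings.append((category, "*", cat_status, "category status worse than listed checks"))
    return findings


def gate(report_json, fail_on="warning"):
    """CI exit code: 0 when nothing at or above fail_on, 1 otherwise; prints findings."""
    findings = collect_findings(report_json, fail_on)
    for category, name, status, message in findings:
        print(f"[{status.upper()}] {category}.{name}: {message}")
    return 1 if findings else 0
```

Feed `gate` the text produced by `php artisan owasp:audit --format=json` and use its return value as the pipeline step's exit status.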

HTML Report

A detailed HTML report that can be saved to your storage directory.

Configuration

The package configuration file (config/owaspadvisor.php) allows you to customize:

  • Security check thresholds
  • Report storage location
  • Notification settings
  • Security headers configuration
  • Password requirements
  • Rate limiting rules

Contributing

Please see CONTRIBUTING.md for details.

Statistics

  • Total downloads: 5.06k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 31
  • Clicks: 1
  • Dependent projects: 0
  • Recommendations: 0

GitHub information

  • Stars: 31
  • Watchers: 1
  • Forks: 0
  • Language: PHP

Other information

  • License: MIT
  • Last updated: 2026-01-04