{"id":10503,"date":"2025-07-14T12:38:32","date_gmt":"2025-07-14T05:38:32","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10503"},"modified":"2026-02-05T12:38:39","modified_gmt":"2026-02-05T05:38:39","slug":"app_key-trong-laravel-bi-lo-hang-tram-ung-dung-co-nguy-co-bi-chiem-quyen-dieu-khien","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/14\/app_key-trong-laravel-bi-lo-hang-tram-ung-dung-co-nguy-co-bi-chiem-quyen-dieu-khien\/","title":{"rendered":"Laravel APP_KEY leaked: hundreds of applications at risk of takeover"},"content":{"rendered":"<p><b>A fairly serious risk is quietly present in the community of Laravel users (a PHP framework popular worldwide). Simply leaking the APP_KEY (the secret key Laravel uses to encrypt data) lets attackers easily take remote control of a user's server.<\/b><\/p>\n<div style=\"text-align: center\"><img src=\"https:\/\/whitehat.vn\/data\/attachments\/17\/17640-2aa4c1b3e156a9be2df5a7908cc749f1.jpg\" alt=\"b913f23a3ddd8b83d2cc.jpg\" width=\"800\" height=\"400\" \/><\/div>\n<p>More worrying still, hundreds of thousands of APP_KEY values have been leaked publicly on GitHub, and at least 600 live Laravel applications have been identified as exploitable.<\/p>\n<p>From 2018 to May 2025, researchers extracted more than 260,000 APP_KEYs from GitHub. They found more than 600 vulnerable applications; more than 10,000 of the keys were unique and at least 400 were still in use.<\/p>\n<p>In Laravel, APP_KEY is a random 32-byte string generated when the application is installed, usually stored in the .env file. It is used to:<\/p>\n<ul>\n<li>Encrypt and decrypt sensitive data,<\/li>\n<li>Sign and verify session cookies,<\/li>\n<li>Generate login tokens and handle other security functions.<\/li>\n<\/ul>\n<p>If attackers obtain the APP_KEY, they can:<\/p>\n<ul>\n<li>Forge or decrypt session cookies to impersonate legitimate access.<\/li>\n<li>Exploit the deserialization flaw in Laravel's decrypt() function to achieve remote code execution (RCE).<\/li>\n<\/ul>\n<h4>How did the attackers carry out the attack?<\/h4>\n<ol>\n<li>Attackers search for leaked APP_KEYs on GitHub (or other public platforms).<\/li>\n<li>Combined with the APP_URL (also frequently leaked in the .env file), they can reach the running application directly.<\/li>\n<li>They send a payload containing malicious encrypted data (a gadget chain) to the server.<\/li>\n<li>Laravel automatically decrypts and deserializes the payload, leading to remote code execution without having to get past the application logic or log in.<\/li>\n<\/ol>\n<p>This lets attackers bypass every layer of application-logic protection and take full control of the web server.<\/p>\n<h4>Real-world impact: not just Laravel<\/h4>\n<ul>\n<li>63% of the leaked APP_KEYs came from .env files, which often contain other sensitive information as well, such as:\n<ul>\n<li>Database connection details<\/li>\n<li>Cloud service tokens (AWS, Google Cloud, etc.)<\/li>\n<li>API keys for chatbots, AI, customer support, e-commerce&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>More than 28,000 APP_KEY + APP_URL pairs were leaked together, and at least 10% of them are valid and directly exploitable.<\/li>\n<\/ul>\n<h4>Points that deserve particular attention<\/h4>\n<ul>\n<li>Laravel no longer has this flaw in its default configuration, but it returns if developers use SESSION_DRIVER=cookie and handle decrypt() carelessly.<\/li>\n<li>The flaw relates to PHP object deserialization, which has already been widely exploited with tools such as phpggc, which let attackers build custom \u201cgadget chains\u201d to inject malicious code.<\/li>\n<\/ul>\n<h4><b>Recommendations for protecting Laravel systems and related applications<\/b><\/h4>\n<ol>\n<li>Never commit the &#8220;.env&#8221; file to GitHub or any public source repository.<\/li>\n<li>If you discover that an APP_KEY has been leaked:\n<ul>\n<li>Do not just delete it from the repository.<\/li>\n<li>Rotate the APP_KEY immediately.<\/li>\n<li>Update every system still using the old key to the new one.<\/li>\n<\/ul>\n<\/li>\n<li>Do not use SESSION_DRIVER=cookie unless you clearly understand the risk.<\/li>\n<li>Deploy continuous secret monitoring across CI\/CD, containers, Docker images, log pipelines&#8230;<\/li>\n<li>Use secret-scanning tools such as GitGuardian or other automated secret-detection platforms to monitor repositories and infrastructure.<\/li>\n<\/ol>\n<p>The Laravel story is only the tip of the iceberg. With CI\/CD, Docker, AI and microservices booming, protecting sensitive information (secret management) must be treated as a pillar of security rather than a side step in the software development process. Leaking an APP_KEY, or any other token, is no longer a \u201cminor bug\u201d but a direct threat to data, customers and enterprise infrastructure.<\/p>\n<div style=\"text-align: right\"><b><i>According to The Hacker News<\/i><\/b><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/app_key-trong-laravel-bi-lo-hang-tram-ung-dung-co-nguy-co-bi-chiem-quyen-dieu-khien.18560\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/app_key-trong-laravel-bi-lo-hang-tram-ung-dung-co-nguy-co-bi-chiem-quyen-dieu-khien.18560\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A fairly serious risk is quietly present in the community of Laravel users (a PHP framework popular worldwide). Simply leaking the APP_KEY (the secret key Laravel uses to encrypt data) lets attackers easily take control of the server [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10503","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10503"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10503\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}