Kike: "Thank you Punyapal. The thing is… can you target..." / Pinkary

Kike

@kikedop

My dear Livewire believers, I need your help. Yesterday, one of my projects was attacked by what I believe were automated bots.

The issue is that the scripts were targeting (among other things) the "livewire/update" route. They were attempting to call methods that clearly don't exist or trying to access properties.

I suspect they might have bypassed the checksum check, but I'm not sure.

Has anyone seen anything like this before?

3 • •

192

1mo ago •

Punyapal Shah ☁️🦹

@MrPunyapal

Btw it is totally possible

Even I can copy component id from snapshot and call any method or property I want with using.

Livewire.find('componentId').call('method', { parameters });

Always Authorize and use #[Locked] where needed.

Don't trust on user like me 😅

1 • •

163

1mo ago •

Kike

@kikedop

In response to @MrPunyapal

Thank you Punyapal. The thing is… can you target livewire/update being a post route overriding cors middleware and livewire’s internal checksum check?

I mean they were using a Guzzle client targeting the route directly.

If so, then the route should be auth protected meaning you couldn’t use livewire component in a public page.

Also that using livewire is a big liability.

1 • •

127

1mo ago •

Punyapal Shah ☁️🦹

@MrPunyapal

That doesn't seem posible (bypassing checksum).

Brw you can use Livewire component anywhere just be careful of sensitive data. And use it wise as much as possible 🙌

• •

111

1mo ago •

Delete Question

Delete Question

Delete Question

Delete Question