From dd801febe49d7b8540c6de9b1fd2958e300e6677 Mon Sep 17 00:00:00 2001
From: SirBroccoli <carlospolop@gmail.com>
Date: Sun, 7 Sep 2025 23:13:38 +0200
Subject: [PATCH] Update laravel.md

---
 .../pentesting-web/laravel.md                       | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md
index d0810d74f..9a85749ac 100644
--- a/src/network-services-pentesting/pentesting-web/laravel.md
+++ b/src/network-services-pentesting/pentesting-web/laravel.md
@@ -89,7 +89,18 @@ curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https:
 ```
 
 
----
+## Mass APP_KEY discovery via cookie brute-force
+
+Because every fresh Laravel response sets at least 1 encrypted cookie (`XSRF-TOKEN` and usually `laravel_session`), **public internet scanners (Shodan, Censys, …) leak millions of ciphertexts** that can be attacked offline.
+
+Key findings of the research published by Synacktiv (2024-2025):
+* Dataset July 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
+* Dataset May 2025 » 625 k tokens, **3.56 % keys cracked**
+* >1 000 servers still vulnerable to legacy CVE-2018-15133 because tokens directly contain serialized data.
+* Huge key reuse – the Top-10 APP_KEYs are hard-coded defaults shipped with commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
+
+The private Go tool **nounours** pushes AES-CBC/GCM bruteforce throughput to ~1.5 billion tries/s, reducing full dataset cracking to <2 minutes.
+
 
 ## CVE-2024-52301 – HTTP argv/env override → auth bypass