

How does the Livewire checksum prevent fraudulent actions?

I mean, what prevents an attacker from changing the payload, generating a new checksum for it, and sending it to the server?

I can't understand how this scheme works. From what I have read and watched in the video, the checksum (hash) is just taken from the fields, and then it is checked whether it matches the checksum that was sent from the front end.

So, once again, if the attacker generates this checksum by himself, how would this prevent the fraudulent actions?

0 likes
2 replies
bvfi-dev
Best Answer
Level 3

It's not that simple; that's not exactly how it works. Livewire uses your APP_KEY to get a signature that only the server alone can reproduce. That's the difference: an attacker could create a plain hash of fields, but not a server-side signed hash, unless they know your secret key, which is why it's called a secret key.

Workflow:

  1. Livewire gets component data like properties and stuff
  2. LW then signs that data with the server secret key (which is also the same one that Laravel uses to encrypt cookies, for example)
  3. The signed checksum is sent to the client with the component data
  4. Client sends data back on the next Livewire request
  5. Livewire verifies the signature against the app's secret key => If something's not right, an error is thrown
1 like
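To make the answer above concrete, here is an added illustration of a keyed checksum in the style described (it is not Livewire's own code, and the function names, the state array and the APP_KEY value are all constructed for this example). The checksum is an HMAC over a canonical serialisation of the component state, keyed with the app secret; the server recomputes it on the next request and compares in constant time. The last two checks show why recomputing a checksum on the client does not help: without the key, neither a plain hash nor an HMAC under a guessed key matches.

```php
<?php
// Added illustration (not Livewire's implementation) of signing component
// state with the app secret and verifying it on the way back.
// sign_snapshot, verify_snapshot, canonical and APP_KEY below are assumptions.

declare(strict_types=1);

// Constructed stand-in for APP_KEY; a real app reads this from its environment.
const APP_KEY = 'constructed-secret-key-for-illustration-only';

// Canonical serialisation: sort keys so identical state always yields identical bytes.
function canonical(array $state): string
{
    ksort($state);
    return json_encode($state, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
}

// Server side (steps 1-3): checksum = HMAC-SHA256 over the state, keyed with the secret.
function sign_snapshot(array $state, string $key): string
{
    return hash_hmac('sha256', canonical($state), $key);
}

// Server side (step 5): recompute and compare in constant time to avoid timing leaks.
function verify_snapshot(array $state, string $checksum, string $key): bool
{
    return hash_equals(sign_snapshot($state, $key), $checksum);
}

function report(string $label, bool $ok): void
{
    echo str_pad($label, 50) . ($ok ? 'ACCEPTED' : 'REJECTED') . PHP_EOL;
}

// Server renders a component and ships state + checksum to the browser.
$state = ['id' => 42, 'price' => 100, 'quantity' => 1];
$checksum = sign_snapshot($state, APP_KEY);

// Step 4: honest client returns the same state and checksum.
report('unchanged state, original checksum', verify_snapshot($state, $checksum, APP_KEY));

// Client edits the state but keeps the old checksum.
$tampered = $state;
$tampered['price'] = 1;
report('tampered state, original checksum', verify_snapshot($tampered, $checksum, APP_KEY));

// Client edits the state and recomputes a checksum without the secret:
// a plain unkeyed hash of the fields ...
$plainHash = hash('sha256', canonical($tampered));
report('tampered state, plain sha256 of fields', verify_snapshot($tampered, $plainHash, APP_KEY));

// ... or an HMAC under a key that is not the server's.
$guessed = sign_snapshot($tampered, 'some-other-key');
report('tampered state, HMAC under wrong key', verify_snapshot($tampered, $guessed, APP_KEY));
```

Run it with `php example.php`; only the first line is accepted. The security of the scheme rests entirely on APP_KEY staying secret, which is why it belongs in the environment and never in a repository or in anything sent to the browser.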
