Framework Analyzers

HAVOC ships with 9 Laravel-specific security analyzers. Each works on the parsed PHP AST rather than on regular expressions, so it understands the structure and context of your code (which method a call sits in, where a variable came from, which model a query targets).

All analyzers run by default. Disable or configure them in .havoc.yml.

1. Authorization Coverage

authorization-coverage | HAVOC-001 series | severity HIGH

Tracks which controller methods perform an explicit authorization check and reports coverage as a percentage across the whole application. Each uncovered method that is reachable through a route is flagged as a finding.

What counts as "covered"

  • $this->authorize('action', $model)
  • Gate::authorize('action') or Gate::allows()
  • $user->can('action') or auth()->user()->can()
  • Route middleware: middleware('can:action')
  • Policy invocations: $this->authorizeResource() in the constructor (covers the seven standard resource methods index, show, create, store, edit, update and destroy; custom actions such as bulkArchive() still need their own check)

What is excluded by default

  • Methods named __construct, middleware
  • Controllers in app/Http/Controllers/Auth/ (handled by Fortify/Breeze)
  • Methods marked with // @havoc-ignore authorization-coverage

# Example finding
HAVOC-001: Missing authorization gate
  File: app/Http/Controllers/ProjectController.php
  Line: 87
  Method: bulkArchive()
  
  No authorization check found. This method modifies resources
  but does not call authorize(), Gate::, or use auth middleware.
  
  Suggestion: $this->authorize('bulkArchive', Project::class);
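The following is an added example, not HAVOC's own code or output, showing the covered forms listed above side by side: authorizeResource() in the constructor, an explicit $this->authorize() for a custom action, the Gate facade, the route middleware form, and the ignore marker. It assumes a Project model with an owner_id column, an is_admin flag on User, and a ProjectPolicy registered for Project; all names are illustrative.

```php
<?php
// Added example, not HAVOC's own code. Assumes a Project model with an
// owner_id column, an is_admin flag on User, and a ProjectPolicy
// registered for Project; all names are illustrative.

// app/Policies/ProjectPolicy.php
namespace App\Policies;

use App\Models\Project;
use App\Models\User;

class ProjectPolicy
{
    public function view(User $user, Project $project): bool
    {
        return $user->id === $project->owner_id;
    }

    // Class-level ability: no model instance, because the action spans many.
    public function bulkArchive(User $user): bool
    {
        return (bool) $user->is_admin;
    }
}

// app/Http/Controllers/ProjectController.php
namespace App\Http\Controllers;

use App\Models\Project;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class ProjectController extends Controller
{
    public function __construct()
    {
        // Covered: authorizeResource() wires index/show/create/store/edit/
        // update/destroy to viewAny/view/create/create/update/update/delete.
        $this->authorizeResource(Project::class, 'project');
    }

    public function show(Project $project)
    {
        // Covered by the constructor above; no explicit call needed here.
        return view('projects.show', compact('project'));
    }

    public function bulkArchive(Request $request)
    {
        // Not a resource method, so authorizeResource() does not reach it.
        // Without the next line this is exactly the HAVOC-001 finding above.
        $this->authorize('bulkArchive', Project::class);

        Project::whereIn('id', $request->input('ids', []))
            ->update(['archived_at' => now()]);

        return back();
    }

    public function export(Project $project)
    {
        // Covered: Gate facade form; throws AuthorizationException on failure.
        Gate::authorize('view', $project);

        return response()->json($project);
    }

    // @havoc-ignore authorization-coverage
    public function health()
    {
        // Deliberately unauthenticated; the marker keeps it out of the metric.
        return response()->json(['ok' => true]);
    }
}

// routes/web.php: the middleware form is counted as covered too, so either
// this or the $this->authorize() call inside bulkArchive() would satisfy HAVOC.
use Illuminate\Support\Facades\Route;

Route::post('/projects/bulk-archive', [ProjectController::class, 'bulkArchive'])
    ->middleware(['auth', 'can:bulkArchive,App\Models\Project']);
```

The point to notice is that authorizeResource() is not a blanket: the moment a controller grows a non-resource action, that action has to carry its own check or its own route middleware.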

2. Mass Assignment

mass-assignment | HAVOC-101 series | severity HIGH

Detects Eloquent models with insufficient $fillable or $guarded protection. Flags controllers passing raw $request->all() or $request->input() directly to create() or update().

Detects

  • Models with $guarded = [] (completely unguarded)
  • Model::create($request->all()) without validation
  • $model->update($request->all())
  • Sensitive field names in $fillable: role, is_admin, permissions, email_verified_at

# Vulnerable
$user = User::create($request->all());

# Safe
$user = User::create($request->validated());
// or
$user = User::create($request->only(['name', 'email', 'password']));
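An added example (not HAVOC's or Laravel's own code) covering the fourth bullet above, which the snippet does not show: a sensitive column in $fillable, the FormRequest whose validated() output keeps it out of create(), and the one deliberate path that sets it behind a policy with forceFill(). It assumes a users table with an is_admin column, a UserPolicy with a promote() ability, and Laravel 10 or later for the 'hashed' cast.

```php
<?php
// Added example, not HAVOC's or Laravel's own code. Assumes a users table
// with an is_admin column, a UserPolicy with a promote() ability, and
// Laravel 10+ for the 'hashed' cast.

// app/Models/User.php
namespace App\Models;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Vulnerable (HAVOC-101): with is_admin fillable, User::create($request->all())
    // accepts is_admin=1 from anyone who adds that field to the form post.
    // protected $fillable = ['name', 'email', 'password', 'is_admin'];

    // Safe: only ordinary profile fields are mass-assignable.
    protected $fillable = ['name', 'email', 'password'];

    protected $casts = ['password' => 'hashed'];
}

// app/Http/Requests/StoreUserRequest.php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Validation\Rules\Password;

class StoreUserRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true;
    }

    public function rules(): array
    {
        return [
            'name'     => ['required', 'string', 'max:255'],
            'email'    => ['required', 'email', 'unique:users,email'],
            'password' => ['required', Password::defaults()],
        ];
    }
}

// app/Http/Controllers/UserController.php
namespace App\Http\Controllers;

use App\Http\Requests\StoreUserRequest;
use App\Models\User;

class UserController extends Controller
{
    public function store(StoreUserRequest $request)
    {
        // validated() returns only the keys declared in rules(), so a stray
        // is_admin field is discarded before it reaches the model.
        $user = User::create($request->validated());

        return redirect()->route('users.show', $user);
    }

    public function promote(User $user)
    {
        // The privileged column is written deliberately, behind a policy,
        // and bypasses $fillable via forceFill() rather than widening it.
        $this->authorize('promote', $user);

        $user->forceFill(['is_admin' => true])->save();

        return back();
    }
}
```

Keeping is_admin out of $fillable and out of rules() means both layers have to be wrong before the flag can be set from a request body.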

3. XSS / Blade Output

xss-blade | HAVOC-201 series | severity MEDIUM

Finds unescaped Blade output ({!! !!}) where user-controlled data may flow. Uses data flow analysis to trace whether the variable originates from user input.

Detects

  • {!! $variable !!} where $variable may be user-controlled
  • Variables passed from controller request data rendered unescaped
  • HTML stored in DB and rendered without sanitization

{{-- Safe: auto-escaped --}}
{{ $user->name }}

{{-- Risky: only if content is truly safe HTML --}}
{!! $article->rendered_html !!}
{{-- HAVOC flags this unless $article->rendered_html is sanitized --}}
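An added example (not HAVOC's own code) of the cross-file flow the analyzer traces, request input to controller to view to {!! !!}, together with the two ways to use {!! !!} that are actually safe and the one common non-fix. File names are illustrative; HTMLPurifier is named only as an example of a real sanitizer.

```php
<?php
// Added example, not HAVOC's own code. Shows the flow the analyzer follows
// across files: request -> controller -> view -> {!! !!}. Names are illustrative.

// app/Http/Controllers/ProfileController.php
namespace App\Http\Controllers;

use Illuminate\Http\Request;

class ProfileController extends Controller
{
    public function preview(Request $request)
    {
        // $bio is user-controlled from here on; HAVOC follows it into the view.
        $bio = $request->input('bio');

        return view('profile.preview', ['bio' => $bio]);
    }
}
?>
{{-- resources/views/profile/preview.blade.php --}}

{{-- Vulnerable (HAVOC-201): $bio came straight from the request and is rendered raw --}}
{!! $bio !!}

{{-- Safe: double braces escape, so <script> arrives as &lt;script&gt; --}}
{{ $bio }}

{{-- Safe use of {!! !!}: escape the user data first, then add markup you
     generated yourself (here, line breaks). --}}
{!! nl2br(e($bio)) !!}

{{-- Not a fix: strip_tags($bio, '<b><i><a>') keeps attributes such as
     onerror= or href="javascript:" on the tags it allows. When stored HTML
     must render raw, run it through a real HTML sanitizer (for example
     HTMLPurifier) when it is written, so the template only ever sees
     already-clean markup. --}}
```

The nl2br(e($bio)) idiom is worth remembering: the escaping happens before the markup is added, which is the only order in which {!! !!} is safe on user data.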

4. SQL Injection

sql-injection | HAVOC-301 series | severity CRITICAL

Detects raw database queries that interpolate user input without parameterization.

Detects

  • DB::statement("SELECT ... WHERE id = $id")
  • DB::select("... WHERE name = '" . $request->name . "'")
  • whereRaw() with string interpolation
  • orderByRaw() with unsanitized user input

# Vulnerable
DB::select("SELECT * FROM users WHERE email = '$email'");

# Safe
DB::select("SELECT * FROM users WHERE email = ?", [$email]);
// or
User::where('email', $email)->get();
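The snippet above fixes a value with a ? binding. The orderByRaw() case in the list needs a different fix, because identifiers (column names, ASC/DESC) cannot be bound as parameters. The following is an added example, not HAVOC's own code, that contrasts the two; it assumes a users table with name, email and created_at columns.

```php
<?php
// Added example, not HAVOC's own code. Column names and sort direction
// cannot travel as ? bindings, so the orderByRaw() case is fixed with an
// allowlist, not a placeholder. Assumes a users table with name, email
// and created_at columns.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;

class UserController extends Controller
{
    // Vulnerable (HAVOC-301): ?sort=name; DROP TABLE users-- is spliced into the SQL text.
    public function indexVulnerable(Request $request)
    {
        return User::orderByRaw($request->input('sort', 'created_at') . ' DESC')->get();
    }

    // Safe: the identifier is chosen from a fixed set and quoted by the query builder.
    public function index(Request $request)
    {
        $allowed = ['name', 'email', 'created_at'];

        $sort = $request->input('sort', 'created_at');
        $dir  = $request->input('dir', 'desc');

        if (! in_array($sort, $allowed, true)) {
            $sort = 'created_at';       // or abort(422) to fail loudly instead
        }
        $dir = $dir === 'asc' ? 'asc' : 'desc';

        return User::orderBy($sort, $dir)->get();
    }

    // Safe: whereRaw() does accept bindings, so values go through ? placeholders.
    public function search(Request $request)
    {
        $email = strtolower((string) $request->input('email'));

        return User::whereRaw('LOWER(email) = ?', [$email])->get();
    }
}
```

The rule of thumb: a ? placeholder protects values; anything that ends up in the SQL structure (column, table, direction, function name) has to be matched against a list you wrote.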

5. Insecure Direct Object Reference (IDOR)

idor | HAVOC-401 series | severity HIGH

Detects controller methods that fetch models by ID from request input without verifying ownership or authorization. Understands Laravel's implicit route model binding.

# Vulnerable: user can access any project by ID
public function show(Request $request) {
    $project = Project::find($request->project_id);
    return view('projects.show', compact('project'));
}

# Safe: scoped to authenticated user's projects
public function show(Request $request) {
    $project = auth()->user()->projects()->findOrFail($request->project_id);
    return view('projects.show', compact('project'));
}
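The snippet above fetches by hand. Laravel's implicit route model binding moves the Project::find() into the router, and the analyzer treats the two the same way. The following is an added example, not HAVOC's own code, showing the binding form unguarded, guarded by a policy, guarded by route middleware, and the scoped-binding variant with its caveat. It assumes Project belongsTo User via owner_id, a ProjectPolicy::view() that compares the two, and a UserPolicy::view() for the nested route.

```php
<?php
// Added example, not HAVOC's own code. Assumes Project belongsTo User via
// owner_id, ProjectPolicy::view() comparing the two, and UserPolicy::view()
// for the nested route. Names are illustrative.

// app/Http/Controllers/ProjectController.php
namespace App\Http\Controllers;

use App\Models\Project;
use App\Models\User;

class ProjectController extends Controller
{
    // Vulnerable (HAVOC-401): implicit binding resolves ANY existing id, so
    // GET /projects/{project} is the same IDOR as Project::find() above.
    public function showVulnerable(Project $project)
    {
        return view('projects.show', compact('project'));
    }

    // Safe: the ownership rule lives in ProjectPolicy::view() and is checked here.
    public function show(Project $project)
    {
        $this->authorize('view', $project);

        return view('projects.show', compact('project'));
    }

    // Used by the scoped-binding route below; $project was resolved through
    // $user->projects(), so a foreign project id never reaches this method.
    public function showNested(User $user, Project $project)
    {
        return view('projects.show', compact('project'));
    }
}

// routes/web.php
use Illuminate\Support\Facades\Route;

// Same check as $this->authorize('view', $project), expressed as route middleware.
Route::get('/projects/{project}', [ProjectController::class, 'show'])
    ->middleware(['auth', 'can:view,project']);

// Scoped bindings: {project} is looked up via $user->projects(), so an id that
// belongs to someone else is a 404. On its own this is NOT an ownership check,
// because {user} is attacker-supplied too; the can:view,user middleware is
// what ties the parent to the caller.
Route::get('/users/{user}/projects/{project}', [ProjectController::class, 'showNested'])
    ->scopeBindings()
    ->middleware(['auth', 'can:view,user']);
```

Scoping the child to the parent only helps once the parent itself is authorized; without that, the nested URL just moves the IDOR one segment to the left.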

6. Policy Parity

policy-parity | HAVOC-501 series | severity MEDIUM

Checks that model Policies implement all expected actions. If your controller has update, delete, and create actions, the Policy should have corresponding update(), delete(), and create() methods.

7. Privilege Escalation

privilege-escalation | HAVOC-601 series | severity HIGH

Detects code paths where a user can assign roles or permissions to themselves or others without adequate authorization checks. Understands Spatie Laravel-Permission's role/permission APIs.
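An added example, not HAVOC's or Spatie's own code, of the pattern this analyzer is after: a role-assignment endpoint that takes the role name from the request, next to a version that separates who may grant (a policy), what may be granted (a fixed list), and whether the caller is the target. It assumes spatie/laravel-permission with the HasRoles trait on User, roles named viewer, editor and admin, and a UserPolicy with a manageRoles() ability.

```php
<?php
// Added example, not HAVOC's or Spatie's own code. Assumes
// spatie/laravel-permission (HasRoles on User), roles viewer/editor/admin,
// and a UserPolicy::manageRoles() ability; all illustrative.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class UserRoleController extends Controller
{
    // Vulnerable (HAVOC-601): any authenticated caller can pick 'admin' for any
    // user, including themselves; syncRoles() replaces whatever roles were there.
    public function updateVulnerable(Request $request, User $user)
    {
        $user->syncRoles([$request->input('role')]);

        return back();
    }

    // Safe: who may grant is a policy decision, what may be granted is a fixed
    // list that excludes the top role, and self-modification is refused outright.
    public function update(Request $request, User $user)
    {
        $this->authorize('manageRoles', $user);

        if ($user->is($request->user())) {
            abort(403, 'You cannot change your own role.');
        }

        $grantable = ['viewer', 'editor'];   // 'admin' is not grantable from this screen

        $data = $request->validate([
            'role' => ['required', Rule::in($grantable)],
        ]);

        $user->syncRoles([$data['role']]);

        return back();
    }
}
```

The same shape applies to givePermissionTo() and syncPermissions(): validate the names against a list you control, never against whatever exists in the roles table, or a caller can climb to the highest role the table happens to contain.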

8. State Machine Bypass

state-machine | HAVOC-701 series | severity MEDIUM

Flags status/state fields that can be updated without validating the current state. Catches cases where an invoice can jump from "draft" to "paid" without going through "approved".
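An added example, not HAVOC's own code, of the invoice case described above: the status written straight from the request, next to a transition table that is consulted before every write. It assumes an Invoice model with a string status column and an InvoicePolicy with an update() ability; the transition graph is illustrative.

```php
<?php
// Added example, not HAVOC's own code. Assumes an Invoice model with a string
// status column and InvoicePolicy::update(); the transition table is illustrative.

namespace App\Http\Controllers;

use App\Models\Invoice;
use Illuminate\Http\Request;

// The allowed transitions, written down once. Everything not listed is refused.
final class InvoiceStatus
{
    public const TRANSITIONS = [
        'draft'     => ['approved', 'cancelled'],
        'approved'  => ['paid', 'cancelled'],
        'paid'      => [],              // terminal
        'cancelled' => [],              // terminal
    ];

    public static function canTransition(string $from, string $to): bool
    {
        return in_array($to, self::TRANSITIONS[$from] ?? [], true);
    }
}

class InvoiceController extends Controller
{
    // Vulnerable (HAVOC-701): draft -> paid in a single request, no check of
    // the current state, no restriction on the target state.
    public function updateStatusVulnerable(Request $request, Invoice $invoice)
    {
        $invoice->update(['status' => $request->input('status')]);

        return back();
    }

    // Safe: the target is validated against the current state, and the write
    // is conditional on that state still holding when it lands.
    public function updateStatus(Request $request, Invoice $invoice)
    {
        $this->authorize('update', $invoice);

        $to = $request->validate(['status' => ['required', 'string']])['status'];

        if (! InvoiceStatus::canTransition($invoice->status, $to)) {
            abort(422, "Cannot move invoice from {$invoice->status} to {$to}");
        }

        // The WHERE on the old status makes this a no-op if another request
        // changed the invoice between our read and this update.
        $updated = Invoice::whereKey($invoice->id)
            ->where('status', $invoice->status)
            ->update(['status' => $to]);

        abort_unless($updated === 1, 409, 'Invoice status changed concurrently');

        return back();
    }
}
```

The conditional update matters as much as the table: two concurrent "approve" requests that both read draft would otherwise both pass the transition check, and the second write would silently succeed.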

9. Credential Exposure

credential-exposure | HAVOC-801 series | severity CRITICAL

Detects API keys, tokens, passwords, and other secrets hardcoded in PHP source files (not .env files, which Laravel's default .gitignore keeps out of version control). Uses entropy analysis and pattern matching for common secret formats.

Detects

  • Hardcoded passwords in source files
  • AWS keys, Stripe keys, GitHub tokens matching known patterns
  • High-entropy strings that look like secrets
  • Credentials committed in config files tracked by git
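To make the two techniques named above concrete, here is an added example, not HAVOC's implementation: a minimal scanner that applies a few known-format patterns and a Shannon-entropy check to quoted string literals, run over constructed sample lines. The patterns, thresholds and key-like values are illustrative assumptions; the keys are fabricated, not real credentials.

```php
<?php
// Added example, not HAVOC's implementation: known-format patterns plus
// Shannon entropy on string literals, run over constructed sample lines.
// Patterns, thresholds and the fake keys are illustrative assumptions.

function shannonEntropy(string $s): float
{
    $len = strlen($s);
    if ($len === 0) {
        return 0.0;
    }
    $h = 0.0;
    foreach (count_chars($s, 1) as $count) {
        $p = $count / $len;
        $h -= $p * log($p, 2);
    }
    return $h;                          // bits per character, 0.0 .. 8.0
}

const SECRET_PATTERNS = [
    'AWS access key id'  => '/\bAKIA[0-9A-Z]{16}\b/',
    'Stripe live secret' => '/\bsk_live_[0-9A-Za-z]{24,}\b/',
    'GitHub token'       => '/\bgh[pousr]_[0-9A-Za-z]{36,}\b/',
];

/**
 * Returns the reasons a line looks like it carries a secret (empty if none).
 * $minLen and $minEntropy are illustrative cut-offs: a 16-symbol hex string
 * tops out at 4.0 bits/char, so 3.5 catches hex and base64-ish material
 * while ordinary words and repeated placeholders stay well below it.
 */
function scanLine(string $line, int $minLen = 20, float $minEntropy = 3.5): array
{
    $findings = [];

    foreach (SECRET_PATTERNS as $name => $regex) {
        if (preg_match($regex, $line)) {
            $findings[] = $name;
        }
    }

    // Generic check: a quoted literal of $minLen+ token characters with high entropy.
    if (preg_match_all('/[\'"]([A-Za-z0-9+\/=_\-]{' . $minLen . ',})[\'"]/', $line, $m)) {
        foreach ($m[1] as $literal) {
            $h = shannonEntropy($literal);
            if ($h >= $minEntropy) {
                $findings[] = sprintf('high-entropy literal (%.2f bits/char)', $h);
            }
        }
    }

    return $findings;
}

// Constructed sample lines; the key-like values are fabricated.
$samples = [
    "\$s3 = new S3Client(['key' => 'AKIAIOSFODNN7EXAMPLE']);",          // AWS pattern (and high entropy)
    "\$token = 'aB3dE7fG9hJ2kL4mN6pQ8rS0tU5vW1xY';",                    // 32 distinct chars: 5.0 bits/char
    "\$placeholder = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';",              // long but 0.0 bits/char: ignored
    "\$stripe = new StripeClient(config('services.stripe.secret'));",   // correct: value lives in config/.env
];

foreach ($samples as $line) {
    $hits = scanLine($line);
    printf("%-5s %s\n", $hits ? 'FLAG' : 'ok', $line);
    foreach ($hits as $hit) {
        echo "      - {$hit}\n";
    }
}
```

The entropy check is what catches secrets with no recognizable prefix, and it is also the source of false positives (hashes, base64 fixtures, long random test data), which is why a real analyzer pairs it with the format patterns and lets you suppress individual lines.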