Skip to content

Vulnerable Laravel application used in various PHP/Laravel security presentations by @anamus_ during 2019-2020.

Notifications You must be signed in to change notification settings

appelsiini/vulnerable-laravel-app

Repository files navigation

Vulnerable Laravel App

This application was used in anamus' conference presentations to demonstrate the following vulnerabilities that are usually caused by poor development practises or mistakes in your code.

One of the talks recording is available at YouTube.

This application contains critical security vulnerabilities, DO NOT deploy or run this application outside of your localhost (or expose your localhost while running this)

Requirements

  • Docker
  • Docker Compose
  • PHP (>v7.1 preferably) & Composer

Installation

  • composer install
  • docker-compose up -d
  • docker exec vuln-app php artisan migrate --seed

Vulnerabilities & tips

SQL Injection

  • There's a vulnerable API endpoint at http://localhost:1234/api/events?sort=id (assuming you're running this in docker)
  • There are many ways to exploit this, if you attended the talk you'll know one very specific tool for this

Object Injection

Privilege Escalation

  • This project's docker compose setup intentionally configures Laravel scheduler to run as root, that's all you need to know ;)

About

Vulnerable Laravel application used in various PHP/Laravel security presentations by @anamus_ during 2019-2020.

Resources

Stars

Watchers

Forks