Skip to content

Latest commit

 

History

History
28 lines (21 loc) · 1.26 KB

README.md

File metadata and controls

28 lines (21 loc) · 1.26 KB

Vulnerable Laravel App

This application was used in anamus' conference presentations to demonstrate the following vulnerabilities that are usually caused by poor development practises or mistakes in your code.

One of the talks recording is available at YouTube.

This application contains critical security vulnerabilities, DO NOT deploy or run this application outside of your localhost (or expose your localhost while running this)

Requirements

  • Docker
  • Docker Compose
  • PHP (>v7.1 preferably) & Composer

Installation

  • composer install
  • docker-compose up -d
  • docker exec vuln-app php artisan migrate --seed

Vulnerabilities & tips

SQL Injection

  • There's a vulnerable API endpoint at http://localhost:1234/api/events?sort=id (assuming you're running this in docker)
  • There are many ways to exploit this, if you attended the talk you'll know one very specific tool for this

Object Injection

Privilege Escalation

  • This project's docker compose setup intentionally configures Laravel scheduler to run as root, that's all you need to know ;)