This application was used in my Laracon EU 2019 Amsterdam and PHPCon Poland 2019 presentations to demonstrate the following vulnerabilities that are usually caused by poor development practises or mistakes in your code.

A record of the talk is available on YouTube.

This application contains critical security vulnerabilities, DO NOT deploy or run this application outside of your localhost (or expose your localhost while running this)

• Docker
• Docker Compose
• PHP (>v7.1 preferably) & Composer

• composer install
• docker-compose up -d
• docker exec vuln-app php artisan migrate --seed

• There's a vulnerable API endpoint at http://localhost:1234/api/events?sort=id (assuming you're running this in docker)
• There are many ways to exploit this, if you attended the talk you'll know one very specific tool for this

• The tool used in the presentation is PHPGGC (https://github.com/ambionics/phpggc)
• API endpoints used can be found at /api/uploads & /api/file-details?fileName=xxx

• This project's docker compose setup intentionally configures Laravel scheduler to run as root, that's all you need to know ;)