Local educational use only. Never deploy on a public-facing server.

Damn Vulnerable Laravel Application

A modern, guided security lab targeting real-world Laravel stack exploits.
Built for OSWE prep, AppSec training, and Laravel developers who want to understand
what production vulnerabilities actually look like, and how they chain together.

Why DVLA?

DVWA and similar tools demonstrate generic, early-era web vulnerabilities on outdated PHP. DVLA targets the real attack surface of a modern Laravel stack.

Modern Stack

PHP 8.2, Laravel 12, Livewire 3, Docker Compose, Redis & Horizon. The same stack running in production today, not CGI-era PHP.

Full Kill Chain

Vulnerabilities chain into a complete host compromise: .env leak -> APP_KEY RCE -> Redis job injection -> docker.sock escape.

Blog-Guided

Every exploit module has a companion post right here with source code walkthroughs, proof-of-concept steps, and side-by-side remediation.

The Kill Chain

Five individually defensible shortcuts that compound into a full host compromise.

1. Nginx: .env exposed, readable via HTTP
2. Credentials: APP_KEY extracted from .env
3. Laravel App: Forged cookie -> deserialization RCE
4. Redis: No-auth queue backend -> job injection
5. Docker: docker.sock mounted -> host escape

Vulnerability Modules

Nine intentional misconfigurations across the full stack. Explore each one in your own local instance, then check the companion blog series below for the full walkthrough.

Easy

.env Exposure

Nginx misconfiguration serves the .env file over HTTP, exposing APP_KEY, database credentials, and all secrets.

APP_DEBUG Stack Traces

Debug mode enabled in production leaks file paths, environment variables, and database credentials in exception stack traces.

Mass Assignment

Eloquent model lacks $fillable, so the registration endpoint accepts is_admin=1 and grants admin on signup.

Medium

PHP Type Juggling

Custom auth uses == instead of ===, so magic hash values like 0e... bypass authentication entirely.
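
The loose comparison behind this module next to its fix, as an added example (not DVLA's own code). The digest strings and function names are constructed for illustration.

```php
<?php
// Added illustration, not DVLA source. All digests below are constructed samples.

// Both have the "0e" + digits shape, which PHP reads as a numeric string
// (scientific notation, value zero).
const STORED_DIGEST   = '0e111111111111111111111111111111';
const SUPPLIED_DIGEST = '0e999999999999999999999999999999';

// Vulnerable pattern: == compares two numeric strings as numbers (0.0 == 0.0).
function digestMatchesLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Type-safe: === requires identical strings, but is not constant-time.
function digestMatchesStrict(string $stored, string $supplied): bool
{
    return $stored === $supplied;
}

// Remediation for comparing secrets: hash_equals() is byte-wise and constant-time.
function digestMatchesConstantTime(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

$cases = [
    'two different 0e digests' => [STORED_DIGEST, SUPPLIED_DIGEST],
    'identical digests'        => [STORED_DIGEST, STORED_DIGEST],
    'different hex digests'    => [
        'a1b2c3d4e5f60718293a4b5c6d7e8f90',
        'a1b2c3d4e5f60718293a4b5c6d7e8f91',
    ],
];

// Print one row per case so the three checks can be compared side by side.
foreach ($cases as $label => [$stored, $supplied]) {
    printf(
        "%-26s ==: %-5s  ===: %-5s  hash_equals: %s\n",
        $label,
        var_export(digestMatchesLoose($stored, $supplied), true),
        var_export(digestMatchesStrict($stored, $supplied), true),
        var_export(digestMatchesConstantTime($stored, $supplied), true)
    );
}
```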

IDOR via Route Binding

No ownership check on /users/{id}/data, so any authenticated user can access any other user's records just by changing the ID.

Livewire File Upload Bypass

Component trusts MIME type over extension. Upload a .php shell as image/png and it lands in public/storage/ ready to execute.

Hard

APP_KEY -> RCE

Extracted APP_KEY forges a signed session cookie. Laravel deserializes it and you get full RCE as www-data with no authentication needed.

Redis Job Injection

Unauthenticated Redis exposed on all interfaces. Push a serialized Laravel job directly and the Horizon worker picks it up and executes it.

docker.sock Escape

docker.sock mounted in the app and Horizon containers. From container RCE you can spawn a privileged container and mount the host filesystem.

Companion Blog Series

Full write-ups for every module above. Each post includes source code review, step-by-step exploit, and remediation.

Start Here: Getting DVLA Running Locally

Clone, build, and stand up the full Docker lab in under fifteen minutes.