A modern, guided security lab targeting real-world Laravel stack exploits.
Built for OSWE prep, AppSec training, and Laravel developers who want to understand
what production vulnerabilities actually look like, and how they chain together.
DVWA and similar tools demonstrate generic, early-era web vulnerabilities on outdated PHP. DVLA targets the real attack surface of a modern Laravel stack.
PHP 8.2, Laravel 12, Livewire 3, Docker Compose, Redis & Horizon. The same stack running in production today, not CGI-era PHP.
Vulnerabilities chain into a complete host compromise: .env leak -> APP_KEY RCE -> Redis job injection -> docker.sock escape.
Every exploit module has a companion post right here with source code walkthroughs, proof-of-concept steps, and side-by-side remediation.
Five individually defensible shortcuts that compound into a full host compromise.
.env exposed, readable via HTTP
APP_KEY extracted from .env
docker.sock mounted -> host escape
Nine intentional misconfigurations across the full stack. Explore each one in your own local instance, then check the companion blog series below for the full walkthrough.
Nginx misconfiguration serves the .env file over HTTP, exposing APP_KEY, database credentials, and all secrets.
Debug mode enabled in production leaks file paths, environment variables, and database credentials in exception stack traces.
Eloquent model lacks $fillable, so the registration endpoint accepts is_admin=1 and grants admin on signup.
Custom auth uses == instead of ===, so magic hash values like 0e... bypass authentication entirely.
No ownership check on /users/{id}/data, so any authenticated user can access any other user's records just by changing the ID.
Component trusts MIME type over extension. Upload a .php shell as image/png and it lands in public/storage/ ready to execute.
Extracted APP_KEY forges a signed session cookie. Laravel deserializes it and you get full RCE as www-data with no authentication needed.
Unauthenticated Redis exposed on all interfaces. Push a serialized Laravel job directly and the Horizon worker picks it up and executes it.
docker.sock mounted in the app and Horizon containers. From container RCE you can spawn a privileged container and mount the host filesystem.
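The == versus === module in the list above, shown as an added example that is not DVLA's own code: the two digests are constructed "0e..." strings (not real magic-hash preimages), and the function names are assumed for illustration.

```php
<?php
// Added example, not DVLA's code. Illustrates the == vs === auth bypass module.
// Any hex digest matching /^0e\d+$/ is a numeric string in PHP, so loose
// comparison turns both sides into the float 0 and reports them equal.
declare(strict_types=1);

// Constructed stand-in for the hash stored in the users table.
const STORED_HASH = '0e123456789012345678901234567890';
// Constructed stand-in for the hash of a password supplied at login.
const CANDIDATE_HASH = '0e987654321098765432109876543210';

/** Vulnerable: loose comparison, the pattern the custom auth module uses. */
function loginLoose(string $stored, string $candidate): bool
{
    return $stored == $candidate; // numeric string vs numeric string => 0 == 0
}

/** Hardened: constant-time byte comparison that never treats digests as numbers. */
function loginStrict(string $stored, string $candidate): bool
{
    return hash_equals($stored, $candidate);
}

// In a real Laravel app, store bcrypt/argon2 hashes and use password_verify()
// (or Hash::check) instead of comparing raw digests at all.
var_dump(loginLoose(STORED_HASH, CANDIDATE_HASH));
var_dump(loginStrict(STORED_HASH, CANDIDATE_HASH));
```

Run it with `php` to see the loose comparison accept two different digests while hash_equals rejects them.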
Full write-ups for every module above. Each post includes source code review, step-by-step exploit, and remediation.
Clone, build, and stand up the full Docker lab in under fifteen minutes.