Commit 66f94e42 authored by Jona Löffler

Update readme

parent 877d21b5
## #ddev-generated
## Description: Provisioning of the web container
## Usage: provision
## Example: "ddev provision"
cd $DOCROOT && composer install
cd $DOCROOT && cp .env.example .env
cd $DOCROOT && php artisan key:generate
cd $DOCROOT && php artisan migrate:fresh
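Review bot: `cp .env.example .env` on the second command line overwrites an existing `.env` without checking, and the `php artisan key:generate` and `php artisan migrate:fresh` calls after it then replace the app key and drop every table, so re-running `ddev provision` on a working setup silently resets local configuration and data. Consider copying only when `.env` is absent (for example `[ -f .env ] || cp .env.example .env`) and saying in the `## Description` line that the command resets the database. `$DOCROOT` is also unquoted in all four `cd` calls, and nothing visible here stops the script after a failed `composer install`; quoting the variable and adding `set -e` near the top would make failures explicit.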
......@@ -9,11 +9,11 @@ LOG_DEPRECATIONS_CHANNEL=null
......@@ -3,18 +3,24 @@
This repository contains the code for demonstrating a SSRF vulnerability in a close-to real-world scenario.
The demonstration is written in PHP and makes use of the [Laravel framework](
To get started, set up the project on a web server (e.g. NGINX, Apache) and connect it to a database (MySQL, MariaSQL).
To get started, clone the project and set it up on a web server with PHP 8.0 (e.g. NGINX, Apache), as well as connecting it to a database (MySQL, MariaSQL).
The webserver needs to be pointed to the entry point of the application, which is `public/index.php`.
Make sure the values are correctly set in the .env file.
For more information on this, click [here]( and also [here](
There are many options that aim to simplify this process, for example:
- [DDEV](
Install the PHP dependency manager Composer and run `composer install`.
For more information on the installation steps, click [here]( and also [here](
There are many options that aim to simplify the setup process, for example:
- [DDEV]( (This is probably the easiest way if you have Docker
installed, and also what I use to run this project. After the DDEV
installation, simply run `ddev provision && ddev launch profile` inside the
project directory.)
- [Laravel Homestead](
- [Laravel Sail](
- [Laradock](
With the project running, visit `/profile`.
With the project running, visit `<domain>/profile` in your browser.
This page will provide a minimal input form, in to which an URI can be entered.
After clicking `Save`, the input will be persisted to the database.
After clicking `Save`, the input will be persisted to the database.
When a valid URI pointing to an image was provided, that image will now be diplayed on the page.
Other valid URIs will be rendered as broken `<img>` tags, but the content corresponding content is visible in the Browser's Dev Tools.
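Review bot: The new setup sentence beginning "To get started, clone the project" still names the database as "MariaSQL", which should read "MariaDB", and the closing lines of this hunk carry "diplayed", "in to which an URI" and the doubled "the content corresponding content". Since the README describes an application that is vulnerable by design, the setup paragraph would also benefit from one sentence stating that it is meant for a local or otherwise isolated environment; the DDEV bullet implies that, but the NGINX/Apache path does not.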
......@@ -27,5 +33,5 @@ Possible inputs
* file:///var/www/html/routes/web.php
* http://localhost/admin
* file:///var/www/html/.env
* file:///usr/passwd
\ No newline at end of file
* file:///etc/passwd
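Review bot: The two `file:///var/www/html/...` entries at the top of this hunk hard-code a project root that may not match every setup option the README lists; a short note that the paths assume the project lives at `/var/www/html` would keep the examples reproducible. The change from `file:///usr/passwd` to `file:///etc/passwd` is correct, and each entry could say in a few words what the reader should expect to see for it, since the README states that non-image results only show up in the browser's dev tools.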