PHP Security-testing Resources

FilterGuard FilterGuard is a simple PHP library for data sanitization. It provides methods to sanitize strings, integers, floats, boolean values, arra

Introduction This package allows you as a developer to restrict who can and cannot run artisan commands, especially in a production environment. For e

Raven - How to test your API documentation and behavior. This library was written to allow testing OpenAPI documentation easily. It also allows verify

PT Phone Home As penetration testers, we often come up with creative methods to deliver and execute our payloads, such as staged payloads. A staged pa

Installation composer require amirrezam75/laravel-assertions I was working on a project and in order to test oauth2 redirection, I ended up with somet

BjyAuthorize - Acl security for ZF2 Deprecated This package is now officially deprecated and will not receive any future updates or bug fixes. As long

Cigar A smoke testing tool inspired by symm/vape Similar tools include: Blackfire Player Installation Install via composer: composer require brunty/ci

PHP Reverse Shell Just a little refresh on the popular PHP reverse shell script pentestmonkey/php-reverse-shell. Credits to the original author! Works

Shopsys HTTP Smoke Testing This package enables you to do simple HTTP smoke testing of your Symfony application. Basically, it generates a HTTP reques

login.php What is a login system? login (derived from the English log in) or logon or signin, is the process to access a restricted computer system ma

google-api-php-client-mock A small scale intelligent mock of the Google API PHP Client for unit and functional testing. Overview This is intended to m

Application with SQL Injection vulnerability and possible privilege escalation. Free vulnerable app for ethical hacking / penetration testing training.

FIG - Log Test Testing utilities for the psr/log package that backs the PSR-3 specification. Psr\Log\Test\LoggerInterfaceTest provides a base test cla

PHPUnit Exercise Running PHPUnit ./vendor/bin/phpunit # with filter which tests to run ./vendor/bin/phpunit --filter pattern Running Pint ./vendor/

Laravel Dusk Fakes Support this package! ❤️ We proudly support the community by developing Laravel packages and giving them away for free. If this pac

A Laravel package to scrub sensitive information that breaks operational security policies from being leaked on accident or not by developers.

PSpec PSpec is a testing framework for PHP, influenced by RSpec and jest. This project is experimental and still needs a lot of work. Example // src/C

🔒 Laravel Password Exposed Validation Rule This package provides a Laravel validation rule that checks if a password has been exposed in a data breac

ABRouter-Compose 📟 ABRouter is the open-source tool to perform and track A/B tests which is also known as the experiments. Additionally, feature flag

Laravel Arkitect Laravel Arkitect lets you test and enforce your architectural rules in your Laravel applications, and it's a PHPArkitect wrapper for

wp-cli/shell-command Opens an interactive PHP console for running and testing PHP code. Quick links: Using | Installing | Contributing | Support Using

⚡ Php8 FPM Nginx Fast, Scripts, Pearls & Treasures 🚀 Want to run and test asap ? docker-compose up -d phpgit_php8;ip=$(docker-machine ip default);ech

security-checker-action This action checks your composer.lock for known vulnerabilities in your package dependencies. Inputs lock optional The path to

Snake web application Project of the web application where you can interact via API with Snake game which is available to download on it. Application

Jasny PHPUnit extension Additional functionality for PHPUnit. Callback mock - assert that callback is called with correct arguments. Safe mocks - disa

laminas-crypt 🇷🇺 Русским гражданам Мы, участники Laminas, родились и живем в разных странах. У многих из нас есть друзья, родственники и коллеги как

Removes final keywords from source code on-the-fly and allows mocking of final methods and classes. It can be used together with any test tool such as PHPUnit or Mockery.

TYPO3 HTML Sanitizer ℹ️ Common safe HTML tags & attributes as given in \TYPO3\HtmlSanitizer\Builder\CommonBuilder still might be adjusted, extended or

Fix Major Security Vulnerability on PrestaShop Websites 🚀 CVE-2022-31101 detector and fixer! A newly found exploit could allow remote attackers to ta

Incognito-Confessions A laravel test build by Incline Start-up Agency. Testing Git and framework functions. Description A laravel starter for future t

In your project, you might store sensitive personal data in your database. Should an unauthorised person get access to your DB, all sensitive can be read which is obviously not good.

PHP Version Audit PHP Version Audit is a convenience tool to easily check a given PHP version against a regularly updated list of CVE exploits, new re

WordPress Login Locker Disable direct access to your sites /wp-login.php script plus user notifications based on actions. Package Installation (via Co

Request Factories Test requests in Laravel without all the boilerplate. 💡 Psst. Although our examples use Pest PHP, this works just as well in PHPUni

An effort to make testing PHP code as easy and fun as its JavaScript equivalent when using the excellent Jasmine, from which syntax and general usage is shamelessly borrowed.

Slim Test Helpers Integration testing helpers for the Slim Framework 3 For a full example, please see the companion repo at there4/slim-unit-testing-e

Eloquent Scope Assertion This package allows you to assert that the scope of a model is called in your tests. Installation You can install the package

Web page performance/seo/security/accessibility analysis, browser-less for PHP

PHPUnit Polyfills Set of polyfills for changed PHPUnit functionality to allow for creating PHPUnit cross-version compatible tests. Requirements Instal

CrimeFlare is a useful tool for bypassing websites protected by CloudFlare WAF, with this tool you can easily see the real IP of websites that have been protected by CloudFlare. The resulting information is certainly very useful for conducting further penetration testing, and analyzing websites with the same server.

File Upload Vulnerability Scenarios (Challenges) This repository is a dockerized PHP application containing some file upload vulnerability challenges

Humbug is a Mutation Testing framework for PHP to measure the real effectiveness of your test suites and assist in their improvement. It eats Code Coverage for breakfast.

Added Laravel functionality to Enlightn Security Checker. Adds a command to check for, and optionally emails you, vulnerabilities when they affect you.

PHPArch What is this? Installation Simple Namespace validation Available Validators Defining an architecture Syntactic sugar: Bulk definition of compo

PHP library for Two Factor Authentication PHP library for two-factor (or multi-factor) authentication using TOTP and QR-codes. Inspired by, based on b

This package can create URLs with a limited lifetime. This is done by adding an expiration date and a signature to the URL.

Passbolt - Open source password manager for teams

Security Component The Security component provides a complete security system for your web application. It ships with facilities for authenticating us

Snuffleupagus is a PHP 7+ and 8+ module designed to drastically raise the cost of attacks against websites, by killing entire bug classes

Laravel TestBench Laravel TestBench was created by, and is maintained by Graham Campbell, and provides some testing functionality for Laravel. It util

SecurityMultiTool A multitool library offering access to recommended security related libraries, standardised implementations of security defences, an

laminas-barcode 🇷🇺 Русским гражданам Мы, участники Laminas, родились и живем в разных странах. У многих из нас есть друзья, родственники и коллеги к

wp-cli/secure-command Official website: Hackthewp.com Manages common security aspects of WordPress. Supports nginx and Apache. Basic Usage This packag

CI/CD example This repository aims to build a fairly complete CI/CD example using GitHub workflows and actions. Keep in mind that the toolset used in

Secure Headers Add security related headers to HTTP response. The package includes Service Providers for easy Laravel integration. Version Installatio

laminas-console This package is abandoned and will receive no further development! We recommend using laminas/laminas-cli. Laminas\Console is a compon

Laravel Security Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campb

PHPStan PHPUnit extensions and rules PHPStan PHPUnit This extension provides following features: createMock(), getMockForAbstractClass() and getMockFr

CSRF Cookie Bundle This Symfony bundle provides Cross Site Request Forgery (CSRF or XSRF) protection for client-side applications requesting endpoints

Google2FA for Laravel Google Two-Factor Authentication Package for Laravel Google2FA is a PHP implementation of the Google Two-Factor Authentication M

MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reversers to support their day-to-day operations to share structured information efficiently.

Damn Vulnerable PHP Application (DVPA) - It is Lab Written in The PHP lang, Which Contains PHP Type Juggling - RCE Challenges

An utility component for XML usage and best practices in PHP

Regexp Security Cheatsheet Research was done to find "weak places" in regular expressions of Web Application Firewalls (WAFs). Repository contains SAS

A Fully Featured home-hosted Cloud Storage platform and Personal Assistant that Converts files, OCR's images & documents, Creates archives, Scans for viruses, Protects your server, Keeps itself up-to-date, and Runs your own AppLauncher!

A laboratory for learning secure web and mobile development in a practical manner. Build your lab By provisioning local environments via docker-compos

Create and update progress bars in different environments

laminas-text This package is considered feature-complete, and is now in security-only maintenance mode, following a decision by the Technical Steering

laminas-xml2json This package is considered feature-complete, and is now in security-only maintenance mode, following a decision by the Technical Stee

laminas-math This package is considered feature-complete, and is now in security-only maintenance mode, following a decision by the Technical Steering

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed.

Analyses and produces a report with testability issues of a php codebase

Crawlzone is a fast asynchronous internet crawling framework aiming to provide open source web scraping and testing solution. It can be used for a wide range of purposes, from extracting and indexing structured data to monitoring and automated testing. Available for PHP 7.3, 7.4, 8.0.

CommandHelper CommandHelper - is a very useful thing for quick code testing and more! Examples: Code: require_once('commandhelper.php');

🔒 Password Exposed Helper Function This PHP package provides a password_exposed helper function, that uses the haveibeenpwned.com API to check if a p

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.

laminas-servicemanager-di This package is considered feature-complete, and is now in security-only maintenance mode, following a decision by the Techn

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.

PHP Secure Configuration Checker Check current PHP configuration for potential security flaws. Simply access this file from your webserver or run on C

The Phoronix Test Suite is the most comprehensive testing and benchmarking platform available for Linux, Solaris, macOS, Windows, and BSD operating systems.

PHPStan Symfony Framework extensions and rules PHPStan This extension provides following features: Provides correct return type for ContainerInterface

Log-killer Log Killer is tool for [Linux/Windows] Servers This tool will delete all your logs just download the tool and run it on the server if your

laminas-config This package is considered feature-complete, and is now in security-only maintenance mode, following a decision by the Technical Steeri

Memory objects (memory containers) are generated by the memory manager, and transparently swapped/loaded when required.

This plugin allows you to secure your WordPress login with two factor authentication. The users will have to enter a one time password every time they log in.

JBZoo / CI-Report-Converter Why? Installing Using as GitHub Action Example GitHub Action workflow Available Directions Help description in terminal Co

laminas-soap This package is considered feature-complete, and is now in security-only maintenance mode, following a decision by the Technical Steering

phpspec Laravel Extension phpspec extension for testing Laravel applications. Versions Depending on the version of Laravel and/or Phpspec you're using

Doctrine extensions for PHPStan PHPStan Doctrine This extension provides following features: DQL validation for parse errors, unknown entity classes a

Security Component - CSRF The Security CSRF (cross-site request forgery) component provides a class CsrfTokenManager for generating and validating CSR

🐘 🎯 Hexagonal Architecture, DDD & CQRS in PHP Example of a PHP application using Domain-Driven Design (DDD) and Command Query Responsibility Segrega

F3 development bench This is a dockerized environment for testing and developing things on the fatfree-core. It uses Docker to spin up multiple contai

Magento 2 Security extension FREE. Security extension gives store owners the ability to detect the IP addresses that are intentionally attacking their store at any given time. Therefore, they have timely measures to prevent this issue such as blocking those IP addresses or sending warning emails to store owners.

Laravel Nova Ban Introduction Behind the scenes cybercog/laravel-ban is used. Contents Installation Usage Prepare bannable model Prepare bannable mode

sqlscan sqlscan is quick web scanner for find an sql inject point. not for educational, this is for hacking. use sitemap for best result Simple to use

The Guard component brings many layers of authentication together, making it much easier to create complex authentication systems where you have total control.

Simple template Simple PHP templating system for user editable templates. Idea Most applications need to render templates that insert safely treated v

svg-sanitizer This is my attempt at building a decent SVG sanitizer in PHP. The work is laregely borrowed from DOMPurify. Installation Either require

The objective of ParaTest is to support parallel testing in PHPUnit. Provided you have well-written PHPUnit tests, you can drop paratest in your project and start using it with no additional bootstrap or configurations!

SimpleTest SimpleTest is a framework for unit testing, web site testing and mock objects for PHP. Installation Downloads All downloads are stored on G