The Code Log

Welcome to my blog, a space where I share insights, lessons, and best practices from building secure, scalable web applications and SaaS solutions. From tackling complex development challenges to exploring modern tools, frameworks, and security techniques, this is where I document what works, what doesn’t, and how to create high-performance digital products that deliver real business impact.

Nginx Misconfiguration to RCE: Exploiting an Exposed .env File and Laravel APP_KEY

Two config mistakes chain into an unauthenticated shell. With APP_KEY in hand, forge a two-cookie session containing a PHP gadget chain, encrypt it with the real key, send it. Laravel's session handler calls unserialize() on your payload. RCE as www-data. Ten minutes from first curl to shell.

Jul 10, 2026

Mass Assignment in Laravel Eloquent: Turning a Missing $fillable into Instant Admin

A missing whitelist on your user model turns a registration form into an instant admin account. No credentials needed, no exploit tools, just knowing what column names your database expects

Jul 5, 2026

Getting Started with DVLA: Run a Vulnerable Laravel Security Lab Locally with Docker

Set up DVLA, a deliberately vulnerable Laravel 12 app, locally in under 15 minutes. This guide covers the Docker environment, credentials, and the eight vulnerability modules you'll exploit throughout the ArtisanBreach series.

Jul 4, 2026

Stop Leaking Secrets: Audit Your .env Files with VaultCheck

Most .env problems go unnoticed until something breaks or worse, leaks. VaultCheck is a PHP CLI tool that audits your environment files and git history for exposed secrets, missing keys, and bad permissions. Run one command and get a prioritized list of what to fix.

Apr 2, 2026