What Is Attack Surface?
The total set of points at which an attacker can try to enter a system or extract data from it. It includes every API endpoint, open port, login form, file upload, third-party integration, and piece of infrastructure reachable from the outside; the larger the set, the more places there are for a single mistake to become an entry point.
In Laravel Applications
In a Laravel application, the attack surface includes every registered route (not only the ones you think of as public), exposed debug and operations tools (Telescope, Ignition, Horizon), a .env file served from the web root, the storage directory, DNS records, the security headers the application sends (or fails to send), and open ports on the server, such as a Redis or database listener reachable from the internet.
Example
A Laravel app with 50 routes, an exposed Telescope dashboard, and an open Redis port has a larger attack surface than one with 50 routes, Telescope disabled, and Redis firewalled.
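The two deployments above differ only in what an anonymous client can reach. The script below, an added example that is not StackShield's code, measures that difference the way an external scanner would: it requests a few well-known Laravel paths, confirms each hit with a body marker so that a SPA catch-all route answering 200 to everything does not count, and checks the front page for common security headers. The path list, the header list, the `attack-surface-check` user agent and the two constructed response sets are assumptions for illustration; `fetch()` and `port_open()` touch the network and must only be pointed at hosts you are authorized to test.

```python
"""Outside-in attack-surface check for a Laravel deployment (illustrative, not StackShield code)."""
from __future__ import annotations

import re
import socket
from dataclasses import dataclass, field
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


@dataclass
class Response:
    status: int                                   # 0 means the request failed outright
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""                                # first few KB only; enough to fingerprint


# Assumed paths -> (body marker that confirms the finding, description).
# The marker guards against catch-all routes that return 200 for any URL.
DEBUG_PATHS = {
    "/telescope": (re.compile(r"Telescope"), "Telescope dashboard reachable anonymously"),
    "/horizon": (re.compile(r"Horizon"), "Horizon dashboard reachable anonymously"),
    "/.env": (re.compile(r"^APP_KEY=", re.M), ".env served by the web server"),
    "/storage/logs/laravel.log": (re.compile(r"^\[\d{4}-\d{2}-\d{2} ", re.M),
                                  "application log readable from the web root"),
}

# Assumed baseline of headers a hardened front page should send.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)


def assess(responses: dict[str, Response]) -> list[str]:
    """Turn raw responses into findings; each finding is one reachable entry point or weakness."""
    findings: list[str] = []
    for path, (marker, why) in DEBUG_PATHS.items():
        r = responses.get(path)
        if r is not None and r.status == 200 and marker.search(r.body):
            findings.append(f"{path}: {why}")
    root = responses.get("/")
    if root is not None and root.status:
        present = {name.lower() for name in root.headers}
        for h in EXPECTED_HEADERS:
            if h not in present:
                findings.append(f"/: missing {h} response header")
    return findings


def fetch(base_url: str, path: str, timeout: float = 5.0) -> Response:
    """GET one path as an unauthenticated client; never raises."""
    req = Request(base_url.rstrip("/") + path, headers={"User-Agent": "attack-surface-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, dict(resp.headers.items()),
                            resp.read(8192).decode("utf-8", "replace"))
    except HTTPError as e:
        return Response(e.code, dict(e.headers.items()), "")
    except (URLError, OSError):
        return Response(0)


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect check, e.g. port_open(host, 6379) for a Redis listener that should be firewalled."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(base_url: str) -> list[str]:
    """Live scan of one deployment: front page plus every debug path."""
    return assess({p: fetch(base_url, p) for p in ("/", *DEBUG_PATHS)})


# Constructed responses standing in for the two deployments in the example above.
EXPOSED = {
    "/": Response(200, {"Content-Type": "text/html"}, "<html>"),
    "/telescope": Response(200, {"Content-Type": "text/html"}, "<title>Telescope</title>"),
    "/.env": Response(200, {"Content-Type": "text/plain"}, "APP_NAME=Shop\nAPP_KEY=base64:...\n"),
    "/horizon": Response(200, {"Content-Type": "text/html"}, "<html>Not Found</html>"),  # catch-all page, not a hit
}
HARDENED = {
    "/": Response(200, {"Strict-Transport-Security": "max-age=31536000",
                        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
                        "Content-Security-Policy": "default-src 'self'"}, "<html>"),
    "/telescope": Response(403, {}, ""),   # Telescope gate rejects anonymous users
    "/.env": Response(404, {}, ""),
}

if __name__ == "__main__":
    for name, responses in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, assess(responses))
```

Run as-is it prints six findings for the exposed deployment and none for the hardened one; `scan("https://example.test")` does the same against a live host. Note what the marker check buys you: the exposed set's `/horizon` answers 200 but is a generic page, so it is correctly not reported, while `/.env` is reported only because the body really contains an `APP_KEY=` line.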
Related Terms
Attack Vector
A specific method or path an attacker uses to exploit a vulnerability and gain unauthorized access to a system. While the attack surface is the total collection of entry points, an attack vector is the specific technique used against one of those entry points.
External Attack Surface Management (EASM)
The continuous process of discovering, monitoring, and managing all internet-facing assets and their security posture from an external perspective. EASM tools scan your applications the way an attacker would, identifying exposed services, misconfigurations, and vulnerabilities visible from the outside.
Vulnerability
A weakness in a system that can be exploited by an attacker to perform unauthorized actions. Vulnerabilities can exist in code, configuration, infrastructure, or processes. They range in severity from informational to critical.
Related Articles
Laravel Is Now on the Same Federal Vulnerability List as Apple. Here Is What That Means.
CISA added the Livewire RCE vulnerability (CVE-2025-54068) to the Known Exploited Vulnerabilities catalog, linking it to active exploitation by Iranian APT MuddyWater. A Laravel ecosystem package is now on the same US government list as Apple and Microsoft. Here is what that changes for your team.
Composer's Hidden Attack Surface: How Two Command Injection Flaws Put Every PHP Project at Risk
Two command injection vulnerabilities in Composer's Perforce driver (CVE-2026-40261 and CVE-2026-40176) can be exploited even if Perforce is not installed on your system. Malicious package metadata from any Composer repository can trigger arbitrary shell command execution. Update to Composer 2.9.6 immediately.
The Intercom PHP Hack: How a Composer Plugin Stole Credentials From Thousands of Developers
On April 30, 2026, attackers compromised intercom/intercom-php on Packagist (20.7 million lifetime installs). The malicious version auto-executed as a Composer plugin, downloading Bun and exfiltrating GitHub tokens, SSH keys, and environment variables. Here is what happened and how to protect yourself.
Monitor Your Laravel Application's Security
StackShield continuously checks your Laravel application from the outside, catching security issues before attackers find them.