Looting the Symfony Profiler with EOS - Pass The Salt 2020 - Matthieu Barjole



SLIDE 1

Matthieu Barjole (@__aevy__)

Looting the Symfony Profiler with EOS

Pass The Salt 2020

SLIDE 2

Synacktiv

French IT security company

Focus on offensive security

3 teams

Pentest

Reverse engineering

Development

Remote friendly!

apply@synacktiv.com

Paris, Rennes, Lyon, Toulouse

SLIDE 3

Context

Symfony: a popular PHP framework for web applications

Debug features exposed during assessments: the web profiler

Wanna loot

Wanna automate

SLIDE 4

Context > Disclaimer

Not a Symfony vulnerability

"The profiler is a powerful development tool that gives detailed information about the execution of any request. Never enable the profiler in production environments as it will lead to major security vulnerabilities in your project."

SLIDE 5

Loot > Profiler

Version-dependent kernel instantiation (front controller):

web/app.php + web/app_dev.php

public/index.php

SLIDE 6

Loot > Profiler Toolbar

SLIDE 7

Loot > Phpinfo

SLIDE 8

Loot > Requests > Routes

SLIDE 9

Loot > Requests > Credentials

SLIDE 10

Loot > Requests > Remember Me Cookies

    // Symfony's remember-me cookie hash: HMAC-SHA256 over class:username:expires:password,
    // keyed with the application secret (kernel.secret).
    protected function generateCookieHash(string $class, string $username, int $expires, string $password)
    {
        return hash_hmac(
            'sha256',
            $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password,
            $this->getSecret()
        );
    }

Not enabled by default

SLIDE 11

Loot > Requests > Remember Me Cookies

base64(hmac("App\\Entity\\User:amFuZV9hZG1pbg==:1620664267:c05a2...e9b8b"))
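As an added example, not code from the slides or from Symfony itself, the PHP below re-implements the remember-me cookie round trip that generateCookieHash() above takes part in: the server mints the cookie as base64 of class:base64(username):expires:hmac and, on a later request, checks the expiry and recomputes the HMAC from the stored password hash. The only secret input is the application secret, so a deployment whose profiler exposes its configuration has effectively published the key that authenticates every remember-me cookie. The secret, the user and the password hash are constructed values.

```php
<?php
// Added example, not Symfony's own code: mint and verify a remember-me
// cookie the way the slide's generateCookieHash() describes. All values
// below ($secret, the user, the password hash) are constructed.

const COOKIE_DELIMITER = ':';

// HMAC-SHA256 over class:username:expires:password, keyed with the app secret.
function generateCookieHash(string $class, string $username, int $expires, string $password, string $secret): string
{
    $data = $class.COOKIE_DELIMITER.$username.COOKIE_DELIMITER.$expires.COOKIE_DELIMITER.$password;
    return hash_hmac('sha256', $data, $secret);
}

// What the server sets at login: base64 of class:base64(username):expires:hmac.
function encodeCookie(string $class, string $username, int $expires, string $password, string $secret): string
{
    $hash = generateCookieHash($class, $username, $expires, $password, $secret);
    return base64_encode(implode(COOKIE_DELIMITER, [$class, base64_encode($username), $expires, $hash]));
}

// What the server does on a later request: returns the username if the cookie
// is well-formed, unexpired and carries a valid HMAC, null otherwise.
// $lookupPassword maps a username to its stored password hash (the user store).
function verifyCookie(string $cookie, string $secret, callable $lookupPassword, int $now): ?string
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false) { return null; }
    $parts = explode(COOKIE_DELIMITER, $decoded);
    if (count($parts) !== 4) { return null; }
    [$class, $b64User, $expires, $hash] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) { return null; }   // expired or malformed
    $username = base64_decode($b64User, true);
    if ($username === false) { return null; }
    $password = $lookupPassword($username);
    if ($password === null) { return null; }                                  // unknown user
    $expected = generateCookieHash($class, $username, (int) $expires, $password, $secret);
    return hash_equals($expected, $hash) ? $username : null;                 // constant-time compare
}

// Constructed demo: the cookie verifies only under the secret it was minted with.
$secret = 'constructed-kernel-secret';
$users  = ['jane_admin' => '$2y$13$constructed.bcrypt.hash.placeholder'];
$lookup = fn (string $u): ?string => $users[$u] ?? null;
$cookie = encodeCookie('App\\Entity\\User', 'jane_admin', 1620664267, $users['jane_admin'], $secret);
var_dump(verifyCookie($cookie, $secret, $lookup, 1620000000));             // checked with the right secret
var_dump(verifyCookie($cookie, 'some-other-secret', $lookup, 1620000000)); // checked with a wrong secret
```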

SLIDE 12

Loot > Files

SLIDE 13

Loot > Files > Config

SLIDE 14

Loot > Files > Source code

No directory listing

Only previously hit code paths appear in the Profiler

→ Cache files

SLIDE 15

Loot > Files > Source code

var/cache/%env%/%filename%.xml

env: deployed environment, probably dev

filename: Kernel cache container file name

SLIDE 16

Loot > Files > Source code

2.0–4.1: srcDevDebugProjectContainer.xml

4.2–4.4: srcApp_KernelDevDebugContainer.xml

5.0–5.x: App_KernelDevDebugContainer.xml

SLIDE 17

Loot > Files > Source code

SLIDE 18

Automate

SLIDE 19

Automate

SLIDE 20

Demo target

SLIDE 21

Conclusion

Basic tasks but now automated :)

Do not expose debug features in prod :(

SLIDE 22

Thanks for your attention!

QUESTIONS?