looting the symfony profjler with eos
play

Looting the Symfony Profjler with EOS Pass The Salt 2020 Matthieu - PowerPoint PPT Presentation

Jan 21, 2024 •926 likes •1.17k views

Looting the Symfony Profjler with EOS Pass The Salt 2020 Matthieu Barjole (@__aevy__) Synacktiv French IT security company Focus on offensive security 3 teams Paris Rennes Pentest Reverse engineering Lyon

  1. Looting the Symfony Profjler with EOS Pass The Salt 2020 Matthieu Barjole (@__aevy__)

  2. Synacktiv  French IT security company Focus on offensive security  3 teams  Paris Rennes Pentest  Reverse engineering  Lyon Development  Remote friendly !  Toulouse apply@synacktiv.com  2 / 22

  3. Context popular PHP framework for web applications  Debug features exposed during assessments: web profjler  Wanna loot  Wanna automate  3 / 22

  4. Context > Disclaimer Not a Symfony vulnerability  " The profjler is a powerful development tool that gives detailed information about the execution of any request. Never enable the profjler in production " environments as it will lead to major security vulnerabilities in your project. 4 / 22

  5. Loot > Profjler Version dependent Kernel instantiation  web/app.php + web/app_dev.php  public/index.php  5 / 22

  6. Loot > Profjler Toolbar 6 / 22

  7. Loot > Phpinfo 7 / 22

  8. Loot > Requests > Routes 8 / 22

  9. Loot > Requests > Credentials 9 / 22

  10. Loot > Requests > Remember Me Cookies Not enabled by default  protected function generateCookieHash(string $class, string $username, int $expires, string $password) { return hash_hmac( 'sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER. $expires.self::COOKIE_DELIMITER.$password, $this->getSecret()); } 10 / 22

  11. Loot > Requests > Remember Me Cookies base64(hmac("App\\Entity\\User:amFuZV9hZG1pbg==:1620664267:c05a2...e9b8b")) 11 / 22

  12. Loot > Files 12 / 22

  13. Loot > Files > Confjg 13 / 22

  14. Loot > Files > Source code No directory listing  Only previously hit code paths appear on the Profjler  → Cache fjles 14 / 22

  15. Loot > Files > Source code var/cache/%env%/%filename%.xml   env: deployed environment, probably dev  filename: Kernel cache container fjle name 15 / 22

  16. Loot > Files > Source code 2.0 – 4.1 : srcDevDebugProjectContainer.xml  4.2 – 4.4 : srcApp_KernelDevDebugContainer.xml  5.0 – 5.x : App_KernelDevDebugContainer.xml  16 / 22

  17. Loot > Files > Source code 17 / 22

  18. Automate 18 / 22

  19. Automate 19 / 22

  20. Demo target 20 / 22

  21. Conclusion Basic tasks but now automated :)  Do not expose debug features in prod :(  21 / 22

  22. QUESTIONS ? Thanks for your attention !

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Symfony Framework YOUR FREE NEW TOOLKIT Hallo! > Lead contributor to the Symfony

The Symfony Framework YOUR FREE NEW TOOLKIT Hallo! > Lead contributor to the Symfony

The Symfony Framework YOUR FREE NEW TOOLKIT Hallo! > Lead contributor to the Symfony documentation > KnpLabs US - Symfony consulting, training & kumbaya > Writer for KnpUniversity.com awesome amazing PHP Tutorials!!! >

1.51k views • 101 slides
Data Data Serialization Serialization with with Symfony Symfony & & Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony & & Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony & & Drupal Drupal SensioLabs Hugo Hamon Hugo Hamon Head of training at SensioLabs Book author Speaker at Conferences Symfony contributor Travel lover @hhamon

1.32k views • 110 slides
Behat BDD, FUNCTIONAL TESTS & SELENIUM (IN DRUPAL!) s Hallo! > Lead of the Symfony

Behat BDD, FUNCTIONAL TESTS & SELENIUM (IN DRUPAL!) s Hallo! > Lead of the Symfony

Behat BDD, FUNCTIONAL TESTS & SELENIUM (IN DRUPAL!) s Hallo! > Lead of the Symfony documentation team > KnpLabs US - Symfony consulting, training & kumbaya > Writer for KnpUniversity.com: PHP & Symfony

1.52k views • 120 slides
with your friend @weaverryan Its-a me, Ryan! > Lead of the Symfony documentation team

with your friend @weaverryan Its-a me, Ryan! > Lead of the Symfony documentation team

with your friend @weaverryan Its-a me, Ryan! > Lead of the Symfony documentation team > Writer for KnpUniversity.com > Symfony fanboy/evangelist > Husband of the much more talented @leannapelham > Father to my more

1.1k views • 98 slides
Documenting Nazi Cultural Looting and Postwar Retrieval: Surviving Archives of the Einsatzstab

Documenting Nazi Cultural Looting and Postwar Retrieval: Surviving Archives of the Einsatzstab

Documenting Nazi Cultural Looting and Postwar Retrieval: Surviving Archives of the Einsatzstab Reichsleiter Rosenberg (ERR) * Patricia Kennedy Grimsted International Institute of Social History (Amsterdam); Ukrainian Research Institute, and

248 views • 12 slides
The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I?

The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I?

The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I? Nida Ismail Shah Developer at Acquia drupal.org: nidaismailshah twitter: @nidaismailshah nidashah.com Overview Hooks - What,

924 views • 60 slides
Creating a modern web application using Symfony API Platform, ReactJS and Redux by Jesus Manuel

Creating a modern web application using Symfony API Platform, ReactJS and Redux by Jesus Manuel

Creating a modern web application using Symfony API Platform, ReactJS and Redux by Jesus Manuel Olivas & Eduardo Garcia @jmolivas | @enzolutions Who We Are? Jesus Manuel Olivas jmolivas@weknowinc.com jmolivas jmolivas

749 views • 59 slides
What is Drupal Haydn? Bill Bohling, M.C. sunset_bill, D.O. Welcome to What is Drupal Haydn. Im

What is Drupal Haydn? Bill Bohling, M.C. sunset_bill, D.O. Welcome to What is Drupal Haydn. Im

What is Drupal Haydn? Bill Bohling, M.C. sunset_bill, D.O. Welcome to What is Drupal Haydn. Im your host, Bill Bohling. My Drupal id is sunset_bill. I am not a Symfony developer, I do Drupal at Turner. I first heard about Symfony and Drupal

1k views • 68 slides
Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development Who am I, and what do I do? Ian P. Christian (aka. pookey) Coding PHP for about 8 years Work for VoIP.co.uk Involved with symfony and

1.13k views • 51 slides
Constraining the symmetry energy of the EoS in relativistic energy of the EoS in relativistic

Constraining the symmetry energy of the EoS in relativistic energy of the EoS in relativistic

Constraining the symmetry energy of the EoS in relativistic energy of the EoS in relativistic heavy-ion reactions A. Krasznahorkay, ATOMKI, Debrecen Introduction The neutronskin thickness ( r )

872 views • 30 slides
Core-Collapse Supernova Overview Christian D. Ott Sherman TAPIR, Caltech Fairchild Foundation

Core-Collapse Supernova Overview Christian D. Ott Sherman TAPIR, Caltech Fairchild Foundation

Core-Collapse Supernova Overview Christian D. Ott Sherman TAPIR, Caltech Fairchild Foundation Collaborators: E. Abdikamalov, S. Couch, P. Diener, J. Fedrow, R. Haas, K. Kiuchi, J. Lippuner, P. Msta, H. Nagakura, E. OConnor, D. Radice,

1.21k views • 73 slides
EOS WG proposal Wes Hardaker <hardaker@tislabs.com> draft-hardaker-eos-oops-00.txt

EOS WG proposal Wes Hardaker <hardaker@tislabs.com> draft-hardaker-eos-oops-00.txt

EOS WG proposal Wes Hardaker <hardaker@tislabs.com> draft-hardaker-eos-oops-00.txt 2002.Jul.18 Agenda Overview: motivations and PDU definitions Examples Benifits Known Issues and Questions Motivations Solve the problems recently

438 views • 21 slides
PatManQL: A language to manipulate patterns and data in hierarchical catalogs Panagiotis Bouros,

PatManQL: A language to manipulate patterns and data in hierarchical catalogs Panagiotis Bouros,

PatManQL: A language to manipulate patterns and data in hierarchical catalogs Panagiotis Bouros, Theodore Dalamagas, Timos Sellis, Manolis Terrovitis Knowledge and Database Systems Lab School of Electrical and Computer Engineering National

540 views • 37 slides
CS519: Computer Networks Lecture 5, Part 2: Mar 8, 2004 Transport: TCP mechanics ( RFCs: 793,

CS519: Computer Networks Lecture 5, Part 2: Mar 8, 2004 Transport: TCP mechanics ( RFCs: 793,

CS519: Computer Networks Lecture 5, Part 2: Mar 8, 2004 Transport: TCP mechanics ( RFCs: 793, 1122, 1323, 2018, 2581) TCP as seen from above the socket CS519 The TCP socket interface consists of: Commands to start the connection

483 views • 27 slides
33

33

33

893 views • 46 slides
AI AICP CPA Bu Business a and I Industry Econo nomic O Outlook ok S Survey Detailed

AI AICP CPA Bu Business a and I Industry Econo nomic O Outlook ok S Survey Detailed

AI AICP CPA Bu Business a and I Industry Econo nomic O Outlook ok S Survey Detailed Survey Results: 3Q 2017 Survey B Backgr ckgrou ound Conducted between August 1-16, 2017 Quarterly Survey CPA decision makers (primarily

571 views • 39 slides
Satellite monitoring of the 2010 Russian Wildfires: Capitalizing

Satellite monitoring of the 2010 Russian Wildfires: Capitalizing

Satellite monitoring of the 2010 Russian Wildfires: Capitalizing on NASAs EOS plaAorm and A-Train constellaEon Jacquie Wi*e (SSAI and NASA/GSFC) Anne

193 views • 17 slides
A Data Throughput Prediction and Optimization Service for Widely Distributed Many-Task Computing

A Data Throughput Prediction and Optimization Service for Widely Distributed Many-Task Computing

A Data Throughput Prediction and Optimization Service for Widely Distributed Many-Task Computing Dengpan Yin, Esma Yildirim and Tevfik Kosar* Department of Computer Science Center for Computation && Technology Louisiana State

658 views • 26 slides
Neutron Star Merger with Tabulated EOS and Spin Wolfgang Kastaun MICRA, Stockholm, Aug. 2015

Neutron Star Merger with Tabulated EOS and Spin Wolfgang Kastaun MICRA, Stockholm, Aug. 2015

Neutron Star Merger with Tabulated EOS and Spin Wolfgang Kastaun MICRA, Stockholm, Aug. 2015 Topics Part 1: A recent merger simulation Gauge independent measures Structure of post-merger fluid flow Nature of hot spots Structure

1.13k views • 50 slides
Moving the EOS namespace to persistent memory Tobias Kapp e (IT-DSS-DT) tkappe@cern.ch

Moving the EOS namespace to persistent memory Tobias Kapp e (IT-DSS-DT) tkappe@cern.ch

Moving the EOS namespace to persistent memory Tobias Kapp e (IT-DSS-DT) tkappe@cern.ch Supervised by Elvin Alin Sindrilaru August 26, 2015 Moving the EOS namespace to persistent memory 1 EOS . . . . . . provides reliable and fast

439 views • 11 slides
1 EoS: Voting approach ( Balog06, MacDonald09 ) Markov Random Fields for IR (Metzler & Croft

1 EoS: Voting approach ( Balog06, MacDonald09 ) Markov Random Fields for IR (Metzler & Croft

A Ranking Framework for Entity Oriented Search using Markov Random Fields Hadas Hadas Raviv, David Carmel Oren Kurland IBM Research Haifa Lab , Faculty of IE and Management Israel Technion, Israel David Oren IBM Research - Haifa

260 views • 4 slides
Equation of State Effects on the Birth of Compact Objects Andr da Silva Schneider E.

Equation of State Effects on the Birth of Compact Objects Andr da Silva Schneider E.

. . . . . . . . . . . . . . Introduction EOS BH formation Summary Equation of State Effects on the Birth of Compact Objects Andr da Silva Schneider E. OConnor, A. Betranhandy and S. Zha (Stockholm University) Compact

457 views • 28 slides
USQCD and thermodynamics: where we are and where we are going ? Peter Petreczky, BNL Defining

USQCD and thermodynamics: where we are and where we are going ? Peter Petreczky, BNL Defining

USQCD and thermodynamics: where we are and where we are going ? Peter Petreczky, BNL Defining questions of nuclear physics research in US: Nuclear Science Advisory Committee (NSAC) The Frontiers of Nuclear Science, 2007 Long Range Plan

378 views • 8 slides
Bareos Python Plugins Introduction Stephan Dhr Feb 3, 2017 Agenda Bareos architecture and

Bareos Python Plugins Introduction Stephan Dhr Feb 3, 2017 Agenda Bareos architecture and

Bareos Python Plugins Introduction Stephan Dhr Feb 3, 2017 Agenda Bareos architecture and terminology Introduction Plugin overview (FD, SD, DIR) Detailed View at FileDaemon Plugins FD Plugin Examples Discussion of Plugin

437 views • 43 slides

More recommend