looting the symfony profjler with eos
play

Looting the Symfony Profjler with EOS Pass The Salt 2020 Matthieu - PowerPoint PPT Presentation

Jan 21, 2024 •926 likes •1.17k views

Looting the Symfony Profjler with EOS Pass The Salt 2020 Matthieu Barjole (@__aevy__) Synacktiv French IT security company Focus on offensive security 3 teams Paris Rennes Pentest Reverse engineering Lyon

  1. Looting the Symfony Profjler with EOS Pass The Salt 2020 Matthieu Barjole (@__aevy__)

  2. Synacktiv  French IT security company Focus on offensive security  3 teams  Paris Rennes Pentest  Reverse engineering  Lyon Development  Remote friendly !  Toulouse apply@synacktiv.com  2 / 22

  3. Context popular PHP framework for web applications  Debug features exposed during assessments: web profjler  Wanna loot  Wanna automate  3 / 22

  4. Context > Disclaimer Not a Symfony vulnerability  " The profjler is a powerful development tool that gives detailed information about the execution of any request. Never enable the profjler in production " environments as it will lead to major security vulnerabilities in your project. 4 / 22

  5. Loot > Profjler Version dependent Kernel instantiation  web/app.php + web/app_dev.php  public/index.php  5 / 22

  6. Loot > Profjler Toolbar 6 / 22

  7. Loot > Phpinfo 7 / 22

  8. Loot > Requests > Routes 8 / 22

  9. Loot > Requests > Credentials 9 / 22

  10. Loot > Requests > Remember Me Cookies Not enabled by default  protected function generateCookieHash(string $class, string $username, int $expires, string $password) { return hash_hmac( 'sha256', $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER. $expires.self::COOKIE_DELIMITER.$password, $this->getSecret()); } 10 / 22

  11. Loot > Requests > Remember Me Cookies base64(hmac("App\\Entity\\User:amFuZV9hZG1pbg==:1620664267:c05a2...e9b8b")) 11 / 22

  12. Loot > Files 12 / 22

  13. Loot > Files > Confjg 13 / 22

  14. Loot > Files > Source code No directory listing  Only previously hit code paths appear on the Profjler  → Cache fjles 14 / 22

  15. Loot > Files > Source code var/cache/%env%/%filename%.xml   env: deployed environment, probably dev  filename: Kernel cache container fjle name 15 / 22

  16. Loot > Files > Source code 2.0 – 4.1 : srcDevDebugProjectContainer.xml  4.2 – 4.4 : srcApp_KernelDevDebugContainer.xml  5.0 – 5.x : App_KernelDevDebugContainer.xml  16 / 22

  17. Loot > Files > Source code 17 / 22

  18. Automate 18 / 22

  19. Automate 19 / 22

  20. Demo target 20 / 22

  21. Conclusion Basic tasks but now automated :)  Do not expose debug features in prod :(  21 / 22

  22. QUESTIONS ? Thanks for your attention !

Recommend

The Symfony Framework YOUR FREE NEW TOOLKIT Hallo! > Lead contributor to the Symfony

The Symfony Framework YOUR FREE NEW TOOLKIT Hallo! > Lead contributor to the Symfony

The Symfony Framework YOUR FREE NEW TOOLKIT Hallo! > Lead contributor to the Symfony documentation > KnpLabs US - Symfony consulting, training & kumbaya > Writer for KnpUniversity.com awesome amazing PHP Tutorials!!! >

1.51k views • 101 slides
Data Data Serialization Serialization with with Symfony Symfony & & Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony & & Drupal Drupal

Data Data Serialization Serialization with with Symfony Symfony & & Drupal Drupal SensioLabs Hugo Hamon Hugo Hamon Head of training at SensioLabs Book author Speaker at Conferences Symfony contributor Travel lover @hhamon

1.32k views • 110 slides
Behat BDD, FUNCTIONAL TESTS & SELENIUM (IN DRUPAL!) s Hallo! > Lead of the Symfony

Behat BDD, FUNCTIONAL TESTS & SELENIUM (IN DRUPAL!) s Hallo! > Lead of the Symfony

Behat BDD, FUNCTIONAL TESTS & SELENIUM (IN DRUPAL!) s Hallo! > Lead of the Symfony documentation team > KnpLabs US - Symfony consulting, training & kumbaya > Writer for KnpUniversity.com: PHP & Symfony

1.52k views • 120 slides
with your friend @weaverryan Its-a me, Ryan! > Lead of the Symfony documentation team

with your friend @weaverryan Its-a me, Ryan! > Lead of the Symfony documentation team

with your friend @weaverryan Its-a me, Ryan! > Lead of the Symfony documentation team > Writer for KnpUniversity.com > Symfony fanboy/evangelist > Husband of the much more talented @leannapelham > Father to my more

1.1k views • 98 slides
Documenting Nazi Cultural Looting and Postwar Retrieval: Surviving Archives of the Einsatzstab

Documenting Nazi Cultural Looting and Postwar Retrieval: Surviving Archives of the Einsatzstab

Documenting Nazi Cultural Looting and Postwar Retrieval: Surviving Archives of the Einsatzstab Reichsleiter Rosenberg (ERR) * Patricia Kennedy Grimsted International Institute of Social History (Amsterdam); Ukrainian Research Institute, and

248 views • 12 slides
The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I?

The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I?

The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I? Nida Ismail Shah Developer at Acquia drupal.org: nidaismailshah twitter: @nidaismailshah nidashah.com Overview Hooks - What,

924 views • 60 slides
Creating a modern web application using Symfony API Platform, ReactJS and Redux by Jesus Manuel

Creating a modern web application using Symfony API Platform, ReactJS and Redux by Jesus Manuel

Creating a modern web application using Symfony API Platform, ReactJS and Redux by Jesus Manuel Olivas & Eduardo Garcia @jmolivas | @enzolutions Who We Are? Jesus Manuel Olivas jmolivas@weknowinc.com jmolivas jmolivas

749 views • 59 slides
What is Drupal Haydn? Bill Bohling, M.C. sunset_bill, D.O. Welcome to What is Drupal Haydn. Im

What is Drupal Haydn? Bill Bohling, M.C. sunset_bill, D.O. Welcome to What is Drupal Haydn. Im

What is Drupal Haydn? Bill Bohling, M.C. sunset_bill, D.O. Welcome to What is Drupal Haydn. Im your host, Bill Bohling. My Drupal id is sunset_bill. I am not a Symfony developer, I do Drupal at Turner. I first heard about Symfony and Drupal

1k views • 68 slides
Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development

Admin Generator It's RAD baby! Admin Generator It's RAD baby! Rapid Application Development Who am I, and what do I do? Ian P. Christian (aka. pookey) Coding PHP for about 8 years Work for VoIP.co.uk Involved with symfony and

1.13k views • 51 slides

More recommend