Looting the Symfony Profiler with EOS - Pass The Salt 2020 - Matthieu Barjole (@__aevy__) - PowerPoint PPT Presentation


  1. Looting the Symfony Profiler with EOS  Pass The Salt 2020  Matthieu Barjole (@__aevy__)

  2. Synacktiv  French IT security company, focus on offensive security.  3 teams: Pentest, Reverse engineering, Development.  Offices: Paris, Rennes, Lyon, Toulouse.  Remote friendly!  apply@synacktiv.com

  3. Context  Symfony: popular PHP framework for web applications.  Debug features exposed during assessments: the web profiler.  Wanna loot.  Wanna automate.

  4. Context > Disclaimer  Not a Symfony vulnerability.  "The profiler is a powerful development tool that gives detailed information about the execution of any request. Never enable the profiler in production environments as it will lead to major security vulnerabilities in your project."

  5. Loot > Profiler  Version dependent.  Kernel instantiation: web/app.php + web/app_dev.php, or public/index.php

  6. Loot > Profiler Toolbar

  7. Loot > Phpinfo

  8. Loot > Requests > Routes

  9. Loot > Requests > Credentials

  10. Loot > Requests > Remember Me Cookies  Not enabled by default.  Cookie hash as computed by Symfony's remember-me services (the application secret is the HMAC key):

      protected function generateCookieHash(string $class, string $username, int $expires, string $password)
      {
          return hash_hmac(
              'sha256',
              $class.self::COOKIE_DELIMITER.$username.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password,
              $this->getSecret()
          );
      }

  11. Loot > Requests > Remember Me Cookies  base64(hmac("App\\Entity\\User:amFuZV9hZG1pbg==:1620664267:c05a2...e9b8b"))
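As an added example (not from the talk and not Symfony's own code), a Python port of the slide-10 hash and a checker that decodes a remember-me cookie and recomputes its HMAC from the application secret and the user's stored password hash; it shows why a secret read from an exposed profiler matters and that rotating the secret invalidates outstanding cookies. It assumes Symfony's ':' COOKIE_DELIMITER and the base64(class:base64(username):expires:hash) cookie layout; the secret and password hash are constructed values.

```python
import base64
import hashlib
import hmac

# Symfony's AbstractRememberMeServices uses ':' as COOKIE_DELIMITER (assumed here;
# slide 11 shows the decoded cookie as colon-separated fields).
COOKIE_DELIMITER = ":"

def generate_cookie_hash(user_class, username, expires, password, secret):
    """Port of generateCookieHash() from slide 10: HMAC-SHA256 over
    class:username:expires:password, keyed with the application secret."""
    msg = COOKIE_DELIMITER.join([user_class, username, str(expires), password])
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()

def encode_cookie(user_class, username, expires, password, secret):
    """Cookie layout of Symfony's token-based remember-me services (assumed):
    base64(class:base64(username):expires:hash). Used to build the sample."""
    parts = [user_class, base64.b64encode(username.encode()).decode(), str(expires),
             generate_cookie_hash(user_class, username, expires, password, secret)]
    return base64.b64encode(COOKIE_DELIMITER.join(parts).encode()).decode()

def verify_cookie(cookie, secret, stored_password_hash):
    """Decode a remember-me cookie and recompute its HMAC from the secret and the
    user's stored password hash. Returns (is_valid, fields). Anyone who reads the
    secret, e.g. from an exposed profiler, can satisfy this check; rotating the
    secret invalidates every outstanding cookie."""
    try:
        decoded = base64.b64decode(cookie, validate=True).decode()
        user_class, b64_user, expires, given = decoded.split(COOKIE_DELIMITER, 3)
        username = base64.b64decode(b64_user, validate=True).decode()
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return False, None
    expected = generate_cookie_hash(user_class, username, expires,
                                    stored_password_hash, secret)
    fields = {"class": user_class, "username": username, "expires": expires}
    return hmac.compare_digest(expected, given), fields

# Constructed sample values; only the user name (jane_admin) comes from slide 11.
SECRET = "constructed-app-secret"
PASSWORD_HASH = "constructed-password-hash"
SAMPLE = encode_cookie("App\\Entity\\User", "jane_admin", 1620664267, PASSWORD_HASH, SECRET)

if __name__ == "__main__":
    print(verify_cookie(SAMPLE, SECRET, PASSWORD_HASH))
    print(verify_cookie(SAMPLE, "rotated-secret", PASSWORD_HASH)[0])  # secret rotated
```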

  12. Loot > Files

  13. Loot > Files > Config

  14. Loot > Files > Source code  No directory listing.  Only previously hit code paths appear on the Profiler → Cache files

  15. Loot > Files > Source code  var/cache/%env%/%filename%.xml  env: deployed environment, probably dev.  filename: Kernel cache container file name.

  16. Loot > Files > Source code  Container cache file name by Symfony version:
      2.0 – 4.1: srcDevDebugProjectContainer.xml
      4.2 – 4.4: srcApp_KernelDevDebugContainer.xml
      5.0 – 5.x: App_KernelDevDebugContainer.xml

  17. Loot > Files > Source code

  18. Automate

  19. Automate

  20. Demo target

  21. Conclusion  Basic tasks, but now automated :)  Do not expose debug features in prod :(

  22. QUESTIONS?  Thanks for your attention!
