Finding bugs on Symfony

2 years ago 358

rei_hunt

Credit: How I was able to find multiple vulnerabilities of a Symfony Web Framework web application | by Abid Ahmad | Jan, 2022 | Medium

Hello. Today I’ll explain how I found multiple vulnerabilities on a web app that used the Symfony web framework, where the Symfony profiler/debug mode was enabled.

Understanding the Symfony profiler & Debug component

The Symfony web framework has a feature called the Symfony Profiler. This profiler component can only be used when debug mode is enabled (twist). The Symfony web framework is itself quite secure, but enabling debug mode in production makes the application extremely vulnerable: the Symfony web profiler component exposes sensitive information about the web application.

— Why do devs enable the Debug component?

The Debug component provides tools that ease debugging PHP code. Symfony provides three environments by default, called dev, test, and prod. Symfony highly recommends disabling the profiler tools in the production environment.

How I found the vulns (step by step)

Let’s assume the target site is https://test.com, but the bug is on a subdomain. First, check which web technologies are in use, using Wappalyzer.

Then I proceeded with FFUF. I tried to fuzz the target using FFUF and found an interesting file, “app_dev.php” (it indicates that debug mode for Symfony might be enabled).

Let’s check it in the browser. When I browsed to “https://sub.test.com/app_dev.php”, I found that debug mode was enabled and got a profiler token to access the Symfony Profiler. I also got the phpinfo file location.

Until now, the severity of my findings was Medium. I knew the Symfony debug toolbar allows reading files that could. So I found the endpoint app/config/parameters.yml. It showed the Symfony version was 3.4, and it contains the mail server and database credentials.
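From the defender’s side, the artifacts described above (app_dev.php, the _profiler and _wdt routes, the phpinfo page, parameters.yml) are also easy to spot in web server access logs. The following is an added example, not code from the original write-up or from Symfony: a small Python detector that parses combined-format access log lines (constructed sample lines, not real traffic) and separates requests where a debug artifact actually answered (2xx/3xx) from probes the server blocked (4xx). The artifact list and the log format are assumptions to adapt to your own deployment.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Request paths that only exist, or only matter, when Symfony runs with
# debug/profiler enabled. Constructed from the write-up above; extend as needed.
# Order matters: the more specific profiler/toolbar routes are checked before
# the generic app_dev.php front controller, since they are usually reached
# through it (e.g. /app_dev.php/_profiler/<token>).
DEBUG_ARTIFACTS = [
    (re.compile(r"/_profiler(/|$|\?)"), "web profiler (_profiler)"),
    (re.compile(r"/_wdt(/|$|\?)"), "web debug toolbar (_wdt)"),
    (re.compile(r"parameters\.yml(\?|$)"), "parameters.yml (credentials file)"),
    (re.compile(r"phpinfo", re.IGNORECASE), "phpinfo page"),
    (re.compile(r"^/app_dev\.php(/|$|\?)"), "dev front controller (app_dev.php)"),
]

# Apache/nginx "combined" log format (assumed); adjust if your format differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /app_dev.php HTTP/1.1" 200 7342
203.0.113.5 - - [10/Jan/2022:10:00:03 +0000] "GET /app_dev.php/_profiler/a1b2c3 HTTP/1.1" 200 18211
203.0.113.5 - - [10/Jan/2022:10:00:04 +0000] "GET /app/config/parameters.yml HTTP/1.1" 200 812
198.51.100.7 - - [10/Jan/2022:10:00:05 +0000] "GET /_profiler/ HTTP/1.1" 403 162
198.51.100.7 - - [10/Jan/2022:10:00:06 +0000] "GET /phpinfo.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Jan/2022:10:00:07 +0000] "GET /about HTTP/1.1" 200 3000
""".strip().splitlines()


class Finding(NamedTuple):
    ip: str
    path: str
    status: int
    reason: str


def classify_path(path: str) -> Optional[str]:
    """Return a human-readable reason if the path touches a debug artifact, else None."""
    for pattern, reason in DEBUG_ARTIFACTS:
        if pattern.search(path):
            return reason
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Parse each log line and keep only requests that touch a debug artifact."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        reason = classify_path(m.group("path"))
        if reason:
            findings.append(
                Finding(m.group("ip"), m.group("path"), int(m.group("status")), reason)
            )
    return findings


def exposure_summary(findings: List[Finding]) -> Dict[str, object]:
    """Split findings into artifacts that answered (exposed) and probes that were blocked.

    A 2xx/3xx on app_dev.php or _profiler means debug mode is reachable from the
    internet and the finding is a misconfiguration to fix, not just a scan to note.
    """
    exposed = [f for f in findings if f.status < 400]
    blocked = [f for f in findings if f.status >= 400]
    by_ip = Counter(f.ip for f in findings)
    return {"exposed": exposed, "blocked": blocked, "by_ip": by_ip}


if __name__ == "__main__":
    summary = exposure_summary(scan_log(SAMPLE_LOG))
    for f in summary["exposed"]:
        print(f"EXPOSED  {f.ip} {f.status} {f.path}  <- {f.reason}")
    for f in summary["blocked"]:
        print(f"blocked  {f.ip} {f.status} {f.path}  <- {f.reason}")
    print("requests per source IP:", dict(summary["by_ip"]))
```

Run it over a real access log by replacing SAMPLE_LOG with the file’s lines; any entry in the "exposed" list on a production host means the fix in the Mitigation section below is overdue, while a burst of "blocked" entries from one IP is worth an alert on its own.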

Impact

Exposed credentials have a wide range of consequences, because those credentials can be used in data breaches.

Mitigation

Disable debug mode by setting APP_DEBUG to false. Debug mode should never be enabled in the production environment.
