Exploiting Symfony Profiler Debug Mode for Bug Bounty Hunting

If you come across a Symfony application with the profiler (debug mode) enabled, fuzz the following endpoints:

– `/app_dev.php`
– `/app_dev.php/_profiler/phpinfo`
– `/app_dev.php/_profiler`
– Look for “profiler token” in phpinfo()

You Should Know:

1. Fuzzing Endpoints with cURL:

Use cURL to manually fuzz the endpoints and check for sensitive information leakage.

curl -X GET http://target.com/app_dev.php/_profiler/phpinfo
curl -X GET http://target.com/app_dev.php/_profiler

2. Automating with FFUF:

Use FFUF (a fast web fuzzer) to automate the process of discovering hidden endpoints.

ffuf -w /path/to/wordlist.txt -u http://target.com/FUZZ

3. Extracting Profiler Tokens:

Once you identify the profiler token, use it to access detailed debugging information.

curl -X GET http://target.com/app_dev.php/_profiler/{TOKEN}

4. Checking for Misconfigurations:

Use tools like `nmap` to scan for open ports and services that might expose Symfony debug mode.

nmap -sV --script=http-title target.com

5. Exploiting PHPInfo:

If `phpinfo()` is exposed, look for sensitive information such as environment variables, database credentials, or server configurations.

curl -X GET http://target.com/app_dev.php/_profiler/phpinfo | grep -i "DATABASE"

6. Securing Symfony Applications:

If you are a developer, ensure that Symfony profiler debug mode is disabled in production environments.

In Symfony, set the following in the `.env` file:

APP_ENV=prod
APP_DEBUG=0

7. Using Burp Suite:

Use Burp Suite to intercept and analyze requests to the Symfony profiler endpoints.

Configure Burp Suite to intercept traffic and analyze the responses.

8. Linux Commands for Log Analysis:

Use Linux commands like `grep`, `awk`, and `sed` to analyze server logs for suspicious activity.

grep "app_dev.php" /var/log/apache2/access.log | awk '{print $1}'

9. Windows Commands for Network Analysis:

Use `netstat` to check for open ports and connections on a Windows server.

netstat -an | findstr "80"

10. Preventing Debug Mode Exposure:

Regularly audit your web applications to ensure debug mode is not accidentally enabled.

Use `grep` to search for debug mode in configuration files:

grep -r "APP_DEBUG=1" /var/www/html/
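As an added example (not part of the original post), the following POSIX shell script combines the log review of step 8 with the configuration check of step 10. It embeds a constructed access-log sample and constructed `.env` contents so it runs offline; the function names and the log format (Apache "combined") are assumptions.

```shell
#!/bin/sh
# Added example: audit a Symfony host for profiler/debug exposure.
# Constructed sample data is embedded below so the script runs offline.

# Constructed access-log lines in Apache "combined" format (field 7 is the
# request path, field 9 the HTTP status code).
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /app_dev.php/_profiler/phpinfo HTTP/1.1" 200 40212 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /app_dev.php/_profiler HTTP/1.1" 200 3020 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /app_dev.php HTTP/1.1" 403 220 "-" "ffuf"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Constructed .env contents: one that exposes the profiler, one that does not.
SAMPLE_ENV_DEBUG='APP_ENV=dev
APP_DEBUG=1'
SAMPLE_ENV_PROD='# APP_DEBUG=1 (commented out, must not count)
APP_ENV=prod
APP_DEBUG=0'

# profiler_hits: read log lines on stdin and print "count ip" for every
# client that reached the dev front controller or the profiler, most
# active client first. Only served requests (2xx) count: a 403/404 shows
# the endpoint was NOT exposed to that client, which is a different signal.
profiler_hits() {
    awk '($7 ~ /^\/app_dev\.php/ || $7 ~ /\/_profiler/) && $9 ~ /^2/ { c[$1]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# debug_enabled: read .env contents on stdin; succeed (exit 0) if debug mode
# is on or the dev environment is selected. Comments and spacing are
# tolerated, unlike a plain grep for the literal string "APP_DEBUG=1".
debug_enabled() {
    grep -Eq '^[[:space:]]*(APP_DEBUG[[:space:]]*=[[:space:]]*1|APP_ENV[[:space:]]*=[[:space:]]*dev)[[:space:]]*$'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | profiler_hits
if printf '%s\n' "$SAMPLE_ENV_DEBUG" | debug_enabled; then
    echo "sample .env: profiler/debug mode ENABLED"
fi
if printf '%s\n' "$SAMPLE_ENV_PROD" | debug_enabled; then
    echo "prod .env: unexpected debug setting"
fi
```

On a real host, replace the samples with `profiler_hits < /var/log/apache2/access.log` and `debug_enabled < /var/www/html/.env`.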

What Undercode Say:

Symfony profiler debug mode can be a goldmine for bug bounty hunters if it is left enabled in production. By fuzzing endpoints like `/app_dev.php` and `/app_dev.php/_profiler`, you can uncover sensitive information such as profiler tokens, database credentials, and server configuration. Tools like cURL, FFUF, and Burp Suite are essential for automating the discovery and analyzing the responses. Developers must ensure that debug mode is disabled in production to prevent such exposures. Always follow secure coding practices and audit your applications regularly to avoid unintended information leakage.

For further reading, check out the official Symfony documentation on debug mode.

Reported By: Deepak Saini – Hackers Feeds