« back to schedule

Looting the Symfony profiler with EOS

Based on https://www.synacktiv.com/posts/pentest/looting-symfony-with-eos.html. Symfony is a popular open source PHP framework to create web applications. When configured with development parameters, Symfony exposes a sensitive component: the web profiler. This interface implements debug features to help developers identifying bugs while working on the application. However, as an attacker, multiple pieces of information are available to loot: configuration files, user credentials and even the application source code.

Exposing such features in a production environment is very dangerous and to gather all this intel, Synacktiv recently developed an open source tool named EOS (https://github.com/synacktiv/eos).

In this presentation, I would like to describe the different features provided by the profiler and how EOS exploits them to extract the valuable information.



Matthieu Barjole (Synacktiv)


Security Ninja @ Synacktiv

« back to schedule