Symfony Debug Mode

By kannthu

High
Vidoc Module
#symfony #debug
Description

Symfony Debug Mode

What is the "Symfony Debug Mode?"

The "Symfony Debug Mode" module is designed to detect misconfigurations in Symfony installations. It specifically targets the "debug" interface (the web profiler), which, when left enabled, can disclose sensitive information and potentially allow arbitrary code to be executed. This module has a high severity level and was authored by organiccrap and pdteam.

Impact

Enabling the "Symfony Debug Mode" can lead to the exposure of sensitive information and the execution of unauthorized code. This can pose a significant security risk to the Symfony application and its underlying infrastructure.

How does the module work?

The "Symfony Debug Mode" module works by analyzing the HTTP responses of the target application. It uses two matching conditions to identify whether the "debug" interface is enabled, checking the response for the following patterns:

Header: x-debug-token-link: /_profiler/
Body: debug mode</a> is enabled.

If either pattern is found in the HTTP response, the module flags the Symfony installation as having the "debug" interface enabled.

Here is an example of an HTTP request that the module may send:

GET / HTTP/1.1
Host: example.com

The module then evaluates the response headers and body to determine if the "debug" interface is enabled.
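The check described above, as an added example that is not the Vidoc module's own code: a small Python function that parses a raw HTTP/1.1 response and applies the two matching conditions. The sample responses are constructed, and the combination logic (both header words must appear together; the header and body conditions are joined with OR) is my assumption about how the matcher is evaluated.

```python
from typing import Dict, Optional, Tuple

# Constructed sample responses, not real captures: one from a Symfony app
# with the web profiler/debug toolbar enabled, one from a production build.
DEBUG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Debug-Token: 3f1a2b\r\n"
    "X-Debug-Token-Link: http://example.com/_profiler/3f1a2b\r\n"
    "\r\n"
    '<html><body><p><a href="/_profiler/3f1a2b">debug mode</a> is enabled.'
    "</p></body></html>"
)
PROD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body><h1>Welcome</h1></body></html>"
)


def parse_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def symfony_debug_enabled(raw: str) -> Optional[str]:
    """Apply the module's two matchers; return 'header', 'body', or None.

    Header condition: an x-debug-token-link header whose value contains
    /_profiler/ (both words from the matcher present together).
    Body condition: the literal text 'debug mode</a> is enabled.' in the body.
    """
    headers, body = parse_response(raw)
    if "/_profiler/" in headers.get("x-debug-token-link", ""):
        return "header"
    if "debug mode</a> is enabled." in body:
        return "body"
    return None


if __name__ == "__main__":
    for label, resp in (("debug", DEBUG_RESPONSE), ("prod", PROD_RESPONSE)):
        print(label, "->", symfony_debug_enabled(resp))
```

Either hit is sufficient for the module to report the finding; the fix on the application side is to disable debug mode for the deployed environment rather than to suppress the header.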

Note that the "Symfony Debug Mode" module is just one test case within the Vidoc platform, which uses multiple modules to perform comprehensive scanning and detection of vulnerabilities, misconfigurations, and software fingerprints.

For more information and references, you can visit the following link: https://github.com/synacktiv/eos

Module preview

Concurrent Requests (0)
Passive global matcher
word: x-debug-token-link:, /_profiler/
or
word: debug mode</a> is enabled.
On match action
Report vulnerability