Having access to your target’s source code is obviously an invaluable advantage of white-box penetration testing.

This article will help you leverage that benefit in the context of PHP applications and using the Xdebug PHP debugger.

Specifically, you will learn how to set up a PHP web application within a docker environment; how to set up 

; how to detect PHP vulnerabilities using Xdebug; common PHP vulnerabilities; and how to leverage your white-box pentest findings to enhance future black-box testing.

Follow these steps to not only unearth vulnerabilities during white-box engagements, but to also craft custom payloads you can unleash to great effect in future black-box tests.

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-624: Executable Regular Expression Error

CWE-434: Unrestricted Upload of File with Dangerous Type

Improve future black-box testing with code analysis

Visual Studio Code (VS Code) (or your preferred IDE)

Once you have installed Visual Studio Code, you can install the Xdebug extension from the extension tab on the left-hand side. Simply search for "

For our demonstration, we will use a vulnerable PHP code snippet from YesWeHack’s 

 Github repository (which also contains snippets written in a variety of other programming languages).

If you are completely new to using Xdebug, we recommend using the same snippet: 

. Otherwise, feel free to take a different code snippet that better suits your preferences.

Our project will use the following file structure: 

Certain files are extra-important and must be added or modified, including:

This will be the Xdebug listener configuration that is used inside Visual Studio Code on our host system.

This file contains the configurations for our vulnerable web application, which is running inside a docker container.

As well as building the docker image, the Dockerfile installs and activates PHP Xdebug inside the docker container.

To this file we will add our host’s hostname to enable our docker container to communicate with Xdebug, which will be hosted by our host system in Visual Studio Code.

 folder provided, we will create a new file in 

, we will add the code below immediately under the first line (which is: 

). This will allow us to install and enable Xdebug in our vulnerable docker container.

 file will be used to set up services for the docker container to run and make the PHP web application accessible via port 

 parameter and the value we give it is used to enable the docker container to communicate with our host system, where the Xdebug listener is running in our Visual Studio Code IDE.

Take note that we added two final lines to the 

Now our setup is ready, we can start debugging our vulnerable web application.

To make sure our debugger works, we will open Visual Studio Code on our host system and set a couple of breakpoints in the vulnerable code snippet. You can do this by simply clicking on the left side of the line number identifiers. This will make red dots appear, as you can see in the image below. This red dot represents a breakpoint that our debugger will stop at.

When a HTTP request is sent by a client to the vulnerable web application, our debugger will stop at our first breakpoint (

) and display all necessary debugging information.

We can trigger the Xdebug listener in Visual Studio Code by sending a HTTP request to our vulnerable web application with curl:

If you want to debug a HTTP request in Visual Studio Code, make sure you include the cookie 

 before you send it. This tells our Xdebug listener to start debugging. It will stop debugging at the first breakpoint, which is triggered by our HTTP request.

Xdebug is a great tool to use both for development and white box penetration testing. By providing a detailed overview of debugging results generated from each code section encountered, this utility means you, as a penetration tester, can more easily see where your input is used and how the payload is modified.

By using our previously described setup (see ‘

’), we can now start analysing our vulnerable code.

Let’s start by sending another HTTP request with curl, this time with a simple SQL injection payload (

After sending this HTTP request we can see that it hit our source code and, in the left sidebar, that our 

 parameter’s value has been determined by our payload.

Next, by pressing the curved blue arrow (second blue icon from the left) in the debug bar (on the top-left of Visual Studio Code by default), we will jump to the second breakpoint we set in the source code.

Continue pressing the arrow until you reach line 

 as shown in the image below. Then right click on the 

Once added to the Watch section, these two variables will appear at the bottom left under the debug sidebar.

We are now monitoring these two variables because 

 is the character to be escaped. If our payload contains the value presented in the variable 

, a backslash will be added before all characters within the payload (this backslash is the 

Continue pressing the blue debug arrow until the 

). This indicates that this character should be escaped in the next loop, and our payload should be modified by the filter.

Press the blue debug arrow again and you will see that our payload was modified by the filter, as shown in the image below:

 character, which it just used to escape our single quote (

) character. This means that, for the next loop, it should escape the backslash character in our payload.

As you can see below, this is exactly what happens. The backslash character 

 replace the backslash character that was previously used to escape our single quote. This makes our current backslash escape itself in the payload, leaving the single quote character unescaped.

By pressing the blue debug arrow one more time, we can see that we have jumped outside the filter and that our final payload remains as:

Finally, we stop the debugging process by pressing the red square in the debug field. We can then see that our curl contains the results from the 

Below are three of the most common weaknesses associated with the PHP programming language.

Source: https://cwe.mitre.org/data/definitions/98.html

The application uses input data that can be controlled by the user. This input value is then later used within an include, require or similar function. 

An attacker can exploit this by creating a specific value that dupes the application into including an unintended file, which can then be used to obtain arbitrary file reads or, in most cases, a remote code execution (RCE). This vulnerability is mainly known as Local/Remote File Inclusion.

White-box penetration testing with Xdebug: Debugging for PHP vulnerabilities

The world’s largest cosmetics and personal care company is the latest illustrious brand to enjoy the benefits of a live Bug Bounty with YesWeHack.

Websites, APIs and mobile apps belonging to L'Oréal are now significantly hardened thanks to the discovery of 71 vulnerabilities during an 18-hour event at the LeHack conference last week.

The live hacking event in Paris began at 10am on day two of LeHack (7 July) and concluded at 4am the following morning after some intensive triaging. The rewards grid went up to €5,000.

The scopes comprised a representative sample of L’Oréal’s most business-critical assets, including:

E-commerce websites for various brands and markets, built on different core technologies

Technologies highly specific to L’Oréal that process sensitive customer data

Impressed by the initial findings, L’Oréal’s security team extended the scope early in the evening to maximise the talent and unique opportunity available – a decision vindicated by the submission of some invaluable findings as the event drew to a close. Most notably, credentials were available for one added scope – an uncommon move for a live hacking event – which allowed hunters to dig deep into a new application and make some intriguing discoveries.

More than 50 YesWeHack-registered hunters kicked off the event and around 100 took part overall, with 31 making it onto the leaderboard.

 by a huge margin in his first-ever live hacking event (although he 

 until the second half of the event). He notched 142 points via nine bug reports.

In second place, ‘Borgi’ accrued 49 points from six vulnerabilities, while third on the podium was ‘cosades’, who scored 45 points from three reports.

However, the leaderboard is only one part of the story of live Bug Bounties, which are as much about (if not more so) collaboration and community.

“It was really nice to meet [fellow hunters] again and to discuss with some managers of programs I'm used to hunting on,” said ‘Aituglo’, one of the participants, in a 

Aituglo said his own pre-event automation work and the support of his peers paid dividends for L’Oréal. A custom plugin helped him “get a hit for an XSS” within five minutes of starting his hunt, then “with the help of some friends, I got a nice PoC to steal the password of the user”.

Despite the generous bounties on offer, Aituglo said that making “a lot of money” was not the overriding incentive. It’s “more to discuss and see your friends, hunt together and so on”.

“Thank you for this wonderful event. It was a pleasant surprise and an honour to top the leaderboard. This motivates me to continue learning and improving.

“It was my first in-person event in cybersecurity, and it was really exciting. The other participants were all friendly and warm. The event was well structured, with responsive support. A very positive and enriching experience.”

The event was also “an enriching experience for another hunter, @dropn0w, who 

 on X: “We learned many valuable lessons and measured our skills against the best hackers in France.”

Guillaume Kermarrec, threat and vulnerability manager at L'Oréal’s CyberDefence Center, and in charge of L'Oréal’s Bug Bounty Programs, said:

“The key benefits were meeting the security researchers, meeting the triage team, and working together to find and fix some complex vulnerabilities. We focused on our most critical websites, both global websites and from different regions, B2B and B2C, and some uncovered assets like APIs and mobile applications. Thanks to this live event we could test some new scopes with very specific configurations that couldn’t be added to our continuous program. We have found some interesting vulnerabilities at the live hacking event.”

Fabio Bührer, global application security manager at L'Oréal’s CyberDefence Center:

“The scopes have been tested in the past and now there’s a lot of good people here going through the scopes to see if there’s anything that needs to be taken care of. It’s good to meet the people who work on the program virtually and and see that they actually exist – they’re not just an avatar or AI! YesWeHack did a great job of organising this.”

From YesWeHack, a sincere and heartfelt thanks to all participants for helping to secure the digital assets of L'Oréal, the personal data of L'Oréal customers, and the global internet as a whole.

The L'Oréal event follows a recent Live Bug Bounty held for a similarly glamorous and legendary French brand: Louis Vuitton, which was more than satisfied with the outcome of 

YesWeHack’s second ‘Hack Me I'm Famous’ event

. This in turn came hot on the heels of a 

 in the scopes of Groupe Caisse des Dépôts (CDC), a French public financial institution, at InCyber Forum (FIC) Europe. The targets for LeHack 2023, meanwhile, were provided by the

 French Red Cross and retail distribution giant Les Mousquetaires Group

 and also yielded an impressive bug haul.

YesWeHack also welcomed a steady stream of ethical hackers, security researchers and other security professionals at our LeHack booth, in Cité des sciences et de l'industrie.

 CTF training platforms, we gave away countless t-shirts and other swag. Other sought-after merch was exclusively available to anyone who managed to take on our claw machine (pictured) and triumph.

Finally, many thanks to our tech ambassador, BitK, for the CTF he created exclusively for LeHack attendees (the ‘Pandemic CTF’).

L'Oréal lauds live Bug Bounty success at LeHack 2024

 has recounted how an attack on his own home network led him to uncover how an attacker could have breached 

The US telco that supplied the modems, Cox Communications, said it found no history of abuse of the relevant attack vector, patched the issue rapidly and promised a comprehensive security review, according to Curry.

“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could've executed commands and modified the settings of millions of modems, accessed any business customer's PII, and gained essentially the same permissions of an ISP support team,” wrote Curry in his latest 

Curry’s latest tour de force was the lead story in our latest 

, a monthly LinkedIn roundup of notable security research, new hunting opportunities, and hacking advice and inspiration.

The next story saw the Federation of American Scientists (FAD) urge Congress to establish 

 and create a safe harbour for research on generative AI platforms.

“While Congress encourages companies to provide bug bounties and protections for security research, this is not yet the case for AI safety research,” 

. AI companies were criticised for “implicitly threatening to ban independent researchers that demonstrate safety flaws in their systems,” and failing to “adequately test their models after they are deployed as part of an evolving product or service”.

Meanwhile, a patch was issued for a remote code execution vulnerability in PHP CGI that affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences, reveals a 

“This vulnerability is incredibly simple, but that’s also what makes it interesting,” 

said renowned DEVCORE researcher Orange Tsai on his blog

. “Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature? I believe this feature could lead to more potential vulnerabilities.” Watchtowr Labs 

 the vulnerability and its implications further.

 secure communications suite has resurfaced, zombie-like, to 

expose an estimated 700,000 Linux-based systems

 to the risk of “full system compromise”. Downstream vendors are have been rushing out patches for the aptly dubbed 'RegreSSHion' RCE (CVE-2024-6387), which is a signal handler race condition in OpenSSH’s server (sshd). The OpenSSH team seemingly reintroduced a long-ago patched flaw (CVE-2006-5051) by mistake in a 2020 software update.

While the high severity (CVSS 8.1) issue’s impact is potentially enormous, exploitation could potentially take “approximately 10,000 attempts on average to succeed," 

, co-founder and CTO at Contrast Security, reassuringly. The issue was 

. In a recent development, it has emerged that a circulating proof-of-concept (PoC) purporting to be an exploit for CVE-2024-6387 is in reality a “trap” for security researchers, 

Nearly 30 popular apps (and potentially more as yet untested apps) and an iOS feature were vulnerable to an attack in which any installed 

 from the Apple App Store could perform a user account takeover, according to 

: “This vulnerability exploits the nuances of the OAuth protocol and iOS’s handling of Custom URL Schemes and Safari browser sessions to steal OAuth Authentication Codes from vulnerable OAuth implementations, thereby allowing an attacker to gain access to a victim’s account.” He also notes: “Unless Apple changes the behavior of ASWebAuthenticationSession, the onus is on developers to mitigate this".

A vulnerability in the Lua implementation of 

) construction and management simulation game, potentially allowed a malicious server to obtain arbitrary execution on clients, according to a researcher. Now patched, the bug is dissected in a post 

 as “one of the best exploit development write ups I've read” by one infosec redditor, which concludes with a gamified challenge to practice the techniques explored.

, Soroush Dalili, who assisted with PortSwigger’s 

, explores a scenario where the “aggregate” function in MongoDB is exposed and vulnerable to NoSQL injection attacks, increasing the impact by allowing adding or updated data, or reading data from, other collections.

A developer recently made popular open source project 'ip' read-only after “someone filed a dubious CVE about my 

” and being inundated with messages about the bug. 

 that this reflects an uptick in open source developers “receiving debatable or, in some cases, outright bogus CVE reports filed for their projects without confirmation”.

 allegedly targeted hundreds of thousands of its own customers with malware in a bid to stop them using torrenting sites, in a story first reported by a local media outlets.

 from Shubham Shah of AssetNote which will contextually insert “junk data” into your HTTP request inside the repeater tab. You can select from a preset amount of junk data you want inserted, or you can insert an arbitrary amount of junk data by selecting the "Custom" option.

, there are some Bug Bounty disclosures with unusual twists involving 

crypto exchange, as well as a new Bug Bounty Program for large language models (LLMs), and an interesting report on the growing role of 

 in capture-the-flag competitions and Bug Bounty Programs.

We’ve handcrafted some of our own hacker-focused content, as per usual, so behold: our latest bug hunter interview below (Swedish bug hunter Eldar Zeynalli, aka ‘

‘The Art of Bypassing WAFs’ from NahamCon 2024 (watch below)

, delivered by our very own in-house hunter, 

, which awards YesWeHack swag to the three best write-ups, is 

Submit your solution by 2 August to participate.

Congratulations to the winners of last month’s ‘

’ challenge: ‘Memset’, ‘Weac’ and ‘Kix29’. Kudos also to ‘lr04d’ for the first valid critical report within a mobile scope on a public program – leaving just one achievement (prize: exclusive swag pack) on our 

: discovering a valid critical bug on YesWeHack’s public program.

For Bug Bounty hunting proper, we’ve a pair of new public programs to flag, both operated by

 one of India’s leading crypto exchanges

 and offering $2,000 for critical vulnerabilities: for the

 crypto exchange platform and CoinDCX’s orchestration layer of Web3, 

 of our latest Live Bug Bounty marathon, this time with L’Oreal, which took place at LeHack in Paris over the weekend.

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to 

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, 

 – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Sam Curry modem masterclass, PHP threat to Windows Servers, Calls for AI safety Bug Bounties – ethical hacker news roundup

YesWeHack has migrated its platform architecture to a private cloud service that is fully compliant with SecNumCloud, a super-stringent security qualification overseen by France’s cybersecurity agency.

This effectively means YesWeHack now enjoys protections for sensitive data, and against downtime, at elevated levels intended for government agencies and critical infrastructure.

Moreover, our customers’ data will continue to be stored only within the EU thanks to SecNumCloud’s rigorous rules around data sovereignty.

The SecNumCloud-qualified service is now provided by Infrastructure-as-a-Service (IaaS) specialist OVHcloud, which was named the European leader in the hosted private cloud market in 2020 by market research firm Forrester.

The SecNumCloud initiative was launched in 2013 by ANSSI, the French cybersecurity agency, to protect the data being outsourced to third parties in increasing volumes by government entities and critical national infrastructure.

have been instructed to choose only SecNumCloud (or other European equivalent)-qualified providers

 when seeking commercial cloud storage for highly sensitive data.

As such, the qualification has extremely demanding criteria that offers high levels of assurance to any customer, whatever their sector or risk profile.

SecNumCloud could soon be succeeded by an equivalent EU-wide scheme, the proposed EUCS (European Cybersecurity Certification Scheme for Cloud Services). However, since the EUCS has been partly modelled on the French scheme, SecNumCloud-qualified providers will have a huge head start on non-qualified providers in gaining EUCS qualification.

 (PDF) comprises 360 security requirements, covering areas such as information security and risk management, encryption mechanisms, incident response and business continuity.

A multi-stage qualification process begins with a rigorous audit of security policies and controls. The cloud provider must then implement any recommendations made after the audit. Qualification is attained following a final audit and ANSSI validation.

This exhaustive process must be repeated every three years to renew qualification, with annual audits in between validating ongoing compliance. 

Only six providers have achieved qualification so far

SecNumCloud prescribes that providers must be headquartered, and store and process data, within the EU. It also precludes majority foreign-owned providers from being SecNumCloud-qualified.

YesWeHack’s own strict compliance with the EU’s strict security and data privacy laws offers strong assurance to EU- and non-EU customers alike. YesWeHack also recently gained 

CREST accreditation for pentesting services

 and ISO/IEC 27017, the cloud security certification.

Founded in France in 1999, OVHcloud provides secure, reliable and eco-friendly cloud services in 140 countries.

 study, OVHcloud notched the highest possible scores in role-based access control and several criteria specific to hosted private clouds. As a 

, it offers strict EU data sovereignty, a zero-trust model and round-the-clock uptime through a disaster recovery plan.

YesWeHack's partnership with OVHcloud is not new since we already used other services provided by the company. Our positive experience with OVHcloud helped to make them the standout candidate among SecNumCloud-qualified providers.

While using a SecNumCloud-qualified service was not mandatory for YesWeHack, migrating our platform architecture to one aligns with our foundational commitment to trust.

“The YesWeHack platform processes and stores sensitive information about digital assets and vulnerabilities for customers in a wide range of industries, including government entities and critical infrastructure. Moreover, the modern threat landscape dictates that your supply chain must be as secure as your internally controlled infrastructure,” says YesWeHack CEO and founder Guillaume Vassault-Houlière.

“In this context, continuing to partner with OVHcloud was a no-brainer. OVHcloud’s Secnumcloud qualification and peerless reputation for security, uptime, agility and innovation significantly strengthens our security posture and validates the trust customers place in us.”

Will there be any disruption for YesWeHack customers?

 was sufficient to carry out the migration with minimal disruption to users, thanks to our Infrastructure-as-Code (IaC) and real-time data replication processes, which allowed every component supporting our platform to be quickly respawned and set up in the IaaS. Everything is now running normally.

Would you like to know more about the YesWeHack Bug Bounty and Vulnerability Management Platform? Feel free to 

Critical infrastructure-level protections for YesWeHack cloud after switch to SecNumCloud-qualified service

’s reported decision not to pay out for several significant zero-days was one of three Bug Bounty disclosures with unexpected twists we spotted in the media recently.

The quartet of iOS bugs were apparently linked to a zero-click exploit allegedly used to spy on employees of the company reporting the vulnerabilities, as well as diplomats from a particular country.

The plot thickens when that country turns out to be Russia and the reporter of the bugs is 

, Kaspersky said Apple cited “the dedicated policy” with no further explanation for not paying out for the firm's Bug Bounty submission. 

The head of research at Kaspersky, whose antivirus software has been 

 amid US-Russia geopolitical tensions, said the company would have donated the rewards to charity.

This, by the way, is our inaugural monthly roundup of offensive security insights curated for CISOs, security teams and security-conscious devs (this was first published on our 

Another interesting Bug Bounty disclosure – but with no geopolitical dimension this time – is a ‘vulnerability’ in 

 for which the tech giant paid a reward, but then decided did not quite meet the threshold qualifying it as a vulnerability after all.

The issue “allows an attacker to bypass firewall rules based on Azure Service Tags by forging requests from trusted services”, 

, Tenable said Microsoft initially developed a “comprehensive fix”, but later decided the issue centred on the “inherent risk in using Service Tags as a single mechanism for vetting secure network traffic” and was best resolved with an 

The third, and most bizarre, disclosure saw Web3 security outfit 

after the cryptocurrency exchange’s CSO 

 an unnamed “security researcher” of extortion, and said it was “coordinating with law enforcement agencies” over the issue.

After unmasking itself as the reporter of a related vulnerability to Kraken’s Bug Bounty Program, Certik insisted its researchers had acted as good-faith white hats and 

 of events that left Kraken (named after a mythical giant octopus) apparently unhappy about Certik's conduct.

In other Bug Bounty news of note, Firefox developer 

 program focusing on large language models (LLMs) and other deep learning technologies. And 

 in capture-the-flag competitions and Bug Bounty Programs and how the Chinese government could leverage their endeavours.

did not foresee the backlash to a new AI feature that 

 of your PC in order to create an instantly searchable database of everything you’ve ever done on your computer.

 from the launch of its Copilot+ PCs – it will now only be rolled out for devs and techies to play with as part of its Windows Insiders Program. It’s a serious misstep by Microsoft, which has mostly outflanked its rivals in the LLM arms race since it unleashed ChatGPT in 2022.

On the vulnerability front, a security flaw in the 

 file transfer tool is worth paying attention to after its severity was 

elevated from ‘high’ to ‘critical’

The YesWeHack Blog

White-box penetration testing with Xdebug: Debugging for PHP vulnerabilities

White-box penetration testing with Xdebug: Debugging for PHP vulnerabilities

L'Oréal lauds live Bug Bounty success at LeHack 2024

Sam Curry modem masterclass, PHP threat to Windows Servers, Calls for AI safety Bug Bounties – ethical hacker news roundup

White-box penetration testing with Xdebug: Debugging for PHP vulnerabilities

Critical infrastructure-level protections for YesWeHack cloud after switch to SecNumCloud-qualified service

Apple declines to pay Kaspersky vuln reward, Bug Bounty ‘extortion’ dispute, Microsoft Recall backlash – OffSec roundup for CISOs

Dojo challenge #33 winners!

Critical infrastructure-level protections for YesWeHack cloud after switch to SecNumCloud-qualified service

Countdown to NIS 2 compliance: Key insights and implications for your SecOps strategy

YesWeHack lève 26 millions d'euros pour accélérer sa croissance et son expansion internationale

YesWeHack raises 26 million euros to accelerate its growth and international expansion

Countdown to NIS 2 compliance: Key insights and implications for your SecOps strategy

DON'T WAIT FOR THE THREATS TO STRIKE

Products

Researchers

Resources

Company

Follow us