http/misconfiguration/php-debugbar-exposure.yaml

id: php-debugbar-exposure

info:
  name: Php Debug Bar - Exposure
  author: ritikchaddha,pdteam,DhiyaneshDk,geeknik
  severity: high
  description: |
    The DebugBar integrates easily into projects and can display profiling data from any part of your application.This template detects exposed PHP Debug Bars by looking for known response bodies and the `phpdebugbar-id` in headers.
  reference:
    - https://hackerone.com/reports/1883806
    - http://phpdebugbar.com/
    - https://github.com/maximebf/php-debugbar
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"phpdebugbar"
  tags: misconfig,php,phpdebug,exposure,debug

http:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/_debugbar/open"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "phpdebugbar", "widget") && status_code == 200'
          - 'contains(header, "phpdebugbar-id")'
          - 'contains_all(body, "\"utime\"","\"datetime\"","{\"id") && contains(content_type, "application/json")'
        condition: or
# digest: 4b0a00483046022100afe19a0354e51a6998d9b6479572ee8033beafb6545c6255b40aca4d88ad4b76022100f8e4f12d81bb172eb43aa7dc994a02cc43e64f28250a521dfdd0574162c539df:922c64590222798bb761d5b6d8e72950
Create php-debugbar-exposure.yaml 2023-08-25 17:05:04 +05:30			`id: php-debugbar-exposure`

			`info:`
			`name: Php Debug Bar - Exposure`
Update php-debugbar-exposure.yaml (#10968) * Update php-debugbar-exposure.yaml Obliterating false negatives. * chore: remove trailing spaces Signed-off-by: Dwi Siswanto <git@dw1.io> * fix-template * simplified matchers --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2024-12-30 03:35:18 -06:00			`author: ritikchaddha,pdteam,DhiyaneshDk,geeknik`
Update php-debugbar-exposure.yaml 2024-04-05 10:33:06 +05:30			`severity: high`
Create php-debugbar-exposure.yaml 2023-08-25 17:05:04 +05:30			`description: \|`
Update php-debugbar-exposure.yaml (#10968) * Update php-debugbar-exposure.yaml Obliterating false negatives. * chore: remove trailing spaces Signed-off-by: Dwi Siswanto <git@dw1.io> * fix-template * simplified matchers --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2024-12-30 03:35:18 -06:00			The DebugBar integrates easily into projects and can display profiling data from any part of your application.This template detects exposed PHP Debug Bars by looking for known response bodies and the `phpdebugbar-id` in headers.
Create php-debugbar-exposure.yaml 2023-08-25 17:05:04 +05:30			`reference:`
			`- https://hackerone.com/reports/1883806`
			`- http://phpdebugbar.com/`
			`- https://github.com/maximebf/php-debugbar`
			`metadata:`
			`verified: true`
templateman update 2023-10-14 16:57:55 +05:30			`max-request: 2`
Create php-debugbar-exposure.yaml 2023-08-25 17:05:04 +05:30			`shodan-query: html:"phpdebugbar"`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00			`tags: misconfig,php,phpdebug,exposure,debug`
Create php-debugbar-exposure.yaml 2023-08-25 17:05:04 +05:30
			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}"`
			`- "{{BaseURL}}/_debugbar/open"`

Update php-debugbar-exposure.yaml (#10968) * Update php-debugbar-exposure.yaml Obliterating false negatives. * chore: remove trailing spaces Signed-off-by: Dwi Siswanto <git@dw1.io> * fix-template * simplified matchers --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2024-12-30 03:35:18 -06:00			`stop-at-first-match: true`
Create php-debugbar-exposure.yaml 2023-08-25 17:05:04 +05:30			`matchers:`
			`- type: dsl`
			`dsl:`
Update php-debugbar-exposure.yaml (#10968) * Update php-debugbar-exposure.yaml Obliterating false negatives. * chore: remove trailing spaces Signed-off-by: Dwi Siswanto <git@dw1.io> * fix-template * simplified matchers --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2024-12-30 03:35:18 -06:00			`- 'contains_all(body, "phpdebugbar", "widget") && status_code == 200'`
			`- 'contains(header, "phpdebugbar-id")'`
			`- 'contains_all(body, "\"utime\"","\"datetime\"","{\"id") && contains(content_type, "application/json")'`
chore: sign templates 🤖 2024-12-30 09:35:40 +00:00			`condition: or`
			`# digest: 4b0a00483046022100afe19a0354e51a6998d9b6479572ee8033beafb6545c6255b40aca4d88ad4b76022100f8e4f12d81bb172eb43aa7dc994a02cc43e64f28250a521dfdd0574162c539df:922c64590222798bb761d5b6d8e72950`