Setting Up Your PHP Debugging Environment for Hacking
Due to popular demand, I’ve decided to create a blog post on how I set up my PHP debugging environment for hacking PHP applications. In this guide, I will walk you through my setup, which includes using an Ubuntu VPS for the web server and Xdebug. Additionally, I use VSCode as my debugging tool and Burp Suite for testing. Let’s get started!
You can get a $200 free credit on DigitalOcean by using this link (https://try.digitalocean.com/freetrialoffer/). Alternatively, you can set up your own Ubuntu server.
We then create an Ubuntu server and set up our SSH public key.
Installing PHP, Apache2 and Xdebug
We will need to install PHP and the Apache2 web server to host our testing application.
sudo apt update
sudo apt upgrade
sudo apt install apache2 php libapache2-mod-php php-xdebug
Next, we create our testing PHP file in the /var/www/html/ directory.
<?php
echo "test";
Verify that everything is installed by running php -v.
Next, we need to set up our Xdebug configuration in /etc/php/8.3/mods-available/xdebug.ini.
zend_extension=xdebug.so
xdebug.mode = debug
xdebug.start_with_request = yes
xdebug.client_port = 9000
xdebug.client_host = 164.90.218.170
Be sure to replace the xdebug.client_host value (164.90.218.170 above) with the IP address of your Linux machine.
Bringing it all together
In your VSCode, install the following plugin. This will allow us to connect to our Linux server and control it via VSCode.
Once it is installed, it is time to add our VPS server:
Once the plugin is added, you will find your server listed in the plugin menu. If it doesn’t appear, try refreshing the menu. Go ahead and connect to your server.
Once you are connected, install the following plugin to add support for Xdebug in our VSCode.
Now open the application path. In my case, it is /var/www/html since that is where we created the testing PHP file.
Next, navigate to the Debug menu and create the launch.json file, which will be stored in /var/www/html/.vscode.
This file will contain our VSCode debug configuration, which will be used to connect to our Xdebug.
{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Listen for XDebug",
            "type": "php",
            "request": "launch",
            "hostname": "164.90.218.170",
            "port": 9000,
            "pathMappings": {
                "/var/www/html/": "${workspaceFolder}/"
            }
        }
    ]
}
Make sure to replace hostname with your machine’s IP address and add the PHP application path to pathMappings.
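A breakpoint that never triggers is usually a port or host mismatch between the two files above. The following added example (not part of the original post) cross-checks xdebug.ini against launch.json; the embedded strings are constructed copies of the configs shown here, the 9003/localhost/develop fallbacks are Xdebug 3's defaults, and the host comparison is a plain string match.

```python
import json
import re

# Constructed copies of the two files from this post (sample input).
XDEBUG_INI = """zend_extension=xdebug.so
xdebug.mode = debug
xdebug.start_with_request = yes
xdebug.client_port = 9000
xdebug.client_host = 164.90.218.170
"""
LAUNCH_JSON = """{"version": "0.2.0", "configurations": [{
  "name": "Listen for XDebug", "type": "php", "request": "launch",
  "hostname": "164.90.218.170", "port": 9000,
  "pathMappings": {"/var/www/html/": "${workspaceFolder}/",}}]}"""


def parse_ini(text):
    """Return {key: value} from 'key = value' lines; ';' starts a comment."""
    pairs = (ln.split(";", 1)[0].split("=", 1) for ln in text.splitlines())
    return {p[0].strip(): p[1].strip() for p in pairs if len(p) == 2}


def parse_launch(text):
    """Drop trailing commas (VS Code accepts them, json.loads does not).
    Simplification: comments and commas inside strings are not handled."""
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))


def check(ini_text, launch_text):
    """Return a list of mismatches between xdebug.ini and launch.json."""
    ini = parse_ini(ini_text)
    port = int(ini.get("xdebug.client_port", 9003))    # Xdebug 3 default
    host = ini.get("xdebug.client_host", "localhost")  # Xdebug 3 default
    problems = []
    if "debug" not in ini.get("xdebug.mode", "develop").replace(" ", "").split(","):
        problems.append("xdebug.mode does not include 'debug'")
    for cfg in parse_launch(launch_text)["configurations"]:
        if cfg.get("type") != "php" or cfg.get("request") != "launch":
            continue
        listen, bind = cfg.get("port", 9003), cfg.get("hostname")
        if listen != port:
            problems.append(f"VSCode listens on {listen}, Xdebug connects to {port}")
        if bind not in (None, "0.0.0.0", "::", host):
            problems.append(f"VSCode binds {bind}, Xdebug connects to {host}")
        if not cfg.get("pathMappings"):
            problems.append("no pathMappings, breakpoints may not resolve")
    return problems


if __name__ == "__main__":
    print(check(XDEBUG_INI, LAUNCH_JSON) or "xdebug.ini and launch.json agree")
```

To run it against the real files, read /etc/php/8.3/mods-available/xdebug.ini and /var/www/html/.vscode/launch.json and pass their contents to check().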
Now that everything is set up, all that’s left is to set our breakpoints and start the debugger.
We set the breakpoint at line 3 where the echo is. Once we visit the page, we can see that the breakpoint is triggered.
Thanks for reading, and happy hacking!