Lab: Information disclosure on debug page

APPRENTICE

This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.

Access the lab

Solution

With Burp running, browse to the home page.
Go to the "Target" > "Site Map" tab. Right-click on the top-level entry for the lab and select "Engagement tools" > "Find comments". Notice that the home page contains an HTML comment that contains a link called "Debug". This points to /cgi-bin/phpinfo.php.
In the site map, right-click on the entry for /cgi-bin/phpinfo.php and select "Send to Repeater".
In Burp Repeater, send the request to retrieve the file. Notice that it reveals various debugging information, including the SECRET_KEY environment variable.
Go back to the lab, click "Submit solution", and enter the SECRET_KEY to solve the lab.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

Information disclosure Find and exploit information disclosure

Find information disclosure vulnerabilities using Burp Suite

The benefits of working through PortSwigger's Web Security Academy

Get started with the Web Security Academy where you can practise exploiting vulnerabilities on realistic targets .. and its free!

^{Already got an account?
Login here}

Lab: Information disclosure on debug page

Solution

In this topic

All topics

Find information disclosure vulnerabilities using Burp Suite

Find information disclosure vulnerabilities using Burp Suite