PortSwigger's "Information disclosure on debug page" Walkthrough

This is a short walkthrough of the second of five information disclosure labs (four of which are Apprentice-level).

Before we get started, you’ll need a PortSwigger Academy account. Log in and then view the lab at https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page. It is also accessible from the “All labs” view.

Challenge Information

Click the “Access the Lab” button and you will be taken to a temporary website that is created for your account. Its address will be in the format https://<random string here>.web-security-academy.net/.

The goal of this challenge is to get the value of the SECRET_KEY environment variable from a debug page. First, we’ll need to find the debug view.

Here’s what the website looks like:

Lab Solution

We first need to find the debug page. To do so, right-click anywhere on the page and select View Page Source. This should show you the HTML for the page, at:

view-source:https://<random-string>.web-security-academy.net/

Use control-F to search for “debug” in the page. The first few matches are near the top, in the challenge description; keep iterating through the matches until you reach the end of the page.

At the bottom of the HTML, there’s a commented-out link to a debug page:

Go to the endpoint /cgi-bin/phpinfo.php using this full URL:

https://<random-string>.web-security-academy.net/cgi-bin/phpinfo.php

This displays a phpinfo page, which lists a host of environment, version, and other configuration details about the web server.

Again, use control-F to search, this time for the value SECRET_KEY.

There’s our result, khu5r8qih2q8jjc5v8ndt7j3fho89gox.

Go back to the web homepage, click “Submit Solution” and enter the value.
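The two findings in this lab (a commented-out link to a debug page left in the HTML, and a phpinfo page that prints every environment variable, secrets included) are exactly what a pre-release check of your own site should flag. The script below is an added example, not part of PortSwigger's lab or this walkthrough: it parses HTML for comments that reference debug-style paths, and scans a phpinfo-style environment table for variable names that look secret-bearing, reporting only the names so the audit output itself does not leak the values. Both inputs are constructed samples; the `<td class="e">`/`<td class="v">` row layout is the one phpinfo emits, but the values shown are placeholders, not real secrets.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a page whose footer still carries a commented-out debug link.
SAMPLE_HTML = """<html><body>
<h1>Shop</h1>
<p>Welcome</p>
<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->
</body></html>"""

# Constructed sample of a phpinfo environment table (placeholder values, not real secrets).
SAMPLE_PHPINFO = """<table>
<tr><td class="e">PATH</td><td class="v">/usr/local/bin</td></tr>
<tr><td class="e">SECRET_KEY</td><td class="v">EXAMPLE_VALUE_NOT_REAL</td></tr>
<tr><td class="e">DB_PASSWORD</td><td class="v">EXAMPLE_PASS_NOT_REAL</td></tr>
</table>"""

# Words that suggest a comment points at a debug or diagnostic endpoint.
DEBUG_HINTS = ("debug", "phpinfo", "staging", "test")
# Environment variable names that usually hold secrets.
SENSITIVE_NAME = re.compile(r"(SECRET|KEY|PASSWORD|PASSWD|TOKEN|CREDENTIAL)", re.I)
# href values with or without quotes, as they appear in hand-written HTML.
HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
# One phpinfo table row: name cell followed by value cell.
ENV_ROW = re.compile(
    r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S
)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in the document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def find_commented_debug_links(html):
    """Return hrefs found inside HTML comments whose text mentions a debug hint."""
    parser = CommentCollector()
    parser.feed(html)
    hits = []
    for comment in parser.comments:
        text = comment.lower()
        if not any(hint in text for hint in DEBUG_HINTS):
            continue
        hits.extend(HREF.findall(comment))
    return hits


def find_sensitive_env(phpinfo_html):
    """Return the names (never the values) of environment rows that look secret-bearing."""
    return [
        name for name, _value in ENV_ROW.findall(phpinfo_html)
        if SENSITIVE_NAME.search(name)
    ]


if __name__ == "__main__":
    for href in find_commented_debug_links(SAMPLE_HTML):
        print(f"commented-out debug reference: {href}")
    for name in find_sensitive_env(SAMPLE_PHPINFO):
        print(f"phpinfo exposes a secret-looking variable: {name}")
```

Run against your own rendered pages before release, the first check catches leftover comments like the one in this lab; the second is only meaningful if a phpinfo page is reachable at all, and the real fix is to delete it from the document root (and, if phpinfo is never needed in production, add it to php.ini's `disable_functions`).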

And that concludes the walkthrough.