Information disclosure on debug page

https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page

If we go to Target > Site map, we can see a request for /cgi-bin/phpinfo.php.

Let's forward that request to the Repeater and send it.

When the response is returned to us, we can search for the following string:

SECRET_KEY

As we can see, the server reveals the secret in the response: the phpinfo() output lists the server's environment variables, and SECRET_KEY is among them.

We can now submit the secret key as the answer:

08py31h0x95q3hfiieipk0q5i3xch7d9

We have solved the lab.
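From the defender's side, the same finding can be checked for automatically. The following is an added example, not part of the original write-up or of the lab: it takes an HTTP response body, recognises phpinfo() output by its table markup, and reports secret-looking variable names with the values redacted. The function names, the name patterns and the sample body are assumptions constructed for illustration.

```python
import re
from html import unescape

# Row format phpinfo() uses for name/value pairs in its HTML output.
ROW = re.compile(r'<tr><td class="e">(.*?)</td><td class="v">(.*?)</td></tr>', re.S)
# Assumption: name patterns that usually indicate a credential; tune per environment.
SENSITIVE = re.compile(r'(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)', re.I)

def is_phpinfo(body: str) -> bool:
    """Heuristic: phpinfo() pages carry a 'PHP Version' heading and e/v table cells."""
    return "PHP Version" in body and 'class="e"' in body and 'class="v"' in body

def redact(value: str) -> str:
    """Keep only the length so the finding can be logged without the secret."""
    return f"<redacted, {len(value)} chars>"

def audit_response(path: str, status: int, body: str) -> list[dict]:
    """Return findings for an exposed phpinfo() page and secret-like variables in it."""
    if status != 200 or not is_phpinfo(body):
        return []
    findings = [{"path": path, "issue": "phpinfo() output publicly reachable"}]
    seen = set()
    for name, value in ROW.findall(body):
        name = unescape(re.sub(r"<[^>]+>", "", name)).strip()
        value = unescape(re.sub(r"<[^>]+>", "", value)).strip()
        # The same variable appears again as $_SERVER['NAME'] / $_ENV['NAME'].
        key = re.sub(r"^\$_(SERVER|ENV)\['(.*)'\]$", r"\2", name)
        if SENSITIVE.search(key) and value and value != "no value" and key not in seen:
            seen.add(key)
            findings.append({"path": path, "issue": f"secret-like variable {key}",
                             "value": redact(value)})
    return findings

# Constructed sample response body (placeholder value, not taken from the lab).
SAMPLE = """<html><body><h1 class="p">PHP Version 7.4.3</h1>
<h2>Environment</h2><table>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
<tr><td class="e">SECRET_KEY </td><td class="v">EXAMPLE-PLACEHOLDER-0000 </td></tr>
</table><h2>PHP Variables</h2><table>
<tr><td class="e">$_SERVER['SECRET_KEY']</td><td class="v">EXAMPLE-PLACEHOLDER-0000</td></tr>
</table></body></html>"""

if __name__ == "__main__":
    for finding in audit_response("/cgi-bin/phpinfo.php", 200, SAMPLE):
        print(finding)
```

Any finding from this check means the debug page should be removed or access-restricted and the exposed secret rotated.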
