| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Information Disclosure — Debug Page Left in Production |
| Difficulty | Apprentice |
| Objective | Obtain and submit the SECRET_KEY environment variable |
Information Disclosure on Debug Page
Navigating to a product returned a normal 200 OK.
Passing a non-numeric productId returned only a generic "Invalid product ID" message: no stack trace, no path, nothing useful.
Switching to passive recon. Burp's Target > Site map records every URL seen in proxied traffic, including links and paths referenced in page source (HTML comments included), so it often surfaces endpoints that are not reachable by clicking through the UI.
Burp had captured a GET to /cgi-bin/phpinfo.php, a debug page left accessible in production. phpinfo() pages are among the most common debug artifacts left deployed: they dump the entire PHP configuration, including environment variables, loaded modules, file paths, and compilation options, and any secret injected into the process environment ends up in that output.
Ctrl+F through the phpinfo output for SECRET_KEY:
Found. Submitting it:
Lab solved o.o
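The two manual steps above (spot a debug artifact referenced in page source, then pull one variable out of the phpinfo() dump) are easy to script for the next engagement. The following is an added example, not code from the lab or from PortSwigger: it parses constructed sample HTML with the standard library only, so it runs offline. The DEBUG_MARKERS list, the sample page, and the sample SECRET_KEY value are all assumptions made for the demonstration; against a real target you would feed it the response bodies captured in Burp.

```python
import re
from html.parser import HTMLParser

# Substrings that mark a path as a likely debug/diagnostic leftover.
# Assumption: a starting list, extend it for the target in hand.
DEBUG_MARKERS = ("phpinfo", "debug", "info.php", "test.php", ".env", "trace")


class _RefExtractor(HTMLParser):
    """Collect href/src/action values plus path-like strings inside HTML comments,
    roughly what Burp's site map picks up from page source."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.refs.append(value)

    def handle_comment(self, data):
        # Commented-out links are exactly where leftover debug pages tend to hide.
        self.refs.extend(re.findall(r"/[\w./-]+", data))


def find_debug_references(html):
    """Sorted, de-duplicated references in `html` that look like debug artifacts."""
    parser = _RefExtractor()
    parser.feed(html)
    return sorted({r for r in parser.refs if any(m in r.lower() for m in DEBUG_MARKERS)})


class _PhpinfoRows(HTMLParser):
    """Turn the <tr><td class="e">NAME</td><td class="v">VALUE</td></tr> rows that
    phpinfo() emits into (name, value) pairs; <th> header rows are skipped."""

    def __init__(self):
        super().__init__()
        self.pairs = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None and self._row is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if len(self._row) >= 2:
                self.pairs.append((self._row[0], self._row[1]))
            self._row = None
            self._cell = None


def phpinfo_env(html):
    """Map every NAME -> VALUE pair found in a phpinfo() page."""
    parser = _PhpinfoRows()
    parser.feed(html)
    return dict(parser.pairs)


def lookup_secret(html, name="SECRET_KEY"):
    """The scripted Ctrl+F: value of `name`, or None if the page does not expose it."""
    return phpinfo_env(html).get(name)


# Constructed sample inputs (not captured from the lab).
SAMPLE_PAGE = """<html><body>
<a href="/product?productId=1">Product 1</a>
<script src="/resources/js/main.js"></script>
<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->
</body></html>"""

SAMPLE_PHPINFO = """<html><body><h2>Environment</h2><table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">HOSTNAME </td><td class="v">web-01 </td></tr>
<tr><td class="e">SECRET_KEY </td><td class="v">0sssqhmt1uhaa19qc3dvtj5xrsg4ymfz </td></tr>
<tr><td class="e">PATH </td><td class="v">/usr/local/sbin:/usr/local/bin </td></tr>
</table></body></html>"""

if __name__ == "__main__":
    print("debug references:", find_debug_references(SAMPLE_PAGE))
    print("SECRET_KEY:", lookup_secret(SAMPLE_PHPINFO))
```

The comment handler is the part that matters for this lab class: a crawler that only follows rendered links never sees a commented-out Debug anchor, which is why the site map (and this script) read the raw source rather than the DOM.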