Portswigger - Information Disclosure - Lab #2 Information disclosure on debug page

Video description: Portswigger - Information Disclosure - Lab #2 Information disclosure on debug page

Hello Hackers, in this video on information disclosure on a debug page you will see how to discover, find and exploit leaked sensitive information that could be used for potential attacks, using Burp Suite in a lab from Web Security Academy powered by PortSwigger.

⚠️ Subscribe to my channel ➡️ @popo_hack ⚠️

0:00 - About the Lab
0:34 - Map the application
1:42 - Find hidden comment
2:25 - Discover phpinfo.php file
3:28 - Find a SECRET_KEY

🔍 About the Lab
Lab: Information disclosure on debug page
Level: Apprentice
This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.

✅ What to do?
1. With Burp running, browse to the home page.

2. Go to the "Target" then "Site Map" tab. Right-click on the top-level entry for the lab and select "Engagement tools" then "Find comments". Notice that the home page contains an HTML comment that contains a link called "Debug". This points to /cgi-bin/phpinfo.php.

3. In the site map, right-click on the entry for /cgi-bin/phpinfo.php and select "Send to Repeater".

4. In Burp Repeater, send the request to retrieve the file. Notice that it reveals various debugging information, including the SECRET_KEY environment variable.

5. Go back to the lab, click "Submit solution", and enter the SECRET_KEY to solve the lab.
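
A defender-side version of steps 2 to 4, as an added example that is not part of the original video or lab: it lists links left in HTML comments and reports which sensitive-looking variable names a phpinfo() page exposes, without printing their values. The sample HTML, the function names and the keyword list are assumptions constructed for illustration; the row pattern assumes default phpinfo() table markup.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured from the lab).
HOME_HTML = """<html><body><h1>Shop</h1>
<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->
<!-- layout v2 -->
</body></html>"""
DEBUG_HTML = """<html><head><title>phpinfo()</title></head><body>
<h2>Environment</h2><table>
<tr><td class="e">PATH </td><td class="v">/usr/bin </td></tr>
<tr><td class="e">SECRET_KEY </td><td class="v">constructed-placeholder </td></tr>
</table></body></html>"""

# URL-bearing attributes, quoted or unquoted.
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)
# Hypothetical keyword list for names that should never reach a response.
SENSITIVE_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE", re.I)
# phpinfo() renders each setting as a name cell (class e) and a value cell (class v).
ROW_RE = re.compile(
    r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S)


class CommentAudit(HTMLParser):
    """Collects URLs that appear inside HTML comments."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_comment(self, data):
        self.links.extend(LINK_RE.findall(data))


def links_in_comments(html):
    audit = CommentAudit()
    audit.feed(html)
    return audit.links


def phpinfo_exposures(html):
    """Return names (never values) of sensitive-looking variables on a phpinfo() page."""
    if "phpinfo()" not in html:
        return []
    return sorted({n for n, _ in ROW_RE.findall(html) if SENSITIVE_RE.search(n)})


if __name__ == "__main__":
    print("links in comments:", links_in_comments(HOME_HTML))
    print("exposed variables:", phpinfo_exposures(DEBUG_HTML))
```

Run against your own application's rendered pages before release; any hit means a debug link or debug page should be removed or access-restricted.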

Thank you for watching my video. If you have any questions or topic recommendations, feel free to write them in the comments below 🙋

#WebSecurityAcademy #portswigger #leakinfo #vulnerability
