🗂️PortSwigger Lab Writeup: Information Disclosure on Debug Page
🎯 Objective
The objective of this lab is to discover an information disclosure vulnerability in a web application where it still has debug page in production, and our goal is to obtain the SECRET_KEY from debug page.
- Lab URL:
https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page - Category: Information Disclosure
- Difficulty: Apprentice
🧪 Exploitation Steps
🕵️Step 1: Observe the Website
- Firstly open the lab URL in your browser, and observe what it is about and how it works.
- At first glance, the website seems to be a shopping website with very unique and unrelated products. In the lab description, it is mentioned that there is a debug page turned on and we need to find that page.
🧰Step 2: Finding Debug Page
- Open the source code of the website because there may be links to debug page left by developer.
- Hence, a comment in source code reveals the link to debug page.
- Now, Open the debug page to retrieve the
SECRET_KEY
- Hence, we successfully retrieve the
SECRET_KEYfrom the debug page of the website.
🚀Step 3: Submit the Key
- Copy the key value from debug page and paste it in the
Submit solutionto complete the lab. - And Finally, the Lab is solved.
🧠 Conclusion
- This lab demonstrated how an information disclosure caused by a debug page left enabled in production can leak secrets. By inspecting the page source we found a dev comment pointing to the debug page, opened it, and retrieved the
SECRET_KEY. - This highlights the importance of disabling debug pages in production, removing dev comments from HTML, and keeping secrets out of source/output (and rotating them if they leak).