PortSwigger Academy - Information Disclosure on Debug Page
This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.

Instructions
To solve the lab:
- Obtain and submit the SECRET_KEY environment variable.
Debugging tools and scripts can be invaluable during development, but when left exposed in production, they often become a treasure trove for attackers. In this case, we explore how a publicly accessible debug page (phpinfo.php) inadvertently disclosed sensitive environment variables, including the application’s SECRET_KEY. Let’s walk through the steps taken to identify and exploit this vulnerability, understand its risks, and discuss how to mitigate it.
Initial Discovery
While inspecting the source code of the homepage, we discovered a commented-out anchor tag pointing to a phpinfo.php script:
<a href="/cgi-bin/phpinfo.php">
Although this link wasn’t visible on the rendered page, it was easily found in the source code. Clicking on the link led to a debug page that runs the phpinfo() function, which provides a wealth of information about the server’s PHP configuration.
Exploring the phpinfo.php Debug Page
Navigating to /cgi-bin/phpinfo.php, the page displayed detailed information about the server’s PHP environment, including:
- PHP version
- Loaded modules
- Server configuration
- Environment variables
Using the browser’s search functionality, we searched for the keyword SECRET_KEY and found the following environment variable exposed:
This environment variable could potentially be used for signing cookies, encrypting sensitive data, or other critical application functions. With this information, we completed the lab by submitting the SECRET_KEY value.
Why It's Vulnerable
1. Sensitive Information Disclosure
The phpinfo() function dumps detailed server information, including:
- Environment Variables: These often contain sensitive data like API keys, database credentials, or application secrets.
- Server Configuration: Information about PHP versions, installed modules, and file paths helps attackers identify potential attack vectors.
- Debugging Data: Includes internal paths and other technical details that can assist in crafting exploits.
2. Commented-Out Code Is Still Exposed
The link to /cgi-bin/phpinfo.php was commented out in the HTML, but it remained discoverable in the source code. Commenting out sensitive functionality is a poor practice because attackers routinely inspect page sources or use automated tools to find these hidden clues.
3. Publicly Accessible cgi-bin Directory
The cgi-bin directory is a common target for penetration testers and attackers because it often contains old, leftover, or misconfigured scripts. When publicly accessible, it provides an easy entry point into sensitive server functionality.
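The check below is an added example, not part of the original write-up or the lab: a pre-release audit that flags the two conditions described in points 1 and 2 above, a PHP file that calls phpinfo() and a link left inside an HTML comment. The function names and the sample file tree are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# href/src attribute values: double-quoted, single-quoted, or bare.
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
# A phpinfo() call anywhere in PHP source.
PHPINFO_RE = re.compile(r"\bphpinfo\s*\(", re.I)


class CommentLinkFinder(HTMLParser):
    """Collects URLs referenced inside HTML comments."""
    def __init__(self):
        super().__init__()
        self.hidden_links = []

    def handle_comment(self, data):
        for m in LINK_RE.finditer(data):
            self.hidden_links.append(next(g for g in m.groups() if g is not None))


def links_in_comments(html):
    """Return every href/src target found inside an HTML comment."""
    finder = CommentLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hidden_links


def audit(files):
    """files maps path -> text; returns (path, finding) tuples sorted by path."""
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith((".html", ".htm")):
            for url in links_in_comments(text):
                findings.append((path, f"commented-out link to {url}"))
        if path.endswith(".php") and PHPINFO_RE.search(text):
            findings.append((path, "calls phpinfo()"))
    return findings


# Constructed sample release tree, not the lab's real files.
SAMPLE = {
    "index.html": '<!-- <a href="/cgi-bin/phpinfo.php">Debug</a> -->\n<a href="/cart">Cart</a>',
    "cgi-bin/phpinfo.php": "<?php phpinfo(); ?>",
    "cart.php": "<?php echo 'cart'; ?>",
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

Run over the files about to be deployed, a non-empty result is a reason to fail the release; a phpinfo() match inside a PHP comment will also be reported and needs a manual look.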
The Impact
Exposing a debug page like phpinfo.php can have far-reaching consequences:
- Compromise of Sensitive Data
  Attackers can retrieve environment variables like the SECRET_KEY in this scenario, which might be used for:
  - Signing or verifying authentication tokens.
  - Encrypting or decrypting sensitive data.
  - Accessing APIs or other backend systems.
- Facilitation of Further Attacks
  Details about PHP versions, installed modules, and server configurations allow attackers to:
  - Identify known vulnerabilities in the software stack.
  - Tailor their exploits to the server’s specific setup.
- Loss of Control and Trust
  Once sensitive data like the SECRET_KEY environment variable is compromised, attackers can impersonate users, tamper with application data, or escalate their access, leading to significant reputational and financial damage.