Web Security Academy: Information disclosure — Debug page

Careful what files your web server is really sharing…

Deck451
3 min read · Dec 15, 2023

Greetings and welcome to another great and fun Information Disclosure lab provided by PortSwigger’s Web Security Academy. Today we will be exploiting another web application that is vulnerable to Information Disclosure via a debug page we’ll need to get our hands on.

The briefing is also mentioning that we’ll have to put our reading glasses on too, as that debug page will contain an environment variable called SECRET_KEY and our task is to grab its value.

For this lab I think we will need some sort of tool that helps us enumerate (discover) “hidden” files and/or directories: ones that can be accessed directly but are not referenced anywhere by the web application via URL links or anything like that. To that end, while you can use whatever tool you feel most comfortable with, I will be using FeroxBuster. Its installation is straightforward no matter the operating system you’re on; the extensive documentation on installing it covers Linux, macOS and even Windows.

Also, an enumeration tool like that cannot work without a comprehensive word list. A great resource in that aspect is the Seclists repository, courtesy of Daniel Miessler. Of all those files contained in that repo, I found this list to be very helpful for this task.

How FeroxBuster (and pretty much any enumeration / discovery tool, for that matter) uses the aforementioned word list is simple: it builds a candidate URL by combining the base URL of the web application with every single string in the word list, then requests each resulting URL and records the response code. If, for example, the response code is 200, that URL is accessible and we can open it from the browser and go from there.

Having said that, it’s time we tried it on our target website using the following command:

We’ve specified the word list file via -w, the URL of the target web application using -u and the status codes we’re interested in (in this case 200) using -s. The result is as follows:

Looking at the bottom of the results, we can see a cgi-bin directory that stands out from the pack; maybe we should give that a try:

Very interesting, indeed. Let’s try to open this phpinfo.php file:

This file seems to contain quite a lot of data. If we look very carefully, we’ll be able to spot the SECRET_KEY environment variable value:

And with that, our lab is nearly complete. We just need to grab that string and paste it in the lab page and we’re done.
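From the server side, the scan we just ran leaves a very recognisable trace: one client requesting many distinct paths and getting mostly 404s, followed by a 200 on a page that should never be public. As an added example (my own code, not part of the lab or FeroxBuster), here is a small log analyser that flags that pattern and reports any sensitive debug path that answered 200. It assumes the server writes combined-log-format lines; the log lines and the thresholds are constructed for the demo.

```python
"""Flag directory-enumeration bursts and exposed debug pages in web access logs."""
import re
from collections import defaultdict

# Assumption: combined log format, e.g. 10.0.0.5 - - [15/Dec/2023:10:00:00 +0000] "GET /x HTTP/1.1" 404 153
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that should never return 200 on a production host (phpinfo.php is the one from this lab).
SENSITIVE_PATHS = {"/cgi-bin/phpinfo.php", "/phpinfo.php", "/.env", "/debug"}


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, min_requests=10, not_found_ratio=0.8):
    """Return (enumerating_ips, exposed_hits).

    enumerating_ips: clients with at least min_requests requests of which
                     not_found_ratio or more were 404s (a wordlist scan signature).
    exposed_hits:    (ip, path) pairs where a sensitive path returned 200.
    """
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0})
    exposed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["status"] == "404":
            stats["not_found"] += 1
        elif rec["status"] == "200" and rec["path"] in SENSITIVE_PATHS:
            exposed.append((rec["ip"], rec["path"]))
    scanners = sorted(
        ip for ip, s in per_ip.items()
        if s["total"] >= min_requests and s["not_found"] / s["total"] >= not_found_ratio
    )
    return scanners, exposed


# Constructed sample: one client walking a word list, one ordinary visitor.
SAMPLE_LOG = [
    f'10.0.0.5 - - [15/Dec/2023:10:00:{i:02d} +0000] "GET /{w} HTTP/1.1" 404 153'
    for i, w in enumerate(["admin", "backup", "config", "test", "old", "tmp", "dev", "api", "logs"])
] + [
    '10.0.0.5 - - [15/Dec/2023:10:00:09 +0000] "GET /cgi-bin/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Dec/2023:10:00:10 +0000] "GET /cgi-bin/phpinfo.php HTTP/1.1" 200 81234',
    '192.0.2.7 - - [15/Dec/2023:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Run against your own logs, a non-empty exposed list is the finding to act on first: the fix is removing the debug page, not blocking the scanner.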

See you at the next! Stay safe and, as always, happy hacking!

Deck is a software engineer, mentor, writer, cybersecurity enthusiast and sometimes even a teacher. One of his hobbies is doing CTF challenges; there’s always something to learn from them and he very much enjoys sharing the knowledge to people who look forward to sharpening their cybersecurity skills. You can reach Deck on Linkedin, Facebook, Twitter, and Discord: Deck451#6188, as well as follow his writing here on Medium.
