Write-up: Information disclosure on debug page @ PortSwigger Academy
This write-up for the lab Information disclosure on debug page is part of my walkthrough series for PortSwigger’s Web Security Academy.
Learning path: Server-side topics → Information disclosure
Python script: script.py
Lab description
Steps
The lab application is a shop website that is already well-known from other labs. Looking at the page does not reveal anything interesting.
Below, I show how to find the target file using both the commercial Burp Professional and free tools outside of Burp.
Using free tools
When I try to avoid using features from Burp Professional, several good free tools allow for content discovery. The one I use here is ffuf together with the great wordlists provided by SecLists.
First, I search for common directories within the web root of the application with
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u https://0aeb000b03ce98ffc09d247e001c00a4.web-security-academy.net/FUZZ
I can now search within the cgi-bin directory for common files with
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u https://0aeb000b03ce98ffc09d247e001c00a4.web-security-academy.net/cgi-bin/FUZZ
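Seen from the server side, wordlist runs like the two above show up in the access log as a burst of 404 responses to one client, followed by a 200 for the debug file. The following is an added example, not part of the original write-up or its script.py: a small log check that flags both signals. The combined log format, the 10-second window, the threshold of 20 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, request path, status code.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
DEBUG_FILES = {"phpinfo.php"}  # file name from the write-up; extend for your stack

def analyze(lines, window=timedelta(seconds=10), threshold=20):
    """Return (scanner_ips, exposed) for access-log lines in combined format."""
    recent_404 = defaultdict(deque)  # per-client timestamps of recent 404s
    scanners, exposed = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = path.split("?", 1)[0]  # ignore the query string
        if status == "404":
            q = recent_404[ip]
            q.append(when)
            while when - q[0] > window:  # drop 404s outside the sliding window
                q.popleft()
            if len(q) >= threshold:
                scanners.add(ip)
        elif status == "200" and path.rsplit("/", 1)[-1].lower() in DEBUG_FILES:
            exposed.append((ip, path))  # a debug page was actually served
    return scanners, exposed

def sample_log():
    """Constructed log lines: one wordlist run and one ordinary visitor."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 512 "-" "-"'
    lines = [fmt.format(ip="203.0.113.7", s=i // 5, p=f"/word{i}", c=404)
             for i in range(25)]
    lines.append(fmt.format(ip="203.0.113.7", s=6, p="/cgi-bin/phpinfo.php", c=200))
    lines.append(fmt.format(ip="198.51.100.4", s=7, p="/product?productId=1", c=200))
    lines.append(fmt.format(ip="198.51.100.4", s=8, p="/favicon.ico", c=404))
    return lines

if __name__ == "__main__":
    scanners, exposed = analyze(sample_log())
    print("possible content discovery from:", sorted(scanners))
    print("debug page served to:", exposed)
```

The second result is the one to act on first: any 200 for a file in DEBUG_FILES means the page is reachable in production and should be removed or access-restricted.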
Using Burp Professional
With the Burp Content Discovery feature, it is just as easy to find the file.
I use the default options and start the discovery run. Burp quickly shows the phpinfo.php file in the site map:
Finding the secret
I open this file in the browser, scroll through the content and quickly find the answer:
After submitting the solution, the lab updates to