July 14, 2026
PortSwigger Lab Solution: Information Disclosure on Debug Page Walkthrough (Apprentice)
Learn how to identify exposed debug pages, discover hidden HTML comments, and extract sensitive information using Burp Suite in theβ¦

By Rahul M S
3 min read
Learn how to identify exposed debug pages, discover hidden HTML comments, and extract sensitive information using Burp Suite in the PortSwigger Web Security Academy.
Debug pages are valuable during development because they help developers troubleshoot applications. However, if these pages remain accessible in production, they can expose sensitive information such as environment variables, secret keys, server configuration, framework versions, and other internal implementation details. Attackers frequently search for these pages during reconnaissance because they often provide valuable intelligence for further exploitation.
In this walkthrough, we'll solve the Information Disclosure on Debug Page lab from the PortSwigger Web Security Academy using Burp Suite. You'll learn how to identify hidden debug references, access exposed development endpoints, extract sensitive information, understand the security risks, and apply best practices to prevent information disclosure vulnerabilities.
π Lab Information
Difficulty: Apprentice
Category: Information Disclosure
Objective: Find an exposed debug page that reveals a secret key and submit it to solve the lab.
Lab URL: https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-on-debug-page
π― What You'll Learn
By completing this lab, you'll learn how to:
β Discover hidden debug references inside HTML source code.
β Identify exposed development endpoints using Burp Suite.
β
Extract sensitive information from a publicly accessible phpinfo() page.
β Understand why debug pages create serious information disclosure risks.
β Implement security best practices to protect production environments.
π Understanding the Vulnerability
Information disclosure occurs when an application unintentionally exposes internal implementation details that should never be available to end users.
One of the most common causes is leaving development or debugging functionality enabled after deployment.
Examples of exposed debug resources include:
β’ phpinfo.php
β’ /debug
β’ /status
β’ /actuator
These endpoints may reveal:
β’ Environment variables
β’ Secret keys
β’ PHP and framework versions
β’ Installed modules
β’ Server configuration
β’ Internal file paths
Although intended for debugging, this information significantly helps attackers fingerprint an application and identify potential attack vectors.
π― Identifying the Attack Surface
Browse the application and open any product page.
Inspect the response using Burp Suite Repeater or view the page source.
Inside the HTML response, you'll notice the following comment:
<!-- <a href="/cgi-bin/phpinfo.php">Debug</a> --><!-- <a href="/cgi-bin/phpinfo.php">Debug</a> -->Although HTML comments are hidden from normal page rendering, they remain visible in the source code. Developers sometimes leave debugging references inside comments without realizing that anyone can view them.
The comment reveals the existence of the following endpoint:
/cgi-bin/phpinfo.php/cgi-bin/phpinfo.phpβοΈ How the Vulnerability Occurs
The vulnerability occurs because development artifacts were left accessible in the production environment.
HTML Comment
β
βΌ
Attacker Views Source Code
β
βΌ
Hidden Debug Endpoint Discovered
β
βΌ
Debug Page Accessed
β
βΌ
Sensitive Information ExposedHTML Comment
β
βΌ
Attacker Views Source Code
β
βΌ
Hidden Debug Endpoint Discovered
β
βΌ
Debug Page Accessed
β
βΌ
Sensitive Information ExposedThis happens because:
β’ Debug endpoints were not removed before deployment.
β’ HTML comments expose internal application resources.
β’ The debug page is publicly accessible without authentication.
β’ phpinfo() reveals sensitive environment information.
π Exploitation Steps
Step 1: Browse the Application
Open the lab and browse the target application.
Click on any product page.
Step 2: Inspect the Response
Locate the request in Proxy β HTTP History.
Right-click the request and select Send to Repeater.
Click Send and inspect the HTML response.
Step 3: Locate the Hidden Debug Reference
Search the response body for HTML comments.
You'll discover:
<!-- <a href="/cgi-bin/phpinfo.php">Debug</a> --><!-- <a href="/cgi-bin/phpinfo.php">Debug</a> -->This confirms that a debug page exists.
Step 4: Access the Debug Page
Request the following resource:
GET /cgi-bin/phpinfo.php HTTP/1.1
Host: <lab-id>.web-security-academy.netGET /cgi-bin/phpinfo.php HTTP/1.1
Host: <lab-id>.web-security-academy.netClick Send.
Step 5: Retrieve the Secret Key
The response displays the output of phpinfo().
Search for:
SECRET_KEYSECRET_KEYThe corresponding value is the answer required to complete the lab.
Note:_ Every PortSwigger lab instance generates a unique secret key, so your value will be different._
β οΈ Security Impact
If exposed in a real-world application, debug pages can allow attackers to:
β’ Retrieve secret keys and environment variables.
β’ Identify PHP versions and installed modules.
β’ Discover server configuration details.
β’ Reveal internal file paths.
β’ Collect valuable reconnaissance information for future attacks.
π‘οΈ Remediation
Developers should follow these security best practices:
β Remove all debug pages before deploying to production.
β
Never expose phpinfo() on publicly accessible servers.
β Remove HTML comments containing sensitive information.
β Store secrets securely using environment variables and never expose them through debugging tools.
β Restrict access to administrative and development endpoints.
π Key Takeaways
Debug pages and development artifacts should never remain accessible in production environments.
β HTML comments can unintentionally expose hidden functionality.
β Publicly accessible debug pages may leak sensitive application information.
β Attackers actively search for forgotten development resources during reconnaissance.
β Secure deployment practices help prevent information disclosure vulnerabilities.
π References
PortSwigger Web Security Academy
https://portswigger.net/web-security/information-disclosure
OWASP Top 10
https://owasp.org/www-project-top-ten/
π€ Connect with Me
If you enjoy practical cybersecurity content and hands-on PortSwigger Web Security Academy walkthroughs, feel free to connect with me.
π Portfolio https://rahulms.qzz.io/
π» GitHub https://github.com/1amrahul
πΌ LinkedIn https://linkedin.com/in/rahul-m-s-372b631a2
If this walkthrough helped you, consider following this publication for more PortSwigger Web Security Academy lab solutions, Burp Suite tutorials, web application penetration testing (VAPT) guides, and practical web application security content.