Information disclosure is a security vulnerability in which a system or application unintentionally exposes sensitive or internal information to users who were never meant to see it.

Hey, my dear reader...

In this lab from the PortSwigger Web Security Academy, the goal is to identify sensitive information exposed through a debug page. Debug pages are commonly used during development to help developers troubleshoot issues. However, if these pages remain accessible in production environments, they can reveal sensitive internal details about the application.

This lab demonstrates how attackers can access debugging information that should normally be restricted.


A debug page is a special interface that developers use to inspect application behavior.

It may display information such as:

  • Application configuration
  • Framework details
  • Debug logs
  • Environment variables
  • Internal server information

If such a page is publicly accessible, it becomes an information disclosure vulnerability.


First, we visited some products and captured them in Burp Suite, changed the product ID, and tried to find out if there was any information leak, but nothing was found there.


Next, we tried to find comments using Burp Suite, and there we found a path (php.info). We could also find it with ffuf or other tools.


When we browsed to that path, we ended up on the php.info page of that site.


Finally, we got our desired secret key, and through it our lab was solved.
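The same two leaks, an HTML comment that points at a debug page and a debug page that renders a secret, can be caught before release by checking your own application's responses. The script below is an added example, not part of the original write-up or the lab: the sample HTML, the path `/debug/info.php`, the hint words and the phpinfo markers are all assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics chosen for this example (assumptions, tune them for your own stack).
COMMENT_HINT = re.compile(r"debug|phpinfo|php\.info", re.I)
HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
SENSITIVE_KEY = re.compile(r"secret|passw|token|api_?key", re.I)
ROW = re.compile(r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">', re.I | re.S)

class CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []
    def handle_comment(self, data):
        self.comments.append(data.strip())

def audit_comments(html):
    """Return (comment, linked_paths) for comments that mention debug tooling."""
    parser = CommentCollector()
    parser.feed(html)
    return [(c, HREF.findall(c)) for c in parser.comments if COMMENT_HINT.search(c)]

def audit_debug_page(html):
    """None unless the body looks like phpinfo output, else sensitive setting names."""
    if "phpinfo()" not in html and "PHP Version" not in html:
        return None
    # Only the setting names are returned, never their values.
    return [k for k in ROW.findall(html) if SENSITIVE_KEY.search(k)]

def release_gate(pages):
    """pages maps URL path -> response body; returns human-readable findings."""
    findings = []
    for url, html in pages.items():
        for _, paths in audit_comments(html):
            findings.append(f"{url}: comment points at debug tooling {paths}")
        keys = audit_debug_page(html)
        if keys is not None:
            findings.append(f"{url}: debug output is served, exposing {keys}")
    return findings

# Constructed sample responses (not captured from the lab).
PRODUCT_PAGE = """<html><body><h1>Product 3</h1>
<!-- layout v2 -->
<!-- <a href=/debug/info.php>Debug</a> -->
</body></html>"""
DEBUG_PAGE = """<html><head><title>phpinfo()</title></head><body><table>
<tr><td class="e">SERVER_NAME </td><td class="v">example.test </td></tr>
<tr><td class="e">SECRET_KEY </td><td class="v">CONSTRUCTED-PLACEHOLDER </td></tr>
</table></body></html>"""
PAGES = {"/product/3": PRODUCT_PAGE, "/debug/info.php": DEBUG_PAGE}
```

Any finding from `release_gate(PAGES)` should fail the build: strip the comment from the template and remove or access-restrict the debug page before the application ships.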

Follow me to learn more...