Description: This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.
Upon accessing the lab, we are presented with a shopping website:
Clicking through "View details" for a productId, going back, and even checking the Network tab in Chrome DevTools turned up nothing interesting:

Even when changing productId to non-integers, the response was:
"Invalid product ID"
Next, I decided to use Burp Suite:
I opened Burp Suite CE -> Start Temporary Task -> Turn intercept off in proxy tab
After all this, I repeated the actions of going to the lab website and clicking a product.
This time, when checking the site map in the Target tab, it showed this:

The cgi-bin directory detected by Burp Suite CE is interesting because /cgi-bin/ is where a web developer would put executable files to give the website more features than plain HTML (Locust377).
In our case, it might mean that the site has extra features such as a debug page.
In the cgi-bin directory, the detected page is https://0a34000504f0107984aad1a000ea00ce.web-security-academy.net/cgi-bin/phpinfo.php

According to php.net, the phpinfo() function that a phpinfo.php page calls outputs information about PHP compilation options and extensions, the PHP version, server information and environment (if compiled as a module), the PHP environment, OS version information, paths, master and local values of configuration options, HTTP headers, and the PHP License.
Using CTRL+F, we can find SECRET_KEY which will be the lab solution.
IMPORTANT: A phpinfo.php page matters because it often reveals which outdated software the website is running, which lets attackers match relevant public CVEs against it. It also contains a lot of information about directories, including internal ones, which could help attackers exploit path traversal or other vulnerabilities if they are present.
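
For defenders, one way to audit what a phpinfo() page on your own server would disclose. This is an added example, not part of the original write-up. The name patterns and the sample HTML are constructed assumptions; the parser relies on phpinfo() rendering each row as a `td class="e"` name cell followed by a `td class="v"` value cell.

```python
import re
from html.parser import HTMLParser

# Name fragments that usually mark a credential (assumed list; tune per environment).
SENSITIVE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE|_KEY$", re.I)

class PhpinfoRows(HTMLParser):
    """Collect (name, value) pairs from phpinfo() rows: td class "e" then "v"."""
    def __init__(self):
        super().__init__()
        self.rows, self._cell, self._name, self._buf = [], None, None, []

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class")
        if tag == "td" and cls in ("e", "v"):
            self._cell, self._buf = cls, []

    def handle_data(self, data):
        if self._cell:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "td" or not self._cell:
            return
        text = "".join(self._buf).strip()
        if self._cell == "e":
            self._name = text
        elif self._name is not None:  # first value cell only (local, not master)
            self.rows.append((self._name, text))
            self._name = None
        self._cell = None

def audit_phpinfo(html):
    """Summarise what a phpinfo() page discloses; secret values are never returned."""
    parser = PhpinfoRows()
    parser.feed(html)
    version = re.search(r"PHP Version\s+([\d.]+)", html)
    names = {n for n, v in parser.rows if v and SENSITIVE.search(n)}
    return {"is_phpinfo": bool(version and parser.rows),
            "php_version": version.group(1) if version else None,
            "sensitive_names": sorted(names)}

# Constructed sample page (version and values are placeholders, not from the lab).
SAMPLE = """<html><head><title>phpinfo()</title></head><body>
<h1 class="p">PHP Version 7.4.3</h1><h2>Environment</h2><table>
<tr><td class="e">PATH </td><td class="v">/usr/local/bin:/usr/bin </td></tr>
<tr><td class="e">SECRET_KEY </td><td class="v">constructed-placeholder </td></tr>
<tr><td class="e">DB_PASSWORD </td><td class="v">constructed-placeholder </td></tr>
</table></body></html>"""
```

Any non-empty `sensitive_names` list means the page should be removed from the deployed web root and the listed secrets rotated.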