Secure Legion Labs
Misconfiguration Lab
This room simulates a production application where internal troubleshooting endpoints were left exposed after deployment. Your goal is to reach the debug route, trigger verbose output, and identify the leaked secret material.
The engineering team used a lightweight debug switch during staging and claimed it was turned off before launch.
A JavaScript bundle still references internal routes starting with /__debug/.
If diagnostics are still reachable in production, the response may expose framework traces, environment values, and internal implementation details.
internal debug-style routes
verbose or diagnostics switches
expose a sensitive production trace
Adjust the endpoint and the verbose switch. The intended production leak only appears when the right route and debug mode are both active.
GET /?verbose=
{ "status": "idle" }
Once verbose debug mode is reachable in production, a normal request turns into an internal leak of implementation details and secrets.
The flag appears after you expose the intended debug leak.
Submit the unlocked flag to complete the room.
The tester finds a likely debug endpoint through source clues or predictable naming.
A debug switch that should be disabled in production still returns detailed traces.
The application exposes stack details and signing data that should never leave the server.
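The defensive counterpart to the three findings above, as an added example that is not the lab's own code: a release check that lists /__debug/ references left in a client bundle, a route table that registers debug routes only for explicitly named non-production environments, and an error body that keeps traces on the server. The route names (/__debug/trace, /fail), the NODE_ENV values and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example. Route names, NODE_ENV values and the sample bundle are constructed.
const SAMPLE_BUNDLE =
  'const t="/__debug/trace";fetch(\'/__debug/env?verbose=1\');fetch("/api/items");';

// Release check: list debug route references still present in a client bundle.
function findDebugRefs(bundleText) {
  const re = /["'`](\/__debug\/[\w\-\/]*)/g;
  return [...bundleText.matchAll(re)].map((m) => m[1]);
}

// Fail closed: debug features are enabled only for explicitly named
// non-production environments, so a missing or misspelled NODE_ENV gets none.
function debugAllowed(env) {
  return env.NODE_ENV === 'development' || env.NODE_ENV === 'staging';
}

function buildRoutes(env) {
  const routes = new Map([
    ['/', () => ({ status: 'idle' })], // ?verbose is ignored on normal routes
    ['/fail', () => { throw new Error('db password rejected for svc_app'); }],
  ]);
  if (debugAllowed(env)) {
    routes.set('/__debug/trace', (q) => ({ debug: true, verbose: q.has('verbose') }));
  }
  return routes;
}

// Errors: message and stack stay in server logs; production clients get an opaque id.
function errorBody(err, env, requestId) {
  if (!debugAllowed(env)) return { error: 'internal error', requestId };
  return { error: err.message, stack: err.stack };
}

function handle(url, env, requestId = 'req-0001') {
  const u = new URL(url, 'http://app.invalid');
  const handler = buildRoutes(env).get(u.pathname);
  if (!handler) return { status: 404, body: { error: 'not found' } };
  try {
    return { status: 200, body: handler(u.searchParams) };
  } catch (err) {
    return { status: 500, body: errorBody(err, env, requestId) };
  }
}
```

Because the debug route is never registered in production, the verbose switch has nothing to act on there, whatever its value.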