Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Information disclosure in error messages

APPRENTICE

This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.

ACCESS THE LAB

Solution

  1. With Burp running, open one of the product pages.
  2. In Burp, go to "Proxy" > "HTTP history" and notice that the GET request for product pages contains a productID parameter. Send the GET /product?productId=1 request to Burp Repeater. Note that your productId might be different depending on which product page you loaded.

  3. In Burp Repeater, change the value of the productId parameter to a non-integer data type, such as a string. Send the request:

    GET /product?productId="example"
  4. The unexpected data type causes an exception, and a full stack trace is displayed in the response. This reveals that the lab is using Apache Struts 2 2.3.31.
  5. Go back to the lab, click "Submit solution", and enter 2 2.3.31 to solve the lab.

Community solutions

Michael Sommer
Popo Hack

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find information disclosure vulnerabilities using Burp Suite

Try for free