Lab: Information disclosure in error messages
This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.
- With Burp running, open one of the product pages.
In Burp, go to "Proxy" > "HTTP history" and notice that the
GETrequest for product pages contains a
productIDparameter. Send the
GET /product?productId=1request to Burp Repeater. Note that your
productIdmight be different depending on which product page you loaded.
In Burp Repeater, change the value of the
productIdparameter to a non-integer data type, such as a string. Send the request:
- The unexpected data type causes an exception, and a full stack trace is displayed in the response. This reveals that the lab is using Apache Struts 2 2.3.31.
- Go back to the lab, click "Submit solution", and enter 2 2.3.31 to solve the lab.