Write-up: Information disclosure in error messages @ PortSwigger Academy

Frank Leitner, published in InfoSec Write-ups, Nov 3, 2022 (2 min read)


This write-up for the lab Information disclosure in error messages is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path: Server-side topics → Information disclosure

Python script: script.py

Lab description

Steps

The lab application is a webshop. Some, mainly older, frameworks and developers leave comments in the HTML source that give away useful information, so that is the first place to look.

In this case, however, the HTML source of the page does not reveal anything of interest.

Browsing around a bit, there are not many places that accept user input. In fact, the only obvious one is the productId parameter used when viewing product details.

What happens when I modify it?

Modifying parameter

First I try to use a productId that does not exist:

Testing with invalid productId

The application handles this gracefully and simply tells me that it did not find anything. So I retry with a non-numeric value for the parameter:

Testing with non-numeric productId

The application does not handle this error gracefully: instead of a generic error page it returns the full exception with its stack trace, and the page reveals the vulnerable version of Apache Struts 2 that the lab runs on. That version string is the solution to the lab.
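The two probes above (a non-existent productId, then a non-numeric one) and the check of what each response discloses can be scripted. The following is an added example, not the author's script.py: it sends both values to a parameter, treats 4xx/5xx bodies as interesting rather than as failures, and reports whether a response contains a stack trace, an exception class, and any framework banner with a version number. The lab URL, path and parameter name are assumptions for the live probe; the two sample bodies are constructed so the analysis runs offline.

```python
"""Added example: probe a parameter with non-existent and non-numeric values
and flag responses that leak a stack trace or a framework version.
Offline: run as-is against the constructed samples.
Online (assumed layout): python probe.py https://TARGET  -> GET /product?productId=...
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# A Java stack frame line ("at pkg.Class.method(File.java:42)"); only present
# when the server returned an unhandled exception verbatim.
STACK_FRAME = re.compile(r"^\s*at [\w$./]+\([\w.]+:\d+\)", re.M)
OTHER_TRACE_MARKERS = (
    re.compile(r"Traceback \(most recent call last\)"),  # Python
    re.compile(r"Stack trace:", re.I),                   # PHP / .NET
)
# Fully qualified Java exception class, optionally followed by its message.
EXCEPTION = re.compile(r"\b((?:[a-z]\w*\.)+\w+(?:Exception|Error))\b(?:: ([^\n<]*))?")
# Framework / server banners that carry a version number.
VERSION_BANNERS = (
    re.compile(r"(Apache Struts)(?:\s+2)?\s+(\d+(?:\.\d+)+)"),  # "Struts 2 2.x.y" or "Struts 2.x.y"
    re.compile(r"(Apache Tomcat)/(\d+(?:\.\d+)+)"),
    re.compile(r"(Jetty)/(\d+(?:\.\d+)+)"),
    re.compile(r"(Spring Boot)\s+v?(\d+(?:\.\d+)+)"),
)

# Constructed sample responses (not captured from the lab).
SAMPLE_GRACEFUL = (
    "<html><body><h1>Not Found</h1>"
    "<p>The product you requested does not exist.</p></body></html>"
)
SAMPLE_VERBOSE = """<html><body>
<h1>Internal Server Error</h1>
<pre>java.lang.NumberFormatException: For input string: "example"
    at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.base/java.lang.Integer.parseInt(Integer.java:652)
    at lab.actions.ProductAction.execute(ProductAction.java:42)
</pre>
<p>Apache Struts 2 2.3.31</p>
</body></html>"""


def analyse_response(status, body):
    """Return what a single response discloses about the server side."""
    frames = STACK_FRAME.findall(body)
    exc = EXCEPTION.search(body)
    verbose = bool(frames) or any(p.search(body) for p in OTHER_TRACE_MARKERS)
    return {
        "status": status,
        "verbose_error": verbose,
        "exception": exc.group(1) if exc else None,
        "message": exc.group(2) if exc and exc.group(2) else None,
        "stack_frames": len(frames),
        "versions": [m.groups() for p in VERSION_BANNERS for m in p.finditer(body)],
    }


def probe(base_url, path="/product", param="productId",
          values=("1", "999999", "nonnumeric")):
    """GET path?param=value for a valid, a non-existent and a non-numeric value
    and analyse each response. Error statuses are read, not discarded, because
    the 500 page is exactly the one that leaks. Path/param are assumptions."""
    results = []
    for value in values:
        url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode({param: value})}"
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read().decode("utf-8", "replace")
        results.append((value, analyse_response(status, body)))
    return results


def offline_demo():
    """Analyse the two constructed bodies: graceful 404 vs verbose 500."""
    return [("999999", analyse_response(404, SAMPLE_GRACEFUL)),
            ("nonnumeric", analyse_response(500, SAMPLE_VERBOSE))]


if __name__ == "__main__":
    runs = probe(sys.argv[1]) if len(sys.argv) > 1 else offline_demo()
    for value, info in runs:
        flag = "LEAK" if info["verbose_error"] or info["versions"] else "ok"
        print(f"{value:>12} -> {info['status']} {flag} {info['exception']} {info['versions']}")
```

The distinction the script draws is the one the lab turns on: a 404 with a generic message is fine, a 500 that echoes the exception and a framework banner is the finding. Only the version pattern for Struts is needed here; the other banners are included so the same check is reusable against other Java stacks.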

After submitting the version string as the solution, the lab updates to


Tech nerd, doing security stuff for fun and some as a job | CISSP-ISSAP, OSCP