Information disclosure in error messages
Description
This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework.
Reproduction and proof of concept
With Burp running, open one of the product pages.
In Burp, go to Proxy > HTTP history and notice that the
GET
request for product pages contains aproductID
parameter. Send theGET /product?productId=1
request to Burp Repeater. Note that yourproductId
might be different depending on which product page you loaded.In Burp Repeater, change the value of the
productId
parameter to a non-integer data type, such as a string. Send the request.GET /product?productId="example"
The unexpected data type causes an exception, and a full stack trace is displayed in the response. This reveals that the lab is using
Apache Struts 2 2.3.31
.Go back to the lab, click “Submit solution”, and enter 2 2.3.31 to solve the lab.
Exploitability
An attacker will need to obtain and submit the version number of this framework.