| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Information Disclosure — Verbose Error Messages |
| Difficulty | Apprentice |
| Objective | Obtain and submit the version number of the vulnerable third-party framework |
## Information Disclosure in Error Messages

Navigating to a product:

```http
GET /product?productId=1 HTTP/2
```

Passing a non-numeric value to productId:

```http
GET /product?productId=teto HTTP/2
```

The response is an Internal Server Error whose stack trace ends with the framework name and version:

```
Internal Server Error: java.lang.NumberFormatException: For input string: "teto"
    at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
(...)
Apache Struts 2 2.3.31
```
Sending unexpected input types is one of the cheapest ways to trigger error messages that leak framework details — the exception handler outputs whatever it has, which includes full stack traces and version strings. Apache Struts 2 2.3.31 is a notably dangerous disclosure: it's affected by CVE-2017-5638, the vulnerability behind the 2017 Equifax breach, so this "harmless" error message directly enables a critical exploit chain.
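As an added example (not part of the lab or PortSwigger's material), here is a small Python check of the kind a tester or CI job can run over captured error responses to flag exactly the leaks shown above: fully qualified Java exception classes, stack-trace frames, and framework name plus version on one line. Both sample bodies are constructed; the first mirrors the verbose error, the second a sanitised replacement.

```python
import re
from dataclasses import dataclass

# Constructed sample responses (not captured from the lab): the first
# mirrors the verbose error above, the second a sanitised replacement.
VERBOSE_ERROR = (
    'Internal Server Error: java.lang.NumberFormatException: For input string: "teto"\n'
    "\tat java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)\n"
    "\tat java.base/java.lang.Integer.parseInt(Integer.java:661)\n"
    "Apache Struts 2 2.3.31\n"
)
SANITISED_ERROR = "Invalid product id.\n"

# Fully qualified Java exception/error class names.
EXCEPTION_CLASS = re.compile(r"\b(?:java|javax|org\.apache)\.[\w.]*(?:Exception|Error)\b")
# Stack-trace frames such as "at pkg.Class.method(File.java:67)".
STACK_FRAME = re.compile(r"^\s*at [\w$./]+\(.*?\)\s*$", re.MULTILINE)
# A known framework name followed, on the same line, by a dotted version.
FRAMEWORK_VERSION = re.compile(
    r"\b(Apache Struts|Apache Tomcat|Spring Framework)\b[^\n]*?(\d+(?:\.\d+)+)"
)

@dataclass
class Finding:
    kind: str      # "exception-class", "stack-frame" or "framework-version"
    evidence: str  # the matched text

def find_disclosures(body: str) -> list[Finding]:
    """Return every information-disclosure indicator found in a response body."""
    findings = [Finding("exception-class", m.group(0)) for m in EXCEPTION_CLASS.finditer(body)]
    findings += [Finding("stack-frame", m.group(0).strip()) for m in STACK_FRAME.finditer(body)]
    findings += [Finding("framework-version", f"{m.group(1)} {m.group(2)}")
                 for m in FRAMEWORK_VERSION.finditer(body)]
    return findings

def leaked_framework_versions(body: str) -> list[str]:
    """Only the framework/version pairs, e.g. ['Apache Struts 2.3.31']."""
    return [f.evidence for f in find_disclosures(body) if f.kind == "framework-version"]

def is_verbose_error(body: str) -> bool:
    """True when the body carries detail that should never reach a client."""
    return bool(find_disclosures(body))

if __name__ == "__main__":
    for name, body in (("verbose", VERBOSE_ERROR), ("sanitised", SANITISED_ERROR)):
        print(name, "leaks:", is_verbose_error(body), leaked_framework_versions(body))
```

The fix on the server side is the same in any framework: map unexpected exceptions to a generic error page and log the stack trace and version only internally.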
Submitting the version string solves the lab.