
Information disclosure in error messages

1. Let's click on the first product and view it.

2. Since we are proxying the traffic through Burp Suite, we can view this request in Proxy > HTTP History.

3. Let's forward this request to the Repeater for further modification. Once in the Repeater, we have to set the productId parameter to a non-integer value such as "string" and send the request to the server.

4. The error page in the response contains the following version string:

   2 2.3.31

   As we can see, the server discloses the Apache version in the response.

5. We can now submit this as the answer.

6. We have solved the lab.
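To show the root cause behind this lab, here is an added example (not code from the lab or from PortSwigger) of a minimal request handler in its leaking form beside a hardened one, plus a small check a defender can run over response bodies. The framework banner, the handler names and the dict-based request shape are assumptions for the demo.

```python
import logging
import re

logger = logging.getLogger("shop")

# Constructed banner for the demo; stands in for whatever a real stack prints on its error page.
FRAMEWORK_BANNER = "ExampleFramework 1.2.3"


def vulnerable_product_handler(params: dict) -> tuple[int, str]:
    """Before: the unhandled parse error is rendered straight into the response."""
    try:
        product_id = int(params.get("productId", ""))
        return 200, f"<h1>Product {product_id}</h1>"
    except ValueError as exc:
        # Verbose error page: exception text and the framework banner reach the client.
        return 500, f"Internal Server Error\n{exc!r}\n{FRAMEWORK_BANNER}"


def hardened_product_handler(params: dict) -> tuple[int, str]:
    """After: validate the parameter first, keep detail in server logs, return a generic message."""
    raw = params.get("productId", "")
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        logger.warning("rejected productId=%r", raw)  # detail stays server-side
        return 400, "Invalid product id"
    return 200, f"<h1>Product {int(raw)}</h1>"


def leaks_version(body: str) -> bool:
    """Detection helper: does a response body expose a 'Name x.y.z'-style version string?"""
    return re.search(r"\b[A-Za-z][\w-]* \d+(?:\.\d+){1,3}\b", body) is not None
```

Sending productId=string to the vulnerable handler yields a 500 whose body trips leaks_version(); the hardened handler answers 400 with a body that does not.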
