Information disclosure in error messages
Let's click on the first product and view it.
Since we are proxying the traffic through Burp Suite, we can view this request in Proxy > HTTP History.
Let's forward this request to the Repeater for further modification.
Once in the Repeater, we have to set the productId parameter to a non-integer value as follows and send the request to the server:
"string"
2 2.3.31
As we can see, the server discloses the Apache version in the response.
We can now submit this as the answer.
We have solved the lab.
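
The disclosure above happens because an unhandled type error on productId is returned to the client verbatim. The sketch below is an added example, not code from the lab or from this write-up: it puts a handler that leaks its error beside a hardened one, and adds a check that can be run over error responses. The handler names, the catalog and the banner string are constructed placeholders.

```python
import logging
import re
import traceback
import uuid

log = logging.getLogger("shop")
FRAMEWORK_BANNER = "ExampleFramework 1.2.3"  # constructed placeholder, not the lab's value
CATALOG = {1: "Sample product"}              # constructed data

# Markers that suggest an error page is exposing internals.
LEAK_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),
    re.compile(r'File ".*", line \d+'),
    re.compile(r"[A-Za-z]+[ /]\d+\.\d+\.\d+"),  # product name followed by x.y.z
]

def leaks_internal_details(body):
    """Return True if a response body contains stack-trace or version markers."""
    return any(p.search(body) for p in LEAK_PATTERNS)

def vulnerable_handler(params):
    """Sends the raw exception and framework banner back to the client."""
    try:
        return 200, CATALOG[int(params["productId"])]
    except Exception:
        return 500, traceback.format_exc() + "\n" + FRAMEWORK_BANNER

def hardened_handler(params):
    """Validates input, keeps details in the server log, answers generically."""
    raw = params.get("productId", "")
    if not (raw.isascii() and raw.isdigit()):
        return 400, "Invalid product ID"
    try:
        return 200, CATALOG[int(raw)]
    except KeyError:
        return 404, "Product not found"
    except Exception:
        ref = uuid.uuid4().hex  # correlation ID links the client report to the log entry
        log.exception("unhandled error ref=%s", ref)
        return 500, "Internal error. Reference: " + ref
```

Running `leaks_internal_details` over the error responses of a test suite or a staging crawl gives a regression check for this class of disclosure.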