
🗂️PortSwigger Lab Writeup: Information Disclosure in Error Messages



🎯 Objective

The objective of this lab is to find an information disclosure vulnerability in a web application that returns verbose error messages when it receives invalid user input. Our goal is to extract the version of a vulnerable third-party framework from one of those error messages and submit it.

  • Lab URL: https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages
  • Category: Information Disclosure
  • Difficulty: Apprentice

💉 Payloads Used

  • s, supplied as the value of the productId parameter to trigger an error ✅

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and explore how the site works. (Screenshot: initial inspection of the shopping website layout; individual product page showing normal product content and the integer productId parameter.)
  • At first glance, the site is a shop selling a handful of unusual, unrelated products. In the URL, each product is loaded via a productId query parameter, which makes it a natural candidate for triggering an error message.

🧰Step 2: Cause an Error

  • Based on the initial observation, the productId parameter is the most promising input. I will send an invalid value for it and see whether the application returns an error message.
  • Since the application always passes integer values to productId, we try a non-numeric value instead: s. (Screenshot: product page requested with the productId query parameter set to s.)
  • The application fails to parse the value and responds with a verbose error message that includes a stack trace and the version of the vulnerable third-party framework.

🚀Step 3: Submit the version

  • Copy the version number from the error message and paste it into the Submit solution form to complete the lab.
  • The lab is now solved. (Screenshot: PortSwigger lab solved confirmation after submitting the version.)

🧠 Conclusion

  • This lab demonstrated how a verbose error message can disclose sensitive details about the underlying technology. By supplying a non-numeric value (s) in the productId parameter, we caused the integer parsing to fail, and the resulting unhandled exception revealed the version of a third-party framework.
  • Such information is extremely useful to attackers: knowing the exact framework version lets them look up known vulnerabilities and craft version-specific exploits instead of guessing.
  • The fix is on the server side: validate the type of each parameter before using it, return only generic error responses to users, and keep the stack trace and other diagnostic detail in server-side logs rather than in the HTTP response.
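The vulnerable behaviour and its fix side by side, as an added example (not code from the writeup or from the lab itself). handle_verbose reproduces the failure mode: an unhandled exception is formatted straight into the response together with a framework banner. handle_hardened validates the parameter type first, maps the expected failures to generic messages, and sends the detail to a server-side log. The framework banner ExampleFramework 1.2.3 and the two-item catalogue are constructed placeholders.

```python
import logging
import traceback
from typing import Dict, List, Tuple

# Constructed banner standing in for the third-party framework the real lab leaks.
FRAMEWORK_BANNER = "ExampleFramework 1.2.3"

# Constructed catalogue; a real shop would query a database here.
CATALOGUE = {1: "Widget", 2: "Gadget"}


class ListHandler(logging.Handler):
    """Collects server-side log lines so the example can show where detail ends up."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


log = logging.getLogger("shop")
log.setLevel(logging.INFO)
server_log = ListHandler()
log.addHandler(server_log)


def parse_product_id(raw: str) -> int:
    # Type check before use: the parameter is only ever a non-negative integer.
    if not raw.isdigit():
        raise ValueError(f"productId must be an integer, got {raw!r}")
    return int(raw)


def handle_verbose(params: Dict[str, str]) -> Tuple[int, str]:
    """Vulnerable: the client receives the traceback plus the framework banner."""
    try:
        product_id = int(params.get("productId", ""))  # ValueError on "s"
        return 200, CATALOGUE[product_id]
    except Exception:
        return 500, traceback.format_exc() + FRAMEWORK_BANNER


def handle_hardened(params: Dict[str, str]) -> Tuple[int, str]:
    """Fixed: validate the type, map expected failures to generic messages,
    and keep the detail in the server log."""
    raw = params.get("productId", "")
    try:
        product_id = parse_product_id(raw)
    except ValueError:
        log.warning("rejected productId %r", raw)
        return 400, "Invalid product id"
    try:
        return 200, CATALOGUE[product_id]
    except KeyError:
        return 404, "Product not found"
    except Exception:
        # Anything unexpected is logged with its stack trace, never echoed back.
        log.exception("unhandled error for productId=%r", raw)
        return 500, "An internal error occurred"


if __name__ == "__main__":
    for handler in (handle_verbose, handle_hardened):
        status, body = handler({"productId": "s"})
        print(f"{handler.__name__}: HTTP {status}\n{body}\n")
    print("server log:", server_log.records)
```

The same separation applies to whichever framework is in use: production configurations should have debug or development error pages disabled so that the framework's own default handler does not undo the generic message the application returns.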