Information disclosure in error messages
In this post we will walk step by step through how to solve Information disclosure in error messages on PortSwigger. This lab’s difficulty is Apprentice and it is the first lab on Information disclosure on Portswigger.
Link to lab:https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-error-messages
To start the lab click ‘Access the Lab’.
As we begin the lab we encounter a shop page showcasing different products. It’s worth noting that the products may differ from the screenshot as PortSwigger Labs can vary the content with each lab session. So, don’t worry if your products look different.
Viewing a product we can make some assumptions about how we can solve the lab. Knowing we are looking to trigger an error we can attempt to see if the application would fail if we inject a single quote into the productId parameter as if we were looking for SQL Injection.
Sure enough, the application does not properly handle the single quote and we are presented with an error page.
At the bottom we are able to get the version of the framework needed to solve the lab.
Submitting the version means we have successfully solved the lab!
That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!
Jarrod