PortSwigger Academy - Information Disclosure in Error Messages

L0WK3Y
· 5 min read

Lab Overview


This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.

Instructions

To solve the lab:

  1. Obtain and submit the version number of this framework.


Initial Exploration

We began by scanning for directories using tools like Dirbuster and Gobuster, but no significant findings emerged. Next, we shifted our focus to the application’s functionality, specifically the product pages.


Upon clicking the "View details" button for a product, we observed a query parameter added to the URL, as shown below:

https://0aba008d0441c60a8ae1056600f00075.web-security-academy.net/product?productId=1

The query parameter productId=1 appears to specify which product is being displayed. This hinted at an opportunity to manipulate the productId parameter to observe how the application responds to unexpected input.


Testing Query Parameter Manipulation

To probe the application’s behavior, we began by altering the productId parameter.

  1. Changing the productId to an invalid value:
    • Input: productId=A
    • Result: A "Not Found" error was displayed.
  2. Using a large integer:
    • Input: productId=99999
    • Result: Still a "Not Found" error.
  3. Pushing the limits:
    • Input: Increasing the number of digits in the productId parameter.
    • At productId=9999999999, the application returned a verbose error message:
Internal Server Error: java.lang.NumberFormatException: For input string: "9999999999"
	at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
	at java.base/java.lang.Integer.parseInt(Integer.java:665)
	at java.base/java.lang.Integer.parseInt(Integer.java:777)
	at lab.e.b.g.e.E(Unknown Source)
	at lab.q.je.k.z.O(Unknown Source)
	at lab.q.je.d.h.c.Y(Unknown Source)
	at lab.q.je.d.p.lambda$handleSubRequest$0(Unknown Source)
	at d.o.k.o.lambda$null$3(Unknown Source)
	at d.o.k.o.b(Unknown Source)
	at d.o.k.o.lambda$uncheckedFunction$4(Unknown Source)
	at java.base/java.util.Optional.map(Optional.java:260)
	at lab.q.je.d.p.n(Unknown Source)
	at lab.server.k.p.y.L(Unknown Source)
	at lab.q.je.a.J(Unknown Source)
	at lab.q.je.a.L(Unknown Source)
	at lab.server.k.p.b.x.j(Unknown Source)
	at lab.server.k.p.b.q.lambda$handle$0(Unknown Source)
	at lab.e.a.n.q.S(Unknown Source)
	at lab.server.k.p.b.q.V(Unknown Source)
	at lab.server.k.p.a.E(Unknown Source)
	at d.o.k.o.lambda$null$3(Unknown Source)
	at d.o.k.o.b(Unknown Source)
	at d.o.k.o.lambda$uncheckedFunction$4(Unknown Source)
	at lab.server.gv.D(Unknown Source)
	at lab.server.k.p.a.N(Unknown Source)
	at lab.server.k.s.f.L(Unknown Source)
	at lab.server.k.r.C(Unknown Source)
	at lab.server.k.x.C(Unknown Source)
	at lab.server.gy.b(Unknown Source)
	at lab.server.gy.t(Unknown Source)
	at lab.x.l.lambda$consume$0(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)

Apache Struts 2 2.3.31

Breaking Down the Vulnerability

The error message provided several important insights into the vulnerability:

  1. Input Validation Failure:
    The application attempts to process the productId parameter using Java’s Integer.parseInt() method. However, Java’s int type has a maximum value of 2,147,483,647 (2^31 - 1), so any number larger than this cannot be parsed as a 32-bit integer and parseInt throws a NumberFormatException.
  2. Verbose Error Messages:
    Instead of gracefully handling the error or returning a user-friendly message, the application discloses:
    • Internal implementation details (e.g., specific methods and stack traces).
    • The framework being used (Apache Struts 2 2.3.31).
  3. Framework Version Disclosure:
    The framework version is revealed at the end of the error message, which is critical information for attackers. This specific version of Apache Struts is known to have vulnerabilities, such as remote code execution (RCE).

Understanding the Error

The issue arises because the application tries to parse the productId as an integer using Integer.parseInt(). Here’s a simplified explanation:

  1. Valid Input:
    When productId is within the acceptable range (e.g., productId=1), the application processes the request without issues.
  2. Out-of-Range Input:
    For a value like 9999999999, the number exceeds the maximum value for a 32-bit integer. This triggers a NumberFormatException, leading to the verbose error message.
  3. Disclosure in Error Handling:
    Instead of sanitizing or suppressing the error, the application exposes internal details, including the framework version, which attackers can exploit.
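The two failure modes described in "Breaking Down the Vulnerability" and "Understanding the Error" (an unguarded Integer.parseInt() on an out-of-range value, and an error handler that echoes the resulting exception to the client) are shown side by side below. This is an added example written for this write-up, not the lab's own code: the Response record and the lookupProduct store are hypothetical stand-ins for the real framework types, and it assumes Java 16 or later for the record syntax.

```java
import java.util.Optional;
import java.util.logging.Logger;

// Added example (not the lab's code): parsing productId without letting an
// out-of-range value turn into a stack trace for the client.
public class ProductIdHandling {
    private static final Logger LOG = Logger.getLogger(ProductIdHandling.class.getName());

    // Hypothetical stand-in for an HTTP response: status code plus body.
    public record Response(int status, String body) {}

    // Vulnerable pattern: parseInt is called directly, so the NumberFormatException
    // propagates to a default error page that prints the stack trace (and, in the
    // lab, the framework version) straight back to the client.
    public static Response vulnerableHandler(String productId) {
        int id = Integer.parseInt(productId); // throws on "A" and on "9999999999"
        return lookupProduct(id);
    }

    // Hardened pattern: validate shape and range first, then map every failure to
    // the same generic 404 so the client learns nothing about the implementation.
    public static Response hardenedHandler(String productId) {
        Optional<Integer> id = parseProductId(productId);
        if (id.isEmpty()) {
            // Detail goes to the server-side log, never into the response body.
            int len = (productId == null) ? 0 : productId.length();
            LOG.warning("rejected productId value of length " + len);
            return new Response(404, "Not Found");
        }
        return lookupProduct(id.get());
    }

    // Accept only 1..10 ASCII digits, then range-check via parseLong so that values
    // above Integer.MAX_VALUE are rejected exactly like non-numeric input.
    public static Optional<Integer> parseProductId(String raw) {
        if (raw == null || !raw.matches("[0-9]{1,10}")) {
            return Optional.empty();
        }
        long value = Long.parseLong(raw); // cannot throw: ten digits always fit in a long
        if (value < 1 || value > Integer.MAX_VALUE) {
            return Optional.empty();
        }
        return Optional.of((int) value);
    }

    // Constructed stand-in for the product store: only ids 1..20 exist.
    private static Response lookupProduct(int id) {
        if (id >= 1 && id <= 20) {
            return new Response(200, "Product " + id);
        }
        return new Response(404, "Not Found");
    }

    public static void main(String[] args) {
        // The same inputs the write-up tried against the lab.
        String[] inputs = {"1", "A", "99999", "9999999999"};
        for (String in : inputs) {
            System.out.println("hardened   productId=" + in + " -> " + hardenedHandler(in));
        }
        try {
            vulnerableHandler("9999999999");
        } catch (NumberFormatException e) {
            // This is the exception whose stack trace the lab's error page echoed back.
            System.out.println("vulnerable productId=9999999999 -> " + e);
        }
    }
}
```

Running it, the hardened handler answers 200 for productId=1 and a plain 404 for A, 99999 and 9999999999, while the vulnerable handler surfaces `java.lang.NumberFormatException: For input string: "9999999999"` for the last input. The design point is that the out-of-range case is treated as ordinary invalid input rather than an exceptional server condition, and that whatever the framework's default error page would print is never reachable because the handler has no uncaught path.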

The Impact

This vulnerability has several implications:

  1. Information Disclosure:
    Revealing the framework version (Apache Struts 2 2.3.31) allows attackers to:
    • Identify known vulnerabilities in this version.
    • Craft specific exploits (e.g., RCE) to compromise the server.
  2. Reconnaissance for Attackers:
    Stack traces provide insights into the application’s architecture, such as:
    • Programming language (Java).
    • Libraries and methods used (Integer.parseInt()).
    • Application logic and error handling mechanisms.
  3. Potential Exploitation:
    If the disclosed framework version is vulnerable, attackers can launch targeted attacks to:
    • Execute arbitrary code on the server.
    • Steal sensitive data or disrupt the application.