Description: This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.

Upon accessing the lab, we are presented with a shopping website.

On opening a product, for example the first one, 'Pet Experience Days', the link is:

https://0ab800f604eb1ce282cb425d00da00f3.web-security-academy.net/product?productId=1

On changing the parameter from productId=1 to productId=2, we obtain the next product, which is the umbrella.

To see whether any error message is present, we could try productId=0 or productId=1000, neither of which is likely to refer to an existing product and so could be out of bounds.

For both productId=0 and productId=1000:

The response is simply "Not Found", so a missing product is handled gracefully and leaks nothing.

The productId is most likely used to retrieve a product record from the back-end database, with the numeric ID identifying each product.

Thus, productId=2' might cause some sort of error, and indeed it does: instead of "Not Found", the response is a verbose Java stack trace.

Verbose error messages can also provide information about different technologies being used by the website. For example, they might explicitly name a template engine, database type, or server that the website is using, along with its version number (Portswigger).

Here, the stack trace names the various Java packages and classes running in the background and, most importantly, reveals that Apache Struts 2 2.3.31 is in use (which is the solution of the lab). Knowing the exact framework version lets an attacker search for public CVEs against that specific release instead of guessing; this version, for instance, falls inside the range affected by CVE-2017-5638, the remote code execution flaw in the Struts 2 multipart parser.

Additionally, the exception name tells us where the failure happens: java.lang.NumberFormatException is thrown by Java's own integer parsing (for example a call to Integer.parseInt on the productId parameter), so the application converts productId to a number before it ever builds a database query. The back-end query that follows a successful parse may resemble something like:

select * from products where id = productId;

Thus, a normal request with productId=2 would parse cleanly and run:

select * from products where id = 2;

If we were to make productId=2' instead of just productId=2, the input "2'" is not a valid integer, so the parse step fails before any query is issued. The value never reaches the database, which means this is not a SQL injection but a type-conversion failure, and it produces the error: java.lang.NumberFormatException: For input string: "2'"

IMPORTANT: Since this is a NumberFormatException thrown by Java's integer parsing rather than by the database, putting productId=abc would also cause the error, and so would 5.5. Any value that is not a signed decimal integer fitting in a 32-bit Java int will produce the same stack trace, including an integer that is simply too large (such as 2147483648) or a value with surrounding whitespace. Thus, trying out all kinds of values other than integers, such as strings, doubles or single characters, should result in an error like the one shown above.

Thus, other successful inputs for the parameter productId to obtain error messages would be:

  • abc
  • a
  • 0.6
  • 5.5
  • 43vg5.5jhg
  • 2147483648 (an integer too large for a 32-bit Java int)
  • many more…
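As an added example (not part of the original writeup or the lab's own code), the script below does two things the sections above describe by hand: it predicts which productId values will trip Java's Integer.parseInt, using an emulation of that method's rules, and it pulls the framework version out of a verbose error body. The sample error body is constructed here to have the shape of the lab's stack trace; it is not a capture from the lab, and the base URL and class names in it are assumptions. The probe() helper needs network access and is the only part that touches the lab.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

# Emulation of java.lang.Integer.parseInt, which the 'For input string: "..."'
# message tells us is what parses productId: an optional sign and decimal digits
# only, and the value must fit in a signed 32-bit int. Anything else throws
# NumberFormatException. (Assumption: the lab parses the parameter this way.)
_JAVA_INT = re.compile(r"^[+-]?[0-9]+$")
INT_MIN, INT_MAX = -(2 ** 31), 2 ** 31 - 1


def java_parse_int(s: str) -> int:
    """Return the int Java would, or raise ValueError where Java throws NumberFormatException."""
    if not _JAVA_INT.match(s):
        raise ValueError(f'For input string: "{s}"')
    value = int(s)
    if not INT_MIN <= value <= INT_MAX:
        raise ValueError(f'For input string: "{s}"')
    return value


def would_trigger_error(payload: str) -> bool:
    """True if sending this productId should produce the NumberFormatException trace."""
    try:
        java_parse_int(payload)
    except ValueError:
        return True
    return False


# Candidate productId values: "2'" is the one used in the writeup; the others show
# that any non-integer, an out-of-range integer, and even a leading space fail the
# same way, while a signed integer such as "+7" parses fine.
PAYLOADS = ["2", "+7", "2'", "abc", "a", "0.6", "5.5", "43vg5.5jhg", "2147483648", " 2", ""]

# Constructed sample of a verbose error page. It is NOT a capture from the lab;
# the class names are made up, only the shape matters for the parsing below.
SAMPLE_ERROR_BODY = """Internal Server Error: java.lang.NumberFormatException: For input string: "2'"
\tat java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
\tat java.lang.Integer.parseInt(Integer.java:580)
\tat com.example.shop.ProductAction.execute(ProductAction.java:42)
\tat com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:450)
Apache Struts 2 2.3.31
"""

# Matches both "Apache Struts 2 2.3.31" and "Apache Struts 2.3.31"; captures the version.
_STRUTS_VERSION = re.compile(r"Apache Struts(?: \d)? (\d+(?:\.\d+)+)")
# A Java stack frame line: "at pkg.Class.method(File.java:NN)".
_JAVA_TRACE = re.compile(r"^\s*at [\w$.]+\([\w$.]+\.java:\d+\)", re.MULTILINE)


def extract_framework_version(body: str) -> Optional[str]:
    """Pull the Struts version string out of a verbose error body, or None if absent."""
    m = _STRUTS_VERSION.search(body)
    return m.group(1) if m else None


def classify_response(status: int, body: str) -> str:
    """Label a response as 'not_found', 'stack_trace' (verbose error leak) or 'ok'."""
    if status == 404 or body.strip() == "Not Found":
        return "not_found"
    if "Exception" in body and _JAVA_TRACE.search(body):
        return "stack_trace"
    return "ok"


def probe(base_url: str, payload: str) -> Tuple[str, Optional[str]]:
    """Send one productId value to the lab and report what came back (requires network)."""
    url = base_url + "/product?" + urllib.parse.urlencode({"productId": payload})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry the body we want
        status, body = e.code, e.read().decode("utf-8", "replace")
    return classify_response(status, body), extract_framework_version(body)


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:16} -> {'error' if would_trigger_error(p) else 'parses'}")
    print(classify_response(500, SAMPLE_ERROR_BODY), extract_framework_version(SAMPLE_ERROR_BODY))
```

Against the live lab you would call probe("https://<your-lab-id>.web-security-academy.net", "2'") and expect ("stack_trace", "2.3.31"); note that Python's own int() is more permissive than Integer.parseInt (it accepts " 2" and underscores), which is why the emulation uses an explicit regex and range check instead.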