July 14, 2026
PortSwigger Lab Solution: Information Disclosure in Error Messages Walkthrough (Apprentice)
Learn how to identify and exploit information disclosure through verbose error messages using Burp Suite in the PortSwigger Web Securityβ¦

By Rahul M S
3 min read
Learn how to identify and exploit information disclosure through verbose error messages using Burp Suite in the PortSwigger Web Security Academy.
Error messages are useful for developers during testing, but when exposed in production, they can reveal sensitive information about an application's internal implementation. Attackers often leverage these details during reconnaissance to identify technologies, framework versions, and potential attack vectors.
In this walkthrough, we'll solve the Information Disclosure in Error Messages lab from the PortSwigger Web Security Academy and understand why this vulnerability exists, how it can be exploited, and how developers can prevent it.
π Lab Information
Difficulty: Apprentice
Category: Information Disclosure
Objective: Trigger an error message that reveals a framework version number and submit it to solve the lab.
π― What You'll Learn
By completing this lab, you'll learn how to:
β Identify parameters suitable for information disclosure testing.
β Trigger verbose server-side error messages.
β Extract sensitive information from application responses.
β Understand the security risks of verbose error handling.
β Apply secure error-handling best practices.
π Understanding the Vulnerability
Information disclosure occurs when an application unintentionally exposes internal information that should never be accessible to users.
Verbose error messages can reveal:
β’ Technology stack (Apache Struts, Spring Boot, ASP.NET, etc.)
β’ Framework versions
β’ Database queries and SQL errors
β’ File paths and directory structures
β’ Stack traces
β’ Internal server information
Although this information may not immediately compromise the application, it provides valuable intelligence that attackers can use during reconnaissance.
π― Identifying the Attack Surface
While browsing the application, clicking on any product generates the following request:
GET /product?productId=1GET /product?productId=1The productId parameter is an ideal candidate for testing because:
β It accepts user-controlled input.
β It references a database record.
β Numeric parameters commonly interact with SQL queries.
β Invalid input may trigger backend exceptions.
A simple way to test this parameter is by replacing the expected numeric value with unexpected characters and observing how the application responds.
βοΈ How the Vulnerability Occurs
When the application receives malformed input, it attempts to process it without proper validation.
User Input (productId=')
β
βΌ
Application Processes Input
β
βΌ
Input Breaks SQL Query
β
βΌ
Database Throws Exception
β
βΌ
Application Returns Detailed Error
β
βΌ
Sensitive Information is DisclosedUser Input (productId=')
β
βΌ
Application Processes Input
β
βΌ
Input Breaks SQL Query
β
βΌ
Database Throws Exception
β
βΌ
Application Returns Detailed Error
β
βΌ
Sensitive Information is DisclosedThis happens because:
β’ User input is not properly validated.
β’ Backend exceptions are exposed directly to users.
β’ Detailed error messages are enabled instead of generic error pages.
π Exploitation Steps
Step 1: Browse the Application
Open the lab and browse the target application.
Click on any product and observe the following request:
GET /product?productId=1GET /product?productId=1Step 2: Send the Request to Burp Repeater
Locate the request in Proxy β HTTP History.
Right-click the request.
Select Send to Repeater.
Step 3: Modify the Parameter
Replace:
productId=1productId=1with:
productId='productId='The modified request becomes:
GET /product?productId=' HTTP/1.1
Host: <lab-id>.web-security-academy.netGET /product?productId=' HTTP/1.1
Host: <lab-id>.web-security-academy.netClick Send.
Step 4: Analyze the Response
The application returns a 500 Internal Server Error containing a verbose exception similar to:
HTTP/1.1 500 Internal Server Error
java.sql.SQLException
...
Apache Struts 2 2.3.31HTTP/1.1 500 Internal Server Error
java.sql.SQLException
...
Apache Struts 2 2.3.31The response exposes the framework version running on the server.
β Lab Answer
Apache Struts 2 2.3.31Apache Struts 2 2.3.31β οΈ Security Impact
An attacker can use the disclosed information to:
β’ Fingerprint the application's technology stack.
β’ Identify publicly known vulnerabilities (CVEs).
β’ Understand the backend implementation.
β’ Build more targeted attacks.
Even though this lab only reveals a framework version, similar vulnerabilities often expose database queries, configuration files, file paths, and other sensitive information.
π‘οΈ Remediation
Developers should implement the following security best practices:
β Display generic error pages to users.
β Log detailed exceptions only on the server.
β Disable debug mode in production.
β Validate and sanitize all user input.
β Implement centralized exception handling.
π Key Takeaways
Verbose error messages should never be exposed in production environments.
β A single malformed input can reveal valuable backend information.
β Framework version disclosure helps attackers identify known vulnerabilities.
β Proper exception handling is a critical part of secure application development.
π References
PortSwigger Web Security Academy
https://portswigger.net/web-security/information-disclosure
OWASP Top 10
https://owasp.org/www-project-top-ten/
π€ Connect with Me
If you enjoy practical cybersecurity content and hands-on PortSwigger Web Security Academy walkthroughs, feel free to connect with me.
π Portfolio https://rahulms.qzz.io/
π» GitHub https://github.com/1amrahul
πΌ LinkedIn https://linkedin.com/in/rahul-m-s-372b631a2
If this walkthrough helped you, consider following this publication for more PortSwigger Web Security Academy lab solutions, Burp Suite tutorials, and practical web application security content.