We would like to tell you how to reproduce the QID 150022 Verbose Error Message from a web application scan, using the information provided in the report details. We'll focus on two injection points: the Query-String and Form Inputs.
When looking at the vulnerability report, you'll find the reported URL and either the presence or absence of a "Form Entry Point". The Form Entry Point, when present, tells us that this was a form our service was testing, and the Form can be found at the URL provided within the Form Entry Point.
The absence of a Form Entry Point tells us that the payload can be replayed through the URL and most likely the URL provided already contains one of the payloads used to trigger the reporting.
Form Entry Point: http://www.example.com/
By the presence of the Form Entry Point, we know that this was a Form our service was testing. The form can be found at the Form Entry Point. The injected point is the "username" field, and we can see in the Payload that the payload used for the "username" field was "%22%3E%3Cqss%3E".
If you navigate to the page Form Entry Point you should find at least one form on the page. Most of the time it's a straight forward process to determine which form field you should be injecting the payload into, but if you're unsure you can review the source and identify which <input> has the same name that was reported in "Params" from your report.
At this point you can attempt to inject the provided payload into the form field and submit. If the form you're testing contains multiple form fields, we recommend that you attempt to fill out all other form fields correctly.