webgoat / webgoat
WebGoat is a deliberately insecure application
Home Page: https://owasp.org/www-project-webgoat/
License: Other
We need to extract the css in a separate file just like the other lessons.
Lesson works.
You kind of get a blank screen with just the menus on the side. Seems like you should default to go to the Http Basics lesson, which is what previous WebGoat used to do.
The stack trace is ...
2015-08-23 00:33:28,276 DEBUG - HH Entering Session_id: 10593521B908AFB0D490A02640CA96DB
2015-08-23 00:33:28,276 ERROR - Error handling request
java.lang.NumberFormatException: For input string: "null"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at org.owasp.webgoat.session.ParameterParser.getIntParameter(ParameterParser.java:377)
at org.owasp.webgoat.session.WebSession.update(WebSession.java:845)
at org.owasp.webgoat.HammerHead.updateSession(HammerHead.java:403)
at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:132)
at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
...
When I change the URL from:
http://localhost:8080/WebGoat/start.mvc#attack/152/200
to
http://localhost:8080/WebGoat/start.mvc#attack/152/200/0
... it appears to work (since support was added for the stage param), but has 'Stage 2' above in the view.
@nbaars or @WebGoat you may be able to decipher a little better than me what's going on.
I've written 2 new custom lessons (really just test cases, not lessons), and put them in a brand new category.
And sometimes when I start WebGoat, 1 shows up, and other times both show up. And then I added a 3rd lesson, and I have the config file set up like this:
category.MYNEW.ranking=7
lesson.MYNEW_Lesson1.ranking=10
lesson.MYNEW_Lesson2.ranking=15
lesson.MYNEW_File_Lesson.ranking=20
and this time 2 out of the 3 showed up. (The 1st and 3rd one).
And when I restarted and tried again, I only got 1. (The 2nd one) :-)
As a developer, I would like a button to force the reloading of all plugins.
Sometimes WebGoat launches fine (this is on a Mac). But sometimes it only shows the Admin menus and in the webgoat log it has a stack trace with this info in it.
I've seen a similar error on Windows but the failure is far more consistent there (I reported this issue earlier). Maybe there is a threading problem or something? This is intermittent on Mac, where most often WebGoat starts fine, but sometimes this occurs and it doesn't start properly.
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.nio.file.NoSuchFileException: /Users/dwichers/git/Webgoat-Workspace/WebGoat/webgoat-container/target/webgoat-container-7.0-SNAPSHOT/plugin_extracted/plugin/i18n/WebGoatLabels_fr.properties
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55)
at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
at java.nio.file.Files.readAttributes(Files.java:1684)
at java.nio.file.Files.size(Files.java:2273)
at java.nio.file.Files.readAllBytes(Files.java:2957)
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:90)
... 79 more
Towards the end of the launch it eventually displays the following message. But it's still 'starting'. Can you add a line that indicates: WebGoat 'started' when it's actually up and running?
____________________ Starting WebGoat using the embedded Tomcat ___________________
AbstractLesson needs some error handling...
This method in this class is making a bunch of assumptions, like the properties file exists, and certain properties are in it.
Can you add some error handling so if the property doesn't exist, it doesn't simply throw a null pointer without explaining the problem? Like can't find property X in file Y (or something)? (See where I marked it throwing a null pointer exception because I didn't have my configuration right).
Also - can you explain somewhere what properties I have to create, what names, where to put them, and what goes in them so someone can make a new lesson work?
```java
public void update(WebgoatProperties properties) {
    String className = getClass().getName();
    className = className.substring(className.lastIndexOf(".") + 1);
    setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking()
            .intValue())));
    String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking";
    // System.out.println("Category ranking key: " + categoryRankingKey);
    Category tempCategory = Category.getCategory(getDefaultCategory().getName());
    tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory()
            .getRanking().intValue()))); // <--- null pointer here when this 'int' property doesn't exist.
    category = tempCategory;
    setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden()));
    // System.out.println(className + " in " + tempCategory.getName() + "
    // (Category Ranking: " + tempCategory.getRanking() + " Lesson ranking:
    // " + getRanking() + ", hidden:" + hidden +")");
}
```
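As an added example (not WebGoat's code, and not the fix the maintainers applied), here is what the requested error handling can look like: a small lookup helper that reports the missing key and the file it was expected in, instead of letting a null default fall through to `.intValue()`. The class, method and file names (`LessonConfigExample`, `requireIntProperty`, `WebGoat.properties`) are assumptions for illustration; it uses `java.util.Properties` directly rather than WebGoat's `WebgoatProperties`.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

/**
 * Added example (not WebGoat's code): property lookups that fail with a
 * descriptive message instead of a NullPointerException when a key is
 * missing or malformed. Names and file name are assumptions for illustration.
 */
public class LessonConfigExample {

    /** Thrown when a required configuration key is absent or unparseable. */
    public static class MissingPropertyException extends RuntimeException {
        public MissingPropertyException(String key, String file, String reason) {
            super("Cannot load property '" + key + "' from " + file + ": " + reason);
        }
    }

    private final Properties props;
    private final String fileName; // reported in error messages only

    public LessonConfigExample(Properties props, String fileName) {
        this.props = props;
        this.fileName = fileName;
    }

    /** Integer property with a default: missing key -> default, bad value -> descriptive error. */
    public int getIntProperty(String key, int defaultValue) {
        String raw = props.getProperty(key);
        if (raw == null) {
            return defaultValue;
        }
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new MissingPropertyException(key, fileName, "value '" + raw + "' is not an integer");
        }
    }

    /** Integer property that must exist: missing key -> error naming key and file. */
    public int requireIntProperty(String key) {
        if (props.getProperty(key) == null) {
            throw new MissingPropertyException(key, fileName, "key not found");
        }
        return getIntProperty(key, 0);
    }

    /** Ranking for a lesson class, using the "lesson.<ClassName>.ranking" convention from the issue. */
    public int lessonRanking(Class<?> lessonClass, int defaultRanking) {
        return getIntProperty("lesson." + lessonClass.getSimpleName() + ".ranking", defaultRanking);
    }

    /** Category ranking; a null default (the situation behind the reported NPE) is rejected with a clear message. */
    public int categoryRanking(String categoryName, Integer defaultRanking) {
        String key = "category." + categoryName + ".ranking";
        if (defaultRanking == null) {
            // The original code would call .intValue() on the null default here.
            return requireIntProperty(key);
        }
        return getIntProperty(key, defaultRanking);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample configuration, mirroring the ranking keys used in the issue above.
        String sample = "category.MYNEW.ranking=7\n"
                + "lesson.MYNEW_Lesson1.ranking=10\n"
                + "lesson.MYNEW_Lesson2.ranking=abc\n";
        Properties p = new Properties();
        p.load(new StringReader(sample));
        LessonConfigExample cfg = new LessonConfigExample(p, "WebGoat.properties");

        System.out.println("MYNEW ranking = " + cfg.categoryRanking("MYNEW", null));
        System.out.println("Lesson1 ranking = " + cfg.getIntProperty("lesson.MYNEW_Lesson1.ranking", 99));
        for (String key : new String[] {"category.OTHER.ranking", "lesson.MYNEW_Lesson2.ranking"}) {
            try {
                System.out.println(key + " = " + cfg.requireIntProperty(key));
            } catch (MissingPropertyException e) {
                System.out.println(e.getMessage()); // names the key and the file
            }
        }
    }
}
```

With the sample above, the missing `category.OTHER.ranking` and the non-numeric `lesson.MYNEW_Lesson2.ranking` each produce a message that says which key in which file is the problem, which is the behaviour the issue asks for.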
Stages will never get past stage 1 currently. Client-side routing does not support that parameter. Support/route needs to be added.
Navigate to this lesson and the following stacktrace will appear. Also note that when this error occurs you automatically solved the lesson.
[INFO] PARM MAP: {Screen=[Ljava.lang.String;@2a652319, menu=[Ljava.lang.String;@41f7af11, stage=[Ljava.lang.String;@f2f8ebf}
[INFO] Role: user
[INFO] Checking if challenge authorized for: ShowHints
[INFO] authorized: false
java.io.FileNotFoundException: \src\main\webapp\WEB-INF\classes\New Lesson Instructions.txt (The system cannot find the path specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(FileInputStream.java:195)
at java.io.FileInputStream.<init>(FileInputStream.java:138)
at java.io.FileInputStream.<init>(FileInputStream.java:93)
at java.io.FileReader.<init>(FileReader.java:58)
at org.owasp.webgoat.lessons.LessonAdapter.createContent(LessonAdapter.java:82)
at org.owasp.webgoat.lessons.AbstractLesson.handleRequest(AbstractLesson.java:737)
at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:304)
at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:152)
at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Sep 04, 2015 8:30:05 AM org.apache.catalina.core.ApplicationContext log
INFO: WebGoat: Fri Sep 04 08:30:05 CEST 2015 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.plugin.CsrfTokenByPass | [Screen=127,menu=900,stage=null]
This is more of a placeholder for something I think I noted last night and I need to play with some more. Some lessons, even though they are in separate *.jar's, have (I believe) legacy inter-dependencies. Don't know if we can/want to introspect a lesson *.jar when unpacking and determine that, but we may want to as I was getting the 'invalid session' last night which came back to a NoClassDefFound error (related to CSRF lessons). I didn't grab the details at the moment, but some info may still be in my terminal scrollback. Will update once I can verify more about this.
The error message is supposed to say something like:
'Whoops you entered an invalid 3 digit code CODE.' Or something like that.
Instead it displays: * ReflectedXSSWhoops1111testReflectedXSSWhoops2
where 111test is what I entered in the last field of the lesson.
It can take a moment to run/load (at least locally). On initial menu load, implement spinner while menu loads.
Would be better to operate ID-less and that may happen in a refactor of the MenuView later, but for now, need to improve uniqueness of menu item id's (e.g. we have two 'Stage 1: Stored XSS' lessons and the ID is made deterministically from the name (only) currently).
When loading any of the labs with Stages 1 through N I get stack traces like this:
Error Message: javax.servlet.ServletException: File "/plugin_extracted/plugin/CrossSiteScripting/jsp/CrossSiteScripting.jsp" not found
org.apache.jasper.JasperException: javax.servlet.ServletException: File "/plugin_extracted/plugin/CrossSiteScripting/jsp/CrossSiteScripting.jsp" not found
at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:585)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:455)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
Need to investigate a bit more but it seems like the properties in the folder webgoat-container\src\main\webapp\plugin_extracted\i18n
are added over and over whenever plugins are loaded
It displays this: WeakAuthenticationCookiePleaseSignIn - which isn't right. Probably should just say: Please Sign In.
And when you try to sign in, it doesn't say anything like invalid login, or whatever, when the credentials don't work.
These download, build, and deploy instructions worked like a champ. I love it when things like this 'just work'.
However, when I actually start running WebGoat, using: Option #1: Using the Maven-Tomcat Plugin
The maven tomcat7:run-war goal runs the project in an embedded tomcat:
cd WebGoat
mvn -pl webgoat-container tomcat7:run-war
I get the following error. I don't understand how this could be a permissions error because I installed and built and ran all this with the same user ID. Am I doing something wrong? Or is there a bug in WebGoat?
Thanks, Dave
[INFO] Initializing main webgoat servlet
[ERROR] Loading plugins failed
org.owasp.webgoat.plugins.PluginLoadingFailure: Property file detected, but unable to copy the properties
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:96)
at org.owasp.webgoat.plugins.Plugin.loadFiles(Plugin.java:80)
at org.owasp.webgoat.plugins.PluginsLoader.processPlugins(PluginsLoader.java:86)
at org.owasp.webgoat.plugins.PluginsLoader.loadPlugins(PluginsLoader.java:49)
at org.owasp.webgoat.plugins.PluginsLoader.run(PluginsLoader.java:113)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.nio.file.NoSuchFileException: C:\dwichers\WebGoat\webgoat-container\target\webgoat-container-7.0-SNAPSHOT\plugin_extracted\plugin\i18n\WebGoatLabels_ru.properties
at sun.nio.fs.WindowsException.translateToIOException(WindowsException.java:79)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:97)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:102)
at sun.nio.fs.WindowsFileSystemProvider.newByteChannel(WindowsFileSystemProvider.java:230)
at java.nio.file.Files.newByteChannel(Files.java:317)
at java.nio.file.Files.newByteChannel(Files.java:363)
at java.nio.file.Files.readAllBytes(Files.java:2981)
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:90)
... 11 more
Sep 14, 2015 2:58:49 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Sep 14, 2015 3:00:45 PM org.apache.jasper.compiler.TldLocationsCache tldScanJar
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Which I think is then causing this error:
[ERROR] Loading plugins failed
org.owasp.webgoat.plugins.PluginLoadingFailure: Property file detected, but unable to copy the properties
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:96)
at org.owasp.webgoat.plugins.Plugin.loadFiles(Plugin.java:80)
at org.owasp.webgoat.plugins.PluginsLoader.processPlugins(PluginsLoader.java:86)
at org.owasp.webgoat.plugins.PluginsLoader.loadPlugins(PluginsLoader.java:49)
at org.owasp.webgoat.plugins.PluginsLoader.run(PluginsLoader.java:113)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.nio.file.NoSuchFileException: C:\dwichers\WebGoat\webgoat-container\target\webgoat-container-7.0-SNAPSHOT\plugin_extracted\plugin\i18n\WebGoatLabels_fr.properties
at sun.nio.fs.WindowsException.translateToIOException(WindowsException.java:79)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:97)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:102)
at sun.nio.fs.WindowsFileSystemProvider.newByteChannel(WindowsFileSystemProvider.java:230)
at java.nio.file.Files.newByteChannel(Files.java:317)
at java.nio.file.Files.newByteChannel(Files.java:363)
at java.nio.file.Files.readAllBytes(Files.java:2981)
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:90)
... 11 more
by the way.
When trying Option #2 I get a different error:
SEVERE: Exception fixing docBase for context [/WebGoat] java.io.FileNotFoundException: C:\dwichers\WebGoat\webgoat-container\target.extract\webapps\WebGoat.war (The system cannot find the file specified)
And indeed, that file is not in that directory.
p.s. The quick start using the .sh script for Mac worked like a champ.
Once the lesson plan, solution, and java source buttons are pressed, it can't be turned off. The content always shows.
Also, there are some "[]" characters in the "Java [Source]" and "Lesson Plan]" buttons
As part of the property loading in the label manager, it would be nice to set a flag that allowed a user to see which rendered text on a screen was served via i18n properties. This can be a hidden parameter much like debug=true is.
Due to:
[INFO] PARM MAP: {stage=[Ljava.lang.String;@7683034d, Screen=[Ljava.lang.String;@5e50edd8, menu=[Ljava.lang.String;@14883b86}
java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key EnterYourName
[INFO] Role: user at java.util.ResourceBundle.getObject(ResourceBundle.java:450)
Did a check for the key and it is indeed missing from the WebGoat.properties. This key was available in my local workspace but after a rm plugins_extracted
it also started failing.
Clicking on the JavaSource Button Generates a
SyntaxError: missing ; before statement " + lineSep + "function validate() {" + lineSep
in the javascript console.
in: webgoat_developer_bootstrap.sh
You might want to fix the 3 spelling / grammar errors in this:
Starting WebGoat using the embbebed Tomcat ___________________
Embedded, browser, and 'and navigate to...'
If the request is aborted, or there is an error in the response, that is not handled currently. This should be handled/presented to the user accordingly.
When routed to a lesson e.g. #/attack/2/3
The title is not easily pulled from scope. The LessonInfo Service (Issue #23 ) will provide that. A call should be added to consume/use that.
There is no clean indication of lesson completion, but content reloads. That event can be used to reload/update the menu for completed lessons. The menu load can be hooked there. It will need to support keeping the current category/lesson/stage open. Despite the menuView needing a good refactoring (longer term). There is some initial work started on this.
No other hints on this so far, just noticed it happening when trying to reproduce the DOM Injection issue.
Expose a service/endpoint to provide basic Lesson information. Longer-term this will enable lazy loading of helps. Shorter-term, we need this to aid in getting the lesson title via the client-side routing (and generally).
```
{
    lessonTitle: _TITLE_,
    numberHints: _#_,
    hasSource: T||F,
    hasSolution: T||F,
    hasPlan: T||F
}
```
It's not hard, but figuring this out yourself with no instructions is a pain.
Showing them how to update the Category class and then update the configuration file(s) to add the new lesson(s) so they show up in the left hand menu would be very helpful.
If there is an error like the following, it keeps chugging along and tries to run WebGoat anyway. Can you add some kind of error handling to detect Maven errors at each stage and stop if there was an error?
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project FOO: Compilation failure
Whatever the error was
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :FOO
____________________ Starting WebGoat using the embedded Tomcat ___________________
When I import the webgoat-container project into Eclipse, I get this error:
No marketplace entries found to handle Execution create-jar, in /webgoat-container/pom.xml in Eclipse. Please see Help for more information.
Rebuilt from GIT on CentOS 7; most recent commit at time of clone was b2316c6
Error Message: null
java.lang.NullPointerException
at org.owasp.webgoat.util.LabelManagerImpl.get(LabelManagerImpl.java:66)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:132)
at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:120)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at com.sun.proxy.$Proxy9.get(Unknown Source)
at org.owasp.webgoat.lessons.LessonAdapter.makeSuccess(LessonAdapter.java:225)
at org.owasp.webgoat.plugin.HowToWork.createContent(HowToWork.java:53)
at org.owasp.webgoat.lessons.AbstractLesson.handleRequest(AbstractLesson.java:737)
at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:304)
at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:152)
at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Hello~
I want to build WebGoat with the NetBeans IDE on Mac OS X. How can I do it?
➜ ~ brew install maven
==> Downloading http://www.apache.org/dyn/closer.cgi?path=maven/maven-3/3.2.3/bi
==> Best Mirror http://mirror.bit.edu.cn/apache/maven/maven-3/3.2.3/binaries/apa
curl: (22) The requested URL returned error: 404 Not Found
Error: Failed to download resource "maven"
Download failed: http://mirror.bit.edu.cn/apache/maven/maven-3/3.2.3/binaries/apache-maven-3.2.3-bin.tar.gz
Tested FF and Chrome, but only noticed this in FF.
Anyone else noticing this?
Challenge needs hints turned off. This special case needs to be moved from LessonMenuService to the LessonInfoModel/Service.
See comments in #94
Following the README instructions from a clean system, the following error occurs and the lessons do not load. WebGoat will start and the login screen appears, but after login there is no content.
INFO: WebGoat is starting
Aug 21, 2015 8:45:28 AM org.apache.catalina.session.StandardManager doLoad
SEVERE: IOException while loading persisted sessions: java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1355)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1595)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1060)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:284)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:204)
at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:491)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5300)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1671)
at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:1077)
at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:432)
at org.apache.catalina.session.StandardManager.unload(StandardManager.java:353)
at org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:518)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5479)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1575)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1564)
... 4 more
Aug 21, 2015 8:45:28 AM org.apache.catalina.session.StandardManager startInternal
SEVERE: Exception loading sessions from persistent storage
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1355)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1595)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1060)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:284)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:204)
at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:491)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5300)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1671)
at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:1077)
at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:432)
at org.apache.catalina.session.StandardManager.unload(StandardManager.java:353)
at org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:518)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5479)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1575)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1564)
... 4 more
Aug 21, 2015 8:45:28 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring FrameworkServlet 'mvc-dispatcher'
[INFO] FrameworkServlet 'mvc-dispatcher': initialization started
The window close works but not the close button. Firefox on a Mac.
I recommend you search around the OWASP Wiki and look for articles like this and either delete them, update them, or point them to where the latest information of this type exists.
Remove https://github.com/OWASP/WebGoat contents and replace it with a link to WebGoat/WebGoat/README or homepage