Logging in sometimes goes to report card and misses category-menu #114

Closed
span opened this issue Oct 22, 2015 · 7 comments
span commented Oct 22, 2015

I have been having issues trying to log in as guest or webgoat. The left menu does not render as expected with the categories but rather with the admin menu and displays the report card. Manually entering a URL-hash like #attack/152/900 will load that page but still with the wrong menu.

I get stuck in this mode and logging out and logging in again puts me on the same page, even when I clear the cookies for localhost. I am able to get around it by clearing cookies, restarting the application and then reloading the login page.

I end up in this state both when running the mvn -pl webgoat-container tomcat7:run-war command and when running the app as a standalone jar using java -jar webgoat-container-7.0-SNAPSHOT-war-exec.jar http://localhost:8080/WebGoat. It does not act consistently to my understanding and I have been unable to reproduce at will.


span changed the title from "Logging in sometimes goes to report card (only) and misses menu" to "Logging in sometimes goes to report card and misses category-menu" on Oct 22, 2015
dougmorato commented

I am using the developer bootstrap, which calls the mvn -pl webgoat-container tomcat7:run-war goal and I face this intermittent issue as well.

Whenever there is a failure when loading the plugins, no lessons are shown.

Here is the plugin that fails intermittently:

2015-10-22 17:31:00,274 INFO  - Loading courses: /
2015-10-22 17:31:00,274 DEBUG - Loading plugins into cache
2015-10-22 17:31:00,733 ERROR - Loading plugins failed
java.util.concurrent.ExecutionException: org.owasp.webgoat.plugins.PluginLoadingFailure: Class org.owasp.webgoat.plugin.BlindScript listed in jar but unable to load the class.
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
....


span commented Oct 22, 2015

I have the same failure in my logs when this occurs. I did some further testing, in a more structured way with the following conclusions.

After running mvn clean compile install and launching with mvn -pl ... the first launch would always get the error. Cancelling with ctrl+c and relaunching with the same command would always launch the application without the error.

I got the same results when building with mvn clean compile install and then mvn package and running the application with java -jar .... First launch always ends up in the error state and second launch works fine.

I had a look at when the plugin with BlindNumericSqlInjection is loaded and it seems that when it is not loaded as the first file, it loads fine:

2015-10-22 22:08:07,644 INFO  - Loading courses: /
2015-10-22 22:08:07,644 DEBUG - Loading plugins into cache
2015-10-22 22:08:07,944 DEBUG - Setting source file of lesson Malicious Code to: /Users/daniel-op/security/WebGoat/webgoat-container/target/.extract/webapps/WebGoat/plugin_extracted/org/owasp/webgoat/plugin/BlindScript.java
2015-10-22 22:08:07,944 DEBUG - Setting source file of lesson Blind Numeric SQL Injection to: /Users/daniel-op/security/WebGoat/webgoat-container/target/.extract/webapps/WebGoat/plugin_extracted/org/owasp/webgoat/plugin/BlindNumericSqlInjection.java
2015-10-22 22:08:07,944 DEBUG - Setting source file of lesson Blind String SQL Injection to: /Users/daniel-op/security/WebGoat/webgoat-container/target/.extract/webapps/WebGoat/plugin_extracted/org/owasp/webgoat/plugin/BlindStringSqlInjection.java

However, when it crashes it seems the class is loaded as the first class (or at least the output makes me believe so):

2015-10-22 23:53:50,902 INFO  - Loading courses: /
2015-10-22 23:53:50,902 DEBUG - Loading plugins into cache
2015-10-22 23:53:51,161 ERROR - Loading plugins failed
java.util.concurrent.ExecutionException: org.owasp.webgoat.plugins.PluginLoadingFailure: Class org.owasp.webgoat.plugin.BlindNumericSqlInjection listed in jar but unable to load the class.

The root cause is always a ClassNotFoundException: ...Caused by: java.lang.ClassNotFoundException: org.owasp.webgoat.plugin.BlindNumericSqlInjection.

When trying to reload the plugins by going to http://localhost:8080/WebGoat/service/reloadplugins.mvc I get another error:

2015-10-23 00:21:47,078 DEBUG - Loading plugins into cache
2015-10-23 00:21:47,078 DEBUG - Loading plugins into cache
2015-10-23 00:21:47,085 ERROR - Loading plugins failed
java.util.concurrent.ExecutionException: org.owasp.webgoat.plugins.PluginLoadingFailure: Class org.owasp.webgoat.plugin.BlindScript listed in jar but unable to load the class.
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.util.concurrent.FutureTask.get(FutureTask.java:192)
    at org.owasp.webgoat.plugins.PluginsLoader.processPlugins(PluginsLoader.java:126)
    at org.owasp.webgoat.plugins.PluginsLoader.loadPlugins(PluginsLoader.java:88)
    at org.owasp.webgoat.session.Course.loadLessonFromPlugin(Course.java:338)
    at org.owasp.webgoat.service.PluginReloadService.reloadPlugins(PluginReloadService.java:71)

I tried to refresh the page with the scorecard and ended up with a stack trace printed to the screen:

Error Message: Index: 0, Size: 0
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
at java.util.ArrayList.rangeCheck(ArrayList.java:653)
at java.util.ArrayList.get(ArrayList.java:429)
at org.owasp.webgoat.session.Course.getFirstLesson(Course.java:187)
at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:139)
at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:106)
...


nbaars commented Oct 23, 2015

I was able to reproduce this on a Linux machine; it seems to work fine on a Windows platform, also directly after a clean checkout and build. I changed how the jars are loaded; it also works on the Linux image now.

A pull request is available.

nbaars added a commit that referenced this issue Oct 23, 2015
 Logging in sometimes goes to report card and misses category-menu #114

nbaars commented Oct 23, 2015

The Travis build for JDK7 is green; the JDK 8 build fails with an IO error (made another ticket for this one).

Before closing the issue, can you do a verification on your machine?


span commented Oct 23, 2015

I have made new builds on my local machine that had the issue and I am no longer able to reproduce the issue. I am using JDK8 on OS X.

Java version: 1.8.0_45, vendor: Oracle Corporation
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.10.5", arch: "x86_64", family: "mac"

dougmorato commented

Fixed by Nanne on commit nbaars@060b0cd

Now working on Linux, Windows and Mac 💯


MFPaul commented Feb 26, 2018

I know this ticket is closed (it's been 2 years :-))
Unfortunately I have the same problem and am unable to resolve it.

I am running java version 7.1 (school assignment) ... And have the most recent version of WebGoat for Windows.
