Clicking on the JavaSource Button Generates a
SyntaxError: missing ; before statement " + lineSep + "function validate() {" + lineSep
in the javascript console.

Remove https://github.com/OWASP/WebGoat contents and replace it with a link to WebGoat/WebGoat/README or homepage

Some wonky rendering is occurring when loading this lesson. The web goat financials portion of the screen does not get rendered until the "select user" is clicked. Tested on Safari and Firefox

Initial render:

After clicking on the select user:

The stack trace is ...
2015-08-23 00:33:28,276 DEBUG - HH Entering Session_id: 10593521B908AFB0D490A02640CA96DB
2015-08-23 00:33:28,276 ERROR - Error handling request
java.lang.NumberFormatException: For input string: "null"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
at java.lang.Integer.parseInt(Integer.java:580)
at java.lang.Integer.parseInt(Integer.java:615)
at org.owasp.webgoat.session.ParameterParser.getIntParameter(ParameterParser.java:377)
at org.owasp.webgoat.session.WebSession.update(WebSession.java:845)
at org.owasp.webgoat.HammerHead.updateSession(HammerHead.java:403)
at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:132)
at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
...

When I change the URL from:
http://localhost:8080/WebGoat/start.mvc#attack/152/200
to
http://localhost:8080/WebGoat/start.mvc#attack/152/200/0
... it appears to work (since support was added for the stage param), but has 'Stage 2' above in the view.

@nbaars or @WebGoat you may be able to decipher a little better than me what's going on.

Need to investigate a bit more but it seems like the properties in the folder webgoat-container\src\main\webapp\plugin_extracted\i18n are added over and over whenever plugins are loaded

Tested FF and Chrome, but only noticed this in FF.

Anyone else noticing this?

No other hints on this so far, just noticed it happening when trying to reproduce the DOM Injection issue.

This is more of a placeholder for something I think I noted last night and I need to play with some more. Some lessons, even though they are in separate *.jar's, have (I believe) legacy inter-dependencies. Don't know if we can/want to introspect a lesson *.jar when unpacking and determine that, but we may want to as I was getting the 'invalid session' last night which came back to a NoClassDefFound error (related to CSRF lessons). I didn't grab the details at the moment, but some info may still be in my terminal scrollback. Will update once I can verify more about this.

Rebuilt from GIT on CentOS 7; most recent commit at time of clone was b2316c6

Error Message: null java.lang.NullPointerException at org.owasp.webgoat.util.LabelManagerImpl.get(LabelManagerImpl.java:66) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:483) at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317) at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150) at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:132) at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:120) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) at com.sun.proxy.$Proxy9.get(Unknown Source) at org.owasp.webgoat.lessons.LessonAdapter.makeSuccess(LessonAdapter.java:225) at org.owasp.webgoat.plugin.HowToWork.createContent(HowToWork.java:53) at org.owasp.webgoat.lessons.AbstractLesson.handleRequest(AbstractLesson.java:737) at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:304) at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:152) at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:107) at javax.servlet.http.HttpServlet.service(HttpServlet.java:621) at javax.servlet.http.HttpServlet.service(HttpServlet.java:728) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)

https://github.com/WebGoat/WebGoat/wiki/Installation-(WebGoat-7.0)

See the Webgoat 6.0.1 release for how it should behave, how it was set up. The 'user' icon should show the 'current user' (usually just 'guest' still) and the log out link. Image included below.

AbstractLesson needs some error handling...

This method in this class is making a bunch of assumptions, like the properties file exists, and certain properties are in it.

Can you add some error handling so if the property doesn't exist, it doesn't simply throw a null pointer without explaining the problem? Like can't find property X in file Y (or something)? (See where I marked it throwing a null pointer exception because I didn't have my configuration right).

Also - can you explain somewhere what properties I have to create, what names, where to put them, and what goes in them so someone can make a new lesson work?

public void update(WebgoatProperties properties) {
    String className = getClass().getName();
    className = className.substring(className.lastIndexOf(".") + 1);
    setRanking(new Integer(properties.getIntProperty("lesson." + className + ".ranking", getDefaultRanking()
            .intValue())));
    String categoryRankingKey = "category." + getDefaultCategory().getName() + ".ranking";
    // System.out.println("Category ranking key: " + categoryRankingKey);
    Category tempCategory = Category.getCategory(getDefaultCategory().getName());
    tempCategory.setRanking(new Integer(properties.getIntProperty(categoryRankingKey, getDefaultCategory()
            .getRanking().intValue())));   <--- null pointer here when this 'int' property doesn't exist.
    category = tempCategory;
    setHidden(properties.getBooleanProperty("lesson." + className + ".hidden", getDefaultHidden()));
    // System.out.println(className + " in " + tempCategory.getName() + "
    // (Category Ranking: " + tempCategory.getRanking() + " Lesson ranking:
    // " + getRanking() + ", hidden:" + hidden +")");
}

Expose a service/endpoint to provide basic Lesson information. Longer-term this will enable lazy loading of helps. Shorter-term, we need this to aid in getting the lesson title via the client-side routing (and generally).

{
  lessonTitle:_TITLE_,
  numberHints:_#_,
  hasSource: T||F,
  hasSolution: T||F,
  hasPlan: T||F
}```

I've written 2 new custom lessons (really just test cases, not lessons), and put them in a brand new category.

And sometimes when I start WebGoat, 1 shows up, and other times both show up. And then I added a 3rd lesson, and I have the config file set up like this:

category.MYNEW.ranking=7
lesson.MYNEW_Lesson1.ranking=10
lesson.MYNEW_Lesson2.ranking=15
lesson.MYNEW_File_Lesson.ranking=20

and this time 2 out of the 3 showed up. (The 1st and 3rd one).
And when I restarted and tried again, I only got 1. (The 2nd one) :-)

https://github.com/WebGoat/WebGoat/wiki/How-to-create-lesson-(WebGoat-7.0)

You kind of get a blank screen with just the menus on the side. Seems like you should default to go to the Http Basics lesson, which is what previous WebGoat used to do.

Sometimes WebGoat launches fine (this is on a Mac). But sometimes it only shows the Admin menus and in the webgoat log it has a stack trace with this info in it.

I've seen a similar error on Windows but the failure is far more consistent there (I reported this issue earlier). Maybe there is a threading problem or something? This in intermittent on Mac, where most often WebGoat starts fine, but sometimes this occurs and it doesn't start properly.

    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)

Caused by: java.nio.file.NoSuchFileException: /Users/dwichers/git/Webgoat-Workspace/WebGoat/webgoat-container/target/webgoat-container-7.0-SNAPSHOT/plugin_extracted/plugin/i18n/WebGoatLabels_fr.properties
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:55)
at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
at java.nio.file.Files.readAttributes(Files.java:1684)
at java.nio.file.Files.size(Files.java:2273)
at java.nio.file.Files.readAllBytes(Files.java:2957)
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:90)
... 79 more

There is no clean indication of lesson completion, but content reloads. That even can be used to reload/update the menu for completed lessons. The menu load can be hooked there. It will need to support keeping the current category/lesson/stage open. Despite the menuView needing a good refactoring (longer term). There is some initial work started on this.

Navigate to this lesson and the following stacktrace will appear. Also note that when this error occurs you automatically solved the lesson.

[INFO] PARM MAP: {Screen=[Ljava.lang.String;@2a652319, menu=[Ljava.lang.String;@41f7af11, stage=[Ljava.lang.String;@f2f8ebf}
java.io.FileNotFoundException: \src\main\webapp\WEB-INF\classes\New Lesson Instructions.txt (The system cannot find the path specified)
        at java.io.FileInputStream.open0(Native Method)
        at java.io.FileInputStream.open(FileInputStream.java:195)
        at java.io.FileInputStream.<init>(FileInputStream.java:138)
        at java.io.FileInputStream.<init>(FileInputStream.java:93)
[INFO] Role: user       at java.io.FileReader.<init>(FileReader.java:58)

        at org.owasp.webgoat.lessons.LessonAdapter.createContent(LessonAdapter.java:82)
[INFO] Role: user       at org.owasp.webgoat.lessons.AbstractLesson.handleRequest(AbstractLesson.java:737)

[INFO] Role: user       at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:304)

        at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:152)
[INFO] Role: user
        at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:107)[INFO] Role: user

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
[INFO] Role: user
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
[INFO] Role: user
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
[INFO] Role: user
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
[INFO] Role: user
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
[INFO] Role: user       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

[INFO] Role: user       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

[INFO] Role: user       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)

        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)[INFO] Role: user

        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)[INFO] Role: user

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
[INFO] Role: user
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
[INFO] Role: user
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
[INFO] Role: user       at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)

[INFO] Role: user       at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)

[INFO] Role: user       at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)[INFO] Checking if challenge authorized for: ShowHints

        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
[INFO] authorized: false        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)

[INFO] Checking if challenge authorized for: ShowHints  at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)

        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
[INFO] authorized: false
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Sep 04, 2015 8:30:05 AM org.apache.catalina.core.ApplicationContext log
INFO: WebGoat: Fri Sep 04 08:30:05 CEST 2015 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.plugin.CsrfTokenByPass | [Screen=127,menu=900,stage=null]

Following the README instructions from a clean system. The following error occurs and the lessons do not load. WebGoat will start and the login screen appears, after login there is no content.

INFO: WebGoat is starting
Aug 21, 2015 8:45:28 AM org.apache.catalina.session.StandardManager doLoad
SEVERE: IOException while loading persisted sessions: java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1355)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1595)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1060)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:284)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:204)
at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:491)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5300)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1671)
at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:1077)
at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:432)
at org.apache.catalina.session.StandardManager.unload(StandardManager.java:353)
at org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:518)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5479)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1575)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1564)
... 4 more

Aug 21, 2015 8:45:28 AM org.apache.catalina.session.StandardManager startInternal
SEVERE: Exception loading sessions from persistent storage
java.io.WriteAbortedException: writing aborted; java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1355)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1993)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1918)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1801)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1351)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:371)
at org.apache.catalina.session.StandardSession.readObject(StandardSession.java:1595)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1060)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:284)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:204)
at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:491)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5300)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.NotSerializableException: org.owasp.webgoat.util.LabelManagerImpl
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1184)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1548)
at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1509)
at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
at org.apache.catalina.session.StandardSession.writeObject(StandardSession.java:1671)
at org.apache.catalina.session.StandardSession.writeObjectData(StandardSession.java:1077)
at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:432)
at org.apache.catalina.session.StandardManager.unload(StandardManager.java:353)
at org.apache.catalina.session.StandardManager.stopInternal(StandardManager.java:518)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5479)
at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1575)
at org.apache.catalina.core.ContainerBase$StopChild.call(ContainerBase.java:1564)
... 4 more

Aug 21, 2015 8:45:28 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring FrameworkServlet 'mvc-dispatcher'
[INFO] FrameworkServlet 'mvc-dispatcher': initialization started

https://github.com/WebGoat/WebGoat/wiki

As part of the property loading in the label manager, it would be nice to set a flag that allowed a user to see which rendered text on a screen was served via i8n properties. This can be a hidden parameter much like debug=true is.

This should be updated and re-enabled with the changes in Backbone. Should be pretty straightforward to re-enable. See image below

Its not hard, but figuring this out yourself with no instructions is a pain.

Showing them how to update the Category class and then update the configuration file(s) to add the new lesson(s) so they show up in the left hand menu would be very helpful.

As a developer, I would like a button to force the reloading of all plugins.

When I import the webgoat-container project into Eclipse, I get this error:
No marketplace entries found to handle Execution create-jar, in /webgoat-container/pom.xml in Eclipse. Please see Help for more information.

Due to:

[INFO] PARM MAP: {stage=[Ljava.lang.String;@7683034d, Screen=[Ljava.lang.String;@5e50edd8, menu=[Ljava.lang.String;@14883b86}
java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key EnterYourName
[INFO] Role: user       at java.util.ResourceBundle.getObject(ResourceBundle.java:450)

Did a check for the key and it is indeed missing from the WebGoat.properties. This key was available in my local workspace but after a rm plugins_extracted it also started failing.

It seems like the order of the buttons (Lesson source, Hints, etc) change after a submit. See screenshots the lesson opens correctly after a submit the order is different. After entering a url and clicking submit the order changes.

Environment: Windows 10, Firefox browser

Towards the end of the launch it eventually displays the following message. But its still 'starting'. Can you add a line that indicates: WebGoat 'started' when its actually up and running?

____________________ Starting WebGoat using the embedded Tomcat ___________________

Open a web browser and navigate to http://localhost:8080/WebGoat/

STDOUT and STDERR logs are captured in ./webgoat_developer_bootstrap.log

To stop the Tomcat execution, press CTRL + C

If you close this terminal window, Tomcat and WebGoat will stop running

############################### HAPPY HACKING!

Just noticed when I was fixing an issue so I made a side by side comparison. All point to localhost and I used FireFox(left) Edge (middle) and Chrome(right) and Chrome has one more lesson displayed in the menu.

Edge and Firefox each miss a different lesson.

Stages will never get past stage 1 currently. Client-side routing does not support that parameter. Support/route needs to be added.

Given @nbaars PR99 (#99) is merged sucessfully, this effectively eliminates webgoat-classloader.

With this, we can move webgoat-container UP one directory again. It will make a lot easier to maintain and release.

I propose this to be done before release 7.0

https://github.com/WebGoat/WebGoat/wiki/Plugin-Architecture

in: webgoat_developer_bootstrap.sh

You might want to fix the 3 spelling / grammar errors in this:

Starting WebGoat using the embbebed Tomcat ___________________

Open a web broser an navigate to http://localhost:8080/WebGoat/

Embedded, browser, and 'and navigate to...'

It displays this: WeakAuthenticationCookiePleaseSignIn - which isn't right. Probably should just say: Please Sign In.

And when you try to sign in, it doesn't anything like invalid login, or whatever when the credentials don't work.

When loading any of the labs with Stages 1 through N I get stack traces like this:

Error Message: javax.servlet.ServletException: File "/plugin_extracted/plugin/CrossSiteScripting/jsp/CrossSiteScripting.jsp" not found
org.apache.jasper.JasperException: javax.servlet.ServletException: File "/plugin_extracted/plugin/CrossSiteScripting/jsp/CrossSiteScripting.jsp" not found
at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:585)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:455)
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)

Another item to re-enable from WebGoat 6.0.1. The button to the right of the logo should toggle the menu/navigation. See below.

I recommend you search around the OWASP Wiki and look for articles like this and either delete them, update them, or point them to where the latest information of this type exists.

Challenge needs hints turned off. This special case needs to be moved from LessonMenuService to the LessonInfoModel/Service.

See comments in #94

It can take a moment to run/load (at least locally). On initial menu load, implement spinner while menu loads.

These instructions download, build, and deploy instructions worked like a champ. I love it when things like this 'just work'.

However, when I actually start running WebGoat, using: Option #1: Using the Maven-Tomcat Plugin

The maven tomcat7:run-war goal runs the project in an embedded tomcat:

cd WebGoat
mvn -pl webgoat-container tomcat7:run-war

I get the following error. I don't understand how this could be a permissions error because I installed and built and ran all this with the same user ID. Am I doing something wrong? Or is there a bug in WebGoat?

Thanks, Dave

[INFO] Initializing main webgoat servlet
[ERROR] Loading plugins failed
org.owasp.webgoat.plugins.PluginLoadingFailure: Property file detected, but unable to copy the properties
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:96)
at org.owasp.webgoat.plugins.Plugin.loadFiles(Plugin.java:80)
at org.owasp.webgoat.plugins.PluginsLoader.processPlugins(PluginsLoader.java:86)
at org.owasp.webgoat.plugins.PluginsLoader.loadPlugins(PluginsLoader.java:49)
at org.owasp.webgoat.plugins.PluginsLoader.run(PluginsLoader.java:113)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.nio.file.NoSuchFileException: C:\dwichers\WebGoat\webgoat-container\target\webgoat-container-7.0-SNAPSHOT\plugin_extracted\plugin\i18n\WebGoatLabels_ru.properties
at sun.nio.fs.WindowsException.translateToIOException(WindowsException.java:79)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:97)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:102)
at sun.nio.fs.WindowsFileSystemProvider.newByteChannel(WindowsFileSystemProvider.java:230)
at java.nio.file.Files.newByteChannel(Files.java:317)
at java.nio.file.Files.newByteChannel(Files.java:363)
at java.nio.file.Files.readAllBytes(Files.java:2981)
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:90)
... 11 more
Sep 14, 2015 2:58:49 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Sep 14, 2015 3:00:45 PM org.apache.jasper.compiler.TldLocationsCache tldScanJar
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.

Which I think is then causing this error:

[ERROR] Loading plugins failed
org.owasp.webgoat.plugins.PluginLoadingFailure: Property file detected, but unable to copy the properties
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:96)
at org.owasp.webgoat.plugins.Plugin.loadFiles(Plugin.java:80)
at org.owasp.webgoat.plugins.PluginsLoader.processPlugins(PluginsLoader.java:86)
at org.owasp.webgoat.plugins.PluginsLoader.loadPlugins(PluginsLoader.java:49)
at org.owasp.webgoat.plugins.PluginsLoader.run(PluginsLoader.java:113)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.nio.file.NoSuchFileException: C:\dwichers\WebGoat\webgoat-container\target\webgoat-container-7.0-SNAPSHOT\plugin_extracted\plugin\i18n\WebGoatLabels_fr.properties
at sun.nio.fs.WindowsException.translateToIOException(WindowsException.java:79)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:97)
at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:102)
at sun.nio.fs.WindowsFileSystemProvider.newByteChannel(WindowsFileSystemProvider.java:230)
at java.nio.file.Files.newByteChannel(Files.java:317)
at java.nio.file.Files.newByteChannel(Files.java:363)
at java.nio.file.Files.readAllBytes(Files.java:2981)
at org.owasp.webgoat.plugins.Plugin.copyProperties(Plugin.java:90)
... 11 more

by the way.

When trying Option #2 I get a different error:

SEVERE: Exception fixing docBase for context [/WebGoat] java.io.FileNotFoundException: C:\dwichers\WebGoat\webgoat-container\target.extract\webapps\WebGoat.war (The system cannot find the file specified)

And indeed, that file is not in that directory.

p.s. The quick start using the .sh script for Mac worked like a champ.

hello~
i want to use netbeans IDE built webgoat on mac os x . how can i do it?

➜ ~ brew install maven
==> Downloading http://www.apache.org/dyn/closer.cgi?path=maven/maven-3/3.2.3/bi
==> Best Mirror http://mirror.bit.edu.cn/apache/maven/maven-3/3.2.3/binaries/apa

curl: (22) The requested URL returned error: 404 Not Found
Error: Failed to download resource "maven"
Download failed: http://mirror.bit.edu.cn/apache/maven/maven-3/3.2.3/binaries/apache-maven-3.2.3-bin.tar.gz

The error message is supposed to say something like:

'Whoops you entered an invalid 3 digit code CODE.' Or something like that.

Instead it displays: * ReflectedXSSWhoops1111testReflectedXSSWhoops2

where 111test is what I entered in the last field of the lesson.

Once the lesson plan, solution, and java source buttons are pressed, it can't be turned off. The content always shows.

Also, there are some "[]" characters in the "Java [Source]" and "Lesson Plan]" buttons

The window close works but not the close button. Firefox on a Mac.

If the request is aborted, or there is an error in the response, that is not handled currently. This should be handled/presented to the user accordingly.

When routed to a lesson e.g. #/attack/2/3 The title is not easily pulled from scope. The LessonInfo Service (Issue #23 ) will provide that. A call should be added to consume/use that.

We need to extract the css in a separate file just like the other lessons.
Lesson works.

If there is an error like the following, it keeps chugging along and tries to run WebGoat anyway. Can you add some kind of error handling to detect Maven errors at each stage and stop if there was an error?

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project FOO: Compilation failure

Whatever the error was

[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :FOO

____________________ Starting WebGoat using the embedded Tomcat ___________________

Open a web browser and navigate to http://localhost:8080/WebGoat/

STDOUT and STDERR logs are captured in ./webgoat_developer_bootstrap.log

To stop the Tomcat execution, press CTRL + C

If you close this terminal window, Tomcat and WebGoat will stop running

############################### HAPPY HACKING!

Would be better to operate ID-less and that may happen in a refactor of the MenuView later, but for now, need to improve uniqueness of menu item id's (e.g. we have two 'Stage 1: Stored XSS' lessons and the ID is made deterministically from the name (only) currently.