MathiasDeWeerdt / webgoat

Automatically exported from code.google.com/p/webgoat

LAB: Role Based Access Control - exception #17

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
1. http://localhost:9090/WebGoat/attack
2. Start Web Goat
3. Click on "LAB: Role Based Access Control"
4. Log in, for example, as John the Admin.
5. Click on CreateProfile.

What is the expected output? What do you see instead?
As a result, the WebGoat HR application forcefully expires my session as John
the Admin and presents a blank page with a "Login" button.
The Tomcat console reports the following error:

Wed Oct 08 09:11:56 MSD 2008 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl | [Screen=37,password=john,action=Login,employee_id=111,menu=200]
org.owasp.webgoat.session.ParameterNotFoundException: employee_id not found
        at org.owasp.webgoat.session.ParameterParser.getStringParameter(ParameterParser.java:679)
        at org.owasp.webgoat.session.ParameterParser.getIntParameter(ParameterParser.java:462)
        at org.owasp.webgoat.lessons.RoleBasedAccessControl.EditProfile.handleRequest(EditProfile.java:59)
        at org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl.handleRequest(RoleBasedAccessControl.java:243)
        at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:324)
        at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:146)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:731)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:619)
- WebGoat: Wed Oct 08 09:11:58 MSD 2008 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl | [Screen=37,action=CreateProfile,menu=200]
Wed Oct 08 09:11:58 MSD 2008 | 127.0.0.1:127.0.0.1 | org.owasp.webgoat.lessons.RoleBasedAccessControl.RoleBasedAccessControl | [Screen=37,action=CreateProfile,menu=200]

What version of the product are you using? On what operating system?
WebGoat-5.2, downloaded from google code as a zip archive.
OS: Windows Vista.

Please provide any additional information below.

Original issue reported on code.google.com by petandr on 8 Oct 2008 at 11:58

GoogleCodeExporter commented 9 years ago

Original comment by mayhe...@gmail.com on 8 Oct 2008 at 11:59

GoogleCodeExporter commented 9 years ago
This problem was solved by disabling the CreateProfile button, since it is both 
incomplete and not used in any lesson. However, it's also possible to get this 
same error by clicking "View Profile" without selecting an employee. This 
problem has been fixed for the next release.

Original comment by X71...@gmail.com on 10 Aug 2011 at 3:39
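The failure mode in the trace above, shown as an added example that is not WebGoat's code: a handler that reads a required parameter through a throwing accessor lets `ParameterNotFoundException` unwind to the container when "View Profile" is submitted with no employee selected, while the hardened handler validates `employee_id` first and answers with a lesson-level message. The class and method names mirror the trace, but `RequestParams`, `getOptionalInt` and `ProfileHandler` are hypothetical stand-ins, not the project's `ParameterParser`.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the servlet's parameter access (not WebGoat's ParameterParser).
class ParameterNotFoundException extends Exception {
    ParameterNotFoundException(String name) { super(name + " not found"); }
}
class RequestParams {
    private final Map<String, String> params;
    RequestParams(Map<String, String> params) { this.params = params; }

    // Mirrors the reported behaviour: a missing parameter throws, and if the
    // handler does not catch it the exception unwinds through the container.
    int getIntParameter(String name) throws ParameterNotFoundException {
        String raw = params.get(name);
        if (raw == null) throw new ParameterNotFoundException(name);
        return Integer.parseInt(raw); // NumberFormatException on non-numeric input
    }

    // Hardened accessor: absence or a non-numeric value becomes a null the caller must handle.
    Integer getOptionalInt(String name) {
        String raw = params.get(name);
        if (raw == null || !raw.matches("\\d{1,9}")) return null;
        return Integer.valueOf(raw);
    }
}
public class ProfileHandler {
    // Before: the profile action assumes employee_id is always present.
    static String viewProfileUnchecked(RequestParams p) throws ParameterNotFoundException {
        int id = p.getIntParameter("employee_id");
        return "profile for employee " + id;
    }

    // After: validate first and render a message inside the lesson instead of failing the request.
    static String viewProfileChecked(RequestParams p) {
        Integer id = p.getOptionalInt("employee_id");
        if (id == null) return "Please select an employee before viewing a profile.";
        return "profile for employee " + id;
    }

    public static void main(String[] args) {
        Map<String, String> noSelection = new HashMap<>(); // constructed: View Profile, nobody selected
        noSelection.put("action", "ViewProfile");
        try {
            System.out.println(viewProfileUnchecked(new RequestParams(noSelection)));
        } catch (ParameterNotFoundException e) {
            System.out.println("unchecked path failed: " + e.getMessage());
        }
        System.out.println("checked path: " + viewProfileChecked(new RequestParams(noSelection)));
    }
}
```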

GoogleCodeExporter commented 9 years ago

Original comment by mayhe...@gmail.com on 23 Apr 2012 at 7:21