OWASP / SecurityShepherd

Web and mobile application security training platform
https://owasp.org/www-project-security-shepherd/
GNU General Public License v3.0

Potential Bug in Session Management Challenge 5 #475

Open Elmeche opened 5 years ago

Elmeche commented 5 years ago

Hello

I have a problem with “Session Management Challenge 5”. I have checked with other students who have solved this challenge, and they told me that it worked for them this way:

  1. Password reset request «admin»
  2. The subUserName, newPassword and resetPasswordToken (“TimeStamp” in base64) are sent to the ChangePass URL with OWASP ZAP
  3. Receive the following request:
     a. Password change request success.
  4. Try to login as admin:
     a. Receive: incorrect password for admin

I’ve made a video doing these steps

Here is the link to the video: https://youtu.be/dUB1tuF_VP8

Before I posted the issue here, I spoke to my teacher about this issue and she told me I should post it here.

Greetings
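The flow in the steps above (reset request, change of password with a reset token, login with the new password) is the one a password-reset endpoint has to get right end to end: the token must be unguessable and single-use, and a "success" response must mean the stored credential really changed. The following is an added example written for this thread, not Security Shepherd's own code; the class and function names (PasswordResetService, reset_roundtrip) and the sample user are constructed here. It deliberately issues a random token from the OS CSPRNG rather than an encoded timestamp, stores only the token's hash, enforces expiry and single use, and its round-trip check confirms that after a successful change the old password no longer works and the new one does, which is the invariant the report says was violated.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _password_hash(salt: str, password: str) -> str:
    # PBKDF2 from the standard library; a dedicated KDF (argon2/bcrypt) is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def _token_hash(token: str) -> str:
    # Reset tokens are high-entropy, so a plain SHA-256 is enough to avoid storing them in clear.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    name: str
    salt: str
    password_hash: str


class PasswordResetService:
    """Hypothetical in-memory user store plus password-reset flow (constructed example)."""

    TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        # token hash -> (owner, expiry time); only the hash is kept server-side
        self.resets: Dict[str, Tuple[str, float]] = {}

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[name] = User(name, salt, _password_hash(salt, password))

    def login(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        # constant-time comparison of the stored and recomputed hashes
        return hmac.compare_digest(user.password_hash, _password_hash(user.salt, password))

    def request_reset(self, name: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a reset token; returns None for unknown users (caller should not reveal which)."""
        if name not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, not derived from a timestamp
        self.resets[_token_hash(token)] = (name, now + self.TOKEN_TTL)
        return token

    def change_password(self, name: str, token: str, new_password: str,
                        now: Optional[float] = None) -> bool:
        """Consume the token exactly once; succeed only if it is unexpired and bound to `name`."""
        now = time.time() if now is None else now
        entry = self.resets.pop(_token_hash(token), None)  # single use: gone after first attempt
        if entry is None:
            return False
        owner, expiry = entry
        if owner != name or now > expiry:
            return False
        user = self.users[name]
        user.salt = secrets.token_hex(8)  # fresh salt so the new hash is unrelated to the old one
        user.password_hash = _password_hash(user.salt, new_password)
        return True


def reset_roundtrip(now: float = 1_554_228_000.0) -> Dict[str, bool]:
    """Run the reset flow once and report the properties a reviewer would check."""
    svc = PasswordResetService()
    svc.register("admin", "old-password")  # constructed sample user
    token = svc.request_reset("admin", now=now)
    changed = svc.change_password("admin", token, "new-password", now=now + 60)
    replay = svc.change_password("admin", token, "other", now=now + 61)
    stale = svc.request_reset("admin", now=now)
    expired = svc.change_password("admin", stale, "late", now=now + svc.TOKEN_TTL + 1)
    svc.register("alice", "alice-pw")
    foreign = svc.request_reset("admin", now=now)
    wrong_user = svc.change_password("alice", foreign, "hijack", now=now + 1)
    return {
        "changed": changed,                       # True: ChangePass succeeded
        "login_old": svc.login("admin", "old-password"),  # False: old credential retired
        "login_new": svc.login("admin", "new-password"),  # True: the change took effect
        "replay": replay,                         # False: token cannot be reused
        "expired": expired,                       # False: TTL enforced
        "wrong_user": wrong_user,                 # False: token is bound to its owner
        "unknown_user": svc.request_reset("nobody") is None,
    }


if __name__ == "__main__":
    for check, value in reset_roundtrip().items():
        print(f"{check}: {value}")
```

The round-trip helper is the kind of check worth keeping next to a reset endpoint: if `changed` is true but `login_new` is false, the endpoint reported success without persisting the new credential, which is the symptom described in the report.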

markdenihan commented 5 years ago

@Elmeche Can you include tomcat logs from the Security Shepherd server for this issue you're seeing?

Elmeche commented 5 years ago

Good Day,

Sorry for the delay. Here are the logs distributed from my teacher:

02-Apr-2019 18:09:56.406 INFO [https-jsse-nio-0.0.0.0-443-exec-37] org.apache.tomcat.util.http.Parameters.processParameters Invalid chunk starting at byte [0] and ending at byte [1] with a value of [=] ignored
 Note: further occurrences of Parameter errors will be logged at DEBUG level.
02-Apr-2019 21:02:55.411 INFO [https-jsse-nio-0.0.0.0-443-exec-30] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:427)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:687)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:800)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1463)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

markdenihan commented 5 years ago

Do you have the catalina.out logs by any chance? I'm not seeing the same behaviour in my environment and I'd like to see what's going on with that environment causing this issue


Elmeche commented 5 years ago

Good Day,

I have sent you the log via e-mail.

shredstick commented 1 year ago

I am having the exact same issue. Have you found a solution?