factionsecurity / faction

Pen Test Report Generation and Assessment Collaboration
https://www.factionsecurity.com/
GNU General Public License v2.0
411 stars, 27 forks

Assessors not showing during assessment creation #39

Closed: eduardoestevao closed this issue 5 months ago

eduardoestevao commented 7 months ago

Hi,

I am using version 1.1.25 , self hosted.

When I try to create an assessment it does not show any assessor, so I am unable to save the assessment. I have an admin user and another user which is an assessor.

[screenshot: error]

Any tips or help?

summitt commented 7 months ago

Have you selected dates yet? It searches to see who is free at the times you specify.

Wvdhouven commented 6 months ago

I am experiencing the same problem. Cannot create a first assessment and do not have any OOO planned. Created a new user, same issue remains.

eduardoestevao commented 6 months ago

> Have you selected dates yet? It searches to see who is free at the times you specify.

Yes, I selected different dates for 2 different users. No one is OOO.

summitt commented 6 months ago

@eduardoestevao @Wvdhouven do all users have the 'assessor' permission?

eduardoestevao commented 6 months ago

[screenshot] Yes, all users in my case have assessor permissions (checked this on MongoDB as well).

summitt commented 6 months ago

Oh! Your user is "inActive". Disable that setting and it should work.

@Wvdhouven is this the same problem you have?

summitt commented 6 months ago

Once that's set correctly you should see this: [screenshot]

eduardoestevao commented 6 months ago

Disabled (screenshot attached), but still same thing:

[screenshots: disabledInActive, stillno]

summitt commented 6 months ago

Are your assessors on the 'Hacking Team'? You may need to select a different team when scheduling.

eduardoestevao commented 6 months ago

They are in the 'Hacking team' and I selected the right team.

summitt commented 6 months ago

@eduardoestevao Can you check the browser console to see if there is an error? Also, can you check if one of the XHR requests to /portal/Engagement is returning an error or stack trace on this page.

I've so far been unable to reproduce so there must be something I'm missing.

n13c commented 6 months ago

Hi, I also noticed the same issue. I have users that work OK and others for which the POST request to portal/Engagement sometimes returns 500, or returns 200 but the server response is a 500 error with a stack trace.

An example stack trace of one of these requests:

No result defined for action com.fuse.actions.scheduling.Engagement and result input
    at com.opensymphony.xwork2.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:378)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:279)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:49)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.doIntercept(ConversionErrorInterceptor.java:142)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:140)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:201)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:133)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:89)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:101)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:142)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:160)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:175)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at org.apache.struts2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:121)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:167)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:228)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:196)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
    at org.apache.struts2.factory.StrutsActionProxy.execute(StrutsActionProxy.java:48)
    at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:574)
    at org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:79)
    at org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:141)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
    at java.base/java.lang.Thread.run(Unknown Source)

All users have the same permissions setup.

summitt commented 6 months ago

Would it be possible for you to generate this error again and send me a HAR file from your browser? You can send it to develop [at] factionsecurity [dot] com. I'm still unable to generate the error. 😩

cv3tomuzika commented 5 months ago

Same problem on Version 1.2.0. Assessors are visible only when connecting via browser from the Faction server itself. Not from remote hosts.

summitt commented 5 months ago

@cv3tomuzika would it be possible to send me a HAR file of this happening (email me at develop [at] factionsecurity [dot] com)? I've tried several configurations and have been unable to recreate this issue. I really want to figure out why it happens in some instances and not in others.

cv3tomuzika commented 5 months ago

@summitt Done. I tried deploying on different virtualisations, including those without docker containers. The problem persists.

summitt commented 5 months ago

Thanks @cv3tomuzika. I'm able to recreate it now. It's an issue with the Accept-Language header. Working on a fix now. This issue seems systemic throughout the app.
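The failure mode diagnosed above, reproduced as an added illustration that is not Faction's code: it assumes (as a hypothesis, since the thread does not show the code) that the Engagement action parsed the scheduling dates with a converter driven by the request locale, so the same form submission succeeds or fails depending on the client's Accept-Language header. The assessor roster, the locale-to-pattern table and the two handler functions are constructed for this example; the hardened handler accepts one fixed wire format so Accept-Language can only affect display.

```python
from datetime import date, datetime

# Constructed sample roster (not Faction's schema): assessor -> out-of-office ranges.
ASSESSORS = {
    "alice": [(date(2024, 3, 4), date(2024, 3, 8))],
    "bob": [],
}
# Constructed locale -> date-pattern table, standing in for a locale-aware converter.
LOCALE_FORMATS = {"en-US": "%m/%d/%Y", "en-GB": "%d/%m/%Y", "de-DE": "%d.%m.%Y"}


def negotiate_locale(accept_language: str) -> str:
    """Return the first Accept-Language tag we have a pattern for, else en-US."""
    for part in (accept_language or "").split(","):
        tag = part.split(";")[0].strip()
        if tag in LOCALE_FORMATS:
            return tag
    return "en-US"


def free_assessors(start: date, end: date) -> list:
    """Assessors with no out-of-office range overlapping [start, end]."""
    return sorted(name for name, ooo in ASSESSORS.items()
                  if not any(s <= end and start <= e for s, e in ooo))


def engagement_locale_aware(params: dict, accept_language: str) -> tuple:
    """Hypothetical buggy handler: dates are parsed with the negotiated locale's
    pattern. A mismatch is a conversion error, the action falls through to the
    'input' result, and the client sees a 500 like the trace in this thread."""
    fmt = LOCALE_FORMATS[negotiate_locale(accept_language)]
    try:
        start = datetime.strptime(params["start"], fmt).date()
        end = datetime.strptime(params["end"], fmt).date()
    except ValueError:
        return 500, "No result defined for action Engagement and result input"
    return 200, free_assessors(start, end)


def engagement_fixed(params: dict, accept_language: str) -> tuple:
    """Hardened handler: the form always sends ISO 8601 dates, so parsing never
    depends on Accept-Language and every client gets the same assessor list."""
    try:
        start, end = (date.fromisoformat(params[k]) for k in ("start", "end"))
    except ValueError:
        return 400, "start/end must be YYYY-MM-DD"
    return 200, free_assessors(start, end)
```

The same request with a de-DE Accept-Language header is the one that trips the buggy handler, which is why the problem looked host-specific: only browsers whose locale matched the server's expected pattern ever saw assessors.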

summitt commented 5 months ago

@cv3tomuzika @n13c @Wvdhouven @eduardoestevao I've created release 1.2.1 that I hope will mitigate this issue. Let me know if the problem persists.

cv3tomuzika commented 5 months ago

@summitt Thanks for the quick response. At first glance everything seems to be working.