SecureCodingDojo icon indicating copy to clipboard operation
SecureCodingDojo copied to clipboard

Published 20 hours ago verified publisher icon OWASP

Insecure.inc - cwe89.jsp

Open anonymous-commits opened this issue 3 years ago • 4 comments

In the latest insecure.inc docker image published at dockerhub DIGEST:sha256:87b47ae592a0c3dfa627cacac866279f24bef9ae856a0f94f1d6b71e7e7739c7

At the insecure.inc cwe89.jsp page [Brown Belt : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] The page failes with error 500

HTTP Status 500 – Internal Server Error Type Exception Report

Message An exception occurred processing [/cwe89.jsp] at line [18]

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

org.apache.jasper.JasperException: An exception occurred processing [/cwe89.jsp] at line [18]

15: EmbeddedDB db = (EmbeddedDB)session.getAttribute("cwe89db"); 16: if(db==null){ 17: db = new EmbeddedDB(); 18: db.createDB(); 19: session.setAttribute("cwe89db",db); 20: } 21: usr = usr.replace("-","");

java.lang.NoClassDefFoundError: Could not initialize class org.apache.derby.jdbc.AutoloadedDriver40

It seems the JDBC drivers is missing.

-- This same error is present in the previous sha256:4f604ad6 image as well. The even older image sha256:cae16284 works fine.

anonymous-commits avatar Jun 27 '22 09:06 anonymous-commits

Got the same issue here, but I don't have older images to test.

GasparMDQ avatar Jul 01 '22 03:07 GasparMDQ

Got the same issue in the image built from the script build/insecureinc/buildImage.sh (commit 710a39516537734a889bc31120b511e13838a052)

hubertwslin avatar Jul 25 '22 13:07 hubertwslin

I have found removing derby.jar from insecureinc/src/main/webapp/WEB-INF/lib/ before building, resolves the issue

bajb avatar Aug 07 '22 19:08 bajb

I tried the suggestion from bajb and while it removes the original error message we still can't proceed past that lesson, it keeps saying we got the wrong answer or we get a "connection was reset" message in the browser. Did this option work for anyone else?

bcrooker avatar Aug 16 '22 14:08 bcrooker

Commit bccc234 should hopefully address this issue.

Note that I could not reproduce the problem. Both my local environment and the OWASP hosted instance of the dojo worked fine with DIGEST:sha256:87b47ae592a0c3dfa627cacac866279f24bef9ae856a0f94f1d6b71e7e7739c7 . Perhaps this was an intermittent issue caused by derby being both defined in the pom.xml and also being present in the lib folder.

A new container image was published today which includes bccc234 under the latest tag with digest sha256:17bf86117b76bd59da00dc0dc02e2d86822030ef8c04e3d650586716d0f23fa0

It is deployed and running at the following url where the SQLi challenge was tested and works fine. http://13.59.135.221:8080/cwe89.jsp

Thanks everyone for your inputs.

paul-ion avatar Sep 17 '22 15:09 paul-ion