Error when logging in to WebGoat on Kali

Time: 2016-04-08 13:13:28

Tags: java tomcat

I installed tomcat7 (via apt-get) on the Linux distribution Kali and downloaded the latest webgoat release from the following URL: https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1.war into the webapp directory.

In addition, I added the tomcat users for webgoat as described here: https://deepakdevanand.wordpress.com/2015/05/25/installing-webgoat-on-kali-linux/

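After reaching the start page at the URL localhost:8080/webgoat-container-7.0.1/attack, I can log in with webgoat. By the way, the tutorial says I should use the tomcat user I configured myself, with username "webgoat" and password "Sec3rt", but the web page shows the default admin username as "webgoat" with password "webgoat".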

When logging in, the following error message appears:

Error Message: Could not initialize class org.owasp.webgoat.session.UserTracker
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker
at org.owasp.webgoat.session.Screen.getLessonTracker(Screen.java:117)
at org.owasp.webgoat.lessons.LessonAdapter.makeSuccess(LessonAdapter.java:251)
at org.owasp.webgoat.plugin.HowToWork.createContent(HowToWork.java:53)
at org.owasp.webgoat.lessons.AbstractLesson.handleRequest(AbstractLesson.java:868)
at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:332)
at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:148)
at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:104)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

The tomcat log file lists the same error:

INFO: No Spring WebApplicationInitializer types detected on classpath
Apr 08, 2016 8:27:44 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
Apr 08, 2016 8:27:47 AM org.apache.catalina.core.ApplicationContext log
INFO: WebGoat is starting
Apr 08, 2016 8:27:47 AM org.apache.catalina.core.ApplicationContext log
INFO: Adding extra mappings for lessions
Apr 08, 2016 8:27:49 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring FrameworkServlet 'mvc-dispatcher'
Apr 08, 2016 8:43:43 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [mvc-dispatcher] in context with path [/webgoat-container-7.0.1] threw exception [Handler processing failed; nested exception is java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker] with root cause
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker

1 answer:

Answer 0: (score: 0)

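I struggled with this myself for a while. You are probably missing permissions to write the user database file. If your log entries show something like this: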

Caused by: java.io.FileNotFoundException: /var/lib/tomcat7/UserDatabase.mv.db (Permission denied)

Then grant your tomcat user permissions to the listed folder.
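
The check described in the answer above, as an added example that is not part of the original post: it pulls every "Permission denied" file path out of a Tomcat log and reports the owner and mode of the directory involved, so only that directory is opened to the service account. The service user name `tomcat7`, the log path in the usage comment and the sample log are assumptions; `stat -c` is the GNU form.

```shell
#!/bin/sh
# Added example: locate file-permission failures in a Tomcat log and show
# which directories the Tomcat service account needs write access to.

# Print unique paths from lines such as
#   Caused by: java.io.FileNotFoundException: /path/file (Permission denied)
denied_paths() {
    sed -n 's/^.*java\.io\.FileNotFoundException: \(.*\) (Permission denied).*$/\1/p' "$1" |
        sort -u
}

# Print the parent directory of each denied path, de-duplicated.
denied_dirs() {
    denied_paths "$1" | while IFS= read -r p; do dirname "$p"; done | sort -u
}

# For each directory, show current owner and mode plus a narrowly scoped fix.
# The fix is only printed, never executed. $2 = service user (assumed: tomcat7).
check_dirs() {
    log=$1
    user=${2:-tomcat7}
    denied_dirs "$log" | while IFS= read -r d; do
        if [ -d "$d" ]; then
            echo "$d owner=$(stat -c '%U:%G' "$d") mode=$(stat -c '%a' "$d")"
            echo "  suggested: chown $user: '$d'   (avoid chmod 777)"
        else
            echo "$d does not exist on this host"
        fi
    done
}

# Constructed sample log; the 'Caused by' line is the one quoted in the answer.
sample_log() {
    cat <<'EOF'
INFO: WebGoat is starting
SEVERE: Servlet.service() for servlet [mvc-dispatcher] threw exception
Caused by: java.io.FileNotFoundException: /var/lib/tomcat7/UserDatabase.mv.db (Permission denied)
INFO: Initializing Spring FrameworkServlet 'mvc-dispatcher'
Caused by: java.io.FileNotFoundException: /var/lib/tomcat7/UserDatabase.mv.db (Permission denied)
EOF
}

# Usage (log path is an assumption): sh check.sh /var/log/tomcat7/catalina.out
if [ "$#" -gt 0 ]; then
    check_dirs "$1" "${2:-tomcat7}"
fi
```
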