Insecure.inc - cwe89.jsp

Question

Insecure.inc - cwe89.jsp

Closed this issue 2 years ago · 6 comments

In the latest insecure.inc docker image published at dockerhub
DIGEST:sha256:87b47ae592a0c3dfa627cacac866279f24bef9ae856a0f94f1d6b71e7e7739c7

At the insecure.inc cwe89.jsp page
[Brown Belt : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')]
The page failes with error 500

HTTP Status 500 – Internal Server Error
Type Exception Report

Message An exception occurred processing [/cwe89.jsp] at line [18]

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

org.apache.jasper.JasperException: An exception occurred processing [/cwe89.jsp] at line [18]

15: EmbeddedDB db = (EmbeddedDB)session.getAttribute("cwe89db");
16: if(db==null){
17: db = new EmbeddedDB();
18: db.createDB();
19: session.setAttribute("cwe89db",db);
20: }
21: usr = usr.replace("-","");

java.lang.NoClassDefFoundError: Could not initialize class org.apache.derby.jdbc.AutoloadedDriver40

It seems the JDBC drivers is missing.

--
This same error is present in the previous sha256:4f604ad6 image as well.
The even older image sha256:cae16284 works fine.

Answer 1 · 2022-07-01T03:18:25.000Z

Got the same issue here, but I don't have older images to test.

Answer 2 · 2022-07-25T13:34:16.000Z

Got the same issue in the image built from the script build/insecureinc/buildImage.sh (commit 710a395)

Answer 3 · 2022-08-07T19:34:29.000Z

I have found removing derby.jar from insecureinc/src/main/webapp/WEB-INF/lib/ before building, resolves the issue

Answer 4 · 2022-08-16T14:58:16.000Z

I tried the suggestion from bajb and while it removes the original error message we still can't proceed past that lesson, it keeps saying we got the wrong answer or we get a "connection was reset" message in the browser. Did this option work for anyone else?

Answer 5 · 2022-09-17T15:34:27.000Z

Commit bccc234 should hopefully address this issue.

Note that I could not reproduce the problem. Both my local environment and the OWASP hosted instance of the dojo worked fine with DIGEST:sha256:87b47ae592a0c3dfa627cacac866279f24bef9ae856a0f94f1d6b71e7e7739c7 . Perhaps this was an intermittent issue caused by derby being both defined in the pom.xml and also being present in the lib folder.

A new container image was published today which includes bccc234 under the latest tag with digest sha256:17bf86117b76bd59da00dc0dc02e2d86822030ef8c04e3d650586716d0f23fa0

It is deployed and running at the following url where the SQLi challenge was tested and works fine.
http://13.59.135.221:8080/cwe89.jsp

Thanks everyone for your inputs.

Answer 6 · 2024-05-07T11:45:33.000Z

Got the same problem (err_connection_reset) which unfortunately prevents me from continuing the challenges. It also gives me a wrong "solution" as the first option:
admin'-- (this is wrong as "-" is filtered, it even says so: There's some deny listing involved so the payload above (which is admin'--) won't work.)

At the insecure.inc cwe89.jsp page [Brown Belt : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')] The page failes with error 500

15: EmbeddedDB db = (EmbeddedDB)session.getAttribute("cwe89db"); 16: if(db==null){ 17: db = new EmbeddedDB(); 18: db.createDB(); 19: session.setAttribute("cwe89db",db); 20: } 21: usr = usr.replace("-","");

At the insecure.inc cwe89.jsp page
[Brown Belt : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')]
The page failes with error 500

15: EmbeddedDB db = (EmbeddedDB)session.getAttribute("cwe89db");
16: if(db==null){
17: db = new EmbeddedDB();
18: db.createDB();
19: session.setAttribute("cwe89db",db);
20: }
21: usr = usr.replace("-","");