Error when logging in with webgoat on Kali

admin

I've installed tomcat7 on the Linux distribution Kali (via apt-get) and downloaded the latest WebGoat release from https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1.war into the webapp directory.

Besides, I've added the Tomcat user for WebGoat as described here: https://deepakdevanand.wordpress.com/2015/05/25/installing-webgoat-on-kali-linux/

Following the URL localhost:8080/webgoat-container-7.0.1/attack leads to the start page, where I can log in with the user webgoat.
Btw, the tutorial says I should use my own configured Tomcat user with username "webgoat" and password "Sec3rt", but the web page shows that the default admin username is "webgoat" with the password "webgoat".

When logging in, an error message appears:

Code:
Error Message: Could not initialize class org.owasp.webgoat.session.UserTracker
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker
at org.owasp.webgoat.session.Screen.getLessonTracker(Screen.java:117)
at org.owasp.webgoat.lessons.LessonAdapter.makeSuccess(LessonAdapter.java:251)
at org.owasp.webgoat.plugin.HowToWork.createContent(HowToWork.java:53)
at org.owasp.webgoat.lessons.AbstractLesson.handleRequest(AbstractLesson.java:868)
at org.owasp.webgoat.HammerHead.makeScreen(HammerHead.java:332)
at org.owasp.webgoat.HammerHead.doPost(HammerHead.java:148)
at org.owasp.webgoat.HammerHead.doGet(HammerHead.java:104)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

The tomcat logfile lists the same error:

Code:
INFO: No Spring WebApplicationInitializer types detected on classpath
Apr 08, 2016 8:27:44 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
Apr 08, 2016 8:27:47 AM org.apache.catalina.core.ApplicationContext log
INFO: WebGoat is starting
Apr 08, 2016 8:27:47 AM org.apache.catalina.core.ApplicationContext log
INFO: Adding extra mappings for lessions
Apr 08, 2016 8:27:49 AM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring FrameworkServlet 'mvc-dispatcher'
Apr 08, 2016 8:43:43 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [mvc-dispatcher] in context with path [/webgoat-container-7.0.1] threw exception [Handler processing failed; nested exception is java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker] with root cause
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker
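
An added triage example, not part of the original post: the JVM reports "Could not initialize class X" on every use of X after X's static initializer has already failed once, so the actual cause is in an earlier log record whose stack contains an `X.<clinit>` frame. The sketch below pairs each such symptom with that earlier record; the sample log, its IllegalStateException root cause, and the function names are constructed for illustration and are not taken from the poster's system.

```python
import re

# Constructed sample in the java.util.logging layout shown above; the
# IllegalStateException root cause is invented for illustration only.
SAMPLE_LOG = """\
Apr 08, 2016 8:30:02 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [mvc-dispatcher] threw exception
java.lang.ExceptionInInitializerError
\tat org.owasp.webgoat.session.Screen.getLessonTracker(Screen.java:117)
Caused by: java.lang.IllegalStateException: constructed root cause
\tat org.owasp.webgoat.session.UserTracker.<clinit>(UserTracker.java:1)
Apr 08, 2016 8:43:43 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [mvc-dispatcher] threw exception
java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker
\tat org.owasp.webgoat.session.Screen.getLessonTracker(Screen.java:117)
"""

HEADER = re.compile(r"^[A-Z][a-z]{2} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M ", re.M)
SYMPTOM = re.compile(r"NoClassDefFoundError: Could not initialize class ([\w.$]+)")
CLINIT = re.compile(r"\bat ([\w.$]+)\.<clinit>\(")
EXC = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Error|Exception)\b.*)$", re.M)

def split_records(log):
    """Cut the log into records, one per timestamp header line."""
    starts = [m.start() for m in HEADER.finditer(log)] + [len(log)]
    return [log[a:b] for a, b in zip(starts, starts[1:])]

def triage(log):
    """For each class named in a 'Could not initialize class' error, find the
    earliest record whose stack shows that class's static initializer failing."""
    first_failure, report = {}, {}
    for rec in split_records(log):
        for cls in CLINIT.findall(rec):
            first_failure.setdefault(cls, rec)  # keep only the earliest record
        for cls in SYMPTOM.findall(rec):
            entry = report.setdefault(
                cls, {"symptoms": 0, "root_cause": None, "seen_at": None})
            entry["symptoms"] += 1
    for cls, entry in report.items():
        rec = first_failure.get(cls)
        if rec:  # the last exception line in the record is the deepest cause
            entry["root_cause"] = EXC.findall(rec)[-1]
            entry["seen_at"] = HEADER.match(rec).group().strip()
    return report
```

A `root_cause` of `None`, which is what the log excerpt in the post would produce, means the first failure was logged before the excerpt begins or in a different log file.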