[Esapi-dev] java.lang.NoClassDefFoundError

Kevin W. Wall kevin.w.wall at gmail.com
Tue Dec 6 21:27:23 EST 2011

On Tue, Dec 6, 2011 at 10:32 AM, Emmanouil Prekas <grad1107 at di.uoa.gr> wrote:
> The full server log file for the command
>  String dataResult1=request.getParameter("attackstring");
>        boolean attackDetected =
> org.owasp.appsensor.AttackDetectorUtils.verifyXSSAttack(dataResult1);
> when the input is <scrip>alert("lol");</script>
> is:
> INFO: Loading ESAPI.properties via file io failed.
> INFO: Attempting to load ESAPI.properties via the classpath.
> INFO: Successfully loaded ESAPI.properties via the classpath! BOO-YA!
> INFO: Successfully loaded ESAPI.properties via the classpath! BOO-YA!

Well, one thing that I've noticed from the 'BOO-YA' on your log messages
is that you are NOT using the latest version of ESAPI 2.0. Please download
the latest version and try again. I do believe that there were other changes
in the DefaultSecurityConfigurator class other than simply removing the

If you can do that and repost your results. Also read the doc; I think
the ESAPI.properties moved. Well, I know it did, just not sure on what
release candidate that it changed.

Note: The other thing you can try if you don't really care *where* you place
your ESAPI.properties file, is to try placing it under a '.esapi' folder
immediately under your user.home Java property. That is, in your case, try
placing it in:


Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
