dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed comments by Bruce

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@59 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
sherif.fathy
2007-01-11 05:14:09 +00:00
parent 2fdf823259
commit 036964495b
12 changed files with 52 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html
View File

@ -14,18 +14,18 @@ A victim application will not be checking for CR (carriage return, also given by
and LF (line feed, also given by %0a or \n)characters. These characters not only give attackers control
of the remaining headers and body of the response the application intends to send,
but also allows them to create additional responses entirely under their control.<br>
The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisining. The goal of<br>
Cache Poisining attack is to poison the cache of the victim by fooling the cache to believe that the page<br>
The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisining. The goal of
Cache Poisining attack is to poison the cache of the victim by fooling the cache to believe that the page
hijacked using the HTTP splitting is a good one and it is indeed the server's copy.<br>
The attack happens using the HTTP Splitting attack plus adding the <b>Last-Modified:</b> header and setting it<br>
to a future date. This will force the browser to send <b>If-Modified-Since</b> request header, which gives the attacker<br>
The attack happens using the HTTP Splitting attack plus adding the <b>Last-Modified:</b> header and setting it
to a future date. This will force the browser to send <b>If-Modified-Since</b> request header, which gives the attacker
the chance to intercept the server's reply and replace it with a '304 Not Modified' reply. A sample of a 304 response is:<br>
HTTP/1.1 304 Not Modified
HTTP/1.1 304 Not Modified <br>
Date: Fri, 30 Dec 2005 17:32:47 GMT
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.<br>
Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your excercise should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage where you will find the lesson completed if you successfully exploited the attack.
Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your excercise should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage and after stage 2 is exploited successfully you will find the green check in the left menu.
<!-- Stop Instructions -->

2
webgoat/main/project/WebContent/lesson_plans/SilentTransactions.html
View File

@ -13,7 +13,7 @@ Any system that silently processes transactions using a single submission is dan
For example, if a normal web application allows a simple URL submission, a preset session attack will
allow the attacker to complete a transaction without the user<65>s authorization.
In Ajax, it gets worse: the transaction is silent; it happens with no user feedback on the page,
so an injected attack script may be able to steal money from the client without authorization.
so an injected attack script may be able to steal money from the client without authorization.<br>
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->

4
webgoat/main/project/WebContent/webgoat.jsp
View File

@ -51,7 +51,7 @@
<td height="25" valign="bottom"><div align="center"><span class="style1">Documentation Contributer</span></div></td>
</tr>
<tr>
<td><div align="center" class="style2">Sherif Kousa<br /></div>
<td><div align="center" class="style2">Sherif Koussa<br /></div>
</td>
<td><div align="center" class="style2">Robert Sullivan<br />
(http://www.unitedhealthgroup.com/) </div></td>
@ -59,7 +59,7 @@
<tr>
<td><div align="center" class="style2">OWASP Autumn of Code<br />
(http://www.owasp.org/) </div></td>
<td><div align="center" class="style2">Sherif Kousa<br /></div>
<td><div align="center" class="style2">Sherif Koussa<br /></div>
</td>
</tr>
<tr>