From 1d67443b227aebb3cf26544b611d55659dc8e2d4 Mon Sep 17 00:00:00 2001 From: "sherif.fathy" Date: Fri, 22 Dec 2006 00:20:31 +0000 Subject: [PATCH] Removed some commented code and added more description to the HTTP Splitting lesson git-svn-id: http://webgoat.googlecode.com/svn/trunk@38 4033779f-a91e-0410-96ef-6bf7bf53c507 --- .../org/owasp/webgoat/lessons/HttpSplitting.java | 3 --- .../org/owasp/webgoat/lessons/XMLInjection.java | 11 ----------- .../WebContent/lesson_plans/HttpSplitting.html | 1 + 3 files changed, 1 insertion(+), 14 deletions(-) diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java index ca612fc88..a064f77b8 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java @@ -83,9 +83,6 @@ public class HttpSplitting extends LessonAdapter { { try { - //ec.addElement("HTTP/1.1 200 OK" + System.getProperty("line.separator") + "test"); - //s.getResponse().setContentType("text/html"); - //s.getResponse().setHeader("Cache-Control", "no-cache"); PrintWriter out = new PrintWriter(s.getResponse().getOutputStream()); out.print(lang.substring(lang.indexOf("HTTP/1.1"))); out.flush(); diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java index 60e031a8f..834d24142 100644 --- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java +++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/XMLInjection.java @@ -11,7 +11,6 @@ import org.apache.ecs.html.Form; import org.apache.ecs.html.H1; import org.apache.ecs.html.Input; import org.apache.ecs.html.TD; -import org.apache.ecs.html.TH; import org.apache.ecs.html.TR; import org.apache.ecs.html.Table; import org.apache.ecs.html.Div; @@ -102,17 +101,7 @@ public class XMLInjection extends LessonAdapter { " }" + lineSep + " strHTML = '' + strHTML + '
';" + lineSep + " rewardsDiv.innerHTML = strHTML;"+ lineSep + - //" if (rewards.childNodes.length>3){" + lineSep + - //" makeSuccess();" + lineSep + - //" }" + lineSep + " }}}" + lineSep + - //"function makeSuccess(){" + lineSep + - //"var url = '/WebGoat/attack?Screen=" + String.valueOf(getScreenId()) + - //"&menu=" + getDefaultCategory().getRanking().toString() + - //"&from=ajax&done=yes';" + lineSep + - //" req.open('GET', url, true);" + lineSep + - //" req.send(null);" + lineSep + - //"}" + lineSep + "" + lineSep; if (!isDone) diff --git a/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html b/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html index 755a6b40f..404d14bc5 100644 --- a/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html +++ b/ webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html @@ -21,4 +21,5 @@ but also allows them to create additional responses entirely under their control * You notice that the application is redirecting your request to another resource on the server.
* You should be able to use the CR (%0d) and LF (%0a) to exploit the attack.
* Your excercise should be to force the server to send a 200 OK. +* If the screen changed as an effect to your attack, just go back to the homepage where you will find the lesson completed if you successfully exploited the attack.