dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Build cleanup in order to create a complete developer distribution. More menu cleanup

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@217 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
mayhew64
2008-01-03 21:09:17 +00:00
parent f6e0cb7ed0
commit 23e7fe1f4f
9 changed files with 88 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
View File

@ -1,9 +1,25 @@
<div align="Center">
<p><b>Lesson Plan Title:</b> HttpOnly Test</p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<p><b>Concept / Topic To Teach:</b></p>
<!-- Start Instructions -->
To help mitigate the cross site scripting threat, Microsoft has introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly.
<p><b>General Goal(s):</b> </p>
The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly, and you enable it for a cookie, client side code should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. Some browsers only prevent client side read access, but don't prevent write access.
To help mitigate the cross site scripting threat, Microsoft has
introduced a new cookie attribute entitled 'HttpOnly.' If this flag is
set, then the browser should not allow client-side script to access the
cookie. Since the attribute is relatively new, several browsers neglect
to handle the new attribute properly.
<p><b>General Goal(s):</b></p>
The purpose of this lesson is to test whether your browser supports the
HTTPOnly cookie flag. Note the value of the
<strong>unique2u</strong>
cookie. If your browser supports HTTPOnly, and you enable it for a
cookie, client side code should NOT be able to read OR write to that
cookie, but the browser can still send its value to the server. Some
browsers only prevent client side read access, but don't prevent write
access.
<br />
<br />
With the HTTPOnly attribute turned on, type
"javascript:alert(document.cookie)" in the browser address bar. Notice
all cookies are displayed except the unique2u cookie.
<!-- Stop Instructions -->