- Added HTTP lesson together with its lesson plan and goals.

- Files added:
   HttpSplitting.html
   HttpSplitting.java
   redirect.jsp
- Files Changed:
   webgoat-class.properties
   webgoat-lmc.properties

git-svn-id: http://webgoat.googlecode.com/svn/trunk@23 4033779f-a91e-0410-96ef-6bf7bf53c507

webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java

@@ -0,0 +1,116 @@
+package org.owasp.webgoat.lessons;
+import java.util.*;
+import java.net.URLDecoder;
+import java.io.UnsupportedEncodingException;
+
+import org.apache.ecs.*;
+import org.apache.ecs.html.*;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+
+/**
+ *  Copyright (c) 2002 Free Software Foundation developed under the 
+ *  custody of the Open Web Application Security Project 
+ *  (http://www.owasp.org) This software package is published by OWASP
+ *  under the GPL. You should read and accept the LICENSE before you 
+ *  use, modify and/or redistribute this software.
+ *
+ * @author     sherif@macadamian.com
+ * @created    September 30, 2006
+ */
+
+public class HttpSplitting extends LessonAdapter {
+	
+	private final static String URL = "url";
+	/**
+	 * Description of the Method
+	 * 
+	 * @param s Description of the Parameter
+	 */
+	public void handleRequest( WebSession s )
+	{
+		// call createContent first so messages will go somewhere
+
+		Form form = new Form( "/WebGoat/lessons/General/redirect.jsp?" +
+				        "Screen=" + String.valueOf(getScreenId()) +
+				        "&menu=" + getDefaultCategory().getRanking().toString()
+				        , Form.POST ).setName( "form" ).setEncType( "" );
+
+		form.addElement( createContent( s ) );
+
+        setContent(form);
+	}
+	
+	protected Element createContent(WebSession s)
+	{
+		ElementContainer ec = new ElementContainer();
+		StringBuffer url = null;
+		
+		try
+		{
+			ec.addElement( new StringElement( "Search by country : " ) );
+
+			url = new StringBuffer( s.getParser().getStringParameter( URL, "" ) );
+			
+			Input input = new Input( Input.TEXT, URL, url.toString() );
+			ec.addElement( input );
+	
+			Element b = ECSFactory.makeButton( "Go!" );
+			
+			ec.addElement( b );
+						
+		}
+		catch (Exception e)
+		{
+			s.setMessage( "Error generating " + this.getClass().getName() );
+			e.printStackTrace();
+		}
+		
+		String fromRedirect = s.getParser().getStringParameter ( "fromRedirect" , "");
+		if ( url.length() != 0 && fromRedirect.length() != 0 )
+		{	
+			String[] arrTokens = url.toString().split(System.getProperty("line.separator"));
+			if (Arrays.binarySearch(arrTokens, "Content-Length: 0") >= 0 &&
+					Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )	
+			{	
+				makeSuccess( s );
+			}
+		}
+		return ( ec );	
+	}
+
+	public Category getCategory()
+	{
+		return LessonAdapter.GENERAL;
+	}
+
+	protected List getHints()
+	{
+		List hints = new ArrayList();
+		hints.add( "Enter a language for the system to search by." );
+		hints.add( "Use CR (%0d) and LF (%0a) for a new line" );
+		hints.add( "The Content-Length: 0 will tell the server that the first request is over." );
+		hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" );
+
+		return hints;
+		
+	}
+
+	private final static Integer DEFAULT_RANKING = new Integer(10);
+
+	protected Integer getDefaultRanking()
+	{
+		return DEFAULT_RANKING;
+	}
+
+	/**
+	 *  Gets the title attribute of the HelloScreen object
+	 *
+	 * @return    The title value
+	 */
+	public String getTitle()
+	{
+		return ( "HTTP Splitting" );
+	}
+
+}

webgoat/main/project/WebContent/WEB-INF/webgoat-class.properties

@@ -1,6 +1,7 @@
 category.General.ranking=11
 lesson.HttpBasics.ranking=10
-lesson.ThreadSafetyProblem.ranking=20
+lesson.HttpSplitting.ranking=20
+lesson.ThreadSafetyProblem.ranking=30
 
 category.Broken\ Authentication\ and\ Session\ Management.ranking=21
 lesson.BasicAuthentication.ranking=10

webgoat/main/project/WebContent/WEB-INF/webgoat-lmc.properties

@@ -1,6 +1,7 @@
 category.General.ranking=11
 lesson.HttpBasics.ranking=10
-lesson.ThreadSafetyProblem.ranking=20
+lesson.HttpSplitting.ranking=20
+lesson.ThreadSafetyProblem.ranking=30
 
 category.Broken\ Authentication\ and\ Session\ Management.ranking=21
 lesson.BasicAuthentication.ranking=10

webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html

@@ -0,0 +1,24 @@
+<div align="Center"> 
+<p><b>Lesson Plan Title:</b> Http Splitting </p>
+ </div>
+ 
+<p><b>Concept / Topic To Teach:</b> </p>
+ This lesson teaches how to perform HTPP Splitting attacks.
+ <br> 
+<div align="Left"> 
+<p>
+<b>How the attacks works:</b>
+</p>
+The attacker passes malacious code to the web server together with normal input. 
+A victim application will not be checking for CR (carriage return, also given by %0d or \r) 
+and LF (line feed, also given by %0a or \n)characters. These characters not only give attackers control 
+of the remaining headers and body of the response the application intends to send, 
+but also allows them to create additional responses entirely under their control
+</div>
+<p><b>General Goal(s):</b> </p>
+<!-- Start Instructions -->
+* Enter a language for the system to search by.<br> 
+* You notice that the application is redirecting your request to another resource on the server.<br>
+* You should be able to use the CR (%0d) and LF (%0a) to exploit the attack.<br>
+* Your excercise should be to force the server to send a 200 OK. 
+<!-- Stop Instructions -->

webgoat/main/project/WebContent/lessons/General/redirect.jsp

@@ -0,0 +1,16 @@
+<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
+    pageEncoding="ISO-8859-1"%>
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>HTTP Splitting</title>
+</head>
+<body>
+<% response.sendRedirect("/WebGoat/attack?" +
+		        "Screen=" + request.getParameter("Screen") +
+		        "&menu=" + request.getParameter("menu") +
+		        "&fromRedirect=yes&url=" + request.getParameter("url")); 
+%>
+</body>
+</html>