Removed space from " webgoat" directory name
git-svn-id: http://webgoat.googlecode.com/svn/trunk@272 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
@ -0,0 +1,24 @@
|
||||
<div align="Center">
|
||||
<p><b>Lesson Plan Title:</b> How to Perform Silent Transactions Attacks. </p>
|
||||
</div>
|
||||
|
||||
<p><b>Concept / Topic To Teach:</b> </p>
|
||||
This lesson teaches how to perform silent transactions attacks.
|
||||
<br>
|
||||
<div align="Left">
|
||||
<p>
|
||||
<b>How the attacks works:</b>
|
||||
</p>
|
||||
Any system that silently processes transactions using a single submission is dangerous to the client.
|
||||
For example, if a normal web application allows a simple URL submission, a preset session attack will
|
||||
allow the attacker to complete a transaction without the user<65>s authorization.
|
||||
In Ajax, it gets worse: the transaction is silent; it happens with no user feedback on the page,
|
||||
so an injected attack script may be able to steal money from the client without authorization.<br>
|
||||
</div>
|
||||
<p><b>General Goal(s):</b> </p>
|
||||
<!-- Start Instructions -->
|
||||
* This is a sample internet banking application - money transfer page.<br>
|
||||
* It shows below your balance, the account you are transferring to and amount you will transfer.<br>
|
||||
* The application uses AJAX to submit the transaction after doing some basic client side validations.<br>
|
||||
* Your goal is to try to bypass the user's authorization and silently execute the transaction.<br>
|
||||
<!-- Stop Instructions -->
|
Reference in New Issue
Block a user