dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed HttpSplitting and CSRF per Bruce's requests

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@57 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
sherif.fathy 2006-12-31 06:32:32 +00:00
parent ae225126ae
commit c469a8b0a1
3 changed files with 53 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
View File

@ -153,7 +153,6 @@ public class CSRF extends LessonAdapter {
for ( int i = 0; results.next(); i++ )
{
A a = ECSFactory.makeLink( results.getString( TITLE_COL ), NUMBER, results.getInt( NUM_COL ) );
String link = "<a href='attack?" + NUMBER + "=" + results.getInt( NUM_COL ) +
"&Screen=" + String.valueOf(getScreenId()) +
"&menu=" + getDefaultCategory().getRanking().toString() +

83
webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
View File

@ -5,6 +5,8 @@ import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.ecs.*;
import org.apache.ecs.html.*;
import org.owasp.webgoat.session.ECSFactory;
@ -55,44 +57,48 @@ public class HttpSplitting extends LessonAdapter {
ec.addElement(createAttackEnvironment(s));
lang = URLDecoder.decode(s.getParser().getRawParameter( LANGUAGE, "" ), "UTF-8") ;
//Check if we are coming from the redirect page
String fromRedirect = s.getParser().getStringParameter ( "fromRedirect" , "");
if ( lang.length() != 0 && fromRedirect.length() != 0 )
{
//Split by the line separator line.separator is platform independant
String lineSep = System.getProperty("line.separator");
String[] arrTokens = lang.toString().toUpperCase().split(lineSep);
//Check if we are coming from the redirect page
String fromRedirect = s.getParser().getStringParameter ( "fromRedirect" , "");
//Check if the user ended the first request and wrote the second malacious reply
if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )
if ( lang.length() != 0 && fromRedirect.length() != 0 )
{
PrintWriter out = new PrintWriter(s.getResponse().getOutputStream());
out.print(lang.substring(lang.indexOf("HTTP/1.1")));
out.flush();
out.close();
//Split by the line separator line.separator is platform independant
String lineSep = System.getProperty("line.separator");
String[] arrTokens = lang.toString().toUpperCase().split(lineSep);
//we gotta set it manually here so that we don't throw an exception
getLessonTracker(s).setCompleted(true);
//makeSuccess( s );
getLessonTracker(s).setStage(2);
StringBuffer msg = new StringBuffer();
msg.append("Good Job! ");
msg.append("This lesson has detected your successfull attack, ");
msg.append("time to elevate your attack to a higher level. ");
msg.append("Try again and add Last-Modified header, intercept");
msg.append("the reply and replace it with a 304 reply.");
s.setMessage(msg.toString());
//Check if the user ended the first request and wrote the second malacious reply
if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 &&
Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 )
{
HttpServletResponse res = s.getResponse();
res.setContentType( "text/html" );
PrintWriter out = new PrintWriter( res.getOutputStream() );
String message = lang.substring(lang.indexOf("<html>"));
out.print(message);
out.flush();
out.close();
//we gotta set it manually here so that we don't throw an exception
getLessonTracker(s).setCompleted(true);
//makeSuccess( s );
getLessonTracker(s).setStage(2);
StringBuffer msg = new StringBuffer();
msg.append("Good Job! ");
msg.append("This lesson has detected your successfull attack, ");
msg.append("time to elevate your attack to a higher level. ");
msg.append("Try again and add Last-Modified header, intercept");
msg.append("the reply and replace it with a 304 reply.");
s.setMessage(msg.toString());
}
}
}
}
catch (Exception e)
{
s.setMessage( "Error generating " + this.getClass().getName() );
@ -120,6 +126,14 @@ public class HttpSplitting extends LessonAdapter {
ElementContainer ec = new ElementContainer();
String lang = null;
if (getLessonTracker(s).getStage() == 1)
{
ec.addElement( new H3( "Stage 1: HTTP Splitting:<br>" ) );
}
else
{
ec.addElement( new H3( "Stage 2: Cache Poisoning:<br>" ) );
}
ec.addElement( new StringElement( "Search by country : " ) );
lang = URLDecoder.decode(s.getParser().getRawParameter( LANGUAGE, "" ), "UTF-8") ;
@ -187,12 +201,17 @@ public class HttpSplitting extends LessonAdapter {
protected List getHints()
{
List<String> hints = new ArrayList<String>();
hints.add( "Enter a language for the system to search by." );
hints.add( "Use CR (%0d) and LF (%0a) for a new line" );
hints.add( "The Content-Length: 0 will tell the server that the first request is over." );
hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" );
hints.add( "Try: language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;" );
hints.add( "Cache Poisoning starts with including 'Last-Modified' header in the hijacked page and setting it to a future date." );
hints.add( "Try language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a&lt;html&gt;Insert undesireable content here&lt;/html&gt;" );
hints.add( "'Last-Modified' header forces the browser to send a 'If-Modified-Since' header. Some cache servers will take the bait and keep serving the hijacked page");
hints.add( "Try to intercept the reply and add HTTP/1.1 304 Not Modified0d%0aDate:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT");
return hints;
}

10
webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html
View File

@ -23,15 +23,9 @@ the chance to intercept the server's reply and replace it with a '304 Not Modifi
HTTP/1.1 304 Not Modified
Date: Fri, 30 Dec 2005 17:32:47 GMT
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
* Enter a language for the system to search by.<br>
* You notice that the application is redirecting your request to another resource on the server.<br>
* You should be able to use the CR (%0d) and LF (%0a) to exploit the attack.<br>
* Your excercise should be to force the server to send a 200 OK. <br>
* If the screen changed as an effect to your attack, just go back to the homepage where you will find the lesson completed if you successfully exploited the attack.
This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.<br>
Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your excercise should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage where you will find the lesson completed if you successfully exploited the attack.
<!-- Stop Instructions -->