dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed HttpSplitting and CSRF per Bruce's requests

Browse Source 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@57 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
sherif.fathy
2006-12-31 06:32:32 +00:00
parent ae225126ae
commit c469a8b0a1
3 changed files with 53 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
webgoat/main/project/WebContent/lesson_plans/HttpSplitting.html
View File

@ -23,15 +23,9 @@ the chance to intercept the server's reply and replace it with a '304 Not Modifi
HTTP/1.1 304 Not Modified
Date: Fri, 30 Dec 2005 17:32:47 GMT
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
* Enter a language for the system to search by.<br>
* You notice that the application is redirecting your request to another resource on the server.<br>
* You should be able to use the CR (%0d) and LF (%0a) to exploit the attack.<br>
* Your excercise should be to force the server to send a 200 OK. <br>
* If the screen changed as an effect to your attack, just go back to the homepage where you will find the lesson completed if you successfully exploited the attack.
This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.<br>
Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your excercise should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage where you will find the lesson completed if you successfully exploited the attack.
<!-- Stop Instructions -->