doc
java
resources
scripts
tomcatconf
webapp
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
English
German
de
en
AccessControlMatrix.html
BackDoors.html
BasicAuthentication.html
BlindSqlInjection.html
BufferOverflow.html
CSRF.html
ChallengeScreen.html
ClientSideFiltering.html
ClientSideValidation.html
CommandInjection.html
ConcurrencyCart.html
CrossSiteScripting.html
CsrfPromptByPass.html
CsrfTokenByPass.html
DBCrossSiteScripting.html
DBSQLInjection.html
DOMInjection.html
DOMXSS.html
DOS_Login.html
DangerousEval.html
Encoding.html
FailOpenAuthentication.html
ForcedBrowsing.html
ForgotPassword.html
HiddenFieldTampering.html
HowToWork.html
HtmlClues.html
HttpBasics.html
HttpOnly.html
HttpSplitting.html
InsecureLogin.html
JSONInjection.html
JavaScriptValidation.html
Lesson_Plan_Template.html
LogSpoofing.html
MultiLevelLogin1.html
MultiLevelLogin2.html
NewLesson.html
PasswordStrength.html
PathBasedAccessControl.html
Phishing.html
ReflectedXSS.html
RemoteAdminFlaw.html
RoleBasedAccessControl.html
SQLInjection.html
SameOriginPolicyProtection.html
SessionFixation.html
SilentTransactions.html
SoapRequest.html
SqlNumericInjection.html
SqlStringInjection.html
StoredXss.html
ThreadSafetyProblem.html
TomcatSetup.html
TraceXSS.html
UncheckedEmail.html
UsefulTools.html
WSDLScanning.html
WeakAuthenticationCookie.html
WeakSessionID.html
WelcomeScreeen.html
WsSAXInjection.html
WsSqlInjection.html
XMLInjection.html
XPATHInjection.html
ru
lesson_solutions
lessons
users
main.jsp
reportBug.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
.classpath
.project
README.txt
build.xml
pom.xml
webgoat for SQL Server.bat
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
6a96547ef0
git-svn-id: http://webgoat.googlecode.com/svn/branches/webgoat-6.0@485 4033779f-a91e-0410-96ef-6bf7bf53c507
35 lines
2.3 KiB
HTML
35 lines
2.3 KiB
HTML
<div align="Center">
|
|
<p><b>Lesson Plan Title:</b> How to Perform HTTP Splitting </p>
|
|
</div>
|
|
|
|
<p><b>Concept / Topic To Teach:</b> </p>
|
|
This lesson teaches how to perform HTTP Splitting attacks.
|
|
<br />
|
|
<div align="Left">
|
|
<p>
|
|
<b>How the attack works:</b>
|
|
</p>
|
|
<p>The attacker passes malicious code to the web server together with normal input.
|
|
A victim application will not be checking for CR (carriage return, also given by %0d or \r)
|
|
and LF (line feed, also given by %0a or \n) characters. These characters not only give attackers control
|
|
of the remaining headers and body of the response the application intends to send,
|
|
but they also allows them to create additional responses entirely under their control.</p>
|
|
<p>The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisoning. The goal of
|
|
Cache Poisoning attack is to poison the cache of the victim by fooling the cache into believing that the page
|
|
hijacked using the HTTP splitting is an authentic version of the server's copy.</p>
|
|
<p>The attack works by using the HTTP Splitting attack plus adding the <b>Last-Modified:</b> header and setting it
|
|
to a future date. This forces the browser to send an incorrect <b>If-Modified-Since</b> request header on future requests.
|
|
Because of this, the server will always report that the (poisoned) page has not changed, and the victim's browser
|
|
will continue to display the attacked version of the page.</p>
|
|
<p>A sample of a 304 response is:
|
|
<blockquote>HTTP/1.1 304 Not Modified <br />
|
|
Date: Fri, 30 Dec 2005 17:32:47 GMT</blockquote>
|
|
</p>
|
|
</div>
|
|
<p><b>General Goal(s):</b> </p>
|
|
<!-- Start Instructions -->
|
|
<p>This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.</p>
|
|
<p>Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) characters to exploit the attack. Your goal should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage. After stage 2 is exploited successfully, you will find the green check in the left menu.</p>
|
|
<!-- Stop Instructions -->
|
|
|