dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WebGoat/main/project/WebContent/lesson_plans/English/HttpSplitting.html
mjawurek 1dc6c799a7 A first attempt at internationalization of WebGoat. For complete internationalization WebGoat needs two things: 
1. Every text passage/label that appears in lessons must independent of the current language set for WebGoat.
2. Every lesson plan and solutions must be translated for each supported language.
Number 1 is achieved by using webgoat/util/WebgoatI18N.java and by having every output routed through this piece of code. You no longer say hints.add("Lesson Hint 1"); or ....addElement("Shopping Cart")) but you in the lesson you say hints.add(WebGoatI18N.get("Lesson Hint1")) or ....addElement(WebGoatI18N.get("Shopping Cart"). Then WebGoatI18N looks up the corresponding string for the language set as the current lanuage and returns it.
Number 2 is achieved by having subdirectories in lesson_plans corresponding to every language. That means, a lesson that has been translated to Spanish and German will be found in lesson_plans/English and lesson_plans/Spanish and lesson_plans/German.

This is how WebGoat finds out about available languages: in Course.java in loadResources() it looks for lesson plans.
Unlike before, now a lesson plan can be found multiple times in different "language" directories. So for every directory the lesson plan is found in, WebGoat associates this language with the lesson and also lets WebGoatI18N load the appropriate WebGoatLabels_$LANGAUGE$.properties file which contains the translations of labels.
So this is what you have to do for a new language:
First of all, you have to copy and translate every lesson plan that you need in the new language, and then you also have to create a WebGoatLabels_$LANGUAGE$.properties file with that labels that will be used in these lessons. Atm WebGoat crashes throws an exception when a label is missing but this can be sorted out quickly. 

git-svn-id: http://webgoat.googlecode.com/svn/trunk/webgoat@389 4033779f-a91e-0410-96ef-6bf7bf53c507
2009-10-26 15:58:15 +00:00

35 lines
2.3 KiB
HTML
Raw Blame History

<div align="Center">
<p><b>Lesson Plan Title:</b> How to Perform HTTP Splitting </p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
This lesson teaches how to perform HTTP Splitting attacks.
<br />
<div align="Left">
<p>
<b>How the attack works:</b>
</p>
<p>The attacker passes malicious code to the web server together with normal input.
A victim application will not be checking for CR (carriage return, also given by %0d or \r)
and LF (line feed, also given by %0a or \n) characters. These characters not only give attackers control
of the remaining headers and body of the response the application intends to send,
but they also allows them to create additional responses entirely under their control.</p>
<p>The effect of an HTTP Splitting attack is maximized when accompanied with a Cache Poisoning. The goal of
Cache Poisoning attack is to poison the cache of the victim by fooling the cache into believing that the page
hijacked using the HTTP splitting is an authentic version of the server's copy.</p>
<p>The attack works by using the HTTP Splitting attack plus adding the <b>Last-Modified:</b> header and setting it
to a future date. This forces the browser to send an incorrect <b>If-Modified-Since</b> request header on future requests.
Because of this, the server will always report that the (poisoned) page has not changed, and the victim's browser
will continue to display the attacked version of the page.</p>
<p>A sample of a 304 response is:
<blockquote>HTTP/1.1 304 Not Modified <br />
Date: Fri, 30 Dec 2005 17:32:47 GMT</blockquote>
</p>
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
<p>This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.</p>
<p>Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) characters to exploit the attack. Your goal should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage. After stage 2 is exploited successfully, you will find the green check in the left menu.</p>
<!-- Stop Instructions -->
Reference in New Issue View Git Blame Copy Permalink