sherif.fathy 5e061d5bad Added JSONInjection, SilentTransactions
Modified The install guide

git-svn-id: http://webgoat.googlecode.com/svn/trunk@48 4033779f-a91e-0410-96ef-6bf7bf53c507
2006-12-28 15:35:10 +00:00



<div align="Center">
<p><b>Lesson Plan Title:</b> How to Perform Silent Transaction Attacks. </p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
This lesson teaches how silent transaction attacks are performed and why a single-submission transaction is exposed to them.
<br>
<div align="Left">
<p>
<b>How the attack works:</b>
</p>
Any system that silently processes a transaction on the strength of a single submission is dangerous to the client.
For example, if a web application accepts the transfer as a simple URL submission, a preset session attack
allows the attacker to complete a transaction without the user's authorization.
With Ajax it gets worse: the transaction is silent, completing with no user feedback on the page,
so an injected attack script may be able to move money out of the client's account without the user ever noticing.
</div>
<p><b>General Goal(s):</b> </p>
<!-- Start Instructions -->
* This is a sample internet banking application - the money transfers page.<br>
* Below, it shows your balance, the account you are transferring to and the amount you will transfer.<br>
* The application uses AJAX to submit the transaction after doing some basic client-side validation.<br>
* Your goal is to try to bypass the user's authorization and silently execute the transaction.<br>
<!-- Stop Instructions -->