dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
webgoat
main
project
JavaSource
WebContent
META-INF
WEB-INF
css
database
images
javascript
lesson_plans
AccessControlMatrix.html
BackDoors.html
BasicAuthentication.html
BlindSqlInjection.html
BufferOverflow.html
CSRF.html
ChallengeScreen.html
CommandInjection.html
CrossSiteScripting.html
DBCrossSiteScripting.html
DBSQLInjection.html
DOMInjection.html
DOS_Login.html
Encoding.html
FailOpenAuthentication.html
ForcedBrowsing.html
ForgotPassword.html
HiddenFieldTampering.html
HtmlClues.html
HttpBasics.html
HttpOnly.html
HttpSplitting.html
JSONInjection.html
JavaScriptValidation.html
Lesson_Plan_Template.html
LogSpoofing.html
NewLesson.html
PathBasedAccessControl.html
ReflectedXSS.html
RemoteAdminFlaw.html
RoleBasedAccessControl.html
SilentTransactions.html
SoapRequest.html
SqlNumericInjection.html
SqlStringInjection.html
StoredXss.html
ThreadSafetyProblem.html
TraceXSS.html
UncheckedEmail.html
WSDLScanning.html
WeakAuthenticationCookie.html
WeakSessionID.html
WelcomeScreeen.html
WsSAXInjection.html
WsSqlInjection.html
XMLInjection.html
XPATHInjection.html
lesson_template
lessons
users
main.jsp
sideWindow.jsp
webgoat.jsp
webgoat_challenge.jsp
doc
build.xml
HOW TO create the WebGoat workspace.txt
WAR Installation Instructions.txt
build.xml
eclipse.bat
readme.txt
webgoat.bat
webgoat.sh
webgoat_8080.bat
webscarab.bat
7af27f7d1bf948acaa8fed782d4d25b4cb4291c0
WebGoat/ webgoat/main/project/WebContent/lesson_plans/HttpOnly.html
mayhew64 98949c00d8 Moved remotely 
git-svn-id: http://webgoat.googlecode.com/svn/trunk@15 4033779f-a91e-0410-96ef-6bf7bf53c507
2006-09-30 13:41:26 +00:00

9 lines
936 B
HTML
Raw Blame History

<div align="Center">
<p><b>Lesson Plan Title:</b> HttpOnly Test</p>
</div>
<p><b>Concept / Topic To Teach:</b> </p>
<!-- Start Instructions -->
To help mitigate the cross site scripting threat, Microsoft has introduced a new cookie attribute entitled 'HttpOnly.' If this flag is set, then the browser should not allow client-side script to access the cookie. Since the attribute is relatively new, several browsers neglect to handle the new attribute properly.
<p><b>General Goal(s):</b> </p>
The purpose of this lesson is to test whether your browser supports the HTTPOnly cookie flag. Note the value of the unique2u cookie. If your browser supports HTTPOnly, and you enable it for a cookie, client side code should NOT be able to read OR write to that cookie, but the browser can still send its value to the server. Some browsers only prevent client side read access, but don't prevent write access.
<!-- Stop Instructions -->
Reference in New Issue View Git Blame Copy Permalink