Friday, July 29, 2011

WebGoat - HTTP Response Splitting

The application didn't filter "\r" (CR; %0D) and "\n" (LF; %0A) from user input that is later placed into an HTTP header.

Vulnerable HTTP Code:
3xx (Redirection)

Vulnerable HTTP Header:
"Set-Cookie" and "Location".

Based on RFC 2616, each HTTP header needs to be followed by CRLF. In other words, CRLF can be used to create a new HTTP header. If an attacker can inject CRLF into an HTTP header from user input, this gives the attacker a chance to perform further attacks (such as cache poisoning, web page defacement, etc.).
There is a pretty good explanation on the Internet [1] and a whitepaper [2]. [Listed in References]

Example in WebGoat 5.3 (Web Page Defacement):

The expected parameter value is "en". The constructed parameter is as follows:

en                                          // add CRLF after "en"
Content-length: 0

HTTP/1.1 200 OK                             // here is the new response created by the attacker
Content-Type: text/html
Content-length: 33

<html>Hacked by F4l13n5n0w</html>           // page defacement content

The first part ("en", CRLF, "Content-length: 0" and a blank line) terminates the original 302 response with an empty body; the second part, starting at "HTTP/1.1 200 OK", is the malicious HTTP response created by the attacker.

Use URL-encoding and replace %0A with %0D%0A; the result is as follows:

the encoder website:

This vulnerability was fixed by the Tomcat team in Tomcat 6.0.18, revision 673834, against CVE-2008-1232.

That's why we can't play with it on the OWASPBWA server...
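As an added example (not code from the original post or from WebGoat/Tomcat), here is a small Python model of the vulnerable 302 redirect described above, the two fixes (validate at the container level, percent-encode at the application level), and a check that counts how many responses a downstream parser would see. The path /WebGoat/attack and the parameter name "language" are assumed.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"

# Constructed payload following the post's example: terminate the 302 with
# "Content-length: 0", then append a complete attacker-authored response.
PAYLOAD = (
    "en" + CRLF + "Content-length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-length: 33" + CRLF + CRLF
    + "<html>Hacked by F4l13n5n0w</html>"
)


def build_redirect_unsafe(lang):
    # Vulnerable pattern: the raw parameter is concatenated into the Location
    # header, so CR/LF inside it starts new headers and even a new response.
    # (The /WebGoat/attack path and "language" parameter name are assumed.)
    return (f"HTTP/1.1 302 Found{CRLF}"
            f"Location: /WebGoat/attack?language={lang}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")


class HeaderInjectionError(ValueError):
    pass


def validate_header_value(value):
    # Container-level fix (what a servlet engine should do): refuse any header
    # value carrying CR, LF or NUL instead of writing it to the wire.
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjectionError("CR/LF not allowed in a header value")
    return value


def build_redirect_safe(lang):
    # Application-level fix: percent-encode the value before it goes into the
    # URL, so CRLF becomes %0D%0A and stays inside the Location header.
    return (f"HTTP/1.1 302 Found{CRLF}"
            f"Location: /WebGoat/attack?language={quote(lang, safe='')}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")


def count_responses(raw):
    # Number of status lines a proxy, cache or browser would find in the
    # stream; anything above 1 means the response was split.
    return len(re.findall(r"^HTTP/1\.[01] \d{3} ", raw, flags=re.MULTILINE))
```

Running count_responses over the unsafe and safe builders with PAYLOAD gives 2 and 1 respectively, which is the difference between a defaced page and a harmless redirect.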


Monday, July 25, 2011

Web App Pen-testing Learning

Learning LAB:
OWASP Broken Web Applications Project

Intentionally Vulnerable Applications:
  • OWASP WebGoat version 5.3.x (Java)
  • OWASP Vicnum version 1.4 (PHP/Perl)
  • Mutillidae version 1.5 (PHP)
  • Damn Vulnerable Web Application version 1.07.x (PHP)
  • Ghost (PHP)
  • Peruggia version 1.2 (PHP)
  • OWASP CSRFGuard Test Application version 2.2 (Java)
  • OWASP AppSensor Demo Application (Java)
  • Mandiant Struts Forms (Java/Struts)
  • Simple ASP.NET Forms (ASP.NET/C#)
  • Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
Old Versions of Real Applications:
  • WordPress 2.0.0 (PHP, released December 31, 2005, downloaded from
  • phpBB 2.0.0 (PHP, released April 4, 2002, downloaded from
  • Yazd version 1.0 (Java, released February 20, 2002)
  • gtd-php version 0.7 (PHP, released September 30, 2006)
  • OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
  • GetBoo version 1.04 (PHP, released April 7, 2008)

Project download:

Download and unzip it, then run it in VMware Player/Workstation.
The main page: