
Commit d8b6deb

Issue 42
git-svn-id: http://webgoat.googlecode.com/svn/trunk@470 4033779f-a91e-0410-96ef-6bf7bf53c507
1 parent 6d4476d commit d8b6deb


1 file changed

+13
-19
lines changed

1 file changed

+13
-19
lines changed

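--- a/webgoat/src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java
+++ b/webgoat/src/main/java/org/owasp/webgoat/lessons/HttpSplitting.java
@@ -65,7 +65,7 @@ public void handleRequest(WebSession s)
 // Setting a special action to be able to submit to redirect.jsp
 Form form = new Form(s.getRequest().getContextPath() + "/lessons/General/redirect.jsp?" + "Screen=" + String.valueOf(getScreenId())
 + "&menu=" + getDefaultCategory().getRanking().toString(), Form.POST).setName("form").setEncType("");
-
+
 form.addElement(createContent(s));
 
 setContent(form);
@@ -86,25 +86,15 @@ protected Element doHTTPSplitting(WebSession s)
 
 if (lang.length() != 0 && fromRedirect.length() != 0)
 {
-// Split by the line separator line.separator is platform independant
-String lineSep = System.getProperty("line.separator");
-String[] arrTokens = lang.toString().toUpperCase().split(lineSep);
-
-// Check if the user ended the first request and wrote the second malacious reply
+
+
+String[] arrTokens = lang.toString().toUpperCase().split("\r\n");
 
-if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0
-&& Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0)
+// Check if the user ended the first request and wrote the second malicious reply
+if (arrTokens.length > 1)
 {
 HttpServletResponse res = s.getResponse();
 res.setContentType("text/html");
-PrintWriter out = new PrintWriter(res.getOutputStream());
-String message = lang.substring(lang.indexOf("<html>"));
-
-out.print(message);
-out.flush();
-out.close();
-
-getLessonTracker(s).setStage(2);
 
 StringBuffer msg = new StringBuffer();
 
@@ -115,6 +105,10 @@ protected Element doHTTPSplitting(WebSession s)
 msg.append("the reply and replace it with a 304 reply.");
 
 s.setMessage(msg.toString());
+getLessonTracker(s).setStage(2);
+
+
+//makeSuccess(s);
 
 }
 }
@@ -189,11 +183,11 @@ protected Element doCachePoisining(WebSession s) throws Exception
 String fromRedirect = s.getParser().getStringParameter(REDIRECT, "");
 
 if (lang.length() != 0 && fromRedirect.length() != 0)
-{
-String lineSep = System.getProperty("line.separator");
+{
+String lineSep = "\r\n";
 String dateStr = lang.substring(lang.indexOf("Last-Modified:") + "Last-Modified:".length(), lang
 .indexOf(lineSep, lang.indexOf("Last-Modified:")));
-if (dateStr.length() != 0)
+if (dateStr.length() > 0)
 {
 Calendar cal = Calendar.getInstance();
 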
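Review bot: In doHTTPSplitting the new stage test `if (arrTokens.length > 1)` passes for any `lang` value that contains a single CRLF, so the lesson advances to stage 2 without checking the two header lines the removed condition looked for. The old `Arrays.binarySearch` calls were unreliable on an unsorted array, but a linear test would keep the intent: `List<String> tokens = Arrays.asList(arrTokens);` then `if (tokens.contains("CONTENT-LENGTH: 0") && tokens.contains("HTTP/1.1 200 OK"))`; if the relaxation is deliberate, a comment should say so. With only the length checked, `toUpperCase()` no longer affects the result, and the commented-out `//makeSuccess(s);` should be removed or explained. In doCachePoisining, hard-coding `"\r\n"` means a `Last-Modified:` value that is absent or ends in a bare `\n` leaves an `indexOf` at -1 and the unchanged `substring` call throws; checking both indexes before `substring` would turn that into a normal "not solved" path. Both method bodies start and end outside the hunks shown.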
