[Owasp-cincinnati] WebGoat HTTP Splitting Attack Question

Zhou, Yan yzhou at medplus.com
Mon Jul 21 16:49:56 EDT 2008

Thanks Marco for the documentation, I enjoyed reading the white paper in

After debugging through WebGoat, I seem to understand a little better
how the HTTP Splitting lesson is implemented. 

WebGoat does decode the input parameter (which I used %0d%0f for CRLF).
But WebScarab does not decode them, so it reads like %0d%0f on screen
rather than a new line. 

In addition, the HTTP Splitting lesson is designed to look for the
<html> tag in the injected parameter and display everything after it so
that the user gets the sense of it. 

But in the real world, an attacker would issue two requests, with the
2nd request gets matched by the injected response, thus creating an
opportunity to poison the cache. 


Confidentiality Notice: The information contained in this electronic transmission is confidential and may be legally privileged. It is intended only for the addressee(s) named above. If you are not an intended recipient, be aware that any disclosure, copying, distribution or use of the information contained in this transmission is prohibited and may be unlawful. If you have received this transmission in error, please notify us by telephone (513) 229-5500 or by email (postmaster at MedPlus.com). After replying, please erase it from your computer system.

More information about the Owasp-cincinnati mailing list