When I attempt the DOM injection exercise in WebGoat Ajax Security section I get a 408 Request Time-out response. What I've done is type a character in the WebGoat textbox and intercept the response with ZAP. I then, using ZAP, replace the body of the response with document.forms[0].submit.disabled=false; The WebGoat application contains eval() and I had expected that eval would process my code to enable a disabled button on the application's page - which is the point of the exercise. All I get back in ZAP is the timeout response.

Any help appreciated. Thanks.

P.S. For those who might not know, WebGoat is a deliberately insecure system from OWASP, the purpose of which is to learn security vulnerabilities with a view to hardening working applications against such vulnerabilities. I know that the vulnerability in the exercise in question is eval(), yet the Tomcat server in the WebGoat suite times out, preventing the predicted demonstration of an eval() vulnerability.
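The pattern the exercise is built around, as an added example that is not WebGoat's code and not the poster's: a client-side handler that passes the body of an AJAX response to eval(), shown next to a hardened handler that treats the body as data. The DOM is replaced by a small stand-in object so the code runs under Node; freshPage, applyResponseUnsafe, applyResponseSafe, compareHandlers and the submitEnabled field are names constructed for this example, not anything from WebGoat.

```javascript
// Added example (not WebGoat's or the poster's code): the eval()-on-response pattern
// the exercise targets, beside a hardened handler. A tiny stand-in object replaces the
// browser DOM so the example runs under Node.

// Constructed stand-in for the page state the exercise touches: one form whose submit
// button starts out disabled. Each handler gets a fresh copy so runs are independent.
function freshPage() {
  return { forms: [{ submit: { disabled: true } }] };
}

// Vulnerable handler (the pattern under discussion): the response body is handed to
// eval(), so whatever text arrives over the wire runs as JavaScript with access to the
// page's objects. Returns the button's disabled flag afterwards.
function applyResponseUnsafe(responseBody) {
  const document = freshPage();        // in a browser this would be the real DOM
  try {
    eval(responseBody);                // response text executed as code
  } catch (e) {
    // A body that is not valid JavaScript (e.g. a bare JSON object literal) throws a
    // SyntaxError; the page is left as it was.
  }
  return document.forms[0].submit.disabled;
}

// Hardened handler: the response is data, not code. Parse it strictly as JSON, accept
// only the one field the page expects with the type it expects, and set the DOM
// property directly. Anything else is ignored and the button keeps its current state.
function applyResponseSafe(responseBody) {
  const document = freshPage();
  let data;
  try {
    data = JSON.parse(responseBody);
  } catch (e) {
    return document.forms[0].submit.disabled;   // not JSON: leave the page untouched
  }
  if (data === null || typeof data !== 'object' || typeof data.submitEnabled !== 'boolean') {
    return document.forms[0].submit.disabled;   // unexpected shape: leave the page untouched
  }
  document.forms[0].submit.disabled = !data.submitEnabled;
  return document.forms[0].submit.disabled;
}

// Constructed sample bodies: the statement from the question, an empty body, the JSON
// the hardened page expects, and a JSON value of the wrong type.
const SAMPLE_BODIES = {
  injected: 'document.forms[0].submit.disabled=false;',
  empty: '',
  legitimate: '{"submitEnabled":true}',
  wrongType: '{"submitEnabled":"yes"}',
};

// Run every sample through both handlers; returns the resulting disabled flag for each.
function compareHandlers() {
  const result = {};
  for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
    result[name] = { unsafe: applyResponseUnsafe(body), safe: applyResponseSafe(body) };
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareHandlers());
}
```

Run it with node and compare the two columns: the eval() handler lets the injected statement flip the button to enabled, while the JSON handler leaves it disabled for that body and only enables the button for the one well-typed field it expects. The body is whatever the client receives, which is exactly why an intercepting proxy such as ZAP can alter it; the mitigation is never to execute transport data, only to parse and validate it.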