WebGoat（一）——HTTPSplitting（Http拆分攻击）

题目：This lesson has two stages. Stage 1 teaches you how to do HTTP Splitting attacks while stage 2 builds on that to teach you how to elevate HTTP Splitting to Cache Poisoning.Enter a language for the system to search by. You will notice that the application is redirecting your request to another resource on the server. You should be able to use the CR (%0d) and LF (%0a) to exploit the attack. Your exercise should be to force the server to send a 200 OK. If the screen changed as an effect to your attack, just go back to the homepage and after stage 2 is exploited successfully you will find the green check in the left menu.
这节课分为两个步骤，第一个步骤教你如何进行Http拆分攻击，第二个步骤教你如何利用Http拆分结合缓存毒化。输入一种语言，你会发现应用重定向你的请求至服务器中的另一个资源。你应当能够使用换行和回车来实现这次攻击。你的练习需要使服务器返回200 OK的信息。若你的攻击奏效使屏幕发生改变，返回主页面即可。步骤二也完成之后，你会发现左边菜单栏中出现绿色对勾的符号。
一、原理
攻击者在向 Web 服务器正常输入的请求中加入恶意代码，受到攻击的应用不会检查CR（回车，也可表示为%0d或\r）和LF（换行，也可表示为%0a或\n）。这些字符不仅使攻击者控制应用程序打算发送的响应头和响应体，而且还使他们能够完全在其