WAF Testing Framework
Benchmark Results
Table of Contents
- Methodology
- Summary Charts
- False Negatives
- False Positives
Methodology
This report details the results of running the Web Application Firewall Testing Framework by
Imperva against a Web Application Firewall (WAF) of your choice. These results can be used to
improve the effectiveness of your WAF by tuning its policies to reduce the number of false positives
and false negatives documented in this report. Unlike other WAF testing tools that focus exclusively
on generating attack traffic, the Web Application Firewall Testing Framework generates both attack
traffic and legitimate traffic. This approach makes it possible to test the ability of a WAF to detect
malicious traffic and also to DISTINGUISH malicious traffic from good traffic. It provides a REAL
WORLD testing scenario in which the WAF must block attack traffic and avoid blocking good traffic
(i.e., generating false positives).
Attacks and Evasion Techniques
The following attack and evasion techniques are included in testing:
- SQL Injection: a technique that takes advantage of non-validated input vulnerabilities to pass SQL
commands through a Web application for execution by a back-end database. Attackers exploit the
fact that programmers often chain together SQL commands with user-provided parameters. When
applications are developed this way, attackers can embed SQL commands inside these parameters in
order to run SQL queries and/or commands on the back-end database server, giving them access to
sensitive data.
- Cross Site Scripting (XSS): an attack that takes advantage of a Web site vulnerability in which the
site displays content that includes un-sanitized (i.e., potentially malicious) user-provided data. For
example, an attacker might place a hyperlink with an embedded malicious script into an online
discussion forum. When the hyperlink is selected, the malicious script launches an attack. For
example, the script could copy user cookies containing sensitive, personal or other important data
and then send those cookies to the attacker.
- Remote File Inclusion (RFI): an attack that targets the computer servers running Web sites and
their applications. RFI exploits are most often attributed to the PHP programming language, which
is used by many large firms including Facebook and SugarCRM. RFI works by exploiting
applications that dynamically retrieve external scripts. Attackers cause these applications to include
a malicious script hosted on a remote server, thereby giving the attacker control over server and data
resources. The executed scripts can be used for temporary data theft or manipulation, or for a long
term takeover of the vulnerable server.
- HTTP Parameter Pollution (HPP): an evasion technique in which an attack vector in an HTTP
request is split between multiple instances of a parameter with the same name. None of the relevant
RFCs define the semantics of such manipulation, and therefore each web application delivery
platform may deal with it differently. In particular, some environments process such requests by
concatenating the values taken from all instances of the same parameter name within the request.
This behavior is abused by attackers to bypass pattern-based security mechanisms.
False Positives
False positives are cases where the WAF classifies legitimate traffic as an attack. This happens when
the WAF is not sensitive enough to distinguish good traffic from bad. For example, if a WAF
considers every request with the single quote character (‘) in it to be SQL injection, as many WAFs
do, then a request containing the value “O’Henry” would trigger a false positive.
The following elements are included in the testing:
- Tokens: certain tokens may trigger a false positive alert. For example, the presence of the tokens
“select” and “from” may trigger a SQL Injection alert.
- Special Characters: characters such as quotes and ampersands may trigger false positive alerts in
WAFs that are too strictly tuned.
- Arbitrary Text: sentences or paragraphs. These are common in forum and blog posts, but may be
too long or complex for some WAF detection rules, especially if the text contains elements that
could appear in attacks (but are in fact harmless when embedded as text in the case of a forum or
blog post). In this case, the WAF may issue an alert even though no attack is taking place.
- Multiple Lines: the presence of multiple lines in conjunction with certain characters may trigger a
false positive “response splitting” alert.
- External Links: external links in parameter values along with certain parameter names may trigger
a false positive “remote file include” alert. An example of such a parameter is “redirect_uri” which
is used by the Facebook API.
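The difference between the token cases above can be measured directly. The following is an added example, not part of the report or of the testing framework: it runs two toy keyword matchers over message bodies copied from this report's false-positive records and separates hits that disappear with whole-word matching from hits that do not. The keyword list is taken from the report's comments; the two-keyword alert threshold and all function names are assumptions, not any WAF's actual rule set.

```python
import re
from urllib.parse import unquote_plus

# SQL keywords that the report's comments name as false-positive triggers.
SQL_TOKENS = ("select", "from", "instr", "ascii", "then", "union", "drop",
              "table", "function", "shutdown", "schema", "delete", "order",
              "by", "concat", "count", "bulk", "insert")

# Request bodies copied from the report's false-positive records, keyed by ID.
SAMPLES = {
    216: "title=&message=select one item from these funny things =)&SUBMIT=Submit",
    223: "title=&message=nice selection of fromage (although they stink) &SUBMIT=Submit",
    226: "title=&message=Select a new chinstrap for your bike helmet; "
         "it could save your life&SUBMIT=Submit",
    230: "title=&message=based on a credit report from transunion, I was "
         "preselected for a credit card (although I did not want it)&SUBMIT=Submit",
    238: "title=&message=Have you seen the hydropower plant schematics? "
         "(they are very impractical)&SUBMIT=Submit",
    244: "title=&message=I am going to cross the border by passing gate #3 &SUBMIT=Submit",
}

MIN_TOKENS = 2  # assumed toy policy: alert when two or more keywords appear


def message_of(body):
    """Return the decoded 'message' field of a form-urlencoded body."""
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name == "message":
            return unquote_plus(value)
    return ""


def substring_hits(text):
    """Keywords found anywhere in the text, including inside longer words."""
    lowered = text.lower()
    return sorted(t for t in SQL_TOKENS if t in lowered)


def word_hits(text):
    """Keywords that appear as complete words only."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(t for t in SQL_TOKENS if t in words)


def classify(body):
    """Say which kind of false positive a legitimate body produces."""
    text = message_of(body)
    if len(word_hits(text)) >= MIN_TOKENS:
        # Real words such as "select ... from": word boundaries do not help,
        # the rule needs context (field type, SQL syntax) to stay quiet.
        return "whole-word collision"
    if len(substring_hits(text)) >= MIN_TOKENS:
        # Keyword only exists inside another word ("transunion", "chinstrap").
        return "substring artifact"
    return "clean"


def false_positive_rate(matcher):
    """Share of the legitimate samples that the given matcher would flag."""
    flagged = sum(len(matcher(message_of(b))) >= MIN_TOKENS
                  for b in SAMPLES.values())
    return flagged / len(SAMPLES)


if __name__ == "__main__":
    for rid, body in SAMPLES.items():
        text = message_of(body)
        print(rid, classify(body), substring_hits(text), word_hits(text))
    print("substring rule FP rate:", false_positive_rate(substring_hits))
    print("whole-word rule FP rate:", false_positive_rate(word_hits))
```

Whole-word matching clears the substring artifacts but still flags record 216, so sentences that genuinely contain “select” and “from” need tuning per parameter or a detector that checks SQL structure rather than vocabulary.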
False Negatives and False Positives
[Chart: failure rate (%) for False Negatives and False Positives]
Test Type         Total Requests   Misclassified   %
False Negatives   67               0               0
False Positives   148              148             100
- False Negatives: Attacks which the WAF should have identified and stopped, but did not
- False Positives: Legitimate traffic was incorrectly identified as an attack by the WAF
False Negatives by Type
[Chart: failure rate (%) by attack type: RFI, SQL Injection, XSS]
Attack Type      Total Attacks   Misclassified   %
RFI              26              0               0
SQL Injection    19              0               0
XSS              22              0               0
- For each attack type: the percentage of attacks that should have been blocked but were not
False Negatives
False Positives
ID: 216
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Body
title=&message=select one item from these funny things =)&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 217
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=select one item from these funny things :)&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 218
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=select something "nice" from the basket&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 219
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Item #3 seems a better choice from all the items we can select&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 220
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=from all the items we can select, I think that #3 would be better&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 221
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I think it better to select one from this basket (as this one is bigger)&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 222
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=We have a wide selection to choose from :)&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 223
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=nice selection of fromage (although they stink) &SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 224
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I had no such selection wherefrom I arrived =)&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 225
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I had no such selection wherefrom I arrived (and I like it)&SUBMIT=Submit
Comment: The tokens “select” and “from” might cause some WAFs to issue a false positive alert
ID: 226
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Select a new chinstrap for your bike helmet; it could save your life&SUBMIT=Submit
Comment: The tokens “select” and "instr" might cause some WAFs to issue a false positive alert
ID: 227
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=A select few private pilots can fly under instrument flight rules ("IFR"); meaning they can fly an airplane using instruments only&SUBMIT=Submit
Comment: The tokens “select” and “instr” might cause some WAFs to issue a false positive alert
ID: 228
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=nice selection of ascii art works&SUBMIT=Submit
Comment: The tokens “select” and “ascii” might cause some WAFs to issue a false positive alert
ID: 229
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I would like to select something whenever it is possible (but before the trip to Athens) &SUBMIT=Submit
Comment: The tokens “select” and “then” might cause some WAFs to issue a false positive alert
ID: 230
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=based on a credit report from transunion, I was preselected for a credit card (although I did not want it)&SUBMIT=Submit
Comment: The tokens “select” and “union” might cause some WAFs to issue a false positive alert
ID: 231
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Dropping the project is not acceptable; we inverted too many resources in it&SUBMIT=Submit
Comment: The tokens “drop” and “table” might cause some WAFs to issue a false positive alert
ID: 232
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I had to drop the plan (as there is no chance that it will be functional)&SUBMIT=Submit
Comment: The tokens “drop” and “function” might cause some WAFs to issue a false positive alert
ID: 233
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=this is not good; drop the item you are holding!&SUBMIT=Submit
Comment: The token “drop” might cause some WAFs to issue a false positive alert
ID: 234
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=this is not good; dropping the plan is our only option&SUBMIT=Submit
Comment: The token “drop” might cause some WAFs to issue a false positive alert
ID: 235
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=it does not look good; shutdown the system!&SUBMIT=Submit
Comment: The token “shutdown” might cause some WAFs to issue a false positive alert
ID: 236
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=The artwork was dropped by Frank Teschemacher (a great artist btw)&SUBMIT=Submit
Comment: The tokens “drop” and "schema" might cause some WAFs to issue a false positive alert
ID: 237
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I consider dropping this schematic; It is not so good&SUBMIT=Submit
Comment: The tokens “drop” and "schema" might cause some WAFs to issue a false positive alert
ID: 238
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Have you seen the hydropower plant schematics? (they are very impractical)&SUBMIT=Submit
Comment: The tokens “drop” and "schema" might cause some WAFs to issue a false positive alert
ID: 239
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=We dropped a million Deutschemark to get the schematic (and it was not worth it)&SUBMIT=Submit
Comment: The tokens “drop” and "schema" might cause some WAFs to issue a false positive alert
ID: 240
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Just be selective about where you drop your garbage in Germany (the exchange rate makes Deutschemark fines painful)&SUBMIT=Submit
Comment: The tokens “drop” and "schema" might cause some WAFs to issue a false positive alert
ID: 241
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I have selected an instrument (a new one) for today&SUBMIT=Submit
Comment: The tokens “select” and "instr" might cause some WAFs to issue a false positive alert
ID: 242
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I have selected an instrument for today; I hope the show will be ok&SUBMIT=Submit
Comment: The tokens “select” and "instr" might cause some WAFs to issue a false positive alert
ID: 243
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=This is not good (to say the least). I prefer to delete this item from the file&SUBMIT=Submit
Comment: The tokens “delete” and "from" might cause some WAFs to issue a false positive alert
ID: 244
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I am going to cross the border by passing gate #3 &SUBMIT=Submit
Comment: The tokens “order” and "by" might cause some WAFs to issue a false positive alert
ID: 245
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I am going to cross the border by passing gate #3 &SUBMIT=Submit
Comment: The tokens “order” and "by" might cause some WAFs to issue a false positive alert
ID: 246
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I have preselected the characters 0x22 and 0x20 for my sequence&SUBMIT=Submit
Comment: Hexadecimal representation of characters might cause some WAFs to issue a false positive alert
ID: 247
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I have preselected the characters to concat (as it is a better option)&SUBMIT=Submit
Comment: The tokens “select” and "concat" might cause some WAFs to issue a false positive alert
ID: 248
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I have preselected the items to count (as it is a better option)&SUBMIT=Submit
Comment: The tokens “select” and "count" might cause some WAFs to issue a false positive alert
ID: 249
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=We need to check the bulkhead of the ship; we might need to insert some sealing to close it out (we can take it from behind)&SUBMIT=Submit
Comment: The tokens “bulk” and "insert" might cause some WAFs to issue a false positive alert
ID: 250
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=g or 1234567&SUBMIT=Submit
ID: 251
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=g and 1234567&SUBMIT=Submit
ID: 252
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=send me a check or 100000$ cash&SUBMIT=Submit
ID: 253
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=It seems that they will not negotiate with us and 100000 dollars is not something we can afford&SUBMIT=Submit
ID: 255
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Body
title=&message=In the beginning God created the heaven and the earth.
And the earth was without form, and void; and darkness was
upon the face of the deep. And the Spirit of God moved upon
the face of the waters.
And God said, Let there be light: and there was light.
And God saw the light, that it was good: and God divided the
light from the darkness.
And God called the light Day, and the darkness he called
Night. And the evening and the morning were the first day.
And God said, Let there be a firmament in the midst of the
waters, and let it divide the waters from the waters.
And God made the firmament, and divided the waters which were
under the firmament from the waters which were above the
firmament: and it was so.
And God called the firmament Heaven. And the evening and the
morning were the second day.
And God said, Let the waters under the heaven be gathered
together unto one place, and let the dry land appear: and it
was so.
And God called the dry land Earth; and the gathering together
of the waters called he Seas: and God saw that it was good.
&SUBMIT=Submit
Comment: The Bible, Book of Genesis
ID: 256
Method: POST
Attack Type: Not an Attack
Blocked: Yes
URL: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=PERSONS REPRESENTED.
Claudius, King of Denmark.
Hamlet, Son to the former, and Nephew to the present King.
Polonius, Lord Chamberlain.
Horatio, Friend to Hamlet.
Laertes, Son to Polonius.
Voltimand, Courtier.
Cornelius, Courtier.
Rosencrantz, Courtier.
Guildenstern, Courtier.
Osric, Courtier.
A Gentleman, Courtier.
A Priest.
Marcellus, Officer.
Bernardo, Officer.
Francisco, a Soldier
Reynaldo, Servant to Polonius.
Players.
Two Clowns, Grave-diggers.
Fortinbras, Prince of Norway.
A Captain.
English Ambassadors.
Ghost of Hamlet's Father.
Gertrude, Queen of Denmark, and Mother of Hamlet.
Ophelia, Daughter to Polonius.
Lords, Ladies, Officers, Soldiers, Sailors, Messengers, and other
Attendants.
SCENE. Elsinore.
ACT I.
Scene I. Elsinore. A platform before the Castle.
[Francisco at his post. Enter to him Bernardo.]
Ber.
Who's there?
Fran.
Nay, answer me: stand, and unfold yourself.
Ber.
Long live the king!
Fran.
Bernardo?
Ber.
He.
Fran.
You come most carefully upon your hour.
Ber.
'Tis now struck twelve. Get thee to bed, Francisco.
Fran.
For this relief much thanks: 'tis bitter cold,
And I am sick at heart.
Ber.
Have you had quiet guard?
Fran.
Not a mouse stirring.
&SUBMIT=Submit
Comment: HAMLET, PRINCE OF DENMARK, by William Shakespeare
ID
257
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=ADVENTURE I. A SCANDAL IN BOHEMIA
I.
To Sherlock Holmes she is always THE woman. I have seldom heard
him mention her under any other name. In his eyes she eclipses
and predominates the whole of her sex. It was not that he felt
any emotion akin to love for Irene Adler. All emotions, and that
one particularly, were abhorrent to his cold, precise but
admirably balanced mind. He was, I take it, the most perfect
reasoning and observing machine that the world has seen, but as a
lover he would have placed himself in a false position. He never
spoke of the softer passions, save with a gibe and a sneer. They
were admirable things for the observer--excellent for drawing the
veil from men's motives and actions. But for the trained reasoner
to admit such intrusions into his own delicate and finely
adjusted temperament was to introduce a distracting factor which
might throw a doubt upon all his mental results. Grit in a
sensitive instrument, or a crack in one of his own high-power
lenses, would not be more disturbing than a strong emotion in a
nature such as his. And yet there was but one woman to him, and
that woman was the late Irene Adler, of dubious and questionable
memory.
I had seen little of Holmes lately. My marriage had drifted us
away from each other. My own complete happiness, and the
home-centred interests which rise up around the man who first
finds himself master of his own establishment, were sufficient to
absorb all my attention, while Holmes, who loathed every form of
society with his whole Bohemian soul, remained in our lodgings in
Baker Street, buried among his old books, and alternating from
week to week between cocaine and ambition, the drowsiness of the
drug, and the fierce energy of his own keen nature. He was still,
as ever, deeply attracted by the study of crime, and occupied his
immense faculties and extraordinary powers of observation in
following out those clues, and clearing up those mysteries which
had been abandoned as hopeless by the official police. From time
to time I heard some vague account of his doings: of his summons
to Odessa in the case of the Trepoff murder, of his clearing up
of the singular tragedy of the Atkinson brothers at Trincomalee,
and finally of the mission which he had accomplished so
delicately and successfully for the reigning family of Holland.
Beyond these signs of his activity, however, which I merely
shared with all the readers of the daily press, I knew little of
my former friend and companion.
One night--it was on the twentieth of March, 1888--I was
returning from a journey to a patient (for I had now returned to
civil practice), when my way led me through Baker Street. As I
passed the well-remembered door, which must always be associated
in my mind with my wooing, and with the dark incidents of the
Study in Scarlet, I was seized with a keen desire to see Holmes
again, and to know how he was employing his extraordinary powers.
His rooms were brilliantly lit, and, even as I looked up, I saw
his tall, spare figure pass twice in a dark silhouette against
the blind. He was pacing the room swiftly, eagerly, with his head
sunk upon his chest and his hands clasped behind him. To me, who
knew his every mood and habit, his attitude and manner told their
own story. He was at work again. He had risen out of his
drug-created dreams and was hot upon the scent of some new
problem. I rang the bell and was shown up to the chamber which
had formerly been in part my own.
&SUBMIT=Submit
Comment
The Adventures of Sherlock Holmes
Not an Attack
Blocked
Yes
ID
258
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=PREFACE.
In the literature of all countries there will be found a certain number
of works treating especially of love. Everywhere the subject is dealt
with differently, and from various points of view. In the present
publication it is proposed to give a complete translation of what is
considered the standard work on love in Sanscrit literature, and which
is called the 'Vatsyayana Kama Sutra,' or Aphorisms on Love, by
Vatsyayana.
While the introduction will bear with the evidence concerning the date
of the writing, and the commentaries written upon it, the chapters
following the introduction will give a translation of the work itself.
It is, however, advisable to furnish here a brief analysis of works of
the same nature, prepared by authors who lived and wrote years after
Vatsya had passed away, but who still considered him as a great
authority, and always quoted him as the chief guide to Hindoo erotic
literature.
Besides the treatise of Vatsyayana the following works on the same
subject are procurable in India:-1. The Ratirahasya, or secrets of love.
2. The Panchasakya, or the five arrows.
3. The Smara Pradipa, or the light of love.
4. The Ratimanjari, or the garland of love.
5. The Rasmanjari, or the sprout of love.
6. The Anunga Runga, or the stage of love; also called
Kamaledhiplava, or a boat in the ocean of love.
The author of the 'Secrets of Love' (No. 1) was a poet named Kukkoka. He
composed his work to please one Venudutta, who was perhaps a king. When
writing his own name at the end of each chapter he calls himself "Siddha
patiya pandita," _i.e._, an ingenious man among learned men. The work
was translated into Hindi years ago, and in this the author's name was
written as Koka. And as the same name crept into all the translations
into other languages in India, the book became generally known, and the
subject was popularly called Koka Shastra, or doctrines of Koka, which
is identical with the Kama Shastra, or doctrines of love, and the words
Koka Shastra and Kama Shastra are used indiscriminately.&SUBMIT=Submit
Comment
THE KAMA SUTRA OF VATSYAYANA
Not an Attack
Blocked
Yes
ID
259
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=It is a truth universally acknowledged, that a single man in possession
of a good fortune, must be in want of a wife.
However little known the feelings or views of such a man may be on his
first entering a neighbourhood, this truth is so well fixed in the minds
of the surrounding families, that he is considered the rightful property
of some one or other of their daughters.
"My dear Mr. Bennet," said his lady to him one day, "have you heard that
Netherfield Park is let at last?"
Mr. Bennet replied that he had not.
"But it is," returned she; "for Mrs. Long has just been here, and she
told me all about it."
Mr. Bennet made no answer.
"Do you not want to know who has taken it?" cried his wife impatiently.
"_You_ want to tell me, and I have no objection to hearing it."
This was invitation enough.
"Why, my dear, you must know, Mrs. Long says that Netherfield is taken
by a young man of large fortune from the north of England; that he came
down on Monday in a chaise and four to see the place, and was so much
delighted with it, that he agreed with Mr. Morris immediately; that he
is to take possession before Michaelmas, and some of his servants are to
be in the house by the end of next week."
"What is his name?"
"Bingley."
"Is he married or single?"
"Oh! Single, my dear, to be sure! A single man of large fortune; four or
five thousand a year. What a fine thing for our girls!"
"How so? How can it affect them?"
"My dear Mr. Bennet," replied his wife, "how can you be so tiresome! You
must know that I am thinking of his marrying one of them."
"Is that his design in settling here?"
"Design! Nonsense, how can you talk so! But it is very likely that he
_may_ fall in love with one of them, and therefore you must visit him as
soon as he comes."
"I see no occasion for that. You and the girls may go, or you may send
them by themselves, which perhaps will be still better, for as you are
as handsome as any of them, Mr. Bingley may like you the best of the
party."
&SUBMIT=Submit
Comment
PRIDE AND PREJUDICE By Jane Austen
Not an Attack
Blocked
Yes
ID
260
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=INTRODUCTION
This volume does not aim to contain all "the best American humorous
short stories"; there are many other stories equally as good, I
suppose, in much the same vein, scattered through the range of
American literature. I have tried to keep a certain unity of aim and
impression in selecting these stories. In the first place I determined
that the pieces of brief fiction which I included must first of all be
not merely good stories, but good short stories. I put myself in the
position of one who was about to select the best short stories in the
whole range of American literature,[1] but who, just before he started
to do this, was notified that he must refrain from selecting any of
the best American short stories that did not contain the element of
humor to a marked degree. But I have kept in mind the wide boundaries
of the term humor, and also the fact that the humorous standard should
be kept second--although a close second--to the short story standard.
In view of the necessary limitations as to the volume's size, I could
not hope to represent all periods of American literature adequately,
nor was this necessary in order to give examples of the best that has
been done in the short story in a humorous vein in American
literature. Probably all types of the short story of humor are
included here, at any rate. Not only copyright restrictions but in a
measure my own opinion have combined to exclude anything by Joel
Chandler Harris--_Uncle Remus_--from the collection. Harris is
primarily--in his best work--a humorist, and only secondarily a short
story writer. As a humorist he is of the first rank; as a writer of
short stories his place is hardly so high. His humor is not mere
funniness and diversion; he is a humorist in the fundamental and large
sense, as are Cervantes, Rabelais, and Mark Twain.&SUBMIT=Submit
Comment
The Best American Humorous Short Stories, by Various
Not an Attack
Blocked
Yes
ID
261
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=-- I -Stately, plump Buck Mulligan came from the stairhead, bearing a bowl of
lather on which a mirror and a razor lay crossed. A yellow dressinggown,
ungirdled, was sustained gently behind him on the mild morning air. He
held the bowl aloft and intoned:
--_Introibo ad altare Dei_.
Halted, he peered down the dark winding stairs and called out coarsely:
--Come up, Kinch! Come up, you fearful jesuit!
Solemnly he came forward and mounted the round gunrest. He faced about
and blessed gravely thrice the tower, the surrounding land and the
awaking mountains. Then, catching sight of Stephen Dedalus, he bent
towards him and made rapid crosses in the air, gurgling in his throat
and shaking his head. Stephen Dedalus, displeased and sleepy, leaned
his arms on the top of the staircase and looked coldly at the shaking
gurgling face that blessed him, equine in its length, and at the light
untonsured hair, grained and hued like pale oak.
Buck Mulligan peeped an instant under the mirror and then covered the
bowl smartly.
--Back to barracks! he said sternly.&SUBMIT=Submit
Comment
Ulysses, by James Joyce
Not an Attack
Blocked
Yes
ID
262
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Sun Wu and his Book
------------------Ssu-ma Ch`ien gives the following biography of Sun Tzu: [1]
-Sun Tzu Wu was a native of the Ch`i State. His ART OF
WAR brought him to the notice of Ho Lu, [2] King of Wu. Ho
Lu said to him: "I have carefully perused your 13 chapters.
May I submit your theory of managing soldiers to a slight
test?"
Sun Tzu replied: "You may."
Ho Lu asked: "May the test be applied to women?"
The answer was again in the affirmative, so arrangements
were made to bring 180 ladies out of the Palace. Sun Tzu
divided them into two companies, and placed one of the King's
favorite concubines at the head of each. He then bade them
all take spears in their hands, and addressed them thus: "I
presume you know the difference between front and back, right
hand and left hand?"
The girls replied: Yes.
Sun Tzu went on: "When I say "Eyes front," you must
look straight ahead. When I say "Left turn," you must face
towards your left hand. When I say "Right turn," you must
face towards your right hand. When I say "About turn," you
must face right round towards your back."
Again the girls assented. The words of command having
been thus explained, he set up the halberds and battle-axes
in order to begin the drill. Then, to the sound of drums, he
gave the order "Right turn." But the girls only burst out
laughing. Sun Tzu said: "If words of command are not clear
and distinct, if orders are not thoroughly understood, then
the general is to blame."
So he started drilling them again, and this time gave
the order "Left turn," whereupon the girls once more burst
into fits of laughter. Sun Tzu: "If words of command are
not clear and distinct, if orders are not thoroughly
understood, the general is to blame. But if his orders ARE
clear, and the soldiers nevertheless disobey, then it is the
fault of their officers."&SUBMIT=Submit
Comment
The Art of War, by Sun Tzu
Not an Attack
Blocked
Yes
ID
263
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Human Analysis--The X-Ray
_Modern science has proved that the fundamental traits of every
individual are indelibly stamped in the shape of his body, head, face
and hands--an X-ray by which you can read the characteristics of any
person on sight._
The most essential thing in the world to any individual is to understand
_himself_. The next is to understand the other fellow. For life is
largely a problem of running your own car as it was built to be run,
plus getting along with the other drivers on the highway.
From this book you are going to learn which type of car you are and the
main reasons why you have not been getting the maximum of service out of
yourself.
Also you are going to learn the makes of other human cars, and how to
get the maximum of co-operation out of them. This co-operation is vital
to happiness and success. We come in contact with our fellowman in all
the activities of our lives and what we get out of life depends, to an
astounding degree, on our relations with him.&SUBMIT=Submit
Comment
How to Analyze People on Sight, by Elsie Lincoln Benedict and Ralph Paine Benedict
Not an Attack
Blocked
Yes
ID
264
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=CHAPTER I.
YOU don't know about me without you have read a book by the name of The
Adventures of Tom Sawyer; but that ain't no matter. That book was made
by Mr. Mark Twain, and he told the truth, mainly. There was things which
he stretched, but mainly he told the truth. That is nothing. I never
seen anybody but lied one time or another, without it was Aunt Polly, or
the widow, or maybe Mary. Aunt Polly--Tom's Aunt Polly, she is--and
Mary, and the Widow Douglas is all told about in that book, which is
mostly a true book, with some stretchers, as I said before.
Now the way that the book winds up is this: Tom and me found the money
that the robbers hid in the cave, and it made us rich. We got six
thousand dollars apiece--all gold. It was an awful sight of money when
it was piled up. Well, Judge Thatcher he took it and put it out at
interest, and it fetched us a dollar a day apiece all the year round
--more than a body could tell what to do with. The Widow Douglas she took
me for her son, and allowed she would sivilize me; but it was rough
living in the house all the time, considering how dismal regular and
decent the widow was in all her ways; and so when I couldn't stand it no
longer I lit out. I got into my old rags and my sugar-hogshead again,
and was free and satisfied. But Tom Sawyer he hunted me up and said he
was going to start a band of robbers, and I might join if I would go back
to the widow and be respectable. So I went back.&SUBMIT=Submit
Comment
Adventures of Huckleberry Finn, by Mark Twain (Samuel Clemens)
Not an Attack
Blocked
Yes
ID
265
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=CHAPTER I
"Well, Prince, so Genoa and Lucca are now just family estates of the
Buonapartes. But I warn you, if you don't tell me that this means war,
if you still try to defend the infamies and horrors perpetrated by that
Antichrist--I really believe he is Antichrist--I will have nothing more
to do with you and you are no longer my friend, no longer my 'faithful
slave,' as you call yourself! But how do you do? I see I have frightened
you--sit down and tell me all the news."
It was in July, 1805, and the speaker was the well-known Anna Pavlovna
Scherer, maid of honor and favorite of the Empress Marya Fedorovna. With
these words she greeted Prince Vasili Kuragin, a man of high rank and
importance, who was the first to arrive at her reception. Anna Pavlovna
had had a cough for some days. She was, as she said, suffering from la
grippe; grippe being then a new word in St. Petersburg, used only by the
elite.
All her invitations without exception, written in French, and delivered
by a scarlet-liveried footman that morning, ran as follows:
"If you have nothing better to do, Count (or Prince), and if the
prospect of spending an evening with a poor invalid is not too terrible,
I shall be very charmed to see you tonight between 7 and 10--Annette
Scherer."&SUBMIT=Submit
Comment
War and Peace, by Leo Tolstoy
Not an Attack
Blocked
Yes
ID
266
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=REFACE.
A singular fatality has ruled the destiny of nearly all the most
famous of Leonardo da Vinci's works. Two of the three most important
were never completed, obstacles having arisen during his life-time,
which obliged him to leave them unfinished; namely the Sforza
Monument and the Wall-painting of the Battle of Anghiari, while the
third--the picture of the Last Supper at Milan--has suffered
irremediable injury from decay and the repeated restorations to
which it was recklessly subjected during the XVIIth and XVIIIth
centuries. Nevertheless, no other picture of the Renaissance has
become so wellknown and popular through copies of every description.
Vasari says, and rightly, in his Life of Leonardo, "that he laboured
much more by his word than in fact or by deed", and the biographer
evidently had in his mind the numerous works in Manuscript which
have been preserved to this day. To us, now, it seems almost
inexplicable that these valuable and interesting original texts
should have remained so long unpublished, and indeed forgotten. It
is certain that during the XVIth and XVIIth centuries their
exceptional value was highly appreciated. This is proved not merely
by the prices which they commanded, but also by the exceptional
interest which has been attached to the change of ownership of
merely a few pages of Manuscript.&SUBMIT=Submit
Comment
The Notebooks of Leonardo Da Vinci, by Leonardo Da Vinci
Not an Attack
Blocked
Yes
ID
267
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=THE PHYSICAL DESCRIPTION
Let us first examine the book as it appears before us. The title-page
reads:
Doctrina Christiana, en
lengua espaola ytagala, cor
regida por los Religiosos de las
ordenes Impressa con licencia, en
S. gabriel. de la orden de. S. Domigo
En Manila. 1593
The book, printed in Gothic letters and Tagalog [1] characters on
paper made from the paper mulberry, now browned and brittle with age,
consists of thirty-eight leaves, comprising a title-page as above,
under a woodcut [2] of St. Dominic, with the verso originally blank,
but in this copy bearing the contemporary manuscript inscription,
_Tassada en dos rreales_, signed _Juan de Cuellar_; and seventy-four
pages of text in Spanish, Tagalog transliterated into roman letters,
and Tagalog in Tagalog characters. The size of the volume, which
is unbound, is 9 1/8 by 7 inches, although individual leaves vary
somewhat due to chipping. Some of the leaves have become separated
from their complements, but enough remain in the original stitching
to indicate that the book was originally made up in four gatherings,
the first of twelve leaves, the second of ten, the third of ten, and
the fourth of six. Although the book is of the size called quarto,
the method of printing must have been page by page, so it is doubtful
that each sheet was folded twice in the usual quarto manner, but
more probable that it was printed four pages to a sheet of paper
approximately 9 1/8 by 14 inches, which was folded once.&SUBMIT=Submit
Comment
Doctrina Christiana, by Anonymous
Not an Attack
Blocked
Yes
ID
268
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I. The Period
It was the best of times,
it was the worst of times,
it was the age of wisdom,
it was the age of foolishness,
it was the epoch of belief,
it was the epoch of incredulity,
it was the season of Light,
it was the season of Darkness,
it was the spring of hope,
it was the winter of despair,
we had everything before us,
we had nothing before us,
we were all going direct to Heaven,
we were all going direct the other way-in short, the period was so far like the present period, that some of
its noisiest authorities insisted on its being received, for good or for
evil, in the superlative degree of comparison only.
There were a king with a large jaw and a queen with a plain face, on the
throne of England; there were a king with a large jaw and a queen with
a fair face, on the throne of France. In both countries it was clearer
than crystal to the lords of the State preserves of loaves and fishes,
that things in general were settled for ever.&SUBMIT=Submit
Comment
A Tale of Two Cities, by Charles Dickens
Not an Attack
Blocked
Yes
ID
269
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=PROLOGUE
IT was 2 p.m. on the afternoon of May 7, 1915. The Lusitania had been
struck by two torpedoes in succession and was sinking rapidly, while
the boats were being launched with all possible speed. The women and
children were being lined up awaiting their turn. Some still clung
desperately to husbands and fathers; others clutched their children
closely to their breasts. One girl stood alone, slightly apart from
the rest. She was quite young, not more than eighteen. She did not seem
afraid, and her grave, steadfast eyes looked straight ahead.
"I beg your pardon."
A man's voice beside her made her start and turn. She had noticed the
speaker more than once amongst the first-class passengers. There had
been a hint of mystery about him which had appealed to her imagination.
He spoke to no one. If anyone spoke to him he was quick to rebuff the
overture. Also he had a nervous way of looking over his shoulder with a
swift, suspicious glance.
She noticed now that he was greatly agitated. There were beads of
perspiration on his brow. He was evidently in a state of overmastering
fear. And yet he did not strike her as the kind of man who would be
afraid to meet death!&SUBMIT=Submit
Comment
The Secret Adversary, by Agatha Christie
Not an Attack
Blocked
Yes
ID
270
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Chapter 1. Marseilles--The Arrival.
On the 24th of February, 1815, the look-out at Notre-Dame de la Garde
signalled the three-master, the Pharaon from Smyrna, Trieste, and
Naples.
As usual, a pilot put off immediately, and rounding the Chateau d'If,
got on board the vessel between Cape Morgion and Rion island.
Immediately, and according to custom, the ramparts of Fort Saint-Jean
were covered with spectators; it is always an event at Marseilles for a
ship to come into port, especially when this ship, like the Pharaon, has
been built, rigged, and laden at the old Phocee docks, and belongs to an
owner of the city.
The ship drew on and had safely passed the strait, which some volcanic
shock has made between the Calasareigne and Jaros islands; had doubled
Pomegue, and approached the harbor under topsails, jib, and spanker, but
so slowly and sedately that the idlers, with that instinct which is
the forerunner of evil, asked one another what misfortune could have
happened on board. However, those experienced in navigation saw plainly
that if any accident had occurred, it was not to the vessel herself,
for she bore down with all the evidence of being skilfully handled, the
anchor a-cockbill, the jib-boom guys already eased off, and standing by
the side of the pilot, who was steering the Pharaon towards the narrow
entrance of the inner port, was a young man, who, with activity and
vigilant eye, watched every motion of the ship, and repeated each
direction of the pilot.&SUBMIT=Submit
Comment
The Count of Monte Cristo, by Alexandre Dumas, Pere
Not an Attack
Blocked
Yes
ID
271
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Everything was perfectly swell.
There were no prisons, no slums, no insane asylums, no cripples, no
poverty, no wars.
All diseases were conquered. So was old age.
Death, barring accidents, was an adventure for volunteers.
The population of the United States was stabilized at forty-million
souls.
One bright morning in the Chicago Lying-in Hospital, a man named Edward
K. Wehling, Jr., waited for his wife to give birth. He was the only man
waiting. Not many people were born a day any more.
Wehling was fifty-six, a mere stripling in a population whose average
age was one hundred and twenty-nine.
X-rays had revealed that his wife was going to have triplets. The
children would be his first.
Young Wehling was hunched in his chair, his head in his hand. He was so
rumpled, so still and colorless as to be virtually invisible. His
camouflage was perfect, since the waiting room had a disorderly and
demoralized air, too. Chairs and ashtrays had been moved away from the
walls. The floor was paved with spattered dropcloths.
&SUBMIT=Submit
Comment
2 B R 0 2 B, by Kurt Vonnegut
Not an Attack
Blocked
Yes
ID
272
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=THE WORLD FACTBOOK :: WHAT'S NEW
January 31, 2011
What do the initials ESA stand for? Check out Appendix A:
Abbreviations to find out. New space-based photos have been uploaded
for Australia, China, Namibia, Mexico, and the US.
January 25, 2011
What country enjoyed the lowest unemployment rate in 2010? Find out
by checking "Unemployment rate" under the Country Comparison feature
(in the References tab). The entire Economy category has been
updated to reflect data for years 2010 and earlier.
January 14, 2011
Did you know that the highest elevation in the Netherlands is not in
Europe? Where is it? Find out by checking the "Elevation extremes"
field in the Geography section. New space-based photos have been
added for Iran and Russia.
January 07, 2011
What country flag is only one color? To find out visit the Flags of
the World page.
&SUBMIT=Submit
Comment
The 2010 CIA World Factbook, by United States. Central Intelligence Agency.
Not an Attack
Blocked
Yes
ID
273
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=THE SONNETS
by William Shakespeare
1
From fairest creatures we desire increase,
That thereby beauty's rose might never die,
But as the riper should by time decease,
His tender heir might bear his memory:
But thou contracted to thine own bright eyes,
Feed'st thy light's flame with self-substantial fuel,
Making a famine where abundance lies,
Thy self thy foe, to thy sweet self too cruel:
Thou that art now the world's fresh ornament,
And only herald to the gaudy spring,
Within thine own bud buriest thy content,
And tender churl mak'st waste in niggarding:
Pity the world, or else this glutton be,
To eat the world's due, by the grave and thee.
2
When forty winters shall besiege thy brow,
And dig deep trenches in thy beauty's field,
Thy youth's proud livery so gazed on now,
Will be a tattered weed of small worth held:
Then being asked, where all thy beauty lies,
Where all the treasure of thy lusty days;
To say within thine own deep sunken eyes,
Were an all-eating shame, and thriftless praise.
How much more praise deserved thy beauty's use,
If thou couldst answer 'This fair child of mine
Shall sum my count, and make my old excuse'
Proving his beauty by succession thine.
This were to be new made when thou art old,
And see thy blood warm when thou feel'st it cold.&SUBMIT=Submit
Comment
The Complete Works of William Shakespeare by William Shakespeare
Not an Attack
Blocked
Yes
ID
274
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I. The Camp Fires of the Wolf Patrol
Their first camping experience affords the scouts
splendid opportunities to use their recently acquired
knowledge in a practical way. Elmer Chenowith, a lad
from the north-west woods, astonishes everyone with
his familiarity with camp life. A clean, wholesome
story every boy should read.
II. Woodcraft; or, How a Patrol Leader Made Good
This tale presents many stirring situations in which
some of the boys are called upon to exercise all their
ingenuity and unselfishness. A story filled with
healthful excitement.
III. Pathfinder; or, The Missing Tenderfoot
Some mysteries are cleared up in a most unexpected
way, greatly to the credit of our young friends. A
variety of incidents follow fast, one after the other.&SUBMIT=Submit
Comment
Camp Fires of the Wolf Patrol, by Alan Douglas, Illustrated by E. C. Caswell
Not an Attack
Blocked
Yes
ID
275
Method
POST
Attack Type
Not an Attack
Blocked
Yes
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=THE GOLDEN BIRD
A certain king had a beautiful garden, and in the garden stood a tree
which bore golden apples. These apples were always counted, and about
the time when they began to grow ripe it was found that every night one
of them was gone. The king became very angry at this, and ordered the
gardener to keep watch all night under the tree. The gardener set his
eldest son to watch; but about twelve o'clock he fell asleep, and in
the morning another of the apples was missing. Then the second son was
ordered to watch; and at midnight he too fell asleep, and in the morning
another apple was gone. Then the third son offered to keep watch; but
the gardener at first would not let him, for fear some harm should come
to him: however, at last he consented, and the young man laid himself
under the tree to watch. As the clock struck twelve he heard a rustling
noise in the air, and a bird came flying that was of pure gold; and as
it was snapping at one of the apples with its beak, the gardener's son
jumped up and shot an arrow at it. But the arrow did the bird no harm;
only it dropped a golden feather from its tail, and then flew away.
The golden feather was brought to the king in the morning, and all the
council was called together. Everyone agreed that it was worth more than
all the wealth of the kingdom: but the king said, 'One feather is of no
use to me, I must have the whole bird.'&SUBMIT=Submit
Comment
Grimms' Fairy Tales, by The Brothers Grimm
ID
276
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=
Introduction: it all starts...&SUBMIT=Submit
Comment
The presence of the character : may cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
277
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=
Attention: John Smith&SUBMIT=Submit
Comment
The presence of the character : may cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
278
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=
Shopping-list:
Milk
Hot dogs
Cheese&SUBMIT=Submit
Comment
The presence of the character : may cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
290
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Body
title=&message=neQRQBqOKtQ-ZzrqLSgxzCmp/sK8yV9/*g&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
291
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=/y7Cyj4u1pE-/MMNQk/*AWo1n/gHGIKkUA&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
292
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=FKSJxY2VJAk-4/*5VdGu8ccEyMZuTIO6Vg&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
293
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=NgMlQVYVFEo-/*F0lJv0bRkBJzOghV09lw&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
294
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=FKSJxY2VJAk-Z49B/Ed9wBKbh2d3u/*S5g&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
295
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=neQRQBqOKtQ-63OXc5zyZF*EWMk/*CT84w&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
296
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=neQRQBqOKtQ-rNt/*fKmTcsXMHQ76K/Btw&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
297
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=neQRQBqOKtQ-Hzc//*1DNWcYGU1WEfaCaQ&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
298
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=jxYLNQ1v14s-6zf2d8INBXI/*HEtIvY7eA&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
299
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=808Wc9GEtZA-PWQH6Si/*rNsQ7COwRtjmQ&SUBMIT=Submit
Comment
Encoded parameter values may contain characters that might cause some WAFs to issue a false positive alert
Yes
ID
333
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&redirect_uri=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Yes
ID
334
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&bidirect=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&redirect_uri=http://www.acbdef.com/index.html
Yes
ID
335
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&isDirect=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&bidirect=http://www.acbdef.com/index.html
Yes
ID
336
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&p_direction=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&isDirect=http://www.acbdef.com/index.html
Yes
ID
337
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&p_redirect_uri=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&p_direction=http://www.acbdef.com/index.html
Yes
ID
338
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&redirect=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&p_redirect_uri=http://www.acbdef.com/index.html
Yes
ID
339
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&redirecturl=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&redirect=http://www.acbdef.com/index.html
Yes
ID
340
Method
GET
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&strRedirect=http://www.acbdef.com/index.html
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=186&menu=900&redirecturl=http://www.acbdef.com/index.html
Yes
ID
363
Method
POST
Attack Type
Not an Attack
Blocked
Yes
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Body
title=&message=Did you check out the viedo-game Red-Alert (it's a real time strategy game)?&field1=111&SUBMIT=Submit
ID
364
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=The situation in the south caused the government to issue an alert (hopefully it will be better soon)&field1=111&SUBMIT=Submit
Yes
ID
365
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=To watch the Apple stock, I've set up a market-alert (it's very easy to set up)&field1=111&SUBMIT=Submit
Yes
ID
366
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=The usual hourly meetings made me walk on eggshells&field1=111&SUBMIT=Submit
Blocked
Yes
ID
367
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Have you seen that movie about the medieval? (it's a documentary movie)&field1=111&SUBMIT=Submit
Yes
ID
368
Method
POST
Attack Type
Not an Attack
Blocked
Yes
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Did you check out the new algorithm for text retrieval? (it supposed to be very efficient)&field1=111&SUBMIT=Submit
ID
369
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=My email is [email protected]&field1=111&SUBMIT=Submit
Not an Attack
Blocked
Yes
ID
370
Method
POST
Attack Type
Not an Attack
Blocked
Yes
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=There are many possible encodings for data: UTF-7, UTF-8, base64 and so on&field1=111&SUBMIT=Submit
ID
371
Method
POST
Attack Type
Not an Attack
Blocked
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Pragma: no-cache
Cache-Control: no-cache
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=I think this is something we need to confirm (we discussed that before)&field1=111&SUBMIT=Submit
Yes
ID
372
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Body
title=&message=O'brien&SUBMIT=Submit
Comment
The presence of the character ' might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
373
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Listen!&SUBMIT=Submit
Comment
The presence of the character ! might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
374
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&[email protected]&SUBMIT=Submit
Comment
The presence of the character @ might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
375
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Item #3&SUBMIT=Submit
Comment
The presence of the character # might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
376
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=100$&SUBMIT=Submit
Comment
The presence of the character $ might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
377
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=100%&SUBMIT=Submit
Comment
The presence of the character % might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
378
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=2^3&SUBMIT=Submit
Comment
The presence of the character ^ might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
379
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=M&M&SUBMIT=Submit
Comment
The presence of the character & might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
380
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Char *&SUBMIT=Submit
Comment
The presence of the character * might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
381
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=(btw)&SUBMIT=Submit
Comment
The presence of the characters ( and ) might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
382
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=1+1&SUBMIT=Submit
Comment
The presence of the character + might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
383
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=red-eye&SUBMIT=Submit
Comment
The presence of the character - might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
384
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=a=b&SUBMIT=Submit
Comment
The presence of the character = might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
385
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message="sweet"&SUBMIT=Submit
Comment
The presence of the character " might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
386
Method
POST
Attack Type
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message='sweet'&SUBMIT=Submit
Comment
The presence of the character ' might cause some WAFs to issue a false positive alert
Not an Attack
Blocked
Yes
ID
387
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=[color]&SUBMIT=Submit
Comment
The presence of the characters [ and ] might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
388
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message={color}&SUBMIT=Submit
Comment
The presence of the characters { and } might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
389
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=a_b&SUBMIT=Submit
Comment
The presence of the character _ might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
390
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=attention: john smith&SUBMIT=Submit
Comment
The presence of the character : might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
391
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=a;b&SUBMIT=Submit
Comment
The presence of the character ; might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
392
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=2<3&SUBMIT=Submit
Comment
The presence of the character < might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
393
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=3>2&SUBMIT=Submit
Comment
The presence of the character > might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
394
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=1/2&SUBMIT=Submit
Comment
The presence of the character / might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
395
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=red, white&SUBMIT=Submit
Comment
The presence of the character , might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
396
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=`lovely'&SUBMIT=Submit
Comment
The presence of the characters ` and ' might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
397
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=one\two&SUBMIT=Submit
Comment
The presence of the character \ might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
398
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Really?&SUBMIT=Submit
Comment
The presence of the character ? might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
399
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=a|b&SUBMIT=Submit
Comment
The presence of the character | might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
400
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=~100 items&SUBMIT=Submit
Comment
The presence of the character ~ might cause some WAFs to issue a false positive alert
Blocked
Yes
ID
401
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Body
title=&message=John&SUBMIT=Submit
Blocked
Yes
ID
402
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Jimmy&SUBMIT=Submit
Blocked
Yes
ID
403
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Jeniffer&SUBMIT=Submit
Blocked
Yes
ID
404
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Alex&SUBMIT=Submit
Blocked
Yes
ID
405
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Steve&SUBMIT=Submit
Blocked
Yes
ID
406
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Dan&SUBMIT=Submit
Blocked
Yes
ID
407
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Smith&SUBMIT=Submit
Blocked
Yes
ID
408
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Dagger&SUBMIT=Submit
Blocked
Yes
ID
409
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Hunter&SUBMIT=Submit
Blocked
Yes
ID
410
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Adam&SUBMIT=Submit
Blocked
Yes
ID
411
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Datar&SUBMIT=Submit
Blocked
Yes
ID
412
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Nadev&SUBMIT=Submit
Blocked
Yes
ID
413
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Li&SUBMIT=Submit
Blocked
Yes
ID
414
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Yu&SUBMIT=Submit
Blocked
Yes
ID
415
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Ray&SUBMIT=Submit
Blocked
Yes
ID
416
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Lady Gaga&SUBMIT=Submit
Blocked
Yes
ID
417
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Britney&SUBMIT=Submit
Blocked
Yes
ID
418
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Madonna&SUBMIT=Submit
Blocked
Yes
ID
419
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Barak&SUBMIT=Submit
Blocked
Yes
ID
420
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=Obama&SUBMIT=Submit
Blocked
Yes
ID
421
Method
GET
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Blocked
Yes
ID
422
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=65439887&SUBMIT=Submit
Blocked
Yes
ID
423
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=232766544&SUBMIT=Submit
Blocked
Yes
ID
424
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=0875446546&SUBMIT=Submit
Blocked
Yes
ID
425
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=4567678989&SUBMIT=Submit
Blocked
Yes
ID
426
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=8765543227764&SUBMIT=Submit
Blocked
Yes
ID
427
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=8765543227764&SUBMIT=Submit
Blocked
Yes
ID
428
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=123456789&SUBMIT=Submit
Blocked
Yes
ID
429
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=30004000&SUBMIT=Submit
Blocked
Yes
ID
430
Method
POST
Attack Type
Not an Attack
URL
http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Headers
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.56.101/WebGoat/attack?Screen=2634&menu=900
Body
title=&message=6666666666&SUBMIT=Submit
Blocked
Yes