I'm working through OWASP's "WebGoat" (version 5.4) vulnerable web application, but I'm getting stuck on one of the earliest lessons which is to do with HTTP response splitting.
I've looked in all the hints and the solution (and even at all the tutorials dotted about the interwebs), but I still can't get it to work.
I've even completely modified my web server's response to:

    HTTP/1.1 302 Moved Temporarily
    Server: Apache-Coyote/1.1
    Location: http://localhost/WebGoat/attack?Screen=3&menu=100&fromRedirect=yes&language=en
    Content-Length: 0

    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 19

    <html>Graeme</html>
    Content-Type: text/html;charset=ISO-8859-1
    Content-length: 0
    Date: Sun, 28 Jul 2013 20:26:13 GMT

I'm fairly confident that this is supposed to make my browser display "Grezzo", but instead it's following the first response rather than the second response. I even tried taking out the first "Content-Length: 0" line, but it makes no difference.
What's going on here? Am I missing something? Perhaps modern web browsers always follow the first response these days?
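
Added example, not part of the original post: a small Python framer that splits the byte stream above into messages the way HTTP/1.1 defines them (headers up to a blank line, then exactly `Content-Length` body bytes). The CRLF line endings and blank lines in `RAW` are assumed where HTTP requires them, and `read_message` and `frame_stream` are hypothetical helper names.

```python
# Added example: frame a raw byte stream by HTTP/1.1 message boundaries.
# RAW is constructed from the response quoted in the post; CRLFs are assumed.
RAW = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Location: http://localhost/WebGoat/attack?Screen=3&menu=100&fromRedirect=yes&language=en\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"<html>Graeme</html>\r\n"
    b"Content-Type: text/html;charset=ISO-8859-1\r\n"
    b"Content-length: 0\r\n"
    b"Date: Sun, 28 Jul 2013 20:26:13 GMT\r\n"
    b"\r\n"
)

def read_message(buf):
    """Return (status_line, headers, body, rest) for the first message, or None."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None  # no complete header block that starts with a status line
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Simplification: only Content-Length framing is handled (no chunked
    # encoding, no read-until-close); a missing header is treated as 0.
    length = int(headers.get("content-length", "0"))
    return lines[0], headers, rest[:length], rest[length:]

def frame_stream(buf):
    """Split buf into consecutive messages; return (messages, leftover_bytes)."""
    messages = []
    while (msg := read_message(buf)) is not None:
        status, headers, body, buf = msg
        messages.append((status, headers, body))
    return messages, buf

if __name__ == "__main__":
    msgs, leftover = frame_stream(RAW)
    for status, headers, body in msgs:
        print(status, "| body:", body)
    print("unframed leftover:", leftover)
```

Run on this input, the framer yields a complete 302 with an empty body, then the 200 as a second, separate message, and leaves the trailing header lines unframed because they follow the 19 body bytes without a status line.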