From 01c246c902da88c8667fe110e1d86524e41a6e12 Mon Sep 17 00:00:00 2001
From: Ken Johnson <cktricky@Kens-MacBook-Pro.local>
Date: Thu, 25 Apr 2013 14:49:20 -0400
Subject: [PATCH] added a bunch of wording

---
 app/controllers/application_controller.rb |  2 +-
 app/controllers/tutorials_controller.rb   |  2 ++
 app/views/tutorials/csrf.html.erb         | 44 +++++++++++++++++++++--
 app/views/tutorials/xss.html.erb          |  6 +++-
 4 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c0a10b8..d998974 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -4,7 +4,7 @@ class ApplicationController < ActionController::Base
   helper_method :current_user
   
   # Our security guy keep talking about sea-surfing, cool story bro.
-  #protect_from_forgery
+  # protect_from_forgery
   
   private
 
diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb
index 4de5cde..9565ce8 100755
--- a/app/controllers/tutorials_controller.rb
+++ b/app/controllers/tutorials_controller.rb
@@ -32,6 +32,8 @@ class TutorialsController < ApplicationController
   end
   
   def csrf
+    @meta_code_bad = %{<%#= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->}
+    @meta_code_good = %{<%= csrf_meta_tags %> }
   end
   
   def misconfig
diff --git a/app/views/tutorials/csrf.html.erb b/app/views/tutorials/csrf.html.erb
index b88e645..d60acca 100644
--- a/app/views/tutorials/csrf.html.erb
+++ b/app/views/tutorials/csrf.html.erb
@@ -20,7 +20,7 @@
 		              </div>
 		              <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
 		                <div class="accordion-inner">
-		                  Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+		                  <p>A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.</p>
 		                </div>
 		              </div>
 		            </div>
@@ -34,7 +34,23 @@
 		              </div>
 		              <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
 		                <div class="accordion-inner">
-		                  Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+		                  <p><b>Cross-Site Request Forgery (CSRF) - The following code was taken from: /app/controllers/application_controller.rb and /app/views/layouts/application.html.erb</b></p>
+						  <p>application_controller.rb<<p>
+						  <p>
+							<font face="Courier New" style="color: rgb(69, 126, 136)">
+								<%= %{# Our security guy keep talking about sea-surfing, cool story bro.}%>
+								</br><%= %{
+							        # protect_from_forgery
+									} 
+								%>
+							</font>
+						  </p>
+						  <p> application.html.erb </p>
+						  <p>
+							  <font face="Courier New" style="color: rgb(69, 126, 136)">
+									<%= @meta_code_bad %>
+							  </font>
+						  </p>
 		                </div>
 		              </div>
 		            </div>
@@ -48,7 +64,29 @@
 		              </div>
 		              <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
 		                <div class="accordion-inner">
-		                  Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+		                  <p><b> Cross-Site Request Forgery ATTACK:</b></p>
+							<p>
+								Save this content to an .html file and open it...
+							</p>
+						   	<p>
+								<font face="Courier New" style="color: rgb(69, 126, 136)">
+									<%= 
+						   				%{
+						   					
+						   				} 
+						   			%>
+								</font>
+							</p>
+							
+						  <p><b> Cross-Site Request Forgery SOLUTION:</b></p>
+						  <p>
+							 By Default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. The solution around the JS problem is to add the following code within the header section of the application.html.erb file (or any other application layout file).
+						 </p>
+							<p>
+								<font face="Courier New" style="color: rgb(69, 126, 136)">
+									<%= @meta_code_good %>
+								</font>
+						  </p>
 		                </div>
 		              </div>
 		            </div>
diff --git a/app/views/tutorials/xss.html.erb b/app/views/tutorials/xss.html.erb
index f204b72..9a43d89 100644
--- a/app/views/tutorials/xss.html.erb
+++ b/app/views/tutorials/xss.html.erb
@@ -20,7 +20,7 @@
 		              </div>
 		              <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
 		                <div class="accordion-inner">
-		                  XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
+		                 <p>XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.</p>
 		                </div>
 		              </div>
 		            </div>
@@ -55,6 +55,10 @@
 		
 						 <p> When registering, enter your JavaScript tag such as <%= %{<script>alert("ohai")} %> in the First Name field. Upon login the header navigation bar will echo "Welcome" + your JS code. You can have your XSS code point the victim to a <%= link_to "BeEF server", "http://beefproject.com", {:style => "color: rgb(69, 126, 136)" } %> and have some fun as well.
 						 </p>
+						 <p><b> Stored Cross-Site Scripting SOLUTION:</b></p>
+						 <p> 
+							Often developers error on the side of using "html_safe" versus "raw" with the idea being one is safer than the other. In this example, simply removing the .html_safe call would both eliminate the attack (by default, Rails 3.x html encodes these dangerous chars). Rails 2.x would require that any potentially malicious content is wrapped within an h() tag. Potentially malicious content should be thought of anything that is dynamically generated. Also, it is important to note that if for some reason you wanted to render HTML code in literal form, you can use things like sanitize() or strip_tags().
+						 </p>
 		                </div>
 		              </div>
 		            </div>