diff --git a/spec/features/command_injection_spec.rb b/spec/features/command_injection_spec.rb
index e1ef311..d2b8a55 100644
--- a/spec/features/command_injection_spec.rb
+++ b/spec/features/command_injection_spec.rb
@@ -21,10 +21,8 @@ feature 'command injection' do
 attach_file 'benefits_upload', hackety_file
 find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
 end
- save_screenshot('screenshot.before.upload.png')
 click_on 'Start Upload'
 end
- save_screenshot('screenshot.after.upload.png')
 File.exists?(legit_file).should be_false
 end
 end
\ No newline at end of file
diff --git a/spec/features/csrf_spec.rb b/spec/features/csrf_spec.rb
new file mode 100644
index 0000000..b088291
--- /dev/null
+++ b/spec/features/csrf_spec.rb
@@ -0,0 +1,44 @@
+require 'spec_helper'
+require 'tmpdir'
+
+feature 'csrf' do
+ before do
+ UserFixture.reset_all_users
+ @normal_user = UserFixture.normal_user
+ end
+
+ scenario 'csrf attack to pto', :js => true do
+ visit '/'
+ # TODO: is there a way to get this without visiting root first?
+ base_url = current_url
+
+ login @normal_user
+
+ Dir.mktmpdir do |dir|
+ hackety_file = File.join(dir, 'form.on.bad.guy.site.html')
+ post_url = "#{base_url}schedule.json"
+ File.open(hackety_file, 'w') do |f|
+ f.print <<-HTML
+ +
+ + + + HTML
+ end
+
+ page.driver.visit "file://#{hackety_file}"
+ within('#submit_me') do
+ click_on 'Submit request'
+ end
+ end
+
+ @normal_user.reload.paid_time_off.schedule.last.event_name.should == 'Bad Guy'
+ end
+end
\ No newline at end of file
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
index a5bea9f..f7c4694 100644
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -18,7 +18,6 @@ feature 'xss' do
 fill_in 'user_password_confirmation', :with => @normal_user.clear_password
 end
 click_on 'Submit'
- save_screenshot('screenshot.post.submit.png')
 visit '/'
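Review bot: The closing assertion `@normal_user.reload.paid_time_off.schedule.last.event_name.should == 'Bad Guy'` pins the success of the forged cross-origin POST, so this scenario stays green only while `schedule.json` accepts a request that carries no authenticity token, and nothing in the file says whether that is the intended demonstration or a regression still to be fixed. A comment above the assertion would settle it, e.g. `# Documents the CSRF weakness: once forgery protection is enabled on schedule.json this expectation must invert` — and for the protected configuration the line becomes `@normal_user.reload.paid_time_off.schedule.last.event_name.should_not == 'Bad Guy'`. Separately, `post_url = "#{base_url}schedule.json"` depends on `current_url` ending in `/` after `visit '/'`; `post_url = URI.join(base_url, 'schedule.json')` removes that dependency. The heredoc body of the forged form is not visible in this view, so its field names and action target cannot be checked here.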