diff --git a/.ruby-version b/.ruby-version
index cc6c9a4..8e8299d 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.3.5
+2.4.2
diff --git a/.travis.yml b/.travis.yml
index 8e4ea97..da33b7b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
 language: ruby
 rvm:
- - "2.3.5"
+ - "2.4.2"
 before_install:
 - "phantomjs --version"
diff --git a/Dockerfile b/Dockerfile
index 744f6b0..1b9bc1d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ruby:2.3.5
+FROM ruby:2.4.2
 RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs
 RUN mkdir /myapp
 WORKDIR /myapp
diff --git a/Gemfile b/Gemfile
index e1223b0..d14933a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,7 +3,7 @@ source 'https://rubygems.org'
 #don't upgrade
 gem 'rails', '5.1.4'
-ruby '2.3.5'
+ruby '2.4.2'
 gem 'rake'
 gem 'rails-perftest'
diff --git a/Gemfile.lock b/Gemfile.lock
index 07327f5..5cbc89b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -55,7 +55,7 @@ GEM
 rack (>= 0.9.0)
 binding_of_caller (0.7.2)
 debug_inspector (>= 0.0.1)
- brakeman (3.7.2)
+ brakeman (4.0.1)
 builder (3.2.3)
 bundler-audit (0.6.0)
 bundler (~> 1.2)
@@ -81,6 +81,7 @@ GEM
 concurrent-ruby (1.0.5)
 contracts (0.16.0)
 crack (0.3.1)
+ crass (1.0.2)
 cucumber (2.4.0)
 builder (>= 2.1.2)
 cucumber-core (~> 1.5.0)
@@ -153,7 +154,8 @@ GEM
 rb-fsevent (~> 0.9, >= 0.9.4)
 rb-inotify (~> 0.9, >= 0.9.7)
 ruby_dep (~> 1.2)
- loofah (2.0.3)
+ loofah (2.1.1)
+ crass (~> 1.0.2)
 nokogiri (>= 1.5.9)
 lumberjack (1.0.12)
 mail (2.6.6)
@@ -348,7 +350,7 @@ DEPENDENCIES
 unicorn
 RUBY VERSION
- ruby 2.3.5p376
+ ruby 2.4.2p198
 BUNDLED WITH
- 1.16.0.pre.2
+ 1.15.4
diff --git a/README.md b/README.md
index d7ac746..b990958 100755
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ If you are looking for support or troubleshooting assistance, please visit our [
 To begin, install the Ruby Version Manager (RVM):
 ```bash
-$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.3.5
+$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.4.2
 ```
 After installing the package, clone this repo:
diff --git a/app/models/work_info.rb b/app/models/work_info.rb
index 2642aec..bdf65df 100644
--- a/app/models/work_info.rb
+++ b/app/models/work_info.rb
@@ -9,18 +9,18 @@ class WorkInfo < ApplicationRecord
 end
 def encrypt_ssn
- aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes = OpenSSL::Cipher.new(cipher_type)
 aes.encrypt
- aes.key = key
+ aes.key = key[0..31]
 aes.iv = iv if iv != nil
 self.encrypted_ssn = aes.update(self.SSN) + aes.final
 self.SSN = nil
 end
 def decrypt_ssn
- aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes = OpenSSL::Cipher.new(cipher_type)
 aes.decrypt
- aes.key = key
+ aes.key = key[0..31]
 aes.iv = iv if iv != nil
 aes.update(self.encrypted_ssn) + aes.final
 end
diff --git a/lib/encryption.rb b/lib/encryption.rb
index 85cd165..31eeda3 100644
--- a/lib/encryption.rb
+++ b/lib/encryption.rb
@@ -2,19 +2,19 @@ module Encryption
 # Added a re-usable encryption routine, shouldn't be an issue!
 def self.encrypt_sensitive_value(val="")
- aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes = OpenSSL::Cipher.new(cipher_type)
 aes.encrypt
- aes.key = key
- aes.iv = iv if iv != nil
+ aes.key = key[0..31]
+ aes.iv = iv[0..15] if iv != nil
 new_val = aes.update("#{val}") + aes.final
 Base64.strict_encode64(new_val).encode('utf-8')
 end
 def self.decrypt_sensitive_value(val="")
- aes = OpenSSL::Cipher::Cipher.new(cipher_type)
+ aes = OpenSSL::Cipher.new(cipher_type)
 aes.decrypt
- aes.key = key
- aes.iv = iv if iv != nil
+ aes.key = key[0..31]
+ aes.iv = iv[0.15] if iv != nil
 decoded = Base64.strict_decode64("#{val}")
 aes.update("#{decoded}") + aes.final
 end
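Review bot: The IV is still assigned unsliced in both `encrypt_ssn` and `decrypt_ssn` (`aes.iv = iv if iv != nil`) while the key is cut to `key[0..31]`; the openssl 2.0 gem bundled with Ruby 2.4 raises `ArgumentError` on a wrong-length key or IV instead of silently truncating as 2.3 did, so if `iv` here has the same source as the one in `lib/encryption.rb` (both `key` and `iv` are defined outside this hunk) these methods will fail with the same `iv must be 16 bytes` error that the committed `r` output shows. `key[0..31]` is also a character slice rather than a byte slice, so a non-ASCII or binary-tagged string can yield fewer or more than 32 bytes; `aes.key = key.byteslice(0, 32)` and `aes.iv = iv.byteslice(0, 16) if iv` say what is meant and reproduce 2.3's implicit behaviour exactly. Truncating a longer secret to its first 32 bytes means the remainder contributes nothing — if `key` is hex- or base64-encoded text rather than raw bytes, the effective key is far weaker than AES-256 suggests, so confirm how `key` is produced before treating the slice as equivalent. If `iv` is a fixed per-application value, equal SSNs encrypt to equal ciphertexts under the likely CBC mode; a per-record random IV stored next to `encrypted_ssn` avoids that (pre-existing, not introduced by this hunk, but worth a `# NOTE` on the assignment).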
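Review bot: `aes.iv = iv[0.15] if iv != nil` in `decrypt_sensitive_value` is a typo for `iv[0..15]`: `0.15` is a Float index, which `String#[]` coerces to `0`, so it yields a one-character string and `aes.iv=` raises `ArgumentError: iv must be 16 bytes` on every decrypt, while the encrypt side now works — nothing encrypted by this module can be read back. The fix is `aes.iv = iv[0..15] if iv != nil`, or better `aes.iv = iv.byteslice(0, 16) if iv` together with `aes.key = key.byteslice(0, 32)` in both methods, since `[]` slices characters rather than bytes. A spec asserting `decrypt_sensitive_value(encrypt_sensitive_value("x")) == "x"` would have caught this; the `r` file added at the repository root (rspec output from before this fix, including local machine paths) looks accidental and should be dropped from the commit. Slicing the secret to its first 32/16 bytes silently discards the rest — if `key` and `iv` (defined outside the hunk) are encoded text rather than raw bytes, the effective key is much weaker than the cipher's nominal strength, so confirm their format rather than only restoring 2.3's implicit truncation.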
diff --git a/r b/r
new file mode 100644
index 0000000..4165392
--- /dev/null
+++ b/r
@@ -0,0 +1,393 @@ + +Randomized with seed 33309 +FFFFFFFFFFFFFFFFFFFFF + +Failures: + + 1) improper password hashing with just md5 +Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/password_hashing_spec.rb:5:in `block (2 levels) in ' + + 2) command injection attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/command_injection_spec.rb:6:in `block (2 levels) in ' + + 3) csrf attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in 
`block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/csrf_spec.rb:6:in `block (2 levels) in ' + + 4) url access attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller) + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/url_access_spec.rb:5:in `block (2 levels) in ' + + 5) broken_auth one +Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in ' + + 6) broken_auth two +Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # 
/Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in ' + + 7) xss attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/xss_spec.rb:5:in `block (2 levels) in ' + + 8) insecure direct object reference attack one + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in ' + + 9) insecure direct object reference attack two +Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + 
# ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in ' + + 10) sql injection attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/sql_injection_spec.rb:5:in `block (2 levels) in ' + + 11) User can be instantiated + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in ' + + 12) User name can be updated + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # 
/Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in ' + + 13) mass assignment attack one + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in ' + + 14) mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in ' + + 15) password complexity one +Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # 
./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/password_complexity_spec.rb:5:in `block (2 levels) in ' + + 16) User can be instantiated + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' + + 17) User should require a email + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' + + 18) User should require valid email + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # 
./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' + + 19) User should require unique email + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' + + 20) User name can be updated + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in `each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' + + 21) unvalidated redirect attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to) + Failure/Error: aes.iv = iv if iv != nil + + ArgumentError: + iv must be 16 bytes + # ./lib/encryption.rb:8:in `iv=' + # ./lib/encryption.rb:8:in `encrypt_sensitive_value' + # ./app/models/user.rb:82:in `generate_token' + # ./app/models/user.rb:23:in `block in ' + # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' + # ./db/seeds.rb:270:in `block in ' + # ./db/seeds.rb:267:in 
`each' + # ./db/seeds.rb:267:in `' + # ./spec/support/user_fixture.rb:4:in `reset_all_users' + # ./spec/vulnerabilities/unvalidated_redirects_spec.rb:5:in `block (2 levels) in ' + +Finished in 0.2747 seconds (files took 2.04 seconds to load) +21 examples, 21 failures + +Failed examples: + +rspec ./spec/vulnerabilities/password_hashing_spec.rb:9 # improper password hashing with just md5 +Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage +rspec ./spec/vulnerabilities/command_injection_spec.rb:10 # command injection attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection +rspec ./spec/vulnerabilities/csrf_spec.rb:10 # csrf attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF +rspec ./spec/vulnerabilities/url_access_spec.rb:9 # url access attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller) +rspec ./spec/vulnerabilities/broken_auth_spec.rb:9 # broken_auth one +Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration +rspec ./spec/vulnerabilities/broken_auth_spec.rb:22 # broken_auth two +Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration +rspec ./spec/vulnerabilities/xss_spec.rb:9 # xss attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting +rspec ./spec/vulnerabilities/insecure_dor_spec.rb:9 # insecure direct object reference attack one +rspec ./spec/vulnerabilities/insecure_dor_spec.rb:23 # insecure direct object reference attack two +Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference +rspec ./spec/vulnerabilities/sql_injection_spec.rb:10 # sql injection attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation +rspec ./spec/models/benefits_spec.rb:13 # User can be instantiated +rspec ./spec/models/benefits_spec.rb:17 # User name can be updated +rspec 
./spec/vulnerabilities/mass_assignment_spec.rb:9 # mass assignment attack one +rspec ./spec/vulnerabilities/mass_assignment_spec.rb:24 # mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role +rspec ./spec/vulnerabilities/password_complexity_spec.rb:9 # password complexity one +Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity +rspec ./spec/models/user_spec.rb:13 # User can be instantiated +rspec ./spec/models/user_spec.rb:17 # User should require a email +rspec ./spec/models/user_spec.rb:21 # User should require valid email +rspec ./spec/models/user_spec.rb:25 # User should require unique email +rspec ./spec/models/user_spec.rb:30 # User name can be updated +rspec ./spec/vulnerabilities/unvalidated_redirects_spec.rb:9 # unvalidated redirect attack +Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to) + +Randomized with seed 33309 +