XSS Capybara spec added.

spec/features/command_injection_spec.rb

@@ -3,21 +3,12 @@ require 'tmpdir'
 
 feature 'command injection' do
   before do
-    User.delete_all
+    UserFixture.reset_all_users
-    Rails.application.load_seed
+    @normal_user = UserFixture.normal_user
-    @normal_user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
-                            :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
-    @normal_user.build_benefits_data
-    @normal_user.save!
   end
 
   scenario 'injection attack on file upload', :js => true do
-    visit '/'
+    login(@normal_user)
-    within('.signup') do
-      fill_in 'email', :with => 'joe@schmoe.com'
-      fill_in 'password', :with => 'aoeuaoeu'
-    end
-    click_on 'Login'
 
     legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
     File.open(legit_file, 'w') { |f| f.puts 'totes legit' }

spec/features/sql_injection_spec.rb

@@ -2,22 +2,15 @@ require 'spec_helper'
 
 feature 'sql injection' do
   before do
-    User.delete_all
+    UserFixture.reset_all_users
-    Rails.application.load_seed
+    @normal_user = UserFixture.normal_user
-    @normal_user = User.create!(:first_name => 'Joe', :last_name => 'Schmoe',
-                                :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
     @admin_user = User.where("admin='t'").first
   end
 
   scenario 'injection attack on account_settings' do
     @admin_user.admin.should be_true
 
-    visit '/'
+    login(@normal_user)
-    within('.signup') do
-      fill_in 'email', :with => 'joe@schmoe.com'
-      fill_in 'password', :with => 'aoeuaoeu'
-    end
-    click_on 'Login'
 
     visit "/users/#{@normal_user.user_id}/account_settings"
     within('#account_edit') do

spec/features/xss_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+feature 'xss' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'injection attack on account_settings', :js => true do
+    login @normal_user
+
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    within('#account_edit') do
+      fill_in 'First name', :with => "B<script>$(function() { $('form.button_to input.btn.btn-primary').val('RailsGoat h4x0r3d') } )</script>"
+
+      # password gets screwed up if you don't re-submit - need to fix
+      fill_in 'user_password', :with => @normal_user.clear_password
+      fill_in 'user_password_confirmation', :with => @normal_user.clear_password
+    end
+    click_on 'Submit'
+    save_screenshot('screenshot.post.submit.png')
+
+    visit '/'
+
+    find('form.button_to input.btn.btn-primary').value.should == 'RailsGoat h4x0r3d'
+
+    # might be nice to demonstrate posting cookie contents or somesuch, but
+    # this at least shows the vulnerability still exists.
+  end
+end

spec/support/capybara_shared.rb

@@ -0,0 +1,8 @@
+def login(user)
+  visit '/'
+  within('.signup') do
+    fill_in 'email', :with => user.email
+    fill_in 'password', :with => user.clear_password
+  end
+  click_on 'Login'
+end

spec/support/user_fixture.rb

@@ -0,0 +1,18 @@
+class UserFixture
+  def self.reset_all_users
+    User.delete_all
+    Rails.application.load_seed
+  end
+
+  def self.normal_user
+    password = 'aoeuaoeu'
+    user = User.new(:first_name => 'Joe', :last_name => 'Schmoe',
+                    :email => 'joe@schmoe.com', :password => password, :password_confirmation => password)
+    def user.clear_password
+      'aoeuaoeu'
+    end
+    user.build_benefits_data
+    user.save!
+    user
+  end
+end