team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit (history cleared)
CI / test (3.4.1) (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Robbie Paul
2026-04-29 11:21:39 +01:00
commit 298610b5f6
277 changed files with 30877 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/views/sessions/new.html.erb
Executable
+102
View File
@@ -0,0 +1,102 @@
<div class="rg-login-wrapper">
<div class="rg-login-card">
<div class="rg-login-header">
<div class="rg-login-logo">
<i class="bi bi-shield-fill-exclamation"></i>
</div>
<h2 class="mb-1">MetaCorp</h2>
<p class="text-muted mb-0">A GoatGroup Company</p>
</div>
<%= form_tag "sessions", class: "needs-validation", novalidate: true do %>
<div class="mb-3">
<label for="email" class="form-label">Email Address</label>
<div class="input-group">
<span class="input-group-text"><i class="bi bi-envelope"></i></span>
<%= text_field_tag :email, params[:email], {
class: "form-control",
id: "email",
placeholder: "you@example.com",
required: true,
autofocus: true
} %>
</div>
</div>
<div class="mb-3">
<label for="password" class="form-label">Password</label>
<div class="input-group">
<span class="input-group-text"><i class="bi bi-lock"></i></span>
<%= password_field_tag :password, nil, {
class: "form-control",
id: "password",
placeholder: "Enter your password",
required: true
} %>
</div>
</div>
<%= hidden_field_tag :url, @url %>
<div class="mb-3 form-check">
<%= check_box_tag :remember_me, 1, params[:remember_me], {
id: "remember_me",
class: "form-check-input"
} %>
<label class="form-check-label" for="remember_me">
Remember me
</label>
</div>
<div class="d-grid gap-2">
<%= submit_tag "Login", class: "btn btn-primary btn-lg" %>
</div>
<div class="text-center mt-3">
<%= link_to "Forgot Password?", forgot_password_path, class: "text-decoration-none" %>
</div>
<hr class="my-4">
<div class="text-center">
<p class="text-muted mb-2">Don't have an account?</p>
<%= link_to "Sign up now", signup_path, class: "btn btn-outline-primary" %>
</div>
<% end %>
<div class="mt-4 p-3 rounded" style="background: linear-gradient(135deg, rgba(255, 193, 7, 0.1), rgba(255, 152, 0, 0.1)); border: 2px solid rgba(255, 193, 7, 0.3); backdrop-filter: blur(10px);">
<div class="d-flex align-items-start">
<i class="bi bi-exclamation-triangle-fill text-warning me-2 mt-1" style="font-size: 1.25rem;"></i>
<div class="small">
<strong class="d-block mb-1">Security Training Environment</strong>
This is an intentionally vulnerable application for educational purposes.
<a href="https://github.com/OWASP/railsgoat/wiki" target="_blank" class="text-warning fw-semibold text-decoration-none">Learn more →</a>
</div>
</div>
</div>
</div>
</div>
<!-- VULNERABILITY: XSS via URL hash parameter -->
<script>
// support for multiple languages coming soon!
try {
var hashParam = location.hash.split("#")[1];
if (hashParam) {
var paramName = hashParam.split('=')[0];
var paramValue = decodeURIComponent(hashParam.split('=')[1]);
// VULNERABLE: Directly writing user input to DOM
document.write("<div class='alert alert-info mt-3'>" + paramValue + "</div>");
}
} catch(err) {
// Silently fail
}
</script>
<style>
/* Override main content styling for login page */
.rg-main.no-sidebar {
margin: 0;
padding: 0;
}
</style>