Initial commit (history cleared)

spec/vulnerabilities/broken_auth_spec.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+require "spec_helper"
+
+feature "broken_auth" do
+  let(:normal_user) { UserFixture.normal_user }
+
+  before do
+    UserFixture.reset_all_users
+
+    skip unless verifying_fixed?
+  end
+
+  scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
+    wrong_email = normal_user.email + "not"
+
+    visit "/"
+    fill_in "email", with: wrong_email
+    fill_in "password", with: normal_user.clear_password
+    find("input[type='submit'][value='Login']").click
+
+    expect(find("div#flash_notice").text).not_to include(wrong_email)
+  end
+
+  scenario "two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
+    visit "/"
+    fill_in "email", with: normal_user.email
+    fill_in "password", with: normal_user.clear_password + "not"
+    find("input[type='submit'][value='Login']").click
+
+    expect(find("div#flash_notice").text).not_to include("Incorrect Password!")
+  end
+end