Initial commit (history cleared)

2026-04-29 11:21:39 +01:00
commit 298610b5f6
277 changed files with 30877 additions and 0 deletions
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+require "spec_helper"
+
+feature "insecure direct object reference" do
+  let(:normal_user) { UserFixture.normal_user }
+  let(:another_user) { User.find_by(id: 2) }
+
+  before do
+    UserFixture.reset_all_users
+    skip unless verifying_fixed?
+  end
+
+  scenario "attack one" do
+    login(normal_user)
+
+    visit "/users/#{normal_user.id}/benefit_forms"
+    download_url = first(".widget-body a")[:href]
+    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
+
+    expect(page.status_code).not_to eq(200)
+    expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
+  end
+
+  scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
+    login(normal_user)
+
+    expect(normal_user.id).not_to eq(another_user.id)
+
+    visit "/users/#{another_user.id}/work_info"
+
+    expect(first("td").text).not_to include(another_user.full_name)
+    expect(first("td").text).to include(normal_user.full_name)
+  end
+end