Merge branch 'top-10-2013' of github.com:OWASP/railsgoat into top-10-2013
This commit is contained in:
cktricky
@@ -31,13 +31,19 @@
|
||||
<div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
|
||||
<div class="accordion-inner">
|
||||
<p class="desc">
|
||||
Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. Currently, the methods to apply a before_filter already exist in the application controller but were forgotten when creating the administrative functionality. Notice an asbsence of the before_filter within app/controllers/admin_controller.rb
|
||||
Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. These filters can be skipped on certain actions or controllers and entirely if certain conditions are met. In this case, the before_filter is being skipped if the admin_id param is equal to 1.
|
||||
</p>
|
||||
<pre class="ruby">
|
||||
<%= %q{
|
||||
class AdminController < ApplicationController
|
||||
|
||||
skip_before_filter :has_info
|
||||
before_filter :administrative, :if => :admin_param
|
||||
|
||||
...
|
||||
|
||||
def admin_param
|
||||
params[:id] == '1'
|
||||
end
|
||||
} %>
|
||||
</pre>
|
||||
|
||||
@@ -56,37 +62,21 @@
|
||||
<div class="accordion-inner">
|
||||
<p><b>Failure to Restrict URL Access - ATTACK</b></p>
|
||||
<p class="desc">
|
||||
Request the following URL /admin/1/dashboard and have fun :-)
|
||||
Request the following URL: /admin/1/dashboard and have fun :-)
|
||||
</p>
|
||||
<p><b>Failure to Restrict URL Access - SOLUTION</b></p>
|
||||
<p class="desc">
|
||||
The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb:
|
||||
The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows:
|
||||
</p>
|
||||
<pre class="ruby">
|
||||
helper_method :current_user, <span style="background-color:yellow">:is_admin?</span>
|
||||
|
||||
def is_admin?
|
||||
current_user.admin if current_user
|
||||
end
|
||||
|
||||
def administrative
|
||||
if not is_admin?
|
||||
reset_session
|
||||
redirect_to root_url
|
||||
end
|
||||
end
|
||||
</pre>
|
||||
<p>
|
||||
Then add the following line within app/controllers/admin_controller.rb
|
||||
</p>
|
||||
<pre class="ruby">
|
||||
<%= %q{
|
||||
class AdminController < ApplicationController
|
||||
|
||||
<span style="background-color:yellow">before_filter :administrative</span>
|
||||
skip_before_filter :has_info
|
||||
</pre>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
before_filter :administrative, :if => :admin_param
|
||||
} %>
|
||||
</pre>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="accordion-group">
|
||||
<div class="accordion-heading">
|
||||
@@ -96,6 +86,7 @@
|
||||
Hint
|
||||
</a>
|
||||
</div>
|
||||
</div>
|
||||
<div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
|
||||
<div class="accordion-inner">
|
||||
I bet there is some admin functionality in here :-)
|
||||
|
||||
Reference in New Issue
Block a user