team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'top-10-2013' of github.com:OWASP/railsgoat into top-10-2013

Browse Source
This commit is contained in:
cktricky
2013-11-13 18:24:33 -05:00
parent efcb7b8c4b af8776a3ea
commit 447c408699
7 changed files with 140 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/admin_controller.rb
+7 -1
View File
@@ -1,6 +1,6 @@
class AdminController < ApplicationController
# before_filter :administrative
before_filter :administrative, :if => :admin_param
skip_before_filter :has_info
def dashboard
@@ -45,4 +45,10 @@ class AdminController < ApplicationController
end
end
private
def admin_param
params[:admin_id] != '1'
end
end
app/controllers/application_controller.rb
+1 -1
View File
@@ -23,7 +23,7 @@ class ApplicationController < ActionController::Base
def administrative
if not is_admin?
reset_session
#reset_session
redirect_to root_url
end
end
app/controllers/tutorials_controller.rb
+3
View File
@@ -64,6 +64,9 @@ class TutorialsController < ApplicationController
def insecure_components
end
def access_control
end
def crypto
end
app/views/layouts/tutorial/_sidebar.html.erb
+4 -4
View File
@@ -57,12 +57,12 @@
A6 Exposure
<% end %>
</li>
<li id="access">
<%= link_to url_access_tutorials_path do %>
<li id="access_control">
<%= link_to access_control_tutorials_path do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe094;"></span>
</div>
A7 Access
A7 Access Control
<% end %>
</li>
<li id="csrf">
@@ -73,7 +73,7 @@
A8 CSRF
<% end %>
</li>
<li id="ssl_tls">
<li id="insecure_components">
<%= link_to insecure_components_tutorials_path do %>
<div class="icon">
<span class="fs1" aria-hidden="true" data-icon="&#xe094;"></span>
app/views/layouts/tutorial/access_control/_access_control_first.html.erb
+107
View File
@@ -0,0 +1,107 @@
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A7 - Missing Function Level Access Control
</div>
</div>
<div class="widget-body">
<div id="accordion1" class="accordion no-margin">
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-info icon-white">
</i>
Description
</a>
</div>
<div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
<div class="accordion-inner">
Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-bug icon-white">
</i>
Bug
</a>
</div>
<div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
<div class="accordion-inner">
<p class="desc">
Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. Currently, the methods to apply a before_filter already exist in the application controller but were forgotten when creating the administrative functionality. Notice an asbsence of the before_filter within app/controllers/admin_controller.rb
</p>
<pre class="ruby">
<%= %q{
class AdminController < ApplicationController
skip_before_filter :has_info
} %>
</pre>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-lightning icon-white">
</i>
Solution
</a>
</div>
<div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
<div class="accordion-inner">
<p><b>Failure to Restrict URL Access - ATTACK</b></p>
<p class="desc">
Request the following URL /admin/1/dashboard and have fun :-)
</p>
<p><b>Failure to Restrict URL Access - SOLUTION</b></p>
<p class="desc">
The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb:
</p>
<pre class="ruby">
helper_method :current_user, <span style="background-color:yellow">:is_admin?</span>
def is_admin?
current_user.admin if current_user
end
def administrative
if not is_admin?
reset_session
redirect_to root_url
end
end
</pre>
<p>
Then add the following line within app/controllers/admin_controller.rb
</p>
<pre class="ruby">
class AdminController < ApplicationController
<span style="background-color:yellow">before_filter :administrative</span>
skip_before_filter :has_info
</pre>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-aid icon-white">
</i>
Hint
</a>
</div>
<div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
<div class="accordion-inner">
I bet there is some admin functionality in here :-)
</div>
</div>
</div>
</div>
</div>
</div>
app/views/tutorials/access_control.html.erb
+17
View File
@@ -0,0 +1,17 @@
<div class="dashboard-wrapper">
<div class="main-container">
<div class="row-fluid">
<div class="span12"> <!-- Begin Span12 -->
<%= render :partial => "layouts/tutorial/access_control/access_control_first" %>
</div> <!-- End Span12 -->
</div>
</div>
</div>
<script type="text/javascript">
function makeActive(){
$('li[id="access_control"]').addClass('active');
};
$(document).ready(makeActive);
</script>
config/routes.rb
+1
View File
@@ -48,6 +48,7 @@ Railsgoat::Application.routes.draw do
get "exposure"
get "url_access"
get "insecure_components"
get "access_control"
get "ssl_tls"
get "redirects"
get "guard"