From 91e6797b40cc34fe982e48f075a667845d5b3c83 Mon Sep 17 00:00:00 2001
From: Mike McCabe
Date: Wed, 13 Nov 2013 18:23:04 -0500
Subject: [PATCH 1/2] adding broken functionality for A7
---
 app/controllers/admin_controller.rb | 8 +++++++-
 app/controllers/application_controller.rb | 2 +-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 5926b40..d7a29c7 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -1,6 +1,6 @@
 class AdminController < ApplicationController
- # before_filter :administrative
+ before_filter :administrative, :if => :admin_param
 skip_before_filter :has_info
 def dashboard
@@ -45,4 +45,10 @@ class AdminController < ApplicationController
 end
 end
+
+ private
+
+ def admin_param
+ params[:admin_id] != '1'
+ end
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a0ef5cf..9d5628d 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -23,7 +23,7 @@ class ApplicationController < ActionController::Base
 def administrative
 if not is_admin?
- reset_session
+ #reset_session
 redirect_to root_url
 end
 end
From af8776a3eaaea2167366f00c0a8d165d95fb34ec Mon Sep 17 00:00:00 2001
From: Mike McCabe
Date: Wed, 13 Nov 2013 18:23:29 -0500
Subject: [PATCH 2/2] halfway done A7
---
 app/controllers/tutorials_controller.rb | 3 +
 app/views/layouts/tutorial/_sidebar.html.erb | 8 +-
 .../_access_control_first.html.erb | 107 ++++++++++++++++++
 app/views/tutorials/access_control.html.erb | 17 +++
 config/routes.rb | 1 +
 5 files changed, 132 insertions(+), 4 deletions(-)
 create mode 100644 app/views/layouts/tutorial/access_control/_access_control_first.html.erb
 create mode 100644 app/views/tutorials/access_control.html.erb
diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb
index fb4d61d..0b88a9e 100755
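Review bot: The guard on the new `before_filter` line is keyed to request input: `:if => :admin_param` makes `administrative` run only when `admin_param` is true, and the private `admin_param` added in the second hunk of this file returns `params[:admin_id] != '1'`, so any request carrying `admin_id=1` skips the role check entirely. The commit title says this is deliberate for the A7 exercise, so the point is documentation rather than a fix: both hunks should carry a marker comment such as `# INTENTIONALLY VULNERABLE (A7 tutorial): role check is skipped when admin_id == '1'` so the condition is not mistaken for a real guard and a maintainer can see exactly what the tutorial's solution removes. The form the tutorial teaches is the unconditional `before_filter :administrative`. As a style point, `admin_param` returns a boolean and would conventionally be named `admin_param?`.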
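Review bot: Commenting out `reset_session` on the `+` line of the `application_controller.rb` hunk leaves a dead line in `administrative` and changes its behaviour: a non-admin who reaches a guarded action is now redirected with their session left intact rather than being logged out. If that is intended for the A7 exercise, replace the bare `#reset_session` with a why-comment, e.g. `# reset_session deliberately disabled for the A7 tutorial`, or delete the line; as written it reads like a forgotten toggle. The tutorial partial added in the second patch still shows `reset_session` active in its SOLUTION snippet, so the text and the code now disagree. The enclosing class continues outside the hunk.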
--- a/app/controllers/tutorials_controller.rb
+++ b/app/controllers/tutorials_controller.rb
@@ -64,6 +64,9 @@ class TutorialsController < ApplicationController
 def insecure_components
 end
+
+ def access_control
+ end
 def crypto
 end
diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb
index 10e885f..acfdfd7 100755
--- a/app/views/layouts/tutorial/_sidebar.html.erb
+++ b/app/views/layouts/tutorial/_sidebar.html.erb
@@ -57,12 +57,12 @@ A6 Exposure <% end %> -
  • - <%= link_to url_access_tutorials_path do %> +
  • + <%= link_to access_control_tutorials_path do %>
    - A7 Access + A7 Access Control <% end %>
  • @@ -73,7 +73,7 @@ A8 CSRF <% end %>
  • -
  • +
  • <%= link_to insecure_components_tutorials_path do %>
    diff --git a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb
new file mode 100644
index 0000000..cce74f4
--- /dev/null
+++ b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb
@@ -0,0 +1,107 @@
+
    +
    +
    + A7 - Missing Function Level Access Control +
    +
    +
    +
    +
    + +
    +
    + Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. +
    +
    +
    +
    + +
    +
    +

    + Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. Currently, the methods to apply a before_filter already exist in the application controller but were forgotten when creating the administrative functionality. Notice an asbsence of the before_filter within app/controllers/admin_controller.rb +

    +
    +        <%= %q{
    +        class AdminController < ApplicationController
    +        
    +          skip_before_filter :has_info
    +        } %>
    +        
    + +
    +
    +
    +
    + +
    +
    +

    Failure to Restrict URL Access - ATTACK

    +

    + Request the following URL /admin/1/dashboard and have fun :-) +

    +

    Failure to Restrict URL Access - SOLUTION

    +

    + The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb: +

    +
    +        helper_method :current_user, :is_admin?
    +        
    +        def is_admin?
    +            current_user.admin if current_user 
    +          end
    +      
    +          def administrative
    +            if not is_admin?
    +             reset_session
    +             redirect_to root_url
    +           end
    +          end
    +        
    +

    + Then add the following line within app/controllers/admin_controller.rb +

    +
    +        class AdminController < ApplicationController
    +
    +          before_filter :administrative
    +          skip_before_filter :has_info
    +        
    +
    +
    +
    +
    + +
    +
    + I bet there is some admin functionality in here :-) +
    +
    +
    +
    +
    +
    \ No newline at end of file
diff --git a/app/views/tutorials/access_control.html.erb b/app/views/tutorials/access_control.html.erb
new file mode 100644
index 0000000..6796302
--- /dev/null
+++ b/app/views/tutorials/access_control.html.erb
@@ -0,0 +1,17 @@
+
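Review bot: The SOLUTION section of this new partial does not match the code shipped in the first patch of this series: its `administrative` snippet shows `reset_session` active while `application_controller.rb` now has that line commented out, and it instructs the reader to add `before_filter :administrative` although `admin_controller.rb` already contains `before_filter :administrative, :if => :admin_param`, so a reader following the text would keep the `:if` condition that causes the bypass. The solution text should state that the `:if => :admin_param` clause and the private `admin_param` helper must be removed, not merely that the filter be added, and the description's claim of an "absence" of the filter should be reworded to match. The `is_admin?`/`administrative` snippet also has uneven indentation, and the description has a typo: `asbsence` should read `absence`.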
    +
    +
    +
    + <%= render :partial => "layouts/tutorial/access_control/access_control_first" %> +
    +
    +
    +
    +
+
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index 39206f2..800d3d7 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -48,6 +48,7 @@ Railsgoat::Application.routes.draw do
 get "exposure"
 get "url_access"
 get "insecure_components"
+ get "access_control"
 get "ssl_tls"
 get "redirects"
 get "guard"