team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/OWASP/railsgoat

Browse Source
This commit is contained in:
Al Snow
2013-11-08 08:28:50 -05:00
parent 98ccf0bd41 9f34e4fa37
commit 46128211e1
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/views/layouts/tutorial/csrf/_csrf_first.html.erb
+2 -2
View File
@@ -60,7 +60,7 @@
<div class="accordion-inner">
<p><b> Cross-Site Request Forgery ATTACK:</b></p>
<p class="desc">
The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will <b>not</b> validate either it's presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.
The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will <b>not</b> validate either its presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.
</p>
<p>
<pre class="ruby">
@@ -84,7 +84,7 @@
<p><b> Cross-Site Request Forgery SOLUTION:</b></p>
<p>
By Default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. There are two separate solutions around the JS problem.
By default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. There are two separate solutions around the JS problem.
</p>
<p>
Once protect_from_forgery is added back...
app/views/layouts/tutorial/xss/_xss_first.html.erb
+1 -1
View File
@@ -84,7 +84,7 @@
<div class="accordion-inner">
<p class="desc">
Apparently we had some issues rendering people's names with weird formatting or something, I dunno, I think I fixed it by safely encoding html and rendering the necessary content.<br/><br/>
Your <b>Welcome</b>!
You're <b>Welcome</b>!
</p>
</div>
</div>