created the info disclosure write-up. Close issue #16

app/views/layouts/tutorial/_sidebar.html.erb

@@ -99,8 +99,11 @@
         <li id="guard">
          <%= link_to "Guard", guard_tutorials_path %>
         </li>
-        <li>
+        <li id="info_dislosure">
           <a href="#">Session Secret</a>
+        </li>
+		<li>
+          <%= link_to "Info Dislosure", info_disclosure_tutorials_path %>
         </li>
         <li>
           <a href="#">DB Sessions</a>

app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb

@@ -0,0 +1,98 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> Information Disclosure (Sensitive)
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
+            <div class="accordion-inner">
+             <p class="desc">
+			  The application stores and returns full social security numbers. The clear-text storage of this value within the database falls under <%= link_to "Insecure Cryptographic Storage", crypto_tutorials_path, {:style => "color: rgb(181, 121, 158)"}%>. However, the other failure here is that the application returns this full SSN value within the response for the user's Work Info page. Although a portion of the SSN value is obfuscated using JavaScript (when rendered in the browser), any attacker who has positioned themselves to sniff this traffic or read the user's browser cache can extract the full value from the source. 
+			 </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
+            <div class="accordion-inner">
+               <p>
+				The bug is introduced within app/views/work_info/index.html.erb, seen on line 20:
+			   </p>
+			   <p>
+			   		<pre class="ruby">
+						<%= @bad_code_1 %>
+				 	</pre>
+				
+				The value, stored unencrypted, is called directly from the database. (line 20)
+			   </p>	
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
+            <div class="accordion-inner">
+			 <p>
+              A model method to return only the last four digits already exists. The following code was taken from the WorkInfo model - app/models/work_info.rb:
+			 </p>
+			 <p class="desc">
+				<pre class="ruby">
+					<%= @good_code_1%>
+			    </pre>
+			</p>
+			<p class="desc">		
+			  Essentially, this takes the SSN string from the DB, retrieves only the last four characters in the string, and concatenates the last four characters with asterisks. Because this occurs at the model level, the view page never calls the full SSN value and therefore the user's browser never receives the full SSN. The view code would need to change from...
+				<pre class="ruby">
+					<%= @bad_code_2 %>
+			    </pre>
+			    to...
+			    <pre class="ruby">
+					<%= @good_code_2 %>
+				</pre>
+			 </p>	
+			
+            </div>
+          </div>
+        </div>
+     	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
+            <div class="accordion-inner">
+			 <p>
+              Inspect your work information closely
+ 			 </p>
+            </div>
+          </div>
+        </div> 
+	 </div>
+    </div>
+  </div>