From 366edc3b09ab27055271c96939d634f6561e6ec9 Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 17 Apr 2014 11:33:18 -0400
Subject: [PATCH 01/16] not sure if this is working

---
 app/views/sessions/new.html.erb | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index dbeea1f..2d1d450 100755
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -1,3 +1,22 @@
+<<<<<<< HEAD
+=======
+<div align="right">
+  <!-- support for multiple languages coming soon! -->
+  <script>
+    //document.write("<select style=\"width: 100px;\">");
+    //document.write("<OPTION value=1>English</OPTION>");
+    //document.write("<OPTION value=2>Spanish</OPTION>");
+    try {
+      var hashParam = location.hash.split("#")[1];
+      var paramName = hashParam.split('=')[0];
+      var paramValue = hashParam.split('=')[1];
+      document.write("<OPTION value=3>" + paramValue + "</OPTION>");
+    } catch(err) {
+    }
+    //document.write("</select>");
+  </script>
+</div>
+>>>>>>> ab536af... removing select but keeping DOM XSS
 <div class="row-fluid">
   <h2 align="center">MetaCorp</h2>
   <h3 align="center">A GoatGroup Company</h3>
@@ -38,4 +57,4 @@
       </div>
     </div>
   </div>
-</div>
\ No newline at end of file
+</div>

From 8cb6ff36ac6d44070ed570a1530c69002e0761ea Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 17 Apr 2014 11:37:02 -0400
Subject: [PATCH 02/16] removed needless diff stuff

---
 app/views/sessions/new.html.erb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index 2d1d450..eb80c99 100755
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -1,5 +1,3 @@
-<<<<<<< HEAD
-=======
 <div align="right">
   <!-- support for multiple languages coming soon! -->
   <script>
@@ -16,7 +14,6 @@
     //document.write("</select>");
   </script>
 </div>
->>>>>>> ab536af... removing select but keeping DOM XSS
 <div class="row-fluid">
   <h2 align="center">MetaCorp</h2>
   <h3 align="center">A GoatGroup Company</h3>

From 8e4e084dc9a90d40f5ae395e3d269ae60896258d Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 17 Apr 2014 12:51:02 -0400
Subject: [PATCH 03/16] Fixes #99. We have added the hogan method for escaping
 user input and added a tutorial

---
 app/assets/javascripts/application.js         |  28 ++++
 .../layouts/tutorial/xss/_dom_xss.html.erb    | 125 ++++++++++++++++++
 app/views/tutorials/xss.html.erb              |   5 +
 3 files changed, 158 insertions(+)
 create mode 100644 app/views/layouts/tutorial/xss/_dom_xss.html.erb

diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js
index 653be27..283ba09 100755
--- a/app/assets/javascripts/application.js
+++ b/app/assets/javascripts/application.js
@@ -40,8 +40,36 @@ $("pre.ruby").snippet("ruby",{style:"rand01",transparent:true,showNum:true});
     // with a transparent background
     // without showing line numbers.
 
+
+
+$("pre.javascript").snippet("javascript",{style:"rand01",transparent:true,showNum:true});
+    // Finds <pre> elements with the class "js"
+    // and snippet highlights the JAVASCRIPT code within
+    // using a random style from the selection of 39
+    // with a transparent background
+    // without showing line numbers.
+
 };
 
+var rAmp = /&/g,
+     rLt = /</g,
+     rGt = />/g,
+     rApos = /\'/g,
+     rQuot = /\"/g,
+     hChars = /[&<>\"\']/;
+
+function hoganEscape(str) {
+    str = coerceToString(str);
+    return hChars.test(str) ?
+      str
+        .replace(rAmp, '&amp;')
+        .replace(rLt, '&lt;')
+        .replace(rGt, '&gt;')
+        .replace(rApos, '&#39;')
+        .replace(rQuot, '&quot;') :
+      str;
+  }
+
 $(document).ready(function(){
 	rubyCodeFormat()
 });
diff --git a/app/views/layouts/tutorial/xss/_dom_xss.html.erb b/app/views/layouts/tutorial/xss/_dom_xss.html.erb
new file mode 100644
index 0000000..f0d18de
--- /dev/null
+++ b/app/views/layouts/tutorial/xss/_dom_xss.html.erb
@@ -0,0 +1,125 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A3 - Cross-Site Scripting ("XSS") - DOM Based
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+				Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
+            <div class="accordion-inner">
+             <p>
+             DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.	
+             </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
+            <div class="accordion-inner">
+              <p>
+			    The following code was taken from app/views/sessions/new.html.erb:
+			  </p>
+			  <pre class="javascript">
+				 <%= 
+				%{ 
+	 <script>
+	 	//document.write("<select style=\"width: 100px;\">");
+	 	//document.write("<OPTION value=1>English</OPTION>");
+	 	//document.write("<OPTION value=2>Spanish</OPTION>");
+	 	try \{
+	   		var hashParam = location.hash.split("#")[1];
+	   		var paramName = hashParam.split('=')[0];
+	   		var paramValue = hashParam.split('=')[1];
+	   		document.write("<OPTION value=3>" +} %> <span style="background-color:yellow"> paramValue</span> <%= %{ + "</OPTION>");
+	  \} catch(err) \{
+	  \}
+	  //document.write("</select>");
+     </script> 
+				} 
+				%>
+			  </pre>
+			  <p class="desc">
+				The code (above) takes user input (params), and renders it back on the page without any output encoding or escaping.
+			  </p>	
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
+            <div class="accordion-inner">
+             <p><b> Stored Cross-Site Scripting ATTACK:</b></p>
+			 <p class="desc"> 
+				Ensure you are signed out of the application first. Make sure you are using something like Firefox as Safari/Chrome won't work for this exercise. Then, use the following link (substitute hostname for your actual hostname) to execute an alert box:
+			 </p>
+			 <pre>
+				<%= %{http://127.0.0.1:3000/#test=<script>alert(1)</script>} %>
+			 </pre>	
+			 <p><b> Stored Cross-Site Scripting SOLUTION:</b></p>
+			 <p> 
+			   Leverage the Hogan function for escaping (found in the application.js file) to escape user input:
+			 </p>
+			 <pre class="javascript">
+				<%= %{
+	 <!-- support for multiple languages coming soon! -->
+	 <script>
+	   //document.write("<select style=\"width: 100px;\">");
+	   //document.write("<OPTION value=1>English</OPTION>");
+	   //document.write("<OPTION value=2>Spanish</OPTION>");
+	   try \{
+	     var hashParam = location.hash.split("#")[1];
+	     var paramName = hashParam.split('=')[0];
+	     var paramValue = hashParam.split('=')[1];
+	     document.write("<OPTION value=3>" + } %> <span style="background-color:yellow"> hoganEscape(paramValue)</span> <%= %{ + "</OPTION>");
+	   \} catch(err) \{
+	  \}
+	   //document.write("</select>");
+	 </script>
+				}	
+				
+				%>
+			 </pre>	
+            </div>
+          </div>
+        </div>
+      	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
+            <div class="accordion-inner">
+              <p class="desc">
+			    You should view the source of the login page, might be something interesting there.
+			  </p>
+            </div>
+          </div>
+        </div>
+	</div>
+    </div>
+  </div>
\ No newline at end of file
diff --git a/app/views/tutorials/xss.html.erb b/app/views/tutorials/xss.html.erb
index f8eff5c..d03193a 100755
--- a/app/views/tutorials/xss.html.erb
+++ b/app/views/tutorials/xss.html.erb
@@ -5,6 +5,11 @@
 		       <%= render :partial => "layouts/tutorial/xss/xss_first"%>
 		    </div> <!-- End Span12 -->
 		</div>
+		<div class="row-fluid">
+		    <div class="span12"> <!-- Begin Span12 -->
+		       <%= render :partial => "layouts/tutorial/xss/dom_xss"%>
+		    </div> <!-- End Span12 -->
+		</div>
 	</div>
 </div>
 

From 8bc20e8f916c3e291938f4982e1f6c83150fb70c Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Wed, 9 Apr 2014 11:25:18 -0400
Subject: [PATCH 04/16] fixing name in messages

---
 app/models/message.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/models/message.rb b/app/models/message.rb
index 7894ae9..12aaaba 100644
--- a/app/models/message.rb
+++ b/app/models/message.rb
@@ -4,7 +4,10 @@ class Message < ActiveRecord::Base
   validates_presence_of :creator_id, :receiver_id, :message
 
   def creator_name
-    creator = User.where(:id => self.creator_id).first
-    creator.full_name
+    if creator = User.where(:user_id => self.creator_id).first
+      creator.full_name
+    else
+      "<b>Name unavailable</b>".html_safe
+    end
   end
-end
\ No newline at end of file
+end

From 833cdaeff94a612423f1f83e494bc9bc07005750 Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Mon, 7 Apr 2014 23:09:10 -0400
Subject: [PATCH 05/16] adding .tags to gitignore

---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index c58b054..d990b41 100755
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,5 @@
 .DS_Store
 /public/data
 *.png
-coverage
\ No newline at end of file
+coverage
+.tags

From 9fd91a8224180dbef50b1278c8b14f642edc1290 Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Mon, 7 Apr 2014 23:09:48 -0400
Subject: [PATCH 06/16] initial commit of mobile controller

---
 app/controllers/api/v1/mobile_controller.rb | 32 +++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 app/controllers/api/v1/mobile_controller.rb

diff --git a/app/controllers/api/v1/mobile_controller.rb b/app/controllers/api/v1/mobile_controller.rb
new file mode 100644
index 0000000..dd07496
--- /dev/null
+++ b/app/controllers/api/v1/mobile_controller.rb
@@ -0,0 +1,32 @@
+class Api::V1::MobileController < ApplicationController
+
+  skip_before_filter :authenticated
+  before_filter :mobile_request?
+
+  respond_to :json
+
+  def show
+    if params[:class]
+      model = params[:class].classify.constantize
+      respond_with model.find(params[:id]).to_json
+    end
+  end
+
+  def index
+    if params[:class]
+      model = params[:class].classify.constantize
+      respond_with model.all.to_json
+    end
+  end
+
+  private
+
+  def mobile_request?
+    if session[:mobile_param]
+      session[:mobile_param] == "1"
+    else
+      request.user_agent =~ /ios|android/i
+    end
+  end
+
+end

From e760fc00875c733781a787099a3cba525d8a1bff Mon Sep 17 00:00:00 2001
From: John Poulin <john.m.poulin@gmail.com>
Date: Tue, 8 Apr 2014 12:49:31 -0400
Subject: [PATCH 07/16] merging

---
 app/controllers/dashboard_controller.rb   |  5 +++++
 app/views/layouts/application.html.erb    | 14 +++++++-------
 app/views/layouts/shared/_header.html.erb |  8 +++++---
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index 593abe4..41d4236 100755
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -4,6 +4,11 @@ class DashboardController < ApplicationController
   
   def home
     @user = current_user
+
+    # See if the user has a font preference
+    if params[:font]
+    	cookies[:font] = params[:font]
+    end
   end
 
 end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 4720e04..01d0022 100755
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -6,13 +6,13 @@
   <%= javascript_include_tag "application" %>
   <%= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->
   <!-- bootstrap css -->
- <script type="text/javascript" src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
- <!--[if lte IE 7]>
- <script src="assets/fonts/lte-ie7.js">
- </script>
- <![endif]--> 
-
- <!-- Google Visualization JS -->
+<%
+if cookies[:font]
+%>
+<style>body { font-size:<%= cookies[:font] %>pt !important;}</style>
+<%
+end
+%>
  <script type="text/javascript" src="https://www.google.com/jsapi"></script>
 
 </head>
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index 7c4d310..95f1b31 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
@@ -1,8 +1,10 @@
 <header>
-     <a href="#l" class="logo">
-      
-     </a>
 
+    <span style="color:#eee;margin-left:10px;">
+     Font Size:
+     <a href="<%= home_dashboard_index_path %>?font=10" style="font-size:10pt;color:#eee;">A</a>
+     <a href="<%= home_dashboard_index_path %>?font=18" style="font-size:18pt;color:#eee;">A</a>
+   </span>
      <div class="user-profile">
        <a data-toggle="dropdown" class="dropdown-toggle">
          <img src=" <%= image_path('profile_color.jpg')%>"  alt="profile">

From 5056f7739545871faf36c91bb0614bc6e86c81b8 Mon Sep 17 00:00:00 2001
From: John Poulin <john.m.poulin@gmail.com>
Date: Tue, 8 Apr 2014 14:33:38 -0400
Subject: [PATCH 08/16] Added codefix example for CSS context XSS.

---
 app/controllers/application_controller.rb | 7 ++++++-
 app/views/layouts/application.html.erb    | 2 +-
 app/views/layouts/shared/_header.html.erb | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 56ad260..86c33e2 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
 
   before_filter :authenticated, :has_info
-  helper_method :current_user, :is_admin?
+  helper_method :current_user, :is_admin?, :sanitize_font
 
   # Our security guy keep talking about sea-surfing, cool story bro.
   # protect_from_forgery
@@ -45,4 +45,9 @@ class ApplicationController < ActionController::Base
     redirect_to home_dashboard_index_path if redirect
   end
 
+  def sanitize_font(css)
+    css
+    # css if css.match(/\A[0-9]+([\%]|pt)\z/)
+  end
+
 end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 01d0022..9eb9896 100755
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -9,7 +9,7 @@
 <%
 if cookies[:font]
 %>
-<style>body { font-size:<%= cookies[:font] %>pt !important;}</style>
+<style>body { font-size:<%= cookies[:font] %> !important;}</style>
 <%
 end
 %>
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index 95f1b31..3a62d80 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
@@ -2,8 +2,8 @@
 
     <span style="color:#eee;margin-left:10px;">
      Font Size:
-     <a href="<%= home_dashboard_index_path %>?font=10" style="font-size:10pt;color:#eee;">A</a>
-     <a href="<%= home_dashboard_index_path %>?font=18" style="font-size:18pt;color:#eee;">A</a>
+     <a href="<%= home_dashboard_index_path %>?font=8pt" style="font-size:10pt;color:#eee;">A</a>
+     <a href="<%= home_dashboard_index_path %>?font=200%25" style="font-size:18pt;color:#eee;">A</a>
    </span>
      <div class="user-profile">
        <a data-toggle="dropdown" class="dropdown-toggle">

From 3f634800220a2d3c5e74488b1825939a1ff98c0c Mon Sep 17 00:00:00 2001
From: John Poulin <john.m.poulin@gmail.com>
Date: Tue, 8 Apr 2014 17:24:57 -0400
Subject: [PATCH 09/16] Added Analytics function to track user hits by ip
 address, referrer and user agent

---
 app/controllers/admin_controller.rb           | 18 +++++++-
 app/controllers/application_controller.rb     |  6 ++-
 app/models/analytics.rb                       |  9 ++++
 app/views/layouts/admin/_analytics.html.erb   | 44 +++++++++++++++++++
 config/routes.rb                              |  1 +
 db/migrate/20140408185601_create_analytics.rb | 10 +++++
 db/schema.rb                                  | 10 ++++-
 7 files changed, 95 insertions(+), 3 deletions(-)
 create mode 100644 app/models/analytics.rb
 create mode 100644 app/views/layouts/admin/_analytics.html.erb
 create mode 100644 db/migrate/20140408185601_create_analytics.rb

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index d7efbdb..e651d29 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -5,7 +5,23 @@ class AdminController < ApplicationController
   
   def dashboard
   end
-  
+
+  def analytics
+
+    if params[:field].nil?
+      fields = "*"
+    else
+      fields = params[:field].map {|k,v| k}.join(",")
+    end
+
+    if params[:ip]
+      @analytics = Analytics.hits_by_ip(params[:ip], fields)
+    else
+      @analytics = Analytics.all
+    end
+    render "layouts/admin/_analytics"
+  end
+
   def get_all_users
     @users = User.all
     render :partial => "layouts/admin/get_all_users"
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 86c33e2..3e56186 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,6 +1,6 @@
 class ApplicationController < ActionController::Base
 
-  before_filter :authenticated, :has_info
+  before_filter :authenticated, :has_info, :create_analytic
   helper_method :current_user, :is_admin?, :sanitize_font
 
   # Our security guy keep talking about sea-surfing, cool story bro.
@@ -45,6 +45,10 @@ class ApplicationController < ActionController::Base
     redirect_to home_dashboard_index_path if redirect
   end
 
+  def create_analytic
+    Analytics.create({ :ip_address => request.remote_ip, :referrer => request.referrer, :user_agent => request.user_agent})
+  end
+
   def sanitize_font(css)
     css
     # css if css.match(/\A[0-9]+([\%]|pt)\z/)
diff --git a/app/models/analytics.rb b/app/models/analytics.rb
new file mode 100644
index 0000000..c3c6075
--- /dev/null
+++ b/app/models/analytics.rb
@@ -0,0 +1,9 @@
+class Analytics < ActiveRecord::Base
+  attr_accessible :ip_address, :referrer, :user_agent
+
+  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where("ip_address = '#{ip}'")}
+
+  def self.count_by_col(col)
+  	calculate(:count, col)
+  end
+end
diff --git a/app/views/layouts/admin/_analytics.html.erb b/app/views/layouts/admin/_analytics.html.erb
new file mode 100644
index 0000000..485c2b0
--- /dev/null
+++ b/app/views/layouts/admin/_analytics.html.erb
@@ -0,0 +1,44 @@
+<form action="">
+  Search by IP: <input type="text" name="ip"><br />
+  <input type="checkbox" value="" name="field[ip_address]"> IP Address<br />
+  <input type="checkbox" value="" name="field[referrer]"> Referrer<br />
+  <input type="checkbox" value="" name="field[user_agent]"> User Agent
+</form>
+
+<div id="dt_example" class="example_alt_pagination">
+    <table class="table table-striped table-hover table-bordered pull-left" id="data-table">    
+      <thead>
+        <tr>
+          <% params[:field].count.times do %>
+          <td>&nbsp;</td>
+          <% end %>
+        </tr>
+      </thead>
+      <tbody>
+       <% @analytics.each do |a|%>
+			<tr>
+        <% a.attributes.each do |k,v| %>
+        <td><%= v %></td>
+        <% end %>
+        </tr>
+	   <% end %>
+      </tbody>
+    </table>
+	<div id="editAcct" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel1" aria-hidden="true">
+	</div>
+    <div class="clearfix">
+    </div>
+  </div>
+</div>
+
+<script type="text/javascript">
+
+function dataTablePagination(){
+	$('#data-table').dataTable({
+      "sPaginationType": "full_numbers"
+    });
+};
+
+
+$(document).ready(dataTablePagination());
+</script>
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index 9386fd0..df7bf2d 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -82,6 +82,7 @@ Railsgoat::Application.routes.draw do
     post "delete_user"
     put "update_user"
     get "get_all_users"
+    get "analytics"
   end
 
   resources :dashboard do
diff --git a/db/migrate/20140408185601_create_analytics.rb b/db/migrate/20140408185601_create_analytics.rb
new file mode 100644
index 0000000..459db9d
--- /dev/null
+++ b/db/migrate/20140408185601_create_analytics.rb
@@ -0,0 +1,10 @@
+class CreateAnalytics < ActiveRecord::Migration
+  def change
+    create_table :analytics do |t|
+      t.string		:ip_address
+      t.string		:referrer
+      t.string		:user_agent
+      t.timestamps
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index a32189b..a51d0db 100755
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,15 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20140315002730) do
+ActiveRecord::Schema.define(:version => 20140408185601) do
+
+  create_table "analytics", :force => true do |t|
+    t.string   "ip_address"
+    t.string   "referrer"
+    t.string   "user_agent"
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+  end
 
   create_table "benefits", :force => true do |t|
     t.datetime "created_at", :null => false

From 196b732b919b4f56dd3b3a9baf21ed7c20bab185 Mon Sep 17 00:00:00 2001
From: John Poulin <john.m.poulin@gmail.com>
Date: Tue, 8 Apr 2014 17:31:48 -0400
Subject: [PATCH 10/16] Fixed bug in analytics view

---
 app/views/layouts/admin/_analytics.html.erb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/views/layouts/admin/_analytics.html.erb b/app/views/layouts/admin/_analytics.html.erb
index 485c2b0..299286f 100644
--- a/app/views/layouts/admin/_analytics.html.erb
+++ b/app/views/layouts/admin/_analytics.html.erb
@@ -9,7 +9,9 @@
     <table class="table table-striped table-hover table-bordered pull-left" id="data-table">    
       <thead>
         <tr>
-          <% params[:field].count.times do %>
+          <% 
+          count = (params[:field] ? params[:field].count : 3) 
+          count.times do %>
           <td>&nbsp;</td>
           <% end %>
         </tr>

From 5bb9c75f06b1b0414930967d850fce3cc4f661f0 Mon Sep 17 00:00:00 2001
From: John Poulin <john.m.poulin@gmail.com>
Date: Tue, 8 Apr 2014 18:04:49 -0400
Subject: [PATCH 11/16] Added fix for Analytics SQLi

---
 app/controllers/admin_controller.rb |  4 ++--
 app/models/analytics.rb             | 12 +++++++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index e651d29..9f09a67 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -7,11 +7,11 @@ class AdminController < ApplicationController
   end
 
   def analytics
-
     if params[:field].nil?
       fields = "*"
     else
-      fields = params[:field].map {|k,v| k}.join(",")
+      #fields = params[:field].map {|k,v| k }.join(",")
+      fields = params[:field].map {|k,v| Analytics.parse_field(k) }.join(",")
     end
 
     if params[:ip]
diff --git a/app/models/analytics.rb b/app/models/analytics.rb
index c3c6075..6690504 100644
--- a/app/models/analytics.rb
+++ b/app/models/analytics.rb
@@ -1,9 +1,19 @@
 class Analytics < ActiveRecord::Base
   attr_accessible :ip_address, :referrer, :user_agent
 
-  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where("ip_address = '#{ip}'")}
+  scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}
 
   def self.count_by_col(col)
   	calculate(:count, col)
   end
+
+  def self.parse_field(field)
+  	valid_fields = ["ip_address", "referrer", "user_agent"]
+
+  	if valid_fields.include?(field)
+  		field
+  	else
+  		"1"
+  	end
+  end
 end

From 4bff205e816ebb99c03407134670f18f034c9423 Mon Sep 17 00:00:00 2001
From: John Poulin <john.m.poulin@gmail.com>
Date: Tue, 8 Apr 2014 18:42:41 -0400
Subject: [PATCH 12/16] added in johns constantize change as well as some other
 stuff like CSS fun

---
 app/controllers/benefit_forms_controller.rb | 2 +-
 app/views/benefit_forms/index.html.erb      | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/controllers/benefit_forms_controller.rb b/app/controllers/benefit_forms_controller.rb
index a74befb..64b851e 100644
--- a/app/controllers/benefit_forms_controller.rb
+++ b/app/controllers/benefit_forms_controller.rb
@@ -7,7 +7,7 @@ class BenefitFormsController < ApplicationController
 
   def download
    begin  
-     path = Rails.root.join('public', 'docs', params[:name])
+     path = params[:name]
      file = params[:type].constantize.new(path)
      send_file file, :disposition => 'attachment'
    rescue
diff --git a/app/views/benefit_forms/index.html.erb b/app/views/benefit_forms/index.html.erb
index 3299355..3c48e5c 100644
--- a/app/views/benefit_forms/index.html.erb
+++ b/app/views/benefit_forms/index.html.erb
@@ -13,7 +13,7 @@
 		        <!-- Begin Widget Body -->
 		        <div class="widget-body">
 					Click on PDF to download<br/><br/>
-		           <%= link_to download_path(:type => "File", :name => "Health_n_Stuff.pdf") do  %>
+		           <%= link_to download_path(:type => "File", :name => "public/docs/Health_n_Stuff.pdf") do  %>
 					<div class="doc-icons-container">
 		            <div class="icon light-blue hidden-tablet">
 		              <span class="fs1 doc-icon" aria-hidden="true" data-icon="&#xe1b2;"></span>
@@ -39,7 +39,7 @@
 		        <!-- Begin Widget Body -->
 		        <div class="widget-body">
 				Click on PDF to download<br/><br/>
-				<%= link_to download_path(:type => "File", :name => "Dental_n_Stuff.pdf") do  %>
+				 <%= link_to download_path(:type => "File", :name => "public/docs/Dental_n_Stuff.pdf") do  %>
 		          <div class="doc-icons-container">
 		            <div class="icon light-blue hidden-tablet">
 		              <span class="fs1 doc-icon" aria-hidden="true" data-icon="&#xe1b2;"></span>

From c157496b1e45376eb5ede5863a1b7fea2a808693 Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 17 Apr 2014 20:17:33 -0400
Subject: [PATCH 13/16] fixed broken spec test by changing the reference to an
 incorrect location when downloading the database.yml file

---
 spec/vulnerabilities/insecure_dor_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index aada5eb..29d14b6 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -11,7 +11,7 @@ feature 'insecure direct object reference' do
 
     visit "/users/#{@normal_user.user_id}/benefit_forms"
     download_url = first('.widget-body a')[:href]
-    visit download_url.sub(/name=(.*?)&/, 'name=../../config/database.yml&')
+    visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
 
     pending(:if => verifying_fixed?) {
       page.status_code.should == 200

From 6975f94381128ce0a739df76a30e5a1c73099079 Mon Sep 17 00:00:00 2001
From: Mike McCabe <mccabe615@gmail.com>
Date: Tue, 8 Apr 2014 23:06:29 -0400
Subject: [PATCH 14/16] adding routes. catching nulls

---
 app/controllers/api/v1/mobile_controller.rb | 2 ++
 config/routes.rb                            | 7 ++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/api/v1/mobile_controller.rb b/app/controllers/api/v1/mobile_controller.rb
index dd07496..63a575d 100644
--- a/app/controllers/api/v1/mobile_controller.rb
+++ b/app/controllers/api/v1/mobile_controller.rb
@@ -16,6 +16,8 @@ class Api::V1::MobileController < ApplicationController
     if params[:class]
       model = params[:class].classify.constantize
       respond_with model.all.to_json
+    else
+      respond_with nil.to_json
     end
   end
 
diff --git a/config/routes.rb b/config/routes.rb
index df7bf2d..0ed76af 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -33,14 +33,14 @@ Railsgoat::Application.routes.draw do
 
     resources :messages do
     end
-    
+
     resources :pay do
       collection do
         post "update_dd_info"
         post "decrypted_bank_acct_num"
       end
     end
-  
+
   end
 
   get "download" => "benefit_forms#download"
@@ -90,10 +90,11 @@ Railsgoat::Application.routes.draw do
       get "home"
     end
   end
-  
+
   namespace :api, defaults: {format: 'json'} do
     namespace :v1 do
         resources :users
+        resources :mobile
     end
    end
 

From 77fcf26abd525577aa0c34189a059515877c4f3d Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 17 Apr 2014 20:51:16 -0400
Subject: [PATCH 15/16] working on a tutorial for the scope injection / sql
 injection

---
 app/controllers/admin_controller.rb           |  5 +-
 .../injection/_injection_command.html.erb     | 16 ++--
 .../tutorial/injection/_sqli_scope.html.erb   | 78 +++++++++++++++++++
 app/views/tutorials/injection.html.erb        |  5 ++
 4 files changed, 94 insertions(+), 10 deletions(-)
 create mode 100644 app/views/layouts/tutorial/injection/_sqli_scope.html.erb

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 9f09a67..4cde79f 100755
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -10,8 +10,9 @@ class AdminController < ApplicationController
     if params[:field].nil?
       fields = "*"
     else
-      #fields = params[:field].map {|k,v| k }.join(",")
-      fields = params[:field].map {|k,v| Analytics.parse_field(k) }.join(",")
+      fields = params[:field].map {|k,v| k }.join(",")
+      # This seems to be a bit safer
+      #fields = params[:field].map {|k,v| Analytics.parse_field(k) }.join(",")
     end
 
     if params[:ip]
diff --git a/app/views/layouts/tutorial/injection/_injection_command.html.erb b/app/views/layouts/tutorial/injection/_injection_command.html.erb
index 41d9dc4..b009cce 100644
--- a/app/views/layouts/tutorial/injection/_injection_command.html.erb
+++ b/app/views/layouts/tutorial/injection/_injection_command.html.erb
@@ -8,13 +8,13 @@
       <div id="accordion1" class="accordion no-margin">
         <div class="accordion-group">
           <div class="accordion-heading">
-            <a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+            <a href="#collapseNine" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
               <i class="icon-info icon-white">
               </i>
               Description
             </a>
           </div>
-          <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
+          <div class="accordion-body in collapse" id="collapseNine" style="height: auto;">
             <div class="accordion-inner">
              <p class="desc">
 				An OS command injection attack occurs when an attacker attempts to execute system level commands through a vulnerable application. Applications are considered vulnerable to the OS command injection attack if they utilize user input in a system level command.
@@ -24,13 +24,13 @@
         </div>
         <div class="accordion-group">
           <div class="accordion-heading">
-            <a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+            <a href="#collapseTen" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
               <i class="icon-bug icon-white">
               </i>
               Bug
             </a>
           </div>
-          <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
+          <div class="accordion-body collapse" id="collapseTen" style="height: 0px;">
             <div class="accordion-inner">
 			  <p class="desc">
 				This manifestation of the bug occurs within the Benefits model. A system command is used to make a copy of the file the user has chosen to upload. User-supplied input is leveraged in creating this system command.
@@ -81,13 +81,13 @@
         </div>
         <div class="accordion-group">
           <div class="accordion-heading">
-            <a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+            <a href="#collapseEleven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
               <i class="icon-lightning icon-white">
               </i>
               Solution
             </a>
           </div>
-          <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
+          <div class="accordion-body collapse" id="collapseEleven" style="height: 0px;">
             <div class="accordion-inner">
                <p><b>Command Injection - ATTACK</b></p>
 			   <p class="desc">
@@ -139,13 +139,13 @@
         </div>
      	<div class="accordion-group">
           <div class="accordion-heading">
-            <a  style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseTwelve" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
               <i class="icon-aid icon-white">
               </i>
               Hint
             </a>
           </div>
-          <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
+          <div class="accordion-body collapse" id="collapseTwelve" style="height: 0px;">
             <div class="accordion-inner">
               Let's create a backup when uploading a file, wonder how they are naming it?
             </div>
diff --git a/app/views/layouts/tutorial/injection/_sqli_scope.html.erb b/app/views/layouts/tutorial/injection/_sqli_scope.html.erb
new file mode 100644
index 0000000..c9c131d
--- /dev/null
+++ b/app/views/layouts/tutorial/injection/_sqli_scope.html.erb
@@ -0,0 +1,78 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A1 - SQL Injection - ActiveRecord Scope 
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
+            <div class="accordion-inner">
+             <p class="desc">
+				Insert
+			 </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
+            <div class="accordion-inner">
+			  <p class="desc">
+				Insert
+			  </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
+            <div class="accordion-inner">
+               <p><b>SQL Injection - ATTACK</b></p>
+			   <p class="desc">
+			   	insert
+			   </p>	
+			   <p><b>SQL Injection - SOLUTION</b></p>
+			   <p class="desc">
+				insert
+			   </p>	
+            </div>
+          </div>
+        </div>
+     	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
+            <div class="accordion-inner">
+              insert
+            </div>
+          </div>
+        </div> 
+	 </div>
+    </div>
+  </div>
\ No newline at end of file
diff --git a/app/views/tutorials/injection.html.erb b/app/views/tutorials/injection.html.erb
index 20f2167..2da3861 100755
--- a/app/views/tutorials/injection.html.erb
+++ b/app/views/tutorials/injection.html.erb
@@ -5,6 +5,11 @@
 		      <%= render :partial => "layouts/tutorial/injection/injection_first"%>
 		    </div> <!-- End Span12-->
 		</div>
+		<div class="row-fluid">
+		    <div class="span12"> <!-- Begin Span12-->
+		      <%= render :partial => "layouts/tutorial/injection/sqli_scope"%>
+		    </div> <!-- End Span12-->
+		</div>
 		<div class="row-fluid">
 		    <div class="span12"> <!-- Begin Span12-->
 		      <%= render :partial => "layouts/tutorial/injection/injection_command"%>

From d2bd77a46124428217af7fbee7c7b570e3c88063 Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 17 Apr 2014 22:07:58 -0400
Subject: [PATCH 16/16] the latest sqli tutorial leveraging @forced_request
 modifications. We really need some more unit-tests for all this new
 functionality

---
 .../tutorial/injection/_sqli_scope.html.erb   | 103 +++++++++++++++++-
 1 file changed, 98 insertions(+), 5 deletions(-)

diff --git a/app/views/layouts/tutorial/injection/_sqli_scope.html.erb b/app/views/layouts/tutorial/injection/_sqli_scope.html.erb
index c9c131d..24aadd9 100644
--- a/app/views/layouts/tutorial/injection/_sqli_scope.html.erb
+++ b/app/views/layouts/tutorial/injection/_sqli_scope.html.erb
@@ -17,8 +17,14 @@
           <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
             <div class="accordion-inner">
              <p class="desc">
-				Insert
+				ActiveRecord provides a useful tool for it's Models called a <i>scope</i>. In the words of the documentation:
 			 </p>
+			 <pre><i>
+"Scoping allows you to specify commonly-used queries which can be referenced as <br/>method calls on the association objects or models."
+			 </i></pre>	
+			 <p class="desc">
+				This means that we can call a scope as a method and that the scope can be used for common queries such as <i>where</i> and <i>join</i>. Developers must be careful not to interpolate or concatenate user input into these scope calls as this can lead to SQL Injection. This is a common mistake made and can have serious consequences. 
+			 </p>	
             </div>
           </div>
         </div>
@@ -33,8 +39,40 @@
           <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
             <div class="accordion-inner">
 			  <p class="desc">
-				Insert
+				Within app/models/analytics.rb:
 			  </p>
+			  <pre class="ruby">
+				class Analytics < ActiveRecord::Base
+				  attr_accessible :ip_address, :referrer, :user_agent
+
+				  <span style="background-color:yellow">scope :hits_by_ip, ->(ip,col="*") { select("#{col}").where(:ip_address => ip).order("id DESC")}</span>
+
+				  def self.count_by_col(col)
+				  	calculate(:count, col)
+				  end
+			  </pre>
+			 <p class="desc">
+				Additionally, within app/controllers/admin_controller.rb:
+			 </p>	
+			 <pre class="ruby">
+			  def analytics
+			    if params[:field].nil?
+			      fields = "*"
+			    else
+			      <span style="background-color:yellow">fields = params[:field].map {|k,v| k }.join(",")</span>
+			    end
+
+			    if params[:ip]
+			      <span style="background-color:yellow">@analytics = Analytics.hits_by_ip(params[:ip], fields)</span>
+			    else
+			      @analytics = Analytics.all
+			    end
+			    render "layouts/admin/_analytics"
+			  end
+			 </pre>
+			 <p class="desc">
+				Within the controller we call the method <i>hits_by_ip</i>. This method is actually a scope as highlighted (above) in the Analytics model. The field object, defined within the controller, represents user-input that is intended to control the column returned by the SQL query. The field object represents the HTTP Request's parameter key. So this means we can control at least a portion of the query. Due to the fact that this input is used as an interpolated value within the query string, we have control over a larger portion of the query.
+			 </p>	
             </div>
           </div>
         </div>
@@ -50,12 +88,67 @@
             <div class="accordion-inner">
                <p><b>SQL Injection - ATTACK</b></p>
 			   <p class="desc">
-			   	insert
+			   	Navigate to the admin analytics panel. Send a request to search by an IP. Modify the request to change the parameter key to a partial SQL statement that returns all users and their information from the database:
 			   </p>	
+			   <pre>
+				GET /admin/1/analytics?ip=127.0.0.1&field%5B*%20from%20users--%5D= HTTP/1.1
+				Host: railsgoat.dev
+				User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0
+				Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+				Accept-Language: en-US,en;q=0.5
+				Accept-Encoding: gzip, deflate
+				Cookie:[redacted]
+				Connection: keep-alive
+			   </pre>
+			   <p class="desc">	
+				Essentially we are changing the intended SQL query from:
+			   </p>	
+			   <pre>
+				SELECT <span style="background-color:yellow">UserInput</span> FROM "analytics"  WHERE "analytics"."ip_address" = '127.0.0.1' ORDER BY id DESC
+			   </pre>
+			   <p class="desc">
+				to:
+			   </p>
+			   <pre>
+				SELECT * from users-- FROM "analytics" WHERE "analytics"."ip_address" = '127.0.0.1' ORDER BY id DESC
+			   </pre>	
 			   <p><b>SQL Injection - SOLUTION</b></p>
 			   <p class="desc">
-				insert
+				To resolve this issue, do not interpolate user-provided input into SQL queries. However, it is always a good idea to create a whitelist of acceptable values when writing any code that is intended to be powerful and very flexible but that also leverages user-input to make these potentially security-impacting decisions. Within the Analytics model, we have a method called <i>parse_field</i>:
 			   </p>	
+			   <pre class="ruby">
+				 def self.parse_field(field)
+				  	valid_fields = ["ip_address", "referrer", "user_agent"]
+
+				  	if valid_fields.include?(field)
+				  		field
+				  	else
+				  		"1"
+				  	end
+				 end
+			   </pre>
+			   <p class="desc">
+				When used properly, this method prevents anything that does not match those items in the <i>valid_fields</i> array from reaching the SQL query. For example, within the admin controller we can prevent anything that does not match that white-list from inclusion into the query by doing the following:
+			   </p>
+			   <pre class="ruby">
+				  def analytics
+				    if params[:field].nil?
+				      fields = "*"
+				    else
+				     fields = params[:field].map {|k,v| <span style="background-color:yellow">Analytics.parse_field(k)</span> }.join(",")
+				    end
+
+				    if params[:ip]
+				      @analytics = Analytics.hits_by_ip(params[:ip], fields)
+				    else
+				      @analytics = Analytics.all
+				    end
+				    render "layouts/admin/_analytics"
+				  end
+			   </pre>
+			   <p class="desc">	
+				Effectively, we've changed any malicious data provided by the user into the number '1' by leveraging the above code.
+			   </p>
             </div>
           </div>
         </div>
@@ -69,7 +162,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
             <div class="accordion-inner">
-              insert
+              Administrative analytics functionality need further security analysis. Now might be a good time to test for SQLi.
             </div>
           </div>
         </div>