diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 203f116..3221cb4 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -12,7 +12,7 @@ class SessionsController < ApplicationController
 path = params[:url].present? ? params[:url] : home_dashboard_index_path
 begin
 # Normalize the email address, why not
- user = User.authenticate(params[:email].to_s.downcase, params[:password])
+ user = User.authenticate(params[:email].to_s.strip.downcase, params[:password])
 rescue RuntimeError => e
 # don't do ANYTHING
 end
diff --git a/app/views/dashboard/home.html.erb b/app/views/dashboard/home.html.erb
index 36e5d6b..b103978 100644
--- a/app/views/dashboard/home.html.erb
+++ b/app/views/dashboard/home.html.erb
@@ -1,43 +1,37 @@
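Review bot: The `strip.downcase` normalization on the changed line is applied in the controller only, so whether a login succeeds depends on `User.authenticate` comparing against a stored email that was normalized the same way; if other lookups by email (signup, password reset) do not apply the same rule, the same input can succeed in one path and fail in another. Moving the normalization into `User.authenticate`, or into a single `User.normalize_email(raw)` helper that every email lookup calls, keeps one rule in one place. The enclosing action starts and ends outside the hunk.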
-
-
-
-
- Current Statistics -
- -
- -
- -
-
- <%#= render partial: "dashboard_stats" %> -
-
-
-
-
-
Need help using this portal? Check out the Readme
-
+
+
+
+
+ Current Statistics +
+ +
+ +
+ +
+
+ <%#= render partial: "dashboard_stats" %> +
+
+
+
+
- - - - - - - diff --git a/app/views/pay/index.html.erb b/app/views/pay/index.html.erb index b807bc0..38af494 100644 --- a/app/views/pay/index.html.erb +++ b/app/views/pay/index.html.erb @@ -1,27 +1,23 @@
-
- +
-
- +
diff --git a/app/views/users/account_settings.html.erb b/app/views/users/account_settings.html.erb index 709a77d..d2ab8be 100755 --- a/app/views/users/account_settings.html.erb +++ b/app/views/users/account_settings.html.erb @@ -1,28 +1,22 @@
-
- +
-
-
- -
+
diff --git a/app/views/work_info/index.html.erb b/app/views/work_info/index.html.erb
index ab0e9b5..ca3ef98 100644
--- a/app/views/work_info/index.html.erb
+++ b/app/views/work_info/index.html.erb
@@ -12,26 +12,26 @@ - + - - + - + - - - - - + + + + +
diff --git a/lib/encryption.rb b/lib/encryption.rb
index bf654e6..431ec8e 100644
--- a/lib/encryption.rb
+++ b/lib/encryption.rb
@@ -15,7 +15,7 @@ module Encryption
 aes = OpenSSL::Cipher.new(cipher_type)
 aes.decrypt
 aes.key = key[0..31]
- aes.iv = iv[0.15] if iv != nil
+ aes.iv = iv[0..15] if iv != nil
 decoded = Base64.strict_decode64("#{val}")
 aes.update("#{decoded}") + aes.final
 end
diff --git a/spec/lib/encryption_spec.rb b/spec/lib/encryption_spec.rb
new file mode 100644
index 0000000..c039df7
--- /dev/null
+++ b/spec/lib/encryption_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+require "spec_helper"
+require_relative "../../lib/encryption"
+
+describe Encryption do
+ let(:value) {
+ allow(Encryption).to receive(:key).and_return(SecureRandom.bytes(32))
+ allow(Encryption).to receive(:iv).and_return(SecureRandom.bytes(16))
+
+ "OMG PII"
+ }
+
+ it "encrypts values" do
+ encrypted = Encryption.encrypt_sensitive_value(value)
+ expect(Base64.decode64(encrypted)).not_to eq(value)
+ end
+
+ it "decrypts values" do
+ encrypted = Encryption.encrypt_sensitive_value(value)
+ decrypted = Encryption.decrypt_sensitive_value(encrypted)
+
+ expect(decrypted).to eq(value)
+ end
+end
diff --git a/spec/vulnerabilities/csrf_spec.rb b/spec/vulnerabilities/csrf_spec.rb
index 375ae40..d876dab 100644
--- a/spec/vulnerabilities/csrf_spec.rb
+++ b/spec/vulnerabilities/csrf_spec.rb
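Review bot: `aes.iv = iv[0..15] if iv != nil` still turns a missing IV into a silent skip: on the decrypt side the IV has to be the one used at encryption time, and with none set the cipher runs with whatever IV OpenSSL defaults to, so (depending on `cipher_type`) the caller gets a garbled first block or a padding error from `aes.final` instead of a clear argument error. If the nil branch exists for an IV-less mode, guard on the cipher rather than the argument: `raise ArgumentError, "iv must be at least 16 bytes" if aes.iv_len > 0 && (iv.nil? || iv.bytesize < 16)` followed by `aes.iv = iv[0..15] if aes.iv_len > 0`; otherwise just require the IV. As a matter of style `if iv != nil` is `unless iv.nil?`, and `"#{val}"` / `"#{decoded}"` are `val.to_s` and `decoded` (already a String). The enclosing method begins before the hunk.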
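Review bot: The `allow(Encryption).to receive(:key)` / `receive(:iv)` stubs are placed inside `let(:value)`, so they are only installed when `value` is first evaluated; both examples happen to pass `value` as the first argument and so get the stubs in time, but any example that calls `Encryption.encrypt_sensitive_value` before touching `value` would run against the real key and IV, and a reader expects a `let` to be a plain value. Move the stubs into a `before` block and keep `let(:value) { "OMG PII" }` as data. Separately, `encrypts values` only shows that the base64-decoded output differs from the plaintext; adding `expect(encrypted).not_to include(value)` makes the non-leak property explicit.
```ruby
describe Encryption do
  before do
    allow(Encryption).to receive(:key).and_return(SecureRandom.bytes(32))
    allow(Encryption).to receive(:iv).and_return(SecureRandom.bytes(16))
  end

  let(:value) { "OMG PII" }

  # … unchanged: "encrypts values" and "decrypts values" examples, closing end …
```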
@@ -10,7 +10,7 @@ feature "csrf" do
 pending unless verifying_fixed?
 end
- scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
+ scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
 visit "/" # TODO: is there a way to get this without visiting root first?
 base_url = current_url
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 2434e61..50e5854 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -18,15 +18,17 @@ feature "insecure direct object reference" do
 visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
 expect(page.status_code).not_to eq(200)
- expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
+ expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
 end
 scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
+ login(normal_user)
+ expect(normal_user.id).not_to eq(another_user.id)
 visit "/users/#{another_user.id}/work_info"
- expect(first("td").text).not_to include(another_user.name)
- expect(first("td").text).to include(normal_user.name)
+ expect(first("td").text).not_to include(another_user.full_name)
+ expect(first("td").text).to include(normal_user.full_name)
 end
 end
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index 43f6f59..5b40ca0 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
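Review bot: `page.response_headers["Content-Disposition"].to_a` changes what the matcher checks: on an Array, `include("database.yml")` tests element equality, so a header value like `attachment; filename="database.yml"` is not an element and the expectation passes no matter what the server sent, while a plain String header has no `to_a` in Ruby 1.9+ and the example errors instead. If `.to_a` was added to survive a nil header, `.to_s` does that (`nil.to_s` is `""`) and keeps the substring check: `expect(page.response_headers["Content-Disposition"].to_s).not_to include("database.yml")`. The first scenario begins before the hunk.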
@@ -23,7 +23,7 @@ feature "mass assignment" do
 expect(normal_user.reload.admin).to be_falsy
 end
- scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
+ scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role" do
 params = { user: { admin: "t", email: "hackety@h4x0rs.c0m", first_name: "hackety",
@@ -33,6 +33,6 @@ feature "mass assignment" do
 page.driver.post "/users", params
- expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil
+ expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy
 end
 end
diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb
index a1ff494..97b9627 100644
--- a/spec/vulnerabilities/unvalidated_redirects_spec.rb
+++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb
@@ -20,6 +20,7 @@ feature "unvalidated redirect" do
 click_on "Login"
 end
- expect(current_url).to eq("/dashboard/home")
+ expect(current_url).to start_with("http://127.0.0.1")
+ expect(current_path).to eq("/dashboard/home")
 end
 end
diff --git a/spec/vulnerabilities/url_access_spec.rb b/spec/vulnerabilities/url_access_spec.rb
index f7d0468..4fa70ce 100644
--- a/spec/vulnerabilities/url_access_spec.rb
+++ b/spec/vulnerabilities/url_access_spec.rb
@@ -15,6 +15,6 @@ feature "url access" do
 visit "/admin/1/dashboard"
- expect(current_path).to eq("/")
+ expect(current_path).to eq("/dashboard/home")
 end
 end
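Review bot: `User.find_by(email: "hackety@h4x0rs.c0m").admin` in the second hunk raises NoMethodError on nil whenever the POST did not create the user, so a regression that blocks the signup altogether shows up as an error rather than a readable failure, and the two properties the example now relies on (the user was created; admin was not set) are indistinguishable. Split the assertion: `created = User.find_by(email: "hackety@h4x0rs.c0m")`, `expect(created).not_to be_nil`, `expect(created.admin).to be_falsy`. The scenario body continues outside the hunk.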
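Review bot: `expect(current_url).to start_with("http://127.0.0.1")` hard-codes the host and scheme Capybara happens to serve on, so the example breaks under a different `Capybara.server_host` or an https test server even though the property it guards (the post-login redirect stayed on the application's own host) still holds. `expect(URI.parse(current_url).host).to eq(Capybara.server_host)` states that property directly, and the added `current_path` line already pins the path. The enclosing scenario begins before the hunk.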
Full NameFull Name IncomeBonus/th> + Bonus Years w/ MetaCorp SSNDoBDoB
<%= "#{@user.first_name} #{@user.last_name}" %> <%= @user.work_info.income %> <%= @user.work_info.bonuses %> <%= @user.work_info.years_worked %><%= @user.work_info.SSN %><%= @user.work_info.DoB %><%= @user.work_info.SSN %><%= @user.work_info.DoB %>