From 7eb0ddf22921d53f2f230490323d31c267f4995d Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 07:49:52 -0500
Subject: [PATCH 01/13] clean up insecure_dor_spec
---
 spec/vulnerabilities/insecure_dor_spec.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 2434e61..5d842e8 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -22,11 +22,13 @@ feature "insecure direct object reference" do
 end
 scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
+ login(normal_user)
+ expect(normal_user.id).not_to eq(another_user.id)
 visit "/users/#{another_user.id}/work_info"
- expect(first("td").text).not_to include(another_user.name)
- expect(first("td").text).to include(normal_user.name)
+ expect(first("td").text).not_to include(another_user.full_name)
+ expect(first("td").text).to include(normal_user.full_name)
 end
 end
From 18433833d395738551cbfc4d3f01d089217c4d24 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 07:53:25 -0500
Subject: [PATCH 02/13] clean up url_access_spec
---
 spec/vulnerabilities/url_access_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/vulnerabilities/url_access_spec.rb b/spec/vulnerabilities/url_access_spec.rb
index f7d0468..4fa70ce 100644
--- a/spec/vulnerabilities/url_access_spec.rb
+++ b/spec/vulnerabilities/url_access_spec.rb
@@ -15,6 +15,6 @@ feature "url access" do
 visit "/admin/1/dashboard"
- expect(current_path).to eq("/")
+ expect(current_path).to eq("/dashboard/home")
 end
 end
From d82ff9a66a9d13794bdf96eacb984e1b4dade559 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 09:24:24 -0500
Subject: [PATCH 03/13] clean up insecure_dor_spec
---
 spec/vulnerabilities/insecure_dor_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
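Review bot: The two content assertions on the new side inspect only `first("td").text`, so the scenario depends on the victim's name landing in the very first cell and, depending on the Capybara version, can raise or error rather than fail if no table is rendered at all. Scanning every cell with Capybara's own retrying matchers is both more robust and more readable: `expect(page).to have_css("td", text: normal_user.full_name)` and `expect(page).not_to have_css("td", text: another_user.full_name)`. The `login` helper and the `normal_user`/`another_user` definitions are outside the hunk, so whether `full_name` is a real model method cannot be confirmed from here.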
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 5d842e8..50e5854 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -18,7 +18,7 @@ feature "insecure direct object reference" do
 visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
 expect(page.status_code).not_to eq(200)
- expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
+ expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
 end
 scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
From 02dcd42bc7066a4b9b886b3e249e50c1f27a54b4 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 09:57:58 -0500
Subject: [PATCH 04/13] clean up unvalidated_redirects_spec
---
 spec/vulnerabilities/unvalidated_redirects_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb
index a1ff494..cb880e4 100644
--- a/spec/vulnerabilities/unvalidated_redirects_spec.rb
+++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb
@@ -20,6 +20,6 @@ feature "unvalidated redirect" do
 click_on "Login"
 end
- expect(current_url).to eq("/dashboard/home")
+ expect(current_path).to eq("/dashboard/home")
 end
 end
From e72f4ca64f3aca2f6d11a23178cdd801a6e7d67f Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 14:27:56 -0500
Subject: [PATCH 05/13] update tutorial links
---
 spec/vulnerabilities/csrf_spec.rb | 2 +-
 spec/vulnerabilities/mass_assignment_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/spec/vulnerabilities/csrf_spec.rb b/spec/vulnerabilities/csrf_spec.rb
index 375ae40..d876dab 100644
--- a/spec/vulnerabilities/csrf_spec.rb
+++ b/spec/vulnerabilities/csrf_spec.rb
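Review bot: The new `.to_a` on the Content-Disposition header only works when the header is absent: `nil.to_a` is `[]`, but `String#to_a` does not exist in Ruby 1.9+, so any response that does carry the header makes the example error with NoMethodError instead of failing with a readable message. `Array(...)` would not help either, because `include("database.yml")` on an array tests element equality rather than substring, which would pass even for `["attachment; filename=database.yml"]`. Coerce to a string instead: `expect(page.response_headers["Content-Disposition"].to_s).not_to include("database.yml")`. The scenario's opening lines, including where `download_url` comes from, are above the hunk.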
@@ -10,7 +10,7 @@ feature "csrf" do
 pending unless verifying_fixed?
 end
- scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
+ scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
 visit "/" # TODO: is there a way to get this without visiting root first?
 base_url = current_url
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index 43f6f59..ab3e3cb 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
@@ -23,7 +23,7 @@ feature "mass assignment" do
 expect(normal_user.reload.admin).to be_falsy
 end
- scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
+ scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role" do
 params = { user: { admin: "t", email: "hackety@h4x0rs.c0m", first_name: "hackety",
From 483112bb18f21a68e40327e80f235ad443dd2700 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 17:06:23 -0500
Subject: [PATCH 06/13] clean up mass_assignment_spec
---
 spec/vulnerabilities/mass_assignment_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index ab3e3cb..5b40ca0 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
@@ -33,6 +33,6 @@ feature "mass assignment" do
 page.driver.post "/users", params
- expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil
+ expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy
 end
 end
From 5191409db6372d57a21c41f088605dc28b91d54a Mon Sep 17 00:00:00 2001
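Review bot: The new expectation in the mass_assignment hunk calls `.admin` on the result of `User.find_by`, which is `nil` whenever the signup did not create the user, so that case now errors with NoMethodError instead of reporting which property failed. The change also quietly flips the contract from "the request is rejected" to "the user is created but the admin flag is dropped"; both halves should be explicit: `created = User.find_by(email: "hackety@h4x0rs.c0m")`, `expect(created).not_to be_nil`, `expect(created.admin).to be_falsy`. The `params` hash that carries `admin: "t"` is built above this hunk.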
From: Nicole Rifkin
Date: Thu, 21 Nov 2019 09:07:38 -0500
Subject: [PATCH 07/13] validate root is localhost in redirect_spec
---
 spec/vulnerabilities/unvalidated_redirects_spec.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb
index cb880e4..97b9627 100644
--- a/spec/vulnerabilities/unvalidated_redirects_spec.rb
+++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb
@@ -20,6 +20,7 @@ feature "unvalidated redirect" do
 click_on "Login"
 end
+ expect(current_url).to start_with("http://127.0.0.1")
 expect(current_path).to eq("/dashboard/home")
 end
 end
From 7e25fd0f6cdc20278d0f680a7d3de09e33186aa3 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Wed, 18 Mar 2020 09:07:28 -0700
Subject: [PATCH 08/13] Fix decryption IV
---
 lib/encryption.rb | 2 +-
 spec/lib/encryption_spec.rb | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 spec/lib/encryption_spec.rb
diff --git a/lib/encryption.rb b/lib/encryption.rb
index bf654e6..431ec8e 100644
--- a/lib/encryption.rb
+++ b/lib/encryption.rb
@@ -15,7 +15,7 @@ module Encryption
 aes = OpenSSL::Cipher.new(cipher_type)
 aes.decrypt
 aes.key = key[0..31]
- aes.iv = iv[0.15] if iv != nil
+ aes.iv = iv[0..15] if iv != nil
 decoded = Base64.strict_decode64("#{val}")
 aes.update("#{decoded}") + aes.final
 end
diff --git a/spec/lib/encryption_spec.rb b/spec/lib/encryption_spec.rb
new file mode 100644
index 0000000..c039df7
--- /dev/null
+++ b/spec/lib/encryption_spec.rb
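Review bot: The added `start_with("http://127.0.0.1")` in the unvalidated_redirects hunk is a string-prefix check on a URL, which is exactly the comparison an open-redirect test should avoid: it accepts any origin whose text begins with that prefix, and it ties the spec to one server address (under the rack_test driver `current_url` is built from `Capybara.app_host`, which may not be 127.0.0.1 — worth confirming which driver this scenario runs on). Compare the parsed host against what the scenario is actually guarding against, the external host it supplies in the `url` parameter above this hunk, e.g. `expect(URI.parse(current_url).host).not_to eq(URI.parse(<the external url the scenario passes>).host)`, and keep the existing `current_path` check for the positive case. The scenario's setup, including that external URL, starts outside the hunk.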
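Review bot: The corrected line `aes.iv = iv[0..15] if iv != nil` in lib/encryption.rb still lets a nil IV fall through silently: the cipher then decrypts with OpenSSL's default (effectively all-zero) IV, so a record whose IV is missing yields garbage or a bad-decrypt error at `aes.final` with nothing pointing at the real cause. Unless the nil case is deliberate for legacy records, fail early with `raise ArgumentError, "iv is required for decryption" if iv.nil?` and mirror the policy on the encrypt side, which is outside this hunk; if it is deliberate, say so in a comment on that line. Smaller style points on the new and surrounding lines: `iv != nil` reads better as `unless iv.nil?`, and `"#{val}"` / `"#{decoded}"` are just `val.to_s` / `decoded`. The enclosing method (presumably `decrypt_sensitive_value`, the name the new spec calls) begins above the hunk.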
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+require "spec_helper"
+require_relative "../../lib/encryption"
+
+describe Encryption do
+ let(:value) {
+ allow(Encryption).to receive(:key).and_return(SecureRandom.bytes(32))
+ allow(Encryption).to receive(:iv).and_return(SecureRandom.bytes(16))
+
+ "OMG PII"
+ }
+
+ it "encrypts values" do
+ encrypted = Encryption.encrypt_sensitive_value(value)
+ expect(Base64.decode64(encrypted)).not_to eq(value)
+ end
+
+ it "decrypts values" do
+ encrypted = Encryption.encrypt_sensitive_value(value)
+ decrypted = Encryption.decrypt_sensitive_value(encrypted)
+
+ expect(decrypted).to eq(value)
+ end
+end
From 4c7286d0885903bcd15da5f584a0f1def6ab5471 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Wed, 18 Mar 2020 14:17:55 -0700
Subject: [PATCH 09/13] Remove unused dashboard README link
---
 app/views/dashboard/home.html.erb | 62 +++++++++++++------------------
 1 file changed, 26 insertions(+), 36 deletions(-)
diff --git a/app/views/dashboard/home.html.erb b/app/views/dashboard/home.html.erb
index 36e5d6b..b103978 100644
--- a/app/views/dashboard/home.html.erb
+++ b/app/views/dashboard/home.html.erb
@@ -1,43 +1,37 @@
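Review bot: The `allow(...)` stubs for `Encryption.key` and `Encryption.iv` are placed inside `let(:value)`, so they are only installed as a side effect of the first reference to `value`; an example that calls the encryption helpers before touching `value` would run against the real key source, and a reader looking for setup will not find it in a `let`. Move the stubs into a `before` block and leave `let(:value)` as a plain value. The example also relies on `SecureRandom` and `Base64` being loaded by spec_helper rather than required here — presumably fine in a Rails spec, but worth confirming since this file requires the library directly.
```ruby
describe Encryption do
  before do
    allow(Encryption).to receive(:key).and_return(SecureRandom.bytes(32))
    allow(Encryption).to receive(:iv).and_return(SecureRandom.bytes(16))
  end

  let(:value) { "OMG PII" }

  # … unchanged: the "encrypts values" and "decrypts values" examples …
```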
-
-
-
-
- Current Statistics -
- -
- -
- -
-
- <%#= render partial: "dashboard_stats" %> -
-
-
-
-
-
Need help using this portal? Check out the Readme
-
+
+
+
+
+ Current Statistics +
+ +
+ +
+ +
+
+ <%#= render partial: "dashboard_stats" %> +
+
+
+
+
- - - - - - - From 6acf74aa350a58adea5f4370dc6eee5e2543164e Mon Sep 17 00:00:00 2001 From: Justin Collins Date: Wed, 25 Mar 2020 11:22:20 -0700 Subject: [PATCH 10/13] Strip whitespace from email when logging in Makes it a little easier to copy-paste credentials --- app/controllers/sessions_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 203f116..3221cb4 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -12,7 +12,7 @@ class SessionsController < ApplicationController path = params[:url].present? ? params[:url] : home_dashboard_index_path begin # Normalize the email address, why not - user = User.authenticate(params[:email].to_s.downcase, params[:password]) + user = User.authenticate(params[:email].to_s.strip.downcase, params[:password]) rescue RuntimeError => e # don't do ANYTHING end From fc77a9846108f67d031540629a3b05d1d58b469c Mon Sep 17 00:00:00 2001 From: Justin Collins Date: Wed, 25 Mar 2020 11:57:59 -0700 Subject: [PATCH 11/13] Fix alert box on account settings Remove unnecessary divs that were adding extra whitespace to top of page --- app/views/users/account_settings.html.erb | 34 ++++++++++------------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/app/views/users/account_settings.html.erb b/app/views/users/account_settings.html.erb index 709a77d..d2ab8be 100755 --- a/app/views/users/account_settings.html.erb +++ b/app/views/users/account_settings.html.erb @@ -1,28 +1,22 @@
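Review bot: In the sessions_controller hunk the comment `# Normalize the email address, why not` now undersells a deliberate behavioural decision that the commit message explains; make the line self-documenting with `# Normalize the email: strip surrounding whitespace (copy-pasted credentials) and downcase so the lookup matches the stored address`. The normalization only works if the same `strip.downcase` is applied wherever the email is written to the User record, which is outside this hunk and worth confirming. Separately, the surrounding `rescue RuntimeError => e` with an empty body swallows whatever `User.authenticate` raises and leaves `e` unused; that is existing code, but this is the place to at least log it. The `create` action's definition starts above the hunk.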
-
- +
-
-
- -
+
From d25e62db1c57f9998a06d1d33818961294fc2031 Mon Sep 17 00:00:00 2001 From: Justin Collins Date: Thu, 26 Mar 2020 10:50:41 -0700 Subject: [PATCH 12/13] Fix alert boxes on bank account settings page --- app/views/pay/index.html.erb | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/app/views/pay/index.html.erb b/app/views/pay/index.html.erb index b807bc0..38af494 100644 --- a/app/views/pay/index.html.erb +++ b/app/views/pay/index.html.erb @@ -1,27 +1,23 @@
-
- +
-
- +
From de04f0fff17e33b51a66e3741cf1c15c7d6f582e Mon Sep 17 00:00:00 2001 From: Justin Collins Date: Fri, 27 Mar 2020 09:43:51 -0700 Subject: [PATCH 13/13] Fix missing < on bonus work info Plus some whitespace adjustment for clarity --- app/views/work_info/index.html.erb | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/app/views/work_info/index.html.erb b/app/views/work_info/index.html.erb index ab0e9b5..ca3ef98 100644 --- a/app/views/work_info/index.html.erb +++ b/app/views/work_info/index.html.erb @@ -12,26 +12,26 @@ - + - - + - + - - - - - + + + + +
Full NameFull Name IncomeBonus/th> + Bonus Years w/ MetaCorp SSNDoBDoB
<%= "#{@user.first_name} #{@user.last_name}" %> <%= @user.work_info.income %> <%= @user.work_info.bonuses %> <%= @user.work_info.years_worked %><%= @user.work_info.SSN %><%= @user.work_info.DoB %><%= @user.work_info.SSN %><%= @user.work_info.DoB %>