diff --git a/Gemfile b/Gemfile index 7b630fe..effa434 100755 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '4.0.13' +gem 'rails', '4.2.2' ruby '2.2.2' diff --git a/Gemfile.lock b/Gemfile.lock index a4c4652..6c604d7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,32 +1,43 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.0.13) - actionpack (= 4.0.13) + actionmailer (4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) mail (~> 2.5, >= 2.5.4) - actionpack (4.0.13) - activesupport (= 4.0.13) - builder (~> 3.1.0) - erubis (~> 2.7.0) - rack (~> 1.5.2) + rails-dom-testing (~> 1.0, >= 1.0.5) + actionpack (4.2.2) + actionview (= 4.2.2) + activesupport (= 4.2.2) + rack (~> 1.6) rack-test (~> 0.6.2) - activemodel (4.0.13) - activesupport (= 4.0.13) - builder (~> 3.1.0) - activerecord (4.0.13) - activemodel (= 4.0.13) - activerecord-deprecated_finders (~> 1.0.2) - activesupport (= 4.0.13) - arel (~> 4.0.0) - activerecord-deprecated_finders (1.0.4) - activesupport (4.0.13) - i18n (~> 0.6, >= 0.6.9) - minitest (~> 4.2) - multi_json (~> 1.3) - thread_safe (~> 0.1) - tzinfo (~> 0.3.37) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + actionview (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) + erubis (~> 2.7.0) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + activejob (4.2.2) + activesupport (= 4.2.2) + globalid (>= 0.3.0) + activemodel (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) + activerecord (4.2.2) + activemodel (= 4.2.2) + activesupport (= 4.2.2) + arel (~> 6.0) + activesupport (4.2.2) + i18n (~> 0.7) + json (~> 1.7, >= 1.7.7) + minitest (~> 5.1) + thread_safe (~> 0.3, >= 0.3.4) + tzinfo (~> 1.1) addressable (2.3.8) - arel (4.0.2) + arel (6.0.3) aruba (0.7.4) childprocess (>= 0.3.6) cucumber (>= 1.1.1) 
@@ -48,7 +59,7 @@ GEM ruby_parser (~> 3.7.0) sass (~> 3.0) terminal-table (~> 1.4) - builder (3.1.4) + builder (3.2.2) bundler-audit (0.4.0) bundler (~> 1.2) thor (~> 0.18) @@ -95,13 +106,14 @@ GEM foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) - gauntlt (1.0.6) - aruba + gauntlt (0.1.4) cucumber - nokogiri (~> 1.5.0) + nokogiri trollop gherkin (2.12.2) multi_json (~> 1.3) + globalid (0.3.6) + activesupport (>= 4.1.0) guard (2.13.0) formatador (>= 0.2.4) listen (>= 2.7, <= 4.0) @@ -134,8 +146,9 @@ GEM actionpack (>= 3.1) railties (>= 3.1) sass (>= 3.2) - jquery-rails (3.1.3) - railties (>= 3.0, < 5.0) + jquery-rails (4.0.4) + rails-dom-testing (~> 1.0) + railties (>= 4.2.0) thor (>= 0.14, < 2.0) json (1.8.3) kgio (2.9.3) @@ -145,6 +158,8 @@ GEM listen (3.0.3) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) + loofah (2.0.3) + nokogiri (>= 1.5.9) lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) @@ -158,12 +173,14 @@ GEM thin (~> 1.5.0) method_source (0.8.2) mime-types (2.6.1) - minitest (4.7.5) + mini_portile (0.6.2) + minitest (5.8.0) multi_json (1.11.2) multi_test (0.1.2) mysql2 (0.3.19) nenv (0.2.0) - nokogiri (1.5.11) + nokogiri (1.6.6.2) + mini_portile (~> 0.6.0) notiffany (0.0.7) nenv (~> 0.1) shellany (~> 0.0) 
@@ -181,24 +198,35 @@ GEM slop (~> 3.4) pry-rails (0.3.4) pry (>= 0.9.10) - rack (1.5.5) + rack (1.6.4) rack-livereload (0.3.16) rack rack-protection (1.5.3) rack rack-test (0.6.3) rack (>= 1.0) - rails (4.0.13) - actionmailer (= 4.0.13) - actionpack (= 4.0.13) - activerecord (= 4.0.13) - activesupport (= 4.0.13) + rails (4.2.2) + actionmailer (= 4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) + activemodel (= 4.2.2) + activerecord (= 4.2.2) + activesupport (= 4.2.2) bundler (>= 1.3.0, < 2.0) - railties (= 4.0.13) - sprockets-rails (~> 2.0) - railties (4.0.13) - actionpack (= 4.0.13) - activesupport (= 4.0.13) + railties (= 4.2.2) + sprockets-rails + rails-deprecated_sanitizer (1.0.3) + activesupport (>= 4.2.0.alpha) + rails-dom-testing (1.0.7) + activesupport (>= 4.2.0.beta, < 5.0) + nokogiri (~> 1.6.0) + rails-deprecated_sanitizer (>= 1.0.1) + rails-html-sanitizer (1.0.2) + loofah (~> 2.0) + railties (4.2.2) + actionpack (= 4.2.2) + activesupport (= 4.2.2) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) raindrops (0.15.0) @@ -275,7 +303,8 @@ GEM trollop (2.1.2) turbolinks (2.5.3) coffee-rails - tzinfo (0.3.44) + tzinfo (1.2.2) + thread_safe (~> 0.1) uglifier (2.7.1) execjs (>= 0.3.0) json (>= 1.8.0) @@ -320,7 +349,7 @@ DEPENDENCIES pry pry-rails rack-livereload - rails (= 4.0.13) + rails (= 4.2.2) rb-fsevent rspec-rails (= 2.14.2) sass-rails diff --git a/README.md b/README.md index cd37342..f39a479 100755 --- a/README.md +++ b/README.md 
@@ -1,42 +1,49 @@ # RailsGoat [](https://travis-ci.org/OWASP/railsgoat) [](https://codeclimate.com/github/OWASP/railsgoat) -RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. +RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. ## Getting Started To begin, install the Ruby Version Manager (RVM): -``` +```bash $ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2 ``` After installing the package, clone this repo: -``` +```bash $ git clone git@github.com:OWASP/railsgoat.git ``` -Navigate into the directory and install the dependencies: +**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches +```bash +$ cd railsgoat +$ git checkout rails_3_2 ``` + +Navigate into the directory (already there if you followed the previous step) and install the dependencies: + +```bash $ bundle install ``` If you receive an error, make sure you have `bundler` installed: -``` +```bash $ gem install bundler ``` Initialize the database: -``` +```bash $ rake db:setup ``` Start the Thin web server: -``` +```bash $ rails server ``` diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js index f58ec86..aa51d07 100755 --- a/app/assets/javascripts/application.js +++ b/app/assets/javascripts/application.js 
@@ -16,6 +16,7 @@ //= require wysiwyg/wysihtml5-0.3.0.js //= require jquery.min.js //= require jquery.scrollUp.js +//= require bootstrap.js //= require wysiwyg/bootstrap-wysihtml5.js //= require bootstrap-colorpicker.js //= require date-picker/date.js @@ -32,7 +33,6 @@ //= require jsapi //= html5.js - function rubyCodeFormat() { diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index fdf2edc..f9172d9 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -25,7 +25,7 @@ class SessionsController < ApplicationController redirect_to path else # Removed this code, just doesn't seem specific enough! - # flash[:error] = "Either your username and password is incorrect" + # flash[:error] = "Either your username and password is incorrect" flash[:error] = e.message render "new" end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 5d812df..58ca211 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -55,7 +55,7 @@ class UsersController < ApplicationController private def user_params - params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation) + params.require(:user).permit! end # unpermitted attributes are ignored in production diff --git a/app/views/layouts/shared/_messages.html.erb b/app/views/layouts/shared/_messages.html.erb index 76785d5..08ef212 100755 --- a/app/views/layouts/shared/_messages.html.erb +++ b/app/views/layouts/shared/_messages.html.erb @@ -1,4 +1,5 @@ <% flash.each do |name, msg| %> + <% name = name.to_sym %> <% if name == :error %>
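Review bot: `params.require(:user).permit!` in `user_params` (users_controller.rb hunk) whitelists every key the client submits, so the mass-assignment protection the old explicit list provided is gone, and the comment that still follows it, `# unpermitted attributes are ignored in production`, now describes a case that can no longer occur. If this is the deliberately vulnerable behaviour for the Rails 4 branch, mark it as such so a reader does not take it for an oversight, e.g. `# INTENTIONAL (training app): permit! allows mass assignment of any attribute, including :admin`, and adjust or drop the stale comment below it. Otherwise restore an explicit allow-list such as `params.require(:user).permit(:email, :first_name, :last_name, :password, :password_confirmation)`; note the removed list also accepted `:admin` and `:user_id`, which deserve the same scrutiny since a user editing their own record should not be able to set them. The `private` section and the rest of the class continue outside the hunk.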