From 144a6eed2aea17023e27dea7cf3bb77759eb4844 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 3 Jul 2015 10:52:29 -0400 Subject: [PATCH 01/10] updated gemfile --- Gemfile | 2 +- Gemfile.lock | 117 ++++++++++++++++++++++++++++++++------------------- 2 files changed, 74 insertions(+), 45 deletions(-) diff --git a/Gemfile b/Gemfile index 25bb777..c78f5cc 100755 --- a/Gemfile +++ b/Gemfile @@ -1,7 +1,7 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '4.0.13' +gem 'rails', '4.2.2' ruby '2.2.2' diff --git a/Gemfile.lock b/Gemfile.lock index d834ed1..7bd6b59 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -1,32 +1,43 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (4.0.13) - actionpack (= 4.0.13) + actionmailer (4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) mail (~> 2.5, >= 2.5.4) - actionpack (4.0.13) - activesupport (= 4.0.13) - builder (~> 3.1.0) - erubis (~> 2.7.0) - rack (~> 1.5.2) + rails-dom-testing (~> 1.0, >= 1.0.5) + actionpack (4.2.2) + actionview (= 4.2.2) + activesupport (= 4.2.2) + rack (~> 1.6) rack-test (~> 0.6.2) - activemodel (4.0.13) - activesupport (= 4.0.13) - builder (~> 3.1.0) - activerecord (4.0.13) - activemodel (= 4.0.13) - activerecord-deprecated_finders (~> 1.0.2) - activesupport (= 4.0.13) - arel (~> 4.0.0) - activerecord-deprecated_finders (1.0.4) - activesupport (4.0.13) - i18n (~> 0.6, >= 0.6.9) - minitest (~> 4.2) - multi_json (~> 1.3) - thread_safe (~> 0.1) - tzinfo (~> 0.3.37) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + actionview (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) + erubis (~> 2.7.0) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + activejob (4.2.2) + activesupport (= 4.2.2) + globalid (>= 0.3.0) + activemodel (4.2.2) + activesupport (= 4.2.2) + builder (~> 3.1) + activerecord (4.2.2) + activemodel (= 4.2.2) + activesupport (= 4.2.2) + arel (~> 6.0) + activesupport (4.2.2) + i18n (~> 0.7) + json (~> 1.7, >= 1.7.7) + minitest (~> 5.1) + thread_safe (~> 0.3, >= 0.3.4) + tzinfo (~> 1.1) addressable (2.3.8) - arel (4.0.2) + arel (6.0.0) aruba (0.6.2) childprocess (>= 0.3.6) cucumber (>= 1.1.1) @@ -48,7 +59,7 @@ GEM ruby_parser (~> 3.7.0) sass (~> 3.0) terminal-table (~> 1.4) - builder (3.1.4) + builder (3.2.2) bundler-audit (0.4.0) bundler (~> 1.2) thor (~> 0.18) 
@@ -95,13 +106,15 @@ GEM foreman (0.78.0) thor (~> 0.19.1) formatador (0.2.5) - gauntlt (1.0.6) + gauntlt (0.1.4) aruba cucumber - nokogiri (~> 1.5.0) + nokogiri trollop gherkin (2.12.2) multi_json (~> 1.3) + globalid (0.3.5) + activesupport (>= 4.1.0) guard (2.12.7) formatador (>= 0.2.4) listen (>= 2.7, <= 4.0) @@ -134,8 +147,9 @@ GEM actionpack (>= 3.1) railties (>= 3.1) sass (>= 3.2) - jquery-rails (3.1.3) - railties (>= 3.0, < 5.0) + jquery-rails (4.0.4) + rails-dom-testing (~> 1.0) + railties (>= 4.2.0) thor (>= 0.14, < 2.0) json (1.8.3) kgio (2.9.3) @@ -145,6 +159,8 @@ GEM listen (3.0.1) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) + loofah (2.0.2) + nokogiri (>= 1.5.9) lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) @@ -159,12 +175,13 @@ GEM method_source (0.8.2) mime-types (2.6.1) mini_portile (0.6.2) - minitest (4.7.5) + minitest (5.7.0) multi_json (1.11.1) multi_test (0.1.2) mysql2 (0.3.18) nenv (0.2.0) - nokogiri (1.5.11) + nokogiri (1.6.6.2) + mini_portile (~> 0.6.0) notiffany (0.0.6) nenv (~> 0.1) shellany (~> 0.0) 
@@ -182,24 +199,35 @@ GEM slop (~> 3.4) pry-rails (0.3.4) pry (>= 0.9.10) - rack (1.5.5) + rack (1.6.4) rack-livereload (0.3.15) rack rack-protection (1.5.3) rack rack-test (0.6.3) rack (>= 1.0) - rails (4.0.13) - actionmailer (= 4.0.13) - actionpack (= 4.0.13) - activerecord (= 4.0.13) - activesupport (= 4.0.13) + rails (4.2.2) + actionmailer (= 4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) + activemodel (= 4.2.2) + activerecord (= 4.2.2) + activesupport (= 4.2.2) bundler (>= 1.3.0, < 2.0) - railties (= 4.0.13) - sprockets-rails (~> 2.0) - railties (4.0.13) - actionpack (= 4.0.13) - activesupport (= 4.0.13) + railties (= 4.2.2) + sprockets-rails + rails-deprecated_sanitizer (1.0.3) + activesupport (>= 4.2.0.alpha) + rails-dom-testing (1.0.6) + activesupport (>= 4.2.0.beta, < 5.0) + nokogiri (~> 1.6.0) + rails-deprecated_sanitizer (>= 1.0.1) + rails-html-sanitizer (1.0.2) + loofah (~> 2.0) + railties (4.2.2) + actionpack (= 4.2.2) + activesupport (= 4.2.2) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) raindrops (0.14.0) @@ -276,7 +304,8 @@ GEM trollop (2.1.2) turbolinks (2.5.3) coffee-rails - tzinfo (0.3.44) + tzinfo (1.2.2) + thread_safe (~> 0.1) uglifier (2.7.1) execjs (>= 0.3.0) json (>= 1.8.0) @@ -322,7 +351,7 @@ DEPENDENCIES pry pry-rails rack-livereload - rails (= 4.0.13) + rails (= 4.2.2) rb-fsevent rspec-rails (= 2.14.2) sass-rails @@ -336,4 +365,4 @@ DEPENDENCIES unicorn BUNDLED WITH - 1.10.4 + 1.10.5 From 58fb4025c925a5b4fd30fdc00f5998460d525f84 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 3 Jul 2015 11:37:02 -0400 Subject: [PATCH 02/10] kinda cant do much without bootstrap --- app/assets/javascripts/application.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/assets/javascripts/application.js b/app/assets/javascripts/application.js index f58ec86..aa51d07 100755 --- a/app/assets/javascripts/application.js +++ b/app/assets/javascripts/application.js 
@@ -16,6 +16,7 @@ //= require wysiwyg/wysihtml5-0.3.0.js //= require jquery.min.js //= require jquery.scrollUp.js +//= require bootstrap.js //= require wysiwyg/bootstrap-wysihtml5.js //= require bootstrap-colorpicker.js //= require date-picker/date.js @@ -32,7 +33,6 @@ //= require jsapi //= html5.js - function rubyCodeFormat() { From 5945b4956d8c9996279a65395e9c2c449c0c0187 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 3 Jul 2015 11:49:10 -0400 Subject: [PATCH 03/10] better spacing while troubleshooting --- app/controllers/sessions_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index fdf2edc..f9172d9 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -25,7 +25,7 @@ class SessionsController < ApplicationController redirect_to path else # Removed this code, just doesn't seem specific enough! - # flash[:error] = "Either your username and password is incorrect" + # flash[:error] = "Either your username and password is incorrect" flash[:error] = e.message render "new" end From f6f3af918a204dbdd3c1570dd861852f449a5ce9 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 3 Jul 2015 12:10:58 -0400 Subject: [PATCH 04/10] fixes change show that error messages display and the broken auth tests are not failing. Basically in Rails 4 each error messages name value is no longer a symbol but a string --- app/views/layouts/shared/_messages.html.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/views/layouts/shared/_messages.html.erb b/app/views/layouts/shared/_messages.html.erb index 76785d5..08ef212 100755 --- a/app/views/layouts/shared/_messages.html.erb +++ b/app/views/layouts/shared/_messages.html.erb @@ -1,4 +1,5 @@ <% flash.each do |name, msg| %> + <% name = name.to_sym %> <% if name == :error %>
× From a2c4f46c2614a7115426cea08a0d030f4d081923 Mon Sep 17 00:00:00 2001 From: cktricky Date: Mon, 6 Jul 2015 13:25:46 -0400 Subject: [PATCH 05/10] I have changed the second visit statement from the root path (/) to the account settings page. The reason is that the submit button is changed via JS but you need to be at the account settings page to see that change --- spec/vulnerabilities/xss_spec.rb | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/spec/vulnerabilities/xss_spec.rb b/spec/vulnerabilities/xss_spec.rb index 325da0b..9549f4d 100644 --- a/spec/vulnerabilities/xss_spec.rb +++ b/spec/vulnerabilities/xss_spec.rb @@ -20,10 +20,11 @@ feature 'xss' do click_on 'Submit' sleep(1) - visit '/' - - pending(:if => verifying_fixed?) { find('div input.btn').value.should == 'RailsGoat h4x0r3d' } - + + visit "/users/#{@normal_user.user_id}/account_settings" + + pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' } + # might be nice to demonstrate posting cookie contents or somesuch, but # this at least shows the vulnerability still exists. end From b89f520a7dabc5139a8d0e013177e10e6bb471fe Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 10 Jul 2015 17:38:37 -0400 Subject: [PATCH 06/10] not sure why this was removed in the first place --- app/controllers/users_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 5d812df..bcea95b 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
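Review bot: The added `<% name = name.to_sym %>` reassigns the block parameter only so that the next line can keep comparing against the symbol `:error`; comparing on the string side is clearer and needs no intermediate, e.g. `<% if name.to_s == 'error' %>`. As the commit message says, Rails 4 yields flash keys as strings, and those keys come from the controllers rather than from request input, so the `to_sym` itself is not a concern, just an extra step. The `flash.each` block continues past the end of the hunk.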
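Review bot: The new `find('#submit_button').value.should == 'RailsGoat h4x0r3d'` reads the value once, so it only passes if the page script has already rewritten the button by the time `find` returns — `find` waits for the element to exist, not for its value to change, and the `sleep(1)` above sits before the `visit`, not after it. A matcher that carries the expected text waits for the change itself, e.g. `page.should have_button('RailsGoat h4x0r3d')`, assuming `#submit_button` is a submit input or button like the `div input.btn` it replaces; the `should` form matches the rspec-rails 2.14.2 pin in Gemfile.lock. `@normal_user` is set up outside the hunk and the `feature 'xss'` block starts outside it too.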
@@ -32,7 +32,7 @@ class UsersController < ApplicationController #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") - user = User.where("user_id = '#{params[:user][:user_id]}'").first + user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") if user user.skip_user_id_assign = true user.skip_hash_password = true From 1e5962a1ca7fc1fbbef38892c405350b441a3ae7 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 10 Jul 2015 17:52:37 -0400 Subject: [PATCH 07/10] Revert "not sure why this was removed in the first place" This reverts commit b89f520a7dabc5139a8d0e013177e10e6bb471fe. --- app/controllers/users_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index bcea95b..5d812df 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -32,7 +32,7 @@ class UsersController < ApplicationController #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"]) # user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") - user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'") + user = User.where("user_id = '#{params[:user][:user_id]}'").first if user user.skip_user_id_assign = true user.skip_hash_password = true From 5c62c1b0216c9118964d9fb496d7459d3858c51f Mon Sep 17 00:00:00 2001 From: cktricky Date: Tue, 18 Aug 2015 12:27:20 -0400 Subject: [PATCH 08/10] the setting was incorrect and did not match what we show in the tutorial --- config/initializers/session_store.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index a60be40..caf4a5b 100755 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb 
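Review bot: `User.find(:first, :conditions => ...)` is the pre-Rails-4 finder API; on Rails 4.0 it only works through the `activerecord-deprecated_finders` gem, which PATCH 01 removes from Gemfile.lock together with the move to Rails 4.2.2, so as far as I can tell this line fails at runtime on the upgraded app. PATCH 07 reverts it, so the series ends up consistent, but the pair could be squashed so the broken state never lands on the branch. The enclosing action starts and ends outside the hunk.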
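Review bot: The restored `User.where("user_id = '#{params[:user][:user_id]}'").first` builds the WHERE clause by interpolating request input into a SQL string, which is the SQL injection lesson RailsGoat teaches; because that is deliberate, the line should say so, otherwise a reader or a scanner sees a plain defect sitting next to the commented-out bound-parameter form above it. A marker such as `# INTENTIONAL (RailsGoat lesson): string-built SQL; the fixed form is the bound-parameter query in the comment above` on the line before it would make the intent explicit for anyone who later tries to "clean it up". The enclosing action starts and ends outside the hunk.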
@@ -1,3 +1,3 @@ # Be sure to restart your server when you modify this file. -Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session' +Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', httponly: false From cdbf2d7d92adb8bb688a9ef5afaaf7e5d9f35f3b Mon Sep 17 00:00:00 2001 From: cktricky Date: Tue, 18 Aug 2015 20:23:35 -0400 Subject: [PATCH 09/10] mass assignment vulnerability, how it manifests in Rails 4 --- app/controllers/users_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 5d812df..58ca211 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -55,7 +55,7 @@ class UsersController < ApplicationController private def user_params - params.require(:user).permit(:email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation) + params.require(:user).permit! end # unpermitted attributes are ignored in production From d8f9ba6eefb9444adb9966e5be47676bb4a5fc05 Mon Sep 17 00:00:00 2001 From: cktricky Date: Tue, 18 Aug 2015 21:29:39 -0400 Subject: [PATCH 10/10] updated to reflect the rails 3 deprecation --- README.md | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index cd37342..f39a479 100755 --- a/README.md +++ b/README.md 
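Review bot: `httponly: false` removes the HttpOnly attribute from the `_railsgoat_session` cookie, so script running in the page can read the session cookie; Rails' cookie store sets `httponly: true` by default, which is why the old line did not need to mention it. The commit message says the setting now matches the tutorial, so it is intentional, but the file itself carries no hint of that — a comment such as `# INTENTIONAL (RailsGoat lesson): HttpOnly disabled so the session cookie is readable from page script; real apps keep Rails' default httponly: true` would stop a later cleanup or audit from treating it as an accident.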
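Review bot: `params.require(:user).permit!` marks the entire `params[:user]` hash as permitted, so every submitted attribute now reaches the model, and the context comment that closes the hunk, `# unpermitted attributes are ignored in production`, is misleading afterwards because nothing is unpermitted any more; it should be reworded or dropped. Note that the replaced list already contained `:admin`, so the attribute the mass-assignment lesson exposes was reachable before this change too — if the point is to show the Rails 4 shape of the bug, say so on the method, e.g. `# INTENTIONAL (RailsGoat lesson): permit! accepts every attribute; a real app lists the fields it accepts`. The `private` section continues outside the hunk.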
@@ -1,42 +1,49 @@ # RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) -RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. +RailsGoat is a vulnerable version of the Ruby on Rails Framework both versions 3 and 4. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. ## Getting Started To begin, install the Ruby Version Manager (RVM): -``` +```bash $ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=2.1.2 ``` After installing the package, clone this repo: -``` +```bash $ git clone git@github.com:OWASP/railsgoat.git ``` -Navigate into the directory and install the dependencies: +**NOTE: NOT NECESSARY IF YOU WANT TO WORK WITH RAILS 4.** Otherwise, if you wish to use the Rails 3 version, you'll need to switch branches +```bash +$ cd railsgoat +$ git checkout rails_3_2 ``` + +Navigate into the directory (already there if you followed the previous step) and install the dependencies: + +```bash $ bundle install ``` If you receive an error, make sure you have `bundler` installed: -``` +```bash $ gem install bundler ``` Initialize the database: -``` +```bash $ rake db:setup ``` Start the Thin web server: -``` +```bash $ rails server ```