diff --git a/app/views/layouts/tutorial/csrf/_csrf_first.html.erb b/app/views/layouts/tutorial/csrf/_csrf_first.html.erb index 79c7213..ff4f512 100755 --- a/app/views/layouts/tutorial/csrf/_csrf_first.html.erb +++ b/app/views/layouts/tutorial/csrf/_csrf_first.html.erb @@ -59,17 +59,27 @@

Cross-Site Request Forgery ATTACK:

-

- Save this content to an .html file and open it... +

+ The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will not validate either it's presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.

- + 

 						<%= 
-			   				%{
-			   					
-			   				} 
+ %{
+ 	
+ 	  
+ 	    

+ 	      
+ 	      
+ 	      
+ 	      
+ 	      
+ 	    

+ 	  
+ 	
+ } 
 			   			%>
-					
+

Cross-Site Request Forgery SOLUTION:

@@ -109,7 +119,7 @@
- Under progess.... + PTO is precious, glad my calendar is safe!