From 47095b72d0d3c624bba72d58f72bf56030edbd1f Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 29 Jul 2014 11:43:51 -0400 Subject: [PATCH 1/7] Upgraded Rails from 3.2.11 to 3.2.19 - Step 1 of Rails 4.1.x upgrade --- Gemfile | 3 +-- Gemfile.lock | 62 +++++++++++++++++++++++++--------------------------- 2 files changed, 31 insertions(+), 34 deletions(-) diff --git a/Gemfile b/Gemfile index ff224d7..ee1afb3 100755 --- a/Gemfile +++ b/Gemfile @@ -1,8 +1,7 @@ source 'https://rubygems.org' #don't upgrade -gem 'rails', '3.2.11' -gem 'rack', '1.4.0' +gem 'rails', '3.2.19' ruby '2.1.2' diff --git a/Gemfile.lock b/Gemfile.lock index 791e6a7..38893eb 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,32 +1,32 @@ GEM remote: https://rubygems.org/ specs: - actionmailer (3.2.11) - actionpack (= 3.2.11) - mail (~> 2.4.4) - actionpack (3.2.11) - activemodel (= 3.2.11) - activesupport (= 3.2.11) + actionmailer (3.2.19) + actionpack (= 3.2.19) + mail (~> 2.5.4) + actionpack (3.2.19) + activemodel (= 3.2.19) + activesupport (= 3.2.19) builder (~> 3.0.0) erubis (~> 2.7.0) journey (~> 1.0.4) - rack (~> 1.4.0) + rack (~> 1.4.5) rack-cache (~> 1.2) rack-test (~> 0.6.1) sprockets (~> 2.2.1) - activemodel (3.2.11) - activesupport (= 3.2.11) + activemodel (3.2.19) + activesupport (= 3.2.19) builder (~> 3.0.0) - activerecord (3.2.11) - activemodel (= 3.2.11) - activesupport (= 3.2.11) + activerecord (3.2.19) + activemodel (= 3.2.19) + activesupport (= 3.2.19) arel (~> 3.0.2) tzinfo (~> 0.3.29) - activeresource (3.2.11) - activemodel (= 3.2.11) - activesupport (= 3.2.11) - activesupport (3.2.11) - i18n (~> 0.6) + activeresource (3.2.19) + activemodel (= 3.2.19) + activesupport (= 3.2.19) + activesupport (3.2.19) + i18n (~> 0.6, >= 0.6.4) multi_json (~> 1.0) addressable (2.3.6) arel (3.0.3) @@ -148,8 +148,7 @@ GEM rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) lumberjack (1.0.9) - mail (2.4.4) - i18n (>= 0.4.0) + mail (2.5.4) mime-types (~> 1.16) treetop (~> 1.4.8) mailcatcher (0.5.12) 
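Review bot: The `#don't upgrade` comment that precedes `gem 'rails', '3.2.19'` is left untouched although this hunk upgrades exactly the line it guarded and drops the `rack` pin, so the comment now contradicts the change it sits above. The pin was holding a release the old tutorial text described as vulnerable, so a reader can no longer tell whether the remaining pin is a deliberate vulnerable-component fixture or just a staging point for the 4.1 upgrade named in the subject line. Suggest replacing it with a comment that records the actual intent, e.g. `# pinned to the 3.2.x line as step 1 of the Rails 4.1 upgrade; rack is now resolved through rails`, or deleting it if no pin is deliberate. The `Gemfile.lock` hunks in this patch resolve `rack` to 1.4.5 through `rails`, so dropping the explicit pin does not float it past the 1.4 line.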
@@ -181,7 +180,7 @@ GEM coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) - rack (1.4.0) + rack (1.4.5) rack-cache (1.2) rack (>= 0.4) rack-livereload (0.3.15) @@ -192,17 +191,17 @@ GEM rack rack-test (0.6.2) rack (>= 1.0) - rails (3.2.11) - actionmailer (= 3.2.11) - actionpack (= 3.2.11) - activerecord (= 3.2.11) - activeresource (= 3.2.11) - activesupport (= 3.2.11) + rails (3.2.19) + actionmailer (= 3.2.19) + actionpack (= 3.2.19) + activerecord (= 3.2.19) + activeresource (= 3.2.19) + activesupport (= 3.2.19) bundler (~> 1.0) - railties (= 3.2.11) - railties (3.2.11) - actionpack (= 3.2.11) - activesupport (= 3.2.11) + railties (= 3.2.19) + railties (3.2.19) + actionpack (= 3.2.19) + activesupport (= 3.2.19) rack-ssl (~> 1.3.2) rake (>= 0.8.7) rdoc (~> 3.4) @@ -322,9 +321,8 @@ DEPENDENCIES poltergeist powder pry - rack (= 1.4.0) rack-livereload - rails (= 3.2.11) + rails (= 3.2.19) rb-fsevent rspec-rails (= 2.14.2) sass-rails From 670dc2ed75e68d82de099d47e579ef5e92a5e124 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 30 Jul 2014 11:23:45 -0400 Subject: [PATCH 2/7] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 38893eb..734e9d0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -235,7 +235,7 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.5.0) sexp_processor (~> 4.1) - sass (3.3.11) + sass (3.3.12) sass-rails (3.2.6) railties (~> 3.2.0) sass (>= 3.1.10) From 1620f2bf42cbdc1806d25db65294b586e97df45a Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 3 Aug 2014 20:00:31 -0400 Subject: [PATCH 3/7] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 734e9d0..f72c3ac 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -235,7 +235,7 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.5.0) sexp_processor (~> 4.1) - sass (3.3.12) + sass (3.3.14) sass-rails (3.2.6) railties (~> 3.2.0) sass (>= 3.1.10) From 791936c92a2e74042ead3e611072ce61461b1b2c Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 10 Aug 2014 18:53:21 -0400 Subject: [PATCH 4/7] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f72c3ac..550486f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -113,7 +113,7 @@ GEM lumberjack (~> 1.0) pry (>= 0.9.12) thor (>= 0.18.1) - guard-brakeman (0.8.1) + guard-brakeman (0.8.2) brakeman (>= 2.1.1) guard (>= 1.1.0) guard-livereload (2.3.0) @@ -281,7 +281,7 @@ GEM polyglot polyglot (>= 0.3.1) trollop (2.0) - tzinfo (0.3.40) + tzinfo (0.3.41) uglifier (2.5.3) execjs (>= 0.3.0) json (>= 1.8.0) From b45e54006f27d63de62e7545f1e49ea804d28525 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 16 Aug 2014 18:43:08 -0400 Subject: [PATCH 5/7] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 550486f..672adc9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -240,7 +240,7 @@ GEM railties (~> 3.2.0) sass (>= 3.1.10) tilt (~> 1.3) - sexp_processor (4.4.3) + sexp_processor (4.4.4) simplecov (0.9.0) docile (~> 1.1.0) multi_json From 2a720ffc3c130bc147d4bd87ac0016a7e65ef69b Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 18 Aug 2014 22:23:53 -0400 Subject: [PATCH 6/7] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 672adc9..6b1d65f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -40,13 +40,13 @@ GEM erubis (>= 2.6.6) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (2.6.1) + brakeman (2.6.2) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) highline (~> 1.6.20) multi_json (~> 1.2) - ruby2ruby (~> 2.0.5) + ruby2ruby (~> 2.1.1) ruby_parser (~> 3.5.0) sass (~> 3.0) slim (>= 1.3.6, < 3.0) @@ -176,7 +176,7 @@ GEM polyglot (0.3.5) powder (0.2.1) thor (>= 0.11.5) - pry (0.10.0) + pry (0.10.1) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) @@ -230,7 +230,7 @@ GEM rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - ruby2ruby (2.0.8) + ruby2ruby (2.1.1) ruby_parser (~> 3.1) sexp_processor (~> 4.0) ruby_parser (3.5.0) From 286e89ea366b045ae7a208a2fcde658ad39ed756 Mon Sep 17 00:00:00 2001 From: cktricky Date: Tue, 19 Aug 2014 12:32:19 -0400 Subject: [PATCH 7/7] removed the tutorial snippet about using Rails 3.2.11 since this is no longer the case; under the insecure components section. Also, changed the partials name to first (from second), and renumbered the collapsable sections. Ran tests, all seems good to go --- .../_insecure_components_first.html.erb | 62 +++++++--- .../_insecure_components_second.html.erb | 109 ------------------ .../tutorials/insecure_components.html.erb | 5 - 3 files changed, 45 insertions(+), 131 deletions(-) delete mode 100644 app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb diff --git a/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb b/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb index 16c8060..3f90c41 100644 --- a/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb +++ b/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb @@ -1,7 +1,7 @@
- A9 - Using Components with Known Vulnerabilities (Rack / Rails) + A9 - Using Components with Known Vulnerabilities (DOM XSS / JQuery Snippet)
@@ -16,9 +16,7 @@
-

- Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse. -

+ JQuery Snippet contains at least one DOM-Based XSS vulnerability that can be confirmed in IE11. Unknowingly, the Railsgoat development team used this library. Credit for vulnerability discovery as well as submission to <%= link_to "@raesene", "http://github.com/raesene", {:style => "color: rgb(181, 121, 158)", :target => "_blank"}%>. This was unintentional but goes to show how easily vulnerabilities can creep in when using third-party libraries.
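Review bot: The credit link on the last line of this hunk opens a third-party page with `:target => "_blank"` but no `rel` attribute, so the opened page receives a `window.opener` reference to this tutorial, and the URL is plain `http://`. Both are cheap to fix in a security-tutorial app: `<%= link_to "@raesene", "https://github.com/raesene", {:style => "color: rgb(181, 121, 158)", :target => "_blank", :rel => "noopener noreferrer"} %>`. The same line existed in the deleted `_insecure_components_second.html.erb`, so this is moved text rather than new, but it is the copy that survives.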
@@ -32,17 +30,33 @@
-

- Within the Gemfile the following gem versions are set. These versions of Rails and Rack are both vulnerable to multiple attacks. -

-
-        <%= %q{
-          gem 'rails', '3.2.11'
-          gem 'rack', '1.4.3'
-        } %>
-        

+ Within the file app/assets/javascripts/jquery.snippet.js:

+
+        <%= %{
+// snippet new window popup function
+function snippetPopup(content) \{
+   top.consoleRef=window.open('','myconsole',
+    'width=600,height=300'
+     +',left=50,top=50'
+     +',menubar=0'
+     +',toolbar=0'
+     +',location=0'
+     +',status=0'
+     +',scrollbars=1'
+     +',resizable=1');
+   top.consoleRef.document.writeln(
+    'Snippet :: Code View :: '+}%><span style="background-color:yellow">location.href</span><%= %{+''
+     +''
+     +'
'+content+'
' + +'' + ); + top.consoleRef.document.close(); +\}}%>
+

+ We can see that the location.href DOM property is used to dynamically generate a title for the text box pop-up. This value is string concatenated directly from the DOM without first performing some escaping routine or HTML encoding. +

@@ -56,9 +70,23 @@
-

- To fix this issue, simply update your gems after unpinning the gem versions. You should always run the most up to date version possible and run Bundler-Audit Regularly. -

+

Using Components with Known Vulnerabilities (DOM XSS) - ATTACK

+

+ In order to demonstrate that you can indeed perform DOM XSS through this coding error, we will use a simple alert box. This does not appear to work in Chrome, Safari, or Firefox as they first URL encoded the script portion of the url before rendering which complicates browser interpretation. IE on the other hand, true to form, is totally vulnerable. The following example assumes you are running Railsgoat on localhost, port 3000. If this is the case, open IE, paste the URL (below) into IE. +

+
+<%= "http://localhost:3000/tutorials/injection#" %>
+          
+

+ The portion after the pound (#) symbol will close off the title and head portions of the HTML and then allow for properly generated JavaScript to be rendered and executed. After browsing to this URL, navigate to the tutorial where code snippets are shown and click on the "pop-up" link that appears after hovering over the code snippet. This should be all that is required to demonstrate DOM-XSS. +

+

Using Components with Known Vulnerabilities (DOM XSS) - SOLUTION

+

+ Use the hoganEscape() function defined in application.js to solve this problem. For instance: +

+
+<%=%{'Snippet :: Code View :: '+}%><span style="background-color:yellow">hoganEscape(location.href)</span> <%=%{+'' }%>
+            
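Review bot: The sentence removed at the top of this hunk was the only place this A9 lesson told readers to keep components current and audit them, and the new SOLUTION replaces it with a local edit to the vendored `jquery.snippet.js`; that patches one sink, it is not a remediation strategy for "components with known vulnerabilities". Suggest keeping one sentence such as `Patching the vendored copy only fixes this one sink; track the library's version, upgrade to a release that contains the fix, and audit JavaScript assets the same way Bundler-Audit audits gems.` The proposed fix escapes `location.href` only, while the same `writeln()` call in the listing also concatenates `content` unescaped, so the text should say whether `content` is trusted or also needs `hoganEscape()`. The claim that Chrome, Safari and Firefox encode the fragment before rendering describes browser behaviour at the time of writing and should be dated as such.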
@@ -72,7 +100,7 @@
- Remeber to keep your gems up to date! + Review the JQuery Code Snippet for any content that might be mirrored or reflected back and that is under our control.
diff --git a/app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb b/app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb deleted file mode 100644 index 45d212e..0000000 --- a/app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb +++ /dev/null @@ -1,109 +0,0 @@ -
-
-
- A9 - Using Components with Known Vulnerabilities (DOM XSS / JQuery Snippet) -
-
-
-
-
- -
-
- JQuery Snippet contains at least one DOM-Based XSS vulnerability that can be confirmed in IE11. Unknowingly, the Railsgoat development team used this library. Credit for vulnerability discovery as well as submission to <%= link_to "@raesene", "http://github.com/raesene", {:style => "color: rgb(181, 121, 158)", :target => "_blank"}%>. This was unintentional but goes to show how easily vulnerabilities can creep in when using third-party libraries. -
-
-
-
- -
-
-

- Within the file app/assets/javascripts/jquery.snippet.js: -

-
-        <%= %{
-// snippet new window popup function
-function snippetPopup(content) \{
-   top.consoleRef=window.open('','myconsole',
-    'width=600,height=300'
-     +',left=50,top=50'
-     +',menubar=0'
-     +',toolbar=0'
-     +',location=0'
-     +',status=0'
-     +',scrollbars=1'
-     +',resizable=1');
-   top.consoleRef.document.writeln(
-    'Snippet :: Code View :: '+}%><span style="background-color:yellow">location.href</span><%= %{+''
-     +''
-     +'
'+content+'
' - +'' - ); - top.consoleRef.document.close(); -\}}%>
-

- We can see that the location.href DOM property is used to dynamically generate a title for the text box pop-up. This value is string concatenated directly from the DOM without first performing some escaping routine or HTML encoding. -

-
-
-
-
- -
-
-

Using Components with Known Vulnerabilities (DOM XSS) - ATTACK

-

- In order to demonstrate that you can indeed perform DOM XSS through this coding error, we will use a simple alert box. This does not appear to work in Chrome, Safari, or Firefox as they first URL encoded the script portion of the url before rendering which complicates browser interpretation. IE on the other hand, true to form, is totally vulnerable. The following example assumes you are running Railsgoat on localhost, port 3000. If this is the case, open IE, paste the URL (below) into IE. -

-
-<%= "http://localhost:3000/tutorials/injection#" %>
-          
-

- The portion after the pound (#) symbol will close off the title and head portions of the HTML and then allow for properly generated JavaScript to be rendered and executed. After browsing to this URL, navigate to the tutorial where code snippets are shown and click on the "pop-up" link that appears after hovering over the code snippet. This should be all that is required to demonstrate DOM-XSS. -

-

Using Components with Known Vulnerabilities (DOM XSS) - SOLUTION

-

- Use the hoganEscape() function defined in application.js to solve this problem. For instance: -

-
-<%=%{'Snippet :: Code View :: '+}%><span style="background-color:yellow">hoganEscape(location.href)</span> <%=%{+'' }%>
-            
-
-
-
-
- -
-
- Review the JQuery Code Snippet for any content that might be mirrored or reflected back and that is under our control. -
-
-
-
-
-
\ No newline at end of file diff --git a/app/views/tutorials/insecure_components.html.erb b/app/views/tutorials/insecure_components.html.erb index 8d11c80..e9fb34e 100644 --- a/app/views/tutorials/insecure_components.html.erb +++ b/app/views/tutorials/insecure_components.html.erb @@ -5,11 +5,6 @@ <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_first" %> -
-
- <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_second" %> -
-