diff --git a/Gemfile.lock b/Gemfile.lock index 4f7f1a6..929c115 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -61,7 +61,7 @@ GEM bundler-audit (0.6.0) bundler (~> 1.2) thor (~> 0.18) - capybara (2.15.1) + capybara (2.15.2) addressable mini_mime (>= 0.1.3) nokogiri (>= 1.3.3) @@ -83,7 +83,7 @@ GEM contracts (0.16.0) crack (0.3.1) crass (1.0.2) - cucumber (3.0.0) + cucumber (3.0.1) builder (>= 2.1.2) cucumber-core (~> 3.0.0) cucumber-expressions (~> 4.0.3) diff --git a/r b/r deleted file mode 100644 index 4165392..0000000 --- a/r +++ /dev/null @@ -1,393 +0,0 @@ - -Randomized with seed 33309 -FFFFFFFFFFFFFFFFFFFFF - -Failures: - - 1) improper password hashing with just md5 -Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/password_hashing_spec.rb:5:in `block (2 levels) in ' - - 2) command injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/command_injection_spec.rb:6:in `block (2 levels) in ' - - 3) csrf attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/csrf_spec.rb:6:in `block (2 levels) in ' - - 4) url access attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller) - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/url_access_spec.rb:5:in `block (2 levels) in ' - - 5) broken_auth one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in ' - - 6) broken_auth two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in ' - - 7) xss attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/xss_spec.rb:5:in `block (2 levels) in ' - - 8) insecure direct object reference attack one - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in ' - - 9) insecure direct object reference attack two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in ' - - 10) sql injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/sql_injection_spec.rb:5:in `block (2 levels) in ' - - 11) User can be instantiated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in ' - - 12) User name can be updated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in ' - - 13) mass assignment attack one - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in ' - - 14) mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in ' - - 15) password complexity one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/password_complexity_spec.rb:5:in `block (2 levels) in ' - - 16) User can be instantiated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 17) User should require a email - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 18) User should require valid email - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 19) User should require unique email - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 20) User name can be updated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 21) unvalidated redirect attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to) - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/unvalidated_redirects_spec.rb:5:in `block (2 levels) in ' - -Finished in 0.2747 seconds (files took 2.04 seconds to load) -21 examples, 21 failures - -Failed examples: - -rspec ./spec/vulnerabilities/password_hashing_spec.rb:9 # improper password hashing with just md5 -Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage -rspec ./spec/vulnerabilities/command_injection_spec.rb:10 # command injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection -rspec ./spec/vulnerabilities/csrf_spec.rb:10 # csrf attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF -rspec ./spec/vulnerabilities/url_access_spec.rb:9 # url access attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller) -rspec ./spec/vulnerabilities/broken_auth_spec.rb:9 # broken_auth one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration -rspec ./spec/vulnerabilities/broken_auth_spec.rb:22 # broken_auth two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration -rspec ./spec/vulnerabilities/xss_spec.rb:9 # xss attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting -rspec ./spec/vulnerabilities/insecure_dor_spec.rb:9 # insecure direct object reference attack one -rspec ./spec/vulnerabilities/insecure_dor_spec.rb:23 # insecure direct object reference attack two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference -rspec ./spec/vulnerabilities/sql_injection_spec.rb:10 # sql injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation -rspec ./spec/models/benefits_spec.rb:13 # User can be instantiated -rspec ./spec/models/benefits_spec.rb:17 # User name can be updated -rspec ./spec/vulnerabilities/mass_assignment_spec.rb:9 # mass assignment attack one -rspec ./spec/vulnerabilities/mass_assignment_spec.rb:24 # mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role -rspec ./spec/vulnerabilities/password_complexity_spec.rb:9 # password complexity one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity -rspec ./spec/models/user_spec.rb:13 # User can be instantiated -rspec ./spec/models/user_spec.rb:17 # User should require a email -rspec ./spec/models/user_spec.rb:21 # User should require valid email -rspec ./spec/models/user_spec.rb:25 # User should require unique email -rspec ./spec/models/user_spec.rb:30 # User name can be updated -rspec ./spec/vulnerabilities/unvalidated_redirects_spec.rb:9 # unvalidated redirect attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to) - -Randomized with seed 33309 -