team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upgraded cucumber gem

Browse Source
This commit is contained in:
Al Snow
2017-09-29 11:23:19 -04:00
parent 145fdcd03c
commit 68e475efd7
2 changed files with 2 additions and 395 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Gemfile.lock
+2 -2
View File
@@ -61,7 +61,7 @@ GEM
bundler-audit (0.6.0) bundler-audit (0.6.0)
bundler (~> 1.2) bundler (~> 1.2)
thor (~> 0.18) thor (~> 0.18)
capybara (2.15.1) capybara (2.15.2)
addressable addressable
mini_mime (>= 0.1.3) mini_mime (>= 0.1.3)
nokogiri (>= 1.3.3) nokogiri (>= 1.3.3)
@@ -83,7 +83,7 @@ GEM
contracts (0.16.0) contracts (0.16.0)
crack (0.3.1) crack (0.3.1)
crass (1.0.2) crass (1.0.2)
cucumber (3.0.0) cucumber (3.0.1)
builder (>= 2.1.2) builder (>= 2.1.2)
cucumber-core (~> 3.0.0) cucumber-core (~> 3.0.0)
cucumber-expressions (~> 4.0.3) cucumber-expressions (~> 4.0.3)
r
-393
View File
@@ -1,393 +0,0 @@
Randomized with seed 33309
FFFFFFFFFFFFFFFFFFFFF
Failures:
1) improper password hashing with just md5
Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/password_hashing_spec.rb:5:in `block (2 levels) in <top (required)>'
2) command injection attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/command_injection_spec.rb:6:in `block (2 levels) in <top (required)>'
3) csrf attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/csrf_spec.rb:6:in `block (2 levels) in <top (required)>'
4) url access attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/url_access_spec.rb:5:in `block (2 levels) in <top (required)>'
5) broken_auth one
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in <top (required)>'
6) broken_auth two
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in <top (required)>'
7) xss attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/xss_spec.rb:5:in `block (2 levels) in <top (required)>'
8) insecure direct object reference attack one
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in <top (required)>'
9) insecure direct object reference attack two
Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in <top (required)>'
10) sql injection attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/sql_injection_spec.rb:5:in `block (2 levels) in <top (required)>'
11) User can be instantiated
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/models/benefits_spec.rb:5:in `block (2 levels) in <top (required)>'
12) User name can be updated
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/models/benefits_spec.rb:5:in `block (2 levels) in <top (required)>'
13) mass assignment attack one
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in <top (required)>'
14) mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in <top (required)>'
15) password complexity one
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/password_complexity_spec.rb:5:in `block (2 levels) in <top (required)>'
16) User can be instantiated
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
17) User should require a email
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
18) User should require valid email
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
19) User should require unique email
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
20) User name can be updated
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
21) unvalidated redirect attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
Failure/Error: aes.iv = iv if iv != nil
ArgumentError:
iv must be 16 bytes
# ./lib/encryption.rb:8:in `iv='
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
# ./app/models/user.rb:82:in `generate_token'
# ./app/models/user.rb:23:in `block in <class:User>'
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
# ./db/seeds.rb:270:in `block in <top (required)>'
# ./db/seeds.rb:267:in `each'
# ./db/seeds.rb:267:in `<top (required)>'
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
# ./spec/vulnerabilities/unvalidated_redirects_spec.rb:5:in `block (2 levels) in <top (required)>'
Finished in 0.2747 seconds (files took 2.04 seconds to load)
21 examples, 21 failures
Failed examples:
rspec ./spec/vulnerabilities/password_hashing_spec.rb:9 # improper password hashing with just md5
Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage
rspec ./spec/vulnerabilities/command_injection_spec.rb:10 # command injection attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
rspec ./spec/vulnerabilities/csrf_spec.rb:10 # csrf attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF
rspec ./spec/vulnerabilities/url_access_spec.rb:9 # url access attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)
rspec ./spec/vulnerabilities/broken_auth_spec.rb:9 # broken_auth one
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
rspec ./spec/vulnerabilities/broken_auth_spec.rb:22 # broken_auth two
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
rspec ./spec/vulnerabilities/xss_spec.rb:9 # xss attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting
rspec ./spec/vulnerabilities/insecure_dor_spec.rb:9 # insecure direct object reference attack one
rspec ./spec/vulnerabilities/insecure_dor_spec.rb:23 # insecure direct object reference attack two
Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference
rspec ./spec/vulnerabilities/sql_injection_spec.rb:10 # sql injection attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation
rspec ./spec/models/benefits_spec.rb:13 # User can be instantiated
rspec ./spec/models/benefits_spec.rb:17 # User name can be updated
rspec ./spec/vulnerabilities/mass_assignment_spec.rb:9 # mass assignment attack one
rspec ./spec/vulnerabilities/mass_assignment_spec.rb:24 # mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role
rspec ./spec/vulnerabilities/password_complexity_spec.rb:9 # password complexity one
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity
rspec ./spec/models/user_spec.rb:13 # User can be instantiated
rspec ./spec/models/user_spec.rb:17 # User should require a email
rspec ./spec/models/user_spec.rb:21 # User should require valid email
rspec ./spec/models/user_spec.rb:25 # User should require unique email
rspec ./spec/models/user_spec.rb:30 # User name can be updated
rspec ./spec/vulnerabilities/unvalidated_redirects_spec.rb:9 # unvalidated redirect attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
Randomized with seed 33309