From 7acc17aea3d8322233f20106f0cbc44780cf95ec Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 22 May 2014 10:56:29 -0600
Subject: [PATCH] everything checks out re: unit tests. Additionally, this
 closes issue #112 (seriously, are we up to 112 issues already?)

---
 .../_insecure_components_first.html.erb       |   2 +-
 .../_insecure_components_second.html.erb      | 109 ++++++++++++++++++
 .../tutorials/insecure_components.html.erb    |   5 +
 3 files changed, 115 insertions(+), 1 deletion(-)
 create mode 100644 app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb

diff --git a/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb b/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb
index b5192d5..208412e 100644
--- a/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb
+++ b/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb
@@ -1,7 +1,7 @@
 <div class="widget">
     <div class="widget-header">
       <div class="title">
-        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A9 - Using Components with Known Vulnerabilities
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A9 - Using Components with Known Vulnerabilities (Rack / Rails)
       </div>
     </div>
     <div class="widget-body">
diff --git a/app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb b/app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb
new file mode 100644
index 0000000..0c424c4
--- /dev/null
+++ b/app/views/layouts/tutorial/insecure_components/_insecure_components_second.html.erb
@@ -0,0 +1,109 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A9 - Using Components with Known Vulnerabilities (DOM XSS / JQuery Snippet)
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
+            <div class="accordion-inner">
+				JQuery Snippet contains at least one DOM-Based XSS vulnerability that can be confirmed in IE11. Unknowingly, the Railsgoat 	   development team used this library. Credit for vulnerability discovery as well as submission to <%= link_to "@raesene", "http://github.com/raesene", {:style => "color: rgb(181, 121, 158)", :target => "_blank"}%>. This was unintentional but goes to show how easily vulnerabilities can creep in when using third-party libraries.
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
+            <div class="accordion-inner">
+			  <p class="desc">
+               	Within the file app/assets/javascripts/jquery.snippet.js:
+			  </p>
+			  <pre>
+				<%= %{
+// snippet new window popup function
+function snippetPopup(content) \{
+	 top.consoleRef=window.open('','myconsole',
+	  'width=600,height=300'
+	   +',left=50,top=50'
+	   +',menubar=0'
+	   +',toolbar=0'
+	   +',location=0'
+	   +',status=0'
+	   +',scrollbars=1'
+	   +',resizable=1');
+	 top.consoleRef.document.writeln(
+	  '<html><head><title>Snippet :: Code View :: '+}%><span style="background-color:yellow">location.href</span><%= %{+'</title></head>'
+	   +'<body bgcolor=white onLoad="self.focus()">'
+	   +'<pre>'+content+'</pre>'
+	   +'</body></html>'
+	 );
+	 top.consoleRef.document.close();
+\}}%></pre>
+			<p class="desc">
+				We can see that the <i>location.href</i> DOM property is used to dynamically generate a title for the text box pop-up. This value is string concatenated directly from the DOM without first performing some escaping routine or HTML encoding.
+			</p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
+            <div class="accordion-inner">
+			  	 <p><b>Using Components with Known Vulnerabilities (DOM XSS) - ATTACK</b></p>
+	 			  <p class="desc">
+					In order to demonstrate that you can indeed perform DOM XSS through this coding error, we will use a simple alert box. This does not appear to work in Chrome, Safari, or Firefox as they first URL encoded the script portion of the url before rendering which complicates browser interpretation. IE on the other hand, true to form, is totally vulnerable. The following example assumes you are running Railsgoat on localhost, port 3000. If this is the case, open IE, paste the URL (below) into IE.
+		          </p>	
+				  <pre>
+<%= "http://localhost:3000/tutorials/injection#</title></head><script>alert(1)</script>" %>
+				  </pre>	
+				  <p class="desc">
+					The portion after the pound (#) symbol will close off the title and head portions of the HTML and then allow for properly generated JavaScript to be rendered and executed. After browsing to this URL, navigate to the tutorial where code snippets are shown and click on the "pop-up" link that appears after hovering over the code snippet. This should be all that is required to demonstrate DOM-XSS.
+				  </p>	
+				  <p><b>Using Components with Known Vulnerabilities (DOM XSS) - SOLUTION</b></p>
+				  <p class="desc">
+					Use the hoganEscape() function defined in application.js to solve this problem. For instance:
+		          </p>
+		 		  <pre class="javascript">
+<%=%{'<html><head><title>Snippet :: Code View :: '+}%><span style="background-color:yellow">hoganEscape(location.href)</span> <%=%{+'</title></head>' }%>
+			      </pre>
+            </div>
+          </div>
+        </div>
+      	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
+            <div class="accordion-inner">
+               Review the JQuery Code Snippet for any content that might be mirrored or reflected back and that is under our control.
+            </div>
+          </div>
+        </div>
+	</div>
+    </div>
+  </div>
\ No newline at end of file
diff --git a/app/views/tutorials/insecure_components.html.erb b/app/views/tutorials/insecure_components.html.erb
index 271f7a9..66d9863 100644
--- a/app/views/tutorials/insecure_components.html.erb
+++ b/app/views/tutorials/insecure_components.html.erb
@@ -5,6 +5,11 @@
 		      <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_first" %>
 		    </div> <!-- End Span12 -->
 		</div>
+		<div class="row-fluid">
+		    <div class="span12"> <!-- Begin Span12 -->
+		      <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_second" %>
+		    </div> <!-- End Span12 -->
+		</div>
 	</div>
 </div>