Convert file indentation to spaces

James Espinosa
2014-07-05 20:17:27 -05:00
parent 68e6a01743
commit 7e4fad462b
88 changed files with 2915 additions and 2999 deletions
@@ -31,20 +31,20 @@
<div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
<div class="accordion-inner">
<p><b>Cross-Site Request Forgery (CSRF) - The following code was taken from: /app/controllers/application_controller.rb and /app/views/layouts/application.html.erb</b></p>
<p>application_controller.rb<p>
<p>
<pre class="ruby">
# Our security guy keep talking about sea-surfing, cool story bro.
# protect_from_forgery
</pre>
<p>application_controller.rb<p>
<p>
<pre class="ruby">
# Our security guy keep talking about sea-surfing, cool story bro.
# protect_from_forgery
</pre>
</p>
<p> application.html.erb </p>
<p>
<pre class="ruby">
<%= @meta_code_bad %>
</pre>
</p>
</p>
<p> application.html.erb </p>
<p>
<pre class="ruby">
<%= @meta_code_bad %>
</pre>
</p>
</div>
</div>
</div>
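Review bot: the label paragraph `<p>application_controller.rb<p>` (on both copies of that line in this hunk) ends with a second opening `<p>` instead of `</p>`, so the paragraph is never closed and the following `<p>`/`<pre class="ruby">` block ends up nested inside it; `<pre>` is also a block element that is not allowed inside `<p>`, so browsers auto-close the paragraph early and the `</p>` lines after each `</pre>` become stray closers. Because this commit is meant to be indentation-only, keep it that way and fix the markup in a follow-up: change the label to `<p>application_controller.rb</p>` and drop the `<p>`/`</p>` wrappers around each `<pre>`. Before merging, it is worth running the diff with whitespace ignored to confirm this hunk contains nothing but indentation changes.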
@@ -59,57 +59,57 @@
<div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
<div class="accordion-inner">
<p><b> Cross-Site Request Forgery ATTACK:</b></p>
<p class="desc">
The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will <b>not</b> validate either its presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.
</p>
<p>
<pre class="ruby">
<%=
<p class="desc">
The application allows users to update their calendar and schedule PTO events (PTO section). Due to the fact CSRF protections are disabled, the AJAX request will send the authenticity token but the application will <b>not</b> validate either its presence or validity. Create an html page using the code shown below, authenticate as another user, click on it, review the new calendar (change the dates under date_range1). You should see this HTML code will work, even if you hadn't navigated to the PTO section prior to sending it.
</p>
<p>
<pre class="ruby">
<%=
%{
<html>
<body>
<form action="http://railsgoat.dev/schedule.json" method="POST">
<input type="hidden" name="schedule&#91;event&#95;name&#93;" value="Bad&#32;Guy" />
<input type="hidden" name="schedule&#91;event&#95;type&#93;" value="pto" />
<input type="hidden" name="schedule&#91;event&#95;desc&#93;" value="Fun&#32;Fun" />
<input type="hidden" name="date&#95;range1" value="06&#47;08&#47;2013&#32;&#45;&#32;06&#47;09&#47;2013" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
<html>
<body>
<form action="http://railsgoat.dev/schedule.json" method="POST">
<input type="hidden" name="schedule&#91;event&#95;name&#93;" value="Bad&#32;Guy" />
<input type="hidden" name="schedule&#91;event&#95;type&#93;" value="pto" />
<input type="hidden" name="schedule&#91;event&#95;desc&#93;" value="Fun&#32;Fun" />
<input type="hidden" name="date&#95;range1" value="06&#47;08&#47;2013&#32;&#45;&#32;06&#47;09&#47;2013" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
}
%>
</pre>
</p>
%>
</pre>
</p>
<p><b> Cross-Site Request Forgery SOLUTION:</b></p>
<p>
By default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. There are two separate solutions around the JS problem.
</p>
<p>
Once protect_from_forgery is added back...
<li>Add the following code within the header section of the application.html.erb file (or any other application layout file).</li>
</p>
<p>
<pre class="ruby">
<%= @meta_code_good %>
</pre>
</p>
<p>
That will allow you to parse the meta tag with JS. However, keep in mind that any form generated by Rails is populated with an authenticity token so, if you leverage something like JQuery to make an Ajax request, you can include all values within the form by using the technique shown next.
</p>
<p>
<li>Leverage the serialize() method, shown on line 3. This grabs all the values from the form, including the authenticity token.</li>
</p>
<p>
<pre class="ruby">
<%= @ajax_code_good %>
</pre>
</p>
<p><b> Cross-Site Request Forgery SOLUTION:</b></p>
<p>
By default, the protect_from_forgery directive is added under the application_controller.rb at project creation. However, occasionally developers turn it off (comment out) because of issues with JS. There are two separate solutions around the JS problem.
</p>
<p>
Once protect_from_forgery is added back...
<li>Add the following code within the header section of the application.html.erb file (or any other application layout file).</li>
</p>
<p>
<pre class="ruby">
<%= @meta_code_good %>
</pre>
</p>
<p>
That will allow you to parse the meta tag with JS. However, keep in mind that any form generated by Rails is populated with an authenticity token so, if you leverage something like JQuery to make an Ajax request, you can include all values within the form by using the technique shown next.
</p>
<p>
<li>Leverage the serialize() method, shown on line 3. This grabs all the values from the form, including the authenticity token.</li>
</p>
<p>
<pre class="ruby">
<%= @ajax_code_good %>
</pre>
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-group">
<div class="accordion-heading">
<a style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-aid icon-white">
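Review bot: the two solution steps, `<li>Add the following code within the header section of the application.html.erb file ...</li>` and `<li>Leverage the serialize() method, shown on line 3. ...</li>`, sit directly inside `<p>` elements with no enclosing `<ul>` or `<ol>`, which is invalid HTML and renders inconsistently across browsers; close the paragraph after "Once protect_from_forgery is added back..." and wrap the items in a `<ul>`, or make them plain paragraphs. The reference "shown on line 3" depends on the snippet injected via `<%= @ajax_code_good %>` being displayed with line numbers, which this markup does not provide, so the prose should name the call it means rather than a line number. Minor: the attack form is wrapped in `<pre class="ruby">` although its body is HTML inside a `%{ }` string, so the highlighter class is misleading. None of these fixes belong in an indentation-only commit; they should go in a separate change.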
@@ -123,6 +123,6 @@
</div>
</div>
</div>
</div>
</div>
</div>
</div>