From 66445167bd0bcad6dc2d735fb90e5ee9aab41dc7 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 28 Jul 2013 19:59:03 -0400 Subject: [PATCH 001/149] shifting tutorials --- app/views/layouts/tutorial/_sidebar.html.erb | 51 ++++++++++---------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb index fde5442..68c3342 100755 --- a/app/views/layouts/tutorial/_sidebar.html.erb +++ b/app/views/layouts/tutorial/_sidebar.html.erb @@ -15,23 +15,24 @@ A1 Injection <% end %> + +
  • + <%= link_to broken_auth_tutorials_path do %> +
    + +
    + A2 Broken Auth + <% end %>
  • <%= link_to xss_tutorials_path do %>
    - A2 XSS - <% end %> -
  • -
  • - <%= link_to broken_auth_tutorials_path do %> -
    - -
    - A3 Broken Auth + A3 XSS <% end %>
  • +
  • <%= link_to insecure_dor_tutorials_path do %>
    @@ -40,36 +41,36 @@ A4 Insecure DOR <% end %>
  • -
  • - <%= link_to csrf_tutorials_path do %> -
    - -
    - A5 CSRF - <% end %> -
  • -
  • +
  • <%= link_to misconfig_tutorials_path do %>
    - A6 Misconfig + A5 Misconfig <% end %>
  • -
  • - <%= link_to crypto_tutorials_path do %> +
  • + <%= link_to "#" do %>
    - A7 Crypto + A6 Exposure <% end %>
  • -
  • +
  • <%= link_to url_access_tutorials_path do %>
    - A8 URL Access + A7 Access + <% end %> +
  • +
  • + <%= link_to csrf_tutorials_path do %> +
    + +
    + A8 CSRF <% end %>
  • @@ -77,7 +78,7 @@
    - A9 SSL/TLS + A9 Components <% end %>
  • From dafff5e60e0920fa5f55a184510fa7afe634456e Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 8 Aug 2013 15:30:26 -0400 Subject: [PATCH 002/149] added ability to start and stop from rake tasks --- lib/tasks/server.rake | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 lib/tasks/server.rake diff --git a/lib/tasks/server.rake b/lib/tasks/server.rake new file mode 100644 index 0000000..f40dec9 --- /dev/null +++ b/lib/tasks/server.rake @@ -0,0 +1,18 @@ +namespace :server do + + desc "Start Rails" + task :start do + sh("rails s -d") + end + + desc "Stop Rails" + task :stop do + pid_file = "tmp/pids/server.pid" + if File.exists?(pid_file) + Process.kill("INT", File.read(pid_file).to_i) + else + puts "[-] Server isn't running" + end + end +end + From 761e38905e77eccd90ae75f3e9b057d60e076fdb Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 8 Aug 2013 16:24:10 -0400 Subject: [PATCH 003/149] oops --- lib/tasks/server.rake | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/tasks/server.rake b/lib/tasks/server.rake index 17c9e35..a60c429 100644 --- a/lib/tasks/server.rake +++ b/lib/tasks/server.rake @@ -2,7 +2,6 @@ namespace :server do desc "Start Rails" task :start do - sh("rails s -d") pid_file = "tmp/pids/server.pid" if !(File.exists?(pid_file)) sh("rails s -d") From d909f55ab92154ba54f717910fafb3ff79f442d1 Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 8 Aug 2013 21:25:52 -0400 Subject: [PATCH 004/149] initial write-up for gauntlt --- app/controllers/tutorials_controller.rb | 4 +++ app/views/layouts/tutorial/_sidebar.html.erb | 3 ++ app/views/tutorials/gauntlt.html.erb | 37 ++++++++++++++++++++ app/views/tutorials/guard.html.erb | 1 - config/routes.rb | 1 + 5 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 app/views/tutorials/gauntlt.html.erb diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb index d27a0ca..f88edba 100755 --- a/app/controllers/tutorials_controller.rb 
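Review bot: In `server:stop`, `File.read(pid_file).to_i` returns 0 for an empty or garbled pid file, and `Process.kill("INT", 0)` then delivers the signal to every process in the caller's process group instead of the server. Validate the parsed pid before signalling: `pid = File.read(pid_file).to_i` / `abort "[-] Invalid pid in #{pid_file}" unless pid > 0` / `Process.kill("INT", pid)`. A stale file left behind by a crashed server also makes `Process.kill` raise `Errno::ESRCH` uncaught; rescue it, report that the server is not running and delete the stale file so the `File.exists?` guard added to `server:start` in the follow-up commit does not refuse to start.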
+++ b/app/controllers/tutorials_controller.rb @@ -127,6 +127,10 @@ class TutorialsController < ApplicationController def mass_assignment end + def guantlt + + end + def constantize end diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb index 68c3342..5eb1d72 100755 --- a/app/views/layouts/tutorial/_sidebar.html.erb +++ b/app/views/layouts/tutorial/_sidebar.html.erb @@ -97,6 +97,9 @@ Extras
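Review bot: The new action is spelled `def guantlt`, while the route (`get "gauntlt"`), the sidebar helper `gauntlt_tutorials_path` and the new view `gauntlt.html.erb` all use `gauntlt`. The page presumably still renders only because Rails falls back to the template when no action method of that name exists, so the typo would surface only once someone adds logic to the action; rename it to `def gauntlt`. The enclosing class continues outside the hunk.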
      +
    • + <%= link_to "gauntlt", gauntlt_tutorials_path %> +
    • <%= link_to "Guard", guard_tutorials_path %>
    • diff --git a/app/views/tutorials/gauntlt.html.erb b/app/views/tutorials/gauntlt.html.erb new file mode 100644 index 0000000..bf2a098 --- /dev/null +++ b/app/views/tutorials/gauntlt.html.erb @@ -0,0 +1,37 @@ +
      +
      +
      +
      +
      +
      +
      + Gauntlet +
      +
      +
      +

      + Gauntlt is a tool used for unit testing leveraging third-party tools. We've baked this into Railsgoat so that you can play with it.

      To learn more about this tool, please visit their site at: <%= link_to "Gauntlet Github Repository", "https://github.com/gauntlt/gauntlt", {:style =>"color: rgb(181, 121, 158);"} %>

      +

      + All *.attack files are contained under the gauntlt_scripts directory. We have provided a simple.attack file that demonstrates the tool works. If errors occur, please submit a bug through our github powered issue tracking system. +

      +

      + To run this tool type this via the command line:

      $ gauntlt +

      +
      +
      +
      +
      +
      +
      + + + + \ No newline at end of file diff --git a/app/views/tutorials/guard.html.erb b/app/views/tutorials/guard.html.erb index a657301..b74d67c 100755 --- a/app/views/tutorials/guard.html.erb +++ b/app/views/tutorials/guard.html.erb @@ -21,7 +21,6 @@ \ No newline at end of file From f9bbbe0a549fd0bd5ab54f2c8f4259353c55c615 Mon Sep 17 00:00:00 2001 From: cktricky Date: Mon, 14 Oct 2013 08:44:09 -0400 Subject: [PATCH 016/149] oops --- app/views/tutorials/guard.html.erb.orig | 33 ------------------------- 1 file changed, 33 deletions(-) delete mode 100755 app/views/tutorials/guard.html.erb.orig diff --git a/app/views/tutorials/guard.html.erb.orig b/app/views/tutorials/guard.html.erb.orig deleted file mode 100755 index f0ff6d1..0000000 --- a/app/views/tutorials/guard.html.erb.orig +++ /dev/null @@ -1,33 +0,0 @@ -
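Review bot: The page heading and the repository link label spell the tool `Gauntlet`, while the route, the sidebar entry, the file name and the `$ gauntlt` instruction spell it `gauntlt`; make the heading and link text `Gauntlt` so readers look for the right project. The repository `link_to` carries an inline `:style => "color: rgb(181, 121, 158);"` hash that belongs in the tutorial stylesheet with the other link colours. The text also points readers at `gauntlt_scripts` and a `simple.attack` file, neither of which appears in this commit's diffstat, so either add them here or say in the text where they come from.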
      -
      -
      -
      -
      -
      -
      - Using Guard with Brakeman and Bundle-Audit -
      -
      -
      - -
      -
      -
      -
      -
      - - - - \ No newline at end of file From 64f2ad9f9e4cf7435d2a8281ed2b612ab81d8ff5 Mon Sep 17 00:00:00 2001 From: cktricky Date: Mon, 14 Oct 2013 08:46:21 -0400 Subject: [PATCH 017/149] very minor sidebar change --- app/views/tutorials/gauntlt.html.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/views/tutorials/gauntlt.html.erb b/app/views/tutorials/gauntlt.html.erb index bf2a098..27f9e8d 100644 --- a/app/views/tutorials/gauntlt.html.erb +++ b/app/views/tutorials/gauntlt.html.erb @@ -29,6 +29,7 @@ \ No newline at end of file diff --git a/config/routes.rb b/config/routes.rb index a58b21e..6aaa2c7 100755 --- a/config/routes.rb +++ b/config/routes.rb 
@@ -1,84 +1,85 @@ Railsgoat::Application.routes.draw do -get "login" => "sessions#new" -get "signup" => "users#new" -get "logout" => "sessions#destroy" + get "login" => "sessions#new" + get "signup" => "users#new" + get "logout" => "sessions#destroy" -resources :sessions do + resources :sessions do -end - -resources :users do - get "account_settings" - - resources :retirement do - end - - resources :paid_time_off do - end - - resources :work_info do - end - - resources :performance do - - end - - resources :benefit_forms do - end - resources :messages do + resources :users do + get "account_settings" + + resources :retirement do + end + + resources :paid_time_off do + end + + resources :work_info do + end + + resources :performance do + + end + + resources :benefit_forms do + + end + + resources :messages do + end + end - -end -get "download" => "benefit_forms#download" -post "upload" => "benefit_forms#upload" + get "download" => "benefit_forms#download" + post "upload" => "benefit_forms#upload" -resources :tutorials do - collection do - get "credentials" - get "injection" - get "xss" - get "broken_auth" - get "insecure_dor" - get "csrf" - get "misconfig" - get "crypto" - get "url_access" - get "ssl_tls" - get "redirects" - get "guard" - get "info_disclosure" - get "mass_assignment" - get "constantize" - get "gauntlt" + resources :tutorials do + collection do + get "credentials" + get "injection" + get "xss" + get "broken_auth" + get "insecure_dor" + get "csrf" + get "misconfig" + get "crypto" + get "url_access" + get "insecure_components" + get "ssl_tls" + get "redirects" + get "guard" + get "info_disclosure" + get "mass_assignment" + get "constantize" + get "gauntlt" + end end -end -resources :schedule do - collection do - get "get_pto_schedule" + resources :schedule do + collection do + get "get_pto_schedule" + end + end - -end -resources :admin do - get "dashboard" - get "get_user" - post "delete_user" - put "update_user" - get "get_all_users" -end - -resources 
:dashboard do - collection do - get "home" + resources :admin do + get "dashboard" + get "get_user" + post "delete_user" + put "update_user" + get "get_all_users" + end + + resources :dashboard do + collection do + get "home" + end end -end -root :to => "sessions#new" + root :to => "sessions#new" -end +end \ No newline at end of file From 9cbdbf01e5cceb6df7c858d66bcd03b3ba984b16 Mon Sep 17 00:00:00 2001 From: cktricky Date: Wed, 13 Nov 2013 12:19:33 -0500 Subject: [PATCH 035/149] should fix conflicts --- config/routes.rb | 31 ++----------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/config/routes.rb b/config/routes.rb index d4142bc..39206f2 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -45,7 +45,7 @@ Railsgoat::Application.routes.draw do get "insecure_dor" get "csrf" get "misconfig" - get "crypto" + get "exposure" get "url_access" get "insecure_components" get "ssl_tls" @@ -57,39 +57,12 @@ Railsgoat::Application.routes.draw do get "gauntlt" end end -<<<<<<< HEAD - -end - -get "download" => "benefit_forms#download" -post "upload" => "benefit_forms#upload" - -resources :tutorials do - collection do - get "credentials" - get "injection" - get "xss" - get "broken_auth" - get "insecure_dor" - get "csrf" - get "misconfig" - get "exposure" - get "url_access" - get "ssl_tls" - get "redirects" - get "guard" - get "info_disclosure" - get "mass_assignment" - get "constantize" - get "gauntlt" -======= resources :schedule do collection do get "get_pto_schedule" end ->>>>>>> f0ca17df79bce4b15917780924ceef8407300fbb end resources :admin do @@ -109,4 +82,4 @@ resources :tutorials do root :to => "sessions#new" -end +end \ No newline at end of file From 665ccb21678ff54c37c51607291797ce0040bd75 Mon Sep 17 00:00:00 2001 
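Review bot: `get "crypto"` is renamed to `get "exposure"`, but a later patch in this series still shows `def crypto` in `TutorialsController` with no `exposure` action, and the sidebar already points the A6 entry at `"#"`; unless an `exposure` template exists, `/tutorials/exposure` raises and `crypto` becomes an action with no route. Add `def exposure; end` together with its view, or keep the old route until the tutorial is written. The hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it.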
From: cktricky Date: Wed, 13 Nov 2013 14:01:29 -0500 Subject: [PATCH 036/149] removed orig file and also began encryption related stuff for ssn(s) --- app/models/benefits.rb.orig | 33 --------------------------------- app/models/work_info.rb | 8 ++++++-- 2 files changed, 6 insertions(+), 35 deletions(-) delete mode 100644 app/models/benefits.rb.orig diff --git a/app/models/benefits.rb.orig b/app/models/benefits.rb.orig deleted file mode 100644 index 38ad1ff..0000000 --- a/app/models/benefits.rb.orig +++ /dev/null @@ -1,33 +0,0 @@ -class Benefits < ActiveRecord::Base - attr_accessor :backup - - def self.save(file, backup=false) - data_path = Rails.root.join("public", "data") - full_file_name = "#{data_path}/#{file.original_filename}" - f = File.open(full_file_name, "w+") - f.write file.read - f.close - make_backup(file, data_path, full_file_name) if backup == "true" - end - -<<<<<<< HEAD - def self.make_backup(*params) - if File.exists?(full_file_name) - system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") - end - end -======= - def self.make_backup(file, data_path, full_file_name) - if File.exists?(full_file_name) - system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}") - end - end ->>>>>>> bd066068ff2fd63a0edeede010167cfa63a03aff - -=begin - def self.make_backup(file, data_path, full_file_name) - FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}" - end -=end - -end diff --git a/app/models/work_info.rb b/app/models/work_info.rb index c3b70b6..364ea3f 100644 --- a/app/models/work_info.rb +++ b/app/models/work_info.rb @@ -8,10 +8,14 @@ class WorkInfo < ActiveRecord::Base "***-**-" << self.SSN[-4,4] end - def encrypt_ssn + def encrypt_ssn(data) end - def decrypt_ssn + def decrypt_ssn(encrypted_data) + end + + def cipher_mode + 'aes-256-cbc' end end From d9956caec1991fc36fbfb5b2df8d9a4f4cb57d87 Mon Sep 17 00:00:00 2001 
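Review bot: `cipher_mode` returns the full cipher spec `'aes-256-cbc'` rather than a mode, and the two stubs `encrypt_ssn(data)` / `decrypt_ssn(encrypted_data)` return nil, so any caller wired up before the implementation lands will silently store nil. Name the method for what it returns (`cipher_type`, which is what the follow-up commit uses) and `raise NotImplementedError` in the stubs until they do something. Since this is new code, prefer an authenticated mode such as `aes-256-gcm` over bare CBC, which lets a tampered ciphertext decrypt to garbage undetected; if CBC stays, the IV must be random and unique per record. The class header and `last_four` are only partly visible; the class continues outside the hunk.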
From: cktricky Date: Wed, 13 Nov 2013 14:18:25 -0500 Subject: [PATCH 037/149] removed orig file --- app/models/performance.rb.orig | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 app/models/performance.rb.orig diff --git a/app/models/performance.rb.orig b/app/models/performance.rb.orig deleted file mode 100644 index 772aaf0..0000000 --- a/app/models/performance.rb.orig +++ /dev/null @@ -1,14 +0,0 @@ -class Performance < ActiveRecord::Base - attr_accessible :comments, :date_submitted, :reviewer, :score - belongs_to :user - - def reviewer_name -<<<<<<< HEAD - u = User.find_by_id(self.reviewer) - u.full_name if u.respond_to?('full_name') -======= - u = User.find_by_id(self.reviewer) - u.full_name if u.respond_to?('fullname') ->>>>>>> 289716b24c7c4a1d72fcf1cf16fdc003e96e728c - end -end From 91e6797b40cc34fe982e48f075a667845d5b3c83 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 13 Nov 2013 18:23:04 -0500 Subject: [PATCH 038/149] adding broken functionality for A7 --- app/controllers/admin_controller.rb | 8 +++++++- app/controllers/application_controller.rb | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 5926b40..d7a29c7 100755 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,6 +1,6 @@ class AdminController < ApplicationController - # before_filter :administrative + before_filter :administrative, :if => :admin_param skip_before_filter :has_info def dashboard @@ -45,4 +45,10 @@ class AdminController < ApplicationController end end + + private + + def admin_param + params[:admin_id] != '1' + end end diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a0ef5cf..9d5628d 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
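Review bot: `before_filter :administrative, :if => :admin_param` makes the whole admin role check depend on a URL segment the client chooses, and `admin_param` (`params[:admin_id] != '1'`) skips it for every `/admin/1/...` request. The commit message says this is the deliberate A7 weakness, so mark it in the source, e.g. `# RailsGoat A7 (intentional): the role check is skipped when the client supplies admin_id=1`, so it is neither "fixed" by a well-meaning contributor nor copied into real code. `dashboard` and the rest of the controller are outside the hunk.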
@@ -23,7 +23,7 @@ class ApplicationController < ActionController::Base def administrative if not is_admin? - reset_session + #reset_session redirect_to root_url end end From af8776a3eaaea2167366f00c0a8d165d95fb34ec Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 13 Nov 2013 18:23:29 -0500 Subject: [PATCH 039/149] halfway done A7 --- app/controllers/tutorials_controller.rb | 3 + app/views/layouts/tutorial/_sidebar.html.erb | 8 +- .../_access_control_first.html.erb | 107 ++++++++++++++++++ app/views/tutorials/access_control.html.erb | 17 +++ config/routes.rb | 1 + 5 files changed, 132 insertions(+), 4 deletions(-) create mode 100644 app/views/layouts/tutorial/access_control/_access_control_first.html.erb create mode 100644 app/views/tutorials/access_control.html.erb diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb index fb4d61d..0b88a9e 100755 --- a/app/controllers/tutorials_controller.rb +++ b/app/controllers/tutorials_controller.rb @@ -64,6 +64,9 @@ class TutorialsController < ApplicationController def insecure_components end + + def access_control + end def crypto end diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb index 10e885f..acfdfd7 100755 --- a/app/views/layouts/tutorial/_sidebar.html.erb +++ b/app/views/layouts/tutorial/_sidebar.html.erb @@ -57,12 +57,12 @@ A6 Exposure <% end %> -
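Review bot: `#reset_session` is left as a commented-out line inside `administrative` with no explanation; a non-admin now keeps their session after being redirected, which is presumably the intended A7 set-up, but the line reads like forgotten debugging, so say why: `# reset_session intentionally disabled for the A7 tutorial`. The A7 tutorial partial added later in this series still quotes `administrative` with `reset_session` active as the "solution", so one of the two needs updating. `administrative` is shown in full; the class continues outside the hunk.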
    • - <%= link_to url_access_tutorials_path do %> +
    • + <%= link_to access_control_tutorials_path do %>
      - A7 Access + A7 Access Control <% end %>
    • @@ -73,7 +73,7 @@ A8 CSRF <% end %>
    • -
    • +
    • <%= link_to insecure_components_tutorials_path do %>
      diff --git a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb new file mode 100644 index 0000000..cce74f4 --- /dev/null +++ b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb @@ -0,0 +1,107 @@ +
      +
      +
      + A7 - Missing Function Level Access Control +
      +
      +
      +
      +
      + +
      +
      + Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway. +
      +
      +
      +
      + +
      +
      +

      + Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. Currently, the methods to apply a before_filter already exist in the application controller but were forgotten when creating the administrative functionality. Notice an asbsence of the before_filter within app/controllers/admin_controller.rb +

      +
      +        <%= %q{
      +        class AdminController < ApplicationController
      +        
      +          skip_before_filter :has_info
      +        } %>
      +        
      + +
      +
      +
      +
      + +
      +
      +

      Failure to Restrict URL Access - ATTACK

      +

      + Request the following URL /admin/1/dashboard and have fun :-) +

      +

      Failure to Restrict URL Access - SOLUTION

      +

      + The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb: +

      +
      +        helper_method :current_user, :is_admin?
      +        
      +        def is_admin?
      +            current_user.admin if current_user 
      +          end
      +      
      +          def administrative
      +            if not is_admin?
      +             reset_session
      +             redirect_to root_url
      +           end
      +          end
      +        
      +

      + Then add the following line within app/controllers/admin_controller.rb +

      +
      +        class AdminController < ApplicationController
      +
      +          before_filter :administrative
      +          skip_before_filter :has_info
      +        
      +
      +
      +
      +
      + +
      +
      + I bet there is some admin functionality in here :-) +
      +
      +
      +
      +
      +
      \ No newline at end of file diff --git a/app/views/tutorials/access_control.html.erb b/app/views/tutorials/access_control.html.erb new file mode 100644 index 0000000..6796302 --- /dev/null +++ b/app/views/tutorials/access_control.html.erb @@ -0,0 +1,17 @@ +
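Review bot: The SOLUTION section quotes `administrative` with `reset_session` active and the prose tells the reader to "Notice an asbsence of the before_filter within app/controllers/admin_controller.rb", but the controller change in this same series comments `reset_session` out and adds `before_filter :administrative, :if => :admin_param`, so the write-up no longer matches the code the reader will open. Rewrite the quoted snippets and the prose around the bypassable `:if => :admin_param` condition, which is what the attack URL `/admin/1/dashboard` actually relies on. While there, fix the typo `asbsence` → `absence` and the inconsistent indentation inside the quoted `is_admin?` / `administrative` block.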
      +
      +
      +
      + <%= render :partial => "layouts/tutorial/access_control/access_control_first" %> +
      +
      +
      +
      + + \ No newline at end of file diff --git a/config/routes.rb b/config/routes.rb index 39206f2..800d3d7 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -48,6 +48,7 @@ Railsgoat::Application.routes.draw do get "exposure" get "url_access" get "insecure_components" + get "access_control" get "ssl_tls" get "redirects" get "guard" From efcb7b8c4bee1d55f953bc2b60d1f8ab0b23756e Mon Sep 17 00:00:00 2001 From: cktricky Date: Wed, 13 Nov 2013 18:24:26 -0500 Subject: [PATCH 040/149] working on encryption --- app/models/key_management.rb | 5 +++ app/models/work_info.rb | 32 ++++++++++++++++--- config/initializers/key.rb | 5 +++ .../20131113200708_create_key_managements.rb | 10 ++++++ db/schema.rb | 9 +++++- db/seeds.rb | 31 +++++++++++++++--- spec/models/key_management_spec.rb | 5 +++ 7 files changed, 88 insertions(+), 9 deletions(-) create mode 100644 app/models/key_management.rb create mode 100644 config/initializers/key.rb create mode 100644 db/migrate/20131113200708_create_key_managements.rb create mode 100644 spec/models/key_management_spec.rb diff --git a/app/models/key_management.rb b/app/models/key_management.rb new file mode 100644 index 0000000..80bf527 --- /dev/null +++ b/app/models/key_management.rb @@ -0,0 +1,5 @@ +class KeyManagement < ActiveRecord::Base + attr_accessible :iv, :user_id + belongs_to :work_info + +end diff --git a/app/models/work_info.rb b/app/models/work_info.rb index 364ea3f..f1fb5fd 100644 --- a/app/models/work_info.rb +++ b/app/models/work_info.rb 
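Review bot: `KeyManagement` declares `belongs_to :work_info`, which makes Rails look for a `work_info_id` column, but the migration in this patch creates only `iv` and `user_id`, and `WorkInfo` joins via `:foreign_key => :user_id, :primary_key => :user_id`; the association will fail on first use. Declare it with the same keys — `belongs_to :work_info, :foreign_key => :user_id, :primary_key => :user_id` — or drop it if nothing calls it. Listing `user_id` in `attr_accessible` also lets an IV row be re-pointed at another user through mass assignment if these attributes are ever set from params; the seeds set it explicitly, so it can stay out of the whitelist.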
@@ -1,20 +1,44 @@ class WorkInfo < ActiveRecord::Base attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked belongs_to :user - #before_save :encrypt_ssn + has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy + before_save :encrypt_ssn + # We should probably use this def last_four "***-**-" << self.SSN[-4,4] end - def encrypt_ssn(data) + def encrypt_ssn + aes = OpenSSL::Cipher::Cipher.new(cipher_type) + aes.encrypt + aes.key = key + aes.iv = iv if iv != nil + self.encrypted_ssn = aes.update(self.SSN) + aes.final + self.SSN = nil end - def decrypt_ssn(encrypted_data) + def decrypt_ssn + aes = OpenSSL::Cipher::Cipher.new(cipher_type) + aes.decrypt + aes.key = key + aes.iv = iv if iv != nil + aes.update(self.encrypted_ssn) + aes.final end - def cipher_mode + def key + raise "Key Missing" if !(KEY) + KEY + end + + def iv + "asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdf" + #self.key_management.iv + #raise "No IV for this User" if !(key_management.iv) + end + + def cipher_type 'aes-256-cbc' end diff --git a/config/initializers/key.rb b/config/initializers/key.rb new file mode 100644 index 0000000..5f43875 --- /dev/null +++ b/config/initializers/key.rb @@ -0,0 +1,5 @@ +if Rails.env.production? + # Specify env variable/location/etc. to retrieve key from +elsif Rails.env.development? + KEY = "123456789101112123456789101112123456789101112" +end \ No newline at end of file diff --git a/db/migrate/20131113200708_create_key_managements.rb b/db/migrate/20131113200708_create_key_managements.rb new file mode 100644 index 0000000..96ce247 --- /dev/null +++ b/db/migrate/20131113200708_create_key_managements.rb @@ -0,0 +1,10 @@ +class CreateKeyManagements < ActiveRecord::Migration + def change + create_table :key_managements do |t| + t.string :iv + t.integer :user_id + + t.timestamps + end + end +end diff --git a/db/schema.rb b/db/schema.rb index e98c34e..b7ded3a 100755 --- a/db/schema.rb 
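Review bot: `iv` returns a fixed string literal shared by every row, and `aes.iv = iv if iv != nil` quietly lets the cipher run with no IV when it is nil; under CBC identical SSNs then produce identical ciphertext, and the literal is 88 bytes where `aes-256-cbc` needs exactly `aes.iv_len` (16). `before_save :encrypt_ssn` also fires on every save, so on the second save `self.SSN` is already nil and `aes.update(nil)` raises `TypeError`; the callback needs a guard. I do not see a migration in this patch adding an `encrypted_ssn` column to `work_infos`, so `self.encrypted_ssn =` may raise until one lands, and `OpenSSL::Cipher::Cipher` is the legacy alias for `OpenSSL::Cipher`. The rewrite below guards the callback, takes the per-user IV from `key_management`, and refuses to encrypt without one.
```ruby
  # before_save callback: it runs on every save, so skip rows whose
  # plaintext has already been moved into encrypted_ssn.
  def encrypt_ssn
    return if self.SSN.blank?
    aes = OpenSSL::Cipher.new(cipher_type)
    aes.encrypt
    aes.key = key
    aes.iv = iv # never fall back silently to an all-zero IV
    self.encrypted_ssn = aes.update(self.SSN) + aes.final
    self.SSN = nil
  end

  # … unchanged: decrypt_ssn, key, cipher_type …

  # Per-record IV stored in key_managements; must be exactly aes.iv_len
  # bytes (16 for AES-CBC) and generated with SecureRandom, never a literal.
  def iv
    stored = key_management && key_management.iv
    raise "No IV for this User" if stored.blank?
    stored
  end
```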
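Review bot: In `config/initializers/key.rb` the production branch is a bare comment, so `KEY` is never defined there (nor in `test`), and `raise "Key Missing" if !(KEY)` in `WorkInfo#key` surfaces as an uninitialized-constant `NameError` rather than the intended message. Define the constant in every environment from outside the repository, for example `KEY = ENV.fetch("SSN_ENCRYPTION_KEY")`, keeping the development literal only as a clearly labelled test key. That literal is 45 ASCII characters, but `aes-256-cbc` takes a 32-byte key; the OpenSSL binding truncates or rejects other lengths depending on version, so size it explicitly (32 random bytes, Base64 in the environment and decoded on load).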
+++ b/db/schema.rb @@ -11,13 +11,20 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 20131112235256) do +ActiveRecord::Schema.define(:version => 20131113200708) do create_table "benefits", :force => true do |t| t.datetime "created_at", :null => false t.datetime "updated_at", :null => false end + create_table "key_managements", :force => true do |t| + t.string "iv" + t.integer "user_id" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + end + create_table "messages", :force => true do |t| t.integer "creator_id" t.integer "receiver_id" diff --git a/db/seeds.rb b/db/seeds.rb index 3533d20..8583174 100755 --- a/db/seeds.rb +++ b/db/seeds.rb @@ -184,6 +184,21 @@ paid_time_off = [ } ] + key_mgmt = [ + { + :user_id => 2, + }, + { + :user_id => 3, + }, + { + :user_id => 4, + }, + { + :user_id => 5, + } + ] + performance = [ { :user_id => 2, @@ -289,12 +304,12 @@ schedule.each do |event| sched.save end -work_info.each do |wi| - info = WorkInfo.new(wi.reject {|k| k == :user_id}) - info.user_id = wi[:user_id] - info.save +key_mgmt.each do |key| + KeyManagement.create(:user_id => key[:user_id], :iv => Digest::SHA2.new.to_s) end + + performance.each do |perf| p = Performance.new(perf.reject {|k| k == :user_id}) p.user_id = perf[:user_id] @@ -306,3 +321,11 @@ messages.each do |message| m.creator_id = message[:creator_id] m.save end + + +work_info.each do |wi| + info = WorkInfo.new(wi.reject {|k| k == :user_id}) + info.user_id = wi[:user_id] + info.save +end + diff --git a/spec/models/key_management_spec.rb b/spec/models/key_management_spec.rb new file mode 100644 index 0000000..dd0b900 --- /dev/null +++ b/spec/models/key_management_spec.rb @@ -0,0 +1,5 @@ +require 'spec_helper' + +describe KeyManagement do + pending "add some examples to (or delete) #{__FILE__}" +end From 4be667b6068c2b82231b6d939e020105dd8f552a Mon Sep 17 00:00:00 2001 
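Review bot: In the seeds, `KeyManagement.create(:user_id => key[:user_id], :iv => Digest::SHA2.new.to_s)` gives every user the same IV — the SHA-256 of empty input, rendered as 64 hex characters — which defeats the per-user IV the model is built around and is the wrong length for AES-CBC. Generate each one inside the loop with `SecureRandom.random_bytes(16)` (Base64-encoded if the column has to stay a plain string) so the stored value matches `aes.iv_len`. Moving the `work_info` loop after the key rows is needed because `before_save :encrypt_ssn` reads the IV, so keep that ordering; the schema and pending-spec hunks are generated.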
From: cktricky Date: Wed, 13 Nov 2013 19:02:37 -0500 Subject: [PATCH 041/149] working --- app/controllers/admin_controller.rb | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index d7a29c7..d43dd81 100755 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,6 +1,6 @@ class AdminController < ApplicationController - before_filter :administrative, :if => :admin_param + #before_filter :administrative skip_before_filter :has_info def dashboard @@ -45,10 +45,4 @@ class AdminController < ApplicationController end end - - private - - def admin_param - params[:admin_id] != '1' - end end From aeabbcf8c6d31005cd99a1074cf3d51e21cba31d Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 13 Nov 2013 19:14:07 -0500 Subject: [PATCH 042/149] A7 - switching the var used in the view so that non-admins can view the admin panel --- app/views/admin/dashboard.html.erb | 2 +- app/views/layouts/admin/_get_user.html.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/admin/dashboard.html.erb b/app/views/admin/dashboard.html.erb index 3e1466c..da2c845 100755 --- a/app/views/admin/dashboard.html.erb +++ b/app/views/admin/dashboard.html.erb @@ -59,7 +59,7 @@ function makeActive(){ }; function loadTable(){ - $("#userDataTable").load("/admin/"+ <%=current_user.user_id %> + "/get_all_users") + $("#userDataTable").load("/admin/"+ <%= params[:admin_id] %> + "/get_all_users") }; $(document).ready( diff --git a/app/views/layouts/admin/_get_user.html.erb b/app/views/layouts/admin/_get_user.html.erb index eda97d7..9557b7d 100755 --- a/app/views/layouts/admin/_get_user.html.erb +++ b/app/views/layouts/admin/_get_user.html.erb 
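Review bot: In `loadTable`, `"/admin/"+ <%= params[:admin_id] %> + "/get_all_users"` splices a request parameter into JavaScript source outside any string literal; ERB's HTML escaping leaves `(`, `)` and identifiers untouched, so a URL such as `/admin/alert(1)/dashboard` runs attacker-chosen script in the victim's page — reflected XSS in a script context, which is not the A7 behaviour this commit is after. Because the segment is an id, coerce it before output: `$("#userDataTable").load("/admin/" + <%= params[:admin_id].to_i %> + "/get_all_users")`. The same pattern is introduced for `delete_user.json` in `_get_user.html.erb` in this commit and needs the same fix; `makeActive` and the `$(document).ready` call continue outside the hunk.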
@@ -83,7 +83,7 @@ $('#delete_button').click(function() { $("#editAcct").modal('hide'); $.ajax({ - url: "/admin/" + <%= @user.user_id %> + "/delete_user.json", + url: "/admin/" + <%= params[:admin_id] %> + "/delete_user.json", type: "POST", success: function(response) { $('#success').show(500).delay(1500).fadeOut(); From 2629565f216608e74bcc23d6ccd3a591534fda37 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 13 Nov 2013 19:34:04 -0500 Subject: [PATCH 043/149] fixing a small typo :) --- db/seeds.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/db/seeds.rb b/db/seeds.rb index 8583174..c8e5bfb 100755 --- a/db/seeds.rb +++ b/db/seeds.rb @@ -33,8 +33,8 @@ users = [ { :email => "mike@metacorp.com", :admin => false, - :password => "motorcross1445", - :password_confirmation => "motorcross1445", + :password => "motocross1445", + :password_confirmation => "motocross1445", :first_name => "Mike", :last_name => "McCabe", :user_id =>4 From 235b6418d0e07f666a2531e04c0b1d887dd6b655 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 13 Nov 2013 19:35:12 -0500 Subject: [PATCH 044/149] A7 adding before filter to see if admin or admin_id is 1 --- app/controllers/admin_controller.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index d43dd81..1a671f7 100755 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,6 +1,6 @@ class AdminController < ApplicationController - #before_filter :administrative + before_filter :administrative, :if => :admin_param skip_before_filter :has_info def dashboard @@ -44,5 +44,11 @@ class AdminController < ApplicationController format.json { render :json => { :msg => message ? "success" : "failure"} } end end + + private + + def admin_param + params[:id] == '1' + end end From b605a42812eba6ce87b94b9bb82d4b76dd0330f6 Mon Sep 17 00:00:00 2001 
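Review bot: `admin_param` tests `params[:id]`, but the views changed in the previous commit build their URLs from `params[:admin_id]`, and the tutorial text later on this page refers to the `admin_id` param, so depending on how the admin routes are declared `params[:id]` may not be the segment this is meant to inspect. Because the predicate is attached with `:if`, the role check runs only when the condition is true — the reverse of a filter that is "skipped" for a particular value, which is how the commit message describes it. If a deliberately bypassable filter is the point of the exercise, make that explicit where it lives, e.g. `# intentionally bypassable (A7 training exercise)` above `def admin_param`, so the next reader does not mistake it for an accident.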
From: cktricky Date: Wed, 13 Nov 2013 19:51:42 -0500 Subject: [PATCH 045/149] got the code kicked off so we can encrypt SSN(s) in the database --- app/models/user.rb | 2 ++ app/models/work_info.rb | 9 ++++---- app/views/work_info/index.html.erb | 3 +++ db/seeds.rb | 35 ++++++++++-------------------- 4 files changed, 21 insertions(+), 28 deletions(-) diff --git a/app/models/user.rb b/app/models/user.rb index d84909c..b0204b9 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -24,6 +24,8 @@ class User < ActiveRecord::Base build_retirement(POPULATE_RETIREMENTS.shuffle.first) build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first) build_work_info(POPULATE_WORK_INFO.shuffle.first) + # Uncomment below line to use encrypted SSN(s) + #work_info.build_key_management(:iv => SecureRandom.hex(32)) performance.build(POPULATE_PERFORMANCE.shuffle.first) end diff --git a/app/models/work_info.rb b/app/models/work_info.rb index f1fb5fd..c8e30d8 100644 --- a/app/models/work_info.rb +++ b/app/models/work_info.rb @@ -2,12 +2,12 @@ class WorkInfo < ActiveRecord::Base attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked belongs_to :user has_one :key_management, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy - before_save :encrypt_ssn + #before_save :encrypt_ssn # We should probably use this def last_four - "***-**-" << self.SSN[-4,4] + "***-**-" << self.decrypt_ssn[-4,4] end def encrypt_ssn @@ -33,9 +33,8 @@ class WorkInfo < ActiveRecord::Base end def iv - "asdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdfasdf" - #self.key_management.iv - #raise "No IV for this User" if !(key_management.iv) + raise "No IV for this User" if !(self.key_management.iv) + self.key_management.iv end def cipher_type diff --git a/app/views/work_info/index.html.erb b/app/views/work_info/index.html.erb index 1b429b5..96fb928 100644 --- a/app/views/work_info/index.html.erb 
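Review bot: The commented-out `work_info.build_key_management(:iv => SecureRandom.hex(32))` would store a 64-character hex string as the IV, whereas `aes-256-cbc` (the `cipher_type` used by WorkInfo) takes a 16-byte IV; older OpenSSL bindings truncate a longer value silently and newer ones raise ArgumentError on `iv=`. The same construction recurs in the `=begin` block this commit adds to db/seeds.rb and in the tutorial partial two commits later. If the column must hold text, generate 16 random bytes and encode them, decoding again in `WorkInfo#iv`, e.g. `:iv => Base64.strict_encode64(SecureRandom.random_bytes(16))`. The enclosing method (`build_benefits_data`, per the tutorial excerpt later on the page) starts before the hunk.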
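Review bot: `last_four` now returns the tail of `decrypt_ssn`, yet the same hunk comments out `before_save :encrypt_ssn`, so nothing populates `encrypted_ssn` any more and — judging by the copy of `decrypt_ssn` in the tutorial partial later on this page, which passes `self.encrypted_ssn` to `aes.update` — `last_four` will raise for every record saved in this state. Either keep the hook enabled or let `last_four` fall back to the clear-text column, `"***-**-" << (encrypted_ssn ? decrypt_ssn : self.SSN)[-4,4]`. The body of `encrypt_ssn` lies outside the hunk.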
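Review bot: `raise "No IV for this User" if !(self.key_management.iv)` dereferences `key_management` before checking it, so a WorkInfo with no KeyManagement row fails with NoMethodError on nil instead of the intended message. Guard the association first: `raise "No IV for this User" unless key_management && key_management.iv`. The `cipher_type` method that follows opens inside the hunk but its body is cut off.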
+++ b/app/views/work_info/index.html.erb @@ -28,6 +28,9 @@ <%= @user.work_info.bonuses %> <%= @user.work_info.years_worked %> <%= @user.work_info.SSN %> + + + <%= @user.work_info.DoB %> diff --git a/db/seeds.rb b/db/seeds.rb index 8583174..7a46893 100755 --- a/db/seeds.rb +++ b/db/seeds.rb @@ -184,21 +184,6 @@ paid_time_off = [ } ] - key_mgmt = [ - { - :user_id => 2, - }, - { - :user_id => 3, - }, - { - :user_id => 4, - }, - { - :user_id => 5, - } - ] - performance = [ { :user_id => 2, @@ -304,12 +289,6 @@ schedule.each do |event| sched.save end -key_mgmt.each do |key| - KeyManagement.create(:user_id => key[:user_id], :iv => Digest::SHA2.new.to_s) -end - - - performance.each do |perf| p = Performance.new(perf.reject {|k| k == :user_id}) p.user_id = perf[:user_id] @@ -322,10 +301,20 @@ messages.each do |message| m.save end - work_info.each do |wi| - info = WorkInfo.new(wi.reject {|k| k == :user_id}) + info = WorkInfo.new(wi.reject {|k| k == :user_id } ) info.user_id = wi[:user_id] info.save end + +=begin +work_info.each do |wi| + list = [:user_id, :SSN] + info = WorkInfo.new(wi.reject {|k| list.include?(k)}) + info.user_id = wi[:user_id] + info.build_key_management({:user_id => wi[:user_id], :iv => SecureRandom.hex(32) }) + info.SSN = wi[:SSN] + info.save +end +=end From e826adadbc0b5fa63d4179602ccd98be952b5d42 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Wed, 13 Nov 2013 19:55:49 -0500 Subject: [PATCH 046/149] removing empty spec --- spec/models/key_management_spec.rb | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/spec/models/key_management_spec.rb b/spec/models/key_management_spec.rb index dd0b900..335cafc 100644 --- a/spec/models/key_management_spec.rb +++ b/spec/models/key_management_spec.rb @@ -1,5 +1 @@ -require 'spec_helper' - -describe KeyManagement do - pending "add some examples to (or delete) #{__FILE__}" -end +require 'spec_helper' \ No newline at end of file 
From e764efe1d4b083c7c11278936ea74d58d5d707af Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 14 Nov 2013 09:39:57 -0500 Subject: [PATCH 047/149] working on A6 tutorial write-up now that the code is working --- .../layouts/tutorial/exposure/_ssn.html.erb | 69 ++++++++++++++----- 1 file changed, 51 insertions(+), 18 deletions(-) diff --git a/app/views/layouts/tutorial/exposure/_ssn.html.erb b/app/views/layouts/tutorial/exposure/_ssn.html.erb index 0890a3e..4e64a01 100644 --- a/app/views/layouts/tutorial/exposure/_ssn.html.erb +++ b/app/views/layouts/tutorial/exposure/_ssn.html.erb @@ -36,20 +36,13 @@ The Railsgoat application stores user's Social Security Numbers in plain-text within the database and because of this, it fails to adequately protect these numbers from theft. Additionally, the user's full SSN is sent back to the user within an HTTP response from the application.

      - The WorkInfo model (app/models/work_info.rb) is missing code to encrypt this data prior to storage. Additionally, while code exists to render only the last 4 numbers of an SSN, at no time is it used. + The WorkInfo model (app/models/work_info.rb) is missing code to encrypt this data prior to storage. Additionally, while code exists to render only the last 4 numbers of an SSN (shown below), at no time is it used.

      -				class WorkInfo < ActiveRecord::Base
      -				  attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
      -				  belongs_to :user
      -
       				  # We should probably use this
       				  def last_four
      -				    "***-**-" << self.SSN[-4,4]
      +				    "***-**-" << self.decrypt_ssn[-4,4]
       				  end
      -
      -				end
      -	
       			  
      @@ -72,15 +65,55 @@
    • Only authorized users can access decrypted copies of the data
    • Use a strong algorithm
    • Strong key is generated, protected from unauthorized access, and key change is planned for.

    • - One additional item to note with rails specifically, the framework makes it easy to determine the type of environment running, example: -
      -					Rails.env.production?
      -				
      - ...or -
      -					Rails.env.development?
      -				
      - This allows developers to easily create different keys for development and production and should be considered an asset to utilize. While development keys are usually stored within the source code of most rails applications, and developers with access to the repo can download those keys, the same should NOT hold true for production keys. +

      + +

      + In the following code, we demonstrate switching from the storage of full SSN(s) in clear-text to storing them in the AES-256 encrypted format. The first thing to do is build the encrypt and decrypt functions. These can be found within app/models/work_info.rb. +

      +
      +				  def encrypt_ssn
      +				     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
      +				     aes.encrypt
      +				     aes.key = key
      +				     aes.iv = iv if iv != nil
      +				     self.encrypted_ssn = aes.update(self.SSN) + aes.final
      +				     self.SSN = nil
      +				  end
      +
      +				  def decrypt_ssn
      +				     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
      +				     aes.decrypt
      +				     aes.key = key
      +				     aes.iv = iv if iv != nil
      +				     aes.update(self.encrypted_ssn) + aes.final
      +				  end
      +				
      +				  def key
      +				    raise "Key Missing" if !(KEY)
      +				    KEY
      +				  end
      +
      +				  def iv
      +				    raise "No IV for this User" if !(self.key_management.iv)
      +				    self.key_management.iv
      +				  end
      +
      +				  def cipher_type
      +				    'aes-256-cbc'
      +				  end
      +			  
      +

      + Also within the WorkInfo model, we add the following line of code... +

      +
      +			  	 before_save :encrypt_ssn
      +			  
      +

      + The remaining pieces are: +

    • We "seed" the database with per-user initialization vectors (IV) and store them within the key_management table
    • +
    • Separate production and development encryption keys. Production keys should be stored in an HSM, environment variable, etc. but never within the source code. Development keys are irrelevant if not being used for real data
    • +
    • Change the view where SSNs are called and rendered to the user so that the "last_four" method is called instead
    • +
    • For new user's who are registering, we create an initialization specific to their account
    • From 890717b7ea0285a1cab4577782344ec4435b3e79 Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 14 Nov 2013 10:10:58 -0500 Subject: [PATCH 048/149] write-up complete for exposure --- .../layouts/tutorial/exposure/_ssn.html.erb | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/app/views/layouts/tutorial/exposure/_ssn.html.erb b/app/views/layouts/tutorial/exposure/_ssn.html.erb index 4e64a01..0d1c827 100644 --- a/app/views/layouts/tutorial/exposure/_ssn.html.erb +++ b/app/views/layouts/tutorial/exposure/_ssn.html.erb @@ -115,6 +115,39 @@
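Review bot: The recommended `encrypt_ssn`/`decrypt_ssn` code has a few problems a reader would copy verbatim: `OpenSSL::Cipher::Cipher` is a deprecated alias of `OpenSSL::Cipher`; `aes.iv = iv if iv != nil` quietly proceeds with whatever IV the cipher context defaults to when none is present instead of refusing; and `aes-256-cbc` provides confidentiality only, so a modified `encrypted_ssn` is not detected (a padding error or garbage on decrypt is the only symptom). Consider an AEAD mode such as `aes-256-gcm` with `auth_tag`, and make the IV mandatory, `raise "No IV for this User" unless iv` followed by `aes.iv = iv`. The partial's enclosing markup starts before the hunk.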
    • Change the view where SSNs are called and rendered to the user so that the "last_four" method is called instead
    • For new user's who are registering, we create an initialization specific to their account
    • +
      +				 # SEED DATA
      +				 work_info.each do |wi|
      +				  list = [:user_id, :SSN]
      +				  info = WorkInfo.new(wi.reject {|k| list.include?(k)})
      +				  info.user_id = wi[:user_id]
      +				  info.build_key_management({:user_id => wi[:user_id], :iv => SecureRandom.hex(32) })
      +				  info.SSN = wi[:SSN]
      +				  info.save
      +				end
      +			  
      +
      +				# SEPARATE PROD AND DEV KEYS (config/initializers/key.rb)
      +				if Rails.env.production?
      +				  # Specify env variable/location/etc. to retrieve key from
      +				elsif Rails.env.development?
      +				  KEY = "123456789101112123456789101112123456789101112"
      +				end
      +			  
      +
      +				# CHANGE VIEW TO CALL LAST FOUR METHOD (app/views/work_info/index.html.erb)
      +				<%= CGI.unescapeHTML("<td class="ssn"><%= @user.work_info.last_four %></td>") %>
      +			  
      +
      +			def build_benefits_data
      +			   build_retirement(POPULATE_RETIREMENTS.shuffle.first)
      +			   build_paid_time_off(POPULATE_PAID_TIME_OFF.shuffle.first).schedule.build(POPULATE_SCHEDULE.shuffle.first)
      +			   build_work_info(POPULATE_WORK_INFO.shuffle.first)
      +			   # Uncomment below line to use encrypted SSN(s)
      +			   work_info.build_key_management(:iv => SecureRandom.hex(32))
      +			   performance.build(POPULATE_PERFORMANCE.shuffle.first)
      +			end
      +			 
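Review bot: In the `config/initializers/key.rb` sample the production branch assigns nothing, so in production `KEY` is never defined and `WorkInfo#key` (`raise "Key Missing" if !(KEY)`, shown in the previous commit's hunk) fails with NameError before its own check runs; `defined?(KEY)` or an `ENV.fetch` lookup would produce the intended error. The development value `"123456789101112123456789101112123456789101112"` is 45 characters, while `aes-256-cbc` takes a 32-byte key — older OpenSSL bindings truncate, newer ones raise ArgumentError on `key=` — and a digit string is not a uniformly random key in any case, so a 32-byte value from `SecureRandom.random_bytes(32)` kept outside the repository would let the sample run as written. In the `build_benefits_data` excerpt the `# Uncomment below line` comment sits above a line that is already active. The partial's enclosing markup starts before the hunk.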
      From e116d8b0960af00d009150713bba90f605d5e0f2 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Thu, 14 Nov 2013 10:34:31 -0500 Subject: [PATCH 049/149] finishing A7 --- .../_access_control_first.html.erb | 45 ++++++++----------- 1 file changed, 18 insertions(+), 27 deletions(-) diff --git a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb index cce74f4..832abb1 100644 --- a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb +++ b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb @@ -31,13 +31,19 @@

      - Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. Currently, the methods to apply a before_filter already exist in the application controller but were forgotten when creating the administrative functionality. Notice an asbsence of the before_filter within app/controllers/admin_controller.rb + Rails provides the ability to apply before_filter(s) which run prior to rendering content to the user. This is helpful when restricting access to content based on the user's role. These filters can be skipped on certain actions or controllers and entirely if certain conditions are met. In this case, the before_filter is being skipped if the admin_id param is equal to 1.

               <%= %q{
               class AdminController < ApplicationController
               
      -          skip_before_filter :has_info
      +          before_filter :administrative, :if => :admin_param
      +
      +          ...
      +
      +          def admin_param
      +            params[:id] == '1'
      +          end
               } %>
               
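Review bot: The new paragraph says the filter is skipped when `admin_id` equals 1, but the snippet beneath it shows `params[:id] == '1'` as an `:if` condition, which makes the filter run only in that case and reads a differently named parameter — the text and the code describe opposite behaviours. The controller at this point in the series does contain `params[:id] == '1'` (the A7 commit earlier on this page), so either the prose or the snippet has to change; a predicate that matches the prose is `params[:admin_id] != '1'`, which a later commit on this page adopts. The `%q{}` block opens inside the hunk but the surrounding markup does not.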
      @@ -56,37 +62,21 @@

      Failure to Restrict URL Access - ATTACK

      - Request the following URL /admin/1/dashboard and have fun :-) + Request the following URL: /admin/1/dashboard and have fun :-)

      Failure to Restrict URL Access - SOLUTION

      - The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb: + The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows:

      -        helper_method :current_user, :is_admin?
      -        
      -        def is_admin?
      -            current_user.admin if current_user 
      -          end
      -      
      -          def administrative
      -            if not is_admin?
      -             reset_session
      -             redirect_to root_url
      -           end
      -          end
      -        
      -

      - Then add the following line within app/controllers/admin_controller.rb -

      -
      +        <%= %q{
               class AdminController < ApplicationController
      -
      -          before_filter :administrative
      -          skip_before_filter :has_info
      -        
      -
      -
      + + before_filter :administrative, :if => :admin_param + } %> + +
      +
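Review bot: The SOLUTION snippet repeats `before_filter :administrative, :if => :admin_param`, which is byte-for-byte the vulnerable line shown in the problem section, so the remediation the text promises ("enforce the filter on all access requests") is not demonstrated; the hardened line is the unconditional `before_filter :administrative`. The hunk also deletes the `is_admin?`/`administrative` excerpt from application_controller.rb that the new prose still points the reader to, so the definition of the method being enforced disappears from the page; consider keeping it. The surrounding markup of the section starts before the hunk.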
      @@ -96,6 +86,7 @@ Hint
      +
      I bet there is some admin functionality in here :-) From b84c8d4cc79dc7e647ed7b7b24e847c03fa1b477 Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 14 Nov 2013 10:47:27 -0500 Subject: [PATCH 050/149] finished write-up for broken auth --- app/controllers/users_controller.rb | 2 +- app/models/user.rb | 8 +++++++- .../_password_complexity.html.erb | 18 +++++++++++++----- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index e7f1684..665c12c 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -16,7 +16,7 @@ class UsersController < ApplicationController else @user = user flash[:error] = user.errors.full_messages.to_sentence - redirect_to :sign_up + redirect_to :signup end end diff --git a/app/models/user.rb b/app/models/user.rb index b0204b9..105e3f0 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -5,7 +5,13 @@ class User < ActiveRecord::Base :length => {:within => 6..40}, :on => :create, :if => :password#, - #:format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/} +=begin :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/} + validates :password, :presence => true, + :confirmation => true, + :on => :update, + :if => :password, + :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/} +=end validates_presence_of :email validates_uniqueness_of :email validates_format_of :email, :with => /.+@.+\..+/i diff --git a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb index 507bf0c..a373e91 100644 --- a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb +++ b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb @@ -70,11 +70,19 @@
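Review bot: Wrapping the second `validates :password` in `=begin`/`=end` leaves password updates without any confirmation or complexity check while create keeps its length rule, and nothing in the model says this is deliberate (the `:format` option was already commented out before this change and stays disabled). If this is the intentionally weak state for the Broken Auth lesson, record it beside the block, e.g. `# Intentionally disabled: see the A2 Broken Auth tutorial for the hardened version`; otherwise restore the update-time validation. The `validates :password` call begins before the hunk.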
    • 1 special character
    • -				  validates :password, :presence => true,
      -				                       :confirmation => true,
      -				                       :length => {:within => 6..40},
      -				                       :on => :create,
      -				                       :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
      +			  # VALIDATE PASSWORD BOTH AT CREATION AND WHEN UPDATING	 
      +			  validates :password, :presence => true,
      +			                        :confirmation => true,
      +			                        :length => {:within => 6..40},
      +			                        :on => :create,
      +			                        :if => :password,
      +			                        :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
      +			  validates :password, :presence => true,
      +			                         :confirmation => true,
      +			                         :on => :update,
      +			                         :if => :password,
      +			                         :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
      +										
       			  
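Review bot: The hardened example keeps `:length => {:within => 6..40}` next to a `:format` regex whose `(?=.{10,})` lookahead already requires at least 10 characters, so the lower bound of 6 is dead and the two rules disagree; align them with `:length => {:within => 10..40}`. The `:on => :update` validation has no `:length` rule at all, so an over-long password is rejected on create but accepted on update. The closing markup of the code block is outside the hunk.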
      From edfe5b646e1325f9279b284ba1a2415eda779722 Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 14 Nov 2013 10:52:04 -0500 Subject: [PATCH 051/149] fixed category number and this closes issue #35 --- app/views/layouts/tutorial/csrf/_csrf_first.html.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/layouts/tutorial/csrf/_csrf_first.html.erb b/app/views/layouts/tutorial/csrf/_csrf_first.html.erb index 1ae7ecd..621846f 100755 --- a/app/views/layouts/tutorial/csrf/_csrf_first.html.erb +++ b/app/views/layouts/tutorial/csrf/_csrf_first.html.erb @@ -1,7 +1,7 @@
      - A5 - Cross Site Request Forgery (CSRF) + A8 - Cross Site Request Forgery (CSRF)
      From b9e272317569ad89792cc3c3c87e95b674365825 Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 14 Nov 2013 10:59:20 -0500 Subject: [PATCH 052/149] closes issue #30 --- app/views/layouts/tutorial/xss/_xss_first.html.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/layouts/tutorial/xss/_xss_first.html.erb b/app/views/layouts/tutorial/xss/_xss_first.html.erb index dc6e516..864f488 100755 --- a/app/views/layouts/tutorial/xss/_xss_first.html.erb +++ b/app/views/layouts/tutorial/xss/_xss_first.html.erb @@ -1,7 +1,7 @@
      - A2 - Cross-Site Scripting ("XSS") + A3 - Cross-Site Scripting ("XSS")
      From f53ab56e923408b7f51e9b756e6088e4413cb65e Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 14 Nov 2013 11:06:27 -0500 Subject: [PATCH 053/149] fixes a bug introduced during the transition from info_disclosure to A6 --- app/controllers/tutorials_controller.rb | 46 +-------- app/views/layouts/tutorial/_sidebar.html.erb | 3 - .../info_disclosure/_ssn_disclosure.html.erb | 98 ------------------- app/views/tutorials/info_disclosure.html.erb | 18 ---- config/routes.rb | 1 - ...ure_spec.rb => sensitive_data_exposure.rb} | 2 +- 6 files changed, 2 insertions(+), 166 deletions(-) delete mode 100644 app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb delete mode 100644 app/views/tutorials/info_disclosure.html.erb rename spec/vulnerabilities/{info_disclosure_spec.rb => sensitive_data_exposure.rb} (91%) diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb index 0b88a9e..a8d151c 100755 --- a/app/controllers/tutorials_controller.rb +++ b/app/controllers/tutorials_controller.rb @@ -83,51 +83,7 @@ class TutorialsController < ApplicationController def guard end - def info_disclosure - @bad_code_1 = - %q{ - - - - - - - - - - - - - - - - - - - - - - - -
      Full NameIncomeBonusesYears w/ MetaCorpSSNDoB
      <%= "#{@user.first_name} #{@user.last_name}" %><%= @user.work_info.income %><%= @user.work_info.bonuses %><%= @user.work_info.years_worked %><%= @user.work_info.SSN %><%= @user.work_info.DoB %>
      - } - - @good_code_1 = %q{ - class WorkInfo < ActiveRecord::Base - attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked - belongs_to :user - - # We should probably use this - def last_four - "***-**-" << self.SSN[-4,4] - end - - end - } - - @bad_code_2 = %q{<%= @user.work_info.SSN %>} - @good_code_2 = %q{<%= @user.work_info.last_four %>} - end + def mass_assignment end diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb index acfdfd7..b46902b 100755 --- a/app/views/layouts/tutorial/_sidebar.html.erb +++ b/app/views/layouts/tutorial/_sidebar.html.erb @@ -106,9 +106,6 @@ -
    • - <%= link_to "Info Dislosure", info_disclosure_tutorials_path %> -
    • <%= link_to "Mass Assignment", mass_assignment_tutorials_path %>
    • diff --git a/app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb b/app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb deleted file mode 100644 index 76c7d12..0000000 --- a/app/views/layouts/tutorial/info_disclosure/_ssn_disclosure.html.erb +++ /dev/null @@ -1,98 +0,0 @@ -
      -
      -
      - Information Disclosure (Sensitive) -
      -
      -
      -
      -
      - -
      -
      -

      - The application stores and returns full social security numbers. The clear-text storage of this value within the database falls under <%= link_to "Insecure Cryptographic Storage", crypto_tutorials_path, {:style => "color: rgb(181, 121, 158)"}%>. However, the other failure here is that the application returns this full SSN value within the response for the user's Work Info page. Although a portion of the SSN value is obfuscated using JavaScript (when rendered in the browser), any attacker who has positioned themselves to sniff this traffic or read the user's browser cache can extract the full value from the source. -

      -
      -
      -
      -
      - -
      -
      -

      - The bug is introduced within app/views/work_info/index.html.erb, seen on line 20: -

      -

      -

      -						<%= @bad_code_1 %>
      -				 	
      - - The value, stored unencrypted, is called directly from the database. (line 20) -

      -
      -
      -
      -
      - -
      -
      -

      - A model method to return only the last four digits already exists. The following code was taken from the WorkInfo model - app/models/work_info.rb: -

      -

      -

      -					<%= @good_code_1%>
      -			    
      -

      -

      - Essentially, this takes the SSN string from the DB, retrieves only the last four characters in the string, and concatenates the last four characters with asterisks. Because this occurs at the model level, the view page never calls the full SSN value and therefore the user's browser never receives the full SSN. The view code would need to change from... -

      -					<%= @bad_code_2 %>
      -			    
      - to... -
      -					<%= @good_code_2 %>
      -				
      -

      - -
      -
      -
      -
      - -
      -
      -

      - Inspect your work information closely -

      -
      -
      -
      -
      -
      -
      \ No newline at end of file diff --git a/app/views/tutorials/info_disclosure.html.erb b/app/views/tutorials/info_disclosure.html.erb deleted file mode 100644 index b482a01..0000000 --- a/app/views/tutorials/info_disclosure.html.erb +++ /dev/null @@ -1,18 +0,0 @@ -
      -
      -
      -
      - <%= render :partial => "layouts/tutorial/info_disclosure/ssn_disclosure"%> -
      -
      -
      -
      - - \ No newline at end of file diff --git a/config/routes.rb b/config/routes.rb index 800d3d7..dac6707 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -52,7 +52,6 @@ Railsgoat::Application.routes.draw do get "ssl_tls" get "redirects" get "guard" - get "info_disclosure" get "mass_assignment" get "constantize" get "gauntlt" diff --git a/spec/vulnerabilities/info_disclosure_spec.rb b/spec/vulnerabilities/sensitive_data_exposure.rb similarity index 91% rename from spec/vulnerabilities/info_disclosure_spec.rb rename to spec/vulnerabilities/sensitive_data_exposure.rb index ce0bd2a..bc1e72e 100644 --- a/spec/vulnerabilities/info_disclosure_spec.rb +++ b/spec/vulnerabilities/sensitive_data_exposure.rb @@ -1,6 +1,6 @@ require 'spec_helper' -feature 'sensitive information disclosure' do +feature 'sensitive data exposure' do before do UserFixture.reset_all_users @normal_user = UserFixture.normal_user From 3ec9765ca3f4f37fc33144b7bdf8275d9dcdcb57 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Thu, 14 Nov 2013 11:24:15 -0500 Subject: [PATCH 054/149] small update to A7 --- .../tutorial/access_control/_access_control_first.html.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb index 832abb1..7dd02ed 100644 --- a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb +++ b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb @@ -66,13 +66,13 @@
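Review bot: The rename drops the `_spec.rb` suffix (`info_disclosure_spec.rb` → `sensitive_data_exposure.rb`), and RSpec's default pattern only loads `**/*_spec.rb`, so unless the project configures a custom pattern this feature spec silently stops running. Name it `spec/vulnerabilities/sensitive_data_exposure_spec.rb`. The `before` block continues outside the hunk.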

      Failure to Restrict URL Access - SOLUTION

      - The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows: + The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to remove the conditional and enforce the filter on all access requests to the admin dashboard as follows:

               <%= %q{
               class AdminController < ApplicationController
               
      -          before_filter :administrative, :if => :admin_param
      +          before_filter :administrative
               } %>
               
      From 4801dc518ae31188648757631323311d27c6795f Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Thu, 14 Nov 2013 11:26:31 -0500 Subject: [PATCH 055/149] fixing two A5 typos --- app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb | 2 +- app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb b/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb index 076fab2..4679e7c 100755 --- a/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb +++ b/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb @@ -1,7 +1,7 @@
      - A6 - Security Misconfiguration + A5 - Security Misconfiguration
      diff --git a/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb b/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb index db874d7..e7635b1 100644 --- a/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb +++ b/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb @@ -1,7 +1,7 @@
      - A6 - Security Misconfiguration + A5 - Security Misconfiguration
      From 0075ca7a9c7b61078732510a77729553e472a96b Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Thu, 14 Nov 2013 12:32:53 -0500 Subject: [PATCH 056/149] lowering rack version for dos --- Gemfile | 2 +- Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 219755b..74972e1 100755 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source 'https://rubygems.org' #don't upgrade gem 'rails', '3.2.11' -gem 'rack', '1.4.3' +gem 'rack', '1.4.0' # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' diff --git a/Gemfile.lock b/Gemfile.lock index 4c937ea..0d34071 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -167,7 +167,7 @@ GEM coderay (~> 1.0) method_source (~> 0.8) slop (~> 3.4) - rack (1.4.3) + rack (1.4.0) rack-cache (1.2) rack (>= 0.4) rack-livereload (0.3.15) @@ -293,7 +293,7 @@ DEPENDENCIES poltergeist powder pry - rack (= 1.4.3) + rack (= 1.4.0) rack-livereload rails (= 3.2.11) rb-fsevent From 53dcc75f740e92c288480ffe3712ac4a58384546 Mon Sep 17 00:00:00 2001 From: cktricky Date: Thu, 14 Nov 2013 15:05:00 -0500 Subject: [PATCH 057/149] I think there was a subtle bug in the intentional security bypass within the admin controller --- app/controllers/admin_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 1a671f7..d7efbdb 100755 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -48,7 +48,7 @@ class AdminController < ApplicationController private def admin_param - params[:id] == '1' + params[:admin_id] != '1' end end From cae21708798bf39f043cde388fab998174585875 Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Thu, 14 Nov 2013 08:11:58 -0600 Subject: [PATCH 058/149] Remove unnecessary README.rdoc file --- README.rdoc | 261 ---------------------------------------------------- 1 file changed, 261 deletions(-) delete mode 100755 README.rdoc 
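Review bot: `gem 'rack', '1.4.0'` downgrades a dependency on purpose (the subject says "for dos"), but the only comment in the file, `#don't upgrade`, sits above the rails line, so a routine `bundle update` or a dependency bot will undo this without anyone seeing why. Put the reason on the line itself: `gem 'rack', '1.4.0' # intentionally pinned to an older release for the DoS lesson; do not upgrade`.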
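Review bot: `params[:admin_id] != '1'` means the role check is skipped precisely when the request carries `admin_id=1`, which the tutorial partial on this page presents as the A7 exercise; with nothing in the controller saying so, the next maintainer will read it as a bug and "fix" it, or copy the pattern elsewhere. Mark it where it lives, e.g. `# Intentional A7 bypass: the filter is skipped for admin_id=1 — see the access-control tutorial` above `def admin_param`. The hardened form is the unconditional `before_filter :administrative`.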
diff --git a/README.rdoc b/README.rdoc
deleted file mode 100755
index 3e1c15c..0000000
--- a/README.rdoc
+++ /dev/null
@@ -1,261 +0,0 @@ -== Welcome to Rails - -Rails is a web-application framework that includes everything needed to create -database-backed web applications according to the Model-View-Control pattern. - -This pattern splits the view (also called the presentation) into "dumb" -templates that are primarily responsible for inserting pre-built data in between -HTML tags. The model contains the "smart" domain objects (such as Account, -Product, Person, Post) that holds all the business logic and knows how to -persist themselves to a database. The controller handles the incoming requests -(such as Save New Account, Update Product, Show Post) by manipulating the model -and directing data to the view. - -In Rails, the model is handled by what's called an object-relational mapping -layer entitled Active Record. This layer allows you to present the data from -database rows as objects and embellish these data objects with business logic -methods. You can read more about Active Record in -link:files/vendor/rails/activerecord/README.html. - -The controller and view are handled by the Action Pack, which handles both -layers by its two parts: Action View and Action Controller. These two layers -are bundled in a single package due to their heavy interdependence. This is -unlike the relationship between the Active Record and Action Pack that is much -more separate. Each of these packages can be used independently outside of -Rails. You can read more about Action Pack in -link:files/vendor/rails/actionpack/README.html. - - -== Getting Started - -1. At the command prompt, create a new Rails application: - rails new myapp (where myapp is the application name) - -2. Change directory to myapp and start the web server: - cd myapp; rails server (run with --help for options) - -3. Go to http://localhost:3000/ and you'll see: - "Welcome aboard: You're riding Ruby on Rails!" - -4. Follow the guidelines to start developing your application. 
You can find -the following resources handy: - -* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html -* Ruby on Rails Tutorial Book: http://www.railstutorial.org/ - - -== Debugging Rails - -Sometimes your application goes wrong. Fortunately there are a lot of tools that -will help you debug it and get it back on the rails. - -First area to check is the application log files. Have "tail -f" commands -running on the server.log and development.log. Rails will automatically display -debugging and runtime information to these files. Debugging info will also be -shown in the browser on requests from 127.0.0.1. - -You can also log your own messages directly into the log file from your code -using the Ruby logger class from inside your controllers. Example: - - class WeblogController < ActionController::Base - def destroy - @weblog = Weblog.find(params[:id]) - @weblog.destroy - logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!") - end - end - -The result will be a message in your log file along the lines of: - - Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1! - -More information on how to use the logger is at http://www.ruby-doc.org/core/ - -Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are -several books available online as well: - -* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe) -* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide) - -These two books will bring you up to speed on the Ruby language and also on -programming in general. - - -== Debugger - -Debugger support is available through the debugger command when you start your -Mongrel or WEBrick server with --debugger. This means that you can break out of -execution at any point in the code, investigate and change the model, and then, -resume execution! You need to install ruby-debug to run the server in debugging -mode. With gems, use sudo gem install ruby-debug. 
Example: - - class WeblogController < ActionController::Base - def index - @posts = Post.all - debugger - end - end - -So the controller will accept the action, run the first line, then present you -with a IRB prompt in the server window. Here you can do things like: - - >> @posts.inspect - => "[#nil, "body"=>nil, "id"=>"1"}>, - #"Rails", "body"=>"Only ten..", "id"=>"2"}>]" - >> @posts.first.title = "hello from a debugger" - => "hello from a debugger" - -...and even better, you can examine how your runtime objects actually work: - - >> f = @posts.first - => #nil, "body"=>nil, "id"=>"1"}> - >> f. - Display all 152 possibilities? (y or n) - -Finally, when you're ready to resume execution, you can enter "cont". - - -== Console - -The console is a Ruby shell, which allows you to interact with your -application's domain model. Here you'll have all parts of the application -configured, just like it is when the application is running. You can inspect -domain models, change values, and save to the database. Starting the script -without arguments will launch it in the development environment. - -To start the console, run rails console from the application -directory. - -Options: - -* Passing the -s, --sandbox argument will rollback any modifications - made to the database. -* Passing an environment name as an argument will load the corresponding - environment. Example: rails console production. - -To reload your controllers and models after launching the console run -reload! - -More information about irb can be found at: -link:http://www.rubycentral.org/pickaxe/irb.html - - -== dbconsole - -You can go to the command line of your database directly through rails -dbconsole. You would be connected to the database with the credentials -defined in database.yml. Starting the script without arguments will connect you -to the development database. Passing an argument will connect you to a different -database, like rails dbconsole production. 
Currently works for MySQL, -PostgreSQL and SQLite 3. - -== Description of Contents - -The default directory structure of a generated Ruby on Rails application: - - |-- app - | |-- assets - | | |-- images - | | |-- javascripts - | | `-- stylesheets - | |-- controllers - | |-- helpers - | |-- mailers - | |-- models - | `-- views - | `-- layouts - |-- config - | |-- environments - | |-- initializers - | `-- locales - |-- db - |-- doc - |-- lib - | |-- assets - | `-- tasks - |-- log - |-- public - |-- script - |-- test - | |-- fixtures - | |-- functional - | |-- integration - | |-- performance - | `-- unit - |-- tmp - | `-- cache - | `-- assets - `-- vendor - |-- assets - | |-- javascripts - | `-- stylesheets - `-- plugins - -app - Holds all the code that's specific to this particular application. - -app/assets - Contains subdirectories for images, stylesheets, and JavaScript files. - -app/controllers - Holds controllers that should be named like weblogs_controller.rb for - automated URL mapping. All controllers should descend from - ApplicationController which itself descends from ActionController::Base. - -app/models - Holds models that should be named like post.rb. Models descend from - ActiveRecord::Base by default. - -app/views - Holds the template files for the view that should be named like - weblogs/index.html.erb for the WeblogsController#index action. All views use - eRuby syntax by default. - -app/views/layouts - Holds the template files for layouts to be used with views. This models the - common header/footer method of wrapping views. In your views, define a layout - using the layout :default and create a file named default.html.erb. - Inside default.html.erb, call <% yield %> to render the view using this - layout. - -app/helpers - Holds view helpers that should be named like weblogs_helper.rb. These are - generated for you automatically when using generators for controllers. - Helpers can be used to wrap functionality for your views into methods. 
- -config - Configuration files for the Rails environment, the routing map, the database, - and other dependencies. - -db - Contains the database schema in schema.rb. db/migrate contains all the - sequence of Migrations for your schema. - -doc - This directory is where your application documentation will be stored when - generated using rake doc:app - -lib - Application specific libraries. Basically, any kind of custom code that - doesn't belong under controllers, models, or helpers. This directory is in - the load path. - -public - The directory available for the web server. Also contains the dispatchers and the - default HTML files. This should be set as the DOCUMENT_ROOT of your web - server. - -script - Helper scripts for automation and generation. - -test - Unit and functional tests along with fixtures. When using the rails generate - command, template test files will be generated for you and placed in this - directory. - -vendor - External libraries that the application depends on. Also includes the plugins - subdirectory. If the app has frozen rails, those gems also go here, under - vendor/rails/. This directory is in the load path. From 64bdc001611bee0ba7da8d7765f7d42b4331957a Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Thu, 14 Nov 2013 08:13:58 -0600 Subject: [PATCH 059/149] Add minor changes to README.md file --- README.md | 121 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 69 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 10fe978..ad52e61 100755 --- a/README.md +++ b/README.md 
@@ -1,78 +1,95 @@ -## Getting Started ## -#### With Ruby, Rubygems, Git, and Bundler installed #### +# RailsGoat [![Build Status](https://api.travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) [![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) - git clone https://github.com/OWASP/railsgoat.git +RailsGoat is a vulnerable version of the Ruby on Rails Framework. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals. - cd railsgoat +## Getting Started - rvm use 1.9.3@railsgoat --create # https://rvm.io/ +Requirements: **Ruby 1.9.3** - bundle +To begin, install the Ruby Version Manager (RVM): - rake db:setup +``` +$ curl -L https://get.rvm.io | bash -s stable --autolibs=3 --ruby=1.9.3 +``` - rails s +After installing the package, clone this repo: - open http://0.0.0.0:3000 +``` +$ git clone git@github.com:OWASP/railsgoat.git +``` - Start hacking!!! +Navigate into the directory and accept the notice by typing `yes`: +``` +***************************************************************************************************** +* NOTICE * +***************************************************************************************************** +* RVM has encountered a new or modified .rvmrc file in the current directory, this is a shell * +* script and therefore may contain any shell commands. * +* * +* Examine the contents of this file carefully to be sure the contents are safe before trusting it! * +* Do you wish to trust '/path/to/railsgoat/.rvmrc'? 
* +* Choose v[view] below to view the contents * +***************************************************************************************************** +y[es], n[o], v[iew], c[cancel]> +``` -### Running Capybara Tests ### +Install the project dependencies: -RailsGoat now includes a set of _failing_ Capybara RSpecs, each one indicating a separate vulnerability exists -in the application. +``` +$ bundle install +``` -To run them, though, you'll first need to [install PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs), -which is required by the Poltergeist Capybara driver. Then just rake: +If you receive an error, make sure you have `bundler` installed: - rake training +``` +$ gem install bundler +``` -NOTE: As vulnerabilities are fixed in the application, these specs won't change from to passing but to _pending_. +Initialize the database: -### Developer Note ### +``` +$ rake db:setup +``` -As changes are made to the application, the Capybara RSpecs can be used to verify the vulnerabilities -in the application are still intact. To use them in this way, and have them _pass_ instead of fail, -set the `RAILSGOAT_MAINTAINER` environment variable. +Start the WEBrick HTTP Server: -

      -Conversion to the OWASP Top 10, 2013 is under way. +``` +$ rails server +``` -You can view progress within the top-10-2013 branch. +Open your favorite browser, navigate to `http://localhost:3000` and start hacking! + +## Capybara Tests + +RailsGoat now includes a set of failing Capybara RSpecs, each one indicating that a separate vulnerability exists in the application. To run them, you first need to install [PhantomJS](https://github.com/jonleighton/poltergeist#installing-phantomjs), which is required by the Poltergeist Capybara driver. Upon installation, simply run the following rake task: + +``` +$ rake training +``` + +Please note, as vulnerabilities are fixed in the application, these specs will not change to `passing`, but to `pending`. + +## Contributing + +As changes are made to the application, the Capybara RSpecs can be used to verify that the vulnerabilities in the application are still intact. To use them in this way, and have them `pass` instead of `fail`, set the `RAILSGOAT_MAINTAINER` environment variable. + +Conversion to the OWASP Top 10, 2013 is under way. You can view progress within the `top-10-2013` branch. + +``` +$ git fetch origin +$ git checkout top-10-2013 +``` - git fetch origin - git checkout top-10-2013 Then proceed with browsing the site as normal :thumbsup: -


      -### Build Info ### - -[![Code Climate](https://codeclimate.com/github/OWASP/railsgoat.png)](https://codeclimate.com/github/OWASP/railsgoat) - -[![Build Status](https://travis-ci.org/OWASP/railsgoat.png?branch=master)](https://travis-ci.org/OWASP/railsgoat) - -### License Stuff ### +# License The MIT License (MIT) -Copyright (c) 2013 The Open Web Application Security Project +Copyright (c) 2013 The Open Web Application Security Project -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. - -
      +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file From 69078aa4048f0261ed7aca79fd5dce5ffe7619a9 Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Thu, 14 Nov 2013 13:37:56 -0600 Subject: [PATCH 060/149] Add minor text and typo changes --- README.md | 22 +++++++++++----------- spec/support/capybara_shared.rb | 23 +++++++++++------------ 2 files changed, 22 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index ad52e61..680cbd0 100755 --- a/README.md +++ b/README.md 
@@ -20,16 +20,16 @@ $ git clone git@github.com:OWASP/railsgoat.git Navigate into the directory and accept the notice by typing `yes`: ``` -***************************************************************************************************** -* NOTICE * -***************************************************************************************************** -* RVM has encountered a new or modified .rvmrc file in the current directory, this is a shell * -* script and therefore may contain any shell commands. * -* * -* Examine the contents of this file carefully to be sure the contents are safe before trusting it! * -* Do you wish to trust '/path/to/railsgoat/.rvmrc'? * -* Choose v[view] below to view the contents * -***************************************************************************************************** +**************************************************************************************************** +* NOTICE * +**************************************************************************************************** +* RVM has encountered a new or modified .rvmrc file in the current directory, this is a shell * +* script and therefore may contain any shell commands. * +* * +* Examine the contents of this file carefully to be sure the contents are safe before trusting it! * +* Do you wish to trust '/path/to/railsgoat/.rvmrc'? * +* Choose v[view] below to view the contents * +**************************************************************************************************** y[es], n[o], v[iew], c[cancel]> ``` @@ -67,7 +67,7 @@ RailsGoat now includes a set of failing Capybara RSpecs, each one indicating tha $ rake training ``` -Please note, as vulnerabilities are fixed in the application, these specs will not change to `passing`, but to `pending`. +NOTE: As vulnerabilities are fixed in the application, these specs will not change to `passing`, but to `pending`. ## Contributing 
diff --git a/spec/support/capybara_shared.rb b/spec/support/capybara_shared.rb index 8606ce4..a0866c6 100644 --- a/spec/support/capybara_shared.rb +++ b/spec/support/capybara_shared.rb @@ -15,20 +15,19 @@ def verifying_fixed? ****************************************************************************** You are running the RailsGoat Capybara Specs in Training mode. These specs - are supposed to fail, indicating vulnerabilities exist. They contain - spoilers, so do not read the code in spec/vulnerabilities if your goal is to - learn more about patching the vulnerabilities. You should fix the - vulnerabilities in the application in order to get these specs to pass**. - You can use them to measure your progress. + are supposed to fail, indicating vulnerabilities exist. They contain spoilers, + so do not read the code in spec/vulnerabilities if your goal is to learn more + about patching the vulnerabilities. You should fix the vulnerabilities in the + application in order to get these specs to pass**. You can use them to measure + your progress. - These same specs will pass if you set the #{maintainer_env_name} ENV - variable. + These same specs will pass if you set the #{maintainer_env_name} ENV variable. + + **NOTE: The RSpec pending feature is used to toggle the outcome of these specs + between Training mode and RailsGoat Maintainer mode. When the vulnerabilities + are removed, the specs will not "pass," but rather go into a "pending" state. + ****************************************************************************** - **NOTE: The RSpec pending feature is used to toggle the outcome of these - specs between Training mode and RailsGoat Maintainer mode, so when the - vulnerabilities are removed, these specs actually won't 'pass' but go into - a 'pending' state. -****************************************************************************** NOTICE $displayed_spec_notice = true end From ab22759bbf5e436c397c93c4c64e769cff46e948 Mon Sep 17 00:00:00 2001 
From: Al Snow Date: Mon, 18 Nov 2013 11:13:34 -0500 Subject: [PATCH 061/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 0d34071..991949d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -29,7 +29,7 @@ GEM i18n (~> 0.6) multi_json (~> 1.0) addressable (2.3.5) - arel (3.0.2) + arel (3.0.3) aruba (0.5.3) childprocess (>= 0.3.6) cucumber (>= 1.1.1) @@ -73,7 +73,7 @@ GEM coffee-script-source execjs coffee-script-source (1.6.3) - cucumber (1.3.9) + cucumber (1.3.10) builder (>= 2.1.2) diff-lcs (>= 1.1.3) gherkin (~> 2.12) @@ -103,7 +103,7 @@ GEM trollop gherkin (2.12.2) multi_json (~> 1.3) - guard (2.2.3) + guard (2.2.4) formatador (>= 0.2.4) listen (~> 2.1) lumberjack (~> 1.0) @@ -119,7 +119,7 @@ GEM guard-rspec (4.0.4) guard (>= 2.1.1) rspec (~> 2.14) - guard-shell (0.5.1) + guard-shell (0.5.2) guard (>= 1.1.0) haml (4.0.4) tilt @@ -234,7 +234,7 @@ GEM slim (2.0.2) temple (~> 0.6.6) tilt (>= 1.3.3, < 2.1) - slop (3.4.6) + slop (3.4.7) sprockets (2.2.2) hike (~> 1.2) multi_json (~> 1.0) From 209d2440a82a7d096e5a8cc0f5cb86e8dfb4f161 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 23 Nov 2013 16:00:32 -0500 Subject: [PATCH 062/149] Upgrade .rvmrc to 1.9.3-p484; Rebuilt Gemfile.lock file --- .rvmrc | 2 +- Gemfile.lock | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.rvmrc b/.rvmrc index bf053af..d816235 100755 --- a/.rvmrc +++ b/.rvmrc @@ -1 +1 @@ -rvm use 1.9.3@railsgoat --create +rvm use 1.9.3-p484@railsgoat --create diff --git a/Gemfile.lock b/Gemfile.lock index 991949d..7551790 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -97,7 +97,6 @@ GEM thor (>= 0.13.6) formatador (0.2.4) gauntlt (1.0.6) - aruba cucumber nokogiri (~> 1.5.0) trollop From c7515af6ab6d014e0d1d22687212f68b7d5b6d5d Mon Sep 17 00:00:00 2001 
From: Mike McCabe Date: Sat, 23 Nov 2013 16:04:48 -0500 Subject: [PATCH 063/149] adding basic forgot password controller and views --- app/controllers/users_controller.rb | 26 +++++++++++++++++++- app/views/sessions/new.html.erb | 1 + app/views/users/forgot_password.html.erb | 30 ++++++++++++++++++++++++ config/routes.rb | 1 + 4 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 app/views/users/forgot_password.html.erb diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 665c12c..81a0e52 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -1,7 +1,19 @@ +require class UsersController < ApplicationController skip_before_filter :has_info - skip_before_filter :authenticated, :only => [:new, :create] + skip_before_filter :authenticated, :only => [:new, :create, :forgot_password] + + def forgot_password + @user = User.find_by_email(params[:email]) unless params[:email].nil? + + if @user && password_reset_mailer_setup(@user) + flash[:success] = "Password reset email sent to #{params[:email]}" + redirect_to :login + else + flash[:error] = "There was an issue sending password reset email to #{params[:email]}".html_safe unless params[:email].nil? + end + end def new @user = User.new @@ -52,4 +64,16 @@ class UsersController < ApplicationController end end + private + + def password_reset_mailer_setup(user) + token = generate_token(user.id, user.email) + #reset_password_mailer(user.email, token) + end + + def generate_token(id, email) + hash = Digest::MD5.hexdigest(email) + "#{id}~#{hash}" + end + end \ No newline at end of file diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index 481763a..a7c9932 100755 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -22,6 +22,7 @@
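Review bot: `flash[:error] = "…#{params[:email]}".html_safe` marks a string that embeds unvalidated request input as safe HTML, so whichever layout renders the flash will emit the raw `email` parameter unescaped — reflected XSS via a crafted `?email=`. The success and error branches also differ according to whether `find_by_email` matched, which lets a caller learn which addresses are registered. If neither is a deliberate training vulnerability, drop `.html_safe` and use one neutral message on both paths, e.g. `flash[:notice] = "If that address is registered, a password reset email has been sent"`; if it is deliberate, mark it with a `# INTENTIONAL (training): reflected XSS + account enumeration` comment so it is not "fixed" by accident. The remainder of UsersController (from `new` on) lies outside the hunk.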
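Review bot: The reset token built in `generate_token` is `"#{id}~#{Digest::MD5.hexdigest(email)}"`, which contains no secret and no randomness — anyone who knows a victim's user id and email address can compute it — and nothing here records when it was issued, so it can never expire. A reset token should be an unguessable per-request value such as `SecureRandom.urlsafe_base64(32)`, persisted on the user together with an issued-at timestamp and compared in constant time when it comes back; the verification side is not visible in this hunk. Note also that `password_reset_mailer_setup` returns the token string because the mailer call is commented out, so `forgot_password` reports "Password reset email sent" without sending anything. In plain Ruby `Digest::MD5` needs `require 'digest/md5'` — the bare `require` added on line 1 (removed by the next commit) suggests that was the intent, though Rails normally has `Digest` loaded already.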
      + <%= link_to "Forgot Password", forgot_password_path, {:class => "btn btn-warning btn-small"} %> <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
      diff --git a/app/views/users/forgot_password.html.erb b/app/views/users/forgot_password.html.erb new file mode 100644 index 0000000..061181b --- /dev/null +++ b/app/views/users/forgot_password.html.erb @@ -0,0 +1,30 @@ +
      +

      MetaCorp

      +

      A GoatGroup Company

      +
      +
      +
      + +
      +
      +
      \ No newline at end of file diff --git a/config/routes.rb b/config/routes.rb index dac6707..441d118 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -3,6 +3,7 @@ Railsgoat::Application.routes.draw do get "login" => "sessions#new" get "signup" => "users#new" get "logout" => "sessions#destroy" + match "forgot_password" => "users#forgot_password" resources :sessions do From ce239e84bec0a44c664fef30ef214d51cc08adb0 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Sat, 23 Nov 2013 17:59:41 -0500 Subject: [PATCH 064/149] oops, maybe I should actually run the tests before committing --- app/controllers/users_controller.rb | 3 +-- app/views/users/forgot_password.html.erb | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 81a0e52..aa6dde1 100755 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -1,4 +1,3 @@ -require class UsersController < ApplicationController skip_before_filter :has_info @@ -76,4 +75,4 @@ class UsersController < ApplicationController "#{id}~#{hash}" end -end \ No newline at end of file +end diff --git a/app/views/users/forgot_password.html.erb b/app/views/users/forgot_password.html.erb index 061181b..034add2 100644 --- a/app/views/users/forgot_password.html.erb +++ b/app/views/users/forgot_password.html.erb @@ -8,7 +8,7 @@ <%= form_tag "forgot_password", :class=> "signup-wrapper" do %>
      -

      Login

      +

      Forgot Password

      Fill out the form below to reset your email.

      From 5db8eab56492d6ff6bdae7bbab0c65a9141f7e26 Mon Sep 17 00:00:00 2001 From: James Espinosa Date: Sun, 24 Nov 2013 20:34:18 -0600 Subject: [PATCH 065/149] Fix typo, should be password --- app/views/users/forgot_password.html.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/views/users/forgot_password.html.erb b/app/views/users/forgot_password.html.erb index 034add2..81c54ec 100644 --- a/app/views/users/forgot_password.html.erb +++ b/app/views/users/forgot_password.html.erb @@ -7,9 +7,9 @@ -
      \ No newline at end of file +
      diff --git a/config/routes.rb b/config/routes.rb index a9f6e25..9c21e1a 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -3,8 +3,10 @@ Railsgoat::Application.routes.draw do get "login" => "sessions#new" get "signup" => "users#new" get "logout" => "sessions#destroy" - match "forgot_password" => "users#forgot_password" - match "password_resets" => "password_resets#reset_password" + match "forgot_password" => "password_resets#forgot_password" + get "password_resets" => "password_resets#confirm_token" + post "password_resets" => "password_resets#reset_password" + resources :sessions do end @@ -83,4 +85,4 @@ Railsgoat::Application.routes.draw do root :to => "sessions#new" -end \ No newline at end of file +end From 67514193d3a8df728cbe9d0ba784faeae2fd0ba6 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 13 Dec 2013 17:46:42 -0500 Subject: [PATCH 083/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 5c5b57f..e15fb57 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -40,7 +40,7 @@ GEM erubis (>= 2.6.6) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (2.2.0) + brakeman (2.3.1) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) @@ -64,7 +64,7 @@ GEM timers (~> 1.1.0) childprocess (0.3.9) ffi (~> 1.0, >= 1.0.11) - cliver (0.3.1) + cliver (0.3.2) coderay (1.1.0) coffee-rails (3.2.2) coffee-script (>= 2.2.0) @@ -104,7 +104,7 @@ GEM trollop gherkin (2.12.2) multi_json (~> 1.3) - guard (2.2.4) + guard (2.2.5) formatador (>= 0.2.4) listen (~> 2.1) lumberjack (~> 1.0) @@ -279,7 +279,7 @@ GEM polyglot (>= 0.3.1) trollop (2.0) tzinfo (0.3.38) - uglifier (2.3.2) + uglifier (2.3.3) execjs (>= 0.3.0) json (>= 1.8.0) unicorn (4.7.0) From a673f13b29c77846e447cc8ccfda1f7873b21063 Mon Sep 17 00:00:00 2001 
From: Al Snow Date: Sun, 15 Dec 2013 10:51:30 -0500 Subject: [PATCH 084/149] Rebuilt Gemfile.lock file - 4 more gem upgrades --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e15fb57..0c795c6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -164,7 +164,7 @@ GEM mime-types (1.25.1) multi_json (1.8.2) multi_test (0.0.2) - nokogiri (1.5.10) + nokogiri (1.5.11) poltergeist (1.5.0) capybara (~> 2.1) cliver (~> 0.3.1) @@ -206,7 +206,7 @@ GEM raindrops (0.12.0) rake (10.1.0) rb-fsevent (0.9.3) - rb-inotify (0.9.2) + rb-inotify (0.9.3) ffi (>= 0.5.0) rdoc (3.12.2) json (~> 1.4) @@ -226,7 +226,7 @@ GEM rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - ruby2ruby (2.0.6) + ruby2ruby (2.0.7) ruby_parser (~> 3.1) sexp_processor (~> 4.0) ruby_parser (3.2.2) @@ -236,7 +236,7 @@ GEM railties (~> 3.2.0) sass (>= 3.1.10) tilt (~> 1.3) - sexp_processor (4.4.0) + sexp_processor (4.4.1) simplecov (0.8.0.pre2) docile (~> 1.1.0) lockfile (>= 2.1.0) From c1a3e806dec6874619a8ae16328762410c64f2e3 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 20 Dec 2013 19:59:00 -0500 Subject: [PATCH 085/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 0c795c6..8437945 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -204,7 +204,7 @@ GEM rdoc (~> 3.4) thor (>= 0.14.6, < 2.0) raindrops (0.12.0) - rake (10.1.0) + rake (10.1.1) rb-fsevent (0.9.3) rb-inotify (0.9.3) ffi (>= 0.5.0) @@ -231,7 +231,7 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.2.2) sexp_processor (~> 4.1) - sass (3.2.12) + sass (3.2.13) sass-rails (3.2.6) railties (~> 3.2.0) sass (>= 3.1.10) @@ -279,7 +279,7 @@ GEM polyglot (>= 0.3.1) trollop (2.0) tzinfo (0.3.38) - uglifier (2.3.3) + uglifier (2.4.0) execjs (>= 0.3.0) json (>= 1.8.0) unicorn (4.7.0) From 98dbad1cec33be97329b2aa841d0b0141e8430da Mon Sep 17 00:00:00 2001 
From: Al Snow Date: Mon, 23 Dec 2013 11:55:04 -0500 Subject: [PATCH 086/149] Upgraded better_errors gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 8437945..d0f0c24 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -35,7 +35,7 @@ GEM cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) bcrypt-ruby (3.1.2) - better_errors (1.0.1) + better_errors (1.1.0) coderay (>= 1.0.0) erubis (>= 2.6.6) binding_of_caller (0.7.2) From e757f33c0a0d790514ace2559533cc622b1d3a6a Mon Sep 17 00:00:00 2001 From: cktricky Date: Tue, 24 Dec 2013 08:35:29 -0500 Subject: [PATCH 087/149] UI improvements for the login page --- app/assets/stylesheets/main.css.erb | 2 +- app/views/sessions/new.html.erb | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/app/assets/stylesheets/main.css.erb b/app/assets/stylesheets/main.css.erb index a46df97..2296075 100755 --- a/app/assets/stylesheets/main.css.erb +++ b/app/assets/stylesheets/main.css.erb @@ -4616,7 +4616,7 @@ button.close { .signup .signup-wrapper .actions { padding: 10px; } .signup .signup-wrapper .actions a { - color: #ffffff; } + color: #b3b3b3; } .signup .signup-wrapper .checkbox { visibility: hidden; } .signup .signup-wrapper .checkbox-wrapper { diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index a1fa5a0..f559a6e 100755 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -15,14 +15,14 @@
      <%= hidden_field_tag :url, @url%> - <%= label_tag "Email Address" %> - <%= text_field_tag :email, params[:email], {:class => "input input-block-level"} %> - <%= label_tag :password, nil %> - <%= password_field_tag :password, nil, {:class => "input input-block-level"}%> + <%= text_field_tag :email, params[:email], {:class => "input input-block-level", :placeholder=>"Email"} %> + <%= password_field_tag :password, nil, {:class => "input input-block-level", :placeholder=>"Password"}%>
      - <%= link_to "Forgot Password", forgot_password_path, {:class => "btn btn-danger btn-large"} %> + + <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%> + <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
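Review bot: Replacing the `label_tag` calls with a `:placeholder` on the email and password fields leaves both inputs without an accessible name — placeholder text disappears as soon as the user types and is not announced as a label by assistive technology. Keep a label next to the placeholder, e.g. `<%= label_tag :email, "Email Address" %>` (hidden through the stylesheet if the design wants placeholder-only fields), rather than removing it. The same replacement is made in the forgot_password.html.erb hunk (L565–L567) and the users/new.html.erb hunk (L568–L571). The enclosing form helper begins before the hunk.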
      From 80e9fd11a8bdd3935f325ae8a26bd0c0dab79d69 Mon Sep 17 00:00:00 2001 From: cktricky Date: Tue, 24 Dec 2013 08:46:43 -0500 Subject: [PATCH 088/149] minor UI improvements on the Forgot Password and Register pages --- .../password_resets/forgot_password.html.erb | 5 ++--- app/views/users/new.html.erb | 15 +++++---------- 2 files changed, 7 insertions(+), 13 deletions(-) diff --git a/app/views/password_resets/forgot_password.html.erb b/app/views/password_resets/forgot_password.html.erb index be3d8a3..2378f58 100644 --- a/app/views/password_resets/forgot_password.html.erb +++ b/app/views/password_resets/forgot_password.html.erb @@ -14,12 +14,11 @@
      - <%= label_tag "Email Address" %> - <%= text_field_tag :email, params[:email], {:class => "input input-block-level"} %> + <%= text_field_tag :email, params[:email], {:class => "input input-block-level", :placeholder => "Email"} %>
      - <%= submit_tag "Reset Password", {:class => "btn btn-danger btn-large"} %> + <%= submit_tag "Reset Password", {:class => "btn btn-info btn-large"} %>
      diff --git a/app/views/users/new.html.erb b/app/views/users/new.html.erb index 27f3738..cf03ae2 100755 --- a/app/views/users/new.html.erb +++ b/app/views/users/new.html.erb @@ -13,22 +13,17 @@
      - <%= f.label "Email Address" %> - <%= f.text_field :email, {:class => "input input-block-level"} %> + <%= f.text_field :email, {:class => "input input-block-level", :placeholder => "Email"} %> - <%= f.label "First Name" %> - <%= f.text_field :first_name, {:class => "input input-block-level"} %> + <%= f.text_field :first_name, {:class => "input input-block-level", :placeholder => "First Name"} %> - <%= f.label "Last Name" %> - <%= f.text_field :last_name, {:class => "input input-block-level"} %> + <%= f.text_field :last_name, {:class => "input input-block-level", :placeholder => "Last Name"} %>
      - <%= f.label :password, nil %> - <%= f.password_field :password, {:class => "input input-block-level"}%> + <%= f.password_field :password, {:class => "input input-block-level", :placeholder => "Password"}%>
      - <%= f.label :confirm_password %> - <%= f.password_field :password_confirmation, {:class => "input input-block-level"}%> + <%= f.password_field :password_confirmation, {:class => "input input-block-level", :placeholder => "Confirm Password"}%>
      From 0b4425550b1808a4a219e551c647d871d9d3a085 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 26 Dec 2013 15:12:27 -0500 Subject: [PATCH 089/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index d0f0c24..02c7753 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -120,7 +120,7 @@ GEM guard-rspec (4.2.0) guard (>= 2.1.1) rspec (>= 2.14, < 4.0) - guard-shell (0.5.2) + guard-shell (0.6.0) guard (>= 1.1.0) haml (4.0.4) tilt From ad4f982992ecc5e4f8093765f6703acb3c9c6e55 Mon Sep 17 00:00:00 2001 From: mccabe615 Date: Fri, 27 Dec 2013 15:47:41 -0500 Subject: [PATCH 090/149] Update README.md --- README.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index bb79789..653408c 100755 --- a/README.md +++ b/README.md @@ -94,14 +94,7 @@ Alternatively, you can run MailCatcher in the foreground by running `mailcatcher As changes are made to the application, the Capybara RSpecs can be used to verify that the vulnerabilities in the application are still intact. To use them in this way, and have them `pass` instead of `fail`, set the `RAILSGOAT_MAINTAINER` environment variable. -Conversion to the OWASP Top 10, 2013 is under way. You can view progress within the `top-10-2013` branch. - -``` -$ git fetch origin -$ git checkout top-10-2013 -``` - -Then proceed with browsing the site as normal :thumbsup: +Conversion to the OWASP Top Ten 2013 completed in November, 2013. # License 
@@ -113,4 +106,4 @@ Permission is hereby granted, free of charge, to any person obtaining a copy of The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. From 161b390d704b6efb798a751c8ec8912b32b67f94 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 30 Dec 2013 07:58:23 -0500 Subject: [PATCH 091/149] Upgraded 5 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 02c7753..8a94a0d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -117,8 +117,8 @@ GEM em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) - guard-rspec (4.2.0) - guard (>= 2.1.1) + guard-rspec (4.2.3) + guard (~> 2.1) rspec (>= 2.14, < 4.0) guard-shell (0.6.0) guard (>= 1.1.0) @@ -205,7 +205,7 @@ GEM thor (>= 0.14.6, < 2.0) raindrops (0.12.0) rake (10.1.1) - rb-fsevent (0.9.3) + rb-fsevent (0.9.4) rb-inotify (0.9.3) ffi (>= 0.5.0) rdoc (3.12.2) 
@@ -219,8 +219,9 @@ GEM rspec-expectations (2.14.4) diff-lcs (>= 1.1.3, < 2.0) rspec-mocks (2.14.4) - rspec-rails (2.14.0) + rspec-rails (2.14.1) actionpack (>= 3.0) + activemodel (>= 3.0) activesupport (>= 3.0) railties (>= 3.0) rspec-core (~> 2.14.0) @@ -286,7 +287,7 @@ GEM kgio (~> 2.6) rack raindrops (~> 0.7) - websocket-driver (0.3.1) + websocket-driver (0.3.2) xpath (2.0.0) nokogiri (~> 1.3) From 0acf26379b98e9e1637a0645dcee1c1ff96f662b Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 1 Jan 2014 14:21:35 -0500 Subject: [PATCH 092/149] Removed several gem numbers then refreshed Gemfile.lock file --- Gemfile | 4 ++-- Gemfile.lock | 14 ++++++-------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/Gemfile b/Gemfile index 262f341..cd72c65 100755 --- a/Gemfile +++ b/Gemfile @@ -27,12 +27,12 @@ end gem 'gauntlt' -gem 'simplecov', '0.8.0.pre2', :require => false, :group => :test +gem 'simplecov', :require => false, :group => :test group :development, :test do gem 'launchy' gem 'capybara' - gem 'database_cleaner', '< 1.1.0' + gem 'database_cleaner' gem 'poltergeist' gem 'rspec-rails' end diff --git a/Gemfile.lock b/Gemfile.lock index 8a94a0d..ad0547e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -80,7 +80,7 @@ GEM multi_json (>= 1.7.5, < 2.0) multi_test (>= 0.0.2) daemons (1.1.9) - database_cleaner (1.0.1) + database_cleaner (1.2.0) debug_inspector (0.0.2) diff-lcs (1.2.5) docile (1.1.1) @@ -145,7 +145,6 @@ GEM celluloid (>= 0.15.2) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) - lockfile (2.1.0) lumberjack (1.0.4) mail (2.4.4) i18n (>= 0.4.0) @@ -238,12 +237,11 @@ GEM sass (>= 3.1.10) tilt (~> 1.3) sexp_processor (4.4.1) - simplecov (0.8.0.pre2) + simplecov (0.8.2) docile (~> 1.1.0) - lockfile (>= 2.1.0) multi_json - simplecov-html (~> 0.7.1) - simplecov-html (0.7.1) + simplecov-html (~> 0.8.0) + simplecov-html (0.8.0) sinatra (1.4.4) rack (~> 1.4) rack-protection (~> 1.4) 
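Review bot: Dropping the `< 1.1.0` bound on `database_cleaner` and the exact `0.8.0.pre2` pin on `simplecov` leaves Gemfile.lock as the only thing holding those versions, so a later `bundle update` can move either gem across a major release; the removed bound presumably existed because a 1.1.x release broke something. A pessimistic constraint keeps the upgrade this commit wants while still bounding it: `gem 'database_cleaner', '~> 1.2'` and `gem 'simplecov', '~> 0.8', :require => false, :group => :test`.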
@@ -303,7 +301,7 @@ DEPENDENCIES bundler-audit capybara coffee-rails - database_cleaner (< 1.1.0) + database_cleaner execjs foreman gauntlt @@ -324,7 +322,7 @@ DEPENDENCIES rb-fsevent rspec-rails sass-rails - simplecov (= 0.8.0.pre2) + simplecov sqlite3 therubyracer travis-lint From 429d1b0f7803b1b79c8e1b1d58974ebef6749873 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 5 Jan 2014 09:10:12 -0500 Subject: [PATCH 093/149] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ad0547e..100b64c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -162,7 +162,7 @@ GEM method_source (0.8.2) mime-types (1.25.1) multi_json (1.8.2) - multi_test (0.0.2) + multi_test (0.0.3) nokogiri (1.5.11) poltergeist (1.5.0) capybara (~> 2.1) From 42eb12b602e48a63d0909e6edf140ee8bf987188 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 8 Jan 2014 11:13:14 -0500 Subject: [PATCH 094/149] Upgraded 2 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 100b64c..d1effb4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -54,7 +54,7 @@ GEM builder (3.0.4) bundler-audit (0.3.0) bundler (~> 1.2) - capybara (2.2.0) + capybara (2.2.1) mime-types (>= 1.16) nokogiri (>= 1.3.3) rack (>= 1.0.0) @@ -122,7 +122,7 @@ GEM rspec (>= 2.14, < 4.0) guard-shell (0.6.0) guard (>= 1.1.0) - haml (4.0.4) + haml (4.0.5) tilt hashr (0.0.22) highline (1.6.20) From 48acca6eda9276f26a907114532f34ac06700398 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Fri, 10 Jan 2014 14:19:26 -0500 Subject: [PATCH 095/149] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d1effb4..42e0cbe 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -83,7 +83,7 @@ GEM database_cleaner (1.2.0) debug_inspector (0.0.2) diff-lcs (1.2.5) - docile (1.1.1) + docile (1.1.2) dotenv (0.9.0) em-websocket (0.5.0) eventmachine (>= 0.12.9) @@ -117,7 +117,7 @@ GEM em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) - guard-rspec (4.2.3) + guard-rspec (4.2.4) guard (~> 2.1) rspec (>= 2.14, < 4.0) guard-shell (0.6.0) @@ -161,7 +161,7 @@ GEM thin (~> 1.5.0) method_source (0.8.2) mime-types (1.25.1) - multi_json (1.8.2) + multi_json (1.8.4) multi_test (0.0.3) nokogiri (1.5.11) poltergeist (1.5.0) From 18766032f05fcfcef7221dea099c473f32c49fa2 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 11 Jan 2014 09:52:16 -0500 Subject: [PATCH 096/149] Upgraded 1 gem by rebuilding Gemfile.lock file --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 42e0cbe..0d0de8f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -281,7 +281,7 @@ GEM uglifier (2.4.0) execjs (>= 0.3.0) json (>= 1.8.0) - unicorn (4.7.0) + unicorn (4.8.0) kgio (~> 2.6) rack raindrops (~> 0.7) From e80c37e04081c89bdea5420d8546a0538ceaf295 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 15 Jan 2014 10:26:22 -0500 Subject: [PATCH 097/149] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 0d0de8f..14d9c49 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -30,7 +30,7 @@ GEM multi_json (~> 1.0) addressable (2.3.5) arel (3.0.3) - aruba (0.5.3) + aruba (0.5.4) childprocess (>= 0.3.6) cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) @@ -120,7 +120,7 @@ GEM guard-rspec (4.2.4) guard (~> 2.1) rspec (>= 2.14, < 4.0) - guard-shell (0.6.0) + guard-shell (0.6.1) guard (>= 1.1.0) haml (4.0.5) tilt @@ -181,7 +181,7 @@ GEM rack (>= 0.4) rack-livereload (0.3.15) rack - rack-protection (1.5.1) + rack-protection (1.5.2) rack rack-ssl (1.3.3) rack 
From a614620836e7d4568b614699c13466dab6179469 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 18 Jan 2014 12:36:17 -0500 Subject: [PATCH 098/149] Upgraded 3 gems by rebuilding Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 14d9c49..8b72271 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -62,7 +62,7 @@ GEM xpath (~> 2.0) celluloid (0.15.2) timers (~> 1.1.0) - childprocess (0.3.9) + childprocess (0.4.0) ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) coderay (1.1.0) @@ -104,7 +104,7 @@ GEM trollop gherkin (2.12.2) multi_json (~> 1.3) - guard (2.2.5) + guard (2.3.0) formatador (>= 0.2.4) listen (~> 2.1) lumberjack (~> 1.0) @@ -113,7 +113,7 @@ GEM guard-brakeman (0.8.1) brakeman (>= 2.1.1) guard (>= 1.1.0) - guard-livereload (2.1.0) + guard-livereload (2.1.1) em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) From ebeb84c9883ddce32ee4c70579c1ef347c88051f Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 27 Jan 2014 11:36:27 -0500 Subject: [PATCH 099/149] Upgraded 2 gems by refreshing Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 8b72271..3d63d0f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -117,7 +117,7 @@ GEM em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) - guard-rspec (4.2.4) + guard-rspec (4.2.5) guard (~> 2.1) rspec (>= 2.14, < 4.0) guard-shell (0.6.1) @@ -231,7 +231,7 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.2.2) sexp_processor (~> 4.1) - sass (3.2.13) + sass (3.2.14) sass-rails (3.2.6) railties (~> 3.2.0) sass (>= 3.1.10) From 92a1f28df6eb862e1f2fb533932cce8f0a6da303 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 2 Feb 2014 12:37:18 -0500 Subject: [PATCH 100/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 3d63d0f..8c0c281 100644 --- a/Gemfile.lock 
+++ b/Gemfile.lock @@ -72,7 +72,7 @@ GEM coffee-script (2.2.0) coffee-script-source execjs - coffee-script-source (1.6.3) + coffee-script-source (1.7.0) cucumber (1.3.10) builder (>= 2.1.2) diff-lcs (>= 1.1.3) @@ -133,7 +133,7 @@ GEM jquery-fileupload-rails (0.4.1) actionpack (>= 3.1) railties (>= 3.1) - jquery-rails (3.0.4) + jquery-rails (3.1.0) railties (>= 3.0, < 5.0) thor (>= 0.14, < 2.0) json (1.8.1) @@ -172,7 +172,7 @@ GEM polyglot (0.3.3) powder (0.2.0) thor (>= 0.11.5) - pry (0.9.12.4) + pry (0.9.12.6) coderay (~> 1.0) method_source (~> 0.8) slop (~> 3.4) @@ -215,9 +215,9 @@ GEM rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) rspec-core (2.14.7) - rspec-expectations (2.14.4) + rspec-expectations (2.14.5) diff-lcs (>= 1.1.3, < 2.0) - rspec-mocks (2.14.4) + rspec-mocks (2.14.5) rspec-rails (2.14.1) actionpack (>= 3.0) activemodel (>= 3.0) @@ -281,7 +281,7 @@ GEM uglifier (2.4.0) execjs (>= 0.3.0) json (>= 1.8.0) - unicorn (4.8.0) + unicorn (4.8.1) kgio (~> 2.6) rack raindrops (~> 0.7) From a5a1ce5d676a3b36e8bca50c2ccf7f6ac9e17f78 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 6 Feb 2014 17:17:56 -0500 Subject: [PATCH 101/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 8c0c281..300dd4f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -40,14 +40,14 @@ GEM erubis (>= 2.6.6) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (2.3.1) + brakeman (2.4.0) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) highline (~> 1.6.20) multi_json (~> 1.2) ruby2ruby (~> 2.0.5) - ruby_parser (~> 3.2.2) + ruby_parser (~> 3.4.0) sass (~> 3.0) slim (>= 1.3.6, < 3.0) terminal-table (~> 1.4) @@ -83,7 +83,7 @@ GEM database_cleaner (1.2.0) debug_inspector (0.0.2) diff-lcs (1.2.5) - docile (1.1.2) + docile (1.1.3) dotenv (0.9.0) em-websocket (0.5.0) eventmachine (>= 0.12.9) 
@@ -104,7 +104,7 @@ GEM trollop gherkin (2.12.2) multi_json (~> 1.3) - guard (2.3.0) + guard (2.4.0) formatador (>= 0.2.4) listen (~> 2.1) lumberjack (~> 1.0) @@ -137,7 +137,7 @@ GEM railties (>= 3.0, < 5.0) thor (>= 0.14, < 2.0) json (1.8.1) - kgio (2.8.1) + kgio (2.9.1) launchy (2.4.2) addressable (~> 2.3) libv8 (3.16.14.3) @@ -170,7 +170,7 @@ GEM multi_json (~> 1.0) websocket-driver (>= 0.2.0) polyglot (0.3.3) - powder (0.2.0) + powder (0.2.1) thor (>= 0.11.5) pry (0.9.12.6) coderay (~> 1.0) @@ -229,7 +229,7 @@ GEM ruby2ruby (2.0.7) ruby_parser (~> 3.1) sexp_processor (~> 4.0) - ruby_parser (3.2.2) + ruby_parser (3.4.0) sexp_processor (~> 4.1) sass (3.2.14) sass-rails (3.2.6) @@ -261,7 +261,7 @@ GEM sqlite3 (1.3.8) temple (0.6.7) terminal-table (1.4.5) - therubyracer (0.12.0) + therubyracer (0.12.1) libv8 (~> 3.16.14.0) ref thin (1.5.1) @@ -281,7 +281,7 @@ GEM uglifier (2.4.0) execjs (>= 0.3.0) json (>= 1.8.0) - unicorn (4.8.1) + unicorn (4.8.2) kgio (~> 2.6) rack raindrops (~> 0.7) From a27ffb31ab4a61f882ce03961b3c05bdcd90a962 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 10 Feb 2014 16:56:34 -0500 Subject: [PATCH 102/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 300dd4f..41d5807 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -117,7 +117,7 @@ GEM em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) - guard-rspec (4.2.5) + guard-rspec (4.2.6) guard (~> 2.1) rspec (>= 2.14, < 4.0) guard-shell (0.6.1) @@ -141,7 +141,7 @@ GEM launchy (2.4.2) addressable (~> 2.3) libv8 (3.16.14.3) - listen (2.4.0) + listen (2.4.1) celluloid (>= 0.15.2) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) From 06b9bdbc1d1c1ff651c8e5c043da7e3155a2cf2b Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sun, 16 Feb 2014 10:16:46 -0500 Subject: [PATCH 103/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/Gemfile.lock b/Gemfile.lock index 41d5807..27c65ba 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -62,7 +62,10 @@ GEM xpath (~> 2.0) celluloid (0.15.2) timers (~> 1.1.0) - childprocess (0.4.0) + celluloid-io (0.15.0) + celluloid (>= 0.15.0) + nio4r (>= 0.5.0) + childprocess (0.4.2) ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) coderay (1.1.0) @@ -137,12 +140,13 @@ GEM railties (>= 3.0, < 5.0) thor (>= 0.14, < 2.0) json (1.8.1) - kgio (2.9.1) + kgio (2.9.2) launchy (2.4.2) addressable (~> 2.3) libv8 (3.16.14.3) - listen (2.4.1) + listen (2.5.0) celluloid (>= 0.15.2) + celluloid-io (>= 0.15.0) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) lumberjack (1.0.4) @@ -163,6 +167,7 @@ GEM mime-types (1.25.1) multi_json (1.8.4) multi_test (0.0.3) + nio4r (1.0.0) nokogiri (1.5.11) poltergeist (1.5.0) capybara (~> 2.1) @@ -229,7 +234,7 @@ GEM ruby2ruby (2.0.7) ruby_parser (~> 3.1) sexp_processor (~> 4.0) - ruby_parser (3.4.0) + ruby_parser (3.4.1) sexp_processor (~> 4.1) sass (3.2.14) sass-rails (3.2.6) From b99385dff5d3c8277c46b8d1c58b257b07ffa740 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Tue, 18 Feb 2014 16:15:42 -0500 Subject: [PATCH 104/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 27c65ba..71e13ef 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -65,7 +65,7 @@ GEM celluloid-io (0.15.0) celluloid (>= 0.15.0) nio4r (>= 0.5.0) - childprocess (0.4.2) + childprocess (0.5.1) ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) coderay (1.1.0) @@ -174,7 +174,7 @@ GEM cliver (~> 0.3.1) multi_json (~> 1.0) websocket-driver (>= 0.2.0) - polyglot (0.3.3) + polyglot (0.3.4) powder (0.2.1) thor (>= 0.11.5) pry (0.9.12.6) @@ -207,7 +207,7 @@ GEM rake (>= 0.8.7) rdoc (~> 3.4) thor (>= 0.14.6, < 2.0) - raindrops (0.12.0) + raindrops (0.13.0) rake (10.1.1) rb-fsevent (0.9.4) rb-inotify (0.9.3) From 38584b703dbbcabec8cfbf967c2e22574fe99cd2 Mon Sep 17 00:00:00 2001 
From: Mike McCabe Date: Sun, 23 Feb 2014 13:43:56 -0500 Subject: [PATCH 105/149] updating brakeman --- Gemfile.lock | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 71e13ef..4921cc5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,13 +34,15 @@ GEM childprocess (>= 0.3.6) cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) - bcrypt-ruby (3.1.2) + bcrypt (3.1.6) + bcrypt-ruby (3.1.5) + bcrypt (>= 3.1.3) better_errors (1.1.0) coderay (>= 1.0.0) erubis (>= 2.6.6) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (2.4.0) + brakeman (2.4.1) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) @@ -87,7 +89,7 @@ GEM debug_inspector (0.0.2) diff-lcs (1.2.5) docile (1.1.3) - dotenv (0.9.0) + dotenv (0.10.0) em-websocket (0.5.0) eventmachine (>= 0.12.9) http_parser.rb (~> 0.5.3) @@ -120,7 +122,7 @@ GEM em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) - guard-rspec (4.2.6) + guard-rspec (4.2.7) guard (~> 2.1) rspec (>= 2.14, < 4.0) guard-shell (0.6.1) @@ -144,7 +146,7 @@ GEM launchy (2.4.2) addressable (~> 2.3) libv8 (3.16.14.3) - listen (2.5.0) + listen (2.6.0) celluloid (>= 0.15.2) celluloid-io (>= 0.15.0) rb-fsevent (>= 0.9.3) @@ -222,7 +224,7 @@ GEM rspec-core (2.14.7) rspec-expectations (2.14.5) diff-lcs (>= 1.1.3, < 2.0) - rspec-mocks (2.14.5) + rspec-mocks (2.14.6) rspec-rails (2.14.1) actionpack (>= 3.0) activemodel (>= 3.0) From 84fd9503ca740e7e237d65e9dbb500daf782fe8d Mon Sep 17 00:00:00 2001 From: ecneladis Date: Thu, 6 Mar 2014 19:40:33 +0100 Subject: [PATCH 106/149] Removed duplicated code from exemplary validations for password --- app/models/user.rb | 5 ++--- .../broken_auth_sess/_password_complexity.html.erb | 7 ------- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/app/models/user.rb b/app/models/user.rb index 105e3f0..2af7dc2 100755 --- a/app/models/user.rb +++ b/app/models/user.rb 
@@ -4,11 +4,10 @@ class User < ActiveRecord::Base :confirmation => true, :length => {:within => 6..40}, :on => :create, - :if => :password#, -=begin :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/} + :if => :password +=begin validates :password, :presence => true, :confirmation => true, - :on => :update, :if => :password, :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/} =end diff --git a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb index a373e91..4ca6a3e 100644 --- a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb +++ b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb @@ -70,18 +70,11 @@
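Review bot: After this change the live `validates :password` still carries `:on => :create`, so as far as this hunk shows a password changed through update is not checked for length or confirmation at all, and the `:format` complexity check exists only inside the `=begin`/`=end` block, which Ruby treats as a comment. If that is the intended starting state for the tutorial, say so where the next reader will look, e.g. `# NOTE: :format and the update-time validation are intentionally disabled (see the Broken Auth tutorial)`; if not, drop `:on => :create` and move `:format` into the active call. Note also that the disabled regex requires at least 10 characters via `(?=.{10,})` while the active `:length` allows `6..40`, so enabling it as-is makes 6–9 character passwords pass the length check and fail the format one. The `validates` statement begins before the hunk, and the tutorial partial edited in the same commit now shows the snippet without `:on => :create`, which no longer matches the model.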
    • 1 special character
    • -			  # VALIDATE PASSWORD BOTH AT CREATION AND WHEN UPDATING	 
       			  validates :password, :presence => true,
       			                        :confirmation => true,
       			                        :length => {:within => 6..40},
      -			                        :on => :create,
       			                        :if => :password,
       			                        :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
      -			  validates :password, :presence => true,
      -			                         :confirmation => true,
      -			                         :on => :update,
      -			                         :if => :password,
      -			                         :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
       										
       			  
      From c559bd56026cd27c8afbdfe377e8f017175afb7d Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 9 Mar 2014 20:16:54 -0400 Subject: [PATCH 107/149] updated tutorial to reflect changes to the correct code listed within the user model --- .../broken_auth_sess/_password_complexity.html.erb | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb index 4ca6a3e..9f4ad27 100644 --- a/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb +++ b/app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb @@ -70,12 +70,11 @@
    • 1 special character
    • -			  validates :password, :presence => true,
      -			                        :confirmation => true,
      -			                        :length => {:within => 6..40},
      -			                        :if => :password,
      -			                        :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
      -										
      +validates :password, :presence => true,
      +                      :confirmation => true,
      +                      :if => :password,
      +                      :format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
      +  					
       			  
      From e7c30151d441a57958468951c25222396112dc16 Mon Sep 17 00:00:00 2001 From: relotnek Date: Tue, 11 Mar 2014 20:28:15 -0400 Subject: [PATCH 108/149] added token to users model and generate token method to users controller --- app/models/user.rb | 6 ++++++ db/migrate/20140312002642_add_auth_token_to_users.rb | 5 +++++ db/schema.rb | 3 ++- 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 db/migrate/20140312002642_add_auth_token_to_users.rb diff --git a/app/models/user.rb b/app/models/user.rb index 2af7dc2..909fb64 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -81,5 +81,11 @@ private end end end + + def generate_token(column) + begin + self[column] = SecureRandom.urlsafe_base64 + end while User.exists?(column => self[column]) + end end diff --git a/db/migrate/20140312002642_add_auth_token_to_users.rb b/db/migrate/20140312002642_add_auth_token_to_users.rb new file mode 100644 index 0000000..2c83ac1 --- /dev/null +++ b/db/migrate/20140312002642_add_auth_token_to_users.rb @@ -0,0 +1,5 @@ +class AddAuthTokenToUsers < ActiveRecord::Migration + def change + add_column :users, :auth_token, :string + end +end diff --git a/db/schema.rb b/db/schema.rb index b7ded3a..2ec1d36 100755 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 20131113200708) do +ActiveRecord::Schema.define(:version => 20140312002642) do create_table "benefits", :force => true do |t| t.datetime "created_at", :null => false @@ -83,6 +83,7 @@ ActiveRecord::Schema.define(:version => 20131113200708) do t.integer "user_id" t.datetime "created_at", :null => false t.datetime "updated_at", :null => false + t.string "auth_token" end create_table "work_infos", :force => true do |t| From 4e6006dcc88049a3fbcb45bc6ed96d74371b3f41 Mon Sep 17 00:00:00 2001 
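Review bot: `generate_token` relies on `User.exists?` to avoid duplicate tokens, but the migration in the same commit only does `add_column :users, :auth_token, :string`, so without a unique index two concurrent creates can still persist the same token and every lookup by token is an unindexed scan. Add `add_index :users, :auth_token, :unique => true` to the migration so the database enforces what the loop only checks. The `begin … end while` form is the do-while idiom RuboCop flags; `loop do … break unless User.exists?(column => self[column]) end` reads the same and is the conventional shape. Per the hunk header this method sits under `private`, which matters for any caller outside the model.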
From: relotnek Date: Tue, 11 Mar 2014 20:29:43 -0400 Subject: [PATCH 109/149] added before_create generate token to user model --- app/models/user.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/user.rb b/app/models/user.rb index 909fb64..5543fe2 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -23,7 +23,7 @@ class User < ActiveRecord::Base has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_many :messages, :foreign_key => :receiver_id, :primary_key => :user_id, :dependent => :destroy - + before_create { generate_token(:auth_token) } def build_benefits_data build_retirement(POPULATE_RETIREMENTS.shuffle.first) From a707e756627e218437cd1bcc32489b484ec5bfa8 Mon Sep 17 00:00:00 2001 From: relotnek Date: Tue, 11 Mar 2014 20:31:32 -0400 Subject: [PATCH 110/149] added cookies.permanent in replacement of session --- app/controllers/sessions_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 3f84173..b69a820 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -19,7 +19,7 @@ class SessionsController < ApplicationController end if user - session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists? + cookies.permanent[:auth_token = user.auth_token ] if User.where(:user_id => user.user_id).exists? redirect_to path else # Removed this code, just doesn't seem specific enough! From 015b36d379c7362744de583088b570171425f4e5 Mon Sep 17 00:00:00 2001 From: relotnek Date: Tue, 11 Mar 2014 20:32:12 -0400 Subject: [PATCH 111/149] added cookie delete to session destroy method --- app/controllers/sessions_controller.rb | 1 + 1 file changed, 1 insertion(+) 
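Review bot: `before_create { generate_token(:auth_token) }` only fires for new rows, so every user that already exists when the migration runs keeps a NULL `auth_token` and, once login is keyed on that column, can no longer be found by `find_by_auth_token`. Backfill existing rows in the migration (`User.find_each { |u| u.generate_token(:auth_token); u.save! }`, which needs a public entry point since `generate_token` is declared under `private`), or generate lazily at login when `user.auth_token.nil?`. A one-line comment on the callback would also help: `# issue a persistent login token once per account; see SessionsController`.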
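Review bot: The new cookie carries the raw `auth_token` credential with the 20-year lifetime that `permanent` implies, and it is written without `httponly` or `secure`, so unlike the `session[:user_id]` it replaces (which presumably rode in the signed session cookie) it is readable by page script and sent over plain HTTP. Set the attributes explicitly: `cookies.permanent[:auth_token] = { :value => user.auth_token, :httponly => true, :secure => Rails.env.production? }`. The same applies to both branches of the sessions_controller hunk at L616 that rewrites this line. The enclosing `create` action begins and ends outside the hunk.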
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index b69a820..923b939 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -30,6 +30,7 @@ class SessionsController < ApplicationController end def destroy + cookies.delete(:auth_token) reset_session redirect_to root_path end From 18a1e219b7b6fa6ebcda1bdca541d5369e9ccaa1 Mon Sep 17 00:00:00 2001 From: relotnek Date: Tue, 11 Mar 2014 20:34:47 -0400 Subject: [PATCH 112/149] added rememberme checkbox to new session form --- app/views/sessions/new.html.erb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index f559a6e..7ed1272 100755 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -25,6 +25,11 @@ <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %> + +
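Review bot: `cookies.delete(:auth_token)` removes the cookie from this browser but leaves the token itself valid — the same `auth_token` value is handed out on every login and never rotated, so a copy of the cookie held elsewhere still authenticates after sign-out. Rotate the token on logout, before the cookie is deleted, so `destroy` actually revokes: `current_user.generate_token(:auth_token); current_user.save` (that method is private in the model hunk at L612, so it needs a public wrapper). Keeping `reset_session` is right, but it no longer covers the credential that matters.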
      + <%= check_box_tag :remember_me, 1, params[:remember_me] %> + <%= label_tag :remember_me %> +
      <% end %> From a5c4dc37a2161baaab1689ceaecef5e77b31a964 Mon Sep 17 00:00:00 2001 From: relotnek Date: Tue, 11 Mar 2014 20:38:26 -0400 Subject: [PATCH 113/149] added logic in sessions controller for rememberme checkbox --- app/controllers/sessions_controller.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 923b939..777bf6e 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -19,7 +19,11 @@ class SessionsController < ApplicationController end if user - cookies.permanent[:auth_token = user.auth_token ] if User.where(:user_id => user.user_id).exists? + if params[:remember_me] + cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? + else + cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? + end redirect_to path else # Removed this code, just doesn't seem specific enough! From 6a4bc922bd491d10fba49b4a82f8846c63b46d8d Mon Sep 17 00:00:00 2001 From: relotnek Date: Tue, 11 Mar 2014 20:40:10 -0400 Subject: [PATCH 114/149] added user lookup in application controller by auth_token --- app/controllers/application_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 7590751..ce73728 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -9,7 +9,7 @@ class ApplicationController < ActionController::Base private def current_user - @current_user ||= User.find_by_user_id(session[:user_id].to_s) + @current_user ||= User.find_by_auth_token!(cookies[:auth_token].to_s) end def authenticated From b101c286ce11c65e025419870a3dfc31681c3969 Mon Sep 17 00:00:00 2001 
From: relotnek Date: Tue, 11 Mar 2014 20:54:38 -0400 Subject: [PATCH 115/149] application controller edits --- app/controllers/application_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index ce73728..02b8df5 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -9,7 +9,7 @@ class ApplicationController < ActionController::Base private def current_user - @current_user ||= User.find_by_auth_token!(cookies[:auth_token].to_s) + @current_user ||= User.find_by_auth_token(cookies[:auth_token].to_s) end def authenticated From b9f61b3686b843ee8759c2326c8f489664e04166 Mon Sep 17 00:00:00 2001 From: relotnek Date: Tue, 11 Mar 2014 21:18:48 -0400 Subject: [PATCH 116/149] stylistic elements --- app/views/sessions/new.html.erb | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index 7ed1272..57c707d 100755 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -21,15 +21,16 @@
      - <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%> + <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
      +
      + +
      <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
      -
      - <%= check_box_tag :remember_me, 1, params[:remember_me] %> - <%= label_tag :remember_me %> -
      <% end %> From 932d2304f9ebdc0c74ab0d3623ad213701d69bdb Mon Sep 17 00:00:00 2001 From: cktricky Date: Wed, 12 Mar 2014 12:38:41 -0400 Subject: [PATCH 117/149] okay first run at making an API for railsgoat --- app/controllers/api/v1/users_controller.rb | 11 +++++++++++ app/helpers/api/v1/users_helper.rb | 2 ++ config/routes.rb | 8 +++++++- spec/controllers/api/v1/users_controller_spec.rb | 5 +++++ spec/helpers/api/v1/users_helper_spec.rb | 15 +++++++++++++++ 5 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 app/controllers/api/v1/users_controller.rb create mode 100644 app/helpers/api/v1/users_helper.rb create mode 100644 spec/controllers/api/v1/users_controller_spec.rb create mode 100644 spec/helpers/api/v1/users_helper_spec.rb diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb new file mode 100644 index 0000000..2afc41e --- /dev/null +++ b/app/controllers/api/v1/users_controller.rb @@ -0,0 +1,11 @@ +class Api::V1::UsersController < ApplicationController + + skip_before_filter :authenticated + + respond_to :json + + def index + respond_with ({:hi => :world}) + end + +end diff --git a/app/helpers/api/v1/users_helper.rb b/app/helpers/api/v1/users_helper.rb new file mode 100644 index 0000000..4d5288c --- /dev/null +++ b/app/helpers/api/v1/users_helper.rb @@ -0,0 +1,2 @@ +module Api::V1::UsersHelper +end diff --git a/config/routes.rb b/config/routes.rb index 9c21e1a..2383276 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -33,7 +33,7 @@ Railsgoat::Application.routes.draw do resources :messages do end - + end get "download" => "benefit_forms#download" @@ -81,6 +81,12 @@ Railsgoat::Application.routes.draw do get "home" end end + + namespace :api, defaults: {format: 'json'} do + namespace :v1 do + resources :users + end + end root :to => "sessions#new" 
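Review bot: `resources :users` under `namespace :api` / `namespace :v1` (second routes.rb hunk) publishes index/show/create/update/destroy for a controller that at this point defines only `index`, and that controller's `skip_before_filter :authenticated` removes the login check without adding a replacement, so the placeholder JSON is reachable anonymously. Limit the routes to what exists, `resources :users, only: [:index]`, and pair the skipped filter with an API-side check before the action returns real data. The `Railsgoat::Application.routes.draw` block extends beyond the hunk.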
diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb new file mode 100644 index 0000000..184b048 --- /dev/null +++ b/spec/controllers/api/v1/users_controller_spec.rb @@ -0,0 +1,5 @@ +require 'spec_helper' + +describe Api::V1::UsersController do + +end diff --git a/spec/helpers/api/v1/users_helper_spec.rb b/spec/helpers/api/v1/users_helper_spec.rb new file mode 100644 index 0000000..13a6067 --- /dev/null +++ b/spec/helpers/api/v1/users_helper_spec.rb @@ -0,0 +1,15 @@ +require 'spec_helper' + +# Specs in this file have access to a helper object that includes +# the Api::V1::UsersHelper. For example: +# +# describe Api::V1::UsersHelper do +# describe "string concat" do +# it "concats two strings with spaces" do +# expect(helper.concat_strings("this","that")).to eq("this that") +# end +# end +# end +describe Api::V1::UsersHelper do + pending "add some examples to (or delete) #{__FILE__}" +end From f4f5d5744cc064a3612d87bb885061d5a09d96f3 Mon Sep 17 00:00:00 2001 From: cktricky Date: Wed, 12 Mar 2014 13:24:37 -0400 Subject: [PATCH 118/149] working on the auth structure for the API --- app/controllers/api/v1/users_controller.rb | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb index 2afc41e..5f59b33 100644 --- a/app/controllers/api/v1/users_controller.rb +++ b/app/controllers/api/v1/users_controller.rb @@ -1,11 +1,20 @@ class Api::V1::UsersController < ApplicationController skip_before_filter :authenticated - + before_filter :valid_api_token + respond_to :json - def index - respond_with ({:hi => :world}) + def valid_api_token + authenticate_or_request_with_http_token do |token, options| + # TODO :add some functionality to check if the HTTP Header is valid + return true + end end - + + def index + respond_with User.all + end + + end 
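Review bot: The block given to `authenticate_or_request_with_http_token` in `valid_api_token` ignores `token` and ends in `return true`, so any request carrying an `Authorization: Token` header — whatever its value — passes the filter and `index` responds with `User.all`. The block should yield the result of a real lookup, e.g. `User.exists?(auth_token: token)` or whatever the token scheme becomes, rather than a constant. `valid_api_token` also sits above any `private` marker, so it is a public controller method; move it under `private`, and note that `return` inside the block exits the method rather than the block — the bare value `true` is what the helper expects.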
From 95eb5a56fdecc079c727affe14472fb7a0492727 Mon Sep 17 00:00:00 2001 From: cktricky Date: Wed, 12 Mar 2014 15:40:12 -0400 Subject: [PATCH 119/149] added vulnerable auth check for the API --- app/controllers/api/v1/users_controller.rb | 43 ++++++++++++++++++---- config/initializers/constants.rb | 1 + 2 files changed, 36 insertions(+), 8 deletions(-) create mode 100644 config/initializers/constants.rb diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb index 5f59b33..a23daf3 100644 --- a/app/controllers/api/v1/users_controller.rb +++ b/app/controllers/api/v1/users_controller.rb @@ -2,19 +2,46 @@ class Api::V1::UsersController < ApplicationController skip_before_filter :authenticated before_filter :valid_api_token + before_filter :extrapolate_user respond_to :json - def valid_api_token - authenticate_or_request_with_http_token do |token, options| - # TODO :add some functionality to check if the HTTP Header is valid - return true - end - end - def index - respond_with User.all + respond_with @user end +private + + def valid_api_token + authenticate_or_request_with_http_token do |token, options| + # TODO :add some functionality to check if the HTTP Header is valid + identify_user(token) + end + end + + def identify_user(token="") + # We've had issues with URL encoding, etc. causing issues so just to be safe + # we will go ahead and unescape the user's token + unescape_token(token) + @clean_token =~ /(.*?)-(.*)/ + id = $1 + hash = $2 + (id && hash) ? true : false + check_hash(id, hash) ? true : false + end + + def check_hash(id, hash) + digest = OpenSSL::Digest::SHA1.hexdigest("#{ACCESS_TOKEN_SALT}:#{id}") + hash == digest + end + + def unescape_token(token="") + @clean_token = CGI::unescape(token) + end + + # Added a method to make it easy to figure out who the user is. + def extrapolate_user + @user = User.find_by_id(@clean_token.split("-").first) + end end 
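Review bot: In `identify_user` the line `(id && hash) ? true : false` is a discarded expression, the `? true : false` on the `check_hash` call is redundant, and the `/(.*?)-(.*)/` match is unanchored, so anything before the first hyphen is accepted as the id and then re-parsed a second time in `extrapolate_user` via `split("-").first` instead of reusing the capture. `check_hash` compares the SHA1 digest with `==`, which exits on the first differing byte; `Rack::Utils.secure_compare` is the constant-time alternative. More fundamentally the credential is `SHA1(ACCESS_TOKEN_SALT:id)`, a fixed function of the id and one app-wide secret, so it can neither expire nor be revoked for a single user — if that is intentional for the lesson, a comment saying so will stop the next reader from "fixing" it; otherwise the per-user random `auth_token` column the model already generates is the natural credential. The class header and the `private` marker are inside the hunk; a sketch of the tightened helpers:
```ruby
  def identify_user(token="")
    unescape_token(token)
    match = @clean_token.match(/\A(.*?)-(.*)\z/)   # anchored: the whole token must be id-hash
    return false unless match
    @user_id = match[1]
    check_hash(@user_id, match[2])
  end

  def check_hash(id, hash)
    digest = OpenSSL::Digest::SHA1.hexdigest("#{ACCESS_TOKEN_SALT}:#{id}")
    Rack::Utils.secure_compare(hash, digest)   # constant-time comparison
  end

  # … unchanged: unescape_token …

  def extrapolate_user
    @user = User.find_by_id(@user_id)   # reuse the id validated above instead of re-splitting
  end
```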
diff --git a/config/initializers/constants.rb b/config/initializers/constants.rb new file mode 100644 index 0000000..7fdcd8f --- /dev/null +++ b/config/initializers/constants.rb @@ -0,0 +1 @@ +ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF" \ No newline at end of file From 48ddc999557a8eda671d86c666c8ac5661d047fc Mon Sep 17 00:00:00 2001 From: cktricky Date: Wed, 12 Mar 2014 17:45:08 -0400 Subject: [PATCH 120/149] some basic api functionality with a few gotchas --- app/controllers/api/v1/users_controller.rb | 12 ++++++++++-- app/models/user.rb | 7 +++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb index a23daf3..d995abb 100644 --- a/app/controllers/api/v1/users_controller.rb +++ b/app/controllers/api/v1/users_controller.rb @@ -5,9 +5,17 @@ class Api::V1::UsersController < ApplicationController before_filter :extrapolate_user respond_to :json - + def index - respond_with @user + # We removed the .as_json code from the model, just seemed like extra work. + # dunno, maybe useful at a later time? + #respond_with @user.admin ? User.all.as_json : @user.as_json + + respond_with @user.admin ? User.all : @user + end + + def show + respond_with @user.as_json end private diff --git a/app/models/user.rb b/app/models/user.rb index 2af7dc2..7705a10 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -37,6 +37,13 @@ class User < ActiveRecord::Base def full_name "#{self.first_name} #{self.last_name}" end + +=begin + # Instead of the entire user object being returned, we can use this to filter. + def as_json + super(only: [:user_id, :email, :first_name, :last_name]) + end +=end private From 4b0560a25003c6cd32b76c5981f92218f2f30e1f Mon Sep 17 00:00:00 2001 
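Review bot: `ACCESS_TOKEN_SALT` is a hard-coded secret committed to the repository, and every API token derived from it in the users controller's `check_hash` stays valid for as long as this file's history is readable. Read it from the environment, `ACCESS_TOKEN_SALT = ENV.fetch("ACCESS_TOKEN_SALT")`, or from a git-ignored config file, and treat the committed value as burned.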
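Review bot: `show` responds with `@user.as_json` and never reads `params[:id]`, so `GET /api/v1/users/:id` returns the token holder for every id — either look the id up and authorize it against `@user`, or drop `show` from the route with `resources :users, only: [:index]`. In both actions the serialized object is the full record: the `as_json` override restricting output to `user_id`/`email`/`first_name`/`last_name` is placed inside `=begin`/`=end` in the user.rb hunk of the same commit, so `password` and every other column go out on the wire. If the unfiltered output is the intended tutorial example, a comment at `show` pointing to the lesson would make that explicit; otherwise re-enable the override rather than calling `.as_json` ad hoc at each call site. The `private` section below the actions is cut off by the hunk.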
From: cktricky Date: Wed, 12 Mar 2014 18:59:38 -0400 Subject: [PATCH 121/149] whew, now THAT is a huge tutorial explanation for a relatively simple issue! --- app/controllers/api/v1/users_controller.rb | 2 + app/controllers/tutorials_controller.rb | 3 +- app/views/layouts/tutorial/_sidebar.html.erb | 3 + .../logic_flaws/_broken_regexp.html.erb | 219 ++++++++++++++++++ app/views/tutorials/logic_flaws.html.erb | 19 ++ config/routes.rb | 1 + 6 files changed, 246 insertions(+), 1 deletion(-) create mode 100644 app/views/layouts/tutorial/logic_flaws/_broken_regexp.html.erb create mode 100644 app/views/tutorials/logic_flaws.html.erb diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb index d995abb..6866774 100644 --- a/app/controllers/api/v1/users_controller.rb +++ b/app/controllers/api/v1/users_controller.rb @@ -43,6 +43,8 @@ private hash == digest end + # We had some issues with the token and url encoding... + # this is an attempt to normalize the data. def unescape_token(token="") @clean_token = CGI::unescape(token) end diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb index a8d151c..69df74f 100755 --- a/app/controllers/tutorials_controller.rb +++ b/app/controllers/tutorials_controller.rb @@ -83,7 +83,8 @@ class TutorialsController < ApplicationController def guard end - + def logic_flaws + end def mass_assignment end diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb index b46902b..644b772 100755 --- a/app/views/layouts/tutorial/_sidebar.html.erb +++ b/app/views/layouts/tutorial/_sidebar.html.erb @@ -112,6 +112,9 @@
    • <%= link_to "Constantize", constantize_tutorials_path %>
    • +
    • + <%= link_to "Logic Flaws", logic_flaws_tutorials_path %> +
    • + + + + + + \ No newline at end of file diff --git a/config/routes.rb b/config/routes.rb index 2383276..6dfde00 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -58,6 +58,7 @@ Railsgoat::Application.routes.draw do get "mass_assignment" get "constantize" get "gauntlt" + get "logic_flaws" end end From e49b43f89996dcafa3f512bd97813379081e3e87 Mon Sep 17 00:00:00 2001 From: cktricky Date: Wed, 12 Mar 2014 20:28:59 -0400 Subject: [PATCH 122/149] added the verbose model attributes finding under the exposure section within the tutorials --- .../_model_attributes_exposure.html.erb | 144 ++++++++++++++++++ app/views/tutorials/exposure.html.erb | 6 + 2 files changed, 150 insertions(+) create mode 100644 app/views/layouts/tutorial/exposure/_model_attributes_exposure.html.erb diff --git a/app/views/layouts/tutorial/exposure/_model_attributes_exposure.html.erb b/app/views/layouts/tutorial/exposure/_model_attributes_exposure.html.erb new file mode 100644 index 0000000..a5d4dd0 --- /dev/null +++ b/app/views/layouts/tutorial/exposure/_model_attributes_exposure.html.erb @@ -0,0 +1,144 @@ +
      +
      +
      + A6 - Sensitive Data Exposure - Model Attributes Exposure +
      +
      +
      +
      +
      + +
      +
      +

      + The application's API returns a model object (user or users). Using respond_with, the API returns the full model object. It is simple but exposes information such as the user's password and other user attributes that you may wish to keep invisible. +

      +
      +
      +
      +
      + +
      +
      +

      + Within app/controllers/api/v1/users_controller.rb: +

      +
      +				 def index
      +			       # We removed the .as_json code from the model, just seemed like extra work.
      +			       # dunno, maybe useful at a later time?
      +			       #respond_with @user.admin ? User.all.as_json : @user.as_json
      +
      +			       respond_with @user.admin ? User.all : @user
      +			     end
      +
      +			     def show
      +			       respond_with @user.as_json
      +			     end
      +			  
      +

      + The as_json method referenced in the comments section of the index action exists within the user model in order to override and safely protect our model from only rendering certain attributes. It is unused (commented out), app/models/user.rb: +

      +
      	
      +				  # Instead of the entire user object being returned, we can use this to filter.
      +				  def as_json
      +				    super(only: [:user_id, :email, :first_name, :last_name])
      +				  end
      +			  
      +

      + When utilizing the method that most tutorials describe or advocate when rendering model objects via JSON in an API (unsafe), the response looks like this: +

      +
      +	HTTP/1.1 200 OK
      +	Content-Type: application/json; charset=utf-8
      +	X-UA-Compatible: IE=Edge
      +	ETag: "6b4caf343a20865de174b2b530b945dd"
      +	Cache-Control: max-age=0, private, must-revalidate
      +	X-Request-Id: c3b0a57861087c0b827aab231747ef0c
      +	X-Runtime: 0.051734
      +	Connection: close
      +	
      +	{"admin":false,"created_at":"2014-01-23T16:17:10Z","email":
      +	"jack@metacorp.com","first_name":"Jack","id":2,"last_name":"Mannino","password":
      +	"b46dd2888a0904972649cc880a93f4dd","updated_at":"2014-01-23T16:17:10Z","user_id":2}
      +			  
      +

      + Note that all attributes associated with this user are returned via the API. +

      +
      +
      +
      +
      + +
      +
      +

      Model Attributes Exposure - ATTACK

      +

      Use the API and review the data returned. Additional information on exploiting the API available under the Extras > Logic Flaws Section.

      +

      Model Attributes Exposure - SOLUTION

      +

      + Uncomment the as_json method within the user model. Additionally, call .as_json on any User model object you would like to return via the API or other means. Example: +

      +
      +					respond_with @user.admin ? User.all.as_json : @user.as_json
      +				
      +

      + Upon uncommenting the as_json method within the User model, the as_json method will ensure the API output only returns those attributes you have allowed in the following code: +

      +
      +				def as_json
      +				  super(only: [:user_id, :email, :first_name, :last_name])
      +				end
      +				
      +

      + The response from the API should look like: +

      +
      +	HTTP/1.1 200 OK
      +	Content-Type: application/json; charset=utf-8
      +	X-UA-Compatible: IE=Edge
      +	ETag: "2333488e856669ac637e37cb4cf09cb6"
      +	Cache-Control: max-age=0, private, must-revalidate
      +	X-Request-Id: baa6a1c90004838793614e4c61633767
      +	X-Runtime: 0.092768
      +	Connection: close
      +
      +	{"email":"jack@metacorp.com","first_name":"Jack","last_name":"Mannino","user_id":2}
      +				
      +
      +
      +
      +
      + +
      +
      + We have an API available... what does it return? +
      +
      +
      +
      +
      +
      \ No newline at end of file diff --git a/app/views/tutorials/exposure.html.erb b/app/views/tutorials/exposure.html.erb index 3e99af5..1d92130 100755 --- a/app/views/tutorials/exposure.html.erb +++ b/app/views/tutorials/exposure.html.erb @@ -11,6 +11,12 @@ <%= render :partial => "layouts/tutorial/exposure/ssn" %> + +
      +
      + <%= render :partial => "layouts/tutorial/exposure/model_attributes_exposure" %> +
      +
      From 8daeee09f213c85f8bad267ccc26f7e5bd8177eb Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 09:07:52 -0400 Subject: [PATCH 123/149] working on cleaning up and testing if I can push changes to a PR --- app/controllers/application_controller.rb | 2 +- app/controllers/sessions_controller.rb | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 02b8df5..c8605d7 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -9,7 +9,7 @@ class ApplicationController < ActionController::Base private def current_user - @current_user ||= User.find_by_auth_token(cookies[:auth_token].to_s) + @current_user ||= (User.find_by_auth_token(cookies[:auth_token].to_s) || User.find_by_user_id(session[:user_id].to_s)) end def authenticated diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 777bf6e..339cde8 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -22,7 +22,8 @@ class SessionsController < ApplicationController if params[:remember_me] cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? else - cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? + session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists? + #cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? end redirect_to path else From ec8a187833116e702c93ecbdf85dae080d32d4d7 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 12:50:45 -0400 Subject: [PATCH 124/149] fixed the checkbox layout, etc. --- app/views/sessions/new.html.erb | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index 57c707d..816e2c3 100755 
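Review bot: In `current_user`, `cookies[:auth_token].to_s` turns a missing cookie into `""`, so every request from a session-only user runs `User.find_by_auth_token("")` before falling through to the session lookup — a wasted query, and a login as whichever row carries a blank `auth_token` if one ever exists. Guard on presence: `token = cookies[:auth_token]` followed by `@current_user ||= (token.present? && User.find_by_auth_token(token)) || User.find_by_user_id(session[:user_id].to_s)`. In the sessions_controller hunk the replaced line survives as a `#cookies[:auth_token] = ...` comment beside the live branch; delete it rather than keeping dead code there.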
--- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -20,16 +20,16 @@
      - - <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
      -
      -
      - -
      - <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %> -
      + + <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
      + <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %> + + <%= check_box_tag :remember_me, 1, params[:remember_me], {:id => "form-terms", :class => "checkbox", :type => "checkbox"} %> + Remember + + + +
      From d0e825fc175976f46cd8b403bf02bb8205bed6c0 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 14:00:51 -0400 Subject: [PATCH 125/149] making sure this is up to date --- app/controllers/application_controller.rb | 5 ++- app/controllers/sessions_controller.rb | 4 +-- app/models/key_management.rb | 1 + app/models/user.rb | 37 +++++++++++++++++++++-- 4 files changed, 40 insertions(+), 7 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index c8605d7..56ad260 100755 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -9,7 +9,10 @@ class ApplicationController < ActionController::Base private def current_user - @current_user ||= (User.find_by_auth_token(cookies[:auth_token].to_s) || User.find_by_user_id(session[:user_id].to_s)) + @current_user ||= ( + User.find_by_auth_token(cookies[:auth_token].to_s) || + User.find_by_user_id(session[:user_id].to_s) + ) end def authenticated diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 339cde8..a13bbc7 100755 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -8,7 +8,6 @@ class SessionsController < ApplicationController redirect_to home_dashboard_index_path if current_user end - def create path = params[:url].present? ? params[:url] : home_dashboard_index_path begin @@ -20,10 +19,9 @@ class SessionsController < ApplicationController if user if params[:remember_me] - cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? + cookies.permanent[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? else session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists? - #cookies[:auth_token] = user.auth_token if User.where(:user_id => user.user_id).exists? end redirect_to path else 
diff --git a/app/models/key_management.rb b/app/models/key_management.rb index 80bf527..174b80c 100644 --- a/app/models/key_management.rb +++ b/app/models/key_management.rb @@ -1,5 +1,6 @@ class KeyManagement < ActiveRecord::Base attr_accessible :iv, :user_id belongs_to :work_info + belongs_to :user end diff --git a/app/models/user.rb b/app/models/user.rb index 5543fe2..df0f140 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -64,8 +64,6 @@ private end =end - - def assign_user_id unless @skip_user_id_assign.present? || self.user_id.present? user = User.order("user_id").last @@ -82,9 +80,42 @@ private end end + # Added a re-usable encryption routine, shouldn't be an issue! + def encrypt_sensitive_value(val="") + aes = OpenSSL::Cipher::Cipher.new(cipher_type) + aes.encrypt + aes.key = key + aes.iv = iv if iv != nil + #self.encrypted_ssn = aes.update(self.SSN) + aes.final + #self.SSN = nil + end + + def decrypt_ssn + aes = OpenSSL::Cipher::Cipher.new(cipher_type) + aes.decrypt + aes.key = key + aes.iv = iv if iv != nil + #aes.update(self.encrypted_ssn) + aes.final + end + + # Should be able to just re-use the same key we already have! + def key + raise "Key Missing" if !(KEY) + KEY + end + + def iv + raise "No IV for this User" if !(self.key_management.iv) + #self.key_management.iv + end + + def cipher_type + 'aes-256-cbc' + end + def generate_token(column) begin - self[column] = SecureRandom.urlsafe_base64 + #self[column] = end while User.exists?(column => self[column]) end From 7823eadf3cd8086c98a07c19e26a74363c39fde0 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 16:32:44 -0400 Subject: [PATCH 126/149] first round of tests look okay, now we can re-use this function :-) --- app/models/user.rb | 38 ++++---------------------------- config/initializers/constants.rb | 4 +++- lib/encryption.rb | 36 ++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+), 35 deletions(-) create mode 100644 lib/encryption.rb 
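Review bot: `generate_token` now has its only assignment commented out (`#self[column] =`), so `self[column]` stays `nil` and the `end while User.exists?(column => self[column])` condition becomes `exists?(auth_token: nil)` — new users get no token, and as soon as one tokenless row exists the loop never terminates; keep the `SecureRandom.urlsafe_base64` assignment until the replacement is ready. Among the new helpers, `raise "Key Missing" if !(KEY)` cannot produce that message because referencing an undefined constant raises `NameError` first (`defined?(KEY)` is the test), `iv` has its return value commented out and so always returns `nil`, which makes `aes.iv = iv if iv != nil` a no-op, and `OpenSSL::Cipher::Cipher` is the deprecated spelling of `OpenSSL::Cipher`. The `private` marker these methods sit under is outside the hunk.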
diff --git a/app/models/user.rb b/app/models/user.rb index b2ccf52..05eb101 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,4 +1,7 @@ +require 'encryption' + class User < ActiveRecord::Base + attr_accessible :email, :admin, :first_name, :last_name, :user_id, :password, :password_confirmation validates :password, :presence => true, :confirmation => true, @@ -87,42 +90,9 @@ private end end - # Added a re-usable encryption routine, shouldn't be an issue! - def encrypt_sensitive_value(val="") - aes = OpenSSL::Cipher::Cipher.new(cipher_type) - aes.encrypt - aes.key = key - aes.iv = iv if iv != nil - #self.encrypted_ssn = aes.update(self.SSN) + aes.final - #self.SSN = nil - end - - def decrypt_ssn - aes = OpenSSL::Cipher::Cipher.new(cipher_type) - aes.decrypt - aes.key = key - aes.iv = iv if iv != nil - #aes.update(self.encrypted_ssn) + aes.final - end - - # Should be able to just re-use the same key we already have! - def key - raise "Key Missing" if !(KEY) - KEY - end - - def iv - raise "No IV for this User" if !(self.key_management.iv) - #self.key_management.iv - end - - def cipher_type - 'aes-256-cbc' - end - def generate_token(column) begin - #self[column] = + self[column] = Encryption.encrypt_sensitive_value(self.user_id) end while User.exists?(column => self[column]) end diff --git a/config/initializers/constants.rb b/config/initializers/constants.rb index 7fdcd8f..086522f 100644 --- a/config/initializers/constants.rb +++ b/config/initializers/constants.rb @@ -1 +1,3 @@ -ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF" \ No newline at end of file +ACCESS_TOKEN_SALT = "S4828341189aefiasd#ASDF" + +RG_IV = "PPKLKAJDKGHALDJL482823458028" \ No newline at end of file diff --git a/lib/encryption.rb b/lib/encryption.rb new file mode 100644 index 0000000..defa525 --- /dev/null +++ b/lib/encryption.rb 
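Review bot: `self[column] = Encryption.encrypt_sensitive_value(self.user_id)` makes `auth_token` a deterministic function of `user_id` under a fixed key and fixed IV (`Encryption.iv` returns the constant `RG_IV`), so anyone holding the key can compute any user's remember-me token, and the `end while User.exists?(...)` retry is pointless — the same input always yields the same ciphertext, so a collision loops forever. If `assign_user_id` runs after this `before_create`, `user_id` is still `nil` here and every new user would get the identical token, which is exactly that non-terminating case; please confirm the callback order. A session token is an opaque random credential, not ciphertext — `SecureRandom.urlsafe_base64`, which this line replaces, was the right primitive. The hard-coded `RG_IV` in the constants.rb hunk should not exist at all: an IV is generated fresh per encryption and stored with the ciphertext, not shared as a constant.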
@@ -0,0 +1,36 @@ +module Encryption + + # Added a re-usable encryption routine, shouldn't be an issue! + def self.encrypt_sensitive_value(val="") + aes = OpenSSL::Cipher::Cipher.new(cipher_type) + aes.encrypt + aes.key = key + aes.iv = iv if iv != nil + new_val = aes.update("#{val}") + aes.final + Base64.strict_encode64(new_val).encode('utf-8') + end + + def self.decrypt_sensitive_value(val="") + aes = OpenSSL::Cipher::Cipher.new(cipher_type) + aes.decrypt + aes.key = key + aes.iv = iv if iv != nil + decoded = Base64.strict_decode64("#{val}") + aes.update("#{decoded}") + aes.final + end + + # Should be able to just re-use the same key we already have! + def self.key + raise "Key Missing" if !(KEY) + KEY + end + + def self.iv + RG_IV + end + + def self.cipher_type + 'aes-256-cbc' + end + +end \ No newline at end of file From 0a647cbbe6b1000f3ef4d1d81cf032275f9d1725 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 16:53:44 -0400 Subject: [PATCH 127/149] this appears to fix the issue of our test cases breaking. I had specified that if the rails env was a dev env, the key would be a certain value. Instead, it has been changed to any env other than prod --- config/initializers/key.rb | 4 ++-- lib/encryption.rb | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config/initializers/key.rb b/config/initializers/key.rb index 5f43875..89022ee 100644 --- a/config/initializers/key.rb +++ b/config/initializers/key.rb @@ -1,5 +1,5 @@ if Rails.env.production? # Specify env variable/location/etc. to retrieve key from -elsif Rails.env.development? +else KEY = "123456789101112123456789101112123456789101112" -end \ No newline at end of file +end diff --git a/lib/encryption.rb b/lib/encryption.rb index defa525..a409e37 100644 --- a/lib/encryption.rb +++ b/lib/encryption.rb @@ -1,3 +1,5 @@ +require './config/initializers/key' + module Encryption # Added a re-usable encryption routine, shouldn't be an issue! 
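Review bot: `Encryption` encrypts every value with the fixed `RG_IV`, so AES-CBC degrades to a deterministic mapping — equal plaintexts give equal outputs and the IV-reuse weaknesses of CBC apply; generate the IV per call with `aes.random_iv` and ship it with the ciphertext, as sketched below. `raise "Key Missing" if !(KEY)` never produces that message when `KEY` is undefined (the production branch of the key.rb hunk on this line defines no `KEY`): the constant reference raises `NameError` first, so test `defined?(KEY)`, and the non-production key should come from `ENV` rather than the literal. `KEY` is 45 characters and `RG_IV` 28, while `aes-256-cbc` takes a 32-byte key and 16-byte IV — older Ruby/OpenSSL bindings silently truncate, newer ones raise `ArgumentError`, so supply exact-length material instead of relying on either. `OpenSSL::Cipher::Cipher` is the deprecated spelling of `OpenSSL::Cipher`, and `decrypt_sensitive_value` should expect `ArgumentError` from `strict_decode64` and `OpenSSL::Cipher::CipherError` from `final` on malformed or tampered input, since CBC carries no integrity check (an AEAD mode such as `aes-256-gcm` would, where the OpenSSL build supports it).
```ruby
  def self.encrypt_sensitive_value(val="")
    aes = OpenSSL::Cipher.new(cipher_type)
    aes.encrypt
    aes.key = key
    iv = aes.random_iv                      # fresh IV per value; never a shared constant
    new_val = aes.update("#{val}") + aes.final
    Base64.strict_encode64(iv + new_val)    # IV travels with the ciphertext
  end

  def self.decrypt_sensitive_value(val="")
    raw = Base64.strict_decode64("#{val}")  # ArgumentError on malformed input
    aes = OpenSSL::Cipher.new(cipher_type)
    aes.decrypt
    aes.key = key
    aes.iv = raw[0, aes.iv_len]
    aes.update(raw[aes.iv_len..-1]) + aes.final   # CipherError on bad padding / tampering
  end

  def self.key
    raise "Key Missing" unless defined?(KEY) && KEY
    KEY
  end

  # … unchanged: cipher_type …
```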
From caaa3ba96df8fcfd98ba095c4479c25424d2fba8 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 16:57:55 -0400 Subject: [PATCH 128/149] commented out unused spec tests as well as removed unnecessary require statement --- lib/encryption.rb | 2 -- spec/controllers/api/v1/users_controller_spec.rb | 3 ++- spec/helpers/api/v1/users_helper_spec.rb | 3 ++- spec/helpers/password_resets_helper_spec.rb | 3 ++- spec/views/password_resets/new.html.erb_spec.rb | 3 ++- 5 files changed, 8 insertions(+), 6 deletions(-) diff --git a/lib/encryption.rb b/lib/encryption.rb index a409e37..defa525 100644 --- a/lib/encryption.rb +++ b/lib/encryption.rb @@ -1,5 +1,3 @@ -require './config/initializers/key' - module Encryption # Added a re-usable encryption routine, shouldn't be an issue! diff --git a/spec/controllers/api/v1/users_controller_spec.rb b/spec/controllers/api/v1/users_controller_spec.rb index 184b048..9b5309e 100644 --- a/spec/controllers/api/v1/users_controller_spec.rb +++ b/spec/controllers/api/v1/users_controller_spec.rb @@ -1,5 +1,6 @@ -require 'spec_helper' +=begin require 'spec_helper' describe Api::V1::UsersController do end +=end \ No newline at end of file diff --git a/spec/helpers/api/v1/users_helper_spec.rb b/spec/helpers/api/v1/users_helper_spec.rb index 13a6067..9619df0 100644 --- a/spec/helpers/api/v1/users_helper_spec.rb +++ b/spec/helpers/api/v1/users_helper_spec.rb @@ -1,4 +1,4 @@ -require 'spec_helper' +=begin require 'spec_helper' # Specs in this file have access to a helper object that includes # the Api::V1::UsersHelper. For example: @@ -13,3 +13,4 @@ require 'spec_helper' describe Api::V1::UsersHelper do pending "add some examples to (or delete) #{__FILE__}" end +=end \ No newline at end of file diff --git a/spec/helpers/password_resets_helper_spec.rb b/spec/helpers/password_resets_helper_spec.rb index a0df3dd..b87346e 100644 --- a/spec/helpers/password_resets_helper_spec.rb +++ b/spec/helpers/password_resets_helper_spec.rb 
@@ -1,4 +1,4 @@ -require 'spec_helper' +=begin require 'spec_helper' # Specs in this file have access to a helper object that includes # the PasswordResetsHelper. For example: @@ -13,3 +13,4 @@ require 'spec_helper' describe PasswordResetsHelper do pending "add some examples to (or delete) #{__FILE__}" end +=end \ No newline at end of file diff --git a/spec/views/password_resets/new.html.erb_spec.rb b/spec/views/password_resets/new.html.erb_spec.rb index 38c6853..fcb6721 100644 --- a/spec/views/password_resets/new.html.erb_spec.rb +++ b/spec/views/password_resets/new.html.erb_spec.rb @@ -1,5 +1,6 @@ -require 'spec_helper' +=begin require 'spec_helper' describe "password_resets/new.html.erb" do pending "add some examples to (or delete) #{__FILE__}" end +=end \ No newline at end of file From 2c8781ebc1f247750416c7acfdfa92a48f38c0e9 Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 20:29:14 -0400 Subject: [PATCH 129/149] added a pay controller and model --- app/controllers/pay_controller.rb | 2 ++ app/helpers/pay_helper.rb | 2 ++ app/models/pay.rb | 5 +++++ app/models/user.rb | 1 + app/views/layouts/shared/_sidebar.html.erb | 8 ++++++++ app/views/sessions/new.html.erb | 5 ++--- db/migrate/20140315002730_create_pays.rb | 12 ++++++++++++ db/schema.rb | 11 ++++++++++- spec/controllers/pay_controller_spec.rb | 5 +++++ spec/helpers/pay_helper_spec.rb | 15 +++++++++++++++ spec/models/pay_spec.rb | 5 +++++ 11 files changed, 67 insertions(+), 4 deletions(-) create mode 100644 app/controllers/pay_controller.rb create mode 100644 app/helpers/pay_helper.rb create mode 100644 app/models/pay.rb create mode 100644 db/migrate/20140315002730_create_pays.rb create mode 100644 spec/controllers/pay_controller_spec.rb create mode 100644 spec/helpers/pay_helper_spec.rb create mode 100644 spec/models/pay_spec.rb diff --git a/app/controllers/pay_controller.rb b/app/controllers/pay_controller.rb new file mode 100644 index 0000000..a91df4f --- /dev/null 
+++ b/app/controllers/pay_controller.rb @@ -0,0 +1,2 @@ +class PayController < ApplicationController +end diff --git a/app/helpers/pay_helper.rb b/app/helpers/pay_helper.rb new file mode 100644 index 0000000..0af6719 --- /dev/null +++ b/app/helpers/pay_helper.rb @@ -0,0 +1,2 @@ +module PayHelper +end diff --git a/app/models/pay.rb b/app/models/pay.rb new file mode 100644 index 0000000..1e465e1 --- /dev/null +++ b/app/models/pay.rb @@ -0,0 +1,5 @@ +class Pay < ActiveRecord::Base + attr_accessible :bank_account_num, :bank_routing_num, :percent_of_deposit + belongs_to :user + +end diff --git a/app/models/user.rb b/app/models/user.rb index 05eb101..261703e 100755 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -26,6 +26,7 @@ class User < ActiveRecord::Base has_one :work_info, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_many :performance, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy has_many :messages, :foreign_key => :receiver_id, :primary_key => :user_id, :dependent => :destroy + has_many :pay, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy before_create { generate_token(:auth_token) } def build_benefits_data diff --git a/app/views/layouts/shared/_sidebar.html.erb b/app/views/layouts/shared/_sidebar.html.erb index 1add2e3..19dd55e 100755 --- a/app/views/layouts/shared/_sidebar.html.erb +++ b/app/views/layouts/shared/_sidebar.html.erb @@ -65,6 +65,14 @@ Messages <% end %> + +
    • + <%= link_to "#" do %> +
      + +
      + Pay + <% end %>
    diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index 816e2c3..dbeea1f 100755 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -24,9 +24,8 @@ <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%>
    <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %> - <%= check_box_tag :remember_me, 1, params[:remember_me], {:id => "form-terms", :class => "checkbox", :type => "checkbox"} %> - Remember - + <%= check_box_tag :remember_me, 1, params[:remember_me], {:id => "form-terms", :class => "checkbox", :type => "checkbox"} %> + Remember diff --git a/db/migrate/20140315002730_create_pays.rb b/db/migrate/20140315002730_create_pays.rb new file mode 100644 index 0000000..78a9b37 --- /dev/null +++ b/db/migrate/20140315002730_create_pays.rb @@ -0,0 +1,12 @@ +class CreatePays < ActiveRecord::Migration + def change + create_table :pays do |t| + t.integer :user_id + t.string :bank_account_num + t.string :bank_routing_num + t.integer :percent_of_deposit + + t.timestamps + end + end +end diff --git a/db/schema.rb b/db/schema.rb index 2ec1d36..a32189b 100755 --- a/db/schema.rb +++ b/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 20140312002642) do +ActiveRecord::Schema.define(:version => 20140315002730) do create_table "benefits", :force => true do |t| t.datetime "created_at", :null => false @@ -44,6 +44,15 @@ ActiveRecord::Schema.define(:version => 20140312002642) do t.datetime "updated_at", :null => false end + create_table "pays", :force => true do |t| + t.integer "user_id" + t.string "bank_account_num" + t.string "bank_routing_num" + t.integer "percent_of_deposit" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + end + create_table "performances", :force => true do |t| t.integer "user_id" t.date "date_submitted" diff --git a/spec/controllers/pay_controller_spec.rb b/spec/controllers/pay_controller_spec.rb new file mode 100644 index 0000000..2dc3878 --- /dev/null +++ b/spec/controllers/pay_controller_spec.rb @@ -0,0 +1,5 @@ +require 'spec_helper' + +describe PayController do + +end 
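Review bot: The `pays` table in 20140315002730_create_pays.rb has a `user_id` column backing the `has_many` on User but no index on it, so `add_index :pays, :user_id` belongs in the same `change` block. `bank_account_num` and `bank_routing_num` are created as plain string columns and nothing in this commit transforms them before save, so at this point account data is written to the table in clear text; a comment stating which layer is responsible for protecting those columns would make the intent explicit. `percent_of_deposit` is an unconstrained integer; a database check or a model validation keeping it within 0..100 would reject out-of-range values at write time.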
diff --git a/spec/helpers/pay_helper_spec.rb b/spec/helpers/pay_helper_spec.rb new file mode 100644 index 0000000..bebe4c4 --- /dev/null +++ b/spec/helpers/pay_helper_spec.rb @@ -0,0 +1,15 @@ +require 'spec_helper' + +# Specs in this file have access to a helper object that includes +# the PayHelper. For example: +# +# describe PayHelper do +# describe "string concat" do +# it "concats two strings with spaces" do +# expect(helper.concat_strings("this","that")).to eq("this that") +# end +# end +# end +describe PayHelper do + pending "add some examples to (or delete) #{__FILE__}" +end diff --git a/spec/models/pay_spec.rb b/spec/models/pay_spec.rb new file mode 100644 index 0000000..7dd47ed --- /dev/null +++ b/spec/models/pay_spec.rb @@ -0,0 +1,5 @@ +require 'spec_helper' + +describe Pay do + pending "add some examples to (or delete) #{__FILE__}" +end From a06788ff58cf37fa9a86eccf368c5307c8749b8e Mon Sep 17 00:00:00 2001 From: cktricky Date: Fri, 14 Mar 2014 20:30:57 -0400 Subject: [PATCH 130/149] commented out currently unused spec tests for the pay controller and model --- spec/controllers/pay_controller_spec.rb | 3 ++- spec/helpers/pay_helper_spec.rb | 3 ++- spec/models/pay_spec.rb | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/spec/controllers/pay_controller_spec.rb b/spec/controllers/pay_controller_spec.rb index 2dc3878..84b6475 100644 --- a/spec/controllers/pay_controller_spec.rb +++ b/spec/controllers/pay_controller_spec.rb @@ -1,5 +1,6 @@ -require 'spec_helper' +=begin require 'spec_helper' describe PayController do end +=end diff --git a/spec/helpers/pay_helper_spec.rb b/spec/helpers/pay_helper_spec.rb index bebe4c4..408d779 100644 --- a/spec/helpers/pay_helper_spec.rb +++ b/spec/helpers/pay_helper_spec.rb @@ -1,4 +1,4 @@ -require 'spec_helper' +=begin require 'spec_helper' # Specs in this file have access to a helper object that includes # the PayHelper. For example: 
@@ -13,3 +13,4 @@ require 'spec_helper' describe PayHelper do pending "add some examples to (or delete) #{__FILE__}" end +=end \ No newline at end of file diff --git a/spec/models/pay_spec.rb b/spec/models/pay_spec.rb index 7dd47ed..1b4399c 100644 --- a/spec/models/pay_spec.rb +++ b/spec/models/pay_spec.rb @@ -1,5 +1,6 @@ -require 'spec_helper' +=begin require 'spec_helper' describe Pay do pending "add some examples to (or delete) #{__FILE__}" end +=end \ No newline at end of file From 7a4efaa950bd42b93f6f9c446b365f728f741983 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sat, 15 Mar 2014 10:28:52 -0400 Subject: [PATCH 131/149] added the basic components to begin working on the pay index view --- app/controllers/pay_controller.rb | 5 +++++ app/views/layouts/shared/_sidebar.html.erb | 2 +- app/views/pay/index.html.erb | 9 +++++++++ config/routes.rb | 3 +++ 4 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 app/views/pay/index.html.erb diff --git a/app/controllers/pay_controller.rb b/app/controllers/pay_controller.rb index a91df4f..3efacd2 100644 --- a/app/controllers/pay_controller.rb +++ b/app/controllers/pay_controller.rb @@ -1,2 +1,7 @@ class PayController < ApplicationController + + def index + + end + end diff --git a/app/views/layouts/shared/_sidebar.html.erb b/app/views/layouts/shared/_sidebar.html.erb index 19dd55e..7114b08 100755 --- a/app/views/layouts/shared/_sidebar.html.erb +++ b/app/views/layouts/shared/_sidebar.html.erb @@ -67,7 +67,7 @@ <% end %>
  • - <%= link_to "#" do %> + <%= link_to user_pay_index_path(:user_id => current_user.user_id) do %>
    diff --git a/app/views/pay/index.html.erb b/app/views/pay/index.html.erb new file mode 100644 index 0000000..f7c7154 --- /dev/null +++ b/app/views/pay/index.html.erb @@ -0,0 +1,9 @@ + \ No newline at end of file diff --git a/config/routes.rb b/config/routes.rb index 6dfde00..cdd5060 100755 --- a/config/routes.rb +++ b/config/routes.rb @@ -33,6 +33,9 @@ Railsgoat::Application.routes.draw do resources :messages do end + + resources :pay do + end end From bdc529972d25f11e9366da7eba4168230858982d Mon Sep 17 00:00:00 2001 From: Al Snow Date: Sat, 15 Mar 2014 12:49:42 -0400 Subject: [PATCH 132/149] Increase Poltergeist timeout to 60; Rebuild Gemfile.lock file --- Gemfile.lock | 48 ++++++++++++++++++--------------- spec/support/capybara_shared.rb | 2 +- 2 files changed, 27 insertions(+), 23 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 4921cc5..38be44c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GEM childprocess (>= 0.3.6) cucumber (>= 1.1.1) rspec-expectations (>= 2.7.0) - bcrypt (3.1.6) + bcrypt (3.1.7) bcrypt-ruby (3.1.5) bcrypt (>= 3.1.3) better_errors (1.1.0) @@ -78,7 +78,7 @@ GEM coffee-script-source execjs coffee-script-source (1.7.0) - cucumber (1.3.10) + cucumber (1.3.11) builder (>= 2.1.2) diff-lcs (>= 1.1.3) gherkin (~> 2.12) @@ -102,16 +102,16 @@ GEM dotenv (>= 0.7) thor (>= 0.13.6) formatador (0.2.4) - gauntlt (1.0.6) - aruba - cucumber - nokogiri (~> 1.5.0) - trollop + gauntlt (1.0.8) + aruba (= 0.5.4) + cucumber (= 1.3.11) + nokogiri (= 1.6.1) + trollop (~> 2.0) gherkin (2.12.2) multi_json (~> 1.3) - guard (2.4.0) + guard (2.5.1) formatador (>= 0.2.4) - listen (~> 2.1) + listen (~> 2.6) lumberjack (~> 1.0) pry (>= 0.9.12) thor (>= 0.18.1) @@ -122,7 +122,7 @@ GEM em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) - guard-rspec (4.2.7) + guard-rspec (4.2.8) guard (~> 2.1) rspec (>= 2.14, < 4.0) guard-shell (0.6.1) 
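Review bot: `resources :pay do end` in config/routes.rb routes all seven RESTful actions to PayController although this commit defines only `index`; `resources :pay, only: [:index]`, widened as actions are implemented, keeps unimplemented endpoints from being routable, and the empty `do ... end` block can be dropped. The enclosing `routes.draw` block starts outside the hunk, so whether this declaration is nested under users, as `user_pay_index_path` in the sidebar hunk implies, is inferred rather than visible here.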
@@ -130,7 +130,7 @@ GEM haml (4.0.5) tilt hashr (0.0.22) - highline (1.6.20) + highline (1.6.21) hike (1.2.3) http_parser.rb (0.5.3) i18n (0.6.9) @@ -146,7 +146,7 @@ GEM launchy (2.4.2) addressable (~> 2.3) libv8 (3.16.14.3) - listen (2.6.0) + listen (2.7.1) celluloid (>= 0.15.2) celluloid-io (>= 0.15.0) rb-fsevent (>= 0.9.3) @@ -167,10 +167,12 @@ GEM thin (~> 1.5.0) method_source (0.8.2) mime-types (1.25.1) - multi_json (1.8.4) + mini_portile (0.5.2) + multi_json (1.9.0) multi_test (0.0.3) nio4r (1.0.0) - nokogiri (1.5.11) + nokogiri (1.6.1) + mini_portile (~> 0.5.0) poltergeist (1.5.0) capybara (~> 2.1) cliver (~> 0.3.1) @@ -221,7 +223,7 @@ GEM rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - rspec-core (2.14.7) + rspec-core (2.14.8) rspec-expectations (2.14.5) diff-lcs (>= 1.1.3, < 2.0) rspec-mocks (2.14.6) @@ -238,12 +240,13 @@ GEM sexp_processor (~> 4.0) ruby_parser (3.4.1) sexp_processor (~> 4.1) - sass (3.2.14) + safe_yaml (0.9.7) + sass (3.3.3) sass-rails (3.2.6) railties (~> 3.2.0) sass (>= 3.1.10) tilt (~> 1.3) - sexp_processor (4.4.1) + sexp_processor (4.4.2) simplecov (0.8.2) docile (~> 1.1.0) multi_json @@ -259,13 +262,13 @@ GEM slim (2.0.2) temple (~> 0.6.6) tilt (>= 1.3.3, < 2.1) - slop (3.4.7) + slop (3.5.0) sprockets (2.2.2) hike (~> 1.2) multi_json (~> 1.0) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) - sqlite3 (1.3.8) + sqlite3 (1.3.9) temple (0.6.7) terminal-table (1.4.5) therubyracer (0.12.1) @@ -278,14 +281,15 @@ GEM thor (0.18.1) tilt (1.4.1) timers (1.1.0) - travis-lint (1.7.0) + travis-lint (1.8.0) hashr (~> 0.0.22) + safe_yaml (~> 0.9.0) treetop (1.4.15) polyglot polyglot (>= 0.3.1) trollop (2.0) - tzinfo (0.3.38) - uglifier (2.4.0) + tzinfo (0.3.39) + uglifier (2.5.0) execjs (>= 0.3.0) json (>= 1.8.0) unicorn (4.8.2) diff --git a/spec/support/capybara_shared.rb b/spec/support/capybara_shared.rb index a0866c6..e140dd4 100644 --- a/spec/support/capybara_shared.rb +++ b/spec/support/capybara_shared.rb 
@@ -76,7 +76,7 @@ class WarningSuppressor end Capybara.register_driver :poltergeist do |app| - Capybara::Poltergeist::Driver.new(app, phantomjs_logger: WarningSuppressor) + Capybara::Poltergeist::Driver.new(app, phantomjs_logger: WarningSuppressor, timeout: 60) end Capybara.javascript_driver = :poltergeist From 16eaefefdfa07f93fa5413746ad434ee66cf0f0d Mon Sep 17 00:00:00 2001 From: cktricky Date: Sat, 15 Mar 2014 15:29:45 -0400 Subject: [PATCH 133/149] view portion of adding a column almost complete, then backend logic --- app/controllers/pay_controller.rb | 7 ++- app/views/pay/index.html.erb | 82 +++++++++++++++++++++++++++++++ config/routes.rb | 3 ++ 3 files changed, 91 insertions(+), 1 deletion(-) diff --git a/app/controllers/pay_controller.rb b/app/controllers/pay_controller.rb index 3efacd2..d03b21c 100644 --- a/app/controllers/pay_controller.rb +++ b/app/controllers/pay_controller.rb @@ -1,7 +1,12 @@ class PayController < ApplicationController def index - + end + + def update_dd_info + respond_to do |format| + format.json {render :json => {:hello => :world} } + end end end diff --git a/app/views/pay/index.html.erb b/app/views/pay/index.html.erb index f7c7154..e18eec1 100644 --- a/app/views/pay/index.html.erb +++ b/app/views/pay/index.html.erb @@ -1,5 +1,87 @@ +
    +
    +
    +
    + +
    +
    +
    +
    + +
    +
    +
    +
    +
    +
    +
    + Direct Deposit +
    +
    +
    +
    + <%= form_tag "#", {:class => "form-horizontal", :id => "bank_info_form" } do %> + + +
    + <%= text_field_tag :bank_account_num, params[:bank_account_num], {:placeholder => "Bank Account Number"} %> + # +
    + +
    + <%= text_field_tag :bank_routing_num, params[:bank_routing_num], {:placeholder => "Bank Routing Number"} %> + # +
    + + +
    + <%= text_field_tag :dd_percent, params[:dd_percent], {:placeholder => "Percentage of Deposit"} %> + % +
    + + + <%= submit_tag "Submit", {:id => "dd_form_btn", :style => "margin-left: 10px;", :class => "btn btn-medium btn-primary"} %> + <% end %> +
    +
    +
    +
    +
    +
    +
    + \ No newline at end of file diff --git a/config/environments/development.rb b/config/environments/development.rb index 39b0f53..9ff11cf 100755 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -28,6 +28,9 @@ Railsgoat::Application.configure do # Log the query plan for queries taking more than this (works # with SQLite, MySQL, and PostgreSQL) config.active_record.auto_explain_threshold_in_seconds = 0.5 + + # Tired of caching causing issues + config.middleware.delete Rack::ETag # Do not compress assets config.assets.compress = false From 3a5818c493e406935dbe3cb6caa286503a3cfe69 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sat, 15 Mar 2014 22:30:31 -0400 Subject: [PATCH 136/149] the basics of a working remember-me-logic-flaw completed :-) --- app/controllers/pay_controller.rb | 12 +++++++++++- app/models/pay.rb | 2 +- app/views/pay/index.html.erb | 27 +++++++++------------------ 3 files changed, 21 insertions(+), 20 deletions(-) diff --git a/app/controllers/pay_controller.rb b/app/controllers/pay_controller.rb index b7ca2d5..30368f1 100644 --- a/app/controllers/pay_controller.rb +++ b/app/controllers/pay_controller.rb @@ -13,7 +13,7 @@ class PayController < ApplicationController pay.user_id = current_user.user_id msg = true if pay.save! respond_to do |format| - format.json {render :json => {:msg => :world} } + format.json {render :json => {:msg => msg } } end end @@ -23,4 +23,14 @@ class PayController < ApplicationController end end + def destroy + pay = Pay.find_by_id(params[:id]) + if pay.present? and pay.destroy + flash[:success] = "Successfully Deleted Entry" + else + flash[:error] = "Unable to process that request at this time" + end + redirect_to user_pay_index_path + end + end diff --git a/app/models/pay.rb b/app/models/pay.rb index a1ee601..74116a3 100644 --- a/app/models/pay.rb +++ b/app/models/pay.rb 
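Review bot: The `:msg => msg` now rendered in the JSON response can only ever carry `true`, because the context line `msg = true if pay.save!` raises on a failed save instead of assigning false, so validation failures surface as a 500 rather than as the flag the response is designed to report; `msg = pay.save` gives the boolean the caller expects. The enclosing action starts outside the hunk.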
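Review bot: The new `destroy` in pay_controller.rb looks the record up with `Pay.find_by_id(params[:id])` and deletes it without checking that it belongs to the signed-in user, so the only thing gating deletion is knowledge of an id; scoping the lookup through the association, `pay = current_user.pay.find_by_id(params[:id])`, makes ownership part of the query rather than a separate check that can be forgotten. `if pay.present? and pay.destroy` uses `and`, whose low precedence is a known trap; `&&` is the idiomatic form. The redirect to `user_pay_index_path` passes no `:user_id`, so it relies on the current request's parameters to fill that segment, which deserves a comment if intentional.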
@@ -15,7 +15,7 @@ class Pay < ActiveRecord::Base before_save :encrypt_bank_account_num def as_json - super(only: [:bank_account_num, :bank_routing_num, :percent_of_deposit]) + super(only: [:bank_account_num, :bank_routing_num, :percent_of_deposit, :id]) end def encrypt_bank_account_num diff --git a/app/views/pay/index.html.erb b/app/views/pay/index.html.erb index c9bb2e9..74c6a8a 100644 --- a/app/views/pay/index.html.erb +++ b/app/views/pay/index.html.erb @@ -97,23 +97,7 @@ - +
    @@ -132,6 +116,13 @@ \ No newline at end of file From d11617f2720451a0c016c4db86f736506da32fab Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 16 Mar 2014 16:10:12 -0400 Subject: [PATCH 139/149] while the pay page could use further refinement from a visual aspect, it is completely working and ready for a tutorial --- app/views/pay/index.html.erb | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/app/views/pay/index.html.erb b/app/views/pay/index.html.erb index 324a108..3895d4b 100644 --- a/app/views/pay/index.html.erb +++ b/app/views/pay/index.html.erb @@ -82,13 +82,18 @@ - - diff --git a/db/seeds.rb b/db/seeds.rb index 7caa258..9750f25 100755 --- a/db/seeds.rb +++ b/db/seeds.rb @@ -33,7 +33,7 @@ users = [ { :email => "mike@metacorp.com", :admin => false, - :password => "motorcross1445", + :password => "motocross1445", :password_confirmation => "motocross1445", :first_name => "Mike", :last_name => "McCabe", From 1aec17184d43238dca74a874484aa6e27772ce47 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 31 Mar 2014 09:02:58 -0400 Subject: [PATCH 149/149] Rebuilt Gemfile.lock file. Upgraded 2 gems. --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e0f8d1b..0cbaddd 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -67,7 +67,7 @@ GEM celluloid-io (0.15.0) celluloid (>= 0.15.0) nio4r (>= 0.5.0) - childprocess (0.5.1) + childprocess (0.5.2) ffi (~> 1.0, >= 1.0.11) cliver (0.3.2) coderay (1.1.0) @@ -212,7 +212,7 @@ GEM rdoc (~> 3.4) thor (>= 0.14.6, < 2.0) raindrops (0.13.0) - rake (10.2.1) + rake (10.2.2) rb-fsevent (0.9.4) rb-inotify (0.9.3) ffi (>= 0.5.0)
    - Bank Account Number + + Encrypted Bank Account Number + <%=link_to "#", { :style => "color:#AA6F93", :id => "encrypted_acct_question"} do %> + + + + <% end %> Bank Routing Number + Percentage of Deposit @@ -267,6 +272,14 @@ $("#dd_form_btn").click(function(event) { }); }); +$("#encrypted_acct_question").click(function(event) { + event.preventDefault(); + alert("For your safety your account number is stored encrypted as well as presented to you \nin an encrypted form.\n\n" + + "For your convenience, you can decrypt your bank account number at any time using our\n" + + "conveniently located decryption function." + ) +}); + /* Make the sidebar element "Pay" active. */ From 8140cb3a1b834346a47ede4aec02490e459d0063 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 16 Mar 2014 16:19:07 -0400 Subject: [PATCH 140/149] added the basic template of a tutorial guide for the newly added logic flaw, now I have to fill it out :-( (j/k) --- .../_insecure_crypto_reuse.html.erb | 70 +++++++++++++++++++ app/views/tutorials/logic_flaws.html.erb | 5 ++ 2 files changed, 75 insertions(+) create mode 100644 app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb diff --git a/app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb b/app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb new file mode 100644 index 0000000..d7ce9f3 --- /dev/null +++ b/app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb @@ -0,0 +1,70 @@ +
    +
    +
    + Logic Flaws - Insecure Encryption Re-use +
    +
    +
    +
    +
    + +
    +
    + insert desc +
    +
    +
    +
    + +
    +
    + insert bug info +
    +
    +
    +
    + +
    +
    +

    Insecure Encryption Re-use ATTACK:

    + insert attack +

    Insecure Encryption Re-use SOLUTION:

    + insert solution +
    +
    +
    +
    + +
    +
    + insert hint +
    +
    +
    +
    +
    +
    \ No newline at end of file diff --git a/app/views/tutorials/logic_flaws.html.erb b/app/views/tutorials/logic_flaws.html.erb index f2367d0..ed83c4f 100644 --- a/app/views/tutorials/logic_flaws.html.erb +++ b/app/views/tutorials/logic_flaws.html.erb @@ -5,6 +5,11 @@ <%= render :partial => ("layouts/tutorial/logic_flaws/broken_regexp")%> +
    +
    + <%= render :partial => ("layouts/tutorial/logic_flaws/insecure_crypto_reuse")%> +
    +
    From 7a89ae6f17548668575b47a0e97dd564502d3df1 Mon Sep 17 00:00:00 2001 From: cktricky Date: Sun, 16 Mar 2014 22:10:19 -0400 Subject: [PATCH 141/149] added the tutorial for the newest logic flaw --- app/models/pay.rb | 2 +- .../_insecure_crypto_reuse.html.erb | 72 +++++++++++++++++-- 2 files changed, 68 insertions(+), 6 deletions(-) diff --git a/app/models/pay.rb b/app/models/pay.rb index 74116a3..78f0278 100644 --- a/app/models/pay.rb +++ b/app/models/pay.rb @@ -11,7 +11,7 @@ class Pay < ActiveRecord::Base validates :bank_routing_num, presence: true validates :percent_of_deposit, presence: true - # actions + # callbacks before_save :encrypt_bank_account_num def as_json diff --git a/app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb b/app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb index d7ce9f3..c9e9e53 100644 --- a/app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb +++ b/app/views/layouts/tutorial/logic_flaws/_insecure_crypto_reuse.html.erb @@ -16,7 +16,9 @@
    - insert desc +

    + The Railsgoat application allows employees of Metacorp to choose the Remember Me option at login, which creates a cookie named auth-token. The encryption routine used to generate the auth-token allows the application to extract a user ID. When decrypted, a user ID is extracted and the user is authorized appropriately. This same encryption routine is used elsewhere in the application in a manner such that a clever attacker can generate an auth_token cookie with whatever user ID they prefer and authorize to the application as a different user. +

    @@ -30,7 +32,63 @@
    - insert bug info +

    + Within the file lib/encryption.rb, there are two encryption related methods that we have exposed: +

    +
    +				  # Added a re-usable encryption routine, shouldn't be an issue!
    +				  def self.encrypt_sensitive_value(val="")
    +				     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
    +				     aes.encrypt
    +				     aes.key = key
    +				     aes.iv = iv if iv != nil
    +				     new_val = aes.update("#{val}") + aes.final
    +				     Base64.strict_encode64(new_val).encode('utf-8')
    +				  end
    +
    +				  def self.decrypt_sensitive_value(val="")
    +				     aes = OpenSSL::Cipher::Cipher.new(cipher_type)
    +				     aes.decrypt
    +				     aes.key = key
    +				     aes.iv = iv if iv != nil
    +				     decoded = Base64.strict_decode64("#{val}")
    +				     aes.update("#{decoded}") + aes.final
    +				  end
    +				
    +

    + We have placed this code under the lib directory so that we have a re-usable encryption routine. This code is used to generate a user's auth_token cookie responsible for authorization and access. However, we've also used this same code when encrypting a user's bank account number. This means, a user can enter in any value they would like and will receive it's encrypted equivalent back from the application. Essentially, a user has the ability to generate the auth_token cookie for any user ID and authorize as that user.

    + Within the app/models/pay.rb file we have a before hook that will save a user's bank account number as an encrypted value: +

    +
    +				  # callbacks
    +				  before_save :encrypt_bank_account_num
    +					
    +				  def encrypt_bank_account_num
    +				  	self.bank_account_num = Encryption.encrypt_sensitive_value(self.bank_account_num)
    +				  end
    +				
    +

    + Additionally, we render that encrypted value (purposefully) when the show action is created within the app/controllers/pay_controller.rb file: +

    +
    +				   def show
    +				   	respond_to do |format|
    +				   	  format.json { render :json => {:user => current_user.pay.as_json} }
    +				   	end
    +				  end
    +				
    +

    + Lastly, we re-use this same routine within the following code is used to create a user's auth_token cookie upon sign-up or creation (app/models/user.rb): +

    +
    +					before_create { generate_token(:auth_token) }
    +					
    +				   def generate_token(column)
    +				   	begin
    +				   		self[column] = Encryption.encrypt_sensitive_value(self.user_id)
    +				   	end while User.exists?(column => self[column])
    +				   end
    +				
    @@ -45,9 +103,13 @@

    Insecure Encryption Re-use ATTACK:

    - insert attack +

    + Navigate to the Pay section of the application. Enter your bank account number but use the number 1 as your bank account number. Once the information is entered and submitted, you'll see the encrypted value of your bank account number (1) returned. URL encode the special characters (+ and ==) and use this value as your auth_token cookie. Navigate to your dashboard and you'll have the ability to access administrative functionality. +

    Insecure Encryption Re-use SOLUTION:

    - insert solution +

    + Create an entirely new encryption routine or create the SHA1 hash with a different salt. +

    @@ -61,7 +123,7 @@
    - insert hint + My "Remember Me" cookie looks familiar, almost like one of those values you get when you enter your bank account number.
    From e53d5c928d321427c5755322c2f79e734f2b6fc1 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 20 Mar 2014 09:10:12 -0400 Subject: [PATCH 142/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 38be44c..64cc288 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -168,8 +168,8 @@ GEM method_source (0.8.2) mime-types (1.25.1) mini_portile (0.5.2) - multi_json (1.9.0) - multi_test (0.0.3) + multi_json (1.9.2) + multi_test (0.1.1) nio4r (1.0.0) nokogiri (1.6.1) mini_portile (~> 0.5.0) From bdeef0508bcc7197ec9d1b595055ec19fd73a1a0 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 24 Mar 2014 09:50:49 -0400 Subject: [PATCH 143/149] Rebuilt Gemfile.lock file --- Gemfile.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 64cc288..c1a8d92 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -28,7 +28,7 @@ GEM activesupport (3.2.11) i18n (~> 0.6) multi_json (~> 1.0) - addressable (2.3.5) + addressable (2.3.6) arel (3.0.3) aruba (0.5.4) childprocess (>= 0.3.6) @@ -42,7 +42,7 @@ GEM erubis (>= 2.6.6) binding_of_caller (0.7.2) debug_inspector (>= 0.0.1) - brakeman (2.4.1) + brakeman (2.4.3) erubis (~> 2.6) fastercsv (~> 1.5) haml (>= 3.0, < 5.0) @@ -109,16 +109,16 @@ GEM trollop (~> 2.0) gherkin (2.12.2) multi_json (~> 1.3) - guard (2.5.1) + guard (2.6.0) formatador (>= 0.2.4) - listen (~> 2.6) + listen (~> 2.7) lumberjack (~> 1.0) pry (>= 0.9.12) thor (>= 0.18.1) guard-brakeman (0.8.1) brakeman (>= 2.1.1) guard (>= 1.1.0) - guard-livereload (2.1.1) + guard-livereload (2.1.2) em-websocket (~> 0.5) guard (~> 2.0) multi_json (~> 1.8) @@ -151,7 +151,7 @@ GEM celluloid-io (>= 0.15.0) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) - lumberjack (1.0.4) + lumberjack (1.0.5) mail (2.4.4) i18n (>= 0.4.0) mime-types (~> 1.16) 
@@ -192,7 +192,7 @@ GEM rack rack-protection (1.5.2) rack - rack-ssl (1.3.3) + rack-ssl (1.3.4) rack rack-test (0.6.2) rack (>= 1.0) @@ -227,7 +227,7 @@ GEM rspec-expectations (2.14.5) diff-lcs (>= 1.1.3, < 2.0) rspec-mocks (2.14.6) - rspec-rails (2.14.1) + rspec-rails (2.14.2) actionpack (>= 3.0) activemodel (>= 3.0) activesupport (>= 3.0) @@ -241,7 +241,7 @@ GEM ruby_parser (3.4.1) sexp_processor (~> 4.1) safe_yaml (0.9.7) - sass (3.3.3) + sass (3.3.4) sass-rails (3.2.6) railties (~> 3.2.0) sass (>= 3.1.10) @@ -278,7 +278,7 @@ GEM daemons (>= 1.0.9) eventmachine (>= 0.12.6) rack (>= 1.0.0) - thor (0.18.1) + thor (0.19.1) tilt (1.4.1) timers (1.1.0) travis-lint (1.8.0) From cee5030047fcf8e1a2c5a3f9e80efc37c6f74537 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Mon, 24 Mar 2014 09:58:41 -0400 Subject: [PATCH 144/149] Added rack-ssl (1.3.4) gem --- Gemfile | 2 ++ Gemfile.lock | 1 + 2 files changed, 3 insertions(+) diff --git a/Gemfile b/Gemfile index cd72c65..e901d2f 100755 --- a/Gemfile +++ b/Gemfile @@ -4,6 +4,8 @@ source 'https://rubygems.org' gem 'rails', '3.2.11' gem 'rack', '1.4.0' +gem 'rack-ssl', '1.3.4' + # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' diff --git a/Gemfile.lock b/Gemfile.lock index c1a8d92..7a9912a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -329,6 +329,7 @@ DEPENDENCIES pry rack (= 1.4.0) rack-livereload + rack-ssl (= 1.3.4) rails (= 3.2.11) rb-fsevent rspec-rails From 70b44b36ad2674a6d56fccc07661104e7a70dab8 Mon Sep 17 00:00:00 2001 From: cktricky Date: Tue, 25 Mar 2014 11:57:11 -0400 Subject: [PATCH 145/149] oops, mikes password changed for some reason which conflicts with our tutorials and such --- db/seeds.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/seeds.rb b/db/seeds.rb index 9750f25..7caa258 100755 --- a/db/seeds.rb +++ b/db/seeds.rb 
@@ -33,7 +33,7 @@ users = [ { :email => "mike@metacorp.com", :admin => false, - :password => "motocross1445", + :password => "motorcross1445", :password_confirmation => "motocross1445", :first_name => "Mike", :last_name => "McCabe", From 21b7de06f97dac7551e6c7ff643c25885ae7c6a4 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 26 Mar 2014 09:53:02 -0400 Subject: [PATCH 146/149] Rebuilt Gemfile.lock file (4 gems) --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 7a9912a..e0f8d1b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -167,7 +167,7 @@ GEM thin (~> 1.5.0) method_source (0.8.2) mime-types (1.25.1) - mini_portile (0.5.2) + mini_portile (0.5.3) multi_json (1.9.2) multi_test (0.1.1) nio4r (1.0.0) @@ -212,7 +212,7 @@ GEM rdoc (~> 3.4) thor (>= 0.14.6, < 2.0) raindrops (0.13.0) - rake (10.1.1) + rake (10.2.1) rb-fsevent (0.9.4) rb-inotify (0.9.3) ffi (>= 0.5.0) @@ -235,7 +235,7 @@ GEM rspec-core (~> 2.14.0) rspec-expectations (~> 2.14.0) rspec-mocks (~> 2.14.0) - ruby2ruby (2.0.7) + ruby2ruby (2.0.8) ruby_parser (~> 3.1) sexp_processor (~> 4.0) ruby_parser (3.4.1) @@ -246,7 +246,7 @@ GEM railties (~> 3.2.0) sass (>= 3.1.10) tilt (~> 1.3) - sexp_processor (4.4.2) + sexp_processor (4.4.3) simplecov (0.8.2) docile (~> 1.1.0) multi_json From 77b6160be90e74272b626acbe03e03ba4d4b3322 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Wed, 26 Mar 2014 10:27:11 -0400 Subject: [PATCH 147/149] Added 'bundle exec' to cmd line --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 4ae7691..78932af 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,5 @@ language: ruby rvm: - "1.9.3" -before_script: rake db:setup +before_script: bundle exec rake db:setup env: RAILSGOAT_MAINTAINER=true \ No newline at end of file From 59946e056ce1fc6f18d0ad70b1d732dc1cb12c15 Mon Sep 17 00:00:00 2001 
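Review bot: The added `:password => "motorcross1445",` no longer matches the unchanged `:password_confirmation => "motocross1445",` on the following context line, so this seed record will fail any confirmation validation on the User model (not visible here) and `rake db:setup` would abort on or skip this user; the two values have to change together, e.g. also `:password_confirmation => "motorcross1445",`. The commit message says the intent is to realign the password with the tutorials, yet patch 148/149 later in this series changes the spelling back to "motocross1445" in the credentials partial and, per its diffstat, in db/seeds.rb again, which suggests the tutorial text rather than the seed was the thing to correct. The enclosing `users = [` literal starts before this hunk and continues after it.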
From: cktricky Date: Wed, 26 Mar 2014 12:58:48 -0400 Subject: [PATCH 148/149] changed motorcross to motocross everywhere that it used. Closes or resolves issue #104 --- app/views/layouts/tutorial/credentials/_creds.html.erb | 2 +- db/seeds.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/layouts/tutorial/credentials/_creds.html.erb b/app/views/layouts/tutorial/credentials/_creds.html.erb index 8e42115..039799a 100644 --- a/app/views/layouts/tutorial/credentials/_creds.html.erb +++ b/app/views/layouts/tutorial/credentials/_creds.html.erb @@ -55,7 +55,7 @@ mike@metacorp.com
    - motorcross1445 + motocross1445