Modernize UI/UX with Bootstrap 5.3 and contemporary design

Complete UI overhaul bringing RailsGoat into 2024 with a professional, modern interface while maintaining all security vulnerabilities for educational purposes. ## Design System - Modern color palette with CSS variables - Primary: #e63946 (red), Secondary: #457b9d (blue) - Professional sans-serif typography - Consistent spacing and shadows - Bootstrap Icons for modern iconography - Responsive design with mobile-first approach ## Layout Changes - Fixed header with clean navigation (60px height) - Dark sidebar with modern icons and section headers (250px width) - Proper spacing and padding throughout - Responsive breakpoints for mobile/tablet/desktop - Modern card-based content areas ## Header Modernization - Clean white header with subtle shadow - RailsGoat branding with shield icon - Modern dropdown user menu with avatar - Improved font size controls - Better button styling and spacing - Modal-based credentials display (Bootstrap 5) ## Sidebar Improvements - Dark navy background (#1d3557) - Bootstrap Icons instead of custom fonts - Section headers (Admin, Employee) - Active state highlighting - Smooth hover transitions - Version info in footer ## Login Page Redesign - Beautiful gradient background - Centered card with shadow - Modern form inputs with icons - Clear call-to-action buttons - Security training notice banner - Responsive design ## Components Updated - Modern alerts with icons and proper dismiss buttons - Footer with OWASP links and copyright - Scroll-to-top button (vanilla JS, no jQuery) - Form controls with proper Bootstrap 5 classes ## Technical Improvements - Bootstrap 5.3 properly implemented (not just CDN reference) - Bootstrap Icons 1.11.1 for modern iconography - Removed jQuery dependencies where possible - Modern JavaScript (vanilla, no jQuery for new features) - Proper Bootstrap 5 data attributes (data-bs-*) - Semantic HTML5 structure ## Security Vulnerabilities Preserved - XSS via html_safe in user welcome (header) - XSS via cookie font-size (application layout) - XSS via URL hash parameter (login page) - Missing SRI on CDN assets (A03:2025) - All educational vulnerabilities intact ## Files Modified - app/views/layouts/application.html.erb - Complete redesign with CSS variables - app/views/layouts/shared/_header.html.erb - Modern navigation - app/views/layouts/shared/_sidebar.html.erb - Dark sidebar with icons - app/views/layouts/shared/_footer.html.erb - Modern footer with links - app/views/layouts/shared/_messages.html.erb - Bootstrap 5 alerts - app/views/sessions/new.html.erb - Beautiful login page This modernization makes RailsGoat visually appealing and professional while maintaining its core educational purpose. The application now looks like a modern web app security professionals want to use. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-07 00:36:21 -05:00
parent 9f157012b0
commit 876955fff1
6 changed files with 599 additions and 325 deletions
@@ -1,55 +1,102 @@
-<div align="right">
-  <!-- support for multiple languages coming soon! -->
-  <script>
-    //document.write("<select style=\"width: 100px;\">");
-    //document.write("<OPTION value=1>English</OPTION>");
-    //document.write("<OPTION value=2>Spanish</OPTION>");
-    try {
-      var hashParam = location.hash.split("#")[1];
-      var paramName = hashParam.split('=')[0];
-      var paramValue = decodeURIComponent(hashParam.split('=')[1]);
-      document.write("<OPTION value=3>" + paramValue + "</OPTION>");
-    } catch(err) {
-    }
-    //document.write("</select>");
-  </script>
-</div>
-<div class="row-fluid">
-  <div class="span12">
-    <div class="row-fluid">
-      <div class="span4 offset4">
-        <h2 align="center">MetaCorp</h2>
-        <h3 align="center">A GoatGroup Company</h3>
+<div class="rg-login-wrapper">
+  <div class="rg-login-card">
+    <div class="rg-login-header">
+      <div class="rg-login-logo">
+        <i class="bi bi-shield-fill-exclamation"></i>
+      </div>
+      <h2 class="mb-1">MetaCorp</h2>
+      <p class="text-muted mb-0">A GoatGroup Company</p>
+    </div>

-        <div class="signup">
-          <%= form_tag "sessions", :class=> "signup-wrapper" do %>
-
-          <div class="header">
-            <h2>Login</h2>
-            <p>Fill out the form below to login to your control panel.</p>
-          </div>
-
-          <div class="content">
-            <%= hidden_field_tag :url, @url %>
-            <%= text_field_tag :email, params[:email], {:class => "input input-block-level", :placeholder=>"Email"} %>
-            <%= password_field_tag :password, nil, {:class => "input input-block-level", :placeholder=>"Password"}%>
-          </div>
-
-          <div class="actions">
-
-              <%= link_to "Forgot Password", forgot_password_path, {:class=>"pull-left"}%><br/>
-        <%= submit_tag "Login", {:class => "btn btn-info btn-large pull-right"} %>
-      <span class="checkbox-wrapper">
-          <%= check_box_tag :remember_me, 1, params[:remember_me], {:id => "form-terms", :class => "checkbox", :type => "checkbox"} %>
-          <label class="checkbox-label" for="form-terms"></label> <span class="label-text">Remember</span>
-
-      </span>
-
-          <div class="clearfix"></div>
-          <% end %>
+    <%= form_tag "sessions", class: "needs-validation", novalidate: true do %>
+      <div class="mb-3">
+        <label for="email" class="form-label">Email Address</label>
+        <div class="input-group">
+          <span class="input-group-text"><i class="bi bi-envelope"></i></span>
+          <%= text_field_tag :email, params[:email], {
+            class: "form-control",
+            id: "email",
+            placeholder: "you@example.com",
+            required: true,
+            autofocus: true
+          } %>
        </div>
+      </div>

+      <div class="mb-3">
+        <label for="password" class="form-label">Password</label>
+        <div class="input-group">
+          <span class="input-group-text"><i class="bi bi-lock"></i></span>
+          <%= password_field_tag :password, nil, {
+            class: "form-control",
+            id: "password",
+            placeholder: "Enter your password",
+            required: true
+          } %>
+        </div>
+      </div>
+
+      <%= hidden_field_tag :url, @url %>
+
+      <div class="mb-3 form-check">
+        <%= check_box_tag :remember_me, 1, params[:remember_me], {
+          id: "remember_me",
+          class: "form-check-input"
+        } %>
+        <label class="form-check-label" for="remember_me">
+          Remember me
+        </label>
+      </div>
+
+      <div class="d-grid gap-2">
+        <%= submit_tag "Login", class: "btn btn-primary btn-lg" %>
+      </div>
+
+      <div class="text-center mt-3">
+        <%= link_to "Forgot Password?", forgot_password_path, class: "text-decoration-none" %>
+      </div>
+
+      <hr class="my-4">
+
+      <div class="text-center">
+        <p class="text-muted mb-2">Don't have an account?</p>
+        <%= link_to "Sign up now", signup_path, class: "btn btn-outline-primary" %>
+      </div>
+    <% end %>
+
+    <div class="mt-4 p-3 bg-warning bg-opacity-10 border border-warning rounded">
+      <div class="d-flex align-items-start">
+        <i class="bi bi-exclamation-triangle-fill text-warning me-2 mt-1"></i>
+        <div class="small">
+          <strong>Security Training Environment</strong><br>
+          This is an intentionally vulnerable application for educational purposes.
+          <a href="https://github.com/OWASP/railsgoat/wiki" target="_blank" class="text-decoration-none">Learn more</a>
+        </div>
      </div>
    </div>
  </div>
 </div>
+
+<!-- VULNERABILITY: XSS via URL hash parameter -->
+<script>
+  // support for multiple languages coming soon!
+  try {
+    var hashParam = location.hash.split("#")[1];
+    if (hashParam) {
+      var paramName = hashParam.split('=')[0];
+      var paramValue = decodeURIComponent(hashParam.split('=')[1]);
+      // VULNERABLE: Directly writing user input to DOM
+      document.write("<div class='alert alert-info mt-3'>" + paramValue + "</div>");
+    }
+  } catch(err) {
+    // Silently fail
+  }
+</script>
+
+<style>
+  /* Override main content styling for login page */
+  .rg-main.no-sidebar {
+    margin: 0;
+    padding: 0;
+  }
+</style>