Ken Johnson
+16
-10
@@ -48,6 +48,7 @@ GEM
|
||||
ffi (~> 1.9.10)
|
||||
rspec-expectations (>= 2.99)
|
||||
thor (~> 0.19)
|
||||
backports (3.8.0)
|
||||
bcrypt (3.1.11)
|
||||
better_errors (2.3.0)
|
||||
coderay (>= 1.0.0)
|
||||
@@ -60,7 +61,7 @@ GEM
|
||||
bundler-audit (0.6.0)
|
||||
bundler (~> 1.2)
|
||||
thor (~> 0.18)
|
||||
capybara (2.15.1)
|
||||
capybara (2.15.2)
|
||||
addressable
|
||||
mini_mime (>= 0.1.3)
|
||||
nokogiri (>= 1.3.3)
|
||||
@@ -82,16 +83,21 @@ GEM
|
||||
contracts (0.16.0)
|
||||
crack (0.3.1)
|
||||
crass (1.0.2)
|
||||
cucumber (2.4.0)
|
||||
cucumber (3.0.1)
|
||||
builder (>= 2.1.2)
|
||||
cucumber-core (~> 1.5.0)
|
||||
cucumber-core (~> 3.0.0)
|
||||
cucumber-expressions (~> 4.0.3)
|
||||
cucumber-wire (~> 0.0.1)
|
||||
diff-lcs (>= 1.1.3)
|
||||
diff-lcs (~> 1.3)
|
||||
gherkin (~> 4.0)
|
||||
multi_json (>= 1.7.5, < 2.0)
|
||||
multi_test (>= 0.1.2)
|
||||
cucumber-core (1.5.0)
|
||||
gherkin (~> 4.0)
|
||||
cucumber-core (3.0.0)
|
||||
backports (>= 3.8.0)
|
||||
cucumber-tag_expressions (>= 1.0.1)
|
||||
gherkin (>= 4.1.3)
|
||||
cucumber-expressions (4.0.3)
|
||||
cucumber-tag_expressions (1.0.1)
|
||||
cucumber-wire (0.0.1)
|
||||
database_cleaner (1.6.1)
|
||||
debug_inspector (0.0.3)
|
||||
@@ -160,7 +166,7 @@ GEM
|
||||
lumberjack (1.0.12)
|
||||
mail (2.6.6)
|
||||
mime-types (>= 1.16, < 4)
|
||||
method_source (0.8.2)
|
||||
method_source (0.9.0)
|
||||
mime-types (3.1)
|
||||
mime-types-data (~> 3.2015)
|
||||
mime-types-data (3.2016.0521)
|
||||
@@ -184,9 +190,9 @@ GEM
|
||||
powder (0.3.2)
|
||||
thor (>= 0.11.5)
|
||||
power_assert (1.1.0)
|
||||
pry (0.11.0)
|
||||
pry (0.11.1)
|
||||
coderay (~> 1.1.0)
|
||||
method_source (~> 0.8.1)
|
||||
method_source (~> 0.9.0)
|
||||
pry-rails (0.3.6)
|
||||
pry (>= 0.10.4)
|
||||
public_suffix (3.0.0)
|
||||
@@ -353,4 +359,4 @@ RUBY VERSION
|
||||
ruby 2.4.2p198
|
||||
|
||||
BUNDLED WITH
|
||||
1.15.4
|
||||
1.16.0.pre.2
|
||||
|
||||
@@ -1,393 +0,0 @@
|
||||
|
||||
Randomized with seed 33309
|
||||
FFFFFFFFFFFFFFFFFFFFF
|
||||
|
||||
Failures:
|
||||
|
||||
1) improper password hashing with just md5
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/password_hashing_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
2) command injection attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/command_injection_spec.rb:6:in `block (2 levels) in <top (required)>'
|
||||
|
||||
3) csrf attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/csrf_spec.rb:6:in `block (2 levels) in <top (required)>'
|
||||
|
||||
4) url access attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/url_access_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
5) broken_auth one
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
6) broken_auth two
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
7) xss attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/xss_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
8) insecure direct object reference attack one
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
9) insecure direct object reference attack two
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
10) sql injection attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/sql_injection_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
11) User can be instantiated
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/models/benefits_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
12) User name can be updated
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/models/benefits_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
13) mass assignment attack one
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
14) mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
15) password complexity one
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/password_complexity_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
16) User can be instantiated
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
17) User should require a email
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
18) User should require valid email
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
19) User should require unique email
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
20) User name can be updated
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/models/user_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
21) unvalidated redirect attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
|
||||
Failure/Error: aes.iv = iv if iv != nil
|
||||
|
||||
ArgumentError:
|
||||
iv must be 16 bytes
|
||||
# ./lib/encryption.rb:8:in `iv='
|
||||
# ./lib/encryption.rb:8:in `encrypt_sensitive_value'
|
||||
# ./app/models/user.rb:82:in `generate_token'
|
||||
# ./app/models/user.rb:23:in `block in <class:User>'
|
||||
# /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
|
||||
# ./db/seeds.rb:270:in `block in <top (required)>'
|
||||
# ./db/seeds.rb:267:in `each'
|
||||
# ./db/seeds.rb:267:in `<top (required)>'
|
||||
# ./spec/support/user_fixture.rb:4:in `reset_all_users'
|
||||
# ./spec/vulnerabilities/unvalidated_redirects_spec.rb:5:in `block (2 levels) in <top (required)>'
|
||||
|
||||
Finished in 0.2747 seconds (files took 2.04 seconds to load)
|
||||
21 examples, 21 failures
|
||||
|
||||
Failed examples:
|
||||
|
||||
rspec ./spec/vulnerabilities/password_hashing_spec.rb:9 # improper password hashing with just md5
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage
|
||||
rspec ./spec/vulnerabilities/command_injection_spec.rb:10 # command injection attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
|
||||
rspec ./spec/vulnerabilities/csrf_spec.rb:10 # csrf attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF
|
||||
rspec ./spec/vulnerabilities/url_access_spec.rb:9 # url access attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)
|
||||
rspec ./spec/vulnerabilities/broken_auth_spec.rb:9 # broken_auth one
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
|
||||
rspec ./spec/vulnerabilities/broken_auth_spec.rb:22 # broken_auth two
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
|
||||
rspec ./spec/vulnerabilities/xss_spec.rb:9 # xss attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting
|
||||
rspec ./spec/vulnerabilities/insecure_dor_spec.rb:9 # insecure direct object reference attack one
|
||||
rspec ./spec/vulnerabilities/insecure_dor_spec.rb:23 # insecure direct object reference attack two
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference
|
||||
rspec ./spec/vulnerabilities/sql_injection_spec.rb:10 # sql injection attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation
|
||||
rspec ./spec/models/benefits_spec.rb:13 # User can be instantiated
|
||||
rspec ./spec/models/benefits_spec.rb:17 # User name can be updated
|
||||
rspec ./spec/vulnerabilities/mass_assignment_spec.rb:9 # mass assignment attack one
|
||||
rspec ./spec/vulnerabilities/mass_assignment_spec.rb:24 # mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role
|
||||
rspec ./spec/vulnerabilities/password_complexity_spec.rb:9 # password complexity one
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity
|
||||
rspec ./spec/models/user_spec.rb:13 # User can be instantiated
|
||||
rspec ./spec/models/user_spec.rb:17 # User should require a email
|
||||
rspec ./spec/models/user_spec.rb:21 # User should require valid email
|
||||
rspec ./spec/models/user_spec.rb:25 # User should require unique email
|
||||
rspec ./spec/models/user_spec.rb:30 # User name can be updated
|
||||
rspec ./spec/vulnerabilities/unvalidated_redirects_spec.rb:9 # unvalidated redirect attack
|
||||
Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
|
||||
|
||||
Randomized with seed 33309
|
||||
|
||||
Reference in New Issue
Block a user