team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

finished the writeup for password complexity

Browse Source
This commit is contained in:
Ken Johnson
2013-06-03 01:11:51 -04:00
parent 88ea613da6
commit 912c34a26e
3 changed files with 107 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/models/user.rb
+2 -1
View File
@@ -4,7 +4,8 @@ class User < ActiveRecord::Base
validates :password, :presence => true, validates :password, :presence => true,
:confirmation => true, :confirmation => true,
:length => {:within => 6..40}, :length => {:within => 6..40},
:on => :create :on => :create#,
#:format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
validates_presence_of :email validates_presence_of :email
validates_uniqueness_of :email validates_uniqueness_of :email
validates_format_of :email, :with => /.+@.+\..+/i validates_format_of :email, :with => /.+@.+\..+/i
app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb
+100
View File
@@ -0,0 +1,100 @@
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A3 - Broken Authentication and Session Management - Lack of Password Complexity
</div>
</div>
<div class="widget-body">
<div id="accordion1" class="accordion no-margin">
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapsePwdOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-info icon-white">
</i>
Description
</a>
</div>
<div class="accordion-body in collapse" id="collapsePwdOne" style="height: auto;">
<div class="accordion-inner">
<p class="desc">
Password complexity is incredibly important and highly debated subject. Other factors play a part in the stringency of the enforcement policy applied. If a username can be enumerated, a CAPTCHA on the login form is not present or other methods to deter a brute-force password guessing campaign are not in place, at least password complexity enforcement policy can make it a that much more difficult for an attacker to guess users passwords.
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapsePwdTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-bug icon-white">
</i>
Bug
</a>
</div>
<div class="accordion-body collapse" id="collapsePwdTwo" style="height: 0px;">
<div class="accordion-inner">
<p>
Within app/models/User.rb
</p>
<pre class="ruby">
validates :password, :presence => true,
:confirmation => true,
:length => {:within => 6..40},
:on => :create
</pre>
<p class="desc">
The application validates only the password length and nothing else. Developers can leverage the format option to apply a regular expression that checks the password has sufficient complexity.
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapsePwdThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-lightning icon-white">
</i>
Solution
</a>
</div>
<div class="accordion-body collapse" id="collapsePwdThree" style="height: 0px;">
<div class="accordion-inner">
<p><b>Lack of Password Complexity - ATTACK</b></p>
<p class="desc">
Leverage a tool such as BurpSuite's intruder to brute-force the passwords of the users. The highest privileged account that you an attacker can compromise is the admin. The password is very simple ("admin1234"), username is ("admin@metacorp.com").
</p>
<p><b>Lack of Password Complexity - SOLUTION</b></p>
<p class="desc">
This regular expression validates the password has the following requirements:
<li>1 digit</li>
<li>1 lowercase alphabet</li>
<li>1 uppercase alphabet</li>
<li>1 special character</li>
</p>
<pre class="ruby">
validates :password, :presence => true,
:confirmation => true,
:length => {:within => 6..40},
:on => :create,
<span style="background-color: yellow">:format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}</span>
</pre>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a style="background-color: rgb(181, 121, 158)" href="#collapsePwdFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-aid icon-white">
</i>
Hint
</a>
</div>
<div class="accordion-body collapse" id="collapsePwdFour" style="height: 0px;">
<div class="accordion-inner">
<p class="desc">
I wonder how strong the administrator's password is?
</p>
</div>
</div>
</div>
</div>
</div>
</div>
app/views/tutorials/broken_auth.html.erb
+5
View File
@@ -5,6 +5,11 @@
<%= render :partial => ("layouts/tutorial/broken_auth_sess/user_pass_enum")%> <%= render :partial => ("layouts/tutorial/broken_auth_sess/user_pass_enum")%>
</div> <!-- End Span12--> </div> <!-- End Span12-->
</div> </div>
<div class="row-fluid">
<div class="span12">
<%= render :partial => ("layouts/tutorial/broken_auth_sess/password_complexity")%>
</div> <!-- End Span12-->
</div>
</div> </div>
</div> </div>