diff --git a/app/controllers/password_resets_controller.rb b/app/controllers/password_resets_controller.rb index 959d828..b8178fd 100644 --- a/app/controllers/password_resets_controller.rb +++ b/app/controllers/password_resets_controller.rb @@ -25,7 +25,7 @@ class PasswordResetsController < ApplicationController end end - def forgot_password + def send_forgot_password @user = User.find_by_email(params[:email]) unless params[:email].nil? if @user && password_reset_mailer(@user) diff --git a/config/routes.rb b/config/routes.rb index e9e30b0..7fe93b7 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -3,9 +3,12 @@ Railsgoat::Application.routes.draw do get "login" => "sessions#new" get "signup" => "users#new" get "logout" => "sessions#destroy" - post "forgot_password" => "password_resets#forgot_password" + + get "forgot_password" => "password_resets#forgot_password" + post "forgot_password" => "password_resets#send_forgot_password" get "password_resets" => "password_resets#confirm_token" post "password_resets" => "password_resets#reset_password" + get "dashboard/doc" => "dashboard#doc" resources :sessions do diff --git a/r b/r deleted file mode 100644 index 4165392..0000000 --- a/r +++ /dev/null @@ -1,393 +0,0 @@ - -Randomized with seed 33309 -FFFFFFFFFFFFFFFFFFFFF - -Failures: - - 1) improper password hashing with just md5 -Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/password_hashing_spec.rb:5:in `block (2 levels) in ' - - 2) command injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/command_injection_spec.rb:6:in `block (2 levels) in ' - - 3) csrf attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/csrf_spec.rb:6:in `block (2 levels) in ' - - 4) url access attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller) - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/url_access_spec.rb:5:in `block (2 levels) in ' - - 5) broken_auth one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in ' - - 6) broken_auth two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/broken_auth_spec.rb:5:in `block (2 levels) in ' - - 7) xss attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/xss_spec.rb:5:in `block (2 levels) in ' - - 8) insecure direct object reference attack one - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in ' - - 9) insecure direct object reference attack two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/insecure_dor_spec.rb:5:in `block (2 levels) in ' - - 10) sql injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/sql_injection_spec.rb:5:in `block (2 levels) in ' - - 11) User can be instantiated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in ' - - 12) User name can be updated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/benefits_spec.rb:5:in `block (2 levels) in ' - - 13) mass assignment attack one - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in ' - - 14) mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/mass_assignment_spec.rb:5:in `block (2 levels) in ' - - 15) password complexity one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/password_complexity_spec.rb:5:in `block (2 levels) in ' - - 16) User can be instantiated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 17) User should require a email - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 18) User should require valid email - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 19) User should require unique email - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 20) User name can be updated - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/models/user_spec.rb:5:in `block (2 levels) in ' - - 21) unvalidated redirect attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to) - Failure/Error: aes.iv = iv if iv != nil - - ArgumentError: - iv must be 16 bytes - # ./lib/encryption.rb:8:in `iv=' - # ./lib/encryption.rb:8:in `encrypt_sensitive_value' - # ./app/models/user.rb:82:in `generate_token' - # ./app/models/user.rb:23:in `block in ' - # /Users/macbookpro/.rvm/rubies/ruby-2.4.2/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize' - # ./db/seeds.rb:270:in `block in ' - # ./db/seeds.rb:267:in `each' - # ./db/seeds.rb:267:in `' - # ./spec/support/user_fixture.rb:4:in `reset_all_users' - # ./spec/vulnerabilities/unvalidated_redirects_spec.rb:5:in `block (2 levels) in ' - -Finished in 0.2747 seconds (files took 2.04 seconds to load) -21 examples, 21 failures - -Failed examples: - -rspec ./spec/vulnerabilities/password_hashing_spec.rb:9 # improper password hashing with just md5 -Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage -rspec ./spec/vulnerabilities/command_injection_spec.rb:10 # command injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection -rspec ./spec/vulnerabilities/csrf_spec.rb:10 # csrf attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF -rspec ./spec/vulnerabilities/url_access_spec.rb:9 # url access attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller) -rspec ./spec/vulnerabilities/broken_auth_spec.rb:9 # broken_auth one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration -rspec ./spec/vulnerabilities/broken_auth_spec.rb:22 # broken_auth two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration -rspec ./spec/vulnerabilities/xss_spec.rb:9 # xss attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting -rspec ./spec/vulnerabilities/insecure_dor_spec.rb:9 # insecure direct object reference attack one -rspec ./spec/vulnerabilities/insecure_dor_spec.rb:23 # insecure direct object reference attack two -Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference -rspec ./spec/vulnerabilities/sql_injection_spec.rb:10 # sql injection attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation -rspec ./spec/models/benefits_spec.rb:13 # User can be instantiated -rspec ./spec/models/benefits_spec.rb:17 # User name can be updated -rspec ./spec/vulnerabilities/mass_assignment_spec.rb:9 # mass assignment attack one -rspec ./spec/vulnerabilities/mass_assignment_spec.rb:24 # mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role -rspec ./spec/vulnerabilities/password_complexity_spec.rb:9 # password complexity one -Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity -rspec ./spec/models/user_spec.rb:13 # User can be instantiated -rspec ./spec/models/user_spec.rb:17 # User should require a email -rspec ./spec/models/user_spec.rb:21 # User should require valid email -rspec ./spec/models/user_spec.rb:25 # User should require unique email -rspec ./spec/models/user_spec.rb:30 # User name can be updated -rspec ./spec/vulnerabilities/unvalidated_redirects_spec.rb:9 # unvalidated redirect attack -Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to) - -Randomized with seed 33309 -