feat(vulnerabilities): adds description of vulnerability for sql interpolation
also fixes several small errors on that page, otherwise JS raises errors. fixes #181
This commit is contained in:
Joseph Mastey
@@ -1,18 +1,18 @@
|
|||||||
<form action="">
|
<form action="" id="analytics_search">
|
||||||
Search by IP: <input type="text" name="ip"><br />
|
Search by IP: <input type="text" id="ip" name="ip"><br />
|
||||||
<input type="checkbox" value="" name="field[ip_address]"> IP Address<br />
|
<input type="checkbox" value="" id="field_ip_address" name="field[ip_address]"> IP Address<br />
|
||||||
<input type="checkbox" value="" name="field[referrer]"> Referrer<br />
|
<input type="checkbox" value="" id="field_referrer" name="field[referrer]"> Referrer<br />
|
||||||
<input type="checkbox" value="" name="field[user_agent]"> User Agent
|
<input type="checkbox" value="" id="field_user_agent" name="field[user_agent]"> User Agent
|
||||||
</form>
|
</form>
|
||||||
|
|
||||||
<div id="dt_example" class="example_alt_pagination">
|
<div id="dt_example" class="example_alt_pagination">
|
||||||
<table class="table table-striped table-hover table-bordered pull-left" id="data-table">
|
<table class="table table-striped table-hover table-bordered pull-left <%= "custom" if params[:field] %>" id="data-table">
|
||||||
<thead>
|
<thead>
|
||||||
<tr>
|
<tr>
|
||||||
<%
|
<%
|
||||||
count = (params[:field] ? params[:field].count : 3)
|
count = (params[:field] ? (params[:field].count+1) : 6)
|
||||||
count.times do %>
|
count.times do %>
|
||||||
<td> </td>
|
<th> </th>
|
||||||
<% end %>
|
<% end %>
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
@@ -33,6 +33,8 @@
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
<%= javascript_include_tag "jquery.dataTables.js"%>
|
||||||
|
|
||||||
<script type="text/javascript">
|
<script type="text/javascript">
|
||||||
|
|
||||||
function dataTablePagination(){
|
function dataTablePagination(){
|
||||||
@@ -42,4 +44,4 @@ function dataTablePagination(){
|
|||||||
};
|
};
|
||||||
|
|
||||||
$(document).ready(dataTablePagination());
|
$(document).ready(dataTablePagination());
|
||||||
</script>
|
</script>
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
|
|
||||||
feature 'sql injection' do
|
feature 'sql injection' do
|
||||||
before do
|
before(:each) do
|
||||||
UserFixture.reset_all_users
|
UserFixture.reset_all_users
|
||||||
@normal_user = UserFixture.normal_user
|
@normal_user = UserFixture.normal_user
|
||||||
@admin_user = User.where("admin='t'").first
|
@admin_user = User.where("admin='t'").first
|
||||||
@@ -28,4 +28,24 @@ feature 'sql injection' do
|
|||||||
expect(@admin_user.email).to eq('joe.admin@schmoe.com')
|
expect(@admin_user.email).to eq('joe.admin@schmoe.com')
|
||||||
expect(@admin_user.admin).to eq(true)
|
expect(@admin_user.admin).to eq(true)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A1-SQL-Injection-Interpolation", js: true do
|
||||||
|
login(@normal_user)
|
||||||
|
Analytics.create!(ip_address: "::1")
|
||||||
|
|
||||||
|
visit "/admin/1/analytics"
|
||||||
|
|
||||||
|
within('#analytics_search') do
|
||||||
|
fill_in 'ip', :with => '::1'
|
||||||
|
check "field_user_agent"
|
||||||
|
payload = "(select group_concat(password) from users where admin='t')"
|
||||||
|
|
||||||
|
page.execute_script "$('#field_user_agent').attr('name', \"field[#{payload}]\");"
|
||||||
|
page.execute_script "$('#analytics_search').submit();"
|
||||||
|
end
|
||||||
|
|
||||||
|
pending if verifying_fixed?
|
||||||
|
expect(page).to have_css(".dataTable.custom")
|
||||||
|
expect(page.source).to include(@admin_user.password)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
Reference in New Issue
Block a user