moving vulnerability tests and adding password complexity test

2013-10-07 14:18:17 -04:00
parent 829b566c29
commit 9b3181eef9
11 changed files with 21 additions and 0 deletions
@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+feature 'broken_auth' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'one' do
+    visit '/'
+    within('.signup') do
+      fill_in 'email', :with => @normal_user.email + 'not'
+      fill_in 'password', :with => @normal_user.clear_password
+    end
+    click_on 'Login'
+    pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == "#{@normal_user.email}not doesn't exist!" }
+  end
+
+  scenario 'two' do
+    visit '/'
+    within('.signup') do
+      fill_in 'email', :with => @normal_user.email
+      fill_in 'password', :with => @normal_user.clear_password + 'not'
+    end
+    click_on 'Login'
+    pending(:if => verifying_fixed?) { find('div#flash_notice').text.should == 'Incorrect Password!' }
+  end
+end
@@ -0,0 +1,28 @@
+require 'spec_helper'
+require 'tmpdir'
+
+feature 'command injection' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'attack', :js => true do
+    login @normal_user
+
+    legit_file = File.join(Rails.root, 'public', 'data', 'legit.txt')
+    File.open(legit_file, 'w') { |f| f.puts 'totes legit' }
+
+    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    Dir.mktmpdir do |dir|
+      hackety_file = File.join(dir, '; cd public && cd data && rm -f * ;')
+      File.open(hackety_file, 'w') { |f| f.print 'mwahaha' }
+      within('.new_benefits') do
+        attach_file 'benefits_upload', hackety_file
+        find(:xpath, "//input[@id='benefits_backup']", :visible => false).set 'true'
+      end
+      click_on 'Start Upload'
+    end
+    pending(:if => verifying_fixed?) { File.exists?(legit_file).should be_false }
+  end
+end
@@ -0,0 +1,44 @@
+require 'spec_helper'
+require 'tmpdir'
+
+feature 'csrf' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'attack', :js => true do
+    visit '/'
+    # TODO: is there a way to get this without visiting root first?
+    base_url = current_url
+
+    login @normal_user
+
+    Dir.mktmpdir do |dir|
+      hackety_file = File.join(dir, 'form.on.bad.guy.site.html')
+      post_url = "#{base_url}schedule.json"
+      File.open(hackety_file, 'w') do |f|
+        f.print <<-HTML
+        <html>
+          <body>
+            <form id='submit_me' action="#{post_url}" method="POST">
+              <input type="hidden" name="schedule&#91;event&#95;name&#93;" value="Bad&#32;Guy" />
+              <input type="hidden" name="schedule&#91;event&#95;type&#93;" value="pto" />
+              <input type="hidden" name="schedule&#91;event&#95;desc&#93;" value="Fun&#32;Fun" />
+              <input type="hidden" name="date&#95;range1" value="06&#47;08&#47;2013&#32;&#45;&#32;06&#47;09&#47;2013" />
+              <input type="submit" value="Submit request" />
+            </form>
+          </body>
+        </html>
+        HTML
+      end
+
+      page.driver.visit "file://#{hackety_file}"
+      within('#submit_me') do
+        click_on 'Submit request'
+      end
+    end
+
+    pending(:if => verifying_fixed?) { @normal_user.reload.paid_time_off.schedule.last.event_name.should == 'Bad Guy' }
+  end
+end
@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+feature 'sensitive information disclosure' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+    @normal_user.work_info.update_attribute(:SSN, '999-99-9999')
+  end
+
+  # this won't work with javascript_driver, as it'll apply the javascript
+  # function to mask this value and the source will be overwritten.
+  scenario 'attack' do
+    login @normal_user
+
+    visit "/users/#{@normal_user.user_id}/work_info"
+    pending(:if => verifying_fixed?) { page.source.should include '999-99-9999' }
+  end
+end
@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+feature 'insecure direct object reference' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'attack one' do
+    login(@normal_user)
+
+    visit "/users/#{@normal_user.user_id}/benefit_forms"
+    download_url = first('.widget-body a')[:href]
+    visit download_url.sub(/name=(.*?)&/, 'name=../../config/database.yml&')
+
+    pending(:if => verifying_fixed?) {
+      page.status_code.should == 200
+      page.response_headers['Content-Disposition'].should include('database.yml')
+      page.response_headers['Content-Length'].should == '576'
+    }
+  end
+
+  scenario 'attack two' do
+    login(@normal_user)
+
+    @normal_user.user_id.should_not == 2
+    visit '/users/2/work_info'
+
+    pending(:if => verifying_fixed?) { first('td').text.should == 'Jack Mannino' }
+  end
+end
@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+feature 'mass assignment' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'attack one' do
+    @normal_user.admin.should be_false
+
+    login(@normal_user)
+
+    params = {:user => {:admin => 't',
+                        :user_id => @normal_user.user_id,
+                        :password => @normal_user.clear_password,
+                        :password_confirmation => @normal_user.clear_password}}
+    page.driver.put "/users/#{@normal_user.user_id}.json", params
+
+    pending(:if => verifying_fixed?) { @normal_user.reload.admin.should be_true }
+  end
+
+  scenario 'attack two' do
+    params = {:user => {:admin => 't',
+                        :email => 'hackety@h4x0rs.c0m',
+                        :first_name => 'hackety',
+                        :last_name => 'hax',
+                        :password => 'foobarewe',
+                        :password_confirmation => 'foobarewe'}}
+    page.driver.post '/users', params
+
+    pending(:if => verifying_fixed?) {
+      User.last.email.should == 'hackety@h4x0rs.c0m'
+      User.last.admin.should be_true
+    }
+  end
+end
@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+feature 'password complexity' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'one' do
+    visit '/signup'
+    within('.signup') do
+      fill_in 'user_email', :with => @normal_user.email + 'not'
+      fill_in 'user_first_name', :with => @normal_user.first_name
+      fill_in 'user_last_name', :with => @normal_user.last_name + 'not'
+      fill_in 'user_password', :with => 'password'
+      fill_in 'user_password_confirmation', :with => 'password'
+    end
+    click_on 'Submit'
+    pending(:if => verifying_fixed?) {current_path.should == '/dashboard/home'}
+  end
+end
@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+feature 'sql injection' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+    @admin_user = User.where("admin='t'").first
+  end
+
+  scenario 'attack' do
+    @admin_user.admin.should be_true
+
+    login(@normal_user)
+
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    within('#account_edit') do
+      fill_in 'Email', :with => 'joe.admin@schmoe.com'
+      fill_in 'user_password', :with => 'hacketyhack'
+      fill_in 'user_password_confirmation', :with => 'hacketyhack'
+
+      # this is a hidden field, so cannot use fill_in to access it.
+      find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"
+    end
+    click_on 'Submit'
+
+    pending(:if => verifying_fixed?) {
+      @admin_user = User.where("admin='t'").first
+      @admin_user.email.should == 'joe.admin@schmoe.com'
+      @admin_user.admin.should == true
+    }
+  end
+end
@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+feature 'unvalidated redirect' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'attack', :js => true do
+    visit '/?url=http://example.com/do/evil/things'
+    within('.signup') do
+      fill_in 'email', :with => @normal_user.email
+      fill_in 'password', :with => @normal_user.clear_password
+    end
+    click_on 'Login'
+
+    pending(:if => verifying_fixed?) { current_url.should == 'http://example.com/do/evil/things' }
+  end
+end
@@ -0,0 +1,15 @@
+require 'spec_helper'
+
+feature 'url access' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'attack', :js => true do
+    login @normal_user
+
+    visit '/admin/1/dashboard'
+    pending(:if => verifying_fixed?) { current_path.should == '/admin/1/dashboard' }
+  end
+end
@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+feature 'xss' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'attack', :js => true do
+    login @normal_user
+
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    within('#account_edit') do
+      fill_in 'First name', :with => "B<script>$(function() { $('form.button_to input.btn.btn-primary').val('RailsGoat h4x0r3d') } )</script>"
+
+      # password gets screwed up if you don't re-submit - need to fix
+      fill_in 'user_password', :with => @normal_user.clear_password
+      fill_in 'user_password_confirmation', :with => @normal_user.clear_password
+    end
+    click_on 'Submit'
+
+    visit '/'
+
+    pending(:if => verifying_fixed?) { find('form.button_to input.btn.btn-primary').value.should == 'RailsGoat h4x0r3d' }
+
+    # might be nice to demonstrate posting cookie contents or somesuch, but
+    # this at least shows the vulnerability still exists.
+  end
+end