I have changed the second visit statement from the root path (/) to the account settings page. The reason is that the submit button is changed via JS but you need to be at the account settings page to see that change
This commit is contained in:
cktricky
@@ -20,10 +20,11 @@ feature 'xss' do
|
|||||||
click_on 'Submit'
|
click_on 'Submit'
|
||||||
|
|
||||||
sleep(1)
|
sleep(1)
|
||||||
visit '/'
|
|
||||||
|
visit "/users/#{@normal_user.user_id}/account_settings"
|
||||||
pending(:if => verifying_fixed?) { find('div input.btn').value.should == 'RailsGoat h4x0r3d' }
|
|
||||||
|
pending(:if => verifying_fixed?) { find('#submit_button').value.should == 'RailsGoat h4x0r3d' }
|
||||||
|
|
||||||
# might be nice to demonstrate posting cookie contents or somesuch, but
|
# might be nice to demonstrate posting cookie contents or somesuch, but
|
||||||
# this at least shows the vulnerability still exists.
|
# this at least shows the vulnerability still exists.
|
||||||
end
|
end
|
||||||
|
|||||||
Reference in New Issue
Block a user