diff --git a/app/views/layouts/tutorial/redirects/_redirects_first.html.erb b/app/views/layouts/tutorial/redirects/_redirects_first.html.erb index aef3a4b..10f875f 100755 --- a/app/views/layouts/tutorial/redirects/_redirects_first.html.erb +++ b/app/views/layouts/tutorial/redirects/_redirects_first.html.erb @@ -16,7 +16,12 @@
- Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor +

+ OWASP Description - Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. +

+

+ Railsgoat allows the redirection to the paths previously requested but for which the user did not have access. Following authentication, the user is redirected. +

@@ -30,7 +35,31 @@
- Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor +

+ The application performs zero validation of the path for which they will redirect users, following authentication. The URL parameter is used to determine where to redirect the user, if the url parameter is not present, the user will be redirect to their home page. +

+ 
 
+					def create
+				      path = params[:url].present? ? params[:url] : home_dashboard_index_path    
+				      begin
+				        # Normalize the email address, why not
+				        user = User.authenticate(params[:email].to_s.downcase, params[:password])
+				       # @url = params[:url]
+				      rescue Exception => e
+				      end
+
+				      if user
+				        session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
+				        redirect_to path
+				      else
+				        # Removed this code, just doesn't seem specific enough!
+				        #  flash[:error] = "Either your username and password is incorrect" 
+				        flash[:error] = e.message
+				        render "new"
+				      end         
+				  end
+
+
@@ -44,7 +73,26 @@
- Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor +

Unvalidated Redirects and Forwards - ATTACK

+

+ Ensure you are logged out of the application. When requesting the login page, ensure you append a url=. Then, authenticate to the application. Once authenticated, you should be redirected to your test url. +

+

Unvalidated Redirects and Forwards - SOLUTION

+

+ To fix this vulnerability, validate the path. In our case, we really only want to redirect users to our site so the TLD is not important. In this case, leveraging URI.parse() can be incredibly helpful. We can change the code to something like: +

+ 
+				  path = home_dashboard_index_path    
+				  begin 
+				   if params[:url].present?
+				   	path = URI.parse(params[:url]).path
+				   end
+				  rescue 
+				  end
+
+

+ Further validation can occur with regular expression. If you must redirect to another application, remember to use URI.parse() and the host, path, and scheme (ssl or not) options FIRST, prior to performing regular expression validation. Additionally, always open and close your validation regexp using Ruby anchor tags \A and \z. +

@@ -58,7 +106,9 @@
- Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor +

+ Read the description section, fairly big hint there. +