From bc74edf28dcf681bf875e474faedee262789f2c5 Mon Sep 17 00:00:00 2001
From: cktricky
Date: Sun, 18 Aug 2013 20:10:36 -0400
Subject: [PATCH] lastest work towards the secure_compare tutorial

---
 app/models/user.rb | 2 +-
 .../tutorial/broken_auth_sess/_insecure_compare.html.erb | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 18d1cf1..3b4f8f6 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -37,7 +37,7 @@ class User < ActiveRecord::Base
 =begin
 # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
 def self.authenticate(email, password)
- user = find_by_email(email) || User.new(:password => '')
+ user = find_by_email(email) || User.new(:password => "")
 if Rack::Utils.secure_compare(user.password, Digest::MD5.hexdigest(password))
 return user
 else
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
index 776384d..9fad652 100644
--- a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
+++ b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
@@ -16,7 +16,9 @@
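Review bot: The dummy `User.new(:password => "")` on the added line does not equalize the comparison that the comment above it says it is for: `Rack::Utils.secure_compare` (at least in the Rack releases of this era, to be confirmed against the pinned version) returns as soon as the two byte lengths differ, and an empty string never has the length of an MD5 hexdigest, so the unknown-email path still skips the constant-time loop. A placeholder in the stored format, e.g. `user = find_by_email(email) || User.new(:password => Digest::MD5.hexdigest(""))`, makes both branches run the same comparison. Note also that this whole hunk sits inside an `=begin`/`=end` block, so the quote-style change is never executed; the live `authenticate` is presumably the version outside this hunk, which is not visible here. The method body continues past the end of the hunk.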
- +

+ A timing attack can exist in several forms. This specific case relates to username (email address) enumeration. By leveraging an automated tool, an attacker can review any subtle variation in response times after submitting a login request to determine if the application is performing a computationally intense function. Meaning, if a function is run once a user is discovered, even if the password is incorrect, this information provides the user with valid or invalid usernames. +

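Review bot: The added paragraph ends by saying the timing difference "provides the user with valid or invalid usernames", but the party learning this is the attacker, not the user; suggest `this difference tells the attacker whether the submitted email belongs to a valid account.` The sentence beginning "Meaning, if a function is run once a user is discovered" is also hard to follow; it would read more clearly if it stated the cause directly, i.e. that the password hashing work is only performed when the email exists, so a valid email produces a measurably slower response. The markup surrounding this text is not visible in the hunk as rendered here, so I cannot tell whether the paragraph is inside the intended element.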
@@ -59,11 +61,11 @@

- + Test

- +