Merge branch 'master' of https://github.com/OWASP/railsgoat

2014-05-22 14:58:00 -04:00
parent 0889f68ba9 7acc17aea3
commit ca46d01a0e
8 changed files with 164 additions and 6 deletions
@@ -28,6 +28,8 @@
 //= require jquery.easy-pie-chart.js
 //= require jquery-fileupload/basic
 //= require jquery-fileupload/vendor/tmpl
+//= require jsapi
+//= html5.js

 function rubyCodeFormat() {
 	
@@ -0,0 +1,8 @@
+/*
+ HTML5 Shiv v3.7.0 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed
+*/
+(function(l,f){function m(){var a=e.elements;return"string"==typeof a?a.split(" "):a}function i(a){var b=n[a[o]];b||(b={},h++,a[o]=h,n[h]=b);return b}function p(a,b,c){b||(b=f);if(g)return b.createElement(a);c||(c=i(b));b=c.cache[a]?c.cache[a].cloneNode():r.test(a)?(c.cache[a]=c.createElem(a)).cloneNode():c.createElem(a);return b.canHaveChildren&&!s.test(a)?c.frag.appendChild(b):b}function t(a,b){if(!b.cache)b.cache={},b.createElem=a.createElement,b.createFrag=a.createDocumentFragment,b.frag=b.createFrag();
+a.createElement=function(c){return!e.shivMethods?b.createElem(c):p(c,a,b)};a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&("+m().join().replace(/[\w\-]+/g,function(a){b.createElem(a);b.frag.createElement(a);return'c("'+a+'")'})+");return n}")(e,b.frag)}function q(a){a||(a=f);var b=i(a);if(e.shivCSS&&!j&&!b.hasCSS){var c,d=a;c=d.createElement("p");d=d.getElementsByTagName("head")[0]||d.documentElement;c.innerHTML="x<style>article,aside,dialog,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}mark{background:#FF0;color:#000}template{display:none}</style>";
+c=d.insertBefore(c.lastChild,d.firstChild);b.hasCSS=!!c}g||t(a,b);return a}var k=l.html5||{},s=/^<|^(?:button|map|select|textarea|object|iframe|option|optgroup)$/i,r=/^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|span|strong|style|table|tbody|td|th|tr|ul)$/i,j,o="_html5shiv",h=0,n={},g;(function(){try{var a=f.createElement("a");a.innerHTML="<xyz></xyz>";j="hidden"in a;var b;if(!(b=1==a.childNodes.length)){f.createElement("a");var c=f.createDocumentFragment();b="undefined"==typeof c.cloneNode||
+"undefined"==typeof c.createDocumentFragment||"undefined"==typeof c.createElement}g=b}catch(d){g=j=!0}})();var e={elements:k.elements||"abbr article aside audio bdi canvas data datalist details dialog figcaption figure footer header hgroup main mark meter nav output progress section summary template time video",version:"3.7.0",shivCSS:!1!==k.shivCSS,supportsUnknownElements:g,shivMethods:!1!==k.shivMethods,type:"default",shivDocument:q,createElement:p,createDocumentFragment:function(a,b){a||(a=f);
+if(g)return a.createDocumentFragment();for(var b=b||i(a),c=b.frag.cloneNode(),d=0,e=m(),h=e.length;d<h;d++)c.createElement(e[d]);return c}};l.html5=e;q(f)})(this,document);
@@ -13,7 +13,6 @@ if cookies[:font]
 <%
 end
 %>
- <script type="text/javascript" src="https://www.google.com/jsapi"></script>

 </head>
 <body>
@@ -1,7 +1,7 @@
 <div class="widget">
    <div class="widget-header">
      <div class="title">
-        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A9 - Using Components with Known Vulnerabilities
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A9 - Using Components with Known Vulnerabilities (Rack / Rails)
      </div>
    </div>
    <div class="widget-body">
@@ -0,0 +1,109 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A9 - Using Components with Known Vulnerabilities (DOM XSS / JQuery Snippet)
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
+            <div class="accordion-inner">
+				JQuery Snippet contains at least one DOM-Based XSS vulnerability that can be confirmed in IE11. Unknowingly, the Railsgoat 	   development team used this library. Credit for vulnerability discovery as well as submission to <%= link_to "@raesene", "http://github.com/raesene", {:style => "color: rgb(181, 121, 158)", :target => "_blank"}%>. This was unintentional but goes to show how easily vulnerabilities can creep in when using third-party libraries.
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
+            <div class="accordion-inner">
+			  <p class="desc">
+               	Within the file app/assets/javascripts/jquery.snippet.js:
+			  </p>
+			  <pre>
+				<%= %{
+// snippet new window popup function
+function snippetPopup(content) \{
+	 top.consoleRef=window.open('','myconsole',
+	  'width=600,height=300'
+	   +',left=50,top=50'
+	   +',menubar=0'
+	   +',toolbar=0'
+	   +',location=0'
+	   +',status=0'
+	   +',scrollbars=1'
+	   +',resizable=1');
+	 top.consoleRef.document.writeln(
+	  '<html><head><title>Snippet :: Code View :: '+}%><span style="background-color:yellow">location.href</span><%= %{+'</title></head>'
+	   +'<body bgcolor=white onLoad="self.focus()">'
+	   +'<pre>'+content+'</pre>'
+	   +'</body></html>'
+	 );
+	 top.consoleRef.document.close();
+\}}%></pre>
+			<p class="desc">
+				We can see that the <i>location.href</i> DOM property is used to dynamically generate a title for the text box pop-up. This value is string concatenated directly from the DOM without first performing some escaping routine or HTML encoding.
+			</p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
+            <div class="accordion-inner">
+			  	 <p><b>Using Components with Known Vulnerabilities (DOM XSS) - ATTACK</b></p>
+	 			  <p class="desc">
+					In order to demonstrate that you can indeed perform DOM XSS through this coding error, we will use a simple alert box. This does not appear to work in Chrome, Safari, or Firefox as they first URL encoded the script portion of the url before rendering which complicates browser interpretation. IE on the other hand, true to form, is totally vulnerable. The following example assumes you are running Railsgoat on localhost, port 3000. If this is the case, open IE, paste the URL (below) into IE.
+		          </p>	
+				  <pre>
+<%= "http://localhost:3000/tutorials/injection#</title></head><script>alert(1)</script>" %>
+				  </pre>	
+				  <p class="desc">
+					The portion after the pound (#) symbol will close off the title and head portions of the HTML and then allow for properly generated JavaScript to be rendered and executed. After browsing to this URL, navigate to the tutorial where code snippets are shown and click on the "pop-up" link that appears after hovering over the code snippet. This should be all that is required to demonstrate DOM-XSS.
+				  </p>	
+				  <p><b>Using Components with Known Vulnerabilities (DOM XSS) - SOLUTION</b></p>
+				  <p class="desc">
+					Use the hoganEscape() function defined in application.js to solve this problem. For instance:
+		          </p>
+		 		  <pre class="javascript">
+<%=%{'<html><head><title>Snippet :: Code View :: '+}%><span style="background-color:yellow">hoganEscape(location.href)</span> <%=%{+'</title></head>' }%>
+			      </pre>
+            </div>
+          </div>
+        </div>
+      	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
+            <div class="accordion-inner">
+               Review the JQuery Code Snippet for any content that might be mirrored or reflected back and that is under our control.
+            </div>
+          </div>
+        </div>
+	</div>
+    </div>
+  </div>
@@ -5,15 +5,11 @@
  <%= stylesheet_link_tag    "application", :media => "all" %>
  <%= javascript_include_tag "application" %>
  <%#= csrf_meta_tags %> <!-- <~ What is this for? I hear it helps w/ JS and Sea-surfing.....whatevz -->
-
- <script type="text/javascript" src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
 <!--[if lte IE 7]>
 <script src="assets/fonts/lte-ie7.js">
 </script>
 <![endif]--> 

- <!-- Google Visualization JS -->
- <script type="text/javascript" src="https://www.google.com/jsapi"></script>

 </head>
 <body>
@@ -5,6 +5,11 @@
 		      <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_first" %>
 		    </div> <!-- End Span12 -->
 		</div>
+		<div class="row-fluid">
+		    <div class="span12"> <!-- Begin Span12 -->
+		      <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_second" %>
+		    </div> <!-- End Span12 -->
+		</div>
 	</div>
 </div>