From 7eb0ddf22921d53f2f230490323d31c267f4995d Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 07:49:52 -0500
Subject: [PATCH 1/7] clean up insecure_dor_spec
---
 spec/vulnerabilities/insecure_dor_spec.rb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 2434e61..5d842e8 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -22,11 +22,13 @@ feature "insecure direct object reference" do
 end
 scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
+ login(normal_user)
+ expect(normal_user.id).not_to eq(another_user.id)
 visit "/users/#{another_user.id}/work_info"
- expect(first("td").text).not_to include(another_user.name)
- expect(first("td").text).to include(normal_user.name)
+ expect(first("td").text).not_to include(another_user.full_name)
+ expect(first("td").text).to include(normal_user.full_name)
 end
 end
From 18433833d395738551cbfc4d3f01d089217c4d24 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 07:53:25 -0500
Subject: [PATCH 2/7] clean up url_access_spec
---
 spec/vulnerabilities/url_access_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/vulnerabilities/url_access_spec.rb b/spec/vulnerabilities/url_access_spec.rb
index f7d0468..4fa70ce 100644
--- a/spec/vulnerabilities/url_access_spec.rb
+++ b/spec/vulnerabilities/url_access_spec.rb
@@ -15,6 +15,6 @@ feature "url access" do
 visit "/admin/1/dashboard"
- expect(current_path).to eq("/")
+ expect(current_path).to eq("/dashboard/home")
 end
 end
From d82ff9a66a9d13794bdf96eacb984e1b4dade559 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 09:24:24 -0500
Subject: [PATCH 3/7] clean up insecure_dor_spec
---
 spec/vulnerabilities/insecure_dor_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
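Review bot: The rewritten pair `not_to include(another_user.full_name)` / `to include(normal_user.full_name)` only demonstrates isolation when the two users' names actually differ, and the added guard `expect(normal_user.id).not_to eq(another_user.id)` protects the ids, not the names; if the factory yields identical or overlapping full names the negative assertion fails or passes for the wrong reason. Add `expect(normal_user.full_name).not_to eq(another_user.full_name)` beside the id guard so the scenario fails with a clear message instead of a misleading one. The enclosing `feature` block starts outside the hunk.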
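Review bot: `expect(current_path).to eq("/dashboard/home")` ties the access-control check to a single redirect target, so an implementation that denies access with a 403 or redirects elsewhere fails this spec even though the admin dashboard was never served, while the path alone says nothing about what the response contained. Keep the path assertion if that destination is the documented behaviour, but also state the denial itself, e.g. `expect(current_path).not_to eq("/admin/1/dashboard")` together with an assertion that no admin-only content is on the page. The enclosing `feature` block starts outside the hunk.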
diff --git a/spec/vulnerabilities/insecure_dor_spec.rb b/spec/vulnerabilities/insecure_dor_spec.rb
index 5d842e8..50e5854 100644
--- a/spec/vulnerabilities/insecure_dor_spec.rb
+++ b/spec/vulnerabilities/insecure_dor_spec.rb
@@ -18,7 +18,7 @@ feature "insecure direct object reference" do
 visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
 expect(page.status_code).not_to eq(200)
- expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
+ expect(page.response_headers["Content-Disposition"].to_a).not_to include("database.yml")
 end
 scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
From 02dcd42bc7066a4b9b886b3e249e50c1f27a54b4 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 09:57:58 -0500
Subject: [PATCH 4/7] clean up unvalidated_redirects_spec
---
 spec/vulnerabilities/unvalidated_redirects_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb
index a1ff494..cb880e4 100644
--- a/spec/vulnerabilities/unvalidated_redirects_spec.rb
+++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb
@@ -20,6 +20,6 @@ feature "unvalidated redirect" do
 click_on "Login"
 end
- expect(current_url).to eq("/dashboard/home")
+ expect(current_path).to eq("/dashboard/home")
 end
 end
From e72f4ca64f3aca2f6d11a23178cdd801a6e7d67f Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 14:27:56 -0500
Subject: [PATCH 5/7] update tutorial links
---
 spec/vulnerabilities/csrf_spec.rb | 2 +-
 spec/vulnerabilities/mass_assignment_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/spec/vulnerabilities/csrf_spec.rb b/spec/vulnerabilities/csrf_spec.rb
index 375ae40..d876dab 100644
--- a/spec/vulnerabilities/csrf_spec.rb
+++ b/spec/vulnerabilities/csrf_spec.rb
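Review bot: `.to_a` on the `Content-Disposition` header does not achieve what the commit intends: when the header is present its value is a String, and `String#to_a` does not exist in Ruby 1.9 and later, so the assertion raises NoMethodError on exactly the response it is meant to inspect, whereas `nil.to_a` is `[]` and the `not_to include` passes vacuously when the header is absent. Use `.to_s`, which maps nil to `""` and leaves a String untouched: `expect(page.response_headers["Content-Disposition"].to_s).not_to include("database.yml")`. The scenario's opening line is outside the hunk.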
@@ -10,7 +10,7 @@ feature "csrf" do
 pending unless verifying_fixed?
 end
- scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A8-CSRF", js: true do
+ scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
 visit "/" # TODO: is there a way to get this without visiting root first?
 base_url = current_url
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index 43f6f59..ab3e3cb 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
@@ -23,7 +23,7 @@ feature "mass assignment" do
 expect(normal_user.reload.admin).to be_falsy
 end
- scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-Extras-Mass-Assignment-Admin-Role" do
+ scenario "attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role" do
 params = { user: { admin: "t", email: "hackety@h4x0rs.c0m", first_name: "hackety",
From 483112bb18f21a68e40327e80f235ad443dd2700 Mon Sep 17 00:00:00 2001
From: Nicole Rifkin
Date: Wed, 20 Nov 2019 17:06:23 -0500
Subject: [PATCH 6/7] clean up mass_assignment_spec
---
 spec/vulnerabilities/mass_assignment_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/vulnerabilities/mass_assignment_spec.rb b/spec/vulnerabilities/mass_assignment_spec.rb
index ab3e3cb..5b40ca0 100644
--- a/spec/vulnerabilities/mass_assignment_spec.rb
+++ b/spec/vulnerabilities/mass_assignment_spec.rb
@@ -33,6 +33,6 @@ feature "mass assignment" do
 page.driver.post "/users", params
- expect(User.find_by(email: "hackety@h4x0rs.c0m")).to be_nil
+ expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy
 end
 end
From 5191409db6372d57a21c41f088605dc28b91d54a Mon Sep 17 00:00:00 2001
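Review bot: `User.find_by(email: "hackety@h4x0rs.c0m").admin` raises NoMethodError when no record was created, which is precisely the outcome the replaced `be_nil` assertion accepted; an implementation that rejects the whole request now makes the spec error instead of pass. Accept both safe outcomes with `expect(User.find_by(email: "hackety@h4x0rs.c0m")&.admin).to be_falsy`, or, if the spec requires the user to exist, first assign the lookup to a local and assert `expect(user).not_to be_nil` before checking `user.admin`. The scenario's opening line is outside the hunk.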
From: Nicole Rifkin
Date: Thu, 21 Nov 2019 09:07:38 -0500
Subject: [PATCH 7/7] validate root is localhost in redirect_spec
---
 spec/vulnerabilities/unvalidated_redirects_spec.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/spec/vulnerabilities/unvalidated_redirects_spec.rb b/spec/vulnerabilities/unvalidated_redirects_spec.rb
index cb880e4..97b9627 100644
--- a/spec/vulnerabilities/unvalidated_redirects_spec.rb
+++ b/spec/vulnerabilities/unvalidated_redirects_spec.rb
@@ -20,6 +20,7 @@ feature "unvalidated redirect" do
 click_on "Login"
 end
+ expect(current_url).to start_with("http://127.0.0.1")
 expect(current_path).to eq("/dashboard/home")
 end
 end
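Review bot: `start_with("http://127.0.0.1")` is a prefix test rather than a host comparison, so it also accepts any host name that merely begins with those characters and it hard-codes the address the driver happens to serve on (a rack_test session reports a different default host unless `Capybara.app_host` is set, so this presumably relies on a server-backed driver — worth confirming against the suite's driver configuration). Compare the parsed host instead: `expect(URI.parse(current_url).host).to eq("127.0.0.1")`, which fails only when the redirect actually leaves the application's host. The enclosing scenario starts outside the hunk.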