From dbbb2ce65108764c013097be0fdcda8ad60214d5 Mon Sep 17 00:00:00 2001
From: Ken Johnson
Date: Thu, 23 May 2013 20:06:24 -0400
Subject: [PATCH] finished the first instance of broken auth and sess mgmt
---
app/controllers/sessions_controller.rb | 3 ++
app/models/user.rb | 5 +--
.../broken_auth_sess/_user_pass_enum.html.erb | 33 +++++++++++++++++--
.../tutorial/csrf/_csrf_first.html.erb | 2 +-
4 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 91de7ea..0f734b7 100755
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -6,6 +6,7 @@ class SessionsController < ApplicationController
 redirect_to home_dashboard_index_path if current_user
 end
+
 def create
 begin
@@ -17,6 +18,8 @@ class SessionsController < ApplicationController
 session[:id] = user.id if User.where(:id => user.id).exists?
 redirect_to home_dashboard_index_path
 else
+ # Removed this code, just doesn't seem specific enough!
+ # flash[:error] = "Either your username and password is incorrect"
 flash[:error] = e.message
 render "new"
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 43c9a75..a813974 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -9,6 +9,7 @@ class User < ActiveRecord::Base
 validates_uniqueness_of :email
 validates_format_of :email, :with => /.+@.+\..+/i
+
 def self.authenticate(email, password)
 auth = nil
 user = find_by_email(email)
@@ -23,6 +24,6 @@ class User < ActiveRecord::Base
 raise "#{email} doesn't exist!"
 end
 return auth
- end
-
+ end
+
 end
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb
index 6637631..35a8015 100644
--- a/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb
+++ b/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb
@@ -90,7 +90,31 @@
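Review bot: The two comment lines added above `flash[:error] = e.message` in SessionsController#create read as a rationale for wanting a more specific message, but `e.message` carries the model's `"#{email} doesn't exist!"` text straight to the login page, which is the username-enumeration that this same commit's solution partial removes. A maintainer reading only the controller should see that this is deliberate: replace the two comments with `# Intentionally vulnerable (tutorial: username/password enumeration): e.message reveals whether the email is registered; the fix is shown in tutorial/broken_auth_sess/_user_pass_enum.html.erb`. Separately, if `User.authenticate` can return nil without raising, the `else` branch is reached with `e` unset and `e.message` raises NoMethodError instead of rendering "new" — worth confirming against the model, whose body is mostly outside these hunks. The `create` method starts and ends outside this hunk.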
- Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor +

+ Username and Password Enumeration - SOLUTION +

+

Within /app/controllers/sessions_controller.rb

+
+				  def create
+
+				      begin
+				        user = User.authenticate(params[:email], params[:password])
+				      rescue Exception => e
+				      end
+
+				      if user
+				        session[:id] = user.id if User.where(:id => user.id).exists?
+				        redirect_to home_dashboard_index_path
+				      else
+				        flash[:error] =  "Either your username and password is incorrect" #e.message
+				        render "new"
+				      end
+
+				  end
+	 		  
+

+ Although this fix is neither systemic nor does it address the problematic code at its core (within the user model), it does provide a quick solution. On line 12, we comment out the "e.message code" and instead provide a very generic error message that lacks specificity on what credential was incorrectly entered. +

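Review bot: The solution snippet keeps `rescue Exception => e` with an empty body around the `User.authenticate` call, which silences every exception class including `SystemExit`, `NoMemoryError` and `SignalException`, and in the fixed version `e` is never read; the line students copy should be `rescue StandardError` with no binding, so that only the model's authentication failure is absorbed and everything else still surfaces. The generic message should read `"Either your username or password is incorrect"` — "and" asserts that both are wrong, which is not what the fix intends, and the same wording appears in the commented-out controller line in this commit. The explanatory paragraph's "On line 12" depends on the snippet's blank lines surviving rendering of the partial; naming the `flash[:error]` line instead would be more robust.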
@@ -104,8 +128,11 @@
- Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor -
+

+ Enter an email address that wouldn't likely exist into the login form. Analyze the result.

+ Can you leverage this to gain unauthorized access? +

+
diff --git a/app/views/layouts/tutorial/csrf/_csrf_first.html.erb b/app/views/layouts/tutorial/csrf/_csrf_first.html.erb
index e56c42e..b08e0fc 100644
--- a/app/views/layouts/tutorial/csrf/_csrf_first.html.erb
+++ b/app/views/layouts/tutorial/csrf/_csrf_first.html.erb
@@ -31,7 +31,7 @@

Cross-Site Request Forgery (CSRF) - The following code was taken from: /app/controllers/application_controller.rb and /app/views/layouts/application.html.erb

-

application_controller.rb<

+

application_controller.rb

 				 # Our security guy keep talking about sea-surfing, cool story bro.