finished the write-up for crytpo vuln, close issue #5

app/models/user.rb

@@ -25,7 +25,6 @@ class User < ActiveRecord::Base
   def self.authenticate(email, password)
        auth = nil
        user = find_by_email(email)
-       # I heard something about hashing, dunno, why bother really. Nobody will get access to my stuff!
        if user
          if user.password == Digest::MD5.hexdigest(password)
            auth = user

app/views/layouts/tutorial/crypto/_password_hashing.html.erb

@@ -1,7 +1,7 @@
 <div class="widget">
     <div class="widget-header">
       <div class="title">
-        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A7 - Insecure Cryptographic Storage
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A7 - Insecure Cryptographic Storage - Password Storage
       </div>
     </div>
     <div class="widget-body">
@@ -16,7 +16,15 @@
           </div>
           <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+			  <p class="desc">
+              The OWASP description - Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
+ 			  </p>
+			  <p class="desc">
+ 			  Railsgoat does hash user passwords. Unfortunately, it does so using an extremely weak algorithm (MD5). Generally speaking, a strong algorithm and per-user salt can greatly improve the security of a hashed value. Also important to note, hashing and encryption are not the same. Encryption is meant to be reversible using some secret information, hashing is not, hashing is a one-way function not meant to be reversible.
+			  </p>
+			  <p class="desc">
+			 All that being said, there are groups within security organizations that devote themselves to threat models built around this topic so clearly, this description does not encompass all scenarios. However, our recommendation is better than hashing using MD5 <i class="icon-wink-2"></i>.
+			  </p>
             </div>
           </div>
         </div>
@@ -30,7 +38,35 @@
           </div>
           <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+	          <p>
+              Within app/models/user.rb:
+ 			  </p>
+ 			  <pre class="ruby">
+	 		   before_save <span style="background-color:yellow">:encrypt_password</span>
+	
+				def self.authenticate(email, password)
+			       auth = nil
+			       user = find_by_email(email)
+			       if user
+			         if user.password == <span style="background-color:yellow">Digest::MD5.hexdigest(password)</span>
+			           auth = user
+			         else
+			          raise "Incorrect Password!"
+			         end 
+			       else
+			          raise "#{email} doesn't exist!"
+			       end
+			       return auth
+			    end
+			
+				def encrypt_password
+			    	if self.password.present?
+			      		self.password = <span style="background-color:yellow">Digest::MD5.hexdigest(password)</span>
+			    	end
+			    end
+	 
+			  </pre>
+			  
             </div>
           </div>
         </div>
@@ -44,7 +80,31 @@
           </div>
           <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+              <p><b>Password Storage - ATTACK</b></p>
+ 			  <p class="desc">
+			 	 Using the passwords stored within db/seeds.rb file, create a wordlist and leverage a password cracking tool such as John The Ripper to crack those passwords.
+			  </p>
+			  <p><b>Password Storage - SOLUTION</b></p>
+			  <p class="desc">
+				A simple solution here would be to enforce a per-user salt in creating a BCrypt hash. You would need to alter the db schema to add a password_salt and password_hash columns to the table.
+			  </p>
+			  <pre class="ruby">	
+				def self.authenticate(email, password)
+				    user = find_by_email(email)
+				    if user and user.password_hash == <span style="background-color:yellow">BCrypt::Engine.hash_secret(password, user.password_salt)</span>
+				        user
+				    else
+				       "Invalid Credentials Supplied"
+				    end
+				end
+				
+				def encrypt_password
+				    if self.password.present?
+				      <span style="background-color:yellow">self.password_salt = BCrypt::Engine.generate_salt</span>
+				      <span style="background-color:yellow">self.password_hash = BCrypt::Engine.hash_secret(self.password, self.password_salt)</span>
+				    end
+				end
+			  </pre>	
             </div>
           </div>
         </div>
@@ -58,7 +118,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
             <div class="accordion-inner">
-              Anim pariatur cliche reprehenderit, enim eiusmod high life accusamus terry richardson ad squid. 3 wolf moon officia aute, non cupidatat skateboard dolor brunch. Food truck quinoa nesciunt laborum eiusmod. Brunch 3 wolf moon tempor
+              How protected are those passwords in the database against cracking?
             </div>
           </div>
         </div>