adding password hashing spec

spec/support/capybara_shared.rb

@@ -16,7 +16,7 @@ def verifying_fixed?
 ******************************************************************************
   You are running the RailsGoat Capybara Specs in Training mode. These specs
   are supposed to fail, indicating vulnerabilities exist. They contain
-  spoilers, so do not read the code in spec/features if your goal is to
+  spoilers, so do not read the code in spec/vulnerabilities if your goal is to
   learn more about patching the vulnerabilities. You should fix the
   vulnerabilities in the application in order to get these specs to pass**.
   You can use them to measure your progress.

spec/vulnerabilities/password_hashing_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+feature 'improper password hashing' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'with just md5' do
+    new_pass = 'testpassword'
+    @normal_user.password = new_pass
+    @normal_user.password_confirmation = new_pass
+    @normal_user.save
+    pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(new_pass).should == @normal_user.password}
+  end
+
+  scenario 'with md5 and salt' do
+    if @normal_user.has_attribute?('salt')
+      new_pass = 'testpassword'
+      @normal_user.password = new_pass
+      @normal_user.password_confirmation = new_pass
+      @normal_user.save
+      pending(:if => verifying_fixed?) {Digest::MD5.hexdigest(@normal_user.salt + new_pass).should == @normal_user.password}
+    end
+  end
+end