team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

okay, finally got a working redirect vuln

Browse Source
This commit is contained in:
Ken Johnson
2013-06-04 11:00:01 -04:00
parent e1dfb8309c
commit ef2b2e8e11
6 changed files with 124 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/controllers/application_controller.rb
+2 -1
View File
@@ -13,7 +13,8 @@ class ApplicationController < ActionController::Base
end
def authenticated
redirect_to root_url and reset_session if not current_user
path = request.fullpath.present? ? root_url(:url => request.fullpath) : root_url
redirect_to path and reset_session if not current_user
end
def is_admin?
app/controllers/sessions_controller.rb
+4 -3
View File
@@ -4,28 +4,29 @@ class SessionsController < ApplicationController
skip_before_filter :authenticated, :only => [:new, :create]
def new
@url = params[:url]
redirect_to home_dashboard_index_path if current_user
end
def create
path = params[:url].present? ? params[:url] : home_dashboard_index_path
begin
# Normalize the email address, why not
user = User.authenticate(params[:email].to_s.downcase, params[:password])
# @url = params[:url]
rescue Exception => e
end
if user
session[:user_id] = user.user_id if User.where(:user_id => user.user_id).exists?
redirect_to home_dashboard_index_path
redirect_to path
else
# Removed this code, just doesn't seem specific enough!
# flash[:error] = "Either your username and password is incorrect"
flash[:error] = e.message
render "new"
end
end
def destroy
app/models/work_info.rb
+7
View File
@@ -1,10 +1,17 @@
class WorkInfo < ActiveRecord::Base
attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
belongs_to :user
#before_save :encrypt_ssn
# We should probably use this
def last_four
"***-**-" << self.SSN[-4,4]
end
def encrypt_ssn
end
def decrypt_ssn
end
end
app/views/layouts/tutorial/crypto/_ssn.html.erb
+101
View File
@@ -0,0 +1,101 @@
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A7 - Insecure Cryptographic Storage - Clear-text storage of SSN(s)
</div>
</div>
<div class="widget-body">
<div id="accordion1" class="accordion no-margin">
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseSSNOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-info icon-white">
</i>
Description
</a>
</div>
<div class="accordion-body in collapse" id="collapseSSNOne" style="height: auto;">
<div class="accordion-inner">
<p class="desc">
The Railsgoat application stores Social Security Numbers in plain-text and because of this, it fails to adequately protect these numbers from theft.
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseSSNTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-bug icon-white">
</i>
Bug
</a>
</div>
<div class="accordion-body collapse" id="collapseSSNTwo" style="height: 0px;">
<div class="accordion-inner">
<p class="desc">
The WorkInfo model (app/models/work_info.rb) is where the code to encrypt this data should be. However, as seen, is missing any routine to do so.
</p>
<pre class="ruby">
class WorkInfo < ActiveRecord::Base
attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
belongs_to :user
# We should probably use this
def last_four
"***-**-" << self.SSN[-4,4]
end
end
</pre>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseSSNThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-lightning icon-white">
</i>
Solution
</a>
</div>
<div class="accordion-body collapse" id="collapseSSNThree" style="height: 0px;">
<div class="accordion-inner">
<p><b>Password Storage - SOLUTION</b></p>
<p class="desc">
There is a lot of guidance on adequately protecting sensitive data at rest and using a layered defensive approach. Make no mistake, this should not be your sole means of securing sensitive data. That being said, there are at least four precautions that should be taken.
<li>The sensitive data is encrypted everywhere, including backups</li>
<li>Only authorized users can access decrypted copies of the data </li>
<li>Use a strong algorithm</li>
<li>Strong key is generated, protected from unauthorized access, and key change is planned for.</li><br/>
One additional item to note with rails specifically, the framework makes it easy to determine the type of environment running, example:
<pre class="ruby">
Rails.env.production?
</pre>
...or
<pre class="ruby">
Rails.env.development?
</pre>
This allows developers to easily create different keys for development and production and should be considered an asset to utilize. While development keys are usually stored within the source code of most rails applications, and developers with access to the repo can download those keys, the same should NOT hold true for production keys.
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a style="background-color: rgb(181, 121, 158)" href="#collapseSSNFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-aid icon-white">
</i>
Hint
</a>
</div>
<div class="accordion-body collapse" id="collapseSSNFour" style="height: 0px;">
<div class="accordion-inner">
How protected are those passwords in the database against cracking?
</div>
</div>
</div>
</div>
</div>
</div>
app/views/sessions/new.html.erb
+1
View File
@@ -13,6 +13,7 @@
</div>
<div class="content">
<%= hidden_field_tag :url, @url%>
<%= label_tag "Email Address" %>
<%= text_field_tag :email, params[:email], {:class => "input input-block-level"} %>
app/views/tutorials/crypto.html.erb
+7
View File
@@ -5,6 +5,13 @@
<%= render :partial => "layouts/tutorial/crypto/password_hashing" %>
</div> <!-- End of span-->
</div>
<!--
<div class="row-fluid">
<div class="span12">
<%#= render :partial => "layouts/tutorial/crypto/ssn" %>
</div>
</div>
-->
</div>
</div>