From ef2bc20c970528aefca623ab698c6efb47698bc5 Mon Sep 17 00:00:00 2001
From: cktricky <ken.johnson@nvisiumsecurity.com>
Date: Thu, 11 Sep 2014 11:01:56 -0400
Subject: [PATCH] working on the httponly tutorial

---
 app/models/user.rb                            |  4 +-
 app/views/layouts/shared/_header.html.erb     |  2 +-
 .../broken_auth_sess/_httponly_flag.html.erb  | 75 +++++++++++++++++++
 .../_insecure_compare.html.erb                |  2 +-
 app/views/tutorials/broken_auth.html.erb      |  5 ++
 5 files changed, 84 insertions(+), 4 deletions(-)
 create mode 100644 app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb

diff --git a/app/models/user.rb b/app/models/user.rb
index 9c5cc7f..23922eb 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -62,7 +62,7 @@ class User < ActiveRecord::Base
     return auth
   end
 
-=begin
+#=begin
   # More secure version, still lacking a decent hashing routine, this is for timing attack prevention
   def self.authenticate(email, password)
        user = find_by_email(email) || User.new(:password => "")
@@ -72,7 +72,7 @@ class User < ActiveRecord::Base
           raise "Incorrect username or password"
         end
    end
-=end
+#=end
 
   def assign_user_id
     unless @skip_user_id_assign.present? || self.user_id.present?
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index 0be9691..b2ee16d 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
@@ -26,7 +26,7 @@
     going on with funny chars and jquery, plus it says safe so I'm guessing
     nothing bad will happen
     -->
-    Welcome, <%= current_user.first_name.html_safe %>
+    Welcome, <%= current_user.first_name %>
      </li>
      <li>
     <%= button_to "RailsGoat Tutorials", tutorials_path, {:class => "btn btn-primary", :method => "get"}%>
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
new file mode 100644
index 0000000..52a13a5
--- /dev/null
+++ b/app/views/layouts/tutorial/broken_auth_sess/_httponly_flag.html.erb
@@ -0,0 +1,75 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A2 - Broken Authentication and Session Management - Lack of HttpOnly Flag
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseHttpOnlyOne" style="height: auto;">
+            <div class="accordion-inner">
+        		INSERT DESC
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyTwo" style="height: 0px;">
+            <div class="accordion-inner">
+				<p class="desc">
+					By default, Ruby on Rails protects it's cookies with the HttpOnly flag. However, it is possible to disable this security protection and is not recommended. You can disable this protection using the flag highlighted below. This is an insecure and unnecessary change.
+				</p>	
+       			<pre class="ruby">
+Railsgoat::Application.config.session_store :cookie_store, key: '_railsgoat_session', <span style="background:yellow">httponly: false</span>
+				</pre>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseHttpOnlyThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyThree" style="height: 0px;">
+            <div class="accordion-inner">
+              <p><b>Lack of Password Complexity - SOLUTION</b></p>
+        	  	INSERT SOLUTION
+            </div>
+          </div>
+        </div>
+    <div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseHttpOnlyFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseHttpOnlyFour" style="height: 0px;">
+            <div class="accordion-inner">
+        <p class="desc">
+         INSERT DESC
+        </p>
+             </div>
+          </div>
+        </div>
+      </div>
+    </div>
+</div>
diff --git a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
index 98cc566..de35813 100644
--- a/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
+++ b/app/views/layouts/tutorial/broken_auth_sess/_insecure_compare.html.erb
@@ -67,7 +67,7 @@
           </div>
           <div class="accordion-body collapse" id="collapseCompThree" style="height: 0px;">
             <div class="accordion-inner">
-              <p><b>Lack of Password Complexity - SOLUTION</b></p>
+              <p><b>Insecure Timing Attacks - SOLUTION</b></p>
         <p>
         Within app/models/user.rb:
         </p>
diff --git a/app/views/tutorials/broken_auth.html.erb b/app/views/tutorials/broken_auth.html.erb
index 4953d5b..4b9056c 100755
--- a/app/views/tutorials/broken_auth.html.erb
+++ b/app/views/tutorials/broken_auth.html.erb
@@ -15,6 +15,11 @@
           <%= render :partial => ("layouts/tutorial/broken_auth_sess/insecure_compare")%>
         </div> <!-- End Span12-->
     </div>
+    <div class="row-fluid">
+        <div class="span12">
+          <%= render :partial => ("layouts/tutorial/broken_auth_sess/httponly_flag")%>
+        </div> <!-- End Span12-->
+    </div>
   </div>
 </div>