updating the information for A9 fixes #27

app/controllers/tutorials_controller.rb

@@ -15,7 +15,6 @@ class TutorialsController < ApplicationController
   end
   
   def injection
-  
   end
   
   def xss
@@ -62,6 +61,9 @@ class TutorialsController < ApplicationController
   
   def misconfig
   end
+
+  def insecure_components
+  end
   
   def crypto
   end

app/views/layouts/tutorial/_sidebar.html.erb

@@ -74,7 +74,7 @@
       <% end %>
     </li>
     <li id="ssl_tls">
-      <%= link_to ssl_tls_tutorials_path do %>
+      <%= link_to insecure_components_tutorials_path do %>
         <div class="icon">
           <span class="fs1" aria-hidden="true" data-icon="&#xe094;"></span>
         </div>

app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb

@@ -0,0 +1,81 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A9 - Using Components with Known Vulnerabilities
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
+            <div class="accordion-inner">
+              <p class="desc">
+              Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse.
+	 		        </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
+            <div class="accordion-inner">
+              <p class="desc">
+				Within the Gemfile the following gem versions are set. These versions of Rails and Rack are both vulnerable to multiple attacks.
+	 		  </p>
+	 		  <pre class="ruby">
+				<%= %q{
+          gem 'rails', '3.2.11'
+          gem 'rack', '1.4.3'
+				} %>
+			  </pre>
+			  <p class="desc">
+			  </p>	
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
+            <div class="accordion-inner">
+			  <p class="desc">
+				    To fix this issue, simply update your gems after unpinning the gem versions. You should always run the most up to date version possible and run Bundler-Audit Regularly.
+	          </p>
+            </div>
+          </div>
+        </div>
+      	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
+            <div class="accordion-inner">
+                Remeber to keep your gems up to date!
+            </div>
+          </div>
+        </div>
+	</div>
+    </div>
+  </div>

app/views/tutorials/insecure_components.html.erb

@@ -0,0 +1,17 @@
+<div class="dashboard-wrapper">
+	<div class="main-container">
+		<div class="row-fluid">
+		    <div class="span12"> <!-- Begin Span12 -->
+		      <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_first" %>
+		    </div> <!-- End Span12 -->
+		</div>
+	</div>
+</div>
+
+<script type="text/javascript">
+function makeActive(){
+	$('li[id="insecure_components"]').addClass('active');
+};
+
+$(document).ready(makeActive);
+</script>

config/routes.rb

@@ -1,84 +1,85 @@
 Railsgoat::Application.routes.draw do
 
-get "login" => "sessions#new"
-get "signup" => "users#new"
-get "logout" => "sessions#destroy"
+  get "login" => "sessions#new"
+  get "signup" => "users#new"
+  get "logout" => "sessions#destroy"
 
-resources :sessions do
+  resources :sessions do
 
-end
-
-resources :users do
-  get "account_settings"
-  
-  resources :retirement do 
-  end
-  
-  resources :paid_time_off do 
-  end
-  
-  resources :work_info do
-  end
-  
-  resources :performance do 
-   
-  end
-  
-  resources :benefit_forms do 
-    
   end
 
-  resources :messages do 
+  resources :users do
+    get "account_settings"
+
+    resources :retirement do
+    end
+
+    resources :paid_time_off do
+    end
+
+    resources :work_info do
+    end
+
+    resources :performance do
+
+    end
+
+    resources :benefit_forms do
+
+    end
+
+    resources :messages do
+    end
+
   end
-  
-end
 
-get "download" => "benefit_forms#download"
-post "upload" => "benefit_forms#upload"
+  get "download" => "benefit_forms#download"
+  post "upload" => "benefit_forms#upload"
 
-resources :tutorials do
-  collection do 
-    get "credentials"
-    get "injection"
-    get "xss"
-    get "broken_auth"
-    get "insecure_dor"
-    get "csrf"
-    get "misconfig"
-    get "crypto"
-    get "url_access"
-    get "ssl_tls"
-    get "redirects"
-    get "guard"
-    get "info_disclosure"
-    get "mass_assignment"
-    get "constantize"
-    get "gauntlt"
+  resources :tutorials do
+    collection do
+      get "credentials"
+      get "injection"
+      get "xss"
+      get "broken_auth"
+      get "insecure_dor"
+      get "csrf"
+      get "misconfig"
+      get "crypto"
+      get "url_access"
+      get "insecure_components"
+      get "ssl_tls"
+      get "redirects"
+      get "guard"
+      get "info_disclosure"
+      get "mass_assignment"
+      get "constantize"
+      get "gauntlt"
+    end
   end
-end
 
-resources :schedule do 
-  collection do
-    get "get_pto_schedule"
+  resources :schedule do
+    collection do
+      get "get_pto_schedule"
+    end
+
   end
-  
-end
 
-resources :admin do
-  get "dashboard"
-  get "get_user"
-  post "delete_user"
-  put "update_user"
-  get "get_all_users"
-end
-
-resources :dashboard do
-  collection do 
-    get "home"
+  resources :admin do
+    get "dashboard"
+    get "get_user"
+    post "delete_user"
+    put "update_user"
+    get "get_all_users"
+  end
+
+  resources :dashboard do
+    collection do
+      get "home"
+    end
   end
-end
 
 
-root :to => "sessions#new"
+  root :to => "sessions#new"
 
-end
+end