diff --git a/app/controllers/tutorials_controller.rb b/app/controllers/tutorials_controller.rb
index f88edba..fb4d61d 100755
--- a/app/controllers/tutorials_controller.rb
+++ b/app/controllers/tutorials_controller.rb
@@ -15,7 +15,6 @@ class TutorialsController < ApplicationController end def injection - end def xss
@@ -62,6 +61,9 @@ class TutorialsController < ApplicationController def misconfig end + + def insecure_components + end def crypto end
diff --git a/app/views/layouts/tutorial/_sidebar.html.erb b/app/views/layouts/tutorial/_sidebar.html.erb
index 5eb1d72..0f5328e 100755
--- a/app/views/layouts/tutorial/_sidebar.html.erb
+++ b/app/views/layouts/tutorial/_sidebar.html.erb
@@ -74,7 +74,7 @@ <% end %>
  •
- <%= link_to ssl_tls_tutorials_path do %>
+ <%= link_to insecure_components_tutorials_path do %>
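Review bot: The sidebar entry for the SSL/TLS tutorial is replaced rather than supplemented here — `link_to ssl_tls_tutorials_path` becomes `link_to insecure_components_tutorials_path` — while the `ssl_tls` collection route is kept in config/routes.rb by this same commit, so that tutorial is now reachable only by typing its URL. If the intent is to add the new tutorial to the menu, keep the existing item and add a second entry, `<%= link_to insecure_components_tutorials_path do %>`, below it. The link text inside the `do` block and the surrounding list markup fall outside the hunk, so I can't confirm the visible label was changed to match the new target.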
    diff --git a/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb b/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb
new file mode 100644
index 0000000..b5192d5
--- /dev/null
+++ b/app/views/layouts/tutorial/insecure_components/_insecure_components_first.html.erb
@@ -0,0 +1,81 @@
+
    +
    +
    + A9 - Using Components with Known Vulnerabilities +
    +
    +
    +
    +
    + +
    +
    +

    + Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse. +

    +
    +
    +
    +
    + +
    +
    +

    + Within the Gemfile the following gem versions are set. These versions of Rails and Rack are both vulnerable to multiple attacks. +

    +
    +				<%= %q{
    +          gem 'rails', '3.2.11'
    +          gem 'rack', '1.4.3'
    +				} %>
    +			  
    +

    +

    +
    +
    +
    +
    + +
    +
    +

    + To fix this issue, simply update your gems after unpinning the gem versions. You should always run the most up to date version possible and run Bundler-Audit Regularly. +

    +
    +
    +
    +
    + +
    +
    + Remeber to keep your gems up to date! +
    +
    +
    +
    +
    +
    \ No newline at end of file
diff --git a/app/views/tutorials/insecure_components.html.erb b/app/views/tutorials/insecure_components.html.erb
new file mode 100644
index 0000000..271f7a9
--- /dev/null
+++ b/app/views/tutorials/insecure_components.html.erb
@@ -0,0 +1,17 @@
+
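Review bot: The remediation paragraph near the end of this partial tells readers to "simply update your gems after unpinning the gem versions", which is the wrong takeaway for a known-vulnerable-components tutorial: dropping the constraints lets `bundle update` pull in any version, and `Gemfile.lock` keeps the old `rails 3.2.11` / `rack 1.4.3` pins until it is regenerated anyway. I'd rephrase it along the lines of `Raise the pinned versions of rails and rack to releases that fix the published advisories, regenerate Gemfile.lock, and run bundler-audit in CI so new advisories are caught as they are published.` The closing line also has a typo, `Remeber` → `Remember`, and `Bundler-Audit Regularly` reads better as `bundler-audit regularly`. The `%q{ ... }` block used to print the Gemfile excerpt is a static string literal, so the code sample itself renders as intended.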
    +
    +
    +
    + <%= render :partial => "layouts/tutorial/insecure_components/insecure_components_first" %> +
    +
    +
    +
    + +
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index a58b21e..6aaa2c7 100755
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,84 +1,85 @@ Railsgoat::Application.routes.draw do -get "login" => "sessions#new" -get "signup" => "users#new" -get "logout" => "sessions#destroy" + get "login" => "sessions#new" + get "signup" => "users#new" + get "logout" => "sessions#destroy" -resources :sessions do + resources :sessions do -end - -resources :users do - get "account_settings" - - resources :retirement do - end - - resources :paid_time_off do - end - - resources :work_info do - end - - resources :performance do - - end - - resources :benefit_forms do - end - resources :messages do + resources :users do + get "account_settings" + + resources :retirement do + end + + resources :paid_time_off do + end + + resources :work_info do + end + + resources :performance do + + end + + resources :benefit_forms do + + end + + resources :messages do + end + end - -end -get "download" => "benefit_forms#download" -post "upload" => "benefit_forms#upload" + get "download" => "benefit_forms#download" + post "upload" => "benefit_forms#upload" -resources :tutorials do - collection do - get "credentials" - get "injection" - get "xss" - get "broken_auth" - get "insecure_dor" - get "csrf" - get "misconfig" - get "crypto" - get "url_access" - get "ssl_tls" - get "redirects" - get "guard" - get "info_disclosure" - get "mass_assignment" - get "constantize" - get "gauntlt" + resources :tutorials do + collection do + get "credentials" + get "injection" + get "xss" + get "broken_auth" + get "insecure_dor" + get "csrf" + get "misconfig" + get "crypto" + get "url_access" + get "insecure_components" + get "ssl_tls" + get "redirects" + get "guard" + get "info_disclosure" + get "mass_assignment" + get "constantize" + get "gauntlt" + end end -end -resources :schedule do - collection do - get "get_pto_schedule" + resources :schedule do + collection do + get "get_pto_schedule" + end + end - -end -resources :admin do - get "dashboard" - get "get_user" - post "delete_user" - put "update_user" - get "get_all_users" -end - -resources 
:dashboard do - collection do - get "home" + resources :admin do + get "dashboard" + get "get_user" + post "delete_user" + put "update_user" + get "get_all_users" + end + + resources :dashboard do + collection do + get "home" + end end -end -root :to => "sessions#new" + root :to => "sessions#new" -end +end \ No newline at end of file
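Review bot: The single functional line in this hunk, `+ get "insecure_components"` inside the `resources :tutorials` collection block, is buried in a whole-file re-indentation, so the change can only be reviewed with whitespace ignored and `git blame` will now attribute every route to this commit; please split the re-indent into a formatting-only commit. The new side also ends without a trailing newline (see the `\ No newline at end of file` marker on the closing `end`), which should be restored. A broader point not introduced here: every `resources` declaration still exposes all seven RESTful actions regardless of which ones the controllers implement, and if that is deliberate (this looks like a deliberately vulnerable training app) a one-line comment saying so would spare the next reader from "fixing" it with `only:`.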