updating the information for A9 fixes #27
@@ -15,7 +15,6 @@ class TutorialsController < ApplicationController
|
|||||||
end
|
end
|
||||||
|
|
||||||
def injection
|
def injection
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def xss
|
def xss
|
||||||
@@ -63,6 +62,9 @@ class TutorialsController < ApplicationController
|
|||||||
def misconfig
|
def misconfig
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def insecure_components
|
||||||
|
end
|
||||||
|
|
||||||
def crypto
|
def crypto
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|||||||
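--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -74,7 +74,7 @@
 <% end %>
 </li>
 <li id="ssl_tls">
-<%= link_to ssl_tls_tutorials_path do %>
+<%= link_to insecure_components_tutorials_path do %>
 <div class="icon">
 <span class="fs1" aria-hidden="true" data-icon=""></span>
 </div>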
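Review bot: The `<li id="ssl_tls">` three lines above the changed link keeps its old id while the link now points at `insecure_components_tutorials_path`; the new tutorial view in this commit highlights the nav entry with `$('li[id="insecure_components"]')`, which will not match this element, so the A9 entry will never show as active. Change the opening tag to `<li id="insecure_components">`. It also looks like the SSL/TLS entry was repurposed rather than a new one added, while `get "ssl_tls"` remains in the routes hunk — if that tutorial should stay reachable from the nav, add a separate `<li>` for the new entry instead of rewriting this one. The enclosing list starts and ends outside the hunk.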
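--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,81 @@
+<div class="widget">
+<div class="widget-header">
+<div class="title">
+<span class="fs1" aria-hidden="true" data-icon=""></span> A9 - Using Components with Known Vulnerabilities
+</div>
+</div>
+<div class="widget-body">
+<div id="accordion1" class="accordion no-margin">
+<div class="accordion-group">
+<div class="accordion-heading">
+<a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+<i class="icon-info icon-white">
+</i>
+Description
+</a>
+</div>
+<div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
+<div class="accordion-inner">
+<p class="desc">
+Virtually every application has these issues because most development teams don’t focus on ensuring their components/libraries are up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse.
+</p>
+</div>
+</div>
+</div>
+<div class="accordion-group">
+<div class="accordion-heading">
+<a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+<i class="icon-bug icon-white">
+</i>
+Bug
+</a>
+</div>
+<div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
+<div class="accordion-inner">
+<p class="desc">
+Within the Gemfile the following gem versions are set. These versions of Rails and Rack are both vulnerable to multiple attacks.
+</p>
+<pre class="ruby">
+<%= %q{
+gem 'rails', '3.2.11'
+gem 'rack', '1.4.3'
+} %>
+</pre>
+<p class="desc">
+</p>
+</div>
+</div>
+</div>
+<div class="accordion-group">
+<div class="accordion-heading">
+<a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+<i class="icon-lightning icon-white">
+</i>
+Solution
+</a>
+</div>
+<div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
+<div class="accordion-inner">
+<p class="desc">
+To fix this issue, simply update your gems after unpinning the gem versions. You should always run the most up to date version possible and run Bundler-Audit Regularly.
+</p>
+</div>
+</div>
+</div>
+<div class="accordion-group">
+<div class="accordion-heading">
+<a style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+<i class="icon-aid icon-white">
+</i>
+Hint
+</a>
+</div>
+<div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
+<div class="accordion-inner">
+Remeber to keep your gems up to date!
+</div>
+</div>
+</div>
+</div>
+</div>
+</div>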
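Review bot: The hint text `Remeber to keep your gems up to date!` has a typo; change it to `Remember to keep your gems up to date!`. The Solution paragraph tells the reader to update "after unpinning the gem versions", which trades a known-vulnerable pin for an unreproducible build; I would reword it to advise bumping the pinned versions (and the lockfile) to patched releases and running `bundler-audit` regularly, and drop the stray capitals in "Bundler-Audit Regularly". The empty `<p class="desc"></p>` after the `</pre>` renders nothing and should be removed or filled, for example with a sentence saying that the pinned versions shown are the ones the Bug section refers to and where a reader can look up the published advisories for them. The `<%= %q{ ... } %>` snippet is emitted through `<%=`, so it is HTML-escaped by Rails as written; no change needed there.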
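--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,17 @@
+<div class="dashboard-wrapper">
+<div class="main-container">
+<div class="row-fluid">
+<div class="span12"> <!-- Begin Span12 -->
+<%= render :partial => "layouts/tutorial/insecure_components/insecure_components_first" %>
+</div> <!-- End Span12 -->
+</div>
+</div>
+</div>
+
+<script type="text/javascript">
+function makeActive(){
+$('li[id="insecure_components"]').addClass('active');
+};
+
+$(document).ready(makeActive);
+</script>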
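Review bot: `function makeActive(){ ... };` in the inline script closes a function declaration with a stray semicolon; it is harmless but reads as a typo, so drop it, and `$('#insecure_components')` says the same thing as `$('li[id="insecure_components"]')` in the conventional form. Whether that selector matches anything depends on the nav layout giving its `<li>` this id, which I have raised on the layout hunk. The `:partial =>` hash-rocket style is presumably what the sibling tutorial views use; if not, `render partial: "layouts/tutorial/insecure_components/insecure_components_first"` is the current form.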
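--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -47,6 +47,7 @@ resources :tutorials do
 get "misconfig"
 get "crypto"
 get "url_access"
+get "insecure_components"
 get "ssl_tls"
 get "redirects"
 get "guard"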