fixes a bug introduced during the transition from info_disclosure to A6

cktricky
2013-11-14 11:06:27 -05:00
parent b9e2723175
commit f53ab56e92
6 changed files with 2 additions and 166 deletions
+1 -45
@@ -83,51 +83,7 @@ class TutorialsController < ApplicationController
def guard
end
def info_disclosure
@bad_code_1 =
%q{
<table class="table table-bordered table-striped">
<thead>
<tr>
<th style="width:16%">Full Name</th>
<th style="width:16%">Income</th>
<th style="width:16%">Bonuses</th>
<th style="width:16%">Years w/ MetaCorp</th>
<th style="width:16%">SSN</th>
<th style="width:16%">DoB</th>
</tr>
</thead>
<tbody>
<tr>
<td><%= "#{@user.first_name} #{@user.last_name}" %></td>
<td><%= @user.work_info.income %></td>
<td><%= @user.work_info.bonuses %></td>
<td><%= @user.work_info.years_worked %></td>
<td class="ssn"><%= @user.work_info.SSN %></td>
<td><%= @user.work_info.DoB %></td>
</tr>
</tbody>
</table>
}
@good_code_1 = %q{
class WorkInfo < ActiveRecord::Base
attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
belongs_to :user
# We should probably use this
def last_four
"***-**-" << self.SSN[-4,4]
end
end
}
@bad_code_2 = %q{<td class="ssn"><%= @user.work_info.SSN %></td>}
@good_code_2 = %q{<td class="ssn"><%= @user.work_info.last_four %></td>}
end
def mass_assignment
end
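Review bot: deleting the `info_disclosure` action also deletes the `@bad_code_1`, `@good_code_1`, `@bad_code_2` and `@good_code_2` assignments that the SSN tutorial partial interpolates (`<%= @bad_code_1 %>`, `<%= @good_code_1 %>`, and so on); with only two additions in the whole commit, the A6 action must already define the same four variables, otherwise the A6 partial renders empty `<pre>` blocks without any error. Please confirm that against the A6 action before merging. Separately, if the `last_four` snippet (`"***-**-" << self.SSN[-4,4]`) is carried over as the "good" code, note that it raises `NoMethodError` when `SSN` is nil and still leaves the full SSN in clear text in the database; the partial's own description already flags the storage problem, so the snippet should keep that caveat beside it rather than present masking as the complete fix.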
@@ -106,9 +106,6 @@
<!--<li>
<a href="#">Session Secret</a>
</li>-->
<li id="info_dislosure">
<%= link_to "Info Dislosure", info_disclosure_tutorials_path %>
</li>
<li id="mass_assignment">
<%= link_to "Mass Assignment", mass_assignment_tutorials_path %>
</li>
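Review bot: the removed menu entry's id and label are both misspelled (`id="info_dislosure"`, "Info Dislosure"), and the deleted tutorial view's `makeActive` script selects the same misspelled id (`$('li[id="info_dislosure"]')`), so the highlight only worked because both sides shared the typo. If the A6 entry and its script were created by copying these lines, check that the id in the `<li>` and the id in the jQuery selector still agree; a mismatch does not raise anything, the active-menu highlight just silently stops working.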
@@ -1,98 +0,0 @@
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> Information Disclosure (Sensitive)
</div>
</div>
<div class="widget-body">
<div id="accordion1" class="accordion no-margin">
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-info icon-white">
</i>
Description
</a>
</div>
<div class="accordion-body in collapse" id="collapseOne" style="height: auto;">
<div class="accordion-inner">
<p class="desc">
The application stores and returns full social security numbers. The clear-text storage of this value within the database falls under <%= link_to "Insecure Cryptographic Storage", crypto_tutorials_path, {:style => "color: rgb(181, 121, 158)"}%>. However, the other failure here is that the application returns this full SSN value within the response for the user's Work Info page. Although a portion of the SSN value is obfuscated using JavaScript (when rendered in the browser), any attacker who has positioned themselves to sniff this traffic or read the user's browser cache can extract the full value from the source.
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-bug icon-white">
</i>
Bug
</a>
</div>
<div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
<div class="accordion-inner">
<p>
The bug is introduced within app/views/work_info/index.html.erb, seen on line 20:
</p>
<p>
<pre class="ruby">
<%= @bad_code_1 %>
</pre>
The value, stored unencrypted, is called directly from the database. (line 20)
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-lightning icon-white">
</i>
Solution
</a>
</div>
<div class="accordion-body collapse" id="collapseThree" style="height: 0px;">
<div class="accordion-inner">
<p>
A model method to return only the last four digits already exists. The following code was taken from the WorkInfo model - app/models/work_info.rb:
</p>
<p class="desc">
<pre class="ruby">
<%= @good_code_1%>
</pre>
</p>
<p class="desc">
Essentially, this takes the SSN string from the DB, retrieves only the last four characters in the string, and concatenates the last four characters with asterisks. Because this occurs at the model level, the view page never calls the full SSN value and therefore the user's browser never receives the full SSN. The view code would need to change from...
<pre class="ruby">
<%= @bad_code_2 %>
</pre>
to...
<pre class="ruby">
<%= @good_code_2 %>
</pre>
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a style="background-color: rgb(181, 121, 158)" href="#collapseFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-aid icon-white">
</i>
Hint
</a>
</div>
<div class="accordion-body collapse" id="collapseFour" style="height: 0px;">
<div class="accordion-inner">
<p>
Inspect your work information closely
</p>
</div>
</div>
</div>
</div>
</div>
</div>
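Review bot: if this partial's text was moved into the A6 partial rather than rewritten, two things need checking there. First, the hard-coded references to "line 20" of app/views/work_info/index.html.erb go stale as soon as that view is edited; anchor the bug location on the `<%= @user.work_info.SSN %>` call instead of a line number. Second, the `<pre>` blocks are nested inside `<p>` elements, which is invalid HTML: a `<pre>` start tag implicitly closes an open `<p>`, so each following `</p>` becomes a stray end tag. The Description paragraph's point that JavaScript-side masking does not protect the value, because the full SSN is still in the response body and the browser cache, is the core lesson of this tutorial and should survive the move verbatim.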
@@ -1,18 +0,0 @@
<div class="dashboard-wrapper">
<div class="main-container">
<div class="row-fluid">
<div class="span12"> <!-- Begin Span12 -->
<%= render :partial => "layouts/tutorial/info_disclosure/ssn_disclosure"%>
</div> <!-- End Span12 -->
</div>
</div>
</div>
<script type="text/javascript">
function makeActive(){
$('li[id="info_dislosure"]').addClass('active');
$('li[id="submenu"]').addClass('active open');
};
$(document).ready(makeActive);
</script>
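Review bot: this wrapper renders the partial by path (`layouts/tutorial/info_disclosure/ssn_disclosure`) and the same commit deletes that partial, so any other template still rendering that path fails with `ActionView::MissingTemplate` at request time rather than at boot; grep the views for `info_disclosure/ssn_disclosure` before merging. Minor: the `makeActive` script uses attribute selectors (`$('li[id="submenu"]')`) where `$('#submenu')` would do.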
-1
@@ -52,7 +52,6 @@ Railsgoat::Application.routes.draw do
get "ssl_tls"
get "redirects"
get "guard"
get "info_disclosure"
get "mass_assignment"
get "constantize"
get "gauntlt"
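Review bot: removing `get "info_disclosure"` from the `tutorials` block also removes the `info_disclosure_tutorials_path` helper, so any template or spec that still calls it raises at render time, not at boot; the nav hunk above removes one caller, but grep views and spec/ for the helper before merging. Since the tutorial lives on under A6, consider keeping a route for `info_disclosure` that redirects to the A6 page (Rails' `redirect` routing helper) so existing bookmarks land on the new page instead of a 404.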
@@ -1,6 +1,6 @@
require 'spec_helper'
feature 'sensitive information disclosure' do
feature 'sensitive data exposure' do
before do
UserFixture.reset_all_users
@normal_user = UserFixture.normal_user
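Review bot: only the feature description changes in this hunk ('sensitive information disclosure' to 'sensitive data exposure', which matches the OWASP Top 10 2013 A6 name), but the `info_disclosure` route is removed in this same commit, so the steps below this hunk must visit the A6 path rather than `info_disclosure_tutorials_path` or the scenario errors before its first expectation; the hunk does not show the body, so please confirm it runs green. This spec is also the natural place to assert that the full SSN string is absent from the raw response body, not merely masked in the rendered DOM, since the deleted description identifies JavaScript-only masking as the failure; if the scenario does not already do that, add it.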