Ken Johnson
feba9b7889
Replace modal with dedicated credentials page
Removed complex modal implementation and replaced with simple
link to dedicated credentials page to eliminate all modal issues.
Changes:
- Add credentials action to TutorialsController
- Remove layout false restriction for credentials
- Replace button with simple link_to for Demo Credentials
- Remove entire modal HTML structure
- Remove all JavaScript for modal initialization
- Remove fetch/AJAX complexity
The credentials view already existed but was modal-only. Now it's
a proper page that users can navigate to directly. Much simpler!
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-07 01:50:54 -05:00
Ken Johnson
9f157012b0
Add Rails 8 vulnerabilities aligned with OWASP Top 10 2025
This commit adds comprehensive coverage of OWASP Top 10 2025 categories,
implementing both ReDoS (A05:2025) and Software Supply Chain (A03:2025)
vulnerabilities for educational purposes.
## New Vulnerabilities Added
### A05:2025 - Injection (ReDoS)
- Implemented three ReDoS endpoints in TutorialsController:
  - POST /tutorials/redos_email - Vulnerable email regex with nested quantifiers
  - POST /tutorials/redos_username - Classic (a+)+ pattern
  - POST /tutorials/redos_email_safe - Secure version using URI::MailTo::EMAIL_REGEXP
- Added Regexp.timeout = 1.0 configuration (Rails 8 protection)
- All endpoints include timing and error handling demonstrations
### A03:2025 - Software Supply Chain Failures
- Demonstrated missing SRI on CDN assets in application.html.erb
- Added educational endpoints:
  - GET /tutorials/supply_chain - Comprehensive supply chain vulnerabilities overview
  - GET /tutorials/check_dependencies - Dependency scanning simulation
- Covers: Missing SRI, outdated dependencies, no SBOM, insecure gem sources
## Files Changed
### New Files
- config/initializers/regexp_timeout.rb: Enables Rails 8 ReDoS protection
- spec/controllers/tutorials_controller_spec.rb: 23 passing tests for all endpoints
### Modified Files
- app/controllers/tutorials_controller.rb: Added 5 new educational endpoints
- app/views/layouts/application.html.erb: Added CDN assets WITHOUT SRI (intentional vuln)
- config/routes.rb: Added routes for ReDoS and supply chain endpoints
## Test Coverage
- 23 RSpec tests covering both ReDoS and A03 vulnerabilities
- Tests validate vulnerability behavior, error handling, and educational content
- All tests passing
## Educational Value
- Demonstrates OWASP 2025 categories A03 and A05
- Shows both vulnerable and secure implementations
- Includes real-world CVE examples (British Airways, Magecart)
- Provides mitigation guidance and tool recommendations
This completes 100% coverage of OWASP Top 10 2025 categories in RailsGoat Rails 8.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-06 15:11:54 -05:00
Joseph Mastey
6e0a0a8312
feat(cops): clean rubocop run
1. ignoring one file because it's an intentional vuln
2. made a few small semantic changes, but verified that they're equivalent.
2017-12-06 17:14:25 -06:00
Joseph Mastey
9902345291
chore(rubocop): giganto rubocop commit.
muahahahah
2017-12-05 18:46:21 -06:00
Joseph Mastey
d3fce41e60
change to idiomatic use of layouts versus regular views
no functional change here, but familiar Rails users will see view files in the
locations they expect. this also slightly simplifies controller code
there is one attendant change in the wiki at `rails_3/A1-SQL-Injection-Interpolation.md`
that I'm happy to make after the PR is merged.
2017-09-27 19:22:44 -05:00
Joseph Mastey
c310273606
upgrade(rails 5): change before_filter to before_action
2017-01-19 13:59:14 -06:00
cktricky
efe81fb6a6
okay, a lot of changes but this basically gets us out of tutorials being hosted locally
2015-03-25 19:32:12 -04:00
cktricky
09ba2b3270
going to dynamically load the tutorial page depending on the route folks decide to take
2015-01-06 19:43:23 -05:00
James Espinosa
7e4fad462b
Convert file indentation to spaces
2014-07-05 20:17:27 -05:00
James Espinosa
68e6a01743
Clean up trailing and leading whitespace
2014-07-05 19:15:32 -05:00
cktricky
8ed2714f3f
changed constantize to metaprogramming for the addition of tutorials specific to metaprogramming flaws. In addition, the messages portion of the app needed some generic TLC so I have removed the "new" view in order to bring that functionality into the seed message page/view.
2014-05-20 14:25:45 -04:00
cktricky
4b0560a250
whew, now THAT is a huge tutorial explanation for a relatively simple issue!
2014-03-12 18:59:38 -04:00
cktricky
f53ab56e92
fixes a bug introduced during the transition from info_disclosure to A6
2013-11-14 11:06:27 -05:00
Mike McCabe
af8776a3ea
halfway done A7
2013-11-13 18:23:38 -05:00
Mike McCabe
f0ca17df79
updating the information for A9 fixes #27
2013-11-13 11:47:29 -05:00
cktricky
d909f55ab9
initial write-up for gauntlt
2013-08-08 21:25:52 -04:00
Ken Johnson
7b900bda2d
fixes issue #24
2013-06-10 16:25:14 -04:00
Ken Johnson
39d2e9d79f
finished CSRF/AJAX, closes issue #21
2013-06-06 22:40:52 -04:00
Ken Johnson
caecb88e30
prepping for constantize
2013-06-02 20:35:01 -04:00
Ken Johnson
570eafa01b
this closes issue #9
2013-06-02 20:19:31 -04:00
Ken Johnson
4e445375fa
created the info disclosure write-up. Close issue #16
2013-06-02 12:39:04 -04:00
Ken Johnson
6199beb780
we are going to fix this by automatically generating data for ppl that register. HOWEVER, just in case that fails for some reason, I have applied a filter that ensures that if some data is not associated with a person, they cannot navigate to all aspects of the application. This is a preventive measure.
2013-05-31 19:02:00 -04:00
Ken Johnson
f674a57440
awesome. now we show code snippets in a much better way. Peeps who add to the tutorials will need to enclose code w/ <pre class="ruby"></pre>
2013-05-23 15:18:39 -04:00
Ken Johnson
9c37eb99a1
lost track of what I was doing so I can't tell you what I've done, heh
2013-04-25 15:23:07 -04:00
Ken Johnson
01c246c902
added a bunch of wording
2013-04-25 14:49:20 -04:00
Ken Johnson
db19e5d990
went ahead and filled in XSS
2013-04-25 13:40:50 -04:00
Ken Johnson
726526eabf
added a sidebar element, an index to let ppl know how to get started, and some logic to get users to the tutorials and back into the app regardless of auth or not
2013-04-25 02:11:11 -04:00
Ken Johnson
fda47b3643
changed a bunch of stuff
2013-04-25 01:54:10 -04:00
Ken Johnson
c75c0b20b3
made pages for all of the tutorials
2013-04-25 01:06:42 -04:00
Ken Johnson
9542e3f717
undid some mistakes
2013-04-25 00:46:26 -04:00
Ken Johnson
47ce08bb20
working login, signup, and logout
2013-04-25 00:19:00 -04:00
Ken Johnson
c003bd8a9a
added a tutorial controller to handle all deez toots
2013-04-24 19:20:51 -04:00