cktricky
14bff998dd
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-11-12 16:07:23 -05:00
Michael McCabe
7833b85837
updating description with owasp 2013 description
2013-11-12 15:24:07 -05:00
GSMcNamara
09c0f07d8b
Lowercased a letter.
2013-11-07 15:06:05 -05:00
GSMcNamara
7ddec28bcc
Removed apostrophe
2013-11-07 15:02:31 -05:00
GSMcNamara
813711d79e
Grammar fix.
2013-11-07 14:56:18 -05:00
cktricky
1e93dc3d4d
appears to have solved the issue with our code printing stderrs
2013-10-27 22:38:52 -04:00
cktricky
86035a1cbd
appears to have solved the issue with our code printing stderrs
2013-10-27 22:38:38 -04:00
cktricky
11480ac853
tests are working again, I will work on suppressing the errors. Also merged @jasnow's work
2013-10-27 21:46:12 -04:00
cktricky
6d1c0c7869
merging
2013-10-27 20:17:52 -04:00
cktricky
7c1d52320a
does not fix the error that occurs (as it should, but that we want to obfuscate) when a command is injected into, however, it does pass the build and does not break the entire call
2013-10-23 17:11:28 -05:00
cktricky
c6e42901c7
fixing a mistake
2013-10-22 10:38:23 -04:00
cktricky
1817251af5
changes
2013-10-22 10:38:00 -04:00
Mike McCabe
3820b78066
fixing this function that was not explicitly using the params
2013-10-22 10:16:09 -04:00
cktricky
b7c3b04c74
this seems to have fixed a nuisance error within our unit-tests. Issue #57
2013-10-22 00:58:48 -04:00
cktricky
753840a276
this seems to have fixed a nuisance error within our unit-tests. Issue #57
2013-10-22 00:57:32 -04:00
cktricky
64f2ad9f9e
very minor sidebar change
2013-10-14 08:46:21 -04:00
cktricky
f9bbbe0a54
oops
2013-10-14 08:44:09 -04:00
cktricky
6897996394
merged
2013-10-14 08:42:27 -04:00
cktricky
940181f397
merged some content
2013-10-14 08:39:20 -04:00
cktricky
d2bc7d740a
minor fix
2013-10-14 08:36:52 -04:00
cktricky
a65a20a647
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-10-14 08:29:39 -04:00
cktricky
f02895351d
removed a bit of cruft, also activated the sidebar item when working within the messages section
2013-10-13 23:17:18 -04:00
cktricky
7a101a9bb5
fix for issue #44
2013-10-13 21:50:25 -04:00
cktricky
16bd465633
this appears to fix the problem with our accordion not working correctly. I couldn't find a reason to use bootstrap.js anyways.
2013-10-13 21:50:25 -04:00
Mike McCabe
8c17a3df0e
adding messaging function, needs tests...
2013-10-13 21:49:17 -04:00
Mike McCabe
8686f6b9d3
adding messages mvc to allow users to send messages.
2013-10-11 16:03:37 -04:00
Mike McCabe
dbd0c2548d
making full_name method public
2013-10-11 16:03:37 -04:00
cktricky
e2c4fb4bd8
change to the user model based on a merge with master. Master is the correct code
2013-10-11 12:04:19 -04:00
Mike McCabe
bbed455178
verifying user exists before trying to update
2013-10-09 11:08:39 -04:00
Mike McCabe
73f3272aa1
adding flash message with validation errors, and redirect to sign_up
2013-10-07 15:23:37 -04:00
cktricky
da061c79b6
intended to remove some of the weirdness when updating a user's account. A blank password basically ends up causing the previously existing password to be hashed twice. Probably move to has_secure_password at some point although that may end up screwing up the intent of the particular tutorial item
2013-09-30 13:03:03 -04:00
cktricky
ef8a9c1a46
merged with master
2013-09-27 21:55:50 -04:00
chrismo
e0bca0139e
Added command injection Capybara spec.
2013-09-27 14:59:30 -05:00
cktricky
825a972e4c
oops
2013-09-27 11:18:04 -04:00
cktricky
c3562592c6
deleted some files
2013-09-27 11:17:16 -04:00
Chris Morris
20420be1a6
Fixed logic to strip out user params.
Disclaimer: changes like these in this sort of app are tricky because
it's harder to presume the intention of the code in question.
The prior line:
```
user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") || "user_id" })
```
returns an empty hash, because of the way the block evaluates:
```
irb(main):002:0> k = 'foo'
=> "foo"
irb(main):003:0> k == ("password" || "password_confirmation") || "user_id"
=> "user_id"
```
Before the last change to that line, without 'user_id' outside the
params, it didn't evaluate properly either:
```
irb(main):007:0> k = 'password_confirmation'
=> "password_confirmation"
irb(main):008:0> k == ("password" || "password_confirmation")
=> false
irb(main):009:0> ("password" || "password_confirmation")
=> "password"
```
So, in the normal use case for this form, you can't update any other
attribute of the User. To me, that's probably the best argument for
making this change, but it does simplify the SQL Injection attack
(although perhaps the prior complication was intended).
Before this change, injecting conditional SQL into the user_id param in
the account_settings update call would allow the password of whatever
account is found (e.g. the first one if injecting 'OR 1=1') to be reset,
but without additional attacks, the email address of that account is not
known.
After this change, the email address of that account now is also updated
in addition to the password, making it simpler to get in as an admin --
though you're still presuming the first account to be an admin.
2013-09-25 16:56:34 -05:00
cktricky
c56dbe54a7
no change really
2013-09-11 10:58:46 -04:00
cktricky
aab489ef40
fix for performance bug
2013-09-10 21:58:29 -04:00
cktricky
6f71d7eda7
bug fix w/ the performance section
2013-09-10 21:57:03 -04:00
cktricky
d5801f0684
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-09-10 13:31:48 -04:00
Michael McCabe
69c180e845
minor changes to spec_helper and user model
2013-09-06 15:54:06 -04:00
cktricky
17e082a63e
I believe the secure_compare tutorial is complete
2013-08-18 20:46:40 -04:00
cktricky
5b6b88a4ba
fixed broken auth numbering and also the incorrect accordion labels within insecure_compare
2013-08-18 20:18:33 -04:00
cktricky
bc74edf28d
latest work towards the secure_compare tutorial
2013-08-18 20:10:36 -04:00
cktricky
3c7a3fc9e4
still working on the timing attack prevention tutorial
2013-08-18 17:39:13 -04:00
cktricky
979b6a229a
working on avoiding timing attacks piece
2013-08-17 21:27:33 -04:00
cktricky
d909f55ab9
initial write-up for gauntlt
2013-08-08 21:25:52 -04:00
cktricky
077e45c819
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-08-08 16:59:14 -04:00
cktricky
65eb2caeaf
made a suggestion based on digininja's comment on Rails tutorials blog post. Better to change method name to hash_password than encrypt_password
2013-08-08 16:57:58 -04:00
cktricky
66445167bd
shifting tutorials
2013-07-28 19:59:03 -04:00