team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
262 Commits 1 Branch 0 Tags
7ddec28bcc6613aad94ce3d56ae6cb7dad0b7334
Commit Graph

162 Commits

Author SHA1 Message Date
GSMcNamara 7ddec28bcc Removed apostrophe 2013-11-07 15:02:31 -05:00
GSMcNamara 813711d79e Grammar fix. 2013-11-07 14:56:18 -05:00
cktricky 1e93dc3d4d appears to have solved the issue with our code printing stderrs 2013-10-27 22:38:52 -04:00
cktricky 86035a1cbd appears to have solved the issue with our code printing stderrs 2013-10-27 22:38:38 -04:00
cktricky 11480ac853 tests are working again, I will work on surpressing the errors. Also merged @jasnow work 2013-10-27 21:46:12 -04:00
cktricky 6d1c0c7869 merging 2013-10-27 20:17:52 -04:00
cktricky 7c1d52320a does not fix the error that occurs (as it should, but that we want to obfuscate) when a command is injected into, however, it does pass the build and does not break the entire call 2013-10-23 17:11:28 -05:00
Mike McCabe 3820b78066 fixing this function that was not explicitly using the params 2013-10-22 10:16:09 -04:00
cktricky b7c3b04c74 this seems to have fixed a nuisance error within our unit-tests. Issue #57 2013-10-22 00:58:48 -04:00
cktricky d2bc7d740a minor fix 2013-10-14 08:36:52 -04:00
cktricky f02895351d removed a bit of cruft, also activated the sidebar item when working within the messages section 2013-10-13 23:17:18 -04:00
cktricky 7a101a9bb5 fix for issue #44 2013-10-13 21:50:25 -04:00
cktricky 16bd465633 this appears to fix the problem with our accordion not working correctly. I couldnt find a reason to use bootstrap.js anyways. 2013-10-13 21:50:25 -04:00
Mike McCabe 8c17a3df0e adding messaging function, needs tests... 2013-10-13 21:49:17 -04:00
Mike McCabe 8686f6b9d3 adding messages mvc to allow users to send messages. 2013-10-11 16:03:37 -04:00
Mike McCabe dbd0c2548d making full_name method public 2013-10-11 16:03:37 -04:00
Mike McCabe bbed455178 verifying user exists before trying to update 2013-10-09 11:08:39 -04:00
Mike McCabe 73f3272aa1 adding flash message with validation errors, and redirect to sign_up 2013-10-07 15:23:37 -04:00
cktricky da061c79b6 intended to remove some of the weirdness when updating a users account. A blank password basically ends up causing the previously existing password to be hashed twice. Probably move to has_secure_password at some point although that may end up screwing up the intent of the particular tutorial item 2013-09-30 13:03:03 -04:00
chrismo e0bca0139e Added command injection Capybara spec. 2013-09-27 14:59:30 -05:00
Chris Morris 20420be1a6 Fixed logic to strip out user params. 
Disclaimer: changes like these in this sort of app are tricky because
it's harder to presume the intention of the code in question.

The prior line:

```
user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") || "user_id" })
```

returns an empty hash, because of the way the block evaluates:

```
irb(main):002:0> k = 'foo'
=> "foo"
irb(main):003:0> k == ("password" || "password_confirmation") || "user_id"
=> "user_id"
```

Before the last change to that line, without 'user_id' outside the
params, it didn't evaluate properly either:

```
irb(main):007:0> k = 'password_confirmation'
=> "password_confirmation"
irb(main):008:0> k == ("password" || "password_confirmation")
=> false
irb(main):009:0> ("password" || "password_confirmation")
=> "password"
```

So, in the normal use case for this form, you can't update any other
attribute of the User. To me, that's probably the best argument for
making this change, but it does simplify the SQL Injection attack
(although perhaps the prior complication was intended).

Before this change, injecting conditional SQL into the user_id param in
the account_settings update call would allow the password of whatever
account is found (e.g. the first one if injecting 'OR 1=1') to be reset,
but without additional attacks, the email address of that account is not
known.

After this change, the email address of that account now is also updated
in addition to the password, making it simpler to get in as an admin --
though you're still presuming the first account to be an admin.
 2013-09-25 16:56:34 -05:00
cktricky aab489ef40 fix for performance bug 2013-09-10 21:58:29 -04:00
Michael McCabe 69c180e845 minor changes to spec_helper and user model 2013-09-06 15:54:06 -04:00
cktricky 65eb2caeaf made a suggestion based on digininjas comment on Rails tutorials blog post. Better to change method name to hash_password than encrypt_password 2013-08-08 16:57:58 -04:00
cktricky f67bd0f5ed correct naming within the command injection tutorial 2013-07-28 19:44:51 -04:00
Ken Johnson 14c1fb367d added a tutorial for command injection 2013-07-10 20:42:04 -04:00
Ken Johnson 82b5809bee almost finished with the write-up for the command injection vulnerability 2013-07-10 11:41:36 -04:00
Ken Johnson ce6f32a1a2 working command injection in fileupload, closes issue #23 2013-07-09 16:36:03 -04:00
Ken Johnson ea2014b637 I have exhausted all thoughts on how to actually get jquery file upload to work, so screw it, I am just going to make something homegrown for tomorrow 2013-07-09 13:53:00 -04:00
Ken Johnson 1a79471ef8 trying to fix a bug where you have to click twice on the tutorial credentials button 2013-06-20 11:28:29 -04:00
Ken Johnson 2e052828a6 taskbar / active enhancement 2013-06-16 00:49:28 -04:00
Ken Johnson 7b900bda2d fixes issue #24 2013-06-10 16:25:14 -04:00
Ken Johnson 56381fe318 fixed issue #25 2013-06-10 15:27:21 -04:00
Ken Johnson 5ea8006fc1 closes issue #22 2013-06-07 09:05:11 -04:00
Ken Johnson 39d2e9d79f finished CSRF/AJAX, closes issue #21 2013-06-06 22:40:52 -04:00
Ken Johnson d445e59a98 this fixes issue #20, seriously, no clue how I missed the missing constantize code 2013-06-06 16:43:58 -04:00
Ken Johnson 9d42453b05 removed pesky files 2013-06-04 16:00:30 -04:00
Ken Johnson bdf3f20955 added a license 2013-06-04 14:17:12 -04:00
Ken Johnson b76283910c holding off on the last issue until i confirm whether or not oreoshake can cover secure headers here 2013-06-04 14:06:10 -04:00
Ken Johnson bb2985018d closes issue #7 2013-06-04 13:59:41 -04:00
Ken Johnson 089e9540ac finished admin filter and write-up for issue #6 2013-06-04 11:49:59 -04:00
Ken Johnson b0ace5ebef added write-up for issue #8 2013-06-04 11:24:39 -04:00
Ken Johnson ef2b2e8e11 okay, finally got a working redirect vuln 2013-06-04 11:00:01 -04:00
Ken Johnson e1dfb8309c finished the write-up for crytpo vuln, close issue #5 2013-06-03 18:08:21 -04:00
Ken Johnson 0b09e0d4c1 added the primary insecure crypto storage vuln 2013-06-03 12:52:24 -04:00
Ken Johnson 6d5623a423 changed SQLi vuln location, did write-up, closes issue #1 2013-06-03 12:31:34 -04:00
Ken Johnson 6528b56de6 added a sql injection vulnerability 2013-06-03 02:19:36 -04:00
Ken Johnson 2ac771ca50 Issue #3 can be closed, write-up and vuln complete for A4 2013-06-03 01:54:07 -04:00
Ken Johnson 14251e6f39 added Insecure dor vuln 2013-06-03 01:29:16 -04:00
Ken Johnson 912c34a26e finished the writeup for password complexity 2013-06-03 01:11:51 -04:00