Commit Graph

92 Commits

Author SHA1 Message Date
Fred Nixon ea8e9901f4 On branch strong-params
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.

I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
Al Snow 87fed3a305 Rebuilt Gemfile.lock file; Fixed Time.now issue 2014-10-28 13:45:12 -04:00
cktricky 7e38ac845f oops, omitted a couple of important features/vulnerabilities 2014-09-11 11:13:15 -04:00
cktricky ef2bc20c97 working on the httponly tutorial 2014-09-11 11:01:56 -04:00
James Espinosa 7e4fad462b Convert file indentation to spaces 2014-07-05 20:17:27 -05:00
James Espinosa 68e6a01743 Clean up trailing and leading whitespace 2014-07-05 19:15:32 -05:00
James Espinosa ad784fd099 Remove placeholders from non-empty directories 2014-07-03 07:38:12 -05:00
Rory McCune 239c96039b Update benefits.rb to accept binary file types.
The modification allows binary file types (e.g. MS word docs) to be uploaded without encountering encoding errors
2014-05-22 19:31:33 +01:00
John Poulin 5bb9c75f06 Added fix for Analytics SQLi 2014-04-17 20:05:07 -04:00
John Poulin 3f63480022 Added Analytics function to track user hits by ip address, referrer and user agent 2014-04-17 20:03:50 -04:00
Mike McCabe 8bc20e8f91 fixing name in messages 2014-04-17 19:56:48 -04:00
cktricky 7a89ae6f17 added the tutorial for the newest logic flaw 2014-03-16 22:10:19 -04:00
cktricky 3a5818c493 the basics of a working remember-me-logic-flaw completed :-) 2014-03-15 22:30:31 -04:00
cktricky 1f922916d2 have the ability now to update a row of direct deposit information as well as leverage the encryption routine to introduce a serious flaw 2014-03-15 21:58:42 -04:00
cktricky 2c8781ebc1 added a pay controller and model 2014-03-14 20:29:14 -04:00
cktricky 7823eadf3c first round of tests look okay, now we can re-use this function :-) 2014-03-14 16:32:44 -04:00
cktricky 62920b535c Merge branch 'master' of github.com:OWASP/railsgoat into pr-96 2014-03-14 14:00:56 -04:00
cktricky d0e825fc17 making sure this is up to date 2014-03-14 14:00:51 -04:00
cktricky 48ddc99955 some basic api functionality with a few gotchas 2014-03-12 17:45:08 -04:00
relotnek 4e6006dcc8 added before_create generate token to user model 2014-03-11 20:29:43 -04:00
relotnek e7c30151d4 added token to users model and generate token method to users controller 2014-03-11 20:28:15 -04:00
ecneladis 84fd9503ca Removed duplicated code from exemplary validations for password 2014-03-06 19:40:33 +01:00
cktricky b84c8d4cc7 finished write-up for broken auth 2013-11-14 10:47:27 -05:00
cktricky b605a42812 got the code kicked off so we can encrypt SSN(s) in the database 2013-11-13 19:51:42 -05:00
cktricky efcb7b8c4b working on encryption 2013-11-13 18:24:26 -05:00
cktricky d9956caec1 removed orig file 2013-11-13 14:18:25 -05:00
cktricky 665ccb2167 removed orig file and also began encryption related stuff for ssn(s) 2013-11-13 14:01:29 -05:00
cktricky 14bff998dd Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013 2013-11-12 16:07:23 -05:00
cktricky 86035a1cbd appears to have solved the issue with our code printing stderrs 2013-10-27 22:38:38 -04:00
cktricky 11480ac853 tests are working again, I will work on suppressing the errors. Also merged @jasnow work 2013-10-27 21:46:12 -04:00
cktricky 6d1c0c7869 merging 2013-10-27 20:17:52 -04:00
cktricky 7c1d52320a does not fix the error that occurs (as it should, but that we want to obfuscate) when a command is injected into; however, it does pass the build and does not break the entire call 2013-10-23 17:11:28 -05:00
cktricky c6e42901c7 fixing a mistake 2013-10-22 10:38:23 -04:00
cktricky 1817251af5 changes 2013-10-22 10:38:00 -04:00
Mike McCabe 3820b78066 fixing this function that was not explicitly using the params 2013-10-22 10:16:09 -04:00
cktricky b7c3b04c74 this seems to have fixed a nuisance error within our unit-tests. Issue #57 2013-10-22 00:58:48 -04:00
cktricky 753840a276 this seems to have fixed a nuisance error within our unit-tests. Issue #57 2013-10-22 00:57:32 -04:00
cktricky a65a20a647 Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013 2013-10-14 08:29:39 -04:00
Mike McCabe 8c17a3df0e adding messaging function, needs tests... 2013-10-13 21:49:17 -04:00
Mike McCabe 8686f6b9d3 adding messages mvc to allow users to send messages. 2013-10-11 16:03:37 -04:00
Mike McCabe dbd0c2548d making full_name method public 2013-10-11 16:03:37 -04:00
cktricky e2c4fb4bd8 change to the user model based on a merge with master. Master is the correct code 2013-10-11 12:04:19 -04:00
cktricky da061c79b6 intended to remove some of the weirdness when updating a user's account. A blank password basically ends up causing the previously existing password to be hashed twice. Probably move to has_secure_password at some point, although that may end up screwing up the intent of the particular tutorial item 2013-09-30 13:03:03 -04:00
cktricky ef8a9c1a46 merged with master 2013-09-27 21:55:50 -04:00
chrismo e0bca0139e Added command injection Capybara spec. 2013-09-27 14:59:30 -05:00
cktricky c56dbe54a7 no change really 2013-09-11 10:58:46 -04:00
cktricky aab489ef40 fix for performance bug 2013-09-10 21:58:29 -04:00
cktricky 6f71d7eda7 bug fix w/ the performance section 2013-09-10 21:57:03 -04:00
cktricky d5801f0684 Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013 2013-09-10 13:31:48 -04:00
Michael McCabe 69c180e845 minor changes to spec_helper and user model 2013-09-06 15:54:06 -04:00