Fred Nixon
ea8e9901f4
On branch strong-params
...
Your branch is behind 'origin/strong-params' by 1 commit, and can be fast-forwarded.
I'll pull to catch up after this commit
Change code to whitelist params
Remove attr_accessible lines
Add strong_params to Gemfile, since this branch is still on Rails 3
Mixin to ActiveRecord::Base ActiveModel::ForbiddenAttributesProtection
Use an initializer for the mixin
2014-12-05 15:04:01 -05:00
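As an added illustration (not code from the RailsGoat repository), the whitelisting described in the commit above, re-implemented in plain Ruby so it runs without Rails. `Params` stands in for the `strong_parameters` gem's `ActionController::Parameters` (`require`/`permit`), and `ForbiddenAttributesProtection` mirrors the logic of `ActiveModel::ForbiddenAttributesProtection` that the commit mixes into `ActiveRecord::Base`: an object that responds to `permitted?` is rejected unless a whitelist has been applied. The class names, the `User` model, the `admin` column and the tampered request are assumptions made up for the example.

```ruby
# Added example, not RailsGoat code: a Rails-free re-implementation of the
# pieces the strong-params commit wires together.

# Mimics ActionController::Parameters from the strong_parameters gem: a hash
# wrapper that only becomes "permitted" once a whitelist is applied.
class Params
  attr_reader :to_h

  def initialize(hash, permitted: false)
    @to_h = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # params.require(:user): fail if the key is missing or empty
  # (the real gem raises ActionController::ParameterMissing).
  def require(key)
    value = @to_h[key.to_s]
    raise KeyError, "param is missing or empty: #{key}" if value.nil? || value.empty?
    Params.new(value)
  end

  # params.permit(:name, :email): keep only the whitelisted keys and mark
  # the result as safe for mass assignment.
  def permit(*allowed)
    allowed = allowed.map(&:to_s)
    Params.new(@to_h.select { |k, _| allowed.include?(k) }, permitted: true)
  end
end

# Mimics ActiveModel::ForbiddenAttributesProtection (mixed into
# ActiveRecord::Base from an initializer in the commit): anything that
# responds to permitted? must answer true before it may be mass-assigned.
class ForbiddenAttributesError < StandardError; end

module ForbiddenAttributesProtection
  def sanitize_for_mass_assignment(attributes)
    if attributes.respond_to?(:permitted?) && !attributes.permitted?
      raise ForbiddenAttributesError
    end
    attributes.respond_to?(:to_h) ? attributes.to_h : attributes
  end
end

# Stand-in for an ActiveRecord model that has an `admin` column.
class User
  include ForbiddenAttributesProtection
  attr_reader :name, :email, :admin

  def initialize(attributes = {})
    attrs  = sanitize_for_mass_assignment(attributes)
    @name  = attrs["name"]
    @email = attrs["email"]
    @admin = attrs.fetch("admin", false)
  end
end

# Constructed request: an attacker adds admin=true to the signup form.
TAMPERED_REQUEST = {
  "user" => { "name" => "mallory", "email" => "m@example.com", "admin" => "true" }
}

# attr_accessible removed, no permit call: the unpermitted Params object
# reaches the model and the mixin raises instead of setting admin.
def create_without_whitelist(request)
  User.new(Params.new(request).require(:user))
end

# After the commit: whitelist in the controller, then hand off to the model.
def create_with_whitelist(request)
  User.new(Params.new(request).require(:user).permit(:name, :email))
end

# Caveat: the mixin only inspects objects that respond to permitted?.
# A plain Hash built from raw request data walks straight past it.
def create_from_plain_hash(request)
  User.new(request["user"])
end
```

Running `create_without_whitelist` on the tampered request raises `ForbiddenAttributesError`, `create_with_whitelist` yields a user with `admin` still `false`, and `create_from_plain_hash` shows why the gem-level protection is only as good as the controller's discipline: bypassing `Parameters` bypasses the check.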
cktricky
88ed0e2b50
need to create the bar graph version, write up the remaining parts of the tutorial, and ensure it did not break the DOM vuln
2014-07-29 17:56:33 -05:00
James Espinosa
561e404e29
Fixes #142 with dynamic ActionMailer url options
2014-07-25 23:04:19 -05:00
cktricky
2a12765933
slight change to make our cookie even more insecure
2014-06-27 12:05:50 -04:00
cktricky
8595954096
removed alert when an error is thrown
2014-05-26 16:58:26 -04:00
cktricky
8ed2714f3f
changed constantize to metaprogramming for the addition of tutorials specific to metaprogramming flaws. In addition, the messages portion of the app needed some generic TLC so I have removed the "new" view in order to bring that functionality into the seed message page/view.
2014-05-20 14:25:45 -04:00
Mike McCabe
fceeb94b05
adding mysql env to bundler require
2014-04-17 23:08:55 -04:00
Mike McCabe
c0ea2c87a5
adding mysql environment for mysql sql injection tests
2014-04-17 23:03:46 -04:00
Mike McCabe
6975f94381
adding routes. catching nulls
2014-04-17 20:18:39 -04:00
John Poulin
3f63480022
Added Analytics function to track user hits by ip address, referrer and user agent
2014-04-17 20:03:50 -04:00
cktricky
87f9c825ba
a function to decrypt has been added to the mix
2014-03-16 15:26:33 -04:00
cktricky
1f922916d2
have the ability now to update a row of direct deposit information as well as leverage the encryption routine to introduce a serious flaw
2014-03-15 21:58:42 -04:00
cktricky
16eaefefdf
view portion of adding a column almost complete, then backend logic
2014-03-15 15:29:45 -04:00
cktricky
7a4efaa950
added the basic components to begin working on the pay index view
2014-03-15 10:28:52 -04:00
cktricky
0a647cbbe6
this appears to fix the issue of our test cases breaking. I had specified that if the rails env was a dev env, the key would be a certain value. Instead, it has been changed to any env other than prod
2014-03-14 16:53:44 -04:00
cktricky
7823eadf3c
first round of tests look okay, now we can re-use this function :-)
2014-03-14 16:32:44 -04:00
cktricky
4b0560a250
whew, now THAT is a huge tutorial explanation for a relatively simple issue!
2014-03-12 18:59:38 -04:00
cktricky
95eb5a56fd
added vulnerable auth check for the API
2014-03-12 15:40:12 -04:00
cktricky
932d2304f9
okay first run at making an API for railsgoat
2014-03-12 12:38:41 -04:00
Mike McCabe
abe22b19e9
adding password reset method and changing some logic around
2013-12-11 22:25:02 -05:00
mccabe615
8eb398950f
Merge pull request #76 from jamesejr/feature/user_mailer
...
Implement Forgot Password Feature
2013-12-11 09:19:42 -08:00
James Espinosa
da1845e8f9
Implement working mailer and controller
2013-12-04 00:57:32 -06:00
James Espinosa
1a3d6d690c
Update SMTP settings for Mailcatcher
2013-12-03 21:16:44 -06:00
Al Snow
5cd7a1b9cb
Got rid of i18n warning; Rebuilt Gemfile.lock file
2013-12-03 20:35:04 -05:00
James Espinosa
26e04deb9f
Implement basic password reset mailer
2013-11-25 19:36:33 -06:00
James Espinosa
93d7c2bd44
Add mailtrap.io SMTP settings
2013-11-24 23:57:52 -06:00
Mike McCabe
c7515af6ab
adding basic forgot password controller and views
2013-11-23 16:04:48 -05:00
cktricky
f53ab56e92
fixes a bug introduced during the transition from info_disclosure to A6
2013-11-14 11:06:27 -05:00
cktricky
447c408699
Merge branch 'top-10-2013' of github.com:OWASP/railsgoat into top-10-2013
2013-11-13 18:24:33 -05:00
cktricky
efcb7b8c4b
working on encryption
2013-11-13 18:24:26 -05:00
Mike McCabe
af8776a3ea
halfway done A7
2013-11-13 18:23:38 -05:00
cktricky
9cbdbf01e5
should fix conflicts
2013-11-13 12:19:33 -05:00
cktricky
8c672fd2fc
fixed the route
2013-11-13 12:16:48 -05:00
Mike McCabe
f0ca17df79
updating the information for A9 fixes #27
2013-11-13 11:47:29 -05:00
Mike McCabe
e077ad6815
fixing escaping entities
2013-11-12 19:20:42 -05:00
Mike McCabe
fe9d8b266f
adding security misconfig text
2013-11-12 18:55:14 -05:00
cktricky
6950accce4
A6 exposure, working on the wording for SSNs being stored in the clear
2013-11-12 17:44:27 -05:00
Mike McCabe
108c8d2e2a
turning off whitelisting and entities encoding
2013-11-12 16:11:30 -05:00
cktricky
a65a20a647
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-10-14 08:29:39 -04:00
Mike McCabe
8686f6b9d3
adding messages mvc to allow users to send messages.
2013-10-11 16:03:37 -04:00
cktricky
d909f55ab9
initial write-up for gauntlt
2013-08-08 21:25:52 -04:00
Ken Johnson
ea2014b637
I have exhausted all thoughts on how to actually get jquery file upload to work, so screw it, I am just going to make something homegrown for tomorrow
2013-07-09 13:53:00 -04:00
Ken Johnson
7b900bda2d
fixes issue #24
2013-06-10 16:25:14 -04:00
Ken Johnson
e97afb9bb4
added a very dangerous, very serious vulnerability (constantize
2013-06-02 22:42:29 -04:00
Ken Johnson
caecb88e30
prepping for constantize
2013-06-02 20:35:01 -04:00
Ken Johnson
570eafa01b
this closes issue #9
2013-06-02 20:19:31 -04:00
Ken Johnson
4e445375fa
created the info disclosure write-up. Close issue #16
2013-06-02 12:39:04 -04:00
Ken Johnson
8f1ee5ccbe
trying this
2013-06-01 01:09:01 -04:00
Ken Johnson
0319cc4768
added a few things here. Firstly, I fixed the broken delete function with the admin page. Secondly, whenever you register for this application, we will automatically populate your user data to make the application functional. Seemed like the easiest way to do this
2013-06-01 00:19:07 -04:00
Ken Johnson
379c442049
I have added the performance model, controller, route and seed data, now I am working on the actual visual aspects of the page
2013-05-31 14:45:31 -04:00