John Poulin
5056f77395
Added codefix example for CSS context XSS.
2014-04-17 20:03:17 -04:00
John Poulin
e760fc0087
merging
2014-04-17 20:03:14 -04:00
Mike McCabe
9fd91a8224
initial commit of mobile controller
2014-04-17 20:00:30 -04:00
cktricky
87f9c825ba
a function to decrypt has been added to the mix
2014-03-16 15:26:33 -04:00
cktricky
3a5818c493
the basics of a working remember-me-logic-flaw completed :-)
2014-03-15 22:30:31 -04:00
cktricky
1f922916d2
have the ability now to update a row of direct deposit information as well as leverage the encryption routine to introduce a serious flaw
2014-03-15 21:58:42 -04:00
cktricky
16eaefefdf
view portion of adding a column almost complete, then backend logic
2014-03-15 15:29:45 -04:00
cktricky
7a4efaa950
added the basic components to begin working on the pay index view
2014-03-15 10:28:52 -04:00
cktricky
2c8781ebc1
added a pay controller and model
2014-03-14 20:29:14 -04:00
cktricky
62920b535c
Merge branch 'master' of github.com:OWASP/railsgoat into pr-96
2014-03-14 14:00:56 -04:00
cktricky
d0e825fc17
making sure this is up to date
2014-03-14 14:00:51 -04:00
cktricky
8daeee09f2
working on cleaning up and testing if I can push changes to a PR
2014-03-14 09:07:52 -04:00
cktricky
4b0560a250
whew, now THAT is a huge tutorial explanation for a relatively simple issue!
2014-03-12 18:59:38 -04:00
cktricky
48ddc99955
some basic api functionality with a few gotchas
2014-03-12 17:45:08 -04:00
cktricky
95eb5a56fd
added vulnerable auth check for the API
2014-03-12 15:40:12 -04:00
cktricky
f4f5d5744c
working on the auth structure for the API
2014-03-12 13:24:37 -04:00
cktricky
932d2304f9
okay first run at making an API for railsgoat
2014-03-12 12:38:41 -04:00
relotnek
b101c286ce
application controller edits
2014-03-11 20:54:38 -04:00
relotnek
6a4bc922bd
added user lookup in application controller by auth_token
2014-03-11 20:40:10 -04:00
relotnek
a5c4dc37a2
added logic in sessions controller for rememberme checkbox
2014-03-11 20:38:26 -04:00
relotnek
015b36d379
added cookie delete to session destroy method
2014-03-11 20:32:12 -04:00
relotnek
a707e75662
added cookies.permanent in replacement of session
2014-03-11 20:31:32 -04:00
Mike McCabe
abe22b19e9
adding password reset method and changing some logic around
2013-12-11 22:25:02 -05:00
James Espinosa
be0d8f7594
Remove unnecessary comment
2013-12-04 00:59:00 -06:00
James Espinosa
da1845e8f9
Implement working mailer and controller
2013-12-04 00:57:32 -06:00
James Espinosa
1a3d6d690c
Update SMTP settings for Mailcatcher
2013-12-03 21:16:44 -06:00
James Espinosa
26e04deb9f
Implement basic password reset mailer
2013-11-25 19:36:33 -06:00
Mike McCabe
ce239e84be
oops, maybe I should actually run the tests before committing
2013-11-23 17:59:41 -05:00
Mike McCabe
c7515af6ab
adding basic forgot password controller and views
2013-11-23 16:04:48 -05:00
cktricky
53dcc75f74
I think there was a subtle bug in the intentional security bypass within the admin controller
2013-11-14 15:05:00 -05:00
cktricky
f53ab56e92
fixes a bug introduced during the transition from info_disclosure to A6
2013-11-14 11:06:27 -05:00
cktricky
b84c8d4cc7
finished write-up for broken auth
2013-11-14 10:47:27 -05:00
Mike McCabe
235b6418d0
A7 adding before filter to see if admin or admin_id is 1
2013-11-13 19:35:12 -05:00
cktricky
4be667b606
working
2013-11-13 19:02:37 -05:00
Mike McCabe
af8776a3ea
halfway done A7
2013-11-13 18:23:38 -05:00
Mike McCabe
91e6797b40
adding broken functionality for A7
2013-11-13 18:23:38 -05:00
Mike McCabe
f0ca17df79
updating the information for A9 fixes #27
2013-11-13 11:47:29 -05:00
cktricky
a65a20a647
Merge branch 'master' of github.com:OWASP/railsgoat into top-10-2013
2013-10-14 08:29:39 -04:00
Mike McCabe
8c17a3df0e
adding messaging function, needs tests...
2013-10-13 21:49:17 -04:00
Mike McCabe
8686f6b9d3
adding messages mvc to allow users to send messages.
2013-10-11 16:03:37 -04:00
cktricky
e2c4fb4bd8
change to the user model based on a merge with master. Master is the correct code
2013-10-11 12:04:19 -04:00
Mike McCabe
bbed455178
verifying user exists before trying to update
2013-10-09 11:08:39 -04:00
Mike McCabe
73f3272aa1
adding flash message with validation errors, and redirect to sign_up
2013-10-07 15:23:37 -04:00
cktricky
da061c79b6
intended to remove some of the weirdness when updating a user's account. A blank password basically ends up causing the previously existing password to be hashed twice. Probably move to has_secure_password at some point although that may end up screwing up the intent of the particular tutorial item
2013-09-30 13:03:03 -04:00
cktricky
ef8a9c1a46
merged with master
2013-09-27 21:55:50 -04:00
chrismo
e0bca0139e
Added command injection Capybara spec.
2013-09-27 14:59:30 -05:00
cktricky
825a972e4c
oops
2013-09-27 11:18:04 -04:00
cktricky
c3562592c6
deleted some files
2013-09-27 11:17:16 -04:00
Chris Morris
20420be1a6
Fixed logic to strip out user params.
Disclaimer: changes like these in this sort of app are tricky because
it's harder to presume the intention of the code in question.
The prior line:
```
user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") || "user_id" })
```
returns an empty hash, because of the way the block evaluates:
```
irb(main):002:0> k = 'foo'
=> "foo"
irb(main):003:0> k == ("password" || "password_confirmation") || "user_id"
=> "user_id"
```
Before the last change to that line, without 'user_id' outside the
params, it didn't evaluate properly either:
```
irb(main):007:0> k = 'password_confirmation'
=> "password_confirmation"
irb(main):008:0> k == ("password" || "password_confirmation")
=> false
irb(main):009:0> ("password" || "password_confirmation")
=> "password"
```
So, in the normal use case for this form, you can't update any other
attribute of the User. To me, that's probably the best argument for
making this change, but it does simplify the SQL Injection attack
(although perhaps the prior complication was intended).
Before this change, injecting conditional SQL into the user_id param in
the account_settings update call would allow the password of whatever
account is found (e.g. the first one if injecting 'OR 1=1') to be reset,
but without additional attacks, the email address of that account is not
known.
After this change, the email address of that account now is also updated
in addition to the password, making it simpler to get in as an admin --
though you're still presuming the first account to be an admin.
2013-09-25 16:56:34 -05:00
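The commit message above explains why the original `reject` block drops every key. As an added example (not RailsGoat's own code), the snippet below reproduces that block next to a filter that strips only the intended keys; the `params[:user]` hash and the key names other than `password`, `password_confirmation` and `user_id` are constructed for this illustration.

```ruby
# Added example, not part of the RailsGoat code base. It shows the Ruby
# precedence pitfall described in the commit message and a corrected filter.

# Keys a client must never be allowed to set through the account form.
SENSITIVE_KEYS = %w[password password_confirmation user_id].freeze

# The block exactly as it appeared in the original line. Because
# ("password" || "password_confirmation") evaluates to "password", and
# `false || "user_id"` is the truthy string "user_id", the block is truthy
# for every key, so reject discards the whole hash.
def broken_filter(user_params)
  user_params.reject { |k| k == ("password" || "password_confirmation") || "user_id" }
end

# Corrected filter: a key is rejected only when it is in the sensitive list.
# Keys are normalised with to_s so symbol and string keys behave the same.
def strip_sensitive(user_params)
  user_params.reject { |k, _v| SENSITIVE_KEYS.include?(k.to_s) }
end

# Constructed sample of what params[:user] might carry for an account
# settings form, including fields a client should not be able to change.
SAMPLE_PARAMS = {
  "first_name" => "Alice",
  "email" => "alice@example.com",
  "password" => "hunter2",
  "password_confirmation" => "hunter2",
  "user_id" => "1"
}.freeze

if __FILE__ == $PROGRAM_NAME
  p broken_filter(SAMPLE_PARAMS)    # {} -- every key is rejected
  p strip_sensitive(SAMPLE_PARAMS)  # only first_name and email remain
end
```

The explicit allow/deny list is the smallest change that matches the commit's intent; in Rails 4 and later the same goal is normally reached with strong parameters (`params.require(:user).permit(...)`), which makes the permitted attribute set the whitelist rather than relying on a hand-written reject block.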
cktricky
d909f55ab9
initial write-up for gauntlt
2013-08-08 21:25:52 -04:00