Ken Johnson
fec458f1a7
Merge pull request #45 from chrismo/users_controller_change
Fixed logic to strip out user params.
2013-09-27 07:34:24 -07:00
Chris Morris
20420be1a6
Fixed logic to strip out user params.
Disclaimer: changes like these in this sort of app are tricky because
it's harder to presume the intention of the code in question.
The prior line:
```
user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") || "user_id" })
```
returns an empty hash, because of the way the block evaluates:
```
irb(main):002:0> k = 'foo'
=> "foo"
irb(main):003:0> k == ("password" || "password_confirmation") || "user_id"
=> "user_id"
```
Before the last change to that line, without 'user_id' outside the
params, it didn't evaluate properly either:
```
irb(main):007:0> k = 'password_confirmation'
=> "password_confirmation"
irb(main):008:0> k == ("password" || "password_confirmation")
=> false
irb(main):009:0> ("password" || "password_confirmation")
=> "password"
```
So, in the normal use case for this form, you can't update any other
attribute of the User. To me, that's probably the best argument for
making this change, but it does simplify the SQL Injection attack
(although perhaps the prior complication was intended).
Before this change, injecting conditional SQL into the user_id param in
the account_settings update call would allow the password of whatever
account is found (e.g. the first one if injecting 'OR 1=1') to be reset,
but without additional attacks, the email address of that account is not
known.
After this change, the email address of that account now is also updated
in addition to the password, making it simpler to get in as an admin --
though you're still presuming the first account to be an admin.
2013-09-25 16:56:34 -05:00
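Added example (not part of the RailsGoat commit above or the project's code): it reproduces the operator-precedence problem the commit message describes, shows the earlier form of the line that only ever stripped `"password"`, and puts a corrected reject block beside them. The params hash and its values are constructed sample input.

```ruby
# Added example, not RailsGoat code. SAMPLE_PARAMS is a constructed stand-in
# for params[:user] (string keys, as Rails supplies them).
SAMPLE_PARAMS = {
  "email"                 => "user@example.test",
  "first_name"            => "Sam",
  "password"              => "hunter2",
  "password_confirmation" => "hunter2",
  "user_id"               => "7"
}.freeze

# The block body from the original line, isolated. `"password" ||
# "password_confirmation"` is just "password" (the first truthy operand), so the
# comparison reduces to k == "password"; `== ` binds tighter than `||`, so the
# trailing `|| "user_id"` turns every false comparison into the truthy string
# "user_id". The block is truthy for every key.
def buggy_predicate(k)
  k == ("password" || "password_confirmation") || "user_id"
end

# The original line: reject drops every pair, leaving an empty hash.
def strip_buggy(params)
  params.reject { |k| k == ("password" || "password_confirmation") || "user_id" }
end

# The earlier form of the line (before "user_id" was appended): only the
# literal key "password" is ever rejected.
def strip_partial(params)
  params.reject { |k| k == ("password" || "password_confirmation") }
end

# Corrected form: test the key against each protected key explicitly, so
# password, password_confirmation and user_id are all stripped and the
# remaining attributes survive.
PROTECTED_KEYS = %w[password password_confirmation user_id].freeze

def strip_fixed(params)
  params.reject { |k, _v| PROTECTED_KEYS.include?(k) }
end

if __FILE__ == $PROGRAM_NAME
  p buggy_predicate("foo")            # "user_id"
  p strip_buggy(SAMPLE_PARAMS)        # {}
  p strip_partial(SAMPLE_PARAMS).keys # every key except "password"
  p strip_fixed(SAMPLE_PARAMS).keys   # ["email", "first_name"]
end
```

Hash#reject yields the key and value as two arguments, so a one-parameter block receives just the key; the corrected version names both parameters to make that explicit.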
cktricky
90c4807554
merge
2013-09-24 21:13:59 -04:00
cktricky
aab489ef40
fix for performance bug
2013-09-10 21:58:29 -04:00
Ken Johnson
2eeb8291ba
Merge pull request #40 from mccabe615/master
Minor Changes
2013-09-10 10:19:48 -07:00
Michael McCabe
9638d8137b
travis fix
2013-09-10 10:02:11 -04:00
Michael McCabe
2949ff6a0d
Merge branch 'master' of github.com:mccabe615/railsgoat into ubuntu-fix
2013-09-10 09:18:08 -04:00
Michael McCabe
987b6d8844
setting up travis ci env
2013-09-10 09:17:40 -04:00
Michael McCabe
292e8d9845
adding execjs and therubyracer to fix js issue on ubuntu
2013-09-09 21:45:00 -04:00
mccabe615
5123d8ba77
Update README.md
2013-09-06 16:03:09 -04:00
Michael McCabe
16d1150375
adding basic tests for user model, more to come
2013-09-06 15:55:08 -04:00
Michael McCabe
69c180e845
minor changes to spec_helper and user model
2013-09-06 15:54:06 -04:00
Michael McCabe
dc3de592ea
init'ing guard-rspec
2013-09-06 15:44:40 -04:00
Michael McCabe
914e35e0dd
adding rspec-rails and guard-rspec
2013-09-06 15:43:59 -04:00
Michael McCabe
71c690bd03
Merge branch 'master' of github.com:mccabe615/railsgoat
2013-09-06 10:09:04 -04:00
Michael McCabe
0bb5fd06c1
fixing Gemfile
2013-09-06 10:08:53 -04:00
mccabe615
08c7800dff
Update README.md
Update readme with getting started instructions
2013-09-06 10:04:25 -04:00
Michael McCabe
1f3620a3de
adding rspec and auto test runs
2013-09-05 16:52:17 -04:00
cktricky
65eb2caeaf
made a suggestion based on digininja's comment on Rails tutorials blog post. Better to change method name to hash_password than encrypt_password
2013-08-08 16:57:58 -04:00
cktricky
c024bd6591
changed something small
2013-08-08 16:21:04 -04:00
cktricky
9533f0d098
added a task for stopping and starting rails
2013-08-08 16:17:55 -04:00
cktricky
1b9e60b982
unnecessary task
2013-08-08 14:11:49 -04:00
cktricky
2a4a7a5440
that was painful but managed to install gauntlt. Turns out you need to revert to minitest 4 (not 5, for the love of humanity, not 5). Also, added rspec (not sure that did anything). Lastly, aruba and gauntlt. So, we now have a dir explicitly for attack files.
2013-08-08 14:04:52 -04:00
cktricky
8f4644c312
new note on top 10, 2013 progress
2013-07-28 20:13:16 -04:00
cktricky
ef9570c4b2
Merge branch 'master' of github.com:OWASP/railsgoat
2013-07-28 19:45:00 -04:00
cktricky
f67bd0f5ed
correct naming within the command injection tutorial
2013-07-28 19:44:51 -04:00
Ken Johnson
0dd84a1724
Merge pull request #38 from cmlh/license
Add LICENSE.md file
2013-07-27 05:11:24 -07:00
Christian Heinrich
558b020411
Add LICENSE.md file
https://help.github.com/articles/open-source-licensing#how-can-i-go-back-through-my-public-repositories-and-give-them-licenses
2013-07-27 12:31:51 +10:00
Ken Johnson
14c1fb367d
added a tutorial for command injection
2013-07-10 20:42:04 -04:00
Ken Johnson
82b5809bee
almost finished with the write-up for the command injection vulnerability
2013-07-10 11:41:36 -04:00
Ken Johnson
ce6f32a1a2
working command injection in fileupload, closes issue #23
2013-07-09 16:36:03 -04:00
Ken Johnson
ea2014b637
I have exhausted all thoughts on how to actually get jquery file upload to work, so screw it, I am just going to make something homegrown for tomorrow
2013-07-09 13:53:00 -04:00
Ken Johnson
1a79471ef8
trying to fix a bug where you have to click twice on the tutorial credentials button
2013-06-20 11:28:29 -04:00
Ken Johnson
2e052828a6
taskbar / active enhancement
2013-06-16 00:49:28 -04:00
Ken Johnson
7b900bda2d
fixes issue #24
2013-06-10 16:25:14 -04:00
Ken Johnson
56381fe318
fixed issue #25
2013-06-10 15:27:21 -04:00
Ken Johnson
5ea8006fc1
closes issue #22
2013-06-07 09:05:11 -04:00
Ken Johnson
39d2e9d79f
finished CSRF/AJAX, closes issue #21
2013-06-06 22:40:52 -04:00
Ken Johnson
cc38bd3f2a
testing to see if I have commit access
2013-06-06 20:52:09 -04:00
Ken Johnson
db952a3dd9
Merge branch 'master' of github.com:cktricky/railsgoat
2013-06-06 16:44:07 -04:00
Ken Johnson
d445e59a98
this fixes issue #20 , seriously, no clue how I missed the missing constantize code
2013-06-06 16:43:58 -04:00
Ken Johnson
f126ad49da
Merge pull request #19 from presidentbeef/remove_ds_store
Remove and ignore .DS_Store files
2013-06-04 13:05:13 -07:00
Ken Johnson
215bc8614c
removed orig
2013-06-04 16:04:58 -04:00
Ken Johnson
dc96bf524d
merged
2013-06-04 16:04:12 -04:00
Ken Johnson
9d42453b05
removed pesky files
2013-06-04 16:00:30 -04:00
Justin Collins
d9f4ac72d5
Remove and ignore .DS_Store files
2013-06-04 11:54:39 -07:00
Ken Johnson
bdf3f20955
added a license
2013-06-04 14:17:12 -04:00
Ken Johnson
b76283910c
holding off on the last issue until i confirm whether or not oreoshake can cover secure headers here
2013-06-04 14:06:10 -04:00
Ken Johnson
bb2985018d
closes issue #7
2013-06-04 13:59:41 -04:00
Ken Johnson
089e9540ac
finished admin filter and write-up for issue #6
2013-06-04 11:49:59 -04:00