class TutorialsController < ApplicationController
skip_before_filter :has_info
skip_before_filter :authenticated
def index
end
def credentials
render :partial => "layouts/tutorial/credentials/creds"
end
def show
render "injection"
end
def injection
end
def xss
@code = %{
Welcome, <%= current_user.first_name.html_safe %>
}
end
def broken_auth
end
def insecure_dor
end
def csrf
@meta_code_bad = %{<%#= csrf_meta_tags %> }
@meta_code_good = %{<%= csrf_meta_tags %> }
@ajax_code_good = %q{
("#example_submit_button_id").click(function(event) {
var valuesToSubmit = $("#example_form_id").serialize();
event.preventDefault();
$.ajax(\{
url: "/example",
data: valuesToSubmit,
type: "POST",
success: function(response) \{
alert('success!');
},
error: function(event) \{
alert('failure!');
\}
\});
\});
\} }
end
def misconfig
end
def crypto
end
def url_access
end
def ssl_tls
end
def redirects
end
def guard
end
def info_disclosure
@bad_code_1 =
%q{
Full Name
Income
Bonuses
Years w/ MetaCorp
SSN
DoB
<%= "#{@user.first_name} #{@user.last_name}" %>
<%= @user.work_info.income %>
<%= @user.work_info.bonuses %>
<%= @user.work_info.years_worked %>
<%= @user.work_info.SSN %>
<%= @user.work_info.DoB %>
}
@good_code_1 = %q{
class WorkInfo < ActiveRecord::Base
attr_accessible :DoB, :SSN, :bonuses, :income, :years_worked
belongs_to :user
# We should probably use this
def last_four
"***-**-" << self.SSN[-4,4]
end
end
}
@bad_code_2 = %q{
<%= @user.work_info.SSN %>
}
@good_code_2 = %q{
<%= @user.work_info.last_four %>
}
end
def mass_assignment
end
def constantize
end
end