team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
298610b5f6b508a1b5f209f84ee9a565360a0ff4
railsgoat/spec/vulnerabilities/csrf_spec.rb
T
robbiepaul 298610b5f6
CI / test (3.4.1) (push) Has been cancelled
Details
Initial commit (history cleared)
2026-04-29 11:21:39 +01:00

48 lines
1.5 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
require "spec_helper"
require "tmpdir"
feature "csrf" do
let(:normal_user) { UserFixture.normal_user }
before(:each) do
UserFixture.reset_all_users
skip unless verifying_fixed?
end
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", js: true do
visit "/"
# TODO: is there a way to get this without visiting root first?
base_url = current_url
login(normal_user)
Dir.mktmpdir do |dir|
hackety_file = File.join(dir, "form.on.bad.guy.site.html")
post_url = "#{base_url}schedule.json"
File.open(hackety_file, "w") do |f|
f.print <<-HTML
<html>
<body>
<form id='submit_me' action="#{post_url}" method="POST">
<input type="hidden" name="schedule&#91;event&#95;name&#93;" value="Bad&#32;Guy" />
<input type="hidden" name="schedule&#91;event&#95;type&#93;" value="pto" />
<input type="hidden" name="schedule&#91;event&#95;desc&#93;" value="Fun&#32;Fun" />
<input type="hidden" name="date&#95;range1" value="06&#47;08&#47;2013&#32;&#45;&#32;06&#47;09&#47;2013" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
HTML
end
page.driver.visit "file://#{hackety_file}"
within("#submit_me") do
click_on "Submit request"
end
end
expect(normal_user.reload.paid_time_off.schedule.last.event_name).not_to eq("Bad Guy")
end
end
Reference in New Issue View Git Blame Copy Permalink