25 lines
705 B
Ruby
25 lines
705 B
Ruby
# frozen_string_literal: true
|
|
require "spec_helper"
|
|
|
|
feature "sensitive data exposure" do
|
|
let(:normal_user) { UserFixture.normal_user }
|
|
let(:user_ssn) { "999-99-9999" }
|
|
|
|
before do
|
|
UserFixture.reset_all_users
|
|
normal_user.work_info.update(:SSN, user_ssn)
|
|
|
|
skip unless verifying_fixed?
|
|
end
|
|
|
|
# this won't work with javascript_driver, as it'll apply the javascript
|
|
# function to mask this value and the source will be overwritten.
|
|
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
|
|
login(normal_user)
|
|
|
|
visit "/users/#{normal_user.id}/work_info"
|
|
|
|
expect(page.source).not_to include(user_ssn)
|
|
end
|
|
end
|