Joseph Mastey
21 lines
683 B
Ruby
21 lines
683 B
Ruby
# frozen_string_literal: true
|
|
require "spec_helper"
|
|
|
|
feature "sensitive data exposure" do
|
|
before do
|
|
UserFixture.reset_all_users
|
|
@normal_user = UserFixture.normal_user
|
|
@normal_user.work_info.update_attribute(:SSN, "999-99-9999")
|
|
end
|
|
|
|
# this won't work with javascript_driver, as it'll apply the javascript
|
|
# function to mask this value and the source will be overwritten.
|
|
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Cleartext-Storage-SSNs" do
|
|
login @normal_user
|
|
|
|
visit "/users/#{@normal_user.user_id}/work_info"
|
|
pending if verifying_fixed?
|
|
expect(page.source).to include "999-99-9999"
|
|
end
|
|
end
|