own

Scenario: person accesses a project that is not theirs
  Given a new project created by a user
  When a different person attempts to access the project
  Then the system should prevent access
Step definitions for the scenario (register_as_user, new_project and logout are the test suite's own helpers; the opening of the Given step is reconstructed from the scenario text above):

require 'securerandom'

Given(/^a new project created by a user$/) do
  uuid = SecureRandom.uuid
  @user1 = "fb_user_1_#{uuid}@jemurai.com"
  register_as_user(@user1, "password")
  new_project("Insecure Direct Object Reference #{uuid}", "Forceful Browsing Desc")
  @url = current_url   # remember the project's URL for the second user
end

When(/^a different person attempts to access the project$/) do
  logout(@user1)
  uuid = SecureRandom.uuid
  @user2 = "fb_user_2_#{uuid}@jemurai.com"
  register_as_user(@user2, "password")
end

Then(/^the system should prevent access$/) do
  visit @url
  expect(page).not_to have_content "Forceful Browsing Desc"
end
The controller under test builds its WHERE clause by string interpolation (the opening of the method is reconstructed; `email` is the logged-in user's address):

def index
  conditions = "owner LIKE '#{email}'"
  if params[:name]
    conditions = "name like #{params[:name]} " + conditions
  end
  @projects = Project.find(:all, :conditions => conditions)
  respond_to do |format|
    format.html  # index.html.erb
    format.json { render json: @projects }
  end
end

Because params[:name] is interpolated unescaped, a name value that closes the quote and starts a SQL comment discards the owner restriction entirely:

  SELECT "projects".* FROM "projects" WHERE (name like 'A') or 1=1 -- owner LIKE '[email protected]')

For illustration
fields
  A user wants to be sure that other users can't put XSS in the projects pages
  in order to ensure that their sessions and information are safe.

  @javascript
  Scenario Outline: xss attempt
    Given the field is "<fieldname>"
    When the value is "<value>"
    Then the field result should be "<result>"

    Scenarios: xss in fields
      | fieldname            | value                                                                      | result |
      | project[name]        | ProjectName                                                                | noxss  |
      | project[name]        | ProjectName <script>alert('project[name]->xss');</script>                  | xss    |
      | project[description] | ProjectDescription <script>alert('project[description]->xss');</script>    | noxss  |
The step that submits the value and checks whether a script alert appeared (the `fill_in` call and the step header are reconstructed from the scenario outline; @field, @value and @result are set by the earlier steps):

Then(/^the field result should be "(.*?)"$/) do |result|
  @result = result
  fill_in @field, :with => @value
  click_button "Update Project"
  if @result == "xss"
    # This should have xss in it...did it stick?
    alerted = false
    begin
      page.driver.browser.switch_to.alert.accept
      alerted = true
    rescue
      # no alert present: the browser did not execute the injected script
    end
    if alerted
      fail("XSS Used to create Popup in #{@field} with #{@value}")
    else
      puts "Good news, no xss where expected."
    end
  else
    # noxss: the raw value must be rendered as text, i.e. escaped
    expect(page).to have_content @value
  end
end
page framed
  A user wants to be sure that effective browser protections are enabled
  in order to ensure that their information is safe.

  @javascript
  Scenario Outline: check for secure headers attempt
    Given a new project created by a user
    And the page is "<page>"
    When the header is "<header>"
    Then the header value should be "<result>"

    Scenarios: headers in pages
      | page      | header           | result |
      | projects/ | X-Frame-Options  | DENY   |
      | projects/ | X-XSS-Protection | 1      |
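A plain-Ruby checker for the expectations in this scenario outline, added here as an example and not part of the original slides or test suite: it takes a response-header hash (as Capybara's rack_test driver or Net::HTTP return one) plus the feature table, compares names case-insensitively as HTTP requires, and reports a missing header separately from a wrong value. The expectation table and sample responses are constructed.

```ruby
# Constructed expectation table, mirroring the "headers in pages" scenarios.
EXPECTED_HEADERS = {
  'X-Frame-Options'  => 'DENY',
  'X-XSS-Protection' => '1',
}

# Normalize a header hash to lower-cased names and stripped string values
# (drivers differ in key case and may hand back arrays for repeated headers).
def normalize_headers(headers)
  headers.each_with_object({}) do |(name, value), out|
    text = value.is_a?(Array) ? value.join(', ') : value.to_s
    out[name.to_s.downcase] = text.strip
  end
end

# The feature table pins only the leading token, so "1" also accepts
# "1; mode=block"; X-Frame-Options values are case-insensitive.
def header_matches?(got, want)
  got.split(';').first.to_s.strip.casecmp?(want)
end

# Returns one finding string per failed expectation; empty means all passed.
def header_findings(headers, expected = EXPECTED_HEADERS)
  actual = normalize_headers(headers)
  expected.map do |name, want|
    got = actual[name.downcase]
    if got.nil?
      "#{name}: missing (expected #{want.inspect})"
    elsif !header_matches?(got, want)
      "#{name}: got #{got.inspect}, expected #{want.inspect}"
    end
  end.compact
end

# Constructed sample responses for the projects/ page.
SAMPLE_OK  = { 'Content-Type' => 'text/html', 'x-frame-options' => 'DENY',
               'X-XSS-Protection' => '1; mode=block' }
SAMPLE_BAD = { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'SAMEORIGIN' }

if __FILE__ == $0
  [['ok', SAMPLE_OK], ['bad', SAMPLE_BAD]].each do |label, headers|
    findings = header_findings(headers)
    puts "projects/ (#{label}): #{findings.empty? ? 'all headers as expected' : findings.join('; ')}"
  end
end
```

In a Cucumber suite the "Then the header value should be" step can call header_findings with the current page's headers and fail on a non-empty result.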
field that will be executed by the system
• user is prevented from putting XSS in project form fields
• user should not be able to set fields not shown in the form
• user should not be able to submit forms in another's session
• user is protected from malicious content and having their page framed
• user's favorite album is in cookie
functions being called.
• XSS: inject scripts into fields and detect that alerts are thrown
• Mass assignment: set raw form data with Net::HTTP and send it to see how the server responds
• CSRF: alter the CSRF token and send an otherwise valid request
• Headers: interact with the system and verify that headers are being set
• Sensitive data: open the session cookie and inspect it
Neil Matatall @ndm
Aaron Bedra @abedra
Jon Claudius @claudijd
Chris Oliver @excid3
Chris Hildebrand @ckhrysze
Jon Rose
Brett Hardin @miscsecurity
Elizabeth Hendrickson @testobsessed