New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update R5 A4 documentation for IDOR "attack one" #312

Open

nvisium-john-poulin opened this issue Feb 21, 2018 · 0 comments

Labels

Contributor

nvisium-john-poulin commented Feb 21, 2018

The documentation does not cover the second test case, within which a user can specify an arbitrary filename to gain access to.

The unit test:

  scenario "attack one" do
    login(normal_user)

    visit "/users/#{normal_user.id}/benefit_forms"
    download_url = first(".widget-body a")[:href]
    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")

    expect(page.status_code).not_to eq(200)
    expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
  end

https://github.com/owasp/railsgoat/wiki/R5-A4-Insecure-Direct-Object-Reference

nvisium-john-poulin added the Documentation label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment