Unvalidated Redirect Unit Test too Strict #317

nvisium-john-poulin · 2018-02-21T19:03:05Z

The Unvalidated Redirect test is too tight, as it accepts only /dashboard/home. The current code in Railsgoat sets a default path to home_dashboard_index_path (https://github.com/OWASP/railsgoat/blob/master/app/controllers/sessions_controller.rb#L12)

After successfully mitigating the vulnerability, the test still fails with the following error:

  1) unvalidated redirect attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
     Failure/Error: expect(current_url).to eq("/dashboard/home")

       expected: "/dashboard/home"
            got: "http://127.0.0.1:55981/dashboard/home"

I was able to fix this test by modifying it to compare two things. #1) That the current_url starts_with http://127.0.0.1, and #2) that the current path matches /dashboard/home, as seen below:

    expect(current_url).to start_with("http://127.0.0.1")
    expect(current_path).to eq("/dashboard/home")

The text was updated successfully, but these errors were encountered:

nvisium-john-poulin added a commit to nvisium-john-poulin/railsgoat that referenced this issue Feb 21, 2018

Made unvalidated redirect tess less strict, to close OWASP#317

e53bb6f

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unvalidated Redirect Unit Test too Strict #317

Unvalidated Redirect Unit Test too Strict #317

nvisium-john-poulin commented Feb 21, 2018

Unvalidated Redirect Unit Test too Strict #317

Unvalidated Redirect Unit Test too Strict #317

Comments

nvisium-john-poulin commented Feb 21, 2018