OWASP / railsgoat

A vulnerable version of Rails that follows the OWASP Top 10

Home Page: railsgoat.cktricky.com

Unvalidated Redirect Unit Test too Strict

nvisium-john-poulin opened this issue · comments

The Unvalidated Redirect test is too tight, as it accepts only /dashboard/home. The current code in Railsgoat sets a default path to home_dashboard_index_path (https://github.com/OWASP/railsgoat/blob/master/app/controllers/sessions_controller.rb#L12)

After successfully mitigating the vulnerability, the test still fails with the following error:

  1) unvalidated redirect attack
Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
     Failure/Error: expect(current_url).to eq("/dashboard/home")

       expected: "/dashboard/home"
            got: "http://127.0.0.1:55981/dashboard/home"

I was able to fix this test by modifying it to compare two things. #1) That the current_url starts_with http://127.0.0.1, and #2) that the current path matches /dashboard/home, as seen below:

    # Scheme and host are fixed; the port the test server binds to is not.
    expect(current_url).to start_with("http://127.0.0.1")
    # Compare the path separately so the port does not enter the comparison.
    expect(current_path).to eq("/dashboard/home")
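The same host-and-path comparison the two expectations above make, plus the kind of same-site redirect validation that makes a test like this pass in the first place, as an added example written for this page. It is not railsgoat's own code and does not reproduce its sessions controller; the default path `/dashboard/home` and the names `safe_redirect_path` and `landed_on?` are assumptions for illustration, and the sample inputs are constructed.

```ruby
require "uri"

# Assumed default landing page after login, matching the "/dashboard/home"
# route the issue refers to as home_dashboard_index_path.
DEFAULT_AFTER_LOGIN_PATH = "/dashboard/home".freeze

# Return `target` only if it is a path-only, same-site redirect; otherwise fall
# back to `default`. This is the shape of an A10 mitigation: a user-supplied
# absolute URL, protocol-relative URL or non-http scheme never reaches
# redirect_to. Hypothetical helper, not railsgoat's implementation.
def safe_redirect_path(target, default: DEFAULT_AFTER_LOGIN_PATH)
  return default if target.nil? || target.strip.empty?
  # Backslashes are treated as slashes by some browsers ("/\evil.example");
  # reject them outright rather than relying on the URI parser.
  return default if target.include?("\\")

  uri = URI.parse(target)
  # Anything carrying a scheme, host or credentials is off-site:
  # "http://evil.example", "//evil.example/x", "javascript:alert(1)".
  return default if uri.scheme || uri.host || uri.userinfo
  # Only absolute paths are accepted; "dashboard/home" is relative to the
  # current page and is not a redirect target we want to honour.
  return default unless uri.path.start_with?("/")

  # Keep the query string, drop any fragment.
  uri.query ? "#{uri.path}?#{uri.query}" : uri.path
rescue URI::InvalidURIError
  default
end

# Check that a browser ended up on `expected_path` of `expected_host`,
# regardless of which ephemeral port the test server bound to. This is what
# the start_with("http://127.0.0.1") plus current_path pair in the issue
# checks, done once with URI parsing so the port never enters the comparison.
def landed_on?(current_url, expected_host: "127.0.0.1",
               expected_path: DEFAULT_AFTER_LOGIN_PATH)
  uri = URI.parse(current_url)
  uri.host == expected_host && uri.path == expected_path
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one legitimate target and several redirect payloads.
  ["/dashboard/home", "/admin?next=1", "http://evil.example/",
   "//evil.example/x", "javascript:alert(1)", "dashboard/home"].each do |t|
    puts "#{t.inspect} => #{safe_redirect_path(t)}"
  end
  puts landed_on?("http://127.0.0.1:55981/dashboard/home")
end
```

`landed_on?` compares `uri.host`, so a redirect that kept the right path on the wrong host (`http://evil.example/dashboard/home`) fails the check, which is the case a plain path comparison on its own would miss.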