@@ -1,14 +1,15 @@ class PostsController < ApplicationController # GET /posts # GET /posts.xml + # codecite SQL injection flaw def index if (!params[:search].blank?) - # codecite SQL injection flaw + # insecure! @posts = Post.find(:all, :conditions => "title = '#{params[:search]}'") - # codecite SQL injection flaw else @posts = Post.find(:all) end + # codecite SQL injection flaw respond_to do |format| format.html # index.html.erb app/controllers/posts_controller.rb @@ -10,7 +10,7 @@ <p> <%= f.label :body %><br /> <%= f.text_area :body %> - </p> + <!-- broken html, missing closing p --> <p> <%= f.label :published %><br /> <%= f.check_box :published %> app/views/posts/edit.html.erb @@ -1,11 +1,13 @@ <h1>Listing posts</h1> +<%# codecite search form %> <% form_tag({ }, {:method => "get"}) do %> <p> <%= submit_tag "Search" %> <%= text_field_tag :search, params[:search] %> </p> <% end %> - +<%# codecite search form %> +g <table> <tr> <th>Title</th> app/views/posts/index.html.erb @@ -16,4 +16,5 @@ <%= link_to 'Edit', edit_post_path(@post) %> | -<%= link_to 'Back', posts_path %> +<%= link_to 'Back', posts_path %> | +<%= link_to 'Broken link', "/broken" %> app/views/posts/show.html.erb @@ -11,10 +11,12 @@ class TarantulaTest < ActionController::IntegrationTest :input => "<script>gotcha!</script>", :output => "<script>gotcha!</script>", } + # codecite SQL injection attack AttackFormSubmission.attacks << { :name => :sql_injection, :input => "a'; DROP TABLE posts;", } + # codecite SQL injection attack t.handlers << AttackHandler.new t.fuzzers << AttackFormSubmission t.times_to_crawl = 2 test/tarantula/tarantula_test.rb 9af205d85a6ab40e14bc67fd7f3379fee246867c Stuart Halloway stu@thinkrelevance.com http://github.com/relevance/flawd/commit/730588413b11612877041c163ee23673ac52ae6c 730588413b11612877041c163ee23673ac52ae6c 2008-06-05T10:46:09-07:00 2008-06-05T10:46:09-07:00 more flaws * bad HTML * busted links * markers for codecite 317b5989f8d3ab090cd43c54eb9b525d3ecfac71 Stuart Halloway stu@thinkrelevance.com