Created January 4, 2026 17:28
Railsgoat PR 487 output
Randomized with seed 22469
*Capybara starting Puma...
* Version 6.6.1, codename: Return to Forever
* Min threads: 0, max threads: 4
* Listening on http://127.0.0.1:35813
*********.......................*..***.......

Pending: (Failures listed here are expected and do not affect your suite's status)

  1) password complexity one
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Lack-of-Password-Complexity
     # No reason given
     Failure/Error:
       within(".signup") do
         fill_in "user_email", with: new_user_email
         fill_in "user_first_name", with: normal_user.first_name
         fill_in "user_last_name", with: normal_user.last_name + "not"
         fill_in "user_password", with: "password"
         fill_in "user_password_confirmation", with: "password"
       end

     Capybara::ElementNotFound:
       Unable to find css ".signup"

  2) xss attack
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A3-Cross-Site-Scripting
     # No reason given
     Failure/Error: click_button "Login"

     Capybara::Ambiguous:
       Ambiguous match, found 2 elements matching visible button "Login" that is not disabled

  3) improper password hashing with just md5
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage
     # No reason given
     Failure/Error: expect(normal_user.password).not_to eq(Digest::MD5.hexdigest(new_pass))

       expected: value != "b56d58cc23f979a5cb9e027c5b87c2b4"
            got: "b56d58cc23f979a5cb9e027c5b87c2b4"

       (compared using ==)

  4) insecure direct object reference attack two
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference
     # No reason given
     Failure/Error: click_button "Login"

     Capybara::Ambiguous:
       Ambiguous match, found 2 elements matching visible button "Login" that is not disabled

  5) insecure direct object reference attack one
     # No reason given
     Failure/Error: click_button "Login"

     Capybara::Ambiguous:
       Ambiguous match, found 2 elements matching visible button "Login" that is not disabled

  6) unvalidated redirect attack
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A10-Unvalidated-Redirects-and-Forwards-(redirect_to)
     # No reason given
     Failure/Error:
       within(".signup") do
         fill_in "email", with: normal_user.email
         fill_in "password", with: normal_user.clear_password
       end

     Capybara::ElementNotFound:
       Unable to find css ".signup"

  7) command injection attack
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A1-Command-Injection
     # No reason given
     Failure/Error: click_button "Login"

     Capybara::Ambiguous:
       Ambiguous match, found 2 elements matching visible button "Login" that is not disabled

  8) broken_auth two
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
     # No reason given
     Failure/Error:
       within(".signup") do
         fill_in "email", with: normal_user.email
         fill_in "password", with: normal_user.clear_password + "not"
       end

     Capybara::ElementNotFound:
       Unable to find css ".signup"

  9) broken_auth one
     Tutorial: https://github.com/OWASP/railsgoat/wiki/A2-Credential-Enumeration
     # No reason given
     Failure/Error:
       within(".signup") do
         fill_in "email", with: wrong_email
         fill_in "password", with: normal_user.clear_password
       end

     Capybara::ElementNotFound:
       Unable to find css ".signup"

  10) sql injection attack
      Tutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation
      # No reason given
      Failure/Error: click_button "Login"

      Capybara::Ambiguous:
        Ambiguous match, found 2 elements matching visible button "Login" that is not disabled

  11) url access attack
      Tutorial: https://github.com/OWASP/railsgoat/wiki/A7-Missing-Function-Level-Access-Control--(Admin-Controller)
      # No reason given
      Failure/Error: click_button "Login"

      Capybara::Ambiguous:
        Ambiguous match, found 2 elements matching visible button "Login" that is not disabled

  12) mass assignment attack two, Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-Extras-Mass-Assignment-Admin-Role
      # No reason given
      Failure/Error: expect(User.find_by(email: "hackety@h4x0rs.c0m").admin).to be_falsy

        expected: falsey value
             got: true

  13) mass assignment attack one
      # No reason given
      Failure/Error: fill_in "email", with: user.email

      Capybara::ElementNotFound:
        Unable to find field "email" that is not disabled

  14) csrf attack
      Tutorial: https://github.com/OWASP/railsgoat/wiki/R4-A8-CSRF
      # No reason given
      Failure/Error: click_button "Login"

      Capybara::Ambiguous:
        Ambiguous match, found 2 elements matching visible button "Login" that is not disabled

Finished in 27.95 seconds (files took 3.22 seconds to load)
46 examples, 0 failures, 14 pending

Randomized with seed 22469

EOF