Broken Authorization specs added.

spec/features/broken_auth_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+feature 'broken_auth' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'TMI during login', :js => true do
+    visit '/'
+    within('.signup') do
+      fill_in 'email', :with => @normal_user.email + 'not'
+      fill_in 'password', :with => @normal_user.clear_password
+    end
+    click_on 'Login'
+    find('div#flash_notice').text.should == "#{@normal_user.email}not doesn't exist!"
+
+    within('.signup') do
+      fill_in 'email', :with => @normal_user.email
+      fill_in 'password', :with => @normal_user.clear_password + 'not'
+    end
+    click_on 'Login'
+    find('div#flash_notice').text.should == 'Incorrect Password!'
+  end
+end

spec/features/xss_spec.rb

@@ -6,7 +6,7 @@
     @normal_user = UserFixture.normal_user
   end
 
-  scenario 'injection attack on account_settings', :js => true do
+  scenario 'xss attack on account_settings', :js => true do
     login @normal_user
 
     visit "/users/#{@normal_user.user_id}/account_settings"