[GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby on Rails Applications

dinis cruz dinis.cruz at owasp.org
Sat Jul 3 09:06:35 EDT 2010


This is great and perfect for OWASP.

Couple questions:
- is the code published?
- is it in a working state, i.e. can it already find vulnerabilities?
- does it perform taint analysis on the code?
- how does it work internally? (does it build an internal
representation of the code? Does it work on top of the source code AST?)
- how are the security rules created, edited and stored?
- is it possible to export the artifacts and results created? (if so
on what formats?)

Dinis Cruz

On 3 Jul 2010, at 00:38, Neil Matatall <neil at owasp.org> wrote:

> I just wanted to get a feeler, I can provide the rest if there is
> interest.  It is still in development.  This tool is being developed
> for AT&T Interactive with the plan of open sourcing it.
>
> A – PROJECT
>
>   1. Project Name - Brakeman
>   2. Project Purpose - Scan Rails applications and look for potential
> vulnerabilities
>   3. Project License - LGPL?
>   4. Project Leader - Justin Collins
>   5. Project Maintainer - TBD
>   6. Project Contributor(s) - Justin Collins
>
> Can detect:
> -Bad string interpolation in calls to Model.find, Model.last,
> Model.first, and instances of Model, as well as chained calls ending
> in 'find' (SQL Injection)
> -String interpolation in find_by_sql (SQL Injection)
> -String interpolation or params in calls to system, exec, and syscall
> and `` (Command Injection)
> -Unrestricted mass assignments
> -Global restriction of mass assignment
> -Missing call to protect_from_forgery in ApplicationController (CSRF
> protection)
> -Default routes, per-controller and globally
> -Redirects based on params (probably too broad currently)
>
> General capabilities:
> -Search for method calls based on target class and/or method name
> -Determine 'output' of templates using ERB, Erubis, or HAML
>
> --
>
> Neil
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
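As an added illustration of the "string interpolation in a sink call" detections Neil lists (an example written for this page, not Brakeman's own code or anything from the thread), a toy checker over the S-expression tree that Ruby's standard Ripper parser produces; the SINKS table, the brakeman_lite function and the sample controller action are constructed for this example:

```ruby
require "ripper"

# Sink methods named in the post, mapped to Brakeman's finding category.
SINKS = { "find" => "SQL Injection", "first" => "SQL Injection", "last" => "SQL Injection",
          "find_by_sql" => "SQL Injection", "system" => "Command Injection",
          "exec" => "Command Injection", "syscall" => "Command Injection" }.freeze

# True if any descendant node is an interpolated "#{...}" segment of a string.
def interpolated?(node)
  node.is_a?(Array) && (node[0] == :string_embexpr || node.any? { |c| interpolated?(c) })
end

# Line number of the first lexer token (:@ident, :@const, ...) beneath node.
def line_of(node)
  return nil unless node.is_a?(Array)
  return node[2][0] if node[0].to_s.start_with?("@")
  node.each { |c| (l = line_of(c)) && (return l) }
  nil
end

# Method name for a :call / :fcall / :command node, else nil.
def method_name(node)
  ident = { call: node[3], fcall: node[1], command: node[1] }[node[0]]
  ident[1] if ident.is_a?(Array) && ident[0] == :@ident
end

# Depth-first walk of the Ripper tree; collects "line N: method (category)".
def scan(node, findings = [])
  return findings unless node.is_a?(Array)
  case node[0]
  when :method_add_arg then callee, args = node[1], node[2] # meth(args), recv.meth(args)
  when :command        then callee, args = node, node[2]    # meth args (no parentheses)
  when :xstring_literal                                     # `cmd #{x}`
    findings << "line #{line_of(node)}: backticks (Command Injection)" if interpolated?(node)
  end
  if callee && (cat = SINKS[method_name(callee)]) && interpolated?(args)
    findings << "line #{line_of(callee)}: #{method_name(callee)} (#{cat})"
  end
  node.each { |c| scan(c, findings) }
  findings
end

def brakeman_lite(source)
  scan(Ripper.sexp(source) || []) # Ripper.sexp returns nil on a syntax error
end

# Constructed sample action (not from any real app); lines 2, 4, 5 and 6 are unsafe.
SAMPLE = <<~'RUBY'
  def show
    @user = User.find("id = #{params[:id]}")
    @safe = User.find(params[:id])
    @rows = User.find_by_sql("SELECT * FROM users WHERE name = '#{params[:name]}'")
    system("ls #{params[:dir]}")
    `cat #{params[:file]}`
  end
RUBY
```

Running `brakeman_lite(SAMPLE)` reports the interpolated find, find_by_sql, system and backtick calls and stays silent on `User.find(params[:id])`, which is exactly the distinction a syntactic check can make without taint analysis.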

