[GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby on Rails Applications

dinis cruz dinis.cruz at owasp.org
Wed Jul 7 21:39:50 EDT 2010


Interesting, we really should swap notes on how you used the AST to create
those traces.

I think I followed a similar path with the OWASP O2 Platform when I added a
static analysis engine for .NET. The O2 traces are created from the
.NET AST and are based on the concept of 'Method Streams' (which is a
dynamically created file that "...for a starting method X contains all
relevant methods that are (recursively) called from that method"). See here
for a couple of examples:

   - http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
   - http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC

Let me know when you have published the code (under an Open Source license),
so that I can integrate it with O2.

When you are ready, I really would like to give you a guided tour of O2,
since there are a lot of features and capabilities in there that will make
your life much easier (and prevent you from having to re-invent the wheel).

We also need to collaborate on the schema for the rules so that we have a
unified standard across engines and languages.

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 8 July 2010 00:51, Justin Collins <jcollins at attinteractive.com> wrote:

> Hi Dinis,
>
> - is the code published?
>
> Not yet.
>
> - is it in a working state, i.e. can it already find vulnerabilities?
>
> Yes. It can detect the ones listed below, plus more.
>
> - does it perform taint analysis on the code?
>
> It does track variables, but it makes the basic assumption that request
> parameters and database values are untrusted. At the moment, it does not do
> anything fancier than that.
>
> - how does it work internally? (does it build an internal representation of
> the code? Does it work on top of the source code AST?)
>
> It works from the AST, which it pares down to the "interesting" parts. It
> makes a pass over the AST to propagate variable values, particularly from
> controllers to views. It also manages a central data structure with specific
> parts of the Rails app that it has gathered (such as routes, controller
> names, etc). Once the structure is set up, it gets passed to a set of checks
> which look for specific vulnerabilities.
>
> - how are the security rules created, edited and stored?
>
> At the moment, the rules are just Ruby code, although each check is managed
> independently. It is possible to create a better plug-in or rule-based
> architecture.
>
> - is it possible to export the artifacts and results created? (if so on
> what formats?)
>
> This is entirely possible, as there is already rudimentary support for
> Ruport (http://rubyreports.org) which supports CSV, PDF, HTML, and text
> reports.
>
> -Justin
>
> -----Original Message-----
> From: dinis cruz [mailto:dinis.cruz at owasp.org]
> Sent: Saturday, July 03, 2010 6:07 AM
> To: Neil Matatall
> Cc: global-projects-committee at lists.owasp.org; Justin Collins
> Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby
> on Rails Applications
>
> This is great and perfect for OWASP.
>
> Couple questions:
> - is the code published?
> - is it in a working state, i.e. can it already find vulnerabilities?
> - does it perform taint analysis on the code?
> - how does it work internally? (does it build an internal
> representation of the code? Does it work on top of the source code AST?)
> - how are the security rules created, edited and stored?
> - is it possible to export the artifacts and results created? (if so
> on what formats?)
>
> Dinis Cruz
>
> On 3 Jul 2010, at 00:38, Neil Matatall <neil at owasp.org> wrote:
>
> > I just wanted to get a feeler, I can provide the rest if there is
> > interest.  It is still in development.  This tool is being developed
> > for AT&T Interactive with the plan of open sourcing it.
> >
> > A - PROJECT
> >
> >   1. Project Name - Brakeman
> >   2. Project Purpose - Scan Rails applications and look for potential
> > vulnerabilities
> >   3. Project License - LGPL?
> >   4. Project Leader - Justin Collins
> >   5. Project Maintainer - TBD
> >   6. Project Contributor(s) - Justin Collins
> >
> > Can detect:
> > -Bad string interpolation in calls to Model.find, Model.last,
> > Model.first, and instances of Model, as well as chained calls ending
> > in 'find' (SQL Injection)
> > -String interpolation in find_by_sql (SQL Injection)
> > -String interpolation or params in calls to system, exec, and syscall
> > and `` (Command Injection)
> > -Unrestricted mass assignments
> > -Global restriction of mass assignment
> > -Missing call to protect_from_forgery in ApplicationController (CSRF
> > protection)
> > -Default routes, per-controller and globally
> > -Redirects based on params (probably too broad currently)
> >
> > General capabilities:
> > -Search for method calls based on target class and/or method name
> > -Determine 'output' of templates using ERB, Erubis, or HAML
> >
> > --
> >
> > Neil
> > _______________________________________________
> > Global-projects-committee mailing list
> > Global-projects-committee at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/global-projects-committee
>
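The thread describes Brakeman's approach (parse to an AST, then run a set of checks over it) and lists the first sinks it covers: string interpolation in Model.find / first / last / find_by_sql, and interpolation or params in system, exec, syscall and backticks. The example below is added to make that concrete; it is not Brakeman's code and nothing from the thread, just an editorial illustration using Ruby's standard-library Ripper parser. The sink lists, the Finding struct and the Rails 2-style sample controller are all constructed for this example. It deliberately does only what Justin describes for the rules themselves (no variable propagation), so a query string assigned to a variable and passed to find is missed here; Brakeman's pass that propagates variable values is what closes that gap.

```ruby
require 'ripper'

# Sinks as listed in the project description (constructed lists, not Brakeman's own).
SQL_SINKS     = %w[find first last find_by_sql].freeze
COMMAND_SINKS = %w[system exec syscall].freeze
# Ripper node heads for "#{...}" and "#$var" / "#@var" interpolation.
INTERPOLATION = [:string_embexpr, :string_dvar].freeze

Finding = Struct.new(:kind, :sink, :line) do
  def describe
    "line #{line}: possible #{kind} in call to #{sink}"
  end
end

# True if any node in the subtree has one of +heads+ as its type.
def contains?(node, heads)
  return false unless node.is_a?(Array)
  return true if heads.include?(node[0])
  node.any? { |child| contains?(child, heads) }
end

# True if the subtree references `params` (request parameters, treated as untrusted).
def references_params?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :@ident && node[1] == 'params'
  node.any? { |child| references_params?(child) }
end

# Line of the first scanner token in the subtree; tokens look like [:@tstring_content, "..", [line, col]].
def first_line(node)
  return nil unless node.is_a?(Array)
  return node[2][0] if node[0].is_a?(Symbol) && node[0].to_s.start_with?('@') && node[2].is_a?(Array)
  node.each do |child|
    line = first_line(child)
    return line if line
  end
  nil
end

# The [:@ident, name, [line, col]] token naming the called method, or nil.
def method_token(call)
  token = case call[0]
          when :call, :command_call then call[3]   # recv.name
          when :fcall, :command     then call[1]   # name
          end
  token if token.is_a?(Array) && token[0] == :@ident
end

# Apply the sink rules to one call: SQL sinks are flagged only on string
# interpolation; command sinks on interpolation or any use of params.
def check_call(call, args, findings)
  token = method_token(call)
  return unless token
  name, line = token[1], token[2][0]
  if SQL_SINKS.include?(name) && contains?(args, INTERPOLATION)
    findings << Finding.new('SQL injection', name, line)
  elsif COMMAND_SINKS.include?(name) && (contains?(args, INTERPOLATION) || references_params?(args))
    findings << Finding.new('command injection', name, line)
  end
end

# Pre-order walk of the s-expression; each call shape is normalised to (call, args).
def scan_tree(node, findings)
  return findings unless node.is_a?(Array)
  case node[0]
  when :method_add_arg then check_call(node[1], node[2], findings)   # m(args) / recv.m(args)
  when :command        then check_call(node, node[2], findings)      # m args
  when :command_call   then check_call(node, node[4], findings)      # recv.m args
  when :xstring_literal                                              # `...`
    findings << Finding.new('command injection', 'backticks', first_line(node)) if contains?(node, INTERPOLATION)
  end
  node.each { |child| scan_tree(child, findings) }
  findings
end

def scan_source(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, 'source does not parse' unless tree
  scan_tree(tree, [])
end

# Constructed Rails 2-style controller exercising each rule (not from any real app).
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      @users = User.find(:all, :conditions => "name = '#{params[:name]}'")   # interpolated SQL
      @safe  = User.find(params[:id])                                       # id lookup, not flagged
      @last  = User.active.last(:conditions => "role = '#{params[:role]}'") # chained call ending in last
      @rows  = User.find_by_sql("SELECT * FROM users WHERE name = '#{params[:name]}'")
      @ok    = User.find_by_sql(["SELECT * FROM users WHERE name = ?", params[:name]])
      system("ls #{params[:dir]}")      # shell string built from params
      system("ls", params[:dir])        # argv form skips the shell, but the thread's rule still flags params
      @out   = `cat #{params[:file]}`   # backticks with interpolation
      exec "whoami"                     # literal command, not flagged
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  scan_source(SAMPLE_SOURCE).each { |f| puts f.describe }
end
```

Running the file prints six findings (lines 3, 5, 6, 8, 9 and 10 of the sample). Two caveats worth keeping in mind when reading the thread's rule list: the argv form system("ls", params[:dir]) never reaches a shell, so the "params in calls to system" rule as stated will report it even though it is not a command injection; and because the check only looks at the arguments of the sink, it misses an interpolated query that was first assigned to a local variable, which is exactly why Brakeman's variable-propagation pass matters.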