[GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby on Rails Applications

Paulo Coimbra paulo.coimbra at owasp.org
Thu Jul 8 06:28:05 EDT 2010


Hello GPC, Dinis, Justin and Neil,

Is this the right time to create a wiki page for this project?

Thanks,

Paulo Coimbra,
OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

From: global-projects-committee-bounces at lists.owasp.org
[mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of
dinis cruz
Sent: Thursday, 8 July 2010 02:40
To: Justin Collins
Cc: tin.zaw at owasp.org; global-projects-committee at lists.owasp.org
Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby
on Rails Applications


Interesting, we really should swap notes on how you used the AST to create
those traces.

I think I followed a similar path with the OWASP O2 Platform when I added a
static analysis engine for .NET. The O2 traces are created from the .NET AST
and are based on the concept of 'Method Streams' (which is a dynamically
created file that "...for a starting method X contains all relevant methods
that are (recursively) called from that method"). See here for a couple of
examples:

* http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
* http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC

Let me know when you have published the code (under an Open Source license),
so that I can integrate it with O2.

When you are ready, I really would like to give you a guided tour of O2,
since there are a lot of features and capabilities in there that will make
your life much easier (and prevent you from having to re-invent the wheel).

We also need to collaborate on the schema for the rules so that we have a
unified standard across engines and languages.


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2



On 8 July 2010 00:51, Justin Collins <jcollins at attinteractive.com> wrote:

Hi Dinis,

> - is the code published?

Not yet.

> - is it in a working state, i.e. can it already find vulnerabilities?

Yes. It can detect the ones listed below, plus more.

> - does it perform taint analysis on the code?

It does track variables, but it makes the basic assumption that request
parameters and database values are untrusted. At the moment, it does not do
anything fancier than that.

> - how does it work internally? (does it build an internal representation of
> the code? Does it work on top of the source code AST?)

It works from the AST, which it pares down to the "interesting" parts. It
makes a pass over the AST to propagate variable values, particularly from
controllers to views. It also manages a central data structure with specific
parts of the Rails app that it has gathered (such as routes, controller
names, etc.). Once the structure is set up, it gets passed to a set of checks
which look for specific vulnerabilities.

> - how are the security rules created, edited and stored?

At the moment, the rules are just Ruby code, although each check is managed
independently. It is possible to create a better plug-in or rule-based
architecture.

> - is it possible to export the artifacts and results created? (if so, in what
> formats?)

This is entirely possible, as there is already rudimentary support for
Ruport (http://rubyreports.org), which supports CSV, PDF, HTML, and text
reports.

-Justin


-----Original Message-----
From: dinis cruz [mailto:dinis.cruz at owasp.org]

Sent: Saturday, July 03, 2010 6:07 AM
To: Neil Matatall
Cc: global-projects-committee at lists.owasp.org; Justin Collins
Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby
on Rails Applications

This is great and perfect for OWASP.

A couple of questions:
- is the code published?
- is it in a working state, i.e. can it already find vulnerabilities?
- does it perform taint analysis on the code?
- how does it work internally? (does it build an internal
representation of the code? Does it work on top of the source code AST?)
- how are the security rules created, edited and stored?
- is it possible to export the artifacts and results created? (if so,
in what formats?)

Dinis Cruz

On 3 Jul 2010, at 00:38, Neil Matatall <neil at owasp.org> wrote:

> I just wanted to get a feeler, I can provide the rest if there is
> interest.  It is still in development.  This tool is being developed
> for AT&T Interactive with the plan of open sourcing it.
>
> A - PROJECT
>
>   1. Project Name - Brakeman
>   2. Project Purpose - Scan Rails applications and look for potential
> vulnerabilities
>   3. Project License - LGPL?
>   4. Project Leader - Justin Collins
>   5. Project Maintainer - TBD
>   6. Project Contributor(s) - Justin Collins
>
> Can detect:
> - Bad string interpolation in calls to Model.find, Model.last,
> Model.first, and instances of Model, as well as chained calls ending
> in 'find' (SQL Injection)
> - String interpolation in find_by_sql (SQL Injection)
> - String interpolation or params in calls to system, exec, and syscall
> and `` (Command Injection)
> - Unrestricted mass assignments
> - Global restriction of mass assignment
> - Missing call to protect_from_forgery in ApplicationController (CSRF
> protection)
> - Default routes, per-controller and globally
> - Redirects based on params (probably too broad currently)
>
> General capabilities:
> - Search for method calls based on target class and/or method name
> - Determine 'output' of templates using ERB, Erubis, or HAML
>
> --
>
> Neil
> _______________________________________________
> Global-projects-committee mailing list
> Global-projects-committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global-projects-committee
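As an added example (not Brakeman's code, and not from any message in this thread), here is a minimal check in the style Justin describes, built on the s-expression tree that Ruby's stdlib Ripper produces: it walks the AST, picks out calls to the sink methods from Neil's list, and flags those whose arguments carry string interpolation or a reference to `params`. The `scan`/`findings` helpers, the sink lists and the SAMPLE controller action are constructed for this illustration and are assumptions of the example, not Brakeman's internals.

```ruby
require "ripper"
# Sinks from Neil's list: interpolated find/first/last/find_by_sql (SQL), interpolation or params into system/exec/syscall (command).
SQL_SINKS = %w[find first last find_by_sql].freeze
CMD_SINKS = %w[system exec syscall].freeze
# True if any string literal under this node contains a #{...} expression.
def interpolated?(node)
  node.is_a?(Array) && (node[0] == :string_embexpr || node.any? { |c| interpolated?(c) })
end
# True if the Rails `params` hash (a bare method call, :vcall in Ripper) appears under this node.
def uses_params?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :vcall && node[1].is_a?(Array) && node[1][0..1] == [:@ident, "params"]
  node.any? { |c| uses_params?(c) }
end
# [method-name token, argument node] for the call shapes Ripper emits, else nil.
def call_parts(node)
  case node[0]
  when :method_add_arg then [node[1][0] == :call ? node[1][3] : node[1][1], node[2]]
  when :command        then [node[1], node[2]]
  when :command_call   then [node[3], node[4]]
  end
end
# Walk the s-expression, collecting {line:, method:, kind:} for each risky call.
def findings(node, out = [])
  return out unless node.is_a?(Array)
  ident, args = call_parts(node)
  if ident.is_a?(Array) && ident[0] == :@ident
    kind = "SQL Injection" if SQL_SINKS.include?(ident[1]) && interpolated?(args)
    kind = "Command Injection" if CMD_SINKS.include?(ident[1]) && (interpolated?(args) || uses_params?(args))
    out << { line: ident[2][0], method: ident[1], kind: kind } if kind
  end
  node.each { |c| findings(c, out) }
  out
end
# Parse a Ruby source string and return its findings in source order.
def scan(source)
  sexp = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
  findings(sexp)
end

# Constructed sample action (not from the thread); line 3 is parameterised and stays clean.
SAMPLE = <<~'RUBY'
  def show
    @user = User.find("id = #{params[:id]}")
    @safe = User.find(params[:id])
    @rows = User.find_by_sql("SELECT * FROM users WHERE name = '#{params[:name]}'")
    system("convert #{params[:file]} out.png")
    exec params[:cmd]
  end
RUBY
```

Calling `scan(SAMPLE)` reports lines 2, 4, 5 and 6; line 3 passes `params[:id]` as a bound value rather than interpolating it, which is exactly the distinction Neil's "bad string interpolation" wording draws.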

