[GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby on Rails Applications

Neil Matatall neil at owasp.org
Thu Jul 8 14:23:52 EDT 2010


Sounds good to me.

On Thu, Jul 8, 2010 at 3:28 AM, Paulo Coimbra <paulo.coimbra at owasp.org> wrote:
> Hello GPC, Dinis, Justin and Neil,
>
> Is this the right time to create a wiki page for this project?
>
> Thanks,
>
> Paulo Coimbra,
>
> OWASP Project Manager
>
> From: global-projects-committee-bounces at lists.owasp.org
> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of
> dinis cruz
> Sent: Thursday, 8 July 2010 02:40
> To: Justin Collins
> Cc: tin.zaw at owasp.org; global-projects-committee at lists.owasp.org
> Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby
> on Rails Applications
>
> Interesting, we really should swap notes on how you used the AST to create
> those traces.
>
> I think I followed a similar path with the OWASP O2 Platform when I added a
> static analysis engine for .NET. The O2 traces are created from the
> .NET AST and are based on the concept of 'Method Streams' (which is a
> dynamically created file that: "...for a starting method X contains all
> relevant methods that are (recursively) called from that method"). See here
> for a couple of examples:
>
> http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
> http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC
>
> Let me know when you have published the code (under an Open Source license),
> so that I can integrate it with O2.
>
> When you are ready, I really would like to give you a guided tour of O2,
> since there are a lot of features and capabilities in there that will make
> your life much easier (and prevent you from having to re-invent the wheel).
>
> We also need to collaborate on the schema for the rules so that we have a
> unified standard across engines and languages.
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
> On 8 July 2010 00:51, Justin Collins <jcollins at attinteractive.com> wrote:
>
> Hi Dinis,
>
> - is the code published?
>
> Not yet.
>
> - is it in a working state, i.e. can it already find vulnerabilities?
>
> Yes. It can detect the ones listed below, plus more.
>
> - does it perform taint analysis on the code?
>
> It does track variables, but it makes the basic assumption that request
> parameters and database values are untrusted. At the moment, it does not do
> anything fancier than that.
>
> - how does it work internally? (does it build an internal representation of
> the code? Does it work on top of the source code AST?)
>
> It works from the AST, which it pares down to the "interesting" parts. It
> makes a pass over the AST to propagate variable values, particularly from
> controllers to views. It also manages a central data structure with specific
> parts of the Rails app that it has gathered (such as routes, controller
> names, etc). Once the structure is set up, it gets passed to a set of checks
> which look for specific vulnerabilities.
>
> - how are the security rules created, edited and stored?
>
> At the moment, the rules are just Ruby code, although each check is managed
> independently. It is possible to create a better plug-in or rule-based
> architecture.
>
> - is it possible to export the artifacts and results created? (if so on what
> formats?)
>
> This is entirely possible, as there is already rudimentary support for
> Ruport (http://rubyreports.org) which supports CSV, PDF, HTML, and text
> reports.
>
> -Justin
>
> -----Original Message-----
> From: dinis cruz [mailto:dinis.cruz at owasp.org]
>
> Sent: Saturday, July 03, 2010 6:07 AM
> To: Neil Matatall
> Cc: global-projects-committee at lists.owasp.org; Justin Collins
> Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby
> on Rails Applications
>
> This is great and perfect for OWASP.
>
> A couple of questions:
> - is the code published?
> - is it in a working state, i.e. can it already find vulnerabilities?
> - does it perform taint analysis on the code?
> - how does it work internally? (does it build an internal
> representation of the code? Does it work on top of the source code AST?)
> - how are the security rules created, edited and stored?
> - is it possible to export the artifacts and results created? (if so
> in what formats?)
>
> Dinis Cruz
>
> On 3 Jul 2010, at 00:38, Neil Matatall <neil at owasp.org> wrote:
>
>> I just wanted to get a feeler, I can provide the rest if there is
>> interest.  It is still in development.  This tool is being developed
>> for AT&T Interactive with the plan of open sourcing it.
>>
>> A - PROJECT
>>
>>   1. Project Name - Brakeman
>>   2. Project Purpose - Scan Rails applications and look for potential
>> vulnerabilities
>>   3. Project License - LGPL?
>>   4. Project Leader - Justin Collins
>>   5. Project Maintainer - TBD
>>   6. Project Contributor(s) - Justin Collins
>>
>> Can detect:
>> - Bad string interpolation in calls to Model.find, Model.last,
>> Model.first, and instances of Model, as well as chained calls ending
>> in 'find' (SQL Injection)
>> - String interpolation in find_by_sql (SQL Injection)
>> - String interpolation or params in calls to system, exec, and syscall
>> and `` (Command Injection)
>> - Unrestricted mass assignments
>> - Global restriction of mass assignment
>> - Missing call to protect_from_forgery in ApplicationController (CSRF
>> protection)
>> - Default routes, per-controller and globally
>> - Redirects based on params (probably too broad currently)
>>
>> General capabilities:
>> - Search for method calls based on target class and/or method name
>> - Determine 'output' of templates using ERB, Erubis, or HAML
>>
>> --
>>
>> Neil
>> _______________________________________________
>> Global-projects-committee mailing list
>> Global-projects-committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>
>




-- 

Neil
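As an added illustration of the approach Justin describes (work from the AST, pare it down, hand the result to a set of independent checks) and of two items on Neil's detection list, the following is a minimal checker written for this page. It is not Brakeman's code: it uses Ruby's standard-library Ripper parser, walks the S-expression it produces, and flags string interpolation in `find`, `find_by_sql`, `first` and `last` as SQL injection, and interpolation or `params` in `system`, `exec`, `syscall` and backtick strings as command injection. The constant and method names, the sample controller and the findings format are all constructed here, and unlike the tool in the thread it does no variable-propagation pass and does not check that the receiver is actually a model class.

```ruby
# Added example, not Brakeman's code: an AST-driven check built on the stdlib
# Ripper parser. Everything below (names, sample source) is constructed here.
require 'ripper'

SQL_SINKS = %w[find find_by_sql first last].freeze   # page's SQL-injection sinks
CMD_SINKS = %w[system exec syscall].freeze           # page's command-injection sinks

# True if the subtree contains a "#{...}" interpolation node.
def interpolated?(node)
  return false unless node.is_a?(Array)
  return true if node.first == :string_embexpr
  node.any? { |child| interpolated?(child) }
end

# True if the subtree references the `params` method (raw request input).
def uses_params?(node)
  return false unless node.is_a?(Array)
  return true if node.first == :@ident && node[1] == 'params'
  node.any? { |child| uses_params?(child) }
end

# Line number of the first token in a subtree (scanner events carry [line, col]).
def first_line(node)
  return nil unless node.is_a?(Array)
  if node.first.is_a?(Symbol) && node.first.to_s.start_with?('@') && node[2].is_a?(Array)
    return node[2][0]
  end
  node.each do |child|
    line = first_line(child)
    return line if line
  end
  nil
end

# Split a call node into [method-identifier-token, argument-subtree].
# Ripper shapes handled: [:method_add_arg, [:call|:fcall ...], args]
#                        [:command, ident, args]
#                        [:command_call, receiver, op, ident, args]
def call_parts(node)
  case node.first
  when :method_add_arg
    callee = node[1]
    return nil unless callee.is_a?(Array)
    [callee.first == :fcall ? callee[1] : callee[3], node[2]]
  when :command      then [node[1], node[2]]
  when :command_call then [node[3], node[4]]
  end
end

# Pre-order walk; each finding is {type:, method:, line:}.
def walk(node, findings)
  return unless node.is_a?(Array)
  if node.first == :xstring_literal
    findings << { type: :command_injection, method: '`', line: first_line(node) } if interpolated?(node)
  elsif (parts = call_parts(node))
    ident, args = parts
    if ident.is_a?(Array) && ident.first == :@ident
      name, line = ident[1], ident[2][0]
      if SQL_SINKS.include?(name) && interpolated?(args)
        findings << { type: :sql_injection, method: name, line: line }
      elsif CMD_SINKS.include?(name) && (interpolated?(args) || uses_params?(args))
        findings << { type: :command_injection, method: name, line: line }
      end
    end
  end
  node.each { |child| walk(child, findings) }
end

def scan(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, 'source did not parse' unless tree
  findings = []
  walk(tree, findings)
  findings
end

# Constructed Rails-2-style controller; the single-quoted heredoc keeps the
# "#{...}" sequences literal so the checker sees them as interpolation.
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      @user = User.find(:all, :conditions => "name = '#{params[:name]}'")   # SQL injection
      @safe = User.find(params[:id])                                          # no interpolation, not flagged
      @rows = User.find_by_sql("SELECT * FROM users WHERE name = '#{params[:name]}'")
      system("convert #{params[:file]}")                                      # command injection
      listing = `ls #{params[:dir]}`                                          # command injection via backticks
      system(params[:cmd])                                                    # raw params to a shell
      exec("ls", "-la")                                                       # constant arguments, not flagged
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_CONTROLLER).each do |f|
    puts format('line %2d: %-18s in call to %s', f[:line], f[:type], f[:method])
  end
end
```

Running the file prints one line per finding (lines 3, 5, 6, 7 and 8 of the sample); `User.find(params[:id])` and `exec("ls", "-la")` are not reported, which is the distinction the page draws between interpolated strings and plain parameter passing.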

