Brakeman

A Static Analysis Security Scanner for Rails Applications


David Worth - dave@highgroove.com

Why a security scanner just for Rails Apps?

Because of this guy:
Egor

Wait... who?

He kinda owned GitHub* but they were cool about it

Oh, and he gained commit access to Rails core but didn't use it for Evil.

Types of Security Scanners:

Introducing Brakeman

Brakeman

History and details:

So what does it do?

Finds 0-day in your apps before others do!

"Standard" web vulnerabilities

Rails-specific vulnerabilities

All of these are covered in the Rails Security Guide, at length on the web, and in the Brakeman docs.

Does it work?

YEP!

At Highgroove a remote vulnerability was found on first running

... and patched 30s later.

How do I use it?

  1. Install the gem
    ~/rails_app $ gem install brakeman
  2. Run the scanner
    ~/rails_app $ brakeman
    [Notice] Detected Rails 3 application
    Loading scanner...
    [Notice] Using Ruby 1.9.3. Please make sure this matches the one used to run your Rails application.
    Processing application in /Users/dworth/Documents/my_projects/badapp
    Processing configuration...
    [Notice] Escaping HTML by default
    Processing gems...
      # ... SNIP ...
    Indexing call sites...
    Running checks in parallel...
     - CheckBasicAuth
     - CheckCrossSiteScripting
     # ... SNIP ...

How do I use it? (cont'd)

  3. Take action! Read the console:
    +BRAKEMAN REPORT+
    Application path: /Users/dworth/Documents/my_projects/badapp
    Rails version: 3.2.1
    Generated at 2012-04-11 16:17:02 -0400
    Checks run: BasicAuth, CrossSiteScripting, DefaultRoutes, # ... SNIP ...
    
    +SUMMARY+
    +---------------------------------------------+
    |          Scanned/Reported           | Total |
    +---------------------------------------------+
    | Controllers                         |     2 |
    | Models                              |     1 |
    | Templates                           |     1 |
    | Errors                              |     0 |
    | Security Warnings                   | 2 (1) |
    | Ignored warnings due to annotations |     0 |
    +---------------------------------------------+
    
    # ... SNIP ...

How do I use it? (cont'd)

  3. Take action! (cont'd)
    • Output to HTML:
      ~/rails_app $ brakeman -f html -o brakeman_report.html
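Added example, not from the deck or the Brakeman project: a small POSIX shell helper that reads the +SUMMARY+ table shown above and pulls out the Security Warnings counts, so a CI step can fail the build when a scan reports anything. The parenthesised figure is Brakeman's high-confidence subset of the warnings; the report excerpt embedded below is constructed for the example.

```shell
#!/bin/sh
# Constructed excerpt of a Brakeman text report, same layout as the deck's
# +SUMMARY+ table (the numbers are made up for this example).
SAMPLE_REPORT='+SUMMARY+
+---------------------------------------------+
|          Scanned/Reported           | Total |
+---------------------------------------------+
| Controllers                         |     2 |
| Models                              |     1 |
| Templates                           |     1 |
| Errors                              |     0 |
| Security Warnings                   | 2 (1) |
| Ignored warnings due to annotations |     0 |
+---------------------------------------------+'

# Read a Brakeman text report on stdin and print two numbers:
# total security warnings and high-confidence warnings (the value in
# parentheses). Prints "0 0" when the row is missing or has no parentheses.
brakeman_warning_counts() {
  line=$(grep '^| Security Warnings' || true)
  if [ -z "$line" ]; then
    echo "0 0"
    return 0
  fi
  # Third pipe-separated field is the "Total" cell, e.g. " 2 (1) ".
  cell=$(printf '%s\n' "$line" | cut -d'|' -f3)
  total=$(printf '%s\n' "$cell" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  high=$(printf '%s\n' "$cell" | sed -n 's/.*(\([0-9][0-9]*\)).*/\1/p')
  echo "${total:-0} ${high:-0}"
}

# Exit non-zero when any warning is reported, so a CI step such as
# `brakeman | brakeman_gate` (assumed usage) fails on findings.
brakeman_gate() {
  set -- $(brakeman_warning_counts)
  [ "$1" -eq 0 ]
}

# Stand-alone run: prints "2 1" for the constructed report above.
printf '%s\n' "$SAMPLE_REPORT" | brakeman_warning_counts
```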

Brakeman on the web

Other Resources
