A Static Analysis Security Scanner for Rails Applications

David Worth

Why a security scanner just for Rails Apps?

Because of this guy:

Wait... who?

He kinda owned GitHub* but they were cool about it.

Oh, and he gained commit access to Rails core but didn't use it for Evil.

Types of Security Scanners:

Introducing Brakeman


History and details:

So what does it do?

Finds 0-days in your apps before others do!

"Standard" web vulnerabilities

Rails-specific vulnerabilities

All of these are covered in the Rails Security Guide, at length on the web, and in the Brakeman docs.

Does it work?


At Highgroove a remote vulnerability was found on the first run

... and patched 30s later.

How do I use it?

  1. Install the gem
    ~/rails_app $ gem install brakeman
  2. Run the scanner
    ~/rails_app $ brakeman
    [Notice] Detected Rails 3 application
    Loading scanner...
    [Notice] Using Ruby 1.9.3. Please make sure this matches the one used to run your Rails application.
    Processing application in /Users/dworth/Documents/my_projects/badapp
    Processing configuration...
    [Notice] Escaping HTML by default
    Processing gems...
      # ... SNIP ...
    Indexing call sites...
    Running checks in parallel...
     - CheckBasicAuth
     - CheckCrossSiteScripting
     # ... SNIP ...

How do I use it? (cont'd)

  3. Take action! Read the console:
    Application path: /Users/dworth/Documents/my_projects/badapp
    Rails version: 3.2.1
    Generated at 2012-04-11 16:17:02 -0400
    Checks run: BasicAuth, CrossSiteScripting, DefaultRoutes, # ... SNIP ...
    |          Scanned/Reported           | Total |
    | Controllers                         |     2 |
    | Models                              |     1 |
    | Templates                           |     1 |
    | Errors                              |     0 |
    | Security Warnings                   | 2 (1) |
    | Ignored warnings due to annotations |     0 |
    # ... SNIP ...

How do I use it? (cont'd)

  3. Take action! (cont'd)
    • output the report to HTML instead of the console
      ~/rails_app $ brakeman -f html -o brakeman_report.html
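Reading the console by hand does not scale to every commit, so here is an added example (not from the talk or from the Brakeman project) that turns the "take action" step into a build gate: it parses a Brakeman JSON report (`brakeman -f json -o report.json`, a format Brakeman supports alongside HTML), reproduces the "Security Warnings | 2 (1)" summary line (total warnings, with the high-confidence count in parentheses) and fails when anything at or above a chosen confidence is present. The report below is a constructed sample using Brakeman's field names; the warning values are made up.

```ruby
require 'json'

# Constructed sample of a Brakeman JSON report (brakeman -f json -o report.json).
# Field names follow Brakeman's JSON output; the warnings themselves are invented.
SAMPLE_REPORT = <<~JSON
{
  "scan_info": { "app_path": "/Users/dworth/Documents/my_projects/badapp", "rails_version": "3.2.1" },
  "warnings": [
    { "warning_type": "Basic Auth", "confidence": "Medium",
      "message": "Basic authentication password stored in source code",
      "file": "app/controllers/admin_controller.rb", "line": 4 },
    { "warning_type": "Cross Site Scripting", "confidence": "High",
      "message": "Unescaped model attribute",
      "file": "app/views/users/show.html.erb", "line": 3 }
  ],
  "errors": []
}
JSON

# Brakeman reports three confidence levels; lower rank means more certain.
CONFIDENCE_RANK = { "High" => 0, "Medium" => 1, "Weak" => 2 }.freeze

# Parse the report and return its warnings, most confident first.
def parse_brakeman_report(json_text)
  report = JSON.parse(json_text)
  report.fetch("warnings").sort_by { |w| CONFIDENCE_RANK.fetch(w["confidence"], 3) }
end

# Mirror Brakeman's summary row: total warnings, high-confidence count in parentheses.
def summarize(warnings)
  high = warnings.count { |w| w["confidence"] == "High" }
  { total: warnings.size, high: high, label: "#{warnings.size} (#{high})" }
end

# Build gate: pass only if no warning is at or above the given confidence.
def build_passes?(warnings, fail_at: "Medium")
  threshold = CONFIDENCE_RANK.fetch(fail_at)
  warnings.none? { |w| CONFIDENCE_RANK.fetch(w["confidence"], 3) <= threshold }
end

if __FILE__ == $0
  # Replace SAMPLE_REPORT with File.read("report.json") in a real pipeline.
  warnings = parse_brakeman_report(SAMPLE_REPORT)
  warnings.each do |w|
    puts "#{w['confidence'].ljust(6)} #{w['warning_type']}: #{w['file']}:#{w['line']}"
  end
  puts "Security Warnings: #{summarize(warnings)[:label]}"
  puts(build_passes?(warnings) ? "Build: PASS" : "Build: FAIL (fix or annotate the warnings above)")
end
```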

Brakeman on the web

Other Resources