Hi all,
I would like to introduce you to brakeman, a static analysis tool which
searches for security vulnerabilities in Ruby on Rails applications.
Although this is the first public release, brakeman can already help you
find:
- SQL injection
- Command injection
- Unrestricted mass assignment
- Unsafe redirects
- Cross site scripting vulnerabilities
- Evaluation of user input
- Insufficient validation regexes
- Unsafe file access
…and more! All without requiring a web server, database, or even
completely working code.
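As an added illustration of the SQL injection item above (this is not part of the original announcement and not Brakeman's own code), the script below shows the kind of static check such a tool performs: it parses a controller with Ruby's standard-library Ripper parser and flags calls to Rails 2-era query methods whose arguments contain string interpolation, without running the application. The sample controller, the method-name list, and the helper names are constructed for this example.

```ruby
require "ripper"

# Constructed sample: a Rails 2-style controller with one unsafe action
# (user input interpolated into the SQL conditions string) and one safe
# action (bind parameters). The single-quoted heredoc keeps "#{...}" literal.
SAMPLE = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      @user = User.find(:all, :conditions => "name = '#{params[:name]}'").first
    end

    def safe
      @user = User.find(:all, :conditions => ["name = ?", params[:name]]).first
    end
  end
RUBY

# Assumed list of query methods that accept raw SQL fragments (not Brakeman's list).
SQL_METHODS = %w[find find_by_sql count].freeze

# True if the S-expression subtree contains a node of the given type.
def contains_node?(node, type)
  return false unless node.is_a?(Array)
  return true if node[0] == type
  node.any? { |child| contains_node?(child, type) }
end

# Recursively walk the S-expression, collecting SQL-method calls whose
# argument list contains a string interpolation (:string_embexpr).
def walk(node, source, findings)
  return unless node.is_a?(Array)
  if node[0] == :method_add_arg && node[1].is_a?(Array) && node[1][0] == :call
    ident = node[1][-1]                     # [:@ident, "find", [line, col]]
    if ident.is_a?(Array) && ident[0] == :@ident && SQL_METHODS.include?(ident[1])
      line = ident[2][0]
      if contains_node?(node[2], :string_embexpr)
        findings << { method: ident[1], line: line, code: source.lines[line - 1].strip }
      end
    end
  end
  node.each { |child| walk(child, source, findings) }
end

# Returns one hash per suspicious call; an empty array if the source
# cannot be parsed or nothing interpolates into a SQL-taking method.
def find_interpolated_sql(source)
  sexp = Ripper.sexp(source)
  return [] unless sexp
  findings = []
  walk(sexp, source, findings)
  findings
end

if __FILE__ == $0
  find_interpolated_sql(SAMPLE).each do |f|
    puts "line #{f[:line]}: #{f[:method]} with interpolated SQL -> #{f[:code]}"
  end
end
```

Only the `show` action is reported: the `safe` action passes user input as a bind parameter, so no `:string_embexpr` node appears under the `find` call. A real analyzer additionally tracks where the interpolated value came from (tainted `params` versus a constant), which this check deliberately omits.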
== Installation ==
gem install brakeman
== Basic Use ==
To generate an HTML report with default options:
brakeman -o report.html /path/to/rails/app
Brakeman has quite a few options, so be sure to use
brakeman -h
to see what is available and also take a gander at the README.
== Problems/Suggestions ==
I’m very interested in any Rails applications which brakeman has trouble
scanning so that I can make it as useful as possible. If brakeman does
not work for you or there are any problems please file an issue so I can
make improvements.
Brakeman is only expected to work with Rails > 2.0 and < 3.0.
Suggestions are very welcome.
-Justin