CSC/ECE 517 Fall 2014/ch1b 33 jy
Software security in Ruby on Rails web applications using Brakeman scanner
Introduction
Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.<ref name=brakeman>Brakeman Scanner Introduction</ref> Brakeman scans your application by looking at its source code, so it is not necessary to set up the application stack (database, web server, a running instance) to use it. Once the scan is complete, Brakeman reports a list of all the security warnings it found.
Background
- 2011 - v1.0 released - Brakeman can now be used as a library
- v1.2 - Added rake options to create rake task to run Brakeman
- v1.3 - Added skip files option
- v1.5 - Added JSON Report Format
- v1.7 - Improved processing of Rails 3 routes
- v1.9 - Updated to RubyParser 3
- v2.0 - Combine deserialization checks into single check
- v2.1 - Support for ignoring warnings
- v2.2 - Reduce command injection false positives
- v2.4 - Detect SQL Injection in `delete_all`/`destroy_all`
- v2.6 - Parse most files upfront instead of on demand
Using Brakeman as a Library
Brakeman was initially designed as a command-line application. Version 1.0 introduced changes that allow it to be used as a library, and later releases continued to extend that interface.
require 'brakeman'
# Scan the Rails application rooted at my/app with default options;
# Brakeman.run returns a Tracker holding everything found during the scan.
tracker = Brakeman.run "my/app"
# Print the default text report built from the tracker's results.
puts tracker.report
This code runs Brakeman against the Rails application in `my/app` and prints out the report.<ref name=brakeman>Brakeman Scanner Introduction</ref> This is the same as running Brakeman from the command line with no options. Brakeman.run returns a Tracker object which contains all the information from the scan; Tracker#checks holds the results from running the checks. Options are passed to Brakeman.run as a hash of symbols, mirroring the command-line options:
Brakeman.run :app_path => "my/app"
- app_path - path to root of Rails app (required)
- assume_all_routes - assume all methods are routes (default: false)
- check_arguments - check arguments of methods (default: true)
- collapse_mass_assignment - report unprotected models in single warning (default: true)
- combine_locations - combine warning locations (default: true)
- config_file - configuration file
- escape_html - escape HTML by default (automatic)
- exit_on_warn - return false if warnings found, true otherwise. Not recommended for library use (default: false)
- html_style - path to CSS file
- ignore_model_output - consider models safe (default: false)
- message_limit - limit length of messages
- min_confidence - minimum confidence (0-2, 0 is highest)
- output_file - file for output
- output_format - format for output (:to_s, :to_tabs, :to_csv, :to_html)
- parallel_checks - run checks in parallel (default: true)
- print_report - if no output file specified, print to stdout (default: false)
- quiet - suppress most messages (default: true)
- rails3 - force Rails 3 mode (automatic)
- report_routes - show found routes on controllers (default: false)
- run_checks - array of checks to run (run all if not specified)
- safe_methods - array of methods to consider safe
- skip_libs - do not process lib/ directory (default: false)
- skip_checks - checks not to run (run all if not specified)
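The options above filter a scan while it runs, but in practice a team often wants the same control after the fact: Brakeman has emitted a JSON report (the format added in v1.5, produced with `brakeman -f json -o brakeman.json`) and a build step must decide whether to fail. The script below is an added example, not code from the Brakeman project or from this article. It applies the same 0-2 scale as the `min_confidence` option (0 is the highest confidence) to the `confidence` strings found in the report, lets a team skip warning types it has consciously accepted, and returns a CI exit status. The embedded report is constructed for the example; its field names follow the layout of Brakeman's JSON output, but the warnings describe no real application.

```ruby
require 'json'

# Confidence levels as they appear in Brakeman's JSON report, mapped onto
# the 0-2 scale used by the min_confidence option (0 is the highest confidence).
CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

# Constructed sample report for this example. The field names follow the
# layout of a Brakeman JSON report (brakeman -f json); the warnings
# themselves are made up and do not describe any real application.
# The heredoc is non-interpolating so that the "#{...}" in the code samples
# stays literal.
SAMPLE_REPORT = <<~'JSON'
  {
    "scan_info": { "app_path": "my/app", "rails_version": "3.2.13", "security_warnings": 3 },
    "warnings": [
      {
        "warning_type": "SQL Injection",
        "message": "Possible SQL injection",
        "file": "app/controllers/users_controller.rb",
        "line": 12,
        "code": "User.destroy_all(\"name = '#{params[:name]}'\")",
        "user_input": "params[:name]",
        "confidence": "High"
      },
      {
        "warning_type": "Command Injection",
        "message": "Possible command injection",
        "file": "app/models/report.rb",
        "line": 27,
        "code": "system(\"convert #{path}\")",
        "user_input": "path",
        "confidence": "Medium"
      },
      {
        "warning_type": "Mass Assignment",
        "message": "Unprotected mass assignment",
        "file": "app/controllers/accounts_controller.rb",
        "line": 9,
        "code": "Account.new(params[:account])",
        "user_input": "params[:account]",
        "confidence": "Weak"
      }
    ],
    "ignored_warnings": [],
    "errors": []
  }
JSON

# Parse a Brakeman JSON report string into an Array of warning Hashes.
def load_warnings(report_json)
  JSON.parse(report_json).fetch('warnings', [])
end

# Keep only warnings at or above the given confidence (0-2, same scale as the
# min_confidence option). Unknown confidence strings are treated as Weak so
# that a malformed entry is never silently promoted. skip_types is a coarse,
# hypothetical allow-list of warning types the team has decided to accept.
def filter_warnings(warnings, min_confidence: 1, skip_types: [])
  warnings.select do |w|
    rank = CONFIDENCE_RANK.fetch(w['confidence'], 2)
    rank <= min_confidence && !skip_types.include?(w['warning_type'])
  end
end

# Format one warning as a single line suitable for CI logs.
def format_warning(w)
  "[#{w['confidence']}] #{w['warning_type']} at #{w['file']}:#{w['line']} " \
    "(#{w['user_input']}) - #{w['message']}"
end

# Exit status for a CI gate: 0 if nothing remains after filtering, 1 otherwise.
def gate_status(warnings, **opts)
  filter_warnings(warnings, **opts).empty? ? 0 : 1
end

# Read a report path from the command line, or fall back to the constructed
# sample, and print what would fail the build at Medium confidence or better.
report = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
warnings = load_warnings(report)
remaining = filter_warnings(warnings, min_confidence: 1)
remaining.each { |w| puts format_warning(w) }
puts "#{remaining.size} of #{warnings.size} warnings at or above Medium confidence; " \
     "gate status #{gate_status(warnings, min_confidence: 1)}"
```

Treating an unrecognised confidence as Weak is the defensive choice: a report produced by a newer Brakeman that renames a level degrades to "more noise", never to "fewer findings". Skipping whole warning types is a blunt instrument; Brakeman's own warning-ignoring support (added in v2.1) works per warning and is the better tool once a finding has been reviewed and accepted.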
Advantages
1. No Configuration Necessary -
- Once Brakeman has been installed, no configuration is required. It can directly be run.
2. Run It Anytime -
- Brakeman can run at any stage of development because all it needs is source code. Even a freshly generated application can be scanned immediately.
3. Better Coverage -
- Brakeman can find vulnerabilities before they become exploitable because it scans code paths and pages that are not 'live' yet.
4. Best Practices -
- Brakeman is built specifically for Rails applications, so it can check configuration settings for best practices.
5. Flexible Testing -
- Each Brakeman check is independent of the others, so a scan can be limited to a chosen subset of checks (see the run_checks and skip_checks options above).
6. Speed -
- Much faster than "black box" website scanners. Large applications can be scanned in a matter of minutes.
Disadvantages
1. False Positives -
- Brakeman is extremely suspicious by default. Some values that are safe may be marked suspicious by Brakeman.
2. Unusual Configurations -
- Brakeman assumes all applications follow the typical Rails setup. If not, it may miss scanning certain files.
3. Only Knows Code -
- Brakeman cannot scan the entire application stack, only the application's source code; misconfigured servers, databases, or third-party services are outside its view.
4. Isn’t Omniscient -
- Like any static analyzer, Brakeman may miss issues or misunderstand code, so a clean report is not proof that an application is secure.
References
<references></references>