Hi all,
I would like to introduce you to brakeman, a static analysis tool which searches for security vulnerabilities in Ruby on Rails applications.
Although this is the first public release, brakeman can already help you find:
-SQL injection
-Command injection
-Unrestricted mass assignment
-Unsafe redirects
-Cross site scripting vulnerabilities
-Evaluation of user input
-Insufficient validation regexes
-Unsafe file access
...and more! All without requiring a web server, database, or even completely working code.
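To make the list above concrete, here is a small illustration I have added to this page (it is not brakeman's code; brakeman works on a parsed AST, whereas this is a toy line-by-line regex scanner). It takes a constructed, deliberately sloppy Rails 2.x controller embedded inline and flags lines that fall into six of the categories listed: SQL injection through string interpolation in `:conditions`, command injection, an unsafe redirect, unsafe file access, unrestricted mass assignment, and `eval` of user input. The regexes are assumptions chosen for this sample and are far narrower than what brakeman checks.

```ruby
# Toy static check for a few Rails anti-patterns (added illustration, not brakeman's implementation).
# Each entry maps a category name to a regex applied to one line of source.
# The patterns are assumptions for this example only; real analysis works on the AST.
CHECKS = {
  "SQL injection"                => /(:conditions\s*=>|\.where\(|find_by_sql\()\s*"[^"]*#\{/,
  "Command injection"            => /\b(system|exec)\s*\(?\s*["'][^"']*#\{[^}]*params/,
  "Unsafe redirect"              => /redirect_to\s+params\b/,
  "Unsafe file access"           => /File\.(open|read)\s*\(?\s*params\b/,
  "Unrestricted mass assignment" => /\.(new|create|update_attributes)\(\s*params\[/,
  "Evaluation of user input"     => /\beval\s*\(?\s*params\b/,
}.freeze

# Constructed sample controller. The single-quoted heredoc keeps the #{...}
# interpolation literal so it reaches the scanner as source text.
SAMPLE = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      @user = User.find(:first, :conditions => "name = '#{params[:name]}'")
      @safe = User.find(:first, :conditions => ["name = ?", params[:name]])
      system("ls #{params[:dir]}")
      redirect_to params[:next]
      File.open(params[:path])
      @user.update_attributes(params[:user])
      eval(params[:code])
    end
  end
RUBY

# Scan a source string; return one finding hash per (line, category) match.
def scan_source(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    CHECKS.each do |name, pattern|
      findings << { line: lineno, check: name, code: line.strip } if line =~ pattern
    end
  end
  findings
end

# Render findings as a plain-text report, one line per finding.
def format_report(findings)
  findings.map { |f| format("line %d: %-30s %s", f[:line], f[:check], f[:code]) }.join("\n")
end

if __FILE__ == $0
  puts format_report(scan_source(SAMPLE))
end
```

Note that the parameterized `:conditions => ["name = ?", params[:name]]` on line 4 of the sample is correctly left alone: the interpolated string form is the one that deserves a warning, and that distinction is the whole point of a static check for this class of bug.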
== Installation ==
gem install brakeman
Source: http://github.com/presidentbeef/brakeman
== Basic Use ==
To generate an HTML report with default options:
brakeman -o report.html /path/to/rails/app
Brakeman has quite a few options, so be sure to use
brakeman -h
to see what is available and also take a gander at the README.
== Problems/Suggestions ==
I'm very interested in any Rails applications which brakeman has trouble scanning so that I can make it as useful as possible. If brakeman does not work for you or there are any problems, please file an issue so I can make improvements.
Brakeman is only expected to work with Rails > 2.0 and < 3.0.
Suggestions are very welcome.
-Justin