I spent this summer doing an internship at ATTi, during which I developed a static analysis tool called brakeman for finding security vulnerabilities in Ruby on Rails applications.

What it is

Brakeman uses Ryan Davis’ Ruby Parser to parse the code of your RoR application, mangles it a bit, extracts some information, and then runs various checks on the result. It then uses Ruport to generate a report.

The HTML reports look like this.

Because brakeman analyzes the source code, there is no need to wait until the application is deployed to start testing it. Brakeman can be run at any point in the development process.

What it can do

Right now, brakeman can find these kinds of problems:

• Cross site scripting vulnerabilities
• SQL injection
• Command injection
• Unsafe redirects
• Unrestricted mass assignments
• Insufficient validation regexes
• Default routes
• Dynamic render paths

It can also check configuration settings, such as cross site request forgery protection and session secret length.

Unfortunately, it is not (yet?) compatible with Rails 3.0. Hopefully it will still be of use to a lot of people, though.

Installation

Brakeman can be installed as a gem (and, in fact, that is how I would recommend doing it):

gem install brakeman

(may require sudo).

Documentation

brakeman -h provides information on the options available. I’ve also been working on fleshing out the wiki with more detailed info.

Problems?

I really want this to be a useful tool, so if it does not work for you or there are any problems, please file an issue or even just leave a comment on this post. I’ll do my best to get everything fixed up.