@pxlpnk
Last active January 28, 2019 07:26
brakeman scan result for RailsGoat
Loading scanner...
Processing application in /Users/at/src/github.com/OWASP/railsgoat
Processing gems...
[Notice] Detected Rails 5 application
Processing configuration...
[Notice] Escaping HTML by default
Parsing files...
Processing initializers...
Processing libs...sed
Processing routes...
Processing templates...
Processing data flow in templates...
Processing models...
Processing controllers...
Processing data flow in controllers...
Indexing call sites...
Running checks in parallel...
- CheckBasicAuth
- CheckBasicAuthTimingAttack
- CheckCrossSiteScripting
- CheckContentTag
- CheckCreateWith
- CheckDefaultRoutes
- CheckDeserialize
- CheckDetailedExceptions
- CheckDigestDoS
- CheckDynamicFinders
- CheckEscapeFunction
- CheckEvaluation
- CheckExecute
- CheckFileAccess
- CheckFileDisclosure
- CheckFilterSkipping
- CheckForgerySetting
- CheckHeaderDoS
- CheckI18nXSS
- CheckJRubyXML
- CheckJSONEncoding
- CheckJSONParsing
- CheckLinkTo
- CheckLinkToHref
- CheckMailTo
- CheckMassAssignment
- CheckMimeTypeDoS
- CheckModelAttrAccessible
- CheckModelAttributes
- CheckModelSerialize
- CheckNestedAttributes
- CheckNestedAttributesBypass
- CheckNumberToCurrency
- CheckPermitAttributes
- CheckQuoteTableName
- CheckRedirect
- CheckRegexDoS
- CheckRender
- CheckRenderDoS
- CheckRenderInline
- CheckResponseSplitting
- CheckRouteDoS
- CheckSafeBufferManipulation
- CheckSanitizeMethods
- CheckSelectTag
- CheckSelectVulnerability
- CheckSend
- CheckSendFile
- CheckSessionManipulation
- CheckSessionSettings
- CheckSimpleFormat
- CheckSingleQuotes
- CheckSkipBeforeFilter
- CheckSQL
- CheckSQLCVEs
- CheckSSLVerify
- CheckStripTags
- CheckSymbolDoSCVE
- CheckTranslateBug
- CheckUnsafeReflection
- CheckValidationRegex
- CheckWithoutProtection
- CheckXMLDoS
- CheckYAMLParsing
Checks finished, collecting results...
Generating report...
== Brakeman Report ==
Application Path: /Users/at/src/github.com/OWASP/railsgoat
Rails Version: 5.1.6
Brakeman Version: 4.3.1
Scan Date: 2018-09-20 09:51:57 +0700
Duration: 0.926424 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing
== Overview ==
Controllers: 17
Models: 12
Templates: 27
Errors: 0
Security Warnings: 17
== Warning Types ==
Command Injection: 1
Cross-Site Request Forgery: 1
Cross-Site Scripting: 1
Dangerous Send: 1
File Access: 1
Format Validation: 1
Mass Assignment: 2
Remote Code Execution: 4
SQL Injection: 2
Session Setting: 3
== Warnings ==
Confidence: High
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: 'protect_from_forgery' should be called in ApplicationController
File: app/controllers/application_controller.rb
Line: 2
Confidence: High
Category: Cross-Site Scripting
Check: CrossSiteScripting
Message: Unescaped cookie value
Code: cookies[:font]
File: app/views/layouts/application.html.erb
Line: 12
Confidence: High
Category: Dangerous Send
Check: Send
Message: User controlled method execution
Code: self.try(params[:graph])
File: app/controllers/dashboard_controller.rb
Line: 16
Confidence: High
Category: File Access
Check: SendFile
Message: Parameter value used in file name
Code: send_file(params[:type].constantize.new(params[:name]), :disposition => "attachment")
File: app/controllers/benefit_forms_controller.rb
Line: 12
Confidence: High
Category: Format Validation
Check: ValidationRegex
Message: Insufficient validation for 'email' using /.+@.+\..+/i. Use \A and \z as anchors
File: app/models/user.rb
Line: 13
Confidence: High
Category: Mass Assignment
Check: PermitAttributes
Message: Potentially dangerous key allowed for mass assignment
Code: params.require(:user).permit(:email, :admin, :first_name, :last_name)
File: app/controllers/users_controller.rb
Line: 55
Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:class].classify.constantize
File: app/controllers/api/v1/mobile_controller.rb
Line: 17
Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:class].classify.constantize
File: app/controllers/api/v1/mobile_controller.rb
Line: 10
Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:type].constantize
File: app/controllers/benefit_forms_controller.rb
Line: 11
Confidence: High
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: User.where("id = '#{params[:user][:id]}'")
File: app/controllers/users_controller.rb
Line: 29
Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session cookies should be set to HTTP only
File: config/initializers/session_store.rb
Line: 4
Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session secret should not be included in version control
File: config/initializers/secret_token.rb
Line: 9
Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session secret should not be included in version control
File: config/initializers/secret_token.rb
Line: 8
Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: system("cp #{full_file_name} #{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}")
File: app/models/benefits.rb
Line: 15
Confidence: Medium
Category: Mass Assignment
Check: MassAssignment
Message: Parameters should be whitelisted for mass assignment
Code: params.require(:user).permit!
File: app/controllers/users_controller.rb
Line: 50
Confidence: Medium
Category: Remote Code Execution
Check: Deserialize
Message: Marshal.load called with parameter value
Code: Marshal.load(Base64.decode64(params[:user]))
File: app/controllers/password_resets_controller.rb
Line: 6
Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: select("#{col}")
File: app/models/analytics.rb
Line: 3