-
Notifications
You must be signed in to change notification settings - Fork 0
/
brakeman_presentation.html
198 lines (196 loc) · 7.01 KB
/
brakeman_presentation.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
<head>
<title>ATLRUG April 2012 - Brakeman: Static Analysis Security Scanner for Rails apps</title>
<meta content="ATLRUG April 2012 - Brakeman: Static Analysis Security Scanner for Rails apps" name="description" />
<meta content="David Worth - [email protected]" name="author" />
<meta content="width=1024, user-scalable=no" name="viewport" />
<link href="core/deck.core.css" rel="stylesheet" />
<link href="dave.css" rel="stylesheet" />
<link href="extensions/status/deck.status.css" rel="stylesheet" />
<link href="themes/style/swiss.css" rel="stylesheet" />
<link href="themes/transition/horizontal-slide.css" rel="stylesheet" />
<script src="js/modernizr.custom.js"></script>
<script src="js/jquery-1.7.2.min.js"></script>
<script src="core/deck.core.js"></script>
<script src="extensions/status/deck.status.js"></script>
<script type="text/javascript">$(function() { $.deck('.slide'); });</script>
</head>
<body class="deck-container">
<section class="slide">
<h2>Brakeman</h2>
<h3>A Static Analysis Security Scanner for Rails Applications</h3>
<br />
<h4>David Worth - [email protected]</h4>
<img alt="Highgroove Studios" class="hglogo" src="highgroove.png" />
</section>
<section class="slide">
<h2>Why a security scanner just for Rails Apps?</h2>
<h3 class="slide center">Because of this guy:<br /><img alt="Egor" src="egor.png" />
</h3>
<h3 class="slide">Wait... who?</h3>
<h4 class="slide">He kinda owned Github* but they were cool about it</h4>
<h5 class="slide">oh, and he gained commit access to Rails core but didn't use it for Evil.</h5>
</section>
<section class="slide">
<h2>Types of Security Scanners:</h2>
<ul>
<li class="slide">
<h3>Active Scanners</h3>
<p>Active scanners operate on on a running application and attempt to discover and/or exploit vulnerabilities</p>
<ul class="slide">
<li>
<a href="http://code.google.com/p/skipfish/">skipfish</a> by Michael Zalewski</li>
<li>
<a href="http://w3af.sourceforge.net/">Web Application Attack and Audit Framework (w3af)</a>
</li>
</ul>
</li>
<li class="slide">
<h3>Static Analysis Scanners</h3>
<p>Attempt to discover <strike>features</strike> vulnerabilities by analyzing an application at rest</p>
<ul>
<li>Brakeman</li>
<li>Gaggillions of others, primarily for "static" languages, but not for rails apps!</li>
</ul>
</li>
</ul>
</section>
<section class="slide">
<h1>Introducing Brakeman</h1>
</section>
<section class="slide">
<h2>Brakeman</h2>
<h3>History and details:</h3>
<ul>
<li>Released August 27, 2010 by Justin aka PresidentBeef</li>
<li>Under very constant development with many contributors</li>
<li>Understands Rails 2 and 3</li>
<li>Written in Ruby 1.8 compatible syntax for maximum flexibility<ul>
<li>separate scanners for Ruby 1.8 and 1.9 parsing</li>
</ul>
</li>
</ul>
</section>
<section class="slide">
<h2>So what does it do?</h2>
<div class="slide">
<h3>Finds 0-day in your apps before others do!</h3>
</div>
<div class="slide">
<h3>"Standard" web vulnerabilities</h3>
<ul>
<li>XSS, CSRF, SQLi</li>
<li>User-controlled data (Command Injection, unsafe redirects, dynamic render paths, "dangerous evaluation", file-access)</li>
<li>Session and Authentication settings</li>
</ul>
</div>
<div class="slide">
<h3>Rails-specific vulnerabilities</h3>
<ul>
<li>Mass-Assignment (aka the Github vulnerability)</li>
<li>Unsafe model validators</li>
</ul>
</div>
<div class="slide">
<p>All of these are covered in the Rails Security Guide and at length on the web as well as in the Brakeman docs</p>
</div>
</section>
<section class="slide">
<h2>Does it work?</h2>
<div class="slide">
<h3>YEP!</h3>
</div>
<div class="slide">
<h4>At Highgroove a remote vulnerability was found on first running</h4>
</div>
<div class="slide">
<h4>... and patched 30s later.</h4>
</div>
</section>
<section class="slide">
<h2>How do I use it?</h2>
<ol>
<li>Install the gem<pre>~/rails_app $ gem install brakeman</pre>
</li>
<li>Run the scanner<pre>~/rails_app $ brakeman
[Notice] Detected Rails 3 application
Loading scanner...
[Notice] Using Ruby 1.9.3. Please make sure this matches the one used to run your Rails application.
Processing application in /Users/dworth/Documents/my_projects/badapp
Processing configuration...
[Notice] Escaping HTML by default
Processing gems...
# ... SNIP ...
Indexing call sites...
Running checks in parallel...
- CheckBasicAuth
- CheckCrossSiteScripting
# ... SNIP ...</pre>
</li>
</ol>
</section>
<section class="slide">
<h2>How do I use it? (con't)</h2>
<ol start="3">
<li>Take action! Read the console:<pre>+BRAKEMAN REPORT+
Application path: /Users/dworth/Documents/my_projects/badapp
Rails version: 3.2.1
Generated at 2012-04-11 16:17:02 -0400
Checks run: BasicAuth, CrossSiteScripting, DefaultRoutes, # ... SNIP ...
+SUMMARY+
+---------------------------------------------+
| Scanned/Reported | Total |
+---------------------------------------------+
| Controllers | 2 |
| Models | 1 |
| Templates | 1 |
| Errors | 0 |
| Security Warnings | 2 (1) |
| Ignored warnings due to annotations | 0 |
+---------------------------------------------+
# ... SNIP ...</pre>
</li>
</ol>
</section>
<section class="slide">
<h2>How do I use it? (con't)</h2>
<ol start="3">
<li>Take action! (con't)<ul>
<li>output to HTML<pre>-f html -o brakeman_report.html</pre>
</li>
</ul>
</li>
</ol>
</section>
<section class="slide">
<h2>Brakeman on the web</h2>
<ul>
<li>More Info<ul>
<li>
<a href="http://www.brakemanscanner.org">http://www.brakemanscanner.org</a>
</li>
<li>
<a href="http://github.com/presidentbeef/brakeman">http://github.com/presidentbeef/brakeman</a>
</li>
<li>
<a href="https://twitter.com/#!/brakeman">@brakeman</a>
</li>
</ul>
</li>
</ul>
<h2>Other Resources</h2>
<ul>
<li>
<a href="http://guides.rubyonrails.org/security.html">Ruby on Rails Security Guide</a>
</li>
<li>
<a href="https://www.owasp.org/index.php/Main_Page">OWASP - The Open Web Application Security Project</a>
</li>
<li>
<a href="https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation">Github's response to Egor's hack</a>
</li>
</ul>
</section>
</body>
<p class="deck-status">
<span class="deck-status-current"></span> /<span class="deck-status-total"></span>
</p>