-
-
Save streichsbaer/f4777dc012809162ac86d4f06790c748 to your computer and use it in GitHub Desktop.
brakeman scan result for RailsGoat
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Loading scanner... | |
| Processing application in /Users/at/src/github.com/OWASP/railsgoat | |
| Processing gems... | |
| [Notice] Detected Rails 5 application | |
| Processing configuration... | |
| [Notice] Escaping HTML by default | |
| Parsing files... | |
| Processing initializers... | |
| Processing libs...sed | |
| Processing routes... | |
| Processing templates... | |
| Processing data flow in templates... | |
| Processing models... | |
| Processing controllers... | |
| Processing data flow in controllers... | |
| Indexing call sites... | |
| Running checks in parallel... | |
| - CheckBasicAuth | |
| - CheckBasicAuthTimingAttack | |
| - CheckCrossSiteScripting | |
| - CheckContentTag | |
| - CheckCreateWith | |
| - CheckDefaultRoutes | |
| - CheckDeserialize | |
| - CheckDetailedExceptions | |
| - CheckDigestDoS | |
| - CheckDynamicFinders | |
| - CheckEscapeFunction | |
| - CheckEvaluation | |
| - CheckExecute | |
| - CheckFileAccess | |
| - CheckFileDisclosure | |
| - CheckFilterSkipping | |
| - CheckForgerySetting | |
| - CheckHeaderDoS | |
| - CheckI18nXSS | |
| - CheckJRubyXML | |
| - CheckJSONEncoding | |
| - CheckJSONParsing | |
| - CheckLinkTo | |
| - CheckLinkToHref | |
| - CheckMailTo | |
| - CheckMassAssignment | |
| - CheckMimeTypeDoS | |
| - CheckModelAttrAccessible | |
| - CheckModelAttributes | |
| - CheckModelSerialize | |
| - CheckNestedAttributes | |
| - CheckNestedAttributesBypass | |
| - CheckNumberToCurrency | |
| - CheckPermitAttributes | |
| - CheckQuoteTableName | |
| - CheckRedirect | |
| - CheckRegexDoS | |
| - CheckRender | |
| - CheckRenderDoS | |
| - CheckRenderInline | |
| - CheckResponseSplitting | |
| - CheckRouteDoS | |
| - CheckSafeBufferManipulation | |
| - CheckSanitizeMethods | |
| - CheckSelectTag | |
| - CheckSelectVulnerability | |
| - CheckSend | |
| - CheckSendFile | |
| - CheckSessionManipulation | |
| - CheckSessionSettings | |
| - CheckSimpleFormat | |
| - CheckSingleQuotes | |
| - CheckSkipBeforeFilter | |
| - CheckSQL | |
| - CheckSQLCVEs | |
| - CheckSSLVerify | |
| - CheckStripTags | |
| - CheckSymbolDoSCVE | |
| - CheckTranslateBug | |
| - CheckUnsafeReflection | |
| - CheckValidationRegex | |
| - CheckWithoutProtection | |
| - CheckXMLDoS | |
| - CheckYAMLParsing | |
| Checks finished, collecting results... | |
| Generating report... | |
| == Brakeman Report == | |
| Application Path: /Users/at/src/github.com/OWASP/railsgoat | |
| Rails Version: 5.1.6 | |
| Brakeman Version: 4.3.1 | |
| Scan Date: 2018-09-20 09:51:57 +0700 | |
| Duration: 0.926424 seconds | |
| Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CreateWith, CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions, DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute, FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS, I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref, MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible, ModelAttributes, ModelSerialize, NestedAttributes, NestedAttributesBypass, NumberToCurrency, PermitAttributes, QuoteTableName, Redirect, RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting, RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation, SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile, SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes, SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug, UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS, YAMLParsing | |
| == Overview == | |
| Controllers: 17 | |
| Models: 12 | |
| Templates: 27 | |
| Errors: 0 | |
| Security Warnings: 17 | |
| == Warning Types == | |
| Command Injection: 1 | |
| Cross-Site Request Forgery: 1 | |
| Cross-Site Scripting: 1 | |
| Dangerous Send: 1 | |
| File Access: 1 | |
| Format Validation: 1 | |
| Mass Assignment: 2 | |
| Remote Code Execution: 4 | |
| SQL Injection: 2 | |
| Session Setting: 3 | |
| == Warnings == | |
| Confidence: High | |
| Category: Cross-Site Request Forgery | |
| Check: ForgerySetting | |
| Message: 'protect_from_forgery' should be called in ApplicationController | |
| File: app/controllers/application_controller.rb | |
| Line: 2 | |
| Confidence: High | |
| Category: Cross-Site Scripting | |
| Check: CrossSiteScripting | |
| Message: Unescaped cookie value | |
| Code: cookies[:font] | |
| File: app/views/layouts/application.html.erb | |
| Line: 12 | |
| Confidence: High | |
| Category: Dangerous Send | |
| Check: Send | |
| Message: User controlled method execution | |
| Code: self.try(params[:graph]) | |
| File: app/controllers/dashboard_controller.rb | |
| Line: 16 | |
| Confidence: High | |
| Category: File Access | |
| Check: SendFile | |
| Message: Parameter value used in file name | |
| Code: send_file(params[:type].constantize.new(params[:name]), :disposition => "attachment") | |
| File: app/controllers/benefit_forms_controller.rb | |
| Line: 12 | |
| Confidence: High | |
| Category: Format Validation | |
| Check: ValidationRegex | |
| Message: Insufficient validation for 'email' using /.+@.+\..+/i. Use \A and \z as anchors | |
| File: app/models/user.rb | |
| Line: 13 | |
| Confidence: High | |
| Category: Mass Assignment | |
| Check: PermitAttributes | |
| Message: Potentially dangerous key allowed for mass assignment | |
| Code: params.require(:user).permit(:email, :admin, :first_name, :last_name) | |
| File: app/controllers/users_controller.rb | |
| Line: 55 | |
| Confidence: High | |
| Category: Remote Code Execution | |
| Check: UnsafeReflection | |
| Message: Unsafe reflection method constantize called with parameter value | |
| Code: params[:class].classify.constantize | |
| File: app/controllers/api/v1/mobile_controller.rb | |
| Line: 17 | |
| Confidence: High | |
| Category: Remote Code Execution | |
| Check: UnsafeReflection | |
| Message: Unsafe reflection method constantize called with parameter value | |
| Code: params[:class].classify.constantize | |
| File: app/controllers/api/v1/mobile_controller.rb | |
| Line: 10 | |
| Confidence: High | |
| Category: Remote Code Execution | |
| Check: UnsafeReflection | |
| Message: Unsafe reflection method constantize called with parameter value | |
| Code: params[:type].constantize | |
| File: app/controllers/benefit_forms_controller.rb | |
| Line: 11 | |
| Confidence: High | |
| Category: SQL Injection | |
| Check: SQL | |
| Message: Possible SQL injection | |
| Code: User.where("id = '#{params[:user][:id]}'") | |
| File: app/controllers/users_controller.rb | |
| Line: 29 | |
| Confidence: High | |
| Category: Session Setting | |
| Check: SessionSettings | |
| Message: Session cookies should be set to HTTP only | |
| File: config/initializers/session_store.rb | |
| Line: 4 | |
| Confidence: High | |
| Category: Session Setting | |
| Check: SessionSettings | |
| Message: Session secret should not be included in version control | |
| File: config/initializers/secret_token.rb | |
| Line: 9 | |
| Confidence: High | |
| Category: Session Setting | |
| Check: SessionSettings | |
| Message: Session secret should not be included in version control | |
| File: config/initializers/secret_token.rb | |
| Line: 8 | |
| Confidence: Medium | |
| Category: Command Injection | |
| Check: Execute | |
| Message: Possible command injection | |
| Code: system("cp #{full_file_name} #{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}") | |
| File: app/models/benefits.rb | |
| Line: 15 | |
| Confidence: Medium | |
| Category: Mass Assignment | |
| Check: MassAssignment | |
| Message: Parameters should be whitelisted for mass assignment | |
| Code: params.require(:user).permit! | |
| File: app/controllers/users_controller.rb | |
| Line: 50 | |
| Confidence: Medium | |
| Category: Remote Code Execution | |
| Check: Deserialize | |
| Message: Marshal.load called with parameter value | |
| Code: Marshal.load(Base64.decode64(params[:user])) | |
| File: app/controllers/password_resets_controller.rb | |
| Line: 6 | |
| Confidence: Medium | |
| Category: SQL Injection | |
| Check: SQL | |
| Message: Possible SQL injection | |
| Code: select("#{col}") | |
| File: app/models/analytics.rb | |
| Line: 3 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment