Brakeman 101: Static Analysis Security Tool for Ruby on Rails Applications

ervinismu, published in pengenpaham
Feb 23, 2023 (4 min read)

Brakeman is a static analysis tool that checks Ruby on Rails applications for security vulnerabilities. It works on the source code alone, so it needs no running application or test data, and it generates reports we can use to analyze and fix the issues it finds.

Topics ✅

In this article we will cover the following topics:

  1. Installation
  2. Running
  3. Reporting
  4. Practice with Railsgoat
  5. References

1) Installation

Brakeman can be installed in several ways; in this article we install it with Bundler.

Edit your Gemfile and add the gem to the development group:

group :development do
  gem 'brakeman'
end

Then install it with:

bundle install

Follow 🌐 this link for details on the other installation options.

2) Running

Brakeman scans the current directory, so from the root of the Rails application a single command is enough:

brakeman

Brakeman comes with many command-line options ( 🌐 more detail here ). In this article we use a config file (for example brakeman.yml) instead, which keeps the options in one versioned place and makes it easy to combine several of them.

Run with config file :

Before we can use a config file, we need to create it. Running brakeman -C scripts/brakeman.yml writes a configuration file, based on the current options, to the path scripts/brakeman.yml.

Open the config file and add the following lines. As an example, we configure the skip_files and output_files options:

---
:skip_files:
- test/
:output_files:
- reports/brakeman.json
- reports/brakeman.html

Then run Brakeman again, pointing it at the config file:

brakeman -c scripts/brakeman.yml

More detail about the running options is in 🌐 this link.

3) Reporting

By default, Brakeman writes its report to stdout in text format.

Sample output using text format

Brakeman also has options that control where and how the report is written:

  • -o : Specify files for output. Defaults to stdout. Multiple ‘-o’s allowed
  • -f : Specify the output format. Default is text.

For example, to generate the report in HTML format and write it to report.html, the command looks like this:

brakeman -f html -o report.html

We can also generate multiple reports in one run; when -f is omitted, Brakeman infers each report's format from the file extension:

brakeman -o report.html -o report.json

Available formats:

  • text (default)
  • html
  • json (recommended for automation)
  • junit (JUnit XML)
  • markdown (with GitHub support)
  • table (old default)
  • tabs (tab-separated, originally for the Jenkins plugin, deprecated)
  • csv (deprecated)
  • codeclimate (for use with the Code Climate engine)
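Since JSON is the format recommended for automation, a natural next step is a CI job that reads reports/brakeman.json and fails the build when the scan finds something. The script below is an added example; it is not Brakeman's own code and not part of the original post. The sample report is constructed to match the shape of Brakeman's JSON output (a warnings array whose entries carry warning_type, confidence, fingerprint, file, line and message, plus an errors array); the exact field set, the accepted-fingerprint baseline and the brakeman_gate.rb filename are assumptions made for this example.

```ruby
require 'json'

# Constructed sample in the shape of `brakeman -f json` output; it is not a real
# scan result and only carries the fields this script reads.
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "/app", "brakeman_version": "5.4.0" },
    "warnings": [
      { "warning_type": "SQL Injection", "confidence": "High", "fingerprint": "a1",
        "file": "app/controllers/users_controller.rb", "line": 12,
        "message": "Possible SQL injection" },
      { "warning_type": "Cross-Site Scripting", "confidence": "Medium", "fingerprint": "b2",
        "file": "app/views/users/show.html.erb", "line": 3,
        "message": "Unescaped model attribute" },
      { "warning_type": "Mass Assignment", "confidence": "Weak", "fingerprint": "c3",
        "file": "app/models/user.rb", "line": 1,
        "message": "Mass assignment is not restricted" }
    ],
    "ignored_warnings": [],
    "errors": [],
    "obsolete": []
  }
JSON

# Brakeman reports each warning with one of these three confidence levels.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Warnings at or above min_confidence whose fingerprint is not in the accepted
# baseline (assumed here: a list of fingerprints the team has reviewed and accepted).
def blocking_warnings(report_json, min_confidence: 'Medium', baseline: [])
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch('warnings', []).select do |w|
    CONFIDENCE_RANK.fetch(w['confidence'], 0) >= threshold && !baseline.include?(w['fingerprint'])
  end
end

# Count of blocking warnings per warning type, e.g. { "SQL Injection" => 1 }.
def summarize(warnings)
  warnings.group_by { |w| w['warning_type'] }.transform_values(&:size)
end

# Print the blocking warnings and return the exit status a CI step should use:
# 0 when nothing blocks, 1 when warnings remain or the scan itself reported errors
# (an errored scan means parts of the app were never analyzed, so it must not pass).
def gate(report_json, min_confidence: 'Medium', baseline: [], out: $stdout)
  report = JSON.parse(report_json)
  errors = report.fetch('errors', [])
  unless errors.empty?
    out.puts "Brakeman reported #{errors.size} scan error(s); the scan is incomplete, failing the build"
    return 1
  end

  blocking = blocking_warnings(report_json, min_confidence: min_confidence, baseline: baseline)
  blocking.each do |w|
    out.puts format('%-6s %-22s %s:%s  %s', w['confidence'], w['warning_type'], w['file'], w['line'], w['message'])
  end
  summarize(blocking).each { |type, count| out.puts "#{type}: #{count}" }
  blocking.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  if ARGV[0]
    # Usage: ruby brakeman_gate.rb reports/brakeman.json [accepted fingerprint ...]
    exit gate(File.read(ARGV[0]), baseline: ARGV[1..])
  else
    puts "exit status for the constructed sample: #{gate(SAMPLE_REPORT)}"
  end
end
```

Run it after the Brakeman step in CI as ruby brakeman_gate.rb reports/brakeman.json and the job fails on any Medium or High warning that has not been explicitly accepted; Weak warnings are still visible in the HTML report but do not block. Keeping the baseline as a list of fingerprints rather than file and line numbers means an accepted warning stays accepted when unrelated code moves.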

Sample reports in different formats:

Report using format Text
Report using format HTML
Report using format Markdown

Warning Types

Brakeman groups its findings into warning types, such as SQL Injection, Cross-Site Scripting, Command Injection, Mass Assignment, Redirect and Remote Code Execution. Each warning also carries a confidence level (High, Medium or Weak) that indicates how sure Brakeman is that the finding is real, which is useful when deciding which warnings to fix first.

Read more detail about warning types in 🌐 this link!

4) Practice with Railsgoat

To practice scanning and fixing vulnerable code, we can use RailsGoat from the OWASP Foundation.

What is OWASP ?

The Open Worldwide Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. More 🌐 detail here!

Basically, RailsGoat is a deliberately vulnerable Ruby on Rails application whose issues follow the 🌐 OWASP Top 10, so running Brakeman against it is a good way to see real warnings and practice fixing them.

Source: https://owasp.org/Top10/

A step-by-step guide to setting up and using RailsGoat is in the link below:

Summary 🗒

Security is an important part of any application, and we must know the risks in the code we write. While almost no system is 100% secure, we should try to secure it as much as possible, and static analysis with Brakeman is a cheap check we can run on every change.

Thanks for reading! 😸 💻


ervinismu: full-time writer, part-time software engineer, lifelong learner. https://ruby.social/@ervinismu