
Security checks for Ruby apps

If you, like me, maintain a lot of Ruby apps and want a quick check of the code for known weak spots, Codesake::Dawn, a static security scanner for Ruby web applications, could be a useful gem.

This gem supports Rails, Sinatra and Padrino apps. To install it in a Rails app, add the gem to the development group in the Gemfile:

group :development do
  gem 'codesake-dawn', require: false
end

then run bundle install.
Next, add this line to the Rakefile so the dawn tasks are available:

require 'codesake/dawn/tasks'

That completes the installation. To scan the app, run rake dawn:run from the application root:

~$ rake dawn:run
15:27:03 [*] dawn v1.1.0 is starting up
15:27:04 [$] dawn: scanning .
15:27:04 [$] dawn: rails v4.0.3 detected
15:27:04 [$] dawn: applying all security checks
15:27:04 [$] dawn: 171 security checks applied - 0 security checks skipped
15:27:04 [$] dawn: 1 vulnerability found
15:27:04 [!] dawn: Owasp Ror CheatSheet: Session management check failed
15:27:04 [$] dawn: Severity: info
15:27:04 [$] dawn: Priority: unknown
15:27:04 [$] dawn: Description: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
15:27:04 [$] dawn: Solution: Use ActiveRecord or the ORM you love most to handle your code session_store. Add "Application.config.session_store :active_record_store" to your session_store.rb file.
15:27:04 [$] dawn: Evidence:
15:27:04 [$] dawn: 	In your session_store.rb file you are not using ActiveRercord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack.
15:27:04 [$] dawn: 	{:filename=>"./config/initializers/session_store.rb", :matches=>[]}
15:27:04 [*] dawn is leaving
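Two things are worth reading carefully in that finding. The evidence line ends with :matches=>[], so the check fired simply because the session initializer contains no ActiveRecord reference, which is why it is reported as info rather than as a real vulnerability. And the problem it describes is replay, not forgery: the default Rails cookie store signs the cookie with secret_key_base, so a client cannot tamper with it, but the server keeps no record of the session and therefore cannot invalidate a cookie that was copied while the user was logged in. The following added example (not code from the post or from Codesake::Dawn) simulates both strategies with nothing but the Ruby standard library, so the difference can be seen in code. The secret, the user ids, the class names and the in-memory hash standing in for the sessions table are all made up for the demonstration.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Added example: a stand-in for Rails' secret_key_base, generated per run.
SECRET = SecureRandom.hex(32)

# Cookie-based session, modelled on the default Rails CookieStore: the whole
# session travels in a signed cookie and the server stores nothing. It can
# verify the signature, but it has no way to know the session was logged out.
class CookieSessionStore
  def initialize(secret)
    @secret = secret
  end

  # Returns the cookie value the browser would receive after login.
  def login(user_id)
    payload = Base64.strict_encode64(JSON.generate('user_id' => user_id))
    "#{payload}--#{sign(payload)}"
  end

  # Logout only tells the browser to drop the cookie; nothing changes server-side,
  # so any copy of the cookie taken earlier keeps verifying.
  def logout(_cookie)
    nil
  end

  # Returns the user id if the signature verifies, nil otherwise.
  def current_user(cookie)
    return nil if cookie.nil?
    payload, sig = cookie.split('--', 2)
    return nil unless sig && secure_compare(sign(payload), sig)
    JSON.parse(Base64.strict_decode64(payload))['user_id']
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, data)
  end

  # Constant-time comparison so signature checks do not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Server-side session, modelled on what an ActiveRecord session store gives you:
# the cookie carries only an opaque id and the state lives on the server, so
# logout and expiry can actually revoke it. The hash is a made-up stand-in for
# the sessions table.
class ServerSessionStore
  def initialize(ttl_seconds)
    @ttl = ttl_seconds
    @sessions = {}
  end

  def login(user_id, now = Time.now)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user_id: user_id, expires_at: now + @ttl }
    sid
  end

  def logout(sid)
    @sessions.delete(sid)
    nil
  end

  def current_user(sid, now = Time.now)
    record = @sessions[sid]
    return nil if record.nil?
    if record[:expires_at] <= now
      @sessions.delete(sid)   # expired sessions are purged on first use
      return nil
    end
    record[:user_id]
  end
end

# Replay scenario: the cookie is captured while the victim is logged in, the
# victim logs out, and the captured copy is presented again. Returns the user id
# the server now believes is logged in, or nil if the replay was rejected.
def replay_after_logout(store, user_id)
  cookie = store.login(user_id)
  captured = cookie.dup
  store.logout(cookie)
  store.current_user(captured)
end

# Forgery scenario for the cookie store: keep the valid signature but swap the
# payload for another user. True means the server accepted the forged cookie.
def forged_cookie_accepted?(store, user_id)
  cookie = store.login(user_id)
  _payload, sig = cookie.split('--', 2)
  forged = "#{Base64.strict_encode64(JSON.generate('user_id' => 'admin'))}--#{sig}"
  !store.current_user(forged).nil?
end

if $PROGRAM_NAME == __FILE__
  cookie_store = CookieSessionStore.new(SECRET)
  server_store = ServerSessionStore.new(3600)
  puts "cookie store, replay after logout : #{replay_after_logout(cookie_store, 42).inspect}"
  puts "cookie store, forged cookie       : #{forged_cookie_accepted?(cookie_store, 42)}"
  puts "server store, replay after logout : #{replay_after_logout(server_store, 42).inspect}"
end
```

The cookie store rejects the forged cookie but happily accepts the replayed one, while the server-side store returns nil for the replay and can also expire sessions on its own clock. In a Rails 4 app the fix Dawn suggests needs one extra step beyond the config line it quotes: ActiveRecord::SessionStore was extracted from Rails into the activerecord-session_store gem in 4.0, so add that gem, create the table with rails generate active_record:session_migration followed by rake db:migrate, and then set Rails.application.config.session_store :active_record_store in config/initializers/session_store.rb, ideally with an expire_after: option so stale sessions time out server-side.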