Dawnscanner - Dawn Is A Static Analysis Security Scanner For Ruby Written Web Applications (Sinatra, Padrino And RoR Frameworks)


dawnscanner is a source code scanner designed to review your ruby code for security issues.
dawnscanner is able to scan plain ruby scripts (e.g. command line applications) but all its features are unleashed when dealing with web application source code. dawnscanner is able to scan the major MVC (Model View Controller) frameworks out of the box: Ruby on Rails, Sinatra and Padrino.

Quick update from November, 2018
As you can see, dawnscanner has been on hold for more than a year. Sorry for that. It's life. I was overwhelmed by tons of stuff and I dedicated my free time to Offensive Security certifications. Truth be told, I'm starting the OSCE journey very soon.
The dawnscanner project will be updated shortly with new security checks and kickstarted again.
Paolo

dawnscanner version 1.6.6 has 235 security checks loaded in its knowledge base. Most of them are CVE bulletins applying to gems or to the ruby interpreter itself. There are also some checks coming from the OWASP Ruby on Rails cheatsheet.

An overall introduction
When you run dawnscanner on your code it parses your project's Gemfile.lock looking for the gems used, and it tries to detect the ruby interpreter version you are using or the one you declared in the ruby version management tool you like most (RVM, rbenv, ...).
Then the tool tries to detect the MVC framework your web application uses and it applies the security checks accordingly. There are checks designed to match rails applications and checks that are applicable to any ruby code.
dawnscanner can also understand the code in your views and backtrack sinks to spot cross site scripting and sql injections introduced by the code you actually wrote. In the project roadmap this is the code most of the future development effort will be focused on.
The result of a dawnscanner security scan is a list of vulnerabilities with some mitigation actions you want to follow in order to build a stronger web application.

Installation
You can install the latest dawnscanner version, fetching it from Rubygems, by typing:
$ gem install dawnscanner
If you want to add dawn to your project Gemfile, you must add the following:
group :development do
  gem 'dawnscanner', :require => false
end
And then upgrade your bundle:
$ bundle install
You may want to build it from source, so you have to check it out from github first:
$ git clone https://github.com/thesp0nge/dawnscanner.git
$ cd dawnscanner
$ bundle install
$ rake install
The dawnscanner gem will be built in a pkg directory and then installed on your system. Please note that you have to manage dependencies on your own this way. It makes sense only if you want to hack on the code or something like that.

Usage
You can start your code review with dawnscanner very easily. Simply tell the tool the project root directory.
The underlying MVC framework is autodetected by dawnscanner using the target Gemfile.lock file. If autodetection fails for some reason, the tool will complain about it and you have to specify by hand whether it's a rails, sinatra or padrino web application.
Basic usage is to specify some optional command line options to fit your needs, and to specify the target directory where your code is stored.
$ dawn [options] target
If needed, there is a quick command line option reference obtained by running dawn -h at your OS prompt.
$ dawn -h
Usage: dawn [options] target_directory

Examples:
  $ dawn a_sinatra_webapp_directory
  $ dawn -C the_rails_blog_engine
  $ dawn -C --json a_sinatra_webapp_directory
  $ dawn --ascii-tabular-report my_rails_blog_ecommerce
  $ dawn --html -F my_report.html my_rails_blog_ecommerce

   -G, --gem-lock                   force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)
   -d, --dependencies               force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock

Reporting

   -a, --ascii-tabular-report       cause dawn to format findings using tables in ascii art (DEPRECATED)
   -j, --json                       cause dawn to format findings using json
   -K, --console                    cause dawn to format findings using plain ascii text
   -C, --count-only                 dawn will only count vulnerabilities (useful for scripts)
   -z, --exit-on-warn               dawn will return the number of found vulnerabilities as exit code
   -F, --file filename              tells dawn to write output to filename
   -c, --config-file filename       tells dawn to load configuration from filename

Disable security check family

       --disable-cve-bulletins      disable all CVE security checks
       --disable-code-quality       disable all code quality checks
       --disable-code-style         disable all code style checks
       --disable-owasp-ror-cheatsheet   disable all Owasp Ruby on Rails cheatsheet checks
       --disable-owasp-top-10       disable all Owasp Top 10 checks

Flags useful to query Dawn

   -S, --search-knowledge-base [check_name]   search check_name in the knowledge base
       --list-knowledge-base        list knowledge-base content
       --list-known-families        list security check families contained in dawn's knowledge base
       --list-known-framework       list ruby MVC frameworks supported by dawn
       --list-scan-registry         list past scan information stored in the scan registry

Service flags

   -D, --debug                      enters dawn debug mode
   -V, --verbose                    the output will be more verbose
   -v, --version                    show version information
   -h, --help                       show this help

Rake task
To include dawnscanner in your rake task list, you simply have to put this line in your Rakefile:
require 'dawn/tasks'
Then, executing $ rake -T, you will have a dawn:run task you can execute.
$ rake -T
...
rake dawn:run                  # Execute dawnscanner on the current directory
...

Interacting with the knowledge base
You can dump all security checks in the knowledge base this way:
$ dawn --list-knowledge-base
Useful in scripts, you can use --search-knowledge-base or -S with, as parameter, the name of the check you want to look up, to see whether it's implemented as a security control or not.
$ dawn -S CVE-2013-6421
07:59:30 [*] dawn v1.1.0 is starting up
CVE-2013-6421 found in knowledgebase.

$ dawn -S this_test_does_not_exist
08:02:17 [*] dawn v1.1.0 is starting up
this_test_does_not_exist not found in knowledgebase

dawnscanner security scan in action
As output, dawnscanner will print all the security checks that failed during the scan.
This is the result of Codesake::dawnscanner running against a Sinatra 1.4.2 web application written for a talk I delivered in 2013 at the Railsberry conference.
As you may see, dawnscanner first detects the MVC framework running the application by looking at Gemfile.lock, then it discards all security checks not applicable to Sinatra (49 security checks, in version 1.0, specifically designed for Ruby on Rails) and it applies the remaining ones.
$ dawn /src/hacking/railsberry2013
18:40:27 [*] dawn v1.1.0 is starting up
18:40:27 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
18:40:27 [$] dawn: sinatra v1.4.2 detected
18:40:27 [$] dawn: applying all security checks
18:40:27 [$] dawn: 109 security checks applied - 0 security checks skipped
18:40:27 [$] dawn: 1 vulnerabilities found
18:40:27 [!] dawn: CVE-2013-1800 check failed
18:40:27 [$] dawn: Severity: high
18:40:27 [$] dawn: Priority: unknown
18:40:27 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
18:40:27 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
18:40:27 [$] dawn: Evidence:
18:40:27 [$] dawn:      Vulnerable crack gem version found: 0.3.1
18:40:27 [*] dawn is leaving
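The dependency check described in the introduction, as applied in the scan above, shown as an added example that is not part of dawnscanner's own code: a small Ruby script parses the specs section of a constructed Gemfile.lock and applies a one-entry knowledge base modelled on the CVE-2013-1800 finding. The lock file contents, the knowledge-base hash layout and the function names are assumptions.

```ruby
require 'rubygems' # Gem::Version (stdlib) for proper version comparison
# Constructed sample Gemfile.lock, modelled on the Sinatra app scanned above.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crack (0.3.1)
        safe_yaml (~> 1.0.0)
      rack (1.5.2)
      sinatra (1.4.2)

  PLATFORMS
    ruby
LOCK
# Minimal knowledge base in the spirit of dawnscanner's CVE checks; only the
# CVE-2013-1800 entry comes from the page, the hash layout is an assumption.
KNOWLEDGE_BASE = [
  { name: 'CVE-2013-1800', gem: 'crack', fixed_in: '0.3.2', severity: 'high',
    solution: 'Please use crack gem version 0.3.2 or above.' }
].freeze
# Parse the specs: section into { gem => version }. Top-level specs sit at four
# spaces; deeper lines are their dependencies with constraints, not pinned versions.
def parse_gemfile_lock(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    in_specs = true  if line.strip == 'specs:'
    in_specs = false if line.strip.empty? # blank line closes the GEM block
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = m[2] if m
  end
  versions
end

# Apply every knowledge-base entry whose gem is present; a check fails when
# the locked version is below the fixed one (compared as versions, not text).
def run_checks(versions, kb = KNOWLEDGE_BASE)
  kb.map do |c|
    found = versions[c[:gem]]
    next if found.nil? || Gem::Version.new(found) >= Gem::Version.new(c[:fixed_in])
    c.merge(evidence: "Vulnerable #{c[:gem]} gem version found: #{found}")
  end.compact
end

run_checks(parse_gemfile_lock(SAMPLE_LOCK)).each do |v|
  puts "[!] #{v[:name]} check failed (#{v[:severity]}): #{v[:evidence]}"
end
```

Comparing with Gem::Version rather than string order matters: a locked crack 0.3.10 is newer than the 0.3.2 fix and must not be reported.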

When you run dawnscanner on a web application with up to date dependencies, it's likely to return a friendly "no vulnerabilities found" message. Keep it working that way!
This is dawnscanner running against a Padrino web application I wrote for a scorecard quiz game about application security. Italian language only. Sorry.
18:42:39 [*] dawn v1.1.0 is starting up
18:42:39 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
18:42:39 [$] dawn: padrino v0.11.2 detected
18:42:39 [$] dawn: applying all security checks
18:42:39 [$] dawn: 109 security checks applied - 0 security checks skipped
18:42:39 [*] dawn: no vulnerabilities found.
18:42:39 [*] dawn is leaving
If you need a fancy HTML report about your scan, just ask dawnscanner for it with the --html flag, used together with --file since I want to save the HTML to disk.
$ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
09:00:54 [*] dawn v1.1.0 is starting up
09:00:54 [*] dawn: report.html created (2952 bytes)
09:00:54 [*] dawn is leaving

Useful links
Project homepage: http://dawnscanner.org
Twitter profile: @dawnscanner
Github repository: https://github.com/thesp0nge/dawnscanner
Mailing list: https://groups.google.com/forum/#!forum/dawnscanner

Thanks to
saten: first issue posted about a typo in the README
presidentbeef: for his outstanding work that inspired me to create dawn and for double checking the comparison matrix. Issue #2 is yours :)
marinerJB: for misc bug reports and further ideas
Matteo: for ideas on the API and its usage with github.com hooks