Commit cd1663f, authored by @presidentbeef: Initial release
Can detect:
- Possibly unescaped model attributes or parameters in views (Cross Site Scripting)
- Bad string interpolation in calls to Model.find, Model.last, Model.first, etc., as well as chained calls (SQL Injection)
- String interpolation in find_by_sql (SQL Injection)
- String interpolation or params in calls to system, exec, and syscall, and in backtick execution (``) (Command Injection)
- Unrestricted mass assignments
- Global restriction of mass assignment
- Missing call to protect_from_forgery in ApplicationController (CSRF protection)
- Default routes, per-controller and globally
- Redirects based on params (probably too broad currently)
- Validation regexes not using \A and \z
- Calls to render with dynamic paths

General capabilities:
- Search for method calls based on target class and/or method name
- Determine 'output' of templates using ERB, Erubis, or HAML. Can handle automatic escaping
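The "validation regexes not using \A and \z" check above rests on a Ruby regex detail worth seeing in running code. The following is an added example written for this page, not code from Brakeman: it contrasts a line-anchored (^/$) format validation with a string-anchored (\A/\z) one on a constructed two-line value, and includes a small source-level check in the spirit of that detection (the regex names and sample values are assumptions).

```ruby
# Added example (not part of Brakeman): why a format validation anchored with
# ^ and $ is weaker than one anchored with \A and \z.
#
# In Ruby, ^ and $ match at the start and end of any LINE, while \A and \z
# match only at the start and end of the whole STRING. A validation written
# with ^...$ therefore accepts a multi-line value as long as one line matches.

LINE_ANCHORED   = /^[a-z0-9_]+$/   # weak: per-line anchors
STRING_ANCHORED = /\A[a-z0-9_]+\z/ # strong: whole-string anchors

# True when the value satisfies the regex (Ruby's =~ returns an index or nil).
def matches?(regex, value)
  !!(value =~ regex)
end

# Constructed sample values: a well-formed username and one carrying a second line.
SAMPLES = {
  "alice"        => true,  # should pass both validations
  "alice\nextra" => false  # should fail; the ^/$ version wrongly accepts it
}

# Minimal source-level check in the spirit of the detection: a regex literal
# that opens with ^ or closes with an unescaped $ is only line-anchored.
def weakly_anchored?(regex)
  src = regex.source
  src.start_with?("^") || (src.end_with?("$") && !src.end_with?("\\$"))
end

if __FILE__ == $0
  SAMPLES.each do |value, expected|
    puts "#{value.inspect}: ^/$ => #{matches?(LINE_ANCHORED, value)}, " \
         "\\A/\\z => #{matches?(STRING_ANCHORED, value)}, expected => #{expected}"
  end
  puts "line-anchored regex flagged: #{weakly_anchored?(LINE_ANCHORED)}"
  puts "string-anchored regex flagged: #{weakly_anchored?(STRING_ANCHORED)}"
end
```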