Add "Owasp Ror Cheatsheet" example to README file. #21

Closed
jasnow opened this Issue Jan 21, 2014 · 3 comments

Projects

None yet

2 participants

@jasnow
Contributor
jasnow commented Jan 21, 2014

Can you add this example to the README with details on how to fix it?
I am getting this on the first two projects I installed the gem in.
Maybe break the Owasp Ror Cheatsheet up into more specific vulnerabilities.
Finally fix the "refere" typo.

10:44:13 [*] dawn v1.0.0 is starting up
10:44:14 [$] dawn: scanning .
10:44:14 [$] dawn: rails v4.1.0.beta1 detected
10:44:14 [$] dawn: applying all security checks
10:44:14 [$] dawn: 142 security checks applied - 0 security checks skipped
10:44:14 [$] dawn: 1 vulnerabilities found
10:44:14 [$] dawn: Owasp Ror Cheatsheet failed
10:44:14 [$] dawn: Description: This Cheatsheet intends to provide quick basic Ruby on Rails security tips for developers. It complements, augments or emphasizes points brought up in the rails security guide from rails core.  The Rails framework abstracts developers from quite a bit of tedious work and provides the means to accomplish complex tasks quickly and with ease. New developers, those unfamiliar with the inner-workings of Rails, likely need a basic set of guidelines to secure fundamental aspects of their application. The intended purpose of this doc is to be that guide.
10:44:14 [$] dawn: Solution: Please refere to the Ruby on Rails cheatsheet available from owasp.org to mitigate this vulnerability
10:44:14 [!] dawn: Evidence:**
10:44:14 [!] dawn: [{:filename=>"./config/environments/production.rb",  :matches=>[{:match=>"  # Add `rack-cache` to your Gemfile before enabling this.\n", :line=>17}]}]
10:44:14 [!] dawn: []
10:44:14 [!] dawn: []
10:44:14 [!] dawn: []
10:44:14 [*] dawn is leaving

Thanks

@thesp0nge
Owner

Hi @jasnow thank your for the submission. I think that splitting Owasp Ror Cheatsheet is the best option I can see to leverage this issue.

Paolo

@jasnow
Contributor
jasnow commented Jan 21, 2014

Here is a repo to demo this output: https://github.com/jasnow/rt_first_app
This is Rails Tutorial's First app (based on 3.0 version, but updated to 4.1.x) - very basic.

@jasnow
Contributor
jasnow commented Jan 21, 2014

Also getting this on Rails 3.2.16 projects:

to mitigate this vulnerability
11:53:54 [!] dawn: Evidence:
11:53:54 [!] dawn: []
11:53:54 [!] dawn: []
11:53:54 [*] dawn is leaving
@thesp0nge thesp0nge was assigned Jan 21, 2014
@thesp0nge thesp0nge referenced this issue Jan 22, 2014
Closed

typo fixed #23

@thesp0nge thesp0nge added a commit that referenced this issue Jan 24, 2014
@thesp0nge Fixing issue #21. Added mitigation string for existing RoR security
cheatsheet tests. This would lead to a better and more comprehensive
output for rails apps.
e8a8cd7
@thesp0nge thesp0nge closed this Jan 25, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment