
awesome-rails-security

Public repository: 56 stars, 12 forks, 4 issues

Commits

List of commits on branch master (all unverified signatures; each committed by 00xedward 6 years ago):

  • 3c70d52393ab0252f83c3ea21095b3df8a81494e - Update README.md
  • 1bbe5c4b07259018d678dab4ee601e88f9c920af - Update README.md
  • 2beda3bc1d5f200572752d6c146c73b443640866 - Add code-of-conduct.md
  • 07c0db8875f3c319b60fb820ab5be67e103b2efb - Add contributing.md
  • dd1daba0ed0bde9071eecc6e6134be32732a1cdd - Initial commit of gems and resources
  • 2ac32ee0fe96f9272f172490c0649d6488a86f1c - Initial commit

README


Awesome Rails Security


A curated list of security resources for a Ruby on Rails application

Table of Contents

Gems

Authentication and OAuth

  • Devise - Flexible authentication solution for Rails with Warden
  • Devise Security - A Devise extension to add additional security features required by modern web applications
  • Warden - General Rack Authentication Framework
  • AuthLogic - An unobtrusive ruby authentication library based on ActiveRecord
  • OmniAuth - A library that standardizes multi-provider authentication for web applications
  • JWT - A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard
  • Knock - Seamless JWT authentication for Rails API

Authorization

  • CanCanCan - An authorization library for Ruby and Ruby on Rails which restricts what resources a given user is allowed to access.
  • Pundit - Pundit provides a set of helpers which guide you in leveraging regular Ruby classes and object-oriented design patterns to build a simple, robust and scalable authorization system

Rate Limiting

  • ReCaptcha - A plugin that adds helpers for the reCAPTCHA API

Request Management

  • Secure Headers - Manages application of security headers with many safe defaults
  • Rack::Attack - Rack middleware for blocking & throttling
  • ssrf_filter - A ruby gem for defending against Server Side Request Forgery (SSRF) attacks

Static Code Analysis

  • Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
  • bundler-audit - Patch-level verification for Bundler
  • Ruby Advisory Database - A database of vulnerable Ruby Gems. You can check your own Gemfile.locks against this database by using bundler-audit.
  • RuboCop - A Ruby static code analyzer and formatter, based on the community Ruby style guide
  • dawnscanner - A source code scanner designed to review your ruby code for security issues

File Upload

  • CarrierWave - A gem that provides a simple and extremely flexible way to upload files from Ruby applications

Logging and Monitoring

  • Exception Notification - A gem that provides a set of notifiers for sending notifications when errors occur in a Rack/Rails application

Password Strength

  • zxcvbn-ruby - Ruby port of zxcvbn.js (Low-Budget Password Strength Estimation)

Tools

Static Code Analysis

  • rails_best_practices - A code metric tool to check the quality of Rails code
  • Hawkeye scanner-cli - A project security, vulnerability and general risk highlighting tool
  • git-secrets - Prevents you from committing passwords and other sensitive information to a git repository
  • Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies
  • GuardRails - Continuous security feedback for your GitHub repositories
  • Hakiri - Hakiri monitors Ruby apps for dependency and code security vulnerabilities

Logging and Monitoring

  • Sqreen - Unified security monitoring and protection for modern cloud & on-prem environments
  • Report URI

Security Vulnerability Advisories

Resources

Official Resources

Labs - Vulnerable Applications

  • OWASP RailsGoat - A vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers and security professionals.
  • DeleteMe - Educational insecure Rails application
  • Checkmarx - Codebashing - Lessons on common vulnerabilities implemented in Rails. Lessons on SQL Injection, XXE and Stored XSS are free.
  • PentesterLab - Provides some vulnerable Rails environments to learn about security vulnerabilities, such as CVE-2019-5420

Best Practices

Anti-Patterns

Additional Reading

Reporting Bugs