What is a Brakeman?
In the 1800s a brakeman was a rail worker responsible for keeping the railroads safe by applying the brakes to each individual car. In this case, Brakeman is a security scanner for programs written in the Rails framework. Brakeman works by analyzing the source code of Ruby on Rails programs and highlighting vulnerabilities.
Installation is a breeze using RubyGems; alternatively, you can build it with the latest and greatest from GitHub. The project is really popular and is used by top companies such as Groupon, Twitter and GitHub itself.
gem install brakeman
git clone https://github.com/presidentbeef/brakeman.git
cd brakeman
docker build . -t brakeman
How is it used?
The main advantage of Brakeman is that it can run at any time during the development cycle, because all it needs is the source code, and it requires zero setup or configuration once installed. It comes with 3 different warning levels [high, medium, low], which give an estimate of the program's certainty about each warning. Brakeman is also much faster than black-box scanners, but it can only scan statically, not dynamically.
Brakeman comes with many scanning options, such as scanning a specified path, making each scan run in a single thread, or forcing Brakeman to run in Rails 3 or 4 mode. To run Brakeman locally, just use the brakeman command. To run it outside of Rails, use the same command followed by the path to the application. Brakeman will work with any version of Rails from version 2.4 until 6.x and can analyze code written in Ruby 1.8 syntax and beyond, but needs at least Ruby 2.4.0 to run efficiently.
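The warning levels can drive a build gate. The Ruby sketch below is an added example, not code from the Brakeman project: it reads a JSON report such as one written by `brakeman -f json -o report.json` and returns the warnings at or above a chosen level. The field names (`warnings`, `confidence`, `warning_type`, `file`, `line`) and the "Weak" label for the lowest level are assumptions about the report format, and the sample report is constructed.

```ruby
require "json"

# Constructed sample shaped like a Brakeman JSON report (not real scan output).
SAMPLE_REPORT = <<~REPORT
  {"warnings": [
    {"warning_type": "SQL Injection", "file": "app/models/user.rb", "line": 12,
     "confidence": "High", "message": "Possible SQL injection"},
    {"warning_type": "Cross-Site Scripting", "file": "app/views/posts/show.html.erb",
     "line": 4, "confidence": "Medium", "message": "Unescaped model attribute"},
    {"warning_type": "Redirect", "file": "app/controllers/sessions_controller.rb",
     "line": 30, "confidence": "Weak", "message": "Possible unprotected redirect"}
  ]}
REPORT

# Lower rank = more certain. "low" is accepted as an alias for "weak" (assumption).
RANK = { "high" => 0, "medium" => 1, "weak" => 2, "low" => 2 }.freeze

# Returns the warnings at or above the given confidence threshold.
# Unknown confidence labels are kept (fail closed), so a change in the
# report format cannot silently hide findings from the gate.
def blocking_warnings(report_json, threshold: "medium")
  limit = RANK.fetch(threshold.downcase) { raise ArgumentError, "unknown threshold: #{threshold}" }
  JSON.parse(report_json).fetch("warnings").select do |w|
    rank = RANK[w["confidence"].to_s.downcase]
    rank.nil? || rank <= limit
  end
end

# Counts warnings per confidence label for a short summary line.
def summarize(report_json)
  JSON.parse(report_json).fetch("warnings")
      .group_by { |w| w["confidence"] }
      .transform_values(&:count)
end

# Exit status a CI step could use: 0 when nothing blocks, 1 otherwise.
def gate_exit_code(report_json, threshold: "medium")
  blocking_warnings(report_json, threshold: threshold).empty? ? 0 : 1
end

blocking_warnings(SAMPLE_REPORT).each do |w|
  puts "#{w['confidence']}: #{w['warning_type']} at #{w['file']}:#{w['line']}"
end
puts "summary: #{summarize(SAMPLE_REPORT)}  gate: #{gate_exit_code(SAMPLE_REPORT)}"
```

In a pipeline, pass the contents of the real report file to `gate_exit_code` and use the result as the step's exit status.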
How much do we like it?
All in all, this tool and all of its advantages make me want to give it a 3/5 bunny rating. The fact that you can run this tool at any stage in development is very convenient, as is being able to scan individual paths. This tool seems like it could be every Ruby developer's dream tool.