Dawnscanner - The raising security scanner for ruby web applications

dawn is a source code scanner designed to review your web applications for security issues.

The tool is able to scan web applications written in Ruby and it supports all major MVC (Model View Controller) frameworks, out of the box:

• Ruby on Rails
• Sinatra
• Padrino

dawn version 2.0 has 680+ security checks loaded in its knowledge base which is weekly updated from the National Vulnerability Database by NIST.

A brief "how it works"

When you run dawn on your code it parses your project Gemfile.lock looking for the gems used and it tries to detect the ruby interpreter version you are using or you declared in your ruby version management tool you like most (RVM, rbenv, ...).

Then the tool tries to detect the MVC framework your web application uses and it applies the security check accordingly. There checks designed to match rails application or checks that are appliable to any ruby code.

dawn can also understand the code in your views and to backtrack sinks to spot cross site scripting and sql injections introduced by the code you actually wrote (in the project roadmap this is the code most of the future development effort will be focused on).

dawn security scan result is a list of vulnerabilities with some mitigation actions you want to follow in order to build a stronger web application.

Installation

You can install latest dawn version, fetching it from Rubygems by typing:

$ gem install dawnscanner

After that, you need to download the knowledge base from Github and unpack the archive to $HOME/dawnscanner/kb directory.

A typical kb directory layout is similar to this:

$ ll ~/dawnscanner/kb
total 56K
drwxr-xr-x 2 thesp0nge users  28K 29 mar 18.27 bulletin
drwxr-xr-x 2 thesp0nge users   72  7 lug  2021 generic_check
-rw-r--r-- 1 thesp0nge users   65 29 mar 17.06 kb.yaml
-rw-r--r-- 1 thesp0nge users   74 29 mar 17.06 kb.yaml.sig
drwxr-xr-x 2 thesp0nge users 4,0K  7 lug  2021 owasp_ror_cheatsheet

The knowledge base is structured this way:

• bulletin is the folder where all CVE downloaded from NIST are stored.
• generic_check is the folder with all custom checks for your code
• owasp_ror_cheatsheet is for the Owasp Ruby on Rails cheatsheet recomendations

Usage

Starting from version 2.0, the tool uses subcommands to start specific tasks, each of them with specific help messages.

Scanning a project

The scan subcommand tells dawn to scan the specified target for security issues.

$ dawn scan target

At the moment results are available in text format only and they are stored in a directory named with the scan timestamp, under $HOME/dawnscanner/results/target, where target is the name of the application being analyzed.

Querying the knowledge base

Is it possible, with the kb subcommand, to query the knowledge base.

dawn kb find                        # Searches the knowledge base for a given vulnerability
dawn kb help [COMMAND]              # Describe subcommands or one specific subcommand
dawn kb lint                        # Checks knowledge base content for correcteness
dawn kb list gem_name[gem_version]  # List all security issues affecting a gem passed as argument (the version string is optional).
dawn kb status                      # Checks the status of the knowledge base
dawn kb unpack                      # Unpacks security checks in KB library path

Useful links

Twitter profile: @dawnscanner Github repository: https://github.com/thesp0nge/dawnscanner

Support us

Feedbacks are great and we really love to hear your voice.

If you're a proud dawn user, if you find it useful, if you integrated it in your release process and if you want to openly support the project you can put your reference here. Just open an issue with a statement saying how do you feel the tool and your company logo if any.

Thank you.

Thanks to

saten: first issue posted about a typo in the README

presidentbeef: for his outstanding work that inspired me creating dawn and for double check comparison matrix. Issue #2 is yours :)

marinerJB: for misc bug reports and further ideas

Matteo: for ideas on API and their usage with github.com hooks

LICENSE

Copyright (c) 2013-2023 Paolo Perego [email protected]

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.