Brakeman VS BeEF

Brakeman - “Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis”

My team and I released Bearer a couple of weeks ago, a newer open and free alternative to Brakeman to check your code for security and privacy risks. In addition to Ruby/Rails, we also cover your JS/TS code, which allows you to use a single solution for your whole Rails application.

Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications. It finds potential security issues in Rails applications by examining the Ruby code. Brakeman helps find and fix security holes before deploying your Rails app.

brakeman is another useful Ruby gem that is a static analysis security vulnerability scanner for Ruby on Rails applications.

You might find brakeman interesting: https://brakemanscanner.org

It’s assumed that you already have a Rails app and use Brakeman to keep your app secure and Rspec to run your test cases.

Another great lib for this is Brakeman, which can be installed in a very similar process and gives you even more detailed reports:

This is pretty easy to handle. In the case where a splatted array is the only argument to a method, we'll simply use the elements of the array as the argument list. (Check out the pull request here)

Ha, fun to see this again! Back before everything was HTTPS, it was fun to use the Browser Exploitation Framework (https://beefproject.com) which had a script included that did this. Though in those cases I wasn't in control of the gateway, so ARP spoofing was required to get other devices to route through me.

For example IOS WebKit has a bunch of vulnerabilities announced recently. and one of those could be used via the Browser Exploitation Framework to install malware on your phone with you just clicking the link.

Motivation is a key part, so those attacks are more theoretical than practically dangerous, however there is a class of attacks that's based on the fact that your browser can make arbitrary network connections, so unprivileged javascript can be used for some scans of your local network - for example, your router's internally accessible admin page or some vulnerability in a printer accessible in local network, as the attacker might guess commonly used models, the internal IP addresses they use by default, etc. For example, you might take a look at https://beefproject.com/

This is something that kind of annoys me; there's even a /r/rails sub-reddit specifically for Ruby on Rails stuff. Understandably Rails helped put Ruby on the map. Before Rails, Ruby was just another fringe language. Rails became massively popular, helped many startups quickly build their Web 2.0 sites, and become successful companies (ex: GitHub, LinkedIn, AirBnB, etc). Like others have said, "Rails is where the money is at". However, this posses a problem for the Ruby community: whenever Rails becomes less popular, so does Ruby. I wish the Ruby ecosystem wasn't so heavily centralized around Rails, and that we diversified our uses of Ruby a bit. There's of course Sinatra, dry-rb, Hanami, Dragon Ruby, SciRuby, and a dozen security tools written in Ruby such as Metasploit, BeFF, Arachni, and Ronin.

If you can open any webpage there then I would recommend using BeEF https://beefproject.com/

Perhaps https://beefproject.com/

If you want an example of what exploiting a browser can do, see the capabilities of the Browser Exploitation Framework (BEef): https://github.com/beefproject/beef/wiki/BeEF-modules

Take a look at BeEF framework - https://beefproject.com/ that's pretty much all the things you can do from a browser.