Ruby Rails Testing

Hopefully some useful tips for auditing and bug hunting in Ruby on Rails apps.

  • Brakeman is a good start for automated static analysis of Rails source code: http://brakemanscanner.org/
  • Generate model and controller UML diagrams using https://github.com/preston/railroady
    • /myapp$ ~/railroady/bin/railroady -a -i -m -p -z -t --engine-controllers -C | dot -Tsvg > controllers.svg
  • Run $ rake routes (or $ rails routes on Rails 5+) to list controllers and routes
  • Improper use of regex: in Ruby, ^ and $ match at line boundaries, not string boundaries, so a format check such as /^...$/ can be bypassed by putting the valid value on one line and the payload on the next; whole-string validation needs \A and \z. http://guides.rubyonrails.org/security.html#regular-expressions
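The regex point above, as an added example (not code from the original page): a username and a URL check written with ^/$ beside the same checks written with \A/\z, run over constructed inputs that smuggle a payload behind a newline. The patterns and sample values are assumptions made up for illustration.

```ruby
# Added example, not from the original page: Ruby's ^ and $ are line anchors,
# so a "whole string" check built on them is bypassable with a newline.
# \A and \z anchor to the whole string. All inputs below are constructed.

# Username field: vulnerable (line anchors) vs hardened (string anchors).
WEAK_USERNAME   = /^[a-z0-9_]+$/
STRICT_USERNAME = /\A[a-z0-9_]+\z/

# URL field: the case the Rails security guide uses.
WEAK_URL   = /^https?:\/\/\S+$/i
STRICT_URL = /\Ahttps?:\/\/\S+\z/i

def weak_username?(s)
  WEAK_USERNAME.match?(s)
end

def strict_username?(s)
  STRICT_USERNAME.match?(s)
end

def weak_url?(s)
  WEAK_URL.match?(s)
end

def strict_url?(s)
  STRICT_URL.match?(s)
end

# Returns the inputs that the weak pattern accepts but the strict one rejects,
# i.e. exactly the bypasses an auditor is looking for.
def bypasses(weak, strict, inputs)
  inputs.select { |s| weak.match?(s) && !strict.match?(s) }
end

# Constructed test inputs: benign values plus newline-smuggling payloads.
USERNAME_INPUTS = [
  "alice",                             # benign
  "alice\n<script>alert(1)</script>",  # first line validates, payload rides along
  "alice\n",                           # $ also matches before a trailing newline; \z does not
]

URL_INPUTS = [
  "https://example.com/",                        # benign
  "javascript:alert(1)\nhttps://example.com/",   # second line satisfies ^...$
]

if __FILE__ == $PROGRAM_NAME
  puts "username bypasses: #{bypasses(WEAK_USERNAME, STRICT_USERNAME, USERNAME_INPUTS).inspect}"
  puts "url bypasses:      #{bypasses(WEAK_URL, STRICT_URL, URL_INPUTS).inspect}"
end
```

Rails 4 and later refuse a `validates ... format: { with: /^...$/ }` declaration with an ArgumentError unless `multiline: true` is passed, but that guard only covers the format validator; hand-rolled `=~`/`match?` checks in controllers, scopes, `before_action`s and sanitizers get no such protection, so grep for `^` and `$` in every regex the app applies to user input. Note also that `\Z` still tolerates one trailing newline; `\z` is the strict end-of-string anchor.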

Debug tips

  • <variable>.methods returns an array of the object's method names as symbols (subtract Object.instance_methods to drop the noise inherited from Object)
  • <variable>.inspect returns a human-readable string of the object's state, which is what the console and p print

Some useful links