griffinbyatt
Sobelow - Uncover vulnerabilities in your Phoenix projects
Sobelow
Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities.
Currently Sobelow detects some types of the following security issues:
- Insecure configuration
- Cross-Site Scripting
- SQL injection
- Directory traversal
- Unsafe serialization
Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.
There was some initial discussion, but I thought it could use its own thread. This is just the initial release, so additional features will be added over time, and I’m sure things will change and update based on feedback. Feel free to ask any questions here, or message me on the Elixir slack channel or Keybase chat. I’m @griffinmb on both!
You can find the repository here, and a video demo here!
Most Liked
griffinbyatt
Sobelow - 0.3.6
Sobelow will now warn you if your application is susceptible to publicly disclosed vulnerabilities. This was a much-requested feature in previous disclosure threads, so hopefully it gets put to good use!
Random info
- Sobelow automatically identifies valid vulnerabilities in around 90% of my 30ish-project body of tests. This is excluding HTTPS checks.
- The most common vulnerabilities are: missing HTTPS, known-vulnerable packages, directory traversal, and memory exhaustion.
- This will probably be the last addition I make to vulnerability checks for the next couple of weeks. I’m going to focus on refactoring and getting the API/configs locked down.
realcorvus
Good news, Sobelow is being actively maintained. Holden Oullette is the new maintainer, and my PR for adding HEEx support is included in the new release:
griffinbyatt
If sobelow helps you find and fix a vulnerability, let me know! I’d love to hear where it helps out. Additional feedback, feature suggestions, etc are also greatly appreciated ![]()
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








