griffinbyatt

griffinbyatt

Sobelow - Uncover vulnerabilities in your Phoenix projects

Sobelow

Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities.

Currently Sobelow detects some types of the following security issues:

  • Insecure configuration
  • Cross-Site Scripting
  • SQL injection
  • Directory traversal
  • Unsafe serialization

Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.

There was some initial discussion, but I thought it could use its own thread. This is just the initial release, so additional features will be added over time, and I’m sure things will change and update based on feedback. Feel free to ask any questions here, or message me on the Elixir slack channel or Keybase chat. I’m @griffinmb on both!

You can find the repository here, and a video demo here!

Most Liked

griffinbyatt

griffinbyatt

Sobelow - 0.3.6

Sobelow will now warn you if your application is susceptible to publicly disclosed vulnerabilities. This was a much-requested feature in previous disclosure threads, so hopefully it gets put to good use!


Random info

  • Sobelow automatically identifies valid vulnerabilities in around 90% of my 30ish-project body of tests. This is excluding HTTPS checks.
  • The most common vulnerabilities are: missing HTTPS, known-vulnerable packages, directory traversal, and memory exhaustion.
  • This will probably be the last addition I make to vulnerability checks for the next couple of weeks. I’m going to focus on refactoring and getting the API/configs locked down.
realcorvus

realcorvus

Good news, Sobelow is being actively maintained. Holden Oullette is the new maintainer, and my PR for adding HEEx support is included in the new release:

griffinbyatt

griffinbyatt

If sobelow helps you find and fix a vulnerability, let me know! I’d love to hear where it helps out. Additional feedback, feature suggestions, etc are also greatly appreciated :slight_smile:

Where Next?

Popular in Discussions Top

Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
owaisqayum
I have a sample string sentence = "Hello, world ... 123 *** ^%&*())^% %%:>" From this string, I want to only keep the integers, ...
New
Fl4m3Ph03n1x
Background A few days ago I was listening to The future of Elixir from Elixir Talks, with Dave Thomas (@pragdave ) and Brian Mitchell. I...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 53690 245
New
Qqwy
Looking at the stacks that existing large companies have used, WhatsApp internally uses Mnesia to store the messages, while Discord uses ...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
AstonJ
Are there any Elixir or Erlang libraries that help with this? I’ve been thinking how streaming services like twitch have exploded recentl...
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31142 143
New
Qqwy
I would like to spark a discussion about the static access operator: .. For whom does not know: it is used in Elixir to access fields of...
New
AstonJ
Can you believe the first professionally published Elixir book was published just 8 years ago? Since then I think we’ve seen more books f...
New

Other popular topics Top

marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
chrismccord
As promised, the first release candidate of Phoenix 1.3.0 is out! This release focuses on code generators with improved project structure...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement