griffinbyatt

griffinbyatt

Sobelow - Uncover vulnerabilities in your Phoenix projects

Sobelow

Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities.

Currently Sobelow detects some types of the following security issues:

  • Insecure configuration
  • Cross-Site Scripting
  • SQL injection
  • Directory traversal
  • Unsafe serialization

Potential vulnerabilities are flagged in different colors according to confidence in their insecurity. High confidence is red, medium confidence is yellow, and low confidence is green.

There was some initial discussion, but I thought it could use its own thread. This is just the initial release, so additional features will be added over time, and I’m sure things will change and update based on feedback. Feel free to ask any questions here, or message me on the Elixir slack channel or Keybase chat. I’m @griffinmb on both!

You can find the repository here, and a video demo here!

Most Liked

griffinbyatt

griffinbyatt

Sobelow - 0.3.6

Sobelow will now warn you if your application is susceptible to publicly disclosed vulnerabilities. This was a much-requested feature in previous disclosure threads, so hopefully it gets put to good use!


Random info

  • Sobelow automatically identifies valid vulnerabilities in around 90% of my 30ish-project body of tests. This is excluding HTTPS checks.
  • The most common vulnerabilities are: missing HTTPS, known-vulnerable packages, directory traversal, and memory exhaustion.
  • This will probably be the last addition I make to vulnerability checks for the next couple of weeks. I’m going to focus on refactoring and getting the API/configs locked down.
realcorvus

realcorvus

Good news, Sobelow is being actively maintained. Holden Oullette is the new maintainer, and my PR for adding HEEx support is included in the new release:

griffinbyatt

griffinbyatt

If sobelow helps you find and fix a vulnerability, let me know! I’d love to hear where it helps out. Additional feedback, feature suggestions, etc are also greatly appreciated :slight_smile:

Where Next?

Popular in Discussions Top

PragTob
Hello everyone, I know we had quite some threads (read through lots of them) about background job processing but it remains a hotly deba...
New
blackode
Elixir Upgrading is so Simple in Ubuntu and It worked for me Ubuntu 16.04 git clone https://github.com/elixir-lang/elixir.git cd elixir...
New
owaisqayum
I have a sample string sentence = "Hello, world ... 123 *** ^%&*())^% %%:>" From this string, I want to only keep the integers, ...
New
arpan
Hello everyone :wave: Today I am very excited to announce a project that I have been working on for almost 3 months now. The project is...
New
pillaiindu
I want to convert a Phoenix LiveView CRUD website to a CRUD mobile app. What do you think is the easiest way to do so?
New
ben-pr-p
In general I’ve been sticking to this community style guide GitHub - christopheradams/elixir_style_guide: A community driven style guide ...
New
chulkilee
Here are the list of HTTP client libraries/wrappers, and some thoughts on HTTP client in general. I’d like to hear from others how they w...
New
AstonJ
Can you believe the first professionally published Elixir book was published just 8 years ago? Since then I think we’ve seen more books f...
New
AstonJ
If so I (and hopefully others!) might have some tips for you :slight_smile: But first, please say which area you’re finding most challen...
New
opsb
We’re considering our architecture from a viewpoint of scaling our traffic heavily over the next 6 months. Our current deployment is runn...
New

Other popular topics Top

albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
dokuzbir
I want to highlight html closing tags when i click a html tag. That works in .html files but doesnt work for html.eex templates. How can...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
freewebwithme
Using vs code and installed ElixirLS: support and debugger. And I got an error popped up on start up says Failed to run ‘elixir’ comma...
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
klo
Got a question about when to concat vs. prepending items to list then reversing to achieve appending. So i know lists boil down to [1 | ...
New
sergio
Kind of like when jquery came out, it was super necessary. Existing drag and drop libraries have a bunch of baggage to support old browse...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

We're in Beta

About us Mission Statement