Format sample — findings below are representative, drawn from common Rails vulnerability patterns, not from a real client.

Rails Security Audit — Findings Report

Client
<redacted>
Application
Rails 7.0 monolith, ~48k LOC
Audit window
5 business days
Auditor
Senior Rails engineer, 13 yrs

Executive summary

The audit identified 3 critical, 4 high, 6 medium, and 5 low severity findings. The three most urgent: a SQL injection reachable from the public search field (RSA-001); an unrestricted mass assignment in the admin area allowing privilege escalation (RSA-002); and session cookies issued without transport/script protections (RSA-003). All three have low-effort fixes and should be patched before the next release.

Critical High Medium Low

Findings (excerpt — 4 of 18)

RSA-001 SQL injection via string-interpolated search scope

Critical

app/models/order.rb:34

The `search` scope builds a WHERE clause by interpolating user input directly into the SQL string. Any value passed to the search box reaches the database unescaped.

Impact: An attacker can read arbitrary rows from any table — including password digests and API tokens — or modify data, using nothing but the public search field.

- scope :search, ->(q) { where("reference LIKE '%#{q}%'") }
+ scope :search, ->(q) { where("reference LIKE ?", "%#{Order.sanitize_sql_like(q)}%") }

RSA-002 Mass assignment: permit! on admin params

High

app/controllers/admin/users_controller.rb:52

`params.require(:user).permit!` whitelists every attribute, including `role` and `admin` flags. Any request that reaches this action can set any column on User.

Impact: A compromised or malicious staff account can escalate itself (or any user) to full admin by adding one form field to the request.

- def user_params
- params.require(:user).permit!
- end
+ def user_params
+ params.require(:user).permit(:name, :email, :department_id)
+ end

RSA-003 Session cookies missing Secure/HttpOnly flags in production

Medium

config/environments/production.rb

The session cookie is issued without `secure: true` and `httponly: true`, so it can travel over plain HTTP and is readable from JavaScript.

Impact: On any shared or intercepted network, the session token can be captured and replayed; an XSS bug anywhere on the site immediately becomes full account takeover.

+ config.session_store :cookie_store,
+ key: "_app_session",
+ secure: true,
+ httponly: true,
+ same_site: :lax

RSA-004 Outdated nokogiri with known ReDoS advisory

Low

Gemfile.lock — nokogiri 1.13.x

The locked nokogiri version carries a published low-severity ReDoS advisory in its bundled libxml2. No exploit path was found in this app's current usage, but the dependency is two minor versions behind.

Impact: Crafted input to any future XML/HTML parsing path could pin a worker process. Low today; cheap to eliminate now.

# Gemfile
- gem "nokogiri", "~> 1.13.0"
+ gem "nokogiri", "~> 1.16"
# then: bundle update nokogiri && bundle exec rspec

Prioritized action plan

Order Finding Impact Effort
1 RSA-001 Critical Low (1–2 h)
2 RSA-002 High Low (1 h)
3 RSA-003 Medium Low (30 min)
4 RSA-004 Low Low (1 h + test run)

This report, for your app

Fixed price from $500. Report in 5–7 days. White-label for agencies.

See audit pricing →