Format sample — findings below are representative, drawn from common Rails vulnerability patterns, not from a real client.
Rails Security Audit — Findings Report
- Client
- <redacted>
- Application
- Rails 7.0 monolith, ~48k LOC
- Audit window
- 5 business days
- Auditor
- Senior Rails engineer, 13 yrs
Executive summary
The audit identified 3 critical, 4 high, 6 medium, and 5 low severity findings. The three most urgent: a SQL injection reachable from the public search field (RSA-001); an unrestricted mass assignment in the admin area allowing privilege escalation (RSA-002); and session cookies issued without transport/script protections (RSA-003). All three have low-effort fixes and should be patched before the next release.
Findings (excerpt — 4 of 18)
RSA-001 SQL injection via string-interpolated search scope
Criticalapp/models/order.rb:34
The `search` scope builds a WHERE clause by interpolating user input directly into the SQL string. Any value passed to the search box reaches the database unescaped.
Impact: An attacker can read arbitrary rows from any table — including password digests and API tokens — or modify data, using nothing but the public search field.
- scope :search, ->(q) { where("reference LIKE '%#{q}%'") }+ scope :search, ->(q) { where("reference LIKE ?", "%#{Order.sanitize_sql_like(q)}%") }
RSA-002 Mass assignment: permit! on admin params
Highapp/controllers/admin/users_controller.rb:52
`params.require(:user).permit!` whitelists every attribute, including `role` and `admin` flags. Any request that reaches this action can set any column on User.
Impact: A compromised or malicious staff account can escalate itself (or any user) to full admin by adding one form field to the request.
- def user_params- params.require(:user).permit!- end+ def user_params+ params.require(:user).permit(:name, :email, :department_id)+ end
RSA-003 Session cookies missing Secure/HttpOnly flags in production
Mediumconfig/environments/production.rb
The session cookie is issued without `secure: true` and `httponly: true`, so it can travel over plain HTTP and is readable from JavaScript.
Impact: On any shared or intercepted network, the session token can be captured and replayed; an XSS bug anywhere on the site immediately becomes full account takeover.
+ config.session_store :cookie_store,+ key: "_app_session",+ secure: true,+ httponly: true,+ same_site: :lax
RSA-004 Outdated nokogiri with known ReDoS advisory
LowGemfile.lock — nokogiri 1.13.x
The locked nokogiri version carries a published low-severity ReDoS advisory in its bundled libxml2. No exploit path was found in this app's current usage, but the dependency is two minor versions behind.
Impact: Crafted input to any future XML/HTML parsing path could pin a worker process. Low today; cheap to eliminate now.
# Gemfile- gem "nokogiri", "~> 1.13.0"+ gem "nokogiri", "~> 1.16"# then: bundle update nokogiri && bundle exec rspec
Prioritized action plan
| Order | Finding | Impact | Effort |
|---|---|---|---|
| 1 | RSA-001 | Critical | Low (1–2 h) |
| 2 | RSA-002 | High | Low (1 h) |
| 3 | RSA-003 | Medium | Low (30 min) |
| 4 | RSA-004 | Low | Low (1 h + test run) |
This report, for your app
Fixed price from $500. Report in 5–7 days. White-label for agencies.
See audit pricing →