By default, Railroader reports as much as possible. Because there is no way for Railroader to know if certain items are actually safe or not, it errs on the side of reporting too much rather than possibly not reporting a real problem. Sometimes, though, these false positives can become overwhelming. Railroader does provides many options for customizing reports. It is also possible to ignore specific warnings.
It is recommended to always run Railroader with the default settings first (and then periodically after that), but it is possible to narrow down the results to make them less annoying.
Specify Checks to Run
When running Railroader, one can specify a set of checks to run or a set to exclude using the
--except, respectively. These options take a comma-separated list of check names, which are case-sensitive. Use
railroader --checks to get a list of the exact check names.
For example, to only check for SQL injection and cross-site scripting:
railroader --test CheckSQL,CheckCrossSiteScripting
(‘Check’ can actually be omitted from the names.)
To exclude checks for dynamic render paths:
railroader --except CheckRender
Set Confidence Threshold
Getting a ton of weak confidence warnings? Use
-w3 to only report high confidence warnings or
-w2 to only report high and medium confidence warnings.
-w3 is not recommended, however.)
Mark Methods as Safe
If an applications has custome sanitizing methods or just methods which are known to be safe, then the
--safe-methods option can be used to ignore those methods. Specify the methods as a comma-separated list.
railroader --safe-methods this_one,that_one,totally_safe,my_sanitizer
Only Reporting Direct Vulnerabilities
With the default settings, Railroader will report cross-site scripting vulnerabilities if the return value of a method where user input is a parameter is output.
For example, this will raise a warning unless
some_method is marked as safe like above:
<%= some_method(params[:blah]) %>
To ignore this kind of output, use the
--report-direct option. This also applies to some other situations, such as checking calls to
Ignoring Model Attributes
Railroader assumes database values are suspect (and so should you). But for some applications this does not make sense. Use the
--ignore-model-output option to suppress reporting model attributes as cross-site scripting vulnerabilities.
Ignoring false positives