What is RAVAGE

Ravage is a Java runtime analysis tool built to accurately detect vulnerabilities. It leverages the standard program execution to detect the full dataflow of vulnerabilities at runtime. In addition to the offensive usage, it can also be used defensively by running existing non-security-related test cases to detect security vulnerabilities.

Key Highlights:

Open Source RTA for Java
Written in Java/C++/Assembly (~5k LOC)
Monitors the program at runtime
Detects when data flows from untrusted sources to sinks
Can detect XSS, SQLi, static encryption keys, Sensitive data leaking via logs, App misconfigurations

Why RAVAGE

Low false positive rate

No exploit data needed

No source code needed

Detects vulnerabilities during standard usage

Can leverage existing testing

Complete dataflow

CUTTING-EDGE RUNTIME ANALYSIS

Using RAVAGE

Different ways you can use RAVAGE to detect vulnerabilities

Don’t panic if RAVAGE does not detect vulnerabilities, it is most likely the rules are not complete. Take some time to think about what kind of vulnerabilities you would like to detect, and write sources, sinks and passthrough rules for them.

If you think the rules are generic enough, please consider contributing back so that it can be shared with the community. Please download RAVAGE and refer to the README.md on how to build, run and extend RAVAGE.

Run your existing test cases with RAVAGE
Run RAVAGE with your application and use your application normally
Run RAVAGE with your application and use black box scanners to drive your application

Download Ravage

presentation slides
source code
whitepaper

Download Binary

About Us & Contact

Xiaoran Wang

Xiaoran Wang is a Senior Product Security Engineer at salesforce.com. He is passionate about security, especially web application security. At work, he does architectural feature review for security, web penetration testing, security training, security automation, etc. In his personal time, he does security research in a variety of topics including exploit writing, malware analysis, vulnerability analysis, and tearing things apart. He has written many useful defensive tools as well. For example, he developed an add-on "Mixed Content Monitor" for Firefox to block and show the insecure resources loaded within https. He also developed "Process Injection Monitor" that does automatic malware analysis and extracts injected code to a binary when a malware process tries to inject itself into other processes. He holds a MS degree in Information Security from Carnegie Mellon University.

Yoel Gluck
Yoel Gluck is a security researcher with 13 years of experience in the industry. He is currently a Researcher and Senior Manager of Product Security at Salesforce.com. Yoel graduated from Bar-Ilan University (Israel) with a B.Sc in Computer Science and Math. Using his experience as a software engineer, he attempts to break applications by analyzing developer design patterns. His research areas include web application, network, virtualization, encryption, and email security. When he's not busy analyzing security risks, he enjoys spending time with his three-year-old daughter. Past research: presented BREACH at Black Hat USA 2013.

Help us improve its performance
Help us build a rich rule set
Contribute back to Java as a developer option
We encourage you to implement RAVAGE for other languages

Runtime Analysis of Vulnerabilities and Generation of Exploits