Hi, just looking back over anything about penetration testing and web2py - 
does anyone know of any recent (or any at all) testing of web2py? We're 
getting close to our first customers on an app we've been developing the 
last year so really need to try and pick it to pieces now while we have a 
few months to work on anything we need to.

Thanks
Ian

On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>
> Thank you Dave for the feedback. It would be nice to have the results of 
> those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a 
> while people ask about this.
>
> Massimo
>
> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>
>> Well....
>>
>> I can't say that I have tested the current trunk version, but last 
>> December I ran a pretty exhaustive penetration test against a site 
>> developed in web2py.  The results were very good.  No findings above low.  The 
>> low findings were insignificant.  I ran Cenzic Hailstorm, Qualys and one 
>> other automated vulnerability test suite (I can't remember which at the 
>> moment) against it without issue.  
>>
>> Here are some things that can cause issue though...
>>
>> * anywhere you use the XML() method in a view you should make sure you 
>> have validation turned on.  Even though the framework is resilient and does 
>> a good job of sanitizing data in & out, you can still end up in XSS or XSRF 
>> trouble with XML().
>>
>> * redirects can trip up or slow down a lot of vuln scanners.  Watch out 
>> if you perform your own testing that you're not getting false negatives.
>>
>> I know some people that would take on a more "formal" assessment if there 
>> is consensus....
>>
>> Dave
>>
>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>
>>> One of the awesome things about web2py is of course the built-in and 
>>> well-documented resilience against a range of attack methods, but I was 
>>> wondering if anyone has attempted a methodical (white-hat) attack to probe 
>>> any potential weaknesses?
>>>
>>> Just out of interest :)
>>>
>>
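As an added illustration of Dave's XML() point above (example code, not from the thread or from web2py): an allow-list HTML sanitizer in the spirit of what `XML(text, sanitize=True)` is for, run over a constructed user-supplied fragment so you can see what passing text straight to XML() would otherwise let through. It assumes only the Python standard library; the allow-list and the sample input are constructed here.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list: tags/attributes that survive sanitization.
PERMITTED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
PERMITTED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}

def _safe_href(value):
    # Allow http(s), mailto, relative paths and fragments; reject other schemes.
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "mailto:", "/", "#")) or ":" not in v

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            return  # drop the tag itself; any text inside is still kept, escaped
        kept = []
        for name, value in attrs:
            if name in PERMITTED_ATTRS.get(tag, set()) and value is not None:
                if name == "href" and not _safe_href(value):
                    continue  # e.g. javascript: URLs are dropped
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in PERMITTED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always escaped, never emitted raw

def sanitize(html):
    """Return html reduced to the allow-listed tags/attributes, all text escaped."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed user comment as it might reach a view via XML().
USER_HTML = ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
             '<a href="javascript:alert(2)">link</a></p>')

if __name__ == "__main__":
    print(sanitize(USER_HTML))
```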
