Hi, well i can say based in my experience developing in web2py:

"Cross Site Scripting (XSS):

   - XSS doesn't affect components in web2py (forms, grid,  and returned
   data in view). XSS are effective here only when you use the data
   supplied by the user in a insecure way like:
      -  returning user input and using it with javascript DOM. Ex:
      document.getElementById('some_div').innerHtml = 'xss code'


   - also with datatables loading data via ajax
      - when you return the user input in view inside the XML() helper,
      this converts the code into an executable code. Ex:
      <div>{{=XML('malicius_user_input')}}</div>

"Injection Flaws:`

   - sql injection doesn't affect DAL, dal indeed sanitizes the input
   before doing the sql query. The only exception could be when you execute
   raw sql queries with DAL.

Malicious File Execution

   - This doesn't affect the framework until you do a vulnerable function
   like: using the user input directly to call an internal/external file and
   read it.

Insecure Direct Object Reference

   - web2py is not affected by this until the developer do a vulnerable
   code. Always depend on what you do with the user input.

Cross Site Request Forgery (CSRF)

   - web2py Is not affected when you use the components in web2py, like
   forms (the have csrf token). Is affected if you custom ajax call or forms
   that are not part of the framework, in that case you have to implement a
   custom csrf token.

Information Leakage and Improper Error Handling

   - *This doesn't affect web2p. Web2py includes a ticketing system. No
   error can result in code being exposed to the users. All errors are logged
   and a ticket is issued to the user that allows error tracking. But errors
   and source code are accessible only to the administrator. *

Broken Authentication and Session Management

   - Session and authentication is strong. Web2py uses encrypted cookies,
   stores passwords as hashes, and has decorators like :
@auth.requires_login(),
    @auth.requires_membership(), etc...

Insecure Cryptographic Storage

   - WEb2py stores password hashes, so clear text passwords are never
   stored.

Insecure Communications

   - This is more concerned with the infrastructure where you deploy the
   framework. Nginx, Apache, and others. Always use SSL

Failure to Restrict URL Access

   - Auth system in web2py is strong. You can't access other functions if
   they have the decorators like : @auth.requires_login(),
    @auth.requires_membership(), etc...


I don't know about the "certificated status". But web2py has good security
in general, there have not been any known vulnerabilities in years.

Cheers.
Chris.


El dom, 29 may 2022 a las 17:30, António Ramos (<ramstei...@gmail.com>)
escribió:

> Hello all
> I read this part of the book about owasp
> Security
>
> The Open Web Application Security Project[owasp
> <http://web2py.com/books/default/reference/29/owasp>] (OWASP) is a free
> and open worldwide community focused on improving the security of
> application software.
>
> OWASP has listed the top ten security issues that put web applications at
> risk. That list is reproduced here, along with a description of how each
> issue is addressed by web2py:
>
>    - "Cross Site Scripting (XSS): XSS flaws occur whenever an application
>    takes user supplied data and sends it to a web browser without first
>    validating or encoding that content. XSS allows attackers to execute
>    scripts in the victim's browser which can hijack user sessions, deface web
>    sites, possibly introduce worms, etc." *web2py, by default, escapes
>    all variables rendered in the view, preventing XSS.*
>    - "Injection Flaws: Injection flaws, particularly SQL injection, are
>    common in web applications. Injection occurs when user-supplied data is
>    sent to an interpreter as part of a command or query. The attacker's
>    hostile data tricks the interpreter into executing unintended commands or
>    changing data." *web2py includes a Database Abstraction Layer that
>    makes SQL injection impossible. Normally, SQL statements are not written by
>    the developer. Instead, SQL is generated dynamically by the DAL, ensuring
>    that all inserted data is properly escaped.*
>    - "Malicious File Execution: Code vulnerable to remote file inclusion
>    (RFI) allows attackers to include hostile code and data, resulting in
>    devastating attacks, such as total server compromise." *web2py allows
>    only exposed functions to be executed, preventing malicious file execution.
>    Imported functions are never exposed; only actions are exposed. web2py uses
>    a Web-based administration interface which makes it very easy to keep track
>    of what is exposed and what is not.*
>    - "Insecure Direct Object Reference: A direct object reference occurs
>    when a developer exposes a reference to an internal implementation object,
>    such as a file, directory, database record, or key, as a URL or form
>    parameter. Attackers can manipulate those references to access other
>    objects without authorization." *web2py does not expose any internal
>    objects; moreover, web2py validates all URLs, thus preventing directory
>    traversal attacks. web2py also provides a simple mechanism to create forms
>    that automatically validate all input values.*
>    - "Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on
>    victim's browser to send a pre-authenticated request to a vulnerable web
>    application, which then forces the victim's browser to perform a hostile
>    action to the benefit of the attacker. CSRF can be as powerful as the web
>    application that it attacks." *web2py prevents CSRF as well as
>    accidental double submission of forms by assigning a one-time random token
>    to each form. Moreover web2py uses UUID for session cookie.*
>    - "Information Leakage and Improper Error Handling: Applications can
>    unintentionally leak information about their configuration, internal
>    workings, or violate privacy through a variety of application problems.
>    Attackers use this weakness to steal sensitive data, or conduct more
>    serious attacks." *web2py includes a ticketing system. No error can
>    result in code being exposed to the users. All errors are logged and a
>    ticket is issued to the user that allows error tracking. But errors and
>    source code are accessible only to the administrator.*
>    - "Broken Authentication and Session Management: Account credentials
>    and session tokens are often not properly protected. Attackers compromise
>    passwords, keys, or authentication tokens to assume other users'
>    identities." *web2py provides a built-in mechanism for administrator
>    authentication, and it manages sessions independently for each application.
>    The administrative interface also forces the use of secure session cookies
>    when the client is not "localhost". For applications, it includes a
>    powerful Role Based Access Control API.*
>    - "Insecure Cryptographic Storage: Web applications rarely use
>    cryptographic functions properly to protect data and credentials. Attackers
>    use weakly protected data to conduct identity theft and other crimes, such
>    as credit card fraud." *web2py uses the MD5 or the HMAC+SHA-512 hash
>    algorithms to protect stored passwords. Other algorithms are also
>    available.*
>    - "Insecure Communications: Applications frequently fail to encrypt
>    network traffic when it is necessary to protect sensitive communications." 
> *web2py
>    includes the SSL-enabled[ssl
>    <http://web2py.com/books/default/reference/29/ssl>] Rocket WSGI server, but
>    it can also use Apache or Lighttpd and mod_ssl to provide SSL encryption of
>    communications.*
>    - "Failure to Restrict URL Access: Frequently an application only
>    protects sensitive functionality by preventing the display of links or URLs
>    to unauthorized users. Attackers can use this weakness to access and
>    perform unauthorized operations by accessing those URLs directly." *web2py
>    maps URL requests to Python modules and functions. web2py provides a
>    mechanism for declaring which functions are public and which require
>    authentication and authorization. The included Role Based Access Control
>    API allow developers to restrict access to any function based on login,
>    group membership or group based permissions. The permissions are very
>    granular and can be combined with database filters to allow, for example,
>    to give access to specific tables and/or records. web2py also allows
>    digitally signed URL and provides API to digitally sign Ajax callbacks.*
>
> web2py was reviewed for security and you can find the result of the review
> in ref.[pythonsecurity
> <http://web2py.com/books/default/reference/29/pythonsecurity>].
>
>
>
>
> The link to pythonsecurity at the botton dos not work.
>
>
> What is the status of web2py and owasp certification/validation ?
>
>
> Regards
>
> António
>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/web2py/CAEM0BxPL29q6CXH2Q1QBbM_191yxuVoP%2BxijgivwNQMAFsb98w%40mail.gmail.com
> <https://groups.google.com/d/msgid/web2py/CAEM0BxPL29q6CXH2Q1QBbM_191yxuVoP%2BxijgivwNQMAFsb98w%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/CA%2Bs%2BuJsanYkt_hfUCxSQ52mOc%2Byehp9uBPbavJAecit1_XnWsg%40mail.gmail.com.

Reply via email to