+1

it would be nice to have a blog for this type of news...

2015-10-05 15:27 GMT+02:00 Ian Ryder <[email protected]>:

> Thanks, just running some of their tools against our app - all good so
> far, if there's anything of interest I'll let you know (possibly off forum
> first :))
>
>
> On Monday, 5 October 2015 12:25:20 UTC+2, Niphlod wrote:
>>
>> here in ***undisclosed company**** web2py survives a
>> https://www.qualys.com/ security scan with no reports whatsoever.
>>
>> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:
>>>
>>> Hi, just looking back over anything about penetration testing and web2py
>>> - does anyone know of any recent (or any at all) testing of web2py? We're
>>> getting close to our first customers on an app we've been developing the
>>> last year so really need to try and pick it to pieces now while we have a
>>> few months to work on anything we need to.
>>>
>>> Thanks
>>> Ian
>>>
>>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>>
>>>> Thank you Dave for the feedback. It would be nice to have the results
>>>> of those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a
>>>> while people ask about this.
>>>>
>>>> Massimo
>>>>
>>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>>>>
>>>>> Well....
>>>>>
>>>>> I can't say that I have tested the current trunk version, but last
>>>>> December I ran a pretty exhaustive penetration test against a site
>>>>> developed with web2py.  The results were very good.  No findings above low.
>>>>> The low findings were insignificant.  I ran Cenzic Hailstorm, Qualys and one
>>>>> other automated vulnerability test suite (I can't remember which at the
>>>>> moment) against it without issue.
>>>>>
>>>>> Here are some things that can cause issue though...
>>>>>
>>>>> * anywhere you use the XML() method in a view you should make sure you
>>>>> have validation turned on.  Even though the framework is resilient and
>>>>> does a good job of sanitizing data in & out, you can still end up in XSS or
>>>>> XSRF trouble with XML().
>>>>>
>>>>> * redirects can trip up or slow down a lot of vuln scanners.  Watch
>>>>> out if you perform your own testing that you're not getting false
>>>>> negatives.
>>>>>
>>>>> I know some people that would take on a more "formal" assessment if
>>>>> there is consensus....
>>>>>
>>>>> Dave
>>>>>
>>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>>
>>>>>> One of the awesome things about web2py is of course the built-in and
>>>>>> well-documented resilience against a range of attack methods, but I was
>>>>>> wondering if anyone has attempted a methodical (white-hat) attack to
>>>>>> probe any potential weaknesses?
>>>>>>
>>>>>> Just out of interest :)
>>>>>>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
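Dave's first point above is that XML() tells web2py a string is trusted markup, so it is emitted without escaping; the safe way to render markup that came from a user is to have the helper sanitize it against an allowlist (web2py's XML() takes a sanitize flag together with permitted tags and allowed attributes). The block below is an added illustration of what that sanitizing step has to do, written against the Python standard library so it runs without web2py; it is not web2py's own sanitizer, and the tag, attribute and URL-scheme allowlists in it are assumptions chosen for the example, not web2py's defaults.

```python
"""Allowlist HTML sanitizer, an added example (not web2py's own code).

Only tags in PERMITTED_TAGS and attributes in ALLOWED_ATTRIBUTES survive;
everything else is dropped, script/style bodies are discarded, href values
must use an expected scheme, and all text is re-escaped on the way out.
The allowlists below are assumptions for this example.
"""
from html import escape
from html.parser import HTMLParser

PERMITTED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
VOID_TAGS = {"br"}                      # no closing tag expected
DROP_CONTENT_TAGS = {"script", "style"}  # drop the body, not just the tag
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.out = []        # output fragments
        self.open_tags = []  # stack of kept tags still open
        self.dropped = []    # audit trail of what was removed
        self.suppress = None  # name of a script/style tag whose body we skip

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.suppress = tag
        if tag not in PERMITTED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")   # e.g. onclick, onerror
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append(f"{tag}@href={value}")  # e.g. javascript:
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag == self.suppress:
            self.suppress = None
            return
        if tag in self.open_tags:
            # Close anything left open above this tag so output stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.suppress:
            return                      # inside <script>/<style>: discard
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.open_tags:           # close tags the input left unclosed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return a cleaned copy of `html` containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs of the kind a scanner submits to a comment field.
    samples = [
        '<b>hi</b><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<p>1 &lt; 2 <img src=x onerror=alert(1)></p>',
        '<i>unclosed',
    ]
    for raw in samples:
        print(repr(raw), "->", repr(sanitize(raw)))
```

Rendering the result through XML() is then safe only because the markup was reduced to the allowlist first; the same check applies to any place a view emits user-supplied HTML unescaped. The `dropped` list is useful in testing because it shows exactly which tags and attributes a probe payload lost, which is how to confirm a scanner's "no findings" is a real negative rather than a silent one.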