@Antonio I think Simone just pointed to the tool that can be used for such a purpose... You can use it on your app. From my understanding, the app tested is Ian's app...

Richard

On Thu, Oct 8, 2015 at 1:19 PM, António Ramos <[email protected]> wrote:
> Niphlod,
> I don't see where you are pointing on https://www.qualys.com/
> Where is the web2py app that survived the security scan?
>
> Thank you
>
> 2015-10-05 11:25 GMT+01:00 Niphlod <[email protected]>:
>
>> Here in ***undisclosed company*** web2py survives a
>> https://www.qualys.com/ security scan with no reports whatsoever.
>>
>> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:
>>>
>>> Hi, just looking back over anything about penetration testing and web2py
>>> - does anyone know of any recent (or any at all) testing of web2py? We're
>>> getting close to our first customers on an app we've been developing for the
>>> last year, so we really need to try and pick it to pieces now while we have a
>>> few months to work on anything we need to.
>>>
>>> Thanks
>>> Ian
>>>
>>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>>
>>>> Thank you Dave for the feedback. It would be nice to have the results
>>>> of those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a
>>>> while people ask about this.
>>>>
>>>> Massimo
>>>>
>>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>>>>
>>>>> Well....
>>>>>
>>>>> I can't say that I have tested the current trunk version, but last
>>>>> December I ran a pretty exhaustive penetration test against a site
>>>>> developed in web2py. The results were very good. No findings above low.
>>>>> The low findings were insignificant. I ran Cenzic Hailstorm, Qualys and one
>>>>> other automated vulnerability test suite (I can't remember which at the
>>>>> moment) against it without issue.
>>>>>
>>>>> Here are some things that can cause issues though...
>>>>>
>>>>> * anywhere you use the XML() method in a view you should make sure you
>>>>> have validation turned on. Even though the framework is resilient and
>>>>> does a good job of sanitizing data in & out, you can still end up in XSS or
>>>>> XSRF trouble with XML().
>>>>>
>>>>> * redirects can trip up or slow down a lot of vuln scanners. Watch
>>>>> out if you perform your own testing that you're not getting false
>>>>> negatives.
>>>>>
>>>>> I know some people that would take on a more "formal" assessment if
>>>>> there is consensus....
>>>>>
>>>>> Dave
>>>>>
>>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>>
>>>>>> One of the awesome things about web2py is of course the built-in and
>>>>>> well-documented resilience against a range of attack methods, but I was
>>>>>> wondering if anyone has attempted a methodical (white-hat) attack to
>>>>>> probe any potential weaknesses?
>>>>>>
>>>>>> Just out of interest :)
>>>>>>
>>>>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
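Dave's point about XML() is worth seeing in code. In a web2py view a plain string is HTML-escaped by default; wrapping it in `XML(text)` marks it as trusted and emits it verbatim, and `XML(text, sanitize=True, permitted_tags=[...], allowed_attributes={...})` instead rebuilds it through an allowlist. The stand-alone Python below is an added example, not code from this thread or from web2py: the `AllowlistSanitizer` is a small constructed stand-in for web2py's own sanitizer (it is not `gluon.sanitizer`), the three `render_*` functions model the three paths named above, and the allowlist and the sample comment are constructed for the demo.

```python
"""Three ways a user-supplied string can reach an HTML view, modelled on web2py:
escaped by default, emitted verbatim via XML(text), or allowlist-sanitized via
XML(text, sanitize=True, ...). Constructed example; the sanitizer is a stand-in,
not gluon.sanitizer.
"""
import html
from html.parser import HTMLParser

# Assumed allowlist for the demo (web2py's defaults are broader).
PERMITTED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
VOID_TAGS = {"br"}


def _safe_href(value):
    """Accept absolute http(s)/mailto and site-relative links; reject
    javascript:, data: and scheme-relative (//host) targets."""
    v = (value or "").strip().lower()
    if v.startswith(("http://", "https://", "mailto:")):
        return True
    return v.startswith("/") and not v.startswith("//")


class AllowlistSanitizer(HTMLParser):
    """Re-serialize input keeping only allowlisted tags and attributes.
    Unknown tags are dropped but their text is kept (escaped); <script> and
    <style> are dropped together with their contents."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in PERMITTED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                continue  # drops onclick=, style=, etc.
            if name == "href" and not _safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s%s>" % (tag, "".join(kept), " /" if tag in VOID_TAGS else ""))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth and tag in PERMITTED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=True))  # text is always re-escaped

    def result(self):
        return "".join(self.out)


def render_escaped(text):
    """web2py default: a str placed in a view is HTML-escaped."""
    return html.escape(text, quote=True)


def render_xml_unsanitized(text):
    """XML(text) with the default sanitize=False: trusted, emitted verbatim.
    Only correct when the string is not attacker-controlled."""
    return text


def render_xml_sanitized(text):
    """XML(text, sanitize=True, permitted_tags=..., allowed_attributes=...) modelled
    with the allowlist sanitizer above."""
    p = AllowlistSanitizer()
    p.feed(text)
    p.close()
    return p.result()


# Constructed sample: a comment that mixes wanted markup with script and event handlers.
USER_COMMENT = (
    'Great <b>post</b>! <script>alert(1)</script>'
    '<a href="javascript:alert(2)" onclick="alert(3)">click</a> '
    '<a href="https://web2py.com">web2py</a>'
)

if __name__ == "__main__":
    print("escaped   :", render_escaped(USER_COMMENT))
    print("XML()     :", render_xml_unsanitized(USER_COMMENT))
    print("sanitized :", render_xml_sanitized(USER_COMMENT))
```

The sanitized rendering keeps `<b>` and the https link, strips the script block with its body, and turns the poisoned anchor into a bare `<a>`, which is the behaviour Dave is asking you to confirm is switched on wherever `XML()` wraps input a user can influence.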

