:)

Nice to hear that!

Richard

On Thu, Oct 8, 2015 at 2:59 PM, Niphlod <[email protected]> wrote:

> not really.
> I built some apps on web2py that are live and in production, and since
> EVERY app in my environment NEEDS to pass a Qualys scan to be live and
> production ready, I know that MY apps survive a Qualys scan with flying
> colors.
> Point being "ATM web2py does not expose any obvious/hidden threat that
> Qualys identifies".
> I'll reinstate the obvious though: this "just" means that if you code
> responsibly, your app is safe. It's not too little of a "just". But it's a
> "just" nonetheless.
> No one is saying that EVERY app you code will pass a white-hat attempt if
> it's hosted on web2py, and I don't think that any framework in any language
> will ever have the guts to assure it.
>
>
> On Thursday, October 8, 2015 at 8:38:05 PM UTC+2, Richard wrote:
>>
>> @Antonio
>>
>> I think Simone just pointed to the tool that can be used for such a purpose...
>> You can use it over your App. From my understanding, the App tested is
>> Ian's App...
>>
>> Richard
>>
>> On Thu, Oct 8, 2015 at 1:19 PM, António Ramos <[email protected]> wrote:
>>
>>> Niphlod,
>>> I don't see where you are pointing on https://www.qualys.com/
>>> Where is the web2py app that survived the security scan?
>>>
>>> thank you
>>>
>>> 2015-10-05 11:25 GMT+01:00 Niphlod <[email protected]>:
>>>
>>>> Here in ***undisclosed company***, web2py survives a
>>>> https://www.qualys.com/ security scan with no reports whatsoever.
>>>>
>>>>
>>>> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:
>>>>>
>>>>> Hi, just looking back over anything about penetration testing and
>>>>> web2py - does anyone know of any recent (or any at all) testing of web2py?
>>>>> We're getting close to our first customers on an app we've been developing
>>>>> the last year, so we really need to try and pick it to pieces now while we
>>>>> have a few months to work on anything we need to.
>>>>>
>>>>> Thanks
>>>>> Ian
>>>>>
>>>>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>>>>
>>>>>> Thank you Dave for the feedback. It would be nice to have the results
>>>>>> of those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a
>>>>>> while people ask about this.
>>>>>>
>>>>>> Massimo
>>>>>>
>>>>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>>>>>>
>>>>>>> Well....
>>>>>>>
>>>>>>> I can't say that I have tested the current trunk version, but last
>>>>>>> December I ran a pretty exhaustive penetration test against a site
>>>>>>> developed in web2py.  The results were very good.  No findings above low.
>>>>>>> The low findings were insignificant.  I ran Cenzic Hailstorm, Qualys and
>>>>>>> one other automated vulnerability test suite (I can't remember which at
>>>>>>> the moment) against it without issue.
>>>>>>>
>>>>>>> Here are some things that can cause issue though...
>>>>>>>
>>>>>>> * anywhere you use the XML() method in a view you should make sure
>>>>>>> you have validation turned on.  Even though the framework is resilient
>>>>>>> and does a good job of sanitizing data in & out, you can still end up in
>>>>>>> XSS or XSRF trouble with XML().
>>>>>>>
>>>>>>> * redirects can trip up or slow down a lot of vuln scanners.  Watch
>>>>>>> out if you perform your own testing that you're not getting false
>>>>>>> negatives.
>>>>>>>
>>>>>>> I know some people that would take on a more "formal" assessment if
>>>>>>> there is consensus....
>>>>>>>
>>>>>>> Dave
>>>>>>>
>>>>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>>>>
>>>>>>>> One of the awesome things about web2py is of course the built-in
>>>>>>>> and well-documented resilience against a range of attack methods, but
>>>>>>>> I was wondering if anyone has attempted a methodical (white-hat) attack
>>>>>>>> to probe any potential weaknesses?
>>>>>>>>
>>>>>>>> Just out of interest :)
>>>>>>>>
>>>>>>> --
>>>> Resources:
>>>> - http://web2py.com
>>>> - http://web2py.com/book (Documentation)
>>>> - http://github.com/web2py/web2py (Source code)
>>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "web2py-users" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>
>
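Dave's first point in the quoted thread (use XML() only with validation turned on, otherwise user input becomes live markup and you are in XSS territory), as an added example that is not part of this thread and not web2py's own code. It uses only the Python standard library to show the three paths side by side: escape-by-default, the unvalidated raw path, and an allowlist sanitizer of the kind such a validation option performs. The sample comment, the tag and attribute allowlist, and the function names are constructed for this illustration; in web2py the corresponding switch is, as I read Dave's "validation", the XML helper's sanitize argument.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input (not from the thread): a user-supplied comment that
# mixes legitimate formatting with an injected script, an inline event handler
# attribute and a tag that is not on the allowlist.
SAMPLE_INPUT = (
    '<b>Great post!</b> <a href="http://example.com" onclick="steal()">link</a>'
    '<script>alert(1)</script><img src=x onerror=alert(1)>'
)

# Allowlist policy (constructed for this example): only these tags survive,
# and only these attributes on them.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
# The text inside these elements is dropped entirely, not just their tags.
DROP_CONTENT_TAGS = {"script", "style"}


def render_escaped(text):
    """Default-safe rendering: the string is data, so every markup character
    is entity-encoded (what a template does when user input is NOT wrapped in
    a raw-HTML helper)."""
    return escape(text, quote=True)


def render_raw(text):
    """The mistake Dave warns about: marking user input as trusted HTML with
    no validation, so everything in it is emitted verbatim."""
    return text


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript: and data: URLs in links
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted as a single void tag

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = max(0, self._dropping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=True))  # text is always re-escaped


def sanitize_html(text):
    """Render user-supplied markup with the strict allowlist applied."""
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("raw      :", render_raw(SAMPLE_INPUT))
    print("escaped  :", render_escaped(SAMPLE_INPUT))
    print("sanitized:", sanitize_html(SAMPLE_INPUT))
```

The design point is that the sanitizer rebuilds output from a parsed tree rather than regex-stripping the input string, so a payload that survives one pass cannot reassemble into a tag, and text nodes are re-escaped on the way out regardless of which element they sat in. The escaped path is what you get for free when you leave user data alone; the raw path is the one a scanner like the ones named in the thread will flag.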
