Ok, really I did not explain very well. Software testing has different levels of testing: http://en.wikipedia.org/wiki/Software_testing#Testing_levels

Some vulnerabilities in the OWASP Top 10 depend on other choices like the web server or O.S. Frameworks can't avoid this point, but can protect themselves against possible intrusions. For example, web2py doesn't list static folders by default, but an Apache misconfiguration allows listing folders. I will mail you a more specific example.

Other vulns, for example XSS, depend completely on web2py, and the programmer has all the responsibility (for this reason XSS is the 1st at OWASP). And the scope of SQL injections depends on the database.

Anyway, as soon as I complete my actual job, I will start fuzz testing against web2py running as is, on a local server. Fuzz testing is easy thanks to fuzzing software: http://en.wikipedia.org/wiki/Fuzz_testing Everyone can use fuzzers to find bugs. Thanks to the web2py ticket system, testing will be easier if possible, because all errors will be logged. I will take the necessary decisions. I will send you the results.

On May 25, 05:25, mdipierro <[email protected]> wrote:
> I do not know the answer to those questions. I can only say that at
> least you should test the features we claim (sql injection protection,
> xss protection, cross site request forgery protection, and the auth
> mechanism). The rest really depends on the tools and time you have
> available. Perhaps other users have more to say. I appreciate your
> interest in this.
>
> Massimo
>
> On May 24, 10:19 pm, GoldenTiger <[email protected]> wrote:
>
> > Great!! Really, I've already planned doing it because I have personal
> > projects that I decided to do with web2py, instead of django.
> > So for my part I feel better being grateful to you for all the
> > knowledge; by now I got a good paid job by urgent webs, and web2py makes
> > it easy and funny.
> >
> > My friend's company is a group of 12 hackers about 30 years old, who
> > really enjoy this. I think their strengths are remote testing of
> > linux servers and web applications; the company is in Madrid (Spain),
> > but generally they spend most of their time auditing systems in
> > other sites of Europe.
> >
> > I'll talk with them soon, and I'll tell you.
> > You could for example prepare a dedicated server with web2py and
> > probing different servers, OS, DB, or apps.
> > You go coding and you want to test. You should say the level at
> > which you want web2py to be tested. Net level? bruteforce allowed? local access?
> > transport level? application? If you use ubuntu, you could want
> > testing web2py at ubuntu, or web2py at ubuntu and cherry, and decide
> > if you are included or not in that.
> >
> > The other way I know of testing an app is understanding how components
> > are connected, and understanding the consistency of the logic. Really
> > this is my preferred one ^^ It's not necessary to hack, just imagine.
> >
> > On May 22, 16:31, mdipierro <[email protected]> wrote:
> >
> > > I am very much interested in this. We may even find a couple of $100
> > > to pay for some security testing of web2py. Let me know what we need
> > > to do.
> > >
> > > Massimo
> > >
> > > On May 22, 8:53 am, GoldenTiger <[email protected]> wrote:
> > >
> > > > Well, I have been working for years as a security auditor and in ethical
> > > > hacking. In the last years I decided to focus on more creative works and I
> > > > started personal projects.
> > > > I can do tests against web2py, no problem, but first I want to
> > > > understand the framework as well as possible.
> > > > A friend of mine who audits banks' webs and networks is interested in
> > > > python frameworks, as I told him, so they could be a good help.
> > > > In my opinion, the most important thing in secure software is the
> > > > design and the logic (microsoft declared some windows design flaws
> > > > as not possible to solve).
> > > > Since web2py was designed 100% before implementation, I can say that
> > > > web2py is probably one of the most consistent frameworks today
> > > > :D
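The Apache directory-listing point raised at the top of the thread (web2py does not list its static folder itself, but an Apache misconfiguration can) is the kind of thing a reviewer checks in the server config rather than in the framework. The following Python audit is an added example, not code from this thread or from the web2py project: it parses a constructed httpd.conf fragment, applies Apache's absolute vs. `+`/`-` semantics for the `Options` directive, and reports every `<Directory>` block where `Indexes` ends up enabled. The deployment path under `/srv/web2py/` is an assumption for the sample, and the `default_indexes` parameter is the one knob you set to match your server-wide `Options` line (Apache 2.4 defaults to Indexes off; older server-wide `Options All` configs turn it on).

```python
"""Audit an Apache config fragment for directory listing (Options Indexes).

Added example, not web2py project code. Apache enables listing for a
<Directory> when its effective Options set contains Indexes. An Options
line without +/- replaces the whole set; a line using only +/- tokens
adjusts the inherited set. Mixing both forms is a syntax error in Apache,
so that case is treated here as an absolute line. Nested-section merging
and .htaccess files are out of scope for this simple top-level check.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: block 1 is the weak setting, block 2 the corrected
# form, block 3 has no Options line at all. The paths are an assumed
# deployment layout, not a web2py default.
SAMPLE_CONF = """
<Directory /srv/web2py/applications/myapp/static>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /srv/web2py/applications/myapp/static/img>
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>

<Directory /srv/web2py/applications/myapp/private>
    Require all denied
</Directory>
"""

_DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.IGNORECASE)
_DIR_CLOSE = re.compile(r"^\s*</Directory>", re.IGNORECASE)
_OPTIONS = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)


def _indexes_enabled(option_tokens: List[str], inherited: bool) -> bool:
    """Apply one Options line to the inherited Indexes state."""
    relative = all(t[0] in "+-" for t in option_tokens)
    if not relative:
        # Absolute form: the set is replaced, so only these tokens matter.
        return any(t.lower() in ("indexes", "+indexes") for t in option_tokens)
    state = inherited
    for tok in option_tokens:
        if tok.lower() == "+indexes":
            state = True
        elif tok.lower() == "-indexes":
            state = False
    return state


def listable_directories(conf_text: str, default_indexes: bool = False) -> Dict[str, bool]:
    """Return {directory: indexes_enabled} for every <Directory> block.

    default_indexes models the server-wide Options state a block inherits
    when it only uses +/- tokens (Apache 2.4 default: Indexes off).
    """
    result: Dict[str, bool] = {}
    current: Optional[str] = None
    state = default_indexes
    for line in conf_text.splitlines():
        m = _DIR_OPEN.match(line)
        if m:
            current = m.group(1).rstrip("/")
            state = default_indexes
            continue
        if _DIR_CLOSE.match(line) and current is not None:
            result[current] = state
            current = None
            continue
        m = _OPTIONS.match(line)
        if m and current is not None:
            state = _indexes_enabled(m.group(1).split(), state)
    return result


def report(conf_text: str, default_indexes: bool = False) -> List[str]:
    """Directories whose contents Apache would list: what to flag in review."""
    return sorted(
        d for d, on in listable_directories(conf_text, default_indexes).items() if on
    )


if __name__ == "__main__":
    for d in report(SAMPLE_CONF):
        print(f"directory listing enabled: {d}")
```

Run against a real httpd.conf by reading the file into `report()`; a block that only uses `+Indexes`/`-Indexes` inherits whatever the server-wide line says, which is why the sample's corrected block spells out `-Indexes` explicitly instead of relying on the default.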

