Thank you Dave for the feedback. It would be nice to have the results of those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a while people ask about this.
Massimo

On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>
> Well....
>
> I can't say that I have tested the current trunk version, but last
> December I ran a pretty exhaustive penetration test against a site
> developed with web2py. The results were very good. No findings above low. The
> low findings were insignificant. I ran Cenzic Hailstorm, Qualys and one
> other automated vulnerability test suite (I can't remember which at the
> moment) against it without issue.
>
> Here are some things that can cause issues though...
>
> * anywhere you use the XML() method in a view you should make sure you
> have validation turned on. Even though the framework is resilient and does
> a good job of sanitizing data in & out, you can still end up in XSS or XSRF
> trouble with XML().
>
> * redirects can trip up or slow down a lot of vuln scanners. Watch out if
> you perform your own testing that you're not getting false negatives.
>
> I know some people that would take on a more "formal" assessment if there
> is consensus....
>
> Dave
>
> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>
>> One of the awesome things about web2py is of course the built-in and
>> well-documented resilience against a range of attack methods, but I was
>> wondering if anyone has attempted a methodical (white-hat) attack to probe
>> any potential weaknesses?
>>
>> Just out of interest :)
>>
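An added illustration of Dave's XML() point, not code from web2py or from anyone in this thread: web2py's XML() helper marks a string as trusted HTML and skips the escaping a view would otherwise apply, so passing user-supplied content through it without sanitize=True hands any embedded script straight to the browser. The stand-in below mimics what XML(text, sanitize=True, permitted_tags=..., allowed_attributes=...) does, using Python's html.parser with an allowlist; the tag/attribute lists and the two render_* names are assumptions for this example, not web2py's defaults.

```python
import html
from html.parser import HTMLParser

# Assumed allowlists (not web2py's defaults): tags that survive, attributes
# kept per tag, and URL prefixes accepted in href. Anything else is dropped.
PERMITTED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "li"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowlistSanitizer(HTMLParser):
    """Re-emit only permitted tags/attributes; escape all text content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            return  # <img>, <script>, <iframe>, ... vanish; their text is still escaped
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and data: URLs
            parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s>" % " ".join(parts))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> emits one tag, not <br></br>

    def handle_endtag(self, tag):
        if tag in PERMITTED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is never trusted


def render_unsafe(user_html):
    """Behaves like XML(user_html): the string is passed through verbatim."""
    return user_html


def render_sanitized(user_html):
    """Behaves like XML(user_html, sanitize=True, permitted_tags=..., ...)."""
    parser = AllowlistSanitizer()
    parser.feed(user_html)
    parser.close()
    return "".join(parser.out)
```

With a constructed comment such as `<b>Hi</b> <img src=x onerror="alert(1)"> <a href="javascript:alert(1)">x</a>`, render_unsafe() returns it unchanged while render_sanitized() yields `<b>Hi</b>  <a>x</a>`; the difference is exactly the validation Dave asks you to turn on.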

