owasp anyone ?

[António Ramos]

Hello all

I read this part of the book about owasp

Security

The Open Web Application Security Project[owasp] (OWASP) is a free and open worldwide community focused on improving the security of application software.

OWASP has listed the top ten security issues that put web applications at risk. That list is reproduced here, along with a description of how each issue is addressed by web2py:

• "Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc." web2py, by default, escapes all variables rendered in the view, preventing XSS.
• "Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data." web2py includes a Database Abstraction Layer that makes SQL injection impossible. Normally, SQL statements are not written by the developer. Instead, SQL is generated dynamically by the DAL, ensuring that all inserted data is properly escaped.
• "Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise." web2py allows only exposed functions to be executed, preventing malicious file execution. Imported functions are never exposed; only actions are exposed. web2py uses a Web-based administration interface which makes it very easy to keep track of what is exposed and what is not.
• "Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization." web2py does not expose any internal objects; moreover, web2py validates all URLs, thus preventing directory traversal attacks. web2py also provides a simple mechanism to create forms that automatically validate all input values.
• "Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks." web2py prevents CSRF as well as accidental double submission of forms by assigning a one-time random token to each form. Moreover web2py uses UUID for session cookie.
• "Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this weakness to steal sensitive data, or conduct more serious attacks." web2py includes a ticketing system. No error can result in code being exposed to the users. All errors are logged and a ticket is issued to the user that allows error tracking. But errors and source code are accessible only to the administrator.
• "Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities." web2py provides a built-in mechanism for administrator authentication, and it manages sessions independently for each application. The administrative interface also forces the use of secure session cookies when the client is not "localhost". For applications, it includes a powerful Role Based Access Control API.
• "Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud." web2py uses the MD5 or the HMAC+SHA-512 hash algorithms to protect stored passwords. Other algorithms are also available.
• "Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications." web2py includes the SSL-enabled[ssl] Rocket WSGI server, but it can also use Apache or Lighttpd and mod_ssl to provide SSL encryption of communications.
• "Failure to Restrict URL Access: Frequently an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly." web2py maps URL requests to Python modules and functions. web2py provides a mechanism for declaring which functions are public and which require authentication and authorization. The included Role Based Access Control API allow developers to restrict access to any function based on login, group membership or group based permissions. The permissions are very granular and can be combined with database filters to allow, for example, to give access to specific tables and/or records. web2py also allows digitally signed URL and provides API to digitally sign Ajax callbacks.

web2py was reviewed for security and you can find the result of the review in ref.[pythonsecurity].

The link to pythonsecurity at the botton dos not work.

What is the status of web2py and owasp certification/validation ?

Regards

António

[Christian Varas]

Hi, well i can say based in my experience developing in web2py:

"Cross Site Scripting (XSS):

• XSS doesn't affect components in web2py (forms, grid,  and returned data in view). XSS are effective here only when you use the data supplied by the user in a insecure way like:
•  returning user input and using it with javascript DOM. Ex: document.getElementById('some_div').innerHtml = 'xss code'

• also with datatables loading data via ajax
• when you return the user input in view inside the XML() helper, this converts the code into an executable code. Ex: <div>{{=XML('malicius_user_input')}}</div>

"Injection Flaws:`

• sql injection doesn't affect DAL, dal indeed sanitizes the input before doing the sql query. The only exception could be when you execute raw sql queries with DAL. 

Malicious File Execution

• This doesn't affect the framework until you do a vulnerable function like: using the user input directly to call an internal/external file and read it.

Insecure Direct Object Reference

• web2py is not affected by this until the developer do a vulnerable code. Always depend on what you do with the user input.

Cross Site Request Forgery (CSRF)

• web2py Is not affected when you use the components in web2py, like forms (the have csrf token). Is affected if you custom ajax call or forms that are not part of the framework, in that case you have to implement a custom csrf token.

Information Leakage and Improper Error Handling

• This doesn't affect web2p. Web2py includes a ticketing system. No error can result in code being exposed to the users. All errors are logged and a ticket is issued to the user that allows error tracking. But errors and source code are accessible only to the administrator. 

Broken Authentication and Session Management

• Session and authentication is strong. Web2py uses encrypted cookies, stores passwords as hashes, and has decorators like : @auth.requires_login(),  @auth.requires_membership(), etc... 

Insecure Cryptographic Storage

• WEb2py stores password hashes, so clear text passwords are never stored.

Insecure Communications

• This is more concerned with the infrastructure where you deploy the framework. Nginx, Apache, and others. Always use SSL

Failure to Restrict URL Access

• Auth system in web2py is strong. You can't access other functions if they have the decorators like : @auth.requires_login(),  @auth.requires_membership(), etc... 

I don't know about the "certificated status". But web2py has good security in general, there have not been any known vulnerabilities in years.

Cheers.

Chris.

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/web2py/CAEM0BxPL29q6CXH2Q1QBbM_191yxuVoP%2BxijgivwNQMAFsb98w%40mail.gmail.com.