Has anyone done a detailed security analysis or attempted a methodical attack on web2py?


scausten

Jul 9, 2012, 11:48:39 AM7/9/12
to web...@googlegroups.com
One of the awesome things about web2py is of course the built-in and well-documented resilience against a range of attack methods, but I was wondering if anyone has attempted a methodical (white-hat) attack to probe any potential weaknesses?

Just out of interest :)

Massimo Di Pierro

Jul 9, 2012, 6:24:55 PM7/9/12
to web...@googlegroups.com
No but I am willing to pay to get it done.

Jason Brower

Jul 10, 2012, 1:53:59 AM7/10/12
to web...@googlegroups.com, in...@codenomicon.com
I know a few of these guys, and they really seem to know their stuff. Let's see if they take the bait. :) They know Python and web services very well.
BR,
Jason Brower

Dave

Jul 10, 2012, 12:28:39 PM7/10/12
to web...@googlegroups.com
Well....

I can't say that I have tested the current trunk version, but last December I ran a pretty exhaustive penetration test against a site developed with web2py. The results were very good. No findings above low. The low findings were insignificant. I ran Cenzic Hailstorm, Qualys and one other automated vulnerability test suite (I can't remember which at the moment) against it without issue.

Here are some things that can cause issue though...

* anywhere you use the XML() method in a view you should make sure you have validation turned on.  Even though the framework is resilient and does a good job of sanitizing data in & out, you can still end up in XSS or XSRF trouble with XML().

* redirects can trip up or slow down a lot of vuln scanners.  Watch out if you perform your own testing that you're not getting false negatives.

I know some people that would take on a more "formal" assessment if there is consensus....

Dave
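A constructed illustration of the XML() point above, not code from this thread or from web2py itself. In a web2py view, {{=value}} escapes a plain string, {{=XML(value)}} marks it as safe and emits it verbatim, and XML(value, sanitize=True) keeps only the tags and attributes listed in its permitted_tags / allowed_attributes arguments. The stand-in below reproduces those three behaviours with the standard library (render(), AllowlistSanitizer and the allow-lists are assumed names, not gluon.html's) so the effect of forgetting sanitize=True on user-supplied markup can be compared on one input.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for web2py's view output paths; not gluon.html itself.
# Allow-list comparable to XML()'s permitted_tags / allowed_attributes arguments.
PERMITTED_TAGS = {"a", "b", "i", "p", "br", "em", "strong", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "/")

class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup keeping only permitted tags/attributes; other tags are dropped, their text kept."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # >0 while inside <script>, whose text is discarded too

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.dropping += 1
        elif tag in PERMITTED_TAGS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops on* handlers, style, id, ...
                if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                    continue  # drops javascript:/data: links
                kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.dropping = max(0, self.dropping - 1)
        elif tag in PERMITTED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

def render(value, xml=False, sanitize=False):
    """What reaches the page for {{=value}}, {{=XML(value)}} and {{=XML(value, sanitize=True)}}."""
    if not xml:
        return html.escape(value, quote=True)  # plain str: markup is displayed, not executed
    if not sanitize:
        return value  # XML(): marked safe, emitted verbatim; on user input this is XSS
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

Feeding a constructed comment such as `<b>hi</b><script>alert(1)</script><a href="javascript:x" onclick="y">t</a>` through the three paths shows the escaped text, the verbatim script, and the sanitized `<b>hi</b><a>t</a>` respectively.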

Massimo Di Pierro

Jul 10, 2012, 1:42:46 PM7/10/12
to web...@googlegroups.com
Thank you Dave for the feedback. It would be nice to have the results of those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a while people ask about this.

Massimo

Ian Ryder

Oct 4, 2015, 8:47:44 AM10/4/15
to web2py-users
Hi, just looking back over anything about penetration testing and web2py - does anyone know of any recent (or any at all) testing of web2py? We're getting close to our first customers on an app we've been developing the last year so really need to try and pick it to pieces now while we have a few months to work on anything we need to.

Thanks
Ian

Niphlod

Oct 5, 2015, 6:25:20 AM10/5/15
to web2py-users
here in ***undisclosed company*** web2py survives a https://www.qualys.com/ security scan with no reports whatsoever.

Ian Ryder

Oct 5, 2015, 9:27:07 AM10/5/15
to web2py-users
Thanks, just running some of their tools against our app - all good so far, if there's anything of interest I'll let you know (possibly off forum first :))

Michele Comitini

Oct 5, 2015, 11:19:55 AM10/5/15
to web...@googlegroups.com
+1

it would be nice to have a blog for this type of news...

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ian Ryder

Oct 5, 2015, 3:01:56 PM10/5/15
to web2py-users
Just to add my perception slightly from the outside - and I'm an A1 web2py fan for life now, I've spent the last year inside it and not a lot else! But it would probably take the framework up a few levels if there was a really good set of responses to this. Our app should hopefully start providing financial processing for some high profile orgs and this will be top of the list for them...we picked web2py as the security aspects were better than other frameworks we looked at (in our opinion). Some more formal, non gut-feel answers provided by external parties would make the sale (for our future customers and to future developers looking for a framework) a lot easier. We'll do our own work now on this as it's essential, happy to feed back anything useful we come up with.

Niphlod

Oct 5, 2015, 3:13:18 PM10/5/15
to web2py-users
well, IMHO it really shouldn't matter. 
Yes, web2py, as any other mature framework, does its best to comply to security best practices. As soon as they're found, they're addressed and fixed. If you iterate long enough, you can be pretty sure that your foundations are solid ground.
That being said, ANY framework lets you do whatever you want, and if you build SQL statements concatenating user inputs and using db.executesql(), well, there's nothing any framework can do.
"Is web2py safe for banking" shouldn't really need to be asked: the question is "is my app ready for banking"...

António Ramos

Oct 8, 2015, 1:20:21 PM10/8/15
to web...@googlegroups.com
Niphlod,
I don't see where you are pointing on https://www.qualys.com/
Where is the web2py app that survived the security scan?

thank you


Richard Vézina

Oct 8, 2015, 2:38:05 PM10/8/15
to web2py-users
@Antonio

I think Simone just pointed to the tool that can be used for such a purpose... You can use it over your App. From my understanding the App tested is Ian's App...

Richard

Niphlod

Oct 8, 2015, 2:59:48 PM10/8/15
to web2py-users
not really. 
I built some apps on web2py that are live and in production, and since EVERY app in my environment NEEDS to pass a Qualys scan to be live and production ready, I know that MY apps survive a Qualys scan with flying colors.
Point being "ATM web2py does not expose any obvious/hidden threat that Qualys identifies".
I'll reinstate the obvious though: this "just" means that if you code responsibly, your app is safe. It's not too little of a "just". But it's a "just" nonetheless. 
No one is saying that EVERY app you code will pass a white-hat attempt if it's hosted on web2py, and I don't think that any framework in any language will ever have the guts to assure it.

Richard Vézina

Oct 8, 2015, 3:13:33 PM10/8/15
to web2py-users
:)

Nice to hear that!

Richard

Michael M

Oct 9, 2015, 11:26:55 AM10/9/15
to web2py-users
My company has to have an outside firm Pen test all Web-Service applications.  So I am spinning up two internal services and both are going to be tested around November before they go into Prod from Non-Prod.  I'm starting talks with the InfoSec team to see if I can share the findings of the test.

Jason Solack

Feb 24, 2016, 8:51:58 PM2/24/16
to web2py-users
Any updates on this? I am in the process of finding a supplier to pen test, wondering if I should be prepared for anything.