"You may also want to ask some questions about form validation, default validators and directory traversal attacks in file uploads."

Good idea. I'll add those.

I've reviewed what you wrote on the wiki and some parts of the application code, and I have a few preliminary recommendations to improve security:

* Drop support for basic auth. It's really insecure - http://www.pythonsecurity.org/wiki/basicauthentication/
* Drop MD5 as the default hashing algorithm, use SHA512. MD5 is now considered 'cryptographically broken'.
* The HMAC secret is by default '<your secret key>', and I don't see anywhere in the documentation how to generate a new one or the recommendation to do so.
* Do not use cgi.escape for HTML escaping because it does not escape single quotes and may lead to XSS - see http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss and http://www.pythonsecurity.org/wiki/cgi/
* Session IDs should time out when the authentication information does, and the user should get a new session ID when they reauthenticate. This defense will help ensure that even if a session ID is leaked, it will only be useful for a limited amount of time. It sounds like users always have the same session ID.

Questions:

"If no key/salt is provided web2py uses MD5, but if a key/salt is provided (and the scaffolding application generates one automatically) it uses HMAC+MD5 or HMAC+SHA512."

I ran 'python web2py.py -S testapp' but it did not generate a new value for auth.settings.hmac_key in db.py. Should it have?

It appears to use MD5 by default unless an alternative is specified, such as SHA512.

Please feel free to discuss!

Craig Younkins

On Jun 30, 9:58 am, mdipierro <mdipie...@cs.depaul.edu> wrote:
> Hi Craig,
>
> You may also want to ask some questions about form validation, default
> validators and directory traversal attacks in file uploads.
>
> Massimo
>
> On 29 Jun, 11:08, Craig Younkins <cyounk...@gmail.com> wrote:
> > Hello there! My name is Craig Younkins. I'm a summer intern at OWASP, the Open Web Application Security Project. This summer I'm working heavily on web security in Python.
> >
> > First, I would like to praise Dr. Di Pierro and all the web2py contributors for their focus on security. Examining the OWASP Top 10 (http://www.web2py.com/examples/default/security) is a great way to start. Keep it up!
> >
> > Second, I'd like to invite the web2py community over to a site I've started about security in Python - http://www.pythonsecurity.org. The site aims to be the central hub for security in Python, and right now has a focus on web security. Inside there are articles specific to software like frameworks as well as articles related to security topics like cross-site scripting. We also have a Google Group (http://groups.google.com/group/python-security/topics) which I encourage the developers to join. There you can get answers to your Python security questions. I hope you check it out!
> >
> > Lastly, I'd like to encourage you to take a look at web2py's page on PythonSecurity.org - http://www.pythonsecurity.org/wiki/web2py/. I haven't had the time yet to examine web2py in detail, but on that page there is a pretty well-defined template of questions to be answered. Going through the list there will help the developers see areas in web2py that could use improvement, as well as documenting the strengths for other frameworks to model off of.
> >
> > Thanks!
> >
> > Craig Younkins
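The cgi.escape point raised in the reply, shown as an added example (not code from the thread or from web2py): cgi.escape was removed in Python 3.8, so html.escape(quote=False) stands in for its default behaviour, beside the quote-aware form a template should use for attribute values.

```python
import html


def escape_like_cgi(s):
    """Mirrors the cgi.escape(s) default the thread warns about.

    Only '&', '<' and '>' are replaced; single and double quotes pass
    through untouched.  (cgi.escape is gone since Python 3.8, so
    html.escape with quote=False reproduces the same behaviour here.)
    """
    return html.escape(s, quote=False)


def escape_for_html(s):
    """Hardened form: also replaces '"' and "'" so the result stays inside
    a quoted attribute regardless of which quote character wraps it."""
    return html.escape(s, quote=True)


def quotes_survive(s, escaper):
    """Check used by the test: True if a raw quote is still present after
    escaping, i.e. the value could close a surrounding attribute quote."""
    out = escaper(s)
    return "'" in out or '"' in out


def single_quoted_attr(name, value, escaper):
    """Renders name='value' the way a template might; only escape_for_html
    guarantees the value cannot terminate the single-quoted attribute."""
    return "%s='%s'" % (name, escaper(value))


if __name__ == "__main__":
    # Constructed sample input: an ordinary name containing an apostrophe.
    sample = "O'Brien <b>"
    print(single_quoted_attr("title", sample, escape_like_cgi))
    print(single_quoted_attr("title", sample, escape_for_html))
```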