Well.... I can't say that I have tested the current trunk version, but last December I ran a pretty exhaustive penetration test against a site developed with web2py. The results were very good. No findings above low. The low findings were insignificant. I ran Cenzic Hailstorm, Qualys and one other automated vulnerability test suite (I can't remember which at the moment) against it without issue.
Here are some things that can cause issues though...

* Anywhere you use the XML() method in a view you should make sure you have validation turned on. Even though the framework is resilient and does a good job of sanitizing data in & out, you can still end up in XSS or XSRF trouble with XML().
* Redirects can trip up or slow down a lot of vuln scanners. Watch out if you perform your own testing that you're not getting false negatives.

I know some people who would take on a more "formal" assessment if there is consensus....

Dave

On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
> One of the awesome things about web2py is of course the built-in and well-documented resilience against a range of attack methods, but I was wondering if anyone has attempted a methodical (white-hat) attack to probe any potential weaknesses?
>
> Just out of interest :)
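The XML() point in the post above, as an added example that is not from the thread or from web2py's own gluon code: a standard-library model of the three ways a value can reach a view, `{{=value}}` (escaped), `XML(value)` (trusted, passed through unchanged) and `XML(value, sanitize=True)` (tag/attribute whitelist). The whitelist and the sample comment are constructed for the demo.

```python
"""Stand-in for web2py's view escaping, written with the stdlib only.

Shows why XML() on untrusted text needs validation: escaping is the
default, XML() switches it off, and only the sanitize=True path keeps
user HTML while dropping script tags, event handlers and javascript: URLs.
"""
from html import escape
from html.parser import HTMLParser

# Constructed whitelist, modelled on the idea of web2py's permitted_tags /
# allowed_attributes arguments (values here are illustrative, not web2py's).
PERMITTED_TAGS = {"b", "i", "p", "a", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}


class _Whitelist(HTMLParser):
    """Rebuilds the input, keeping only whitelisted tags and attributes."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded
        self.out = []
        self._skip = 0              # depth inside a dropped element (e.g. <script>)

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            self._skip += 1         # drop the element and everything inside it
            return
        kept = [(k, v) for k, v in attrs
                if k in ALLOWED_ATTRS.get(tag, set())
                and not (v or "").strip().lower().startswith("javascript:")]
        attr_txt = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_txt}>")

    def handle_endtag(self, tag):
        if tag not in PERMITTED_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def sanitize(text):
    parser = _Whitelist()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def render(value, trusted=False, sanitize_html=False):
    """{{=value}} -> escaped; XML(value) -> raw; XML(value, sanitize=True) -> whitelisted."""
    if not trusted:
        return escape(value, quote=True)
    return sanitize(value) if sanitize_html else value


# Constructed untrusted input, e.g. a comment field stored in the database.
COMMENT = '<b>hi</b><script>alert(1)</script><a href="javascript:x" onclick="y">l</a>'
```

Only the first and third paths are safe to put in a view; the middle one is the `XML()` misuse the post warns about.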