
systematic security review(s)

Open ThomasWaldmann opened this issue 12 years ago • 2 comments

Original report by Thomas Waldmann (Bitbucket: thomaswaldmann, GitHub: thomaswaldmann).


Some hints (not everything applies to Python, but you get the idea):

http://cwe.mitre.org/top25/index.html

ThomasWaldmann, Feb 04 '13 02:02

Google led me to ZAP: https://www.zaproxy.org/

GitHub has support: https://github.com/marketplace/actions/owasp-zap-baseline-scan

ZAP can be installed and run against the built-in server. The test wiki had auto registration turned off, one item with one bad link.

ZAP found 9 alerts: 5 medium risk, 3 low risk, 1 informational.

  • Absence of Anti-CSRF Tokens (1664)

  • Application Error Disclosure (2)

  • Content Security Policy (CSP) Header Not Set (1320)

  • Missing Anti-clickjacking Header (1034)

  • Vulnerable JS Library (5) {werkzeug 1.0.1 installs jquery 3.4.1}

  • Application Error Disclosure (220)

  • Timestamp Disclosure - Unix (12)

  • X-Content-Type-Options Header Missing (1171)

  • Information Disclosure - Suspicious Comments (57)

Any suggestions for a better tool?

RogerHaase, Jul 04 '22 17:07
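Three of the ZAP alerts above (CSP header not set, missing anti-clickjacking header, X-Content-Type-Options missing) are response-header findings, which are typically fixed at the WSGI layer in a Flask/Werkzeug app like moin. The following is an added example, not code from moin or from the comment's author: a small WSGI middleware that appends those headers when the application did not set them, plus a checker that reports which ones are absent from a response, so the fix can be verified offline without running ZAP. The header values, `demo_app`, and the helper names are assumptions chosen for the example.

```python
"""Added example (not moin's own code): WSGI middleware that sets the
response headers ZAP reported as missing, plus an offline checker."""
from wsgiref.util import setup_testing_defaults

# The three header findings from the ZAP report. The values are an assumed,
# deliberately strict starting point, not what moin actually ships; a real
# deployment tunes the CSP to what its templates and scripts need.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}


def missing_security_headers(headers):
    """Return the names from SECURITY_HEADERS that are absent from a response.

    `headers` is a list of (name, value) tuples as WSGI passes them to
    start_response; header names are compared case-insensitively.
    """
    present = {name.lower() for name, _ in headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and add any of SECURITY_HEADERS the app did not set.

    Headers the app already sets are left untouched, so a view that needs a
    looser CSP can still override the default.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            headers = list(headers)
            for name in missing_security_headers(headers):
                headers.append((name, SECURITY_HEADERS[name]))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Hypothetical minimal app standing in for the wiki's built-in server."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_request(app, path="/"):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)  # constructed test environ, no network
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, headers, _ = run_request(demo_app)
    print("missing before middleware:", missing_security_headers(headers))
    _, headers, _ = run_request(SecurityHeadersMiddleware(demo_app))
    print("missing after middleware:", missing_security_headers(headers))
```

`missing_security_headers` is the part worth keeping in a test suite: running it against the real app's responses turns those three ZAP alerts into a unit test that fails if a later change drops a header, instead of waiting for the next scan.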

I have a similar issue in my project; a colleague mentioned https://w3af.org/ there. We have not compared both. It seems that it is py 2.7 based.

ReimarBauer, Feb 14 '23 08:02