systematic security review(s) #318

Open
ThomasWaldmann opened this issue Feb 4, 2013 · 4 comments
@ThomasWaldmann
Member

Original report by Thomas Waldmann (Bitbucket: thomaswaldmann, GitHub: thomaswaldmann).


Some hints (not everything applies to Python, but you get the idea):

http://cwe.mitre.org/top25/index.html

@RogerHaase
Member

Google led me to ZAP: https://www.zaproxy.org/

GitHub has support: https://github.com/marketplace/actions/owasp-zap-baseline-scan

ZAP can be installed and run against the built-in server. The test wiki had auto registration turned off, one item with one bad link.

ZAP found 9 alerts: 5 medium risk, 3 low risk, 1 informational.

  • Absence of Anti-CSRF Tokens (1664)

  • Application Error Disclosure (2)

  • Content Security Policy (CSP) Header Not Set (1320)

  • Missing Anti-clickjacking Header (1034)

  • Vulnerable JS Library (5) {werkzeug 1.0.1 installs jquery 3.4.1}

  • Application Error Disclosure (220)

  • Timestamp Disclosure - Unix (12)

  • X-Content-Type-Options Header Missing (1171)

  • Information Disclosure - Suspicious Comments (57)

Any suggestions for a better tool?
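Three of the ZAP alerts listed above (Content Security Policy header not set, missing anti-clickjacking header, X-Content-Type-Options header missing) are response-header findings that can be closed at the WSGI layer for every page at once; the anti-CSRF-token finding needs per-form handling in the application and is not covered here. The following is an added example, not moin's code, of a stdlib-only WSGI middleware that adds those headers when the application did not set them, together with a small checker that reports which of them a response still lacks. The CSP value is an assumption for a wiki that serves its own scripts and styles; a real deployment must be tuned to what the pages actually load. The sample application and request are constructed.

```python
"""Stdlib-only WSGI middleware adding the headers ZAP's baseline scan reports
as missing, plus a checker for those headers (added example, not moin code)."""
from wsgiref.util import setup_testing_defaults

# Headers whose absence ZAP reports, with conservative defaults.
# The CSP is an assumption: tighten or loosen it for the real wiki.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",            # anti-clickjacking header
    "X-Content-Type-Options": "nosniff",  # stop MIME sniffing of responses
}


def missing_security_headers(headers, expected=SECURITY_HEADERS):
    """Return the names from `expected` absent from a WSGI header list
    (list of (name, value) tuples); header names compare case-insensitively."""
    present = {name.lower() for name, _ in headers}
    return [name for name in expected if name.lower() not in present]


class SecurityHeadersMiddleware:
    """Wrap a WSGI app and append any missing security header to every
    response. Headers the app already set are left alone, so a view can
    send a stricter or page-specific CSP without being overridden."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def _start_response(status, response_headers, exc_info=None):
            response_headers = list(response_headers)
            for name in missing_security_headers(response_headers, self.headers):
                response_headers.append((name, self.headers[name]))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, _start_response)


def bare_app(environ, start_response):
    """Constructed sample app that, like a stock dev server, sets only
    Content-Type, so ZAP would flag all three headers as missing."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>wiki page</body></html>"]


def call_wsgi(app, path="/"):
    """Drive a WSGI app in-process (no network) and return
    (status, header list, body bytes)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the required WSGI keys
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, before, _ = call_wsgi(bare_app)
    print("missing before middleware:", missing_security_headers(before))
    _, after, _ = call_wsgi(SecurityHeadersMiddleware(bare_app))
    print("missing after middleware:", missing_security_headers(after))
```

Wrapping the application object once at startup is enough; rerunning the ZAP baseline scan afterwards is the check that the three header alerts are gone, and any remaining CSP violations reported by browsers show where the assumed policy is too strict.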

@ReimarBauer
Member

ReimarBauer commented Feb 14, 2023

I have a similar issue in my project; a colleague mentioned https://w3af.org/ there.
We have not compared both. It seems that it is py 2.7 based.

@UlrichB22
Collaborator

From what I've read, ZAP looks good (I haven't tested it). The new URL for the ZAP basic scan is https://github.com/marketplace/actions/zap-baseline-scan.

Additionally, we can do a static security code analysis, e.g. with 'bandit'. See https://bandit.readthedocs.io.

I tested 'bandit' using config from https://github.com/codefactor-io/default-configs/blob/master/.bandit.yml and an additional line in .bandit.yml to exclude test modules:

exclude_dirs: ["*/_tests/*"]

This results in 13 issues, see the summary section in the report:

[...]
Code scanned:
	Total lines of code: 33362
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 6
		Medium: 2
		High: 5
	Total issues (by confidence):
		Undefined: 0
		Low: 1
		Medium: 0
		High: 12
Files skipped (0):
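To make the severity counts in the report above concrete, here is an added example (not moin's code, and not the findings of #1820) of three patterns that bandit's static checks flag, each beside a hardened equivalent: a non-cryptographic PRNG used for tokens, unsalted MD5 for passwords, and a subprocess call through the shell. The bandit test IDs in the comments are the ones bandit uses in its own documentation; the user inputs are constructed. The insecure variants are kept in the file on purpose so that running bandit over it reproduces the alerts.

```python
"""Patterns bandit flags, each next to a hardened version
(added example, not moin code)."""
import hashlib
import os
import random
import secrets
import subprocess
import sys


def weak_token():
    # Flagged by bandit (B311): random is not a CSPRNG, so session or
    # CSRF tokens built from it are predictable to an attacker.
    return "%032x" % random.getrandbits(128)


def strong_token():
    """Hardened: secrets draws from the OS CSPRNG; token_urlsafe(32)
    yields 43 URL-safe characters (256 bits of entropy)."""
    return secrets.token_urlsafe(32)


def weak_password_hash(password):
    # Flagged by bandit (B324 in current releases, B303 in older ones):
    # unsalted MD5 is fast to brute-force and reversible via lookup tables.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """Hardened: salted PBKDF2-HMAC-SHA256, stored as
    'iterations$salt_hex$digest_hex' so parameters travel with the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in
    constant time to avoid leaking the digest via timing."""
    iterations, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate, stored)


def run_shell_insecure(user_input):
    # Flagged by bandit (B602): with shell=True, an input such as
    # "x; rm -rf ~" runs as a second command. Shown for contrast only.
    return subprocess.check_output("echo " + user_input, shell=True, text=True)


def run_safe(user_input):
    """Hardened: an argv list and no shell, so metacharacters in the input
    stay literal data. The running interpreter prints argv[1], which avoids
    depending on a particular /bin/echo."""
    return subprocess.check_output(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_input],
        text=True,
    )


if __name__ == "__main__":
    print("token:", strong_token())
    stored = hash_password("correct horse")
    print("verify:", verify_password("correct horse", stored))
    print("safe run output:", run_safe("x; echo pwned").rstrip())
```

Where a flagged call is a true positive, the fix is the hardened form; where it is a false positive (for example subprocess with a fixed argv list that bandit still reports at low severity), a `# nosec` annotation with the specific test ID keeps the suppression narrow and shows up in the "lines skipped" count of later reports.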

@UlrichB22
Collaborator

Further issues related to 'bandit' findings are documented in #1820.
