Forum OpenACS Development: Re: XSS / Reflection with return_url

Posted by Maurizio Martignano on
Dear Frank,
reducing the number of security/vulnerability issues in a web application is very important nowadays.
OWASP (https://owasp.org/) offers a set of recommendations and tools supporting this activity.
In particular, the OWASP ZAP tool (https://owasp.org/www-project-zap/) is able to analyse a "live" web site/page to look for vulnerability issues. I'm currently using this tool to strengthen a web application of a customer of mine (written in Python/Django).
Yesterday I ran the tool against "my" port of the latest version of ]project-open[. It was a "gentle" attack, but it already provided a few indications.
I will send the results to you and Gustaf.
I hope it helps,
Maurizio
Posted by Frank Bergmann on
Funny, I also just installed ZAP last night.

I tried, but so far I wasn't able to reproduce the known return_url reflection issue in this thread. I'll continue to investigate.

Cheers
Frank

Posted by Maurizio Martignano on
Well, in the report I sent you, "return_url" appears 293 times.
So that report could provide you with some additional information.

Hope it helps,
Maurizio