systematic security review(s)

[ThomasWaldmann]

Original report by Thomas Waldmann (Bitbucket: thomaswaldmann, GitHub: thomaswaldmann).

---

Some hints (not everything applies to Python, but you get the idea):

http://cwe.mitre.org/top25/index.html

[RogerHaase]

Google led me to ZAP: https://www.zaproxy.org/

GitHub has suppport: https://github.com/marketplace/actions/owasp-zap-baseline-scan

ZAP can be installed and run against the built-in server. The test wiki had auto registration turned off, one item with one bad link.

ZAP found 9 alerts: 5 medium risk, 3 low risk, 1 informational.

• Absence of Anti-CSRF Tokens (1664)

• Application Error Disclosure (2)

• Content Security Policy (CSP) Header Not Set (1320)

• Missing Anti-clickjacking Header (1034)

• Vulnerable JS Library (5) {werkzeug 1.0.1 installs jquery 3.4.1}

• Application Error Disclosure (220)

• Timestamp Disclosure - Unix (12)

• X-Content-Type-Options Header Missing (1171)

• Information Disclosure - Suspicious Comments (57)

Any suggestions for a better tool?

[ReimarBauer]

I have a similiar issue in my project, a colleague mentioned there https://w3af.org/ we have not compared both. seems that it is py 2.7 based.