
CherryPy

CherryPy is an "object-oriented HTTP framework."

CherryPy does not include any application scaffolding, nor does it include access control or account management tools. CherryPy is very minimalist and the developer is expected to provide such needed functionality.

Access Control/Authorization

See access control.

CherryPy does not distribute authorization tools. Developers are free to obtain or build their own.

Authentication

What authentication methods are available?

  • Basic and Digest auth.

What hash method is used on user credentials? Is it salted?

Could account creation overwrite an existing account?

  • CherryPy does not distribute account management tools.

Could the change password or recover password functions be used maliciously?

  • CherryPy does not distribute password management tools.

Configuration

Are the framework dependencies up to date? Are there security vulnerabilities in the versions used by the framework?

  • CherryPy has no dependencies other than Python. There are no known security vulnerabilities.

Are there default account passwords?

  • CherryPy does not distribute account management tools.

If there is an exception handler, will it run in production? Are there notes and reminders to turn it off in configuration?

  • Exception handlers are configurable. The "production" configuration environment turns them off by default.

Cross-Site Request Forgery (CSRF)

Are there GET requests that change state? This helps enable CSRF.

  • CherryPy does not distribute request handlers.

What mechanisms are there to add CSRF tokens to forms? How easy is it to use?

  • CherryPy does not distribute form management tools.

Cross-Site Scripting (XSS)

What escaping does the template engine do to prevent XSS? What does the developer need to do to use it?

Are there vulnerabilities in the template engine?

  • CherryPy does not distribute a template engine.

Cryptography

What in the application is encrypted? Are there items that should be encrypted that are not?

What algorithm is it using?

Where is the key stored?

Who can access the encrypted data?

  • CherryPy does not distribute anything that needs encryption.

Injection

What interpreters is the framework capable of using?

  • CherryPy does not employ any interpreters.

How does it access a database? What about LDAP queries or OS commands?

  • CherryPy does not distribute database tools.

What escaping is done on data headed to an interpreter?

Can a developer write raw SQL? If so, proper escaping is almost certainly not done. A warning should be written.

Object Reference

Is there a mechanism to proxy direct object references through an indirect reference?

  • No.

Redirects and Forwards

Can a URL be crafted to redirect to an arbitrary site?

  • CherryPy does not craft URLs.

Session Management

How are session IDs generated?

Are session IDs ever exposed in the URL? Leaking session IDs through logs, referrer headers, etc. can lead to compromised accounts.

  • No.

Are session IDs accepted through GET or POST data? This would aid in session fixation attacks.

  • No.

Do session IDs timeout?

Can users log out?

Are session IDs changed after login?

Transport Layer Security

Can the framework be used with SSL? What is required and how difficult is it to set up?

  • CherryPy distributes an SSL-enabled HTTP server. Developers enable SSL by providing valid certificate files.

When used in SSL mode, do session cookies have the 'secure' flag set?
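An added example, not taken from this assessment page or from CherryPy itself, that checks a CherryPy global-config dict against the exception-handler, SSL and secure-cookie points raised above. The config keys are CherryPy's documented global keys (environment, server.ssl_*, tools.sessions.*); the certificate file names and timeout value are constructed for illustration.

```python
"""Audit a CherryPy global-config dict against the checklist points above.

Keys are CherryPy's documented global config keys; the values in the
sample configs (file names, timeout) are constructed for illustration.
"""


def ssl_enabled(cfg):
    """True when the built-in server is configured to terminate SSL/TLS."""
    return bool(cfg.get("server.ssl_certificate")) and bool(cfg.get("server.ssl_private_key"))


def audit(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    # Exception handler: the "production" environment turns tracebacks and
    # autoreload off; an explicit request.show_tracebacks=True re-enables them.
    if cfg.get("environment") != "production":
        findings.append("environment is not 'production'; tracebacks and autoreload stay on")
    if cfg.get("request.show_tracebacks") is True:
        findings.append("request.show_tracebacks explicitly enabled")
    # Transport: a certificate without its key (or vice versa) is not SSL mode.
    if bool(cfg.get("server.ssl_certificate")) != bool(cfg.get("server.ssl_private_key")):
        findings.append("server.ssl_certificate and server.ssl_private_key must both be set")
    # Sessions: over SSL the cookie needs the 'secure' flag, it should be
    # httponly, and a timeout keeps session IDs from living forever.
    if cfg.get("tools.sessions.on"):
        if ssl_enabled(cfg) and not cfg.get("tools.sessions.secure"):
            findings.append("sessions enabled over SSL without tools.sessions.secure")
        if not cfg.get("tools.sessions.httponly"):
            findings.append("session cookie lacks tools.sessions.httponly")
        if not cfg.get("tools.sessions.timeout"):
            findings.append("tools.sessions.timeout not set")
    return findings


# Constructed sample: SSL turned on, but a development-style config otherwise.
WEAK = {
    "server.ssl_module": "builtin",
    "server.ssl_certificate": "cert.pem",     # constructed file names
    "server.ssl_private_key": "privkey.pem",
    "tools.sessions.on": True,
}

# The same config with the checklist points addressed.
HARDENED = dict(WEAK, **{
    "environment": "production",
    "tools.sessions.secure": True,
    "tools.sessions.httponly": True,
    "tools.sessions.timeout": 30,             # minutes
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```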


  • Version: latest
  • Edited by Craig Younkins on 6/30/10 4:05 PM

An OWASP project created by Craig Younkins
