Hi devs,
I've been investigating OFBiz within my Bachelor's thesis "Application
of security test tools in open source" at the Free University of Berlin
(FU Berlin) [1].
Basically, I am looking for security measures which have been taken to
prevent security leaks/vulnerabilities especially with security test
tools which provide fuzzing capabilities for SQL injection, parameter
tampering, path traversal, XSS etc.
OFBiz seems to be a very popular open-source enterprise software product.
Revealing sensitive data by exploiting security vulnerabilities may be
devastating.
So far, I have searched the repository and the ant build.xml, the homepage
and the mailing list. The repo/build.xml and the homepage contain a battery
of JUnit test cases [2]. The mailing list revealed a lot of interesting
information regarding the app's security [2] to [7] and further testing [8]
to [14].
I was not able to track down anything particular for security testing,
although you guys seem to be very tough in security.
Did you explicitly design any security tests with your JUnit test cases?
Were you able to introduce any security testing by the talks in [8]
thru [14] to any extent?
Additionally, are any measures taken whatsoever to assure security with
testing tools, a special test plan or functional requirements?
Thanks in advance,
Michael
[1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools
[2] http://docs.ofbiz.org/display/OFBIZ/Main+New+features
[3] http://www.nabble.com/Users---Security-td2956588.html#a2956588
[4] http://www.nabble.com/Users---OFBiz-application-security-td3263502.html#a3263502
[5] http://www.nabble.com/Major-security-lapse-in-ofbiz.-Changing-order---in-URL-allows-other-orders-to-be-viewed...-td8713953.html#a8723123
[6] http://www.nabble.com/XSS-exploit-countermeasure--Filtering-user-input-td16364314.html#a16364314
[7] http://www.nabble.com/SQL-Injection-risks-with-entity-API-td5222868.html#a5222868
[8] http://www.nabble.com/Ofbiz-Test-Automation-Services-Offered-td8638186.html#a8638186
[9] http://www.nabble.com/More-on-automating-testing-td6038820.html#a6100352
[10] http://www.nabble.com/Dev---Automated-regression-testing-tool-for-Java-API-td3075269.html#a3075269
[11] http://www.nabble.com/More-on-testing-td7653601.html#a7655166
[12] http://www.nabble.com/Preparing-Test-Data-for-OFBiz-JUnit-Tests-td16021567.html#a16063190
[13] http://www.nabble.com/OFBiz-Testing-Initiative-td7119966.html#a7146151
[14] http://www.nabble.com/Selenium-td8635367.html#a8687470