Testing for OWASP's top ten security issues
This recipe details the automatic testing of Jenkins for well-known security issues with w3af (http://w3af.sourceforge.net), a web application penetration testing tool run as a project of the Open Web Application Security Project (OWASP). The purpose of OWASP is to make application security visible. Its top ten list of application security risks includes the following:
- A2-Cross Site Scripting (XSS): An XSS attack becomes possible when an application returns user input to a client's browser without escaping it. Out of the box, Jenkins lets an administrator do exactly that through the job description, which is displayed without escaping.
- A6-Security Misconfiguration: A Jenkins plugin gives you the power to write custom authentication scripts. It is easy to get such scripts wrong through misconfiguration, and a broken authentication script leaves the whole instance exposed.
- A7-Insecure Cryptographic ...
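The A2 item above is what a scanner such as w3af probes for: it submits a marker payload containing HTML metacharacters and checks whether the page returns it with the markup intact. The following is an added illustration, not code from the book, from Jenkins or from w3af. The `render_description` function is a constructed stand-in for a job-description page (it is not the Jenkins implementation); everything else is a minimal reflected-XSS probe written for this example.

```python
"""Minimal reflected-XSS probe (added example; not w3af's or Jenkins' code).

render_description() is a constructed stand-in for a page that echoes a job
description back to the browser, either verbatim (the A2 condition) or
HTML-escaped. scan() submits a unique canary wrapped in markup and reports
whether the markup survives unescaped in the response.
"""
import html
import secrets


def render_description(description: str, escape: bool) -> str:
    """Simulated job-description page (hypothetical, for illustration only).

    escape=False returns the input verbatim, i.e. an XSS sink.
    escape=True HTML-escapes it first, which is the fix.
    """
    body = html.escape(description, quote=True) if escape else description
    return (
        "<html><body><h1>Job</h1>"
        f"<div class='desc'>{body}</div>"
        "</body></html>"
    )


def make_canary() -> str:
    """Unique marker so a hit cannot be confused with pre-existing page text."""
    return "xssprobe" + secrets.token_hex(4)


def probe_payload(canary: str) -> str:
    """Payload built from characters (< > " ') that must be escaped for the
    reflection to be harmless; the canary makes the reflection identifiable."""
    return f'"><script>{canary}</script><"'


def reflected_unescaped(page: str, payload: str) -> bool:
    """True when the raw payload, markup included, appears in the response.
    An escaped reflection (&lt;script&gt;...) does not match."""
    return payload in page


def scan(render, canary: str = "") -> dict:
    """Run one probe against a render function and classify the outcome.

    Returns a dict with the canary used and three booleans:
      reflected         - the canary came back at all
      reflected_unescaped - the markup around it survived (vulnerable)
      reflected_escaped   - it came back, but escaped (safe)
    """
    canary = canary or make_canary()
    payload = probe_payload(canary)
    page = render(payload)
    unescaped = reflected_unescaped(page, payload)
    reflected = canary in page
    return {
        "canary": canary,
        "reflected": reflected,
        "reflected_unescaped": unescaped,
        "reflected_escaped": reflected and not unescaped,
    }


if __name__ == "__main__":
    for mode in (False, True):
        result = scan(lambda d, m=mode: render_description(d, escape=m))
        verdict = "VULNERABLE" if result["reflected_unescaped"] else "safe"
        print(f"escape={mode}: {verdict} {result}")
```

Against a real target the `render` callable would perform the HTTP round trip (set the description, fetch the job page), and the same classification applies: a hit only counts when the metacharacters come back intact, which is why the probe carries markup rather than a bare word.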