...
> **Warning**
>
> Be sure to read the "The infamous Java serialization vulnerability" page if you use RMI, JMX, Spring, and/or any external libraries within your OFBiz instance.
...
There are other web-oriented tools such as OWASP Zed Attack Proxy (ZAP), BeEF, or IBM Security AppScan. But most of the time they are too general, and fully scanning OFBiz with them can take a lot of time, or be quite a challenge if done manually. You can find more penetration testing tools here.
In December 2015, I (Jacques Le Roux) ran a complete (100%) OWASP Zed Attack Proxy automated (Quick Start) penetration session against a local instance of the OFBiz backend (trunk head) running on localhost. It started with the same link used for backend demos. No major flaws were discovered.
...