OWASP TOP 10 vulnerabilities

Hello Matomo team,

I would like to know if the vulnerability scan of the web application that Matomo uses includes a scan against the OWASP TOP 10 vulnerabilities?

Best Regards
Faysal

Hey @SteveG

Is this something you could answer?
Sounds like an interesting question.

Thank you,
Patrick

I am really not sure what you are referring to. Matomo does no vulnerability checking on the tracked site and even if it did, no automated tool can check reliably against the OWASP TOP 10. (https://owasp.org/www-project-top-ten/)

There is no way for software to know if the programmers of an application did not consider the threats correctly and made insecure decisions during the design phase of the application (§4). No software can tell you if you set up a config file incorrectly just by looking at the public site as Matomo does (§5). It would be impossible for Matomo to know if your application is accidentally logging sensitive data to its log files (§9), and it is completely impossible to know if all cryptography in your web application is implemented correctly just by doing some automated scan (§2).

Thank you Lukas for the detailed answer.

The question was asked by one of our customers. I needed to get in touch with Matomo before I give him a reply.

Best Regards