[Owasp-board] Project Platform

Timo Goosen timo.goosen at owasp.org
Mon Jun 1 16:04:25 UTC 2015


I talked to the researcher I that I have in mind. He said that the guide
should include something about including text in the search bar to parse
besides just talking about filter evasion (in the case of reflected XSS.

He said there is also nothing on the XSS Evasion cheat sheet on scriptless
or tagless XSS such as:
http://www.darkreading.com/search.asp?q=Kenan%5C%27;(alert)(/0/)//Brute%5C


Regards.
Timo

On Mon, Jun 1, 2015 at 5:42 PM, Timo Goosen <timo.goosen at owasp.org> wrote:

> I might know of  such a XSS assessment professional. I can ask if he will
> be willing to update the information in exchange for payment. He is not an
> OWASP volunteer. How do I go about setting up a budget and requesting
> funding for such an effort?
>
> "More than money, I think we need top tier XSS assessment professionals
> to evaluate and expand on the current XSS filter evasion cheat sheet. And
> more than static payloads I'd love someone to contribute advice on more
> contextual filter evasion.
>
> If anyone is interested in working on this or even "owning" this cheat
> sheet as the lead editor, please drop me a line and let's talk.
>
> Aloha,
> Jim"
>
>
> On Fri, May 29, 2015 at 10:43 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Timo,
>>
>> Could you please elaborate on what you would actually use these funds for
>> and how much you think you need to update the XSS Evasion Cheat Sheet?
>> OWASP Austin donated some money to the Foundation which we have been given
>> the opportunity to choose how it is allocated and this sounds like it may
>> be an area we can assist.
>>
>> ~josh
>>
>> On Fri, May 29, 2015 at 5:29 AM, Timo Goosen <timo.goosen at owasp.org>
>> wrote:
>>
>>> I support this initiative.
>>>
>>> I'd like to see some funds allocated to updating the XSS Evasion Cheat
>>> Sheet as well as all the other offensive related cheatsheets.
>>>
>>> Attacks are changing all the time and we need to put some money towards
>>> having the latest info.
>>>
>>> Regards.
>>> Timo
>>>
>>>
>>>
>>> On Thu, May 28, 2015 at 6:00 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>
>>>> Some great thoughts and ideas here Matt and I agree with pretty much
>>>> everything you've said.  IIRC, I think there were challenges with using
>>>> Meetup as a platform over in APAC (China?) which I think is why it hasn't
>>>> received a more global adoption.  In general, I do like the idea of a
>>>> centralized platform for our chapters to organize events in a way where
>>>> they are easily found by people in other communities.  For example, a
>>>> search for "security" in Meetup should yield the OWASP meeting in your area.
>>>>
>>>> One thing that I also like about Meetup is the open Discussions
>>>> forums.  I've tried for years now to get a social platform for OWASP that
>>>> isn't the mailing list.  I've spent quite a bit of personal time with the
>>>> content on http://my.owasp.org, and promoted it a few times, but
>>>> despite my best efforts, it seems that OWASP very much prefers these old
>>>> school mailing lists for communication.  It's been a great platform for
>>>> OWASP Austin, but there's not much activity outside of that,
>>>> unfortunately.  My ideal would be a scenario where content on the mailing
>>>> list is sync'd to the discussion forums and vice-versa.  I'm not sure how
>>>> possible that would be, but it would certainly make these kinds of
>>>> conversations more available and searchable to those not "in the know".
>>>>
>>>> ~josh
>>>>
>>>> On Thu, May 28, 2015 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>>> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> Sorry in advance for the long email.
>>>>>
>>>>> Following up on our meeting and some discussions at AppSecEU, I wanted
>>>>> to think more about the OWASP "platform".  I see one role of the board as
>>>>> working to make it easy for the volunteers and leaders to succeed with
>>>>> their projects, events and community building (chapters).
>>>>>
>>>>> I'm a visual person so I put this presentation together with boxes and
>>>>> colors as a point of reference.  I'm interested in your feedback (comments
>>>>> enabled).  Please be patient with me, this is just a rough idea and is not
>>>>> intended in any way to be a criticism of where we are and what we are
>>>>> doing!!!  I made notes in the notes area to explain my color choices.
>>>>>
>>>>>
>>>>> https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing
>>>>>
>>>>> Getting more concrete, I want to suggest based on this thought process
>>>>> that we invest in Meetup as an organization and hire a technical writer on
>>>>> a 3 month contract basis.
>>>>>
>>>>> Here is the long story of why:
>>>>>
>>>>> I asked one successful project leader what OWASP could do to remove
>>>>> obstacles to success and their answer (paraphrasing) was something like
>>>>> this:
>>>>>
>>>>> "We struggle with:  publicity, documentation and training courses."
>>>>>
>>>>> This made me think that a concrete investment we could make to support
>>>>> projects would be to hire a contract technical writer to help with
>>>>> documentation across projects and the wiki.  Assuming a 3 month, full time
>>>>> gig at a rate of $40 per hour (75th percentile according to this
>>>>> http://www.bls.gov/oes/current/oes273042.htm) would cost
>>>>> approximately 21K.
>>>>>
>>>>> We could build a list of tasks focused on:
>>>>>
>>>>>    - Documentation for 3 projects
>>>>>    - 10 wiki page updates per week (2 per day based on google
>>>>>    analytics top hits)
>>>>>
>>>>> I imagine the person would work closely with the project co-ordinator
>>>>> and community manager.
>>>>>
>>>>> I don't know just what is realistic, but I am interested in exploring
>>>>> ways that we can model and then build a platform of core services that the
>>>>> foundation can provide to support projects, chapters and events - with the
>>>>> goal of making it easier to have success with our volunteers and leaders.
>>>>>
>>>>> What do you think?  One thing that would help me is if we can think
>>>>> about the metrics we wanted to measure in strategic goals and whether these
>>>>> things would move the needle.  I haven't gotten there yet, but it seems to
>>>>> make sense...
>>>>>
>>>>> Input appreciated!!!
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150601/c0d29bd9/attachment.html>


More information about the Owasp-board mailing list