[Owasp-board] Project Platform

Jim Manico jim.manico at owasp.org
Thu Jun 4 19:44:32 UTC 2015


Tons of the vectors in this cheat sheet are for older browsers. As part 
of this paid effort, I'd be stoked to see all vectors verified against 
the main browsers in use today.

I am happy to use any budget left from the Cheatsheet series (if we have 
any) to support this effort. The XSS filter evasion cheatsheet is one of 
the top viewed pages in all of OWASP.


On 6/1/15 11:20 AM, Josh Sokol wrote:
> Can you get a quote for time and dollars to build this out?  Are there 
> other things that we could have this top-tier researcher do to add 
> value here?  Demonstration site?  A quick guide to XSS?  Just 
> wondering how we can scope this to get the most bang for our buck.
> ~josh
> On Mon, Jun 1, 2015 at 11:04 AM, Timo Goosen <timo.goosen at owasp.org 
> <mailto:timo.goosen at owasp.org>> wrote:
>     I talked to the researcher I that I have in mind. He said that the
>     guide should include something about including text in the search
>     bar to parse besides just talking about filter evasion (in the
>     case of reflected XSS.
>     He said there is also nothing on the XSS Evasion cheat sheet on
>     scriptless or tagless XSS such as:
>     http://www.darkreading.com/search.asp?q=Kenan%5C%27;(alert)(/0/)//Brute%5C
>     <http://www.darkreading.com/search.asp?q=Kenan%5C%27;%28alert%29%28/0/%29//Brute%5C>
>     Regards.
>     Timo
>     On Mon, Jun 1, 2015 at 5:42 PM, Timo Goosen <timo.goosen at owasp.org
>     <mailto:timo.goosen at owasp.org>> wrote:
>         I might know of  such a XSS assessment professional. I can ask
>         if he will be willing to update the information in exchange
>         for payment. He is not an OWASP volunteer. How do I go about
>         setting up a budget and requesting funding for such an effort?
>         "More than money, I think we need top tier XSS assessment
>         professionals to evaluate and expand on the current XSS filter
>         evasion cheat sheet. And more than static payloads I'd love
>         someone to contribute advice on more contextual filter evasion.
>         If anyone is interested in working on this or even "owning"
>         this cheat sheet as the lead editor, please drop me a line and
>         let's talk.
>         Aloha,
>         Jim"
>         On Fri, May 29, 2015 at 10:43 PM, Josh Sokol
>         <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>             Timo,
>             Could you please elaborate on what you would actually use
>             these funds for and how much you think you need to update
>             the XSS Evasion Cheat Sheet?  OWASP Austin donated some
>             money to the Foundation which we have been given the
>             opportunity to choose how it is allocated and this sounds
>             like it may be an area we can assist.
>             ~josh
>             On Fri, May 29, 2015 at 5:29 AM, Timo Goosen
>             <timo.goosen at owasp.org <mailto:timo.goosen at owasp.org>> wrote:
>                 I support this initiative.
>                 I'd like to see some funds allocated to updating the
>                 XSS Evasion Cheat Sheet as well as all the other
>                 offensive related cheatsheets.
>                 Attacks are changing all the time and we need to put
>                 some money towards having the latest info.
>                 Regards.
>                 Timo
>                 On Thu, May 28, 2015 at 6:00 PM, Josh Sokol
>                 <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>>
>                 wrote:
>                     Some great thoughts and ideas here Matt and I
>                     agree with pretty much everything you've said.
>                     IIRC, I think there were challenges with using
>                     Meetup as a platform over in APAC (China?) which I
>                     think is why it hasn't received a more global
>                     adoption.  In general, I do like the idea of a
>                     centralized platform for our chapters to organize
>                     events in a way where they are easily found by
>                     people in other communities. For example, a search
>                     for "security" in Meetup should yield the OWASP
>                     meeting in your area.
>                     One thing that I also like about Meetup is the
>                     open Discussions forums.  I've tried for years now
>                     to get a social platform for OWASP that isn't the
>                     mailing list. I've spent quite a bit of personal
>                     time with the content on http://my.owasp.org, and
>                     promoted it a few times, but despite my best
>                     efforts, it seems that OWASP very much prefers
>                     these old school mailing lists for communication.
>                     It's been a great platform for OWASP Austin, but
>                     there's not much activity outside of that,
>                     unfortunately. My ideal would be a scenario where
>                     content on the mailing list is sync'd to the
>                     discussion forums and vice-versa.  I'm not sure
>                     how possible that would be, but it would certainly
>                     make these kinds of conversations more available
>                     and searchable to those not "in the know".
>                     ~josh
>                     On Thu, May 28, 2015 at 10:07 AM, Matt Konda
>                     <matt.konda at owasp.org
>                     <mailto:matt.konda at owasp.org>> wrote:
>                         Hello all,
>                         Sorry in advance for the long email.
>                         Following up on our meeting and some
>                         discussions at AppSecEU, I wanted to think
>                         more about the OWASP "platform".  I see one
>                         role of the board as working to make it easy
>                         for the volunteers and leaders to succeed with
>                         their projects, events and community building
>                         (chapters).
>                         I'm a visual person so I put this presentation
>                         together with boxes and colors as a point of
>                         reference. I'm interested in your feedback
>                         (comments enabled). Please be patient with me,
>                         this is just a rough idea and is not intended
>                         in any way to be a criticism of where we are
>                         and what we are doing!!!  I made notes in the
>                         notes area to explain my color choices.
>                         https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing
>                         Getting more concrete, I want to suggest based
>                         on this thought process that we invest in
>                         Meetup as an organization and hire a technical
>                         writer on a 3 month contract basis.
>                         Here is the long story of why:
>                         I asked one successful project leader what
>                         OWASP could do to remove obstacles to success
>                         and their answer (paraphrasing) was something
>                         like this:
>                         "We struggle with:  publicity, documentation
>                         and training courses."
>                         This made me think that a concrete investment
>                         we could make to support projects would be to
>                         hire a contract technical writer to help with
>                         documentation across projects and the wiki.
>                         Assuming a 3 month, full time gig at a rate of
>                         $40 per hour (75th percentile according to
>                         this
>                         http://www.bls.gov/oes/current/oes273042.htm)
>                         would cost approximately 21K.
>                         We could build a list of tasks focused on:
>                           * Documentation for 3 projects
>                           * 10 wiki page updates per week (2 per day
>                             based on google analytics top hits)
>                         I imagine the person would work closely with
>                         the project co-ordinator and community manager.
>                         I don't know just what is realistic, but I am
>                         interested in exploring ways that we can model
>                         and then build a platform of core services
>                         that the foundation can provide to support
>                         projects, chapters and events - with the goal
>                         of making it easier to have success with our
>                         volunteers and leaders.
>                         What do you think? One thing that would help
>                         me is if we can think about the metrics we
>                         wanted to measure in strategic goals and
>                         whether these things would move the needle.  I
>                         haven't gotten there yet, but it seems to make
>                         sense...
>                         Input appreciated!!!
>                         Matt
>                         _______________________________________________
>                         Owasp-board mailing list
>                         Owasp-board at lists.owasp.org
>                         <mailto:Owasp-board at lists.owasp.org>
>                         https://lists.owasp.org/mailman/listinfo/owasp-board
>                     _______________________________________________
>                     Owasp-board mailing list
>                     Owasp-board at lists.owasp.org
>                     <mailto:Owasp-board at lists.owasp.org>
>                     https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150604/6d3547f1/attachment-0001.html>

More information about the Owasp-board mailing list