[Owasp-board] Project Platform

Jim Manico jim.manico at owasp.org
Thu Jun 4 19:55:58 UTC 2015


That is fair, I just want to make sure old vectors clearly state which 
browsers they work on. :)

Good call Eoin.

Aloha,
Jim


On 6/4/15 12:51 PM, Eoin Keary wrote:
> I'd suggest you keep old vectors? It would be nice to discuss the 
> evolution and why they are not effective anymore....?
>
> Eoin Keary
> BCC Risk Advisory - edgescan CTO
> Gartner "notable vendor" MSSP MQ
>
>
>
> On 4 Jun 2015, at 20:44, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Also,
>>
>> Tons of the vectors in this cheat sheet are for older browsers. As 
>> part of this paid effort, I'd be stoked to see all vectors verified 
>> against the main browsers in use today.
>>
>> I am happy to use any budget left from the Cheatsheet series (if we 
>> have any) to support this effort. The XSS filter evasion cheatsheet 
>> is one of the top viewed pages in all of OWASP.
>>
>> Aloha,
>> Jim
>>
>>
>> On 6/1/15 11:20 AM, Josh Sokol wrote:
>>> Can you get a quote for time and dollars to build this out?  Are 
>>> there other things that we could have this top-tier researcher do to 
>>> add value here? Demonstration site?  A quick guide to XSS?  Just 
>>> wondering how we can scope this to get the most bang for our buck.
>>>
>>> ~josh
>>>
>>> On Mon, Jun 1, 2015 at 11:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>
>>>     I talked to the researcher that I have in mind. He said that
>>>     the guide should include something about including text in the
>>>     search bar to parse besides just talking about filter evasion
>>>     (in the case of reflected XSS).
>>>
>>>     He said there is also nothing on the XSS Evasion cheat sheet on
>>>     scriptless or tagless XSS such as:
>>>     http://www.darkreading.com/search.asp?q=Kenan%5C%27;(alert)(/0/)//Brute%5C
>>>
>>>
>>>     Regards.
>>>     Timo
>>>
>>>     On Mon, Jun 1, 2015 at 5:42 PM, Timo Goosen
>>>     <timo.goosen at owasp.org> wrote:
>>>
>>>         I might know of such an XSS assessment professional. I can
>>>         ask if he will be willing to update the information in
>>>         exchange for payment. He is not an OWASP volunteer. How do I
>>>         go about setting up a budget and requesting funding for such
>>>         an effort?
>>>
>>>         "More than money, I think we need top tier XSS assessment
>>>         professionals to evaluate and expand on the current XSS
>>>         filter evasion cheat sheet. And more than static payloads
>>>         I'd love someone to contribute advice on more contextual
>>>         filter evasion.
>>>
>>>         If anyone is interested in working on this or even "owning"
>>>         this cheat sheet as the lead editor, please drop me a line
>>>         and let's talk.
>>>
>>>         Aloha,
>>>         Jim"
>>>
>>>
>>>         On Fri, May 29, 2015 at 10:43 PM, Josh Sokol
>>>         <josh.sokol at owasp.org> wrote:
>>>
>>>             Timo,
>>>
>>>             Could you please elaborate on what you would actually
>>>             use these funds for and how much you think you need to
>>>             update the XSS Evasion Cheat Sheet? OWASP Austin donated
>>>             some money to the Foundation which we have been given
>>>             the opportunity to choose how it is allocated and this
>>>             sounds like it may be an area we can assist.
>>>
>>>             ~josh
>>>
>>>             On Fri, May 29, 2015 at 5:29 AM, Timo Goosen
>>>             <timo.goosen at owasp.org> wrote:
>>>
>>>                 I support this initiative.
>>>
>>>                 I'd like to see some funds allocated to updating the
>>>                 XSS Evasion Cheat Sheet as well as all the other
>>>                 offensive related cheatsheets.
>>>
>>>                 Attacks are changing all the time and we need to put
>>>                 some money towards having the latest info.
>>>
>>>                 Regards.
>>>                 Timo
>>>
>>>
>>>
>>>                 On Thu, May 28, 2015 at 6:00 PM, Josh Sokol
>>>                 <josh.sokol at owasp.org> wrote:
>>>
>>>                     Some great thoughts and ideas here Matt and I
>>>                     agree with pretty much everything you've said.
>>>                     IIRC, I think there were challenges with using
>>>                     Meetup as a platform over in APAC (China?) which
>>>                     I think is why it hasn't received a more global
>>>                     adoption.  In general, I do like the idea of a
>>>                     centralized platform for our chapters to
>>>                     organize events in a way where they are easily
>>>                     found by people in other communities. For
>>>                     example, a search for "security" in Meetup
>>>                     should yield the OWASP meeting in your area.
>>>
>>>                     One thing that I also like about Meetup is the
>>>                     open Discussions forums.  I've tried for years
>>>                     now to get a social platform for OWASP that
>>>                     isn't the mailing list. I've spent quite a bit
>>>                     of personal time with the content on
>>>                     http://my.owasp.org, and promoted it a few
>>>                     times, but despite my best efforts, it seems
>>>                     that OWASP very much prefers these old school
>>>                     mailing lists for communication. It's been a
>>>                     great platform for OWASP Austin, but there's not
>>>                     much activity outside of that, unfortunately. My
>>>                     ideal would be a scenario where content on the
>>>                     mailing list is sync'd to the discussion forums
>>>                     and vice-versa. I'm not sure how possible that
>>>                     would be, but it would certainly make these
>>>                     kinds of conversations more available and
>>>                     searchable to those not "in the know".
>>>
>>>                     ~josh
>>>
>>>                     On Thu, May 28, 2015 at 10:07 AM, Matt Konda
>>>                     <matt.konda at owasp.org> wrote:
>>>
>>>                         Hello all,
>>>
>>>                         Sorry in advance for the long email.
>>>
>>>                         Following up on our meeting and some
>>>                         discussions at AppSecEU, I wanted to think
>>>                         more about the OWASP "platform".  I see one
>>>                         role of the board as working to make it easy
>>>                         for the volunteers and leaders to succeed
>>>                         with their projects, events and community
>>>                         building (chapters).
>>>
>>>                         I'm a visual person so I put this
>>>                         presentation together with boxes and colors
>>>                         as a point of reference. I'm interested in
>>>                         your feedback (comments enabled). Please be
>>>                         patient with me, this is just a rough idea
>>>                         and is not intended in any way to be a
>>>                         criticism of where we are and what we are
>>>                         doing!!!  I made notes in the notes area to
>>>                         explain my color choices.
>>>
>>>                         https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing
>>>
>>>                         Getting more concrete, I want to suggest
>>>                         based on this thought process that we invest
>>>                         in Meetup as an organization and hire a
>>>                         technical writer on a 3 month contract basis.
>>>
>>>                         Here is the long story of why:
>>>
>>>                         I asked one successful project leader what
>>>                         OWASP could do to remove obstacles to
>>>                         success and their answer (paraphrasing) was
>>>                         something like this:
>>>
>>>                         "We struggle with:  publicity, documentation
>>>                         and training courses."
>>>
>>>                         This made me think that a concrete
>>>                         investment we could make to support projects
>>>                         would be to hire a contract technical writer
>>>                         to help with documentation across projects
>>>                         and the wiki. Assuming a 3 month, full time
>>>                         gig at a rate of $40 per hour (75th
>>>                         percentile according to this
>>>                         http://www.bls.gov/oes/current/oes273042.htm) would
>>>                         cost approximately 21K.
>>>
>>>                         We could build a list of tasks focused on:
>>>
>>>                           * Documentation for 3 projects
>>>                           * 10 wiki page updates per week (2 per day
>>>                             based on google analytics top hits)
>>>
>>>                         I imagine the person would work closely with
>>>                         the project co-ordinator and community manager.
>>>
>>>                         I don't know just what is realistic, but I
>>>                         am interested in exploring ways that we can
>>>                         model and then build a platform of core
>>>                         services that the foundation can provide to
>>>                         support projects, chapters and events - with
>>>                         the goal of making it easier to have success
>>>                         with our volunteers and leaders.
>>>
>>>                         What do you think? One thing that would help
>>>                         me is if we can think about the metrics we
>>>                         wanted to measure in strategic goals and
>>>                         whether these things would move the needle. 
>>>                         I haven't gotten there yet, but it seems to
>>>                         make sense...
>>>
>>>                         Input appreciated!!!
>>>
>>>                         Matt
>>>
>>>
>>>                         _______________________________________________
>>>                         Owasp-board mailing list
>>>                         Owasp-board at lists.owasp.org
>>>                         https://lists.owasp.org/mailman/listinfo/owasp-board
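
The "scriptless or tagless" search-box payload Timo quotes above works because the query lands inside a JavaScript string literal rather than in HTML. The following is an added example, not code from the thread or from any site it mentions: it assumes a hypothetical search page that echoes the q parameter into `var q = '...'` and escapes single quotes but not backslashes, shows how the payload's own trailing backslash neutralises that escaping, and sets the hardened rendering beside it. The payload is the URL-decoded form of the one in the thread; the filter regex and both render functions are constructed for this example.

```javascript
// Added example (not code from the thread or from any site it mentions).
// It shows why the "scriptless/tagless" search-box payload quoted above
// works: the query is echoed into a JavaScript string literal by a
// hypothetical page that escapes quotes but not backslashes.

// The payload from the thread, URL-decoded. Assumption: the page receives
// it exactly like this as the value of the q parameter.
const PAYLOAD = "Kenan\\';(alert)(/0/)//Brute\\";

// A blocklist of the kind the payload is built to slip past: it looks for
// tags and for the literal "alert(", neither of which the payload contains
// ("(alert)(/0/)" calls alert without ever writing "alert(").
function naiveFilterBlocks(q) {
  return /<[a-z!\/]|alert\(/i.test(q);
}

// Vulnerable rendering (hypothetical): only the single quote is escaped.
// The user's own backslash turns "\'" into "\\'" -- an escaped backslash
// followed by a real closing quote -- so the literal ends early and the
// rest of the payload is parsed as code; the "//" comments out the tail.
function renderNaive(q) {
  const escaped = q.replace(/'/g, "\\'");
  return "var q = '" + escaped + "';";
}

// Hardened rendering: JSON.stringify escapes backslash and double quotes;
// "<" and the line terminators U+2028/2029 are escaped as well so the
// literal is also safe inside an inline <script> block.
function renderSafe(q) {
  const literal = JSON.stringify(q)
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var q = " + literal + ";";
}

// Run a generated snippet the way the browser would, with alert stubbed,
// and report whether alert fired and what q ended up containing.
function run(snippet) {
  const calls = [];
  const fakeAlert = (x) => calls.push(String(x));
  // The newline matters: the payload's trailing "//" would otherwise
  // comment out the return statement too.
  const fn = new Function("alert", snippet + "\nreturn q;");
  const q = fn(fakeAlert);
  return { alertFired: calls.length > 0, q };
}

console.log("filter blocks payload:", naiveFilterBlocks(PAYLOAD)); // false
console.log("naive:", run(renderNaive(PAYLOAD))); // alertFired: true, q: "Kenan\\"
console.log("safe:", run(renderSafe(PAYLOAD)));   // alertFired: false, q === PAYLOAD
```

Run it with node; the naive rendering fires the stubbed alert and leaves q truncated to `Kenan\`, while the JSON-based rendering round-trips the payload as plain data. The general lesson for a contextual filter-evasion cheat sheet is that the escaping rule has to match the output context (here a JS string literal), and that blocklists keyed on tags or on `alert(` say nothing about that context.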
