<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>I'd suggest you keep old vectors? It would be nice to discuss the evolution and why they are not effective anymore....?<br><br>Eoin Keary<div>BCC Risk Advisory - <span style="font-size: 13pt;">edgescan </span><span style="font-size: 13pt;">CTO</span></div><div><span style="font-size: 13pt;">Gartner "notable vendor" MSSP MQ</span></div><div><span style="font-size: 13pt;"><br></span></div><div><br></div></div><div><br>On 4 Jun 2015, at 20:44, Jim Manico <<a href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>> wrote:<br><br></div><blockquote type="cite"><div>
  
  
  
    Also,<br>
    <br>
    Tons of the vectors in this cheat sheet are for older browsers. As
    part of this paid effort, I'd be stoked to see all vectors verified
    against the main browsers in use today.<br>
    <br>
    I am happy to use any budget left from the Cheatsheet series (if we
    have any) to support this effort. The XSS filter evasion cheatsheet
    is one of the top viewed pages in all of OWASP.<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 6/1/15 11:20 AM, Josh Sokol wrote:<br>
    </div>
    <blockquote cite="mid:CAFwvDewNXUrwiOOhSJJvauLg3cON_Pnvjf2jS84hAPsDSs-Wjg@mail.gmail.com" type="cite">
      <div dir="ltr">
        <div>Can you get a quote for time and dollars to build this
          out?  Are there other things that we could have this top-tier
          researcher do to add value here?  Demonstration site?  A quick
          guide to XSS?  Just wondering how we can scope this to get the
          most bang for our buck.<br>
          <br>
        </div>
        ~josh<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Jun 1, 2015 at 11:04 AM, Timo
          Goosen <span dir="ltr"><<a moz-do-not-send="true" href="mailto:timo.goosen@owasp.org" target="_blank">timo.goosen@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">I talked to the researcher that I have in
              mind. He said that the guide should include something
              about including text in the search bar to parse besides
              just talking about filter evasion (in the case of
              reflected XSS).
              <div><br>
              </div>
              <div>He said there is also nothing on the XSS Evasion
                cheat sheet on scriptless or tagless XSS such as:</div>
              <div><a moz-do-not-send="true" href="http://www.darkreading.com/search.asp?q=Kenan%5C%27;%28alert%29%28/0/%29//Brute%5C" target="_blank">http://www.darkreading.com/search.asp?q=Kenan%5C%27;(alert)(/0/)//Brute%5C</a><br>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div>Regards.</div>
              <span class="HOEnZb"><font color="#888888">
                  <div>Timo</div>
                </font></span></div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Mon, Jun 1, 2015 at 5:42
                    PM, Timo Goosen <span dir="ltr"><<a moz-do-not-send="true" href="mailto:timo.goosen@owasp.org" target="_blank">timo.goosen@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="ltr">
                        <div>I might know of such an XSS assessment
                          professional. I can ask if he will be willing
                          to update the information in exchange for
                          payment. He is not an OWASP volunteer. How do
                          I go about setting up a budget and requesting
                          funding for such an effort?</div>
                        <span>
                          <div><br>
                          </div>
                          "<span style="font-size:12.8000001907349px">More
                            than money, I think we need top tier XSS
                            assessment professionals to evaluate and
                            expand on the current XSS filter evasion
                            cheat sheet. And more than static payloads
                            I'd love someone to contribute advice on
                            more contextual filter evasion.</span><br style="font-size:12.8000001907349px">
                          <br style="font-size:12.8000001907349px">
                          <span style="font-size:12.8000001907349px">If
                            anyone is interested in working on this or
                            even "owning" this cheat sheet as the lead
                            editor, please drop me a line and let's
                            talk.</span><br style="font-size:12.8000001907349px">
                          <br style="font-size:12.8000001907349px">
                          <span style="font-size:12.8000001907349px">Aloha,</span><br style="font-size:12.8000001907349px">
                          <span style="font-size:12.8000001907349px">Jim"</span>
                          <div><span style="font-size:12.8000001907349px"><br>
                            </span></div>
                        </span></div>
                      <div>
                        <div>
                          <div class="gmail_extra"><br>
                            <div class="gmail_quote">On Fri, May 29,
                              2015 at 10:43 PM, Josh Sokol <span dir="ltr"><<a moz-do-not-send="true" href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span>
                              wrote:<br>
                              <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px
                                #ccc solid;padding-left:1ex">
                                <div dir="ltr">
                                  <div>
                                    <div>Timo,<br>
                                      <br>
                                    </div>
                                    Could you please elaborate on what
                                    you would actually use these funds
                                    for and how much you think you need
                                    to update the XSS Evasion Cheat
                                    Sheet?  OWASP Austin donated some
                                    money to the Foundation, and we
                                    have been given the opportunity to
                                    choose how it is allocated; this
                                    sounds like it may be an area where
                                    we can assist.<span><font color="#888888"><br>
                                        <br>
                                      </font></span></div>
                                  <span><font color="#888888">~josh<br>
                                    </font></span></div>
                                <div>
                                  <div>
                                    <div class="gmail_extra"><br>
                                      <div class="gmail_quote">On Fri,
                                        May 29, 2015 at 5:29 AM, Timo
                                        Goosen <span dir="ltr"><<a moz-do-not-send="true" href="mailto:timo.goosen@owasp.org" target="_blank">timo.goosen@owasp.org</a>></span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote" style="margin:0 0 0
                                          .8ex;border-left:1px #ccc
                                          solid;padding-left:1ex">
                                          <div dir="ltr">
                                            <div>I support this
                                              initiative. </div>
                                            <div><br>
                                            </div>
                                            I'd like to see some funds
                                            allocated to updating the
                                            XSS Evasion Cheat Sheet as
                                            well as all the other
                                            offensive related
                                            cheatsheets. 
                                            <div><br>
                                            </div>
                                            <div>Attacks are changing
                                              all the time and we need
                                              to put some money towards
                                              having the latest info.</div>
                                            <div><br>
                                            </div>
                                            <div>Regards.</div>
                                            <span><font color="#888888">
                                                <div>Timo<br>
                                                  <div><br>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                </div>
                                              </font></span></div>
                                          <div>
                                            <div>
                                              <div class="gmail_extra"><br>
                                                <div class="gmail_quote">On
                                                  Thu, May 28, 2015 at
                                                  6:00 PM, Josh Sokol <span dir="ltr"><<a moz-do-not-send="true" href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span>
                                                  wrote:<br>
                                                  <blockquote class="gmail_quote" style="margin:0 0 0
                                                    .8ex;border-left:1px
                                                    #ccc
                                                    solid;padding-left:1ex">
                                                    <div dir="ltr">
                                                      <div>Some great
                                                        thoughts and
                                                        ideas here Matt
                                                        and I agree with
                                                        pretty much
                                                        everything
                                                        you've said. 
                                                        IIRC, I think
                                                        there were
                                                        challenges with
                                                        using Meetup as
                                                        a platform over
                                                        in APAC (China?)
                                                        which I think is
                                                        why it hasn't
                                                        received a more
                                                        global
                                                        adoption.  In
                                                        general, I do
                                                        like the idea of
                                                        a centralized
                                                        platform for our
                                                        chapters to
                                                        organize events
                                                        in a way where
                                                        they are easily
                                                        found by people
                                                        in other
                                                        communities. 
                                                        For example, a
                                                        search for
                                                        "security" in
                                                        Meetup should
                                                        yield the OWASP
                                                        meeting in your
                                                        area.<br>
                                                        <br>
                                                        One thing that I
                                                        also like about
                                                        Meetup is the
                                                        open Discussions
                                                        forums.  I've
                                                        tried for years
                                                        now to get a
                                                        social platform
                                                        for OWASP that
                                                        isn't the
                                                        mailing list. 
                                                        I've spent quite
                                                        a bit of
                                                        personal time
                                                        with the content
                                                        on <a moz-do-not-send="true" href="http://my.owasp.org" target="_blank">http://my.owasp.org</a>, and
                                                        promoted it a
                                                        few times, but
                                                        despite my best
                                                        efforts, it
                                                        seems that OWASP
                                                        very much
                                                        prefers these
                                                        old school
                                                        mailing lists
                                                        for
                                                        communication. 
                                                        It's been a
                                                        great platform
                                                        for OWASP
                                                        Austin, but
                                                        there's not much
                                                        activity outside
                                                        of that,
                                                        unfortunately. 
                                                        My ideal would
                                                        be a scenario
                                                        where content on
                                                        the mailing list
                                                        is sync'd to the
                                                        discussion
                                                        forums and
                                                        vice-versa.  I'm
                                                        not sure how
                                                        possible that
                                                        would be, but it
                                                        would certainly
                                                        make these kinds
                                                        of conversations
                                                        more available
                                                        and searchable
                                                        to those not "in
                                                        the know".<span><font color="#888888"><br>
                                                          <br>
                                                          </font></span></div>
                                                      <span><font color="#888888">~josh<br>
                                                        </font></span></div>
                                                    <div class="gmail_extra"><br>
                                                      <div class="gmail_quote">
                                                        <div>
                                                          <div>On Thu,
                                                          May 28, 2015
                                                          at 10:07 AM,
                                                          Matt Konda <span dir="ltr"><<a moz-do-not-send="true" href="mailto:matt.konda@owasp.org" target="_blank">matt.konda@owasp.org</a>></span>
                                                          wrote:<br>
                                                          </div>
                                                        </div>
                                                        <blockquote class="gmail_quote" style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">Hello
                                                          all,
                                                          <div><br>
                                                          </div>
                                                          <div>Sorry in
                                                          advance for
                                                          the long
                                                          email.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Following
                                                          up on our
                                                          meeting and
                                                          some
                                                          discussions at
                                                          AppSecEU, I
                                                          wanted to
                                                          think more
                                                          about the
                                                          OWASP
                                                          "platform".  I
                                                          see one role
                                                          of the board
                                                          as working to
                                                          make it easy
                                                          for the
                                                          volunteers and
                                                          leaders to
                                                          succeed with
                                                          their
                                                          projects,
                                                          events and
                                                          community
                                                          building
                                                          (chapters).</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I'm a
                                                          visual person
                                                          so I put this
                                                          presentation
                                                          together with
                                                          boxes and
                                                          colors as a
                                                          point of
                                                          reference. 
                                                          I'm interested
                                                          in your
                                                          feedback
                                                          (comments
                                                          enabled). 
                                                          Please be
                                                          patient with
                                                          me, this is
                                                          just a rough
                                                          idea and is
                                                          not intended
                                                          in any way to
                                                          be a criticism
                                                          of where we
                                                          are and what
                                                          we are
                                                          doing!!!  I
                                                          made notes in
                                                          the notes area
                                                          to explain my
                                                          color choices.</div>
                                                          <div><br>
                                                          </div>
                                                          <div><a moz-do-not-send="true" href="https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing" target="_blank">https://docs.google.com/a/owasp.org/presentation/d/1SLd1BG4TxrN75NqQo8_zKLC8CfhYa8WgfkXx7mcerhU/edit?usp=sharing</a><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Getting
                                                          more concrete,
                                                          I want to
                                                          suggest based
                                                          on this
                                                          thought
                                                          process that
                                                          we invest in
                                                          Meetup as an
                                                          organization
                                                          and hire a
                                                          technical
                                                          writer on a 3
                                                          month contract
                                                          basis.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Here is
                                                          the long story
                                                          of why: </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I asked
                                                          one successful
                                                          project leader
                                                          what OWASP
                                                          could do to
                                                          remove
                                                          obstacles to
                                                          success and
                                                          their answer
                                                          (paraphrasing)
                                                          was something
                                                          like this: <br>
                                                          </div>
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          <div>"We
                                                          struggle with:
                                                           publicity,
                                                          documentation
                                                          and training
                                                          courses."</div>
                                                          <div><br>
                                                          </div>
                                                          <div>This made
                                                          me think that
                                                          a concrete
                                                          investment we
                                                          could make to
                                                          support
                                                          projects would
                                                          be to hire a
                                                          contract
                                                          technical
                                                          writer to help
                                                          with
                                                          documentation
                                                          across
                                                          projects and
                                                          the wiki. 
                                                          Assuming a 3
                                                          month, full
                                                          time gig at a
                                                          rate of $40
                                                          per hour (75th
                                                          percentile
                                                          according to
                                                          this <a moz-do-not-send="true" href="http://www.bls.gov/oes/current/oes273042.htm" target="_blank">http://www.bls.gov/oes/current/oes273042.htm</a>)
                                                          would cost
                                                          approximately
                                                          21K.  </div>
                                                          <div><br>
                                                          </div>
                                                          <div>We could
                                                          build a list
                                                          of tasks
                                                          focused on:  </div>
                                                          <div>
                                                          <ul>
                                                          <li>Documentation
                                                          for 3 projects</li>
                                                          <li>10 wiki
                                                          page updates
                                                          per week (2
                                                          per day based
                                                          on google
                                                          analytics top
                                                          hits)</li>
                                                          </ul>
                                                          </div>
                                                          <div>I imagine
                                                          the person
                                                          would work
                                                          closely with
                                                          the project
                                                          co-ordinator
                                                          and community
                                                          manager.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I don't
                                                          know just what
                                                          is realistic,
                                                          but I am
                                                          interested in
                                                          exploring ways
                                                          that we can
                                                          model and then
                                                          build a
                                                          platform of
                                                          core services
                                                          that the
                                                          foundation can
                                                          provide to
                                                          support
                                                          projects,
                                                          chapters and
                                                          events - with
                                                          the goal of
                                                          making it
                                                          easier to have
                                                          success with
                                                          our volunteers
                                                          and leaders.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>What do
                                                          you think? 
                                                          One thing that
                                                          would help me
                                                          is if we can
                                                          think about
                                                          the metrics we
                                                          wanted to
                                                          measure in
                                                          strategic
                                                          goals and
                                                          whether these
                                                          things would
                                                          move the
                                                          needle.  I
                                                          haven't gotten
                                                          there yet, but
                                                          it seems to
                                                          make sense...</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Input
                                                          appreciated!!!</div>
                                                          <span><font color="#888888">
                                                          <div><br>
                                                          </div>
                                                          <div>Matt</div>
                                                          <div><br>
                                                          </div>
                                                          </font></span></div>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <span>_______________________________________________<br>
                                                          Owasp-board
                                                          mailing list<br>
                                                          <a moz-do-not-send="true" href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a><br>
                                                          <a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-board" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                                          <br>
                                                          </span></blockquote>
                                                      </div>
                                                      <br>
                                                    </div>
                                                    <br>
                                                  </blockquote>
                                                </div>
                                                <br>
                                              </div>
                                            </div>
                                          </div>
                                        </blockquote>
                                      </div>
                                      <br>
                                    </div>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  

</div></blockquote></body></html>