[Owasp-infrastructure] Eat Our Own Dog Food?

Jason Li jason.li at owasp.org
Fri Jul 29 10:52:04 EDT 2011


Some folks are reviewing the OWASP Cheat Sheets and it was noted that
our website doesn't follow our own best practices for authentication.

See below regarding the Wiki login.

What will it take to fix this behavior and who wants to do it? :)


---------- Forwarded message ----------
From: Frederick Donovan <fred.donovan at owasp.org>
Date: Fri, Jul 29, 2011 at 3:48 AM
Subject: Re: Cheat Sheet Book & OWASP Conferences
To: Michael Coates <michael.coates at owasp.org>
Cc: Paulo Coimbra <paulo.coimbra at owasp.org>, Jason Li
<jason.li at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>, Eoin
<eoin.keary at owasp.org>, Lorna Alamri <lorna.alamri at owasp.org>, psiinon
<psiinon at gmail.com>, Dennis Groves <dennis.groves at owasp.org>, dinis
cruz <dinis.cruz at owasp.org>, Sherif Koussa <sherif.koussa at owasp.org>

So far I've gotten through:

Authentication Cheat Sheet
Secure Session Management Cheat Sheet

It should be noted that we are not following our rules of
Authentication as pertaining to "Generic Errors".
I noticed the following different messages when logging into www.owasp.org:
Login error
There is no user by the name "notauser at owasp.org". Check your spelling.
Login error
Incorrect password entered. Please try again.
As you can imagine, the incorrect password error verifies that the
username was correct.
I've a good bit of time today and will continue review on the rest of the docs.
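The two messages quoted above are a textbook username-enumeration oracle: the error text itself tells the caller which of the two checks failed. The following is an added illustration, not code from the OWASP wiki or MediaWiki, written in Python with a constructed in-memory user store (the account names, salts, PBKDF2 parameters and function names are all assumptions). It places a handler that reproduces the quoted behaviour beside a hardened one that returns a single generic message and does the same password-hash work whether or not the account exists, plus a small regression check a reviewer can run against either handler.

```python
import hashlib
import hmac
import secrets

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# This is illustrative data, not OWASP's account database.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-16b"
USERS = {
    "realuser@owasp.org": (_SALT, _hash_password("correct horse", _SALT)),
}

# Dummy record verified against when the username is unknown, so the
# unknown-user and wrong-password paths cost the same (no timing oracle).
_DUMMY_SALT = b"dummy-salt-for-unknown!"
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Login failed: invalid username or password."


def login_verbose(username: str, password: str) -> tuple[bool, str]:
    """Reproduces the wiki behaviour quoted in the mail: the error text
    differs depending on whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return (False,
                f'There is no user by the name "{username}". Check your spelling.')
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return (False, "Incorrect password entered. Please try again.")
    return (True, "Login successful.")


def login_generic(username: str, password: str) -> tuple[bool, str]:
    """Hardened handler: one message for every failure, and the password
    hash is always computed so the two failure paths take similar time."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if record is None:
        ok = False  # never accept a match against the dummy record
    if not ok:
        return (False, GENERIC_ERROR)
    return (True, "Login successful.")


def leaks_username_existence(login) -> bool:
    """Regression check for a login handler: True when the error text for an
    unknown account differs from the error text for a known account with the
    wrong password, i.e. when the handler confirms which usernames exist."""
    _, msg_unknown = login("notauser@owasp.org", "wrong-password")
    _, msg_known = login("realuser@owasp.org", "wrong-password")
    return msg_unknown != msg_known


if __name__ == "__main__":
    print("verbose handler leaks:", leaks_username_existence(login_verbose))
    print("generic handler leaks:", leaks_username_existence(login_generic))
```

The check is the kind of assertion worth keeping in a login component's test suite: it fails the moment someone reintroduces a "helpful" distinct message. Equalising the work done on the unknown-user path matters too, since a handler that returns the generic message but skips the hash computation for unknown accounts still distinguishes the two cases by response time.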
