[Owasp-infrastructure] Eat Our Own Dog Food?

Jason Li jason.li at owasp.org
Fri Jul 29 14:04:15 EDT 2011


That's a really good point.

I should have read the email more thoroughly and done some further thinking.

I just saw the first sentence "It should be noted that we are not
following our rules of Authentication as pertaining to "Generic
Errors"... mea culpa!

-Jason

On Fri, Jul 29, 2011 at 12:49 PM, Michael Coates
<michael.coates at owasp.org> wrote:
> This may be an item we can do without given the risk for our deployment.  Consider the following:
>
> - The design of our wiki automatically puts every username into the public as part of the page history
> - The wiki User pages also provide enumeration https://www.owasp.org/index.php/User:MichaelCoates vs https://www.owasp.org/index.php/User:Foo
> - We have other monitoring controls for spam users
>
> Since the natural function/design of our wiki makes usernames public, and the risk of username enumeration is relatively low, we'll likely have to accept this risk in order to use mediawiki.
>
>
>
> Just my .02
>
> Michael Coates
> OWASP
>
>
>
> On Jul 29, 2011, at 7:52 AM, Jason Li wrote:
>
>> Team,
>>
>> Some folks are reviewing the OWASP Cheat Sheets and it was noted that
>> our website doesn't follow our own best practices for authentication
>>
>> See below regarding the Wiki login.
>>
>> What will it take to fix this behavior and who wants to do it? :)
>>
>> -Jason
>>
>> ---------- Forwarded message ----------
>> From: Frederick Donovan <fred.donovan at owasp.org>
>> Date: Fri, Jul 29, 2011 at 3:48 AM
>> Subject: Re: Cheat Sheet Book & OWASP Conferences
>> To: Michael Coates <michael.coates at owasp.org>
>> Cc: Paulo Coimbra <paulo.coimbra at owasp.org>, Jason Li
>> <jason.li at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>, Eoin
>> <eoin.keary at owasp.org>, Lorna Alamri <lorna.alamri at owasp.org>, psiinon
>> <psiinon at gmail.com>, Dennis Groves <dennis.groves at owasp.org>, dinis
>> cruz <dinis.cruz at owasp.org>, Sherif Koussa <sherif.koussa at owasp.org>
>>
>>
>> So far I've gotten through:
>>
>> Authentication Cheat Sheet
>> Secure Session Management Cheat Sheet
>>
>> It should be noted that we are not following our rules of
>> Authentication as pertaining to "Generic Errors".
>> I noticed the following different messages when logging into www.owasp.org:
>> Login error
>> There is no user by the name "notauser at owasp.org". Check your spelling.
>> Login error
>> Incorrect password entered. Please try again.
>> As you can imagine, the incorrect password error verifies that the
>> username was correct.
>> I've a good bit of time today and will continue review on the rest of the docs.
>> -Fred
>
>

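As an added illustration of the behaviour Fred observed (not code from this thread or from MediaWiki), here is a minimal Python login check in its verbose form beside the generic-error form the Authentication Cheat Sheet asks for. The user table, the PBKDF2 hashing scheme and the wording of the generic message are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample user store (not the OWASP wiki's data): username -> (salt, PBKDF2 hash)
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}

# Dummy credential checked for unknown users so both paths do the same amount of work
# (otherwise response time becomes a second oracle even when the message is generic).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2("dummy-placeholder-password", _DUMMY_SALT)

def login_verbose(username: str, password: str) -> str:
    """The behaviour reported for www.owasp.org: the message says whether the user exists."""
    if username not in USERS:
        return f'There is no user by the name "{username}". Check your spelling.'
    salt, stored = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "Incorrect password entered. Please try again."
    return "OK"

# Wording is an assumption; the point is that it is identical for both failure causes.
GENERIC_ERROR = "Login failed; invalid user ID or password."

def login_generic(username: str, password: str) -> str:
    """Generic error: same message and same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if ok and username in USERS:
        return "OK"
    return GENERIC_ERROR

def responses_differ(login, unknown_user: str, known_user: str, bad_password: str = "wrong") -> bool:
    """Self-check for a login form: do failures for an unknown and a known user read differently?"""
    return login(unknown_user, bad_password) != login(known_user, bad_password)
```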
