[Owasp-infrastructure] Eat Our Own Dog Food?
jason.li at owasp.org
Fri Jul 29 14:04:15 EDT 2011
That's a really good point.
I should have read the email more thoroughly and done some further thinking.
I just saw the first sentence ("It should be noted that we are not
following our rules of Authentication as pertaining to 'Generic
Errors'")... mea culpa!
On Fri, Jul 29, 2011 at 12:49 PM, Michael Coates
<michael.coates at owasp.org> wrote:
> This may be an item we can do without given the risk for our deployment. Consider the following:
> - The design of our wiki automatically puts every username into the public as part of the page history
> - The wiki User pages also provide enumeration https://www.owasp.org/index.php/User:MichaelCoates vs https://www.owasp.org/index.php/User:Foo
> - We have other monitoring controls for spam users
> Since the natural function/design of our wiki makes usernames public, and the risk of username enumeration is relatively low, we'll likely have to accept this risk in order to use mediawiki.
> Just my .02
> Michael Coates
> On Jul 29, 2011, at 7:52 AM, Jason Li wrote:
>> Some folks are reviewing the OWASP Cheat Sheets and it was noted that
>> our website doesn't follow our own best practices for authentication
>> See below regarding the Wiki login.
>> What will it take to fix this behavior and who wants to do it? :)
>> ---------- Forwarded message ----------
>> From: Frederick Donovan <fred.donovan at owasp.org>
>> Date: Fri, Jul 29, 2011 at 3:48 AM
>> Subject: Re: Cheat Sheet Book & OWASP Conferences
>> To: Michael Coates <michael.coates at owasp.org>
>> Cc: Paulo Coimbra <paulo.coimbra at owasp.org>, Jason Li
>> <jason.li at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>, Eoin
>> <eoin.keary at owasp.org>, Lorna Alamri <lorna.alamri at owasp.org>, psiinon
>> <psiinon at gmail.com>, Dennis Groves <dennis.groves at owasp.org>, dinis
>> cruz <dinis.cruz at owasp.org>, Sherif Koussa <sherif.koussa at owasp.org>
>> So far I've gotten through:
>> Authentication Cheat Sheet
>> Secure Session Management Cheat Sheet
>> It should be noted that we are not following our rules of
>> Authentication as pertaining to "Generic Errors".
>> I noticed the following different messages when logging into www.owasp.org:
>> Login error
>> There is no user by the name "notauser at owasp.org". Check your spelling.
>> Login error
>> Incorrect password entered. Please try again.
>> As you can imagine, the incorrect password error verifies that the
>> username was correct.
>> I've a good bit of time today and will continue review on the rest of the docs.
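The behaviour Fred describes in the forwarded message, beside the "generic error" fix the Authentication Cheat Sheet asks for, as an added example. This is not MediaWiki code and not anything posted in the thread; the user store, the PBKDF2 parameters, the `GENERIC_ERROR` text and the `leaks_username_existence` probe are assumptions made for illustration. The two verbose messages are the ones quoted above.

```python
"""Username enumeration through login error messages, and the fix.

Added example, not MediaWiki's or OWASP's code. The user store, hashing
parameters and generic message are assumptions for illustration.
"""
import hashlib
import hmac
import os

_ITERATIONS = 50_000  # assumed PBKDF2 work factor for the toy store


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed user store (username -> (salt, hash)); not real accounts.
USERS = {"alice": _make_user("correct horse battery staple")}

# A salt/hash pair belonging to no account. Verifying against it makes the
# unknown-user path do the same work as the known-user path, so the
# message is not the only thing that has to be made identical: timing
# would otherwise still tell the two cases apart.
_DUMMY_SALT, _DUMMY_HASH = _make_user("dummy-password-never-matches")


def login_verbose(username: str, password: str) -> str:
    """The behaviour reported for the wiki: a different message per failure."""
    if username not in USERS:
        return f'There is no user by the name "{username}". Check your spelling.'
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password entered. Please try again."
    return "OK"


GENERIC_ERROR = "Invalid username or password."  # assumed wording


def login_generic(username: str, password: str) -> str:
    """Hardened: one message for both failures, same work on both paths."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check guards against the dummy password matching.
    if ok and username in USERS:
        return "OK"
    return GENERIC_ERROR


def leaks_username_existence(login, known_user: str, unknown_user: str) -> bool:
    """Black-box probe: submit a wrong password for a real and for a made-up
    user and compare the responses. True means the login form tells an
    attacker which usernames exist."""
    wrong = "definitely-not-the-password"
    return login(known_user, wrong) != login(unknown_user, wrong)


if __name__ == "__main__":
    for fn in (login_verbose, login_generic):
        print(fn.__name__, "enumerable:",
              leaks_username_existence(fn, "alice", "notauser"))
```

Running the probe against `login_verbose` reports `True` (the two messages differ, which is exactly what the wiki revealed), and against `login_generic` reports `False`. As Michael notes, the same usernames are still published by page history and `User:` pages, so a message-only fix closes the login oracle but not the enumeration overall.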