[Owasp-infrastructure] [Owasp-website] Eat Our Own Dog Food?

Jim Manico jim.manico at owasp.org
Sat Jul 30 09:53:42 EDT 2011


Eoin,

We recently published the session management cheat-sheet and linked
the AuthN cheat-sheet to it. We are also going to give the original
AuthN work a second pass. I really appreciate how quickly you agreed
to donate your time to build the original work to help get the series
going. If you have time to help us augment your original work then
drop me a line sir, I have a few ideas for the next version.

Michael Coates posted a solid risk management take on this form of
information leakage (below) and I agree with his assessment.

So "all good", everyone.
Back to work! :)

- Jim Manico

On Jul 30, 2011, at 8:41 AM, Eoin <eoin.keary at owasp.org> wrote:

> Indeed but they are not "our rules" but leading practice. The auth cheat sheet was a stab by me to cover off a top 10 item prior to release of the 2010 top 10.
> Most of it was from my head and I did not research too deeply or ref session mgt.
>
>
>
>
> On 29 Jul 2011, at 19:04, Jason Li <jason.li at owasp.org> wrote:
>
>> That's a really good point.
>>
>> I should have read the email more thoroughly and done some further thinking.
>>
>> I just saw the first sentence " It should be noted that we are not
>> following our rules of Authentication as pertaining to "Generic
>> Errors"... mea culpa!
>>
>> -Jason
>>
>> On Fri, Jul 29, 2011 at 12:49 PM, Michael Coates
>> <michael.coates at owasp.org> wrote:
>>> This may be an item we can do without given the risk for our deployment.  Consider the following:
>>>
>>> - The design of our wiki automatically puts every username into the public as part of the page history
>>> - The wiki User pages also provide enumeration https://www.owasp.org/index.php/User:MichaelCoates vs https://www.owasp.org/index.php/User:Foo
>>> - We have other monitoring controls for spam users
>>>
>>> Since the natural function/design of our wiki makes usernames public, and the risk of username enumeration is relatively low, we'll likely have to accept this risk in order to use mediawiki.
>>>
>>>
>>>
>>> Just my .02
>>>
>>> Michael Coates
>>> OWASP
>>>
>>>
>>>
>>> On Jul 29, 2011, at 7:52 AM, Jason Li wrote:
>>>
>>>> Team,
>>>>
>>>> Some folks are reviewing the OWASP Cheat Sheets and it was noted that
>>>> our website doesn't follow our own best practices for authentication
>>>>
>>>> See below regarding the Wiki login.
>>>>
>>>> What will it take to fix this behavior and who wants to do it? :)
>>>>
>>>> -Jason
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Frederick Donovan <fred.donovan at owasp.org>
>>>> Date: Fri, Jul 29, 2011 at 3:48 AM
>>>> Subject: Re: Cheat Sheet Book & OWASP Conferences
>>>> To: Michael Coates <michael.coates at owasp.org>
>>>> Cc: Paulo Coimbra <paulo.coimbra at owasp.org>, Jason Li
>>>> <jason.li at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>, Eoin
>>>> <eoin.keary at owasp.org>, Lorna Alamri <lorna.alamri at owasp.org>, psiinon
>>>> <psiinon at gmail.com>, Dennis Groves <dennis.groves at owasp.org>, dinis
>>>> cruz <dinis.cruz at owasp.org>, Sherif Koussa <sherif.koussa at owasp.org>
>>>>
>>>>
>>>> So far I've gotten through:
>>>>
>>>> Authentication Cheat Sheet
>>>> Secure Session Management Cheat Sheet
>>>>
>>>> It should be noted that we are not following our rules of
>>>> Authentication as pertaining to "Generic Errors".
>>>> I noticed the following different messages when logging into www.owasp.org:
>>>> Login error
>>>> There is no user by the name "notauser at owasp.org". Check your spelling.
>>>> Login error
>>>> Incorrect password entered. Please try again.
>>>> As you can imagine, the incorrect password error verifies that the
>>>> username was correct.
>>>> I've a good bit of time today and will continue review on the rest of the docs.
>>>> -Fred
>>>
>>>
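The two login messages Fred quotes above ("There is no user by the name ..." versus "Incorrect password entered ...") are the classic username-enumeration oracle the Authentication Cheat Sheet's "Generic Errors" rule is about. The following is an added illustration, not code from this thread or from MediaWiki: a leaky login that reproduces those two messages side by side with a hardened version that returns a single generic message and always computes a password hash, so the unknown-user path costs the same as the wrong-password path. The user store, the `GENERIC_ERROR` text and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample user store for the example (not the OWASP wiki's data).
# Passwords are stored as PBKDF2-HMAC-SHA256 hashes with a per-user salt.
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(credentials: dict) -> dict:
    """Build {username: (salt, hash)} from plaintext credentials (fixture only)."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, _hash_password(password, salt))
    return store


# Dummy salt/hash used when the username is unknown, so the hardened login
# performs the same amount of work whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_leaky(store: dict, username: str, password: str):
    """Mirrors the two distinct messages reported for the wiki: the second
    message is only reachable when the username exists, so a failed attempt
    confirms valid usernames."""
    if username not in store:
        return False, f'There is no user by the name "{username}". Check your spelling.'
    salt, expected = store[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return False, "Incorrect password entered. Please try again."
    return True, "Login successful."


GENERIC_ERROR = "Invalid username or password."


def login_generic(store: dict, username: str, password: str):
    """Hardened form: one message for both failure cases, and a password hash
    is always computed so the unknown-user path is not noticeably faster."""
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Bitwise & rather than 'and' so both checks are evaluated every time.
    ok = hmac.compare_digest(candidate, expected) & (username in store)
    if not ok:
        return False, GENERIC_ERROR
    return True, "Login successful."


def messages_distinguish_users(login, store: dict) -> bool:
    """True if the failure message differs between an unknown user and a
    known user with the wrong password, i.e. the login is an enumeration oracle."""
    _, unknown_msg = login(store, "notauser", "whatever")
    known = next(iter(store))
    _, wrong_pw_msg = login(store, known, "definitely-wrong")
    return unknown_msg != wrong_pw_msg


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    print("leaky login enumerates users:", messages_distinguish_users(login_leaky, users))
    print("generic login enumerates users:", messages_distinguish_users(login_generic, users))
```

The generic message alone is not the whole fix: response timing, HTTP status codes and redirect targets must also be identical for both failure cases, which is why the hardened version hashes against a dummy record for unknown usernames. As Michael notes above, where usernames are already public by design (wiki page history, user pages), the residual risk of this oracle is low and may reasonably be accepted.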

