[Owasp-leaders] Javascript required for OWASP page?

Chris Schmidt chris.schmidt at owasp.org
Wed Jan 19 11:19:23 EST 2011


I'm not 100% sure this is a great idea right now. We have a lot of PR going
out around the summit, and opening ourselves up to potential attackers
world-wide at this point would probably be fine for those who are already
OWASP members as they should execute with some level of integrity, but I
think that this invites another crowd of people with much less integrity who
may not simply disclose their issues to us but also deface or otherwise hurt
our message while we are in the middle of a large PR/Marketing push for the
summit. It would be fairly embarrassing and harmful to our image if someone
managed to exploit an unpatched vuln, gain root, and change our page to a
"Pwnd by so and so" page just as some Fortune 500 decided they wanted to
come to the page and donate to the summit.

I think that this is a good idea for the summit itself, maybe for an
all-expense trip to the next major Conference or something like that, but I
also think it should be restricted to *only* OWASP members.

Just my $0.154 (accounting for the dollar to euro conversion rate)


On 1/19/11 9:04 AM, "dinis cruz" <dinis.cruz at owasp.org> wrote:

> I think we should have a competition to see who can hack the owasp.org
> website :)
> 
> The prize would be a fully paid (travel+accommodation) ticket to the
> Summit
> 
> Extra kudos points would be given for gaining root on the owasp.org
> server
> 
> Anybody on this list have the cycles to organize this?
> 
> Dinis Cruz
> 
> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
> 
>> On 01/19/2011 04:50 PM, dinis cruz wrote:
>>> It shows that owasp.org is in the same 'shape' as 90% of the websites
>>> out there.
>>> 
>>> There is a O2 module that shows all the Javascript (files and inline)
>>> code that is loaded by an owasp.org page (it is quite a list)
>>> 
>>> Maybe a good working session for the summit would be to consolidate
>>> all owasp.org javascripts and add CSP to it
>>> 
>>> In fact we should have a 'hack owasp.org and mediawiki' competition
>>> at the Summit ....... :) :) :)
>> 
>> Especially to find bugs like this (as mediawiki is in PHP):
>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>> 
>> Kost
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
