[Owasp-leaders] Javascript required for OWASP page?

Jim Manico jim.manico at owasp.org
Wed Jan 19 11:24:12 EST 2011

I like where Chris is going with this. Perhaps we could set up a dev server for this assessment with clear rules of play and written permission for those involved?

-Jim Manico

On Jan 19, 2011, at 6:19 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:

> I'm not 100% sure this is a great idea right now. We have a lot of PR going
> out around the summit, and opening ourselves up to potential attackers
> world-wide at this point would probably be fine for those who are already
> OWASP members as they should execute with some level of integrity, but I
> think that this invites another crowd of people with much less integrity who
> may not simply disclose their issues to us but also deface or otherwise hurt
> our message while we are in the middle of a large PR/Marketing push for the
> summit. It would be fairly embarassing and harmful to our image if someone
> managed to exploit an unpatched vuln, gain root, and change our page to a
> "Pwnd by so and so" page just as some Fortune 500 decided they wanted to
> come to the page and donate to the summit.
> I think that this is a good idea for the summit itself, maybe for an
> all-expense trip to the next major Conference or something like that, but I
> also think it should be restricted to *only* OWASP members.
> Just my $0.154 (accounting for the dollar to euro conversion rate)
> On 1/19/11 9:04 AM, "dinis cruz" <dinis.cruz at owasp.org> wrote:
>> I think we should have a competion to see who can hack the owasp.org
>> website :)
>> The price would be a fully paid (travel+accomodation) ticket to the
>> Summit
>> Extra kudos points would be given for gaining root on the owasp.org
>> server
>> Anybody on this list have the cycles to organize this?
>> Dinis Cruz
>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>>> On 01/19/2011 04:50 PM, dinis cruz wrote:
>>>> It shows that owasp.org is in the same 'shape' as 90% of the websites
>>>> out there.
>>>> There is a O2 module that shows all the Javascript (files and inline)
>>>> code that is loaded by an owasp.org page (it is quite a list)
>>>> Maybe a good working session for the summit would be to consolidate
>>>> all owasp.org javascripts and add CSP to it
>>>> In fact we should have a 'hack owasp.org and mediawiki' competition
>>>> at
>>>> the Summit ....... :) :) :)
>>> Especially to find bugs like this (as mediawiki is in PHP):
>>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>>> Kost
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> Chris Schmidt
> ESAPI Project Manager (http://www.esapi.org)
> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
> Blog: http://yet-another-dev.blogspot.com
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list