[Owasp-leaders] Javascript required for OWASP page?

Justin Clarke justin.clarke at owasp.org
Wed Jan 19 11:33:02 EST 2011


I also like Dinis's idea of implementing CSP for owasp.org.  Not sure how big the task would be, but that would be well worth doing.

Justin

On 19 Jan 2011, at 16:24, Jim Manico wrote:

> I like where Chris is going with this. Perhaps we could set up a dev server for this assessment with clear rules of play and written permission for those involved?
> 
> -Jim Manico
> http://manico.net
> 
> On Jan 19, 2011, at 6:19 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
> 
>> I'm not 100% sure this is a great idea right now. We have a lot of PR going
>> out around the summit, and opening ourselves up to potential attackers
>> world-wide at this point would probably be fine for those who are already
>> OWASP members as they should execute with some level of integrity, but I
>> think that this invites another crowd of people with much less integrity who
>> may not simply disclose their issues to us but also deface or otherwise hurt
>> our message while we are in the middle of a large PR/Marketing push for the
>> summit. It would be fairly embarrassing and harmful to our image if someone
>> managed to exploit an unpatched vuln, gain root, and change our page to a
>> "Pwnd by so and so" page just as some Fortune 500 decided they wanted to
>> come to the page and donate to the summit.
>> 
>> I think that this is a good idea for the summit itself, maybe for an
>> all-expense trip to the next major Conference or something like that, but I
>> also think it should be restricted to *only* OWASP members.
>> 
>> Just my $0.154 (accounting for the dollar to euro conversion rate)
>> 
>> 
>> On 1/19/11 9:04 AM, "dinis cruz" <dinis.cruz at owasp.org> wrote:
>> 
>>> I think we should have a competition to see who can hack the owasp.org
>>> website :)
>>> 
>>> The prize would be a fully paid (travel+accommodation) ticket to the
>>> Summit
>>> 
>>> Extra kudos points would be given for gaining root on the owasp.org
>>> server
>>> 
>>> Anybody on this list have the cycles to organize this?
>>> 
>>> Dinis Cruz
>>> 
>>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>>> 
>>>> On 01/19/2011 04:50 PM, dinis cruz wrote:
>>>>> It shows that owasp.org is in the same 'shape' as 90% of the websites
>>>>> out there.
>>>>> 
>>>>> There is a O2 module that shows all the Javascript (files and inline)
>>>>> code that is loaded by an owasp.org page (it is quite a list)
>>>>> 
>>>>> Maybe a good working session for the summit would be to consolidate
>>>>> all owasp.org javascripts and add CSP to it
>>>>> 
>>>>> In fact we should have a 'hack owasp.org and mediawiki' competition
>>>>> at
>>>>> the Summit ....... :) :) :)
>>>> 
>>>> Especially to find bugs like this (as mediawiki is in PHP):
>>>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>>>> 
>>>> Kost
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
>> Chris Schmidt
>> ESAPI Project Manager (http://www.esapi.org)
>> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>> Blog: http://yet-another-dev.blogspot.com
>> 
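The "consolidate the JavaScript and add CSP" step discussed above, as an added example that is not part of the thread and not the O2 module Dinis mentions: it inventories every external and inline script a page loads and derives a starting script-src directive from that inventory. The HTML is a constructed sample; the hosts in it are placeholders, not owasp.org's real script sources.

```python
# Added example: build a starting CSP script-src from a page's script inventory.
# Inline scripts get a sha256 source expression, so the policy can ban
# 'unsafe-inline' once all inline code is either hashed or moved to files.
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:                      # inline script: start buffering its body
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))

def inline_hash(body):
    """CSP hash source for an inline script, computed over the exact body text."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode() + "'"

def script_src_policy(html):
    """Return (directive, external origins, inline hashes) for the page."""
    inv = ScriptInventory()
    inv.feed(html)
    origins = set()
    for src in inv.external:
        u = urlparse(src)
        # Absolute URL => allow that origin; relative URL => same origin ('self')
        origins.add(f"{u.scheme}://{u.netloc}" if u.scheme and u.netloc else "'self'")
    hashes = [inline_hash(body) for body in inv.inline]
    directive = "script-src " + " ".join(sorted(origins) + hashes)
    return directive, sorted(origins), hashes

# Constructed sample page (placeholder hosts, not real owasp.org sources)
SAMPLE_HTML = ("<html><head><script src='https://cdn.example.invalid/lib.js'></script>"
               "<script src='/skins/common.js'></script><script>alert(1)</script></head></html>")
```

Every hash must be regenerated whenever the inline body changes by even one byte, which is the practical reason the thread's "consolidate into files first" order makes sense.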
