[Owasp-leaders] Javascript required for OWASP page?

Justin Clarke justin.clarke at owasp.org
Wed Jan 19 11:33:02 EST 2011

I also like Dinis's idea of implementing CSP for owasp.org.  Not sure how big the task would be, but that would be well worth doing.


On 19 Jan 2011, at 16:24, Jim Manico wrote:

> I like where Chris is going with this. Perhaps we could set up a dev server for this assessment with clear rules of play and written permission for those involved?
> -Jim Manico
> http://manico.net
> On Jan 19, 2011, at 6:19 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>> I'm not 100% sure this is a great idea right now. We have a lot of PR going
>> out around the summit, and opening ourselves up to potential attackers
>> world-wide at this point would probably be fine for those who are already
>> OWASP members as they should execute with some level of integrity, but I
>> think that this invites another crowd of people with much less integrity who
>> may not simply disclose their issues to us but also deface or otherwise hurt
>> our message while we are in the middle of a large PR/Marketing push for the
>> summit. It would be fairly embarrassing and harmful to our image if someone
>> managed to exploit an unpatched vuln, gain root, and change our page to a
>> "Pwnd by so and so" page just as some Fortune 500 decided they wanted to
>> come to the page and donate to the summit.
>> I think that this is a good idea for the summit itself, maybe for an
>> all-expense trip to the next major Conference or something like that, but I
>> also think it should be restricted to *only* OWASP members.
>> Just my $0.154 (accounting for the dollar to euro conversion rate)
>> On 1/19/11 9:04 AM, "dinis cruz" <dinis.cruz at owasp.org> wrote:
>>> I think we should have a competition to see who can hack the owasp.org
>>> website :)
>>> The prize would be a fully paid (travel+accommodation) ticket to the
>>> Summit
>>> Extra kudos points would be given for gaining root on the owasp.org
>>> server
>>> Anybody on this list have the cycles to organize this?
>>> Dinis Cruz
>>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>>>> On 01/19/2011 04:50 PM, dinis cruz wrote:
>>>>> It shows that owasp.org is in the same 'shape' as 90% of the websites
>>>>> out there.
>>>>> There is a O2 module that shows all the Javascript (files and inline)
>>>>> code that is loaded by an owasp.org page (it is quite a list)
>>>>> Maybe a good working session for the summit would be to consolidate
>>>>> all owasp.org javascripts and add CSP to it
>>>>> In fact we should have a 'hack owasp.org and mediawiki' competition
>>>>> at
>>>>> the Summit ....... :) :) :)
>>>> Especially to find bugs like this (as mediawiki is in PHP):
>>>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>>>> Kost
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> Chris Schmidt
>> ESAPI Project Manager (http://www.esapi.org)
>> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>> Blog: http://yet-another-dev.blogspot.com
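The CSP idea raised in this thread (consolidate the page's JavaScript into site-hosted files, then add a Content-Security-Policy header) can be checked before it is enforced. The following is an added example, not code from this thread, from OWASP, or from the O2 module mentioned above: it builds a policy that allows scripts only from the site itself plus an explicit allow-list, parses it back, and audits a script inventory against it, so that inline scripts and third-party hosts that would be blocked show up before the header goes live. The script inventory and the analytics hostname are constructed sample values, and the source matching is a simplified form of the spec's (host-level only, no scheme or port comparison).

```python
"""
Added example (not from the OWASP-Leaders thread or any OWASP project):
build a Content-Security-Policy header and audit a page's script
inventory against it. Shows why consolidating inline and third-party
JavaScript has to come before a strict script-src can be enforced.
"""
from urllib.parse import urlparse

# The site under discussion in the thread; the paths below are constructed.
PAGE_ORIGIN = "https://www.owasp.org"
SAMPLE_SCRIPTS = [                      # constructed inventory, in the spirit of
    "https://www.owasp.org/js/consolidated.js",   # the "all JS loaded by a page" listing
    "https://www.owasp.org/js/wiki-ui.js",
    "https://stats.example-analytics.invalid/tracker.js",  # constructed third-party host
    "inline",                           # marker for an inline <script> block
    "inline",
]


def build_csp(self_origin, extra_script_hosts=(), report_only=False):
    """Return (header_name, header_value) for a policy that allows scripts
    only from the site itself plus an explicit allow-list of hosts.
    report_only=True selects the Report-Only header for a staged rollout."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", *extra_script_hosts],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }
    value = "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())
    header = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return header, value


def parse_csp(value):
    """Parse a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(policy, page_origin, script):
    """Decide whether a script (absolute URL, or the marker 'inline') is
    permitted by script-src, falling back to default-src.
    Simplified matching: host names only, no scheme/port/path checks."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if script == "inline":
        return "'unsafe-inline'" in sources
    host = urlparse(script).netloc.lower()
    page_host = urlparse(page_origin).netloc.lower()
    for src in sources:
        if src == "'self'":
            if host == page_host:
                return True
            continue
        if src.startswith("'"):          # other keyword sources ('none', nonces, ...)
            continue
        src_host = urlparse(src if "://" in src else "//" + src).netloc.lower()
        if src_host.startswith("*."):
            if host.endswith(src_host[1:]):
                return True
        elif host == src_host:
            return True
    return False


def audit(policy_value, page_origin, scripts):
    """Map each script in the inventory to True (allowed) or False (blocked)."""
    policy = parse_csp(policy_value)
    return {s: script_allowed(policy, page_origin, s) for s in scripts}


if __name__ == "__main__":
    header, value = build_csp(PAGE_ORIGIN, report_only=True)
    print(f"{header}: {value}")
    for script, ok in audit(value, PAGE_ORIGIN, SAMPLE_SCRIPTS).items():
        print(("allowed " if ok else "BLOCKED ") + script)
```

Running the audit with the strict policy flags both the inline blocks and the third-party tracker; the former are what the "consolidate all the javascripts" step removes, while the latter is a decision to either drop the script or add its host to the allow-list. Shipping the policy as Content-Security-Policy-Report-Only first lets the site collect violation reports from real browsers before anything is actually blocked.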
