[Owasp-leaders] Javascript required for OWASP page?

Michael Coates michael.coates at owasp.org
Wed Jan 19 12:36:16 EST 2011


Brandon Sterne, one of the primary developers of CSP at Mozilla, will be present at the OWASP Summit and available to discuss further. I've also copied him on this email.

Michael Coates
OWASP



On Jan 19, 2011, at 8:33 AM, Justin Clarke wrote:

> I also like Dinis's idea of implementing CSP for owasp.org.  Not sure how big the task would be, but that would be well worth doing.
> 
> Justin
> 
> On 19 Jan 2011, at 16:24, Jim Manico wrote:
> 
>> I like where Chris is going with this. Perhaps we could set up a dev server for this assessment with clear rules of play and written permission for those involved?
>> 
>> -Jim Manico
>> http://manico.net
>> 
>> On Jan 19, 2011, at 6:19 AM, Chris Schmidt <chris.schmidt at owasp.org> wrote:
>> 
>>> I'm not 100% sure this is a great idea right now. We have a lot of PR going
>>> out around the summit, and opening ourselves up to potential attackers
>>> world-wide at this point would probably be fine for those who are already
>>> OWASP members as they should execute with some level of integrity, but I
>>> think that this invites another crowd of people with much less integrity who
>>> may not simply disclose their issues to us but also deface or otherwise hurt
>>> our message while we are in the middle of a large PR/Marketing push for the
>>> summit. It would be fairly embarrassing and harmful to our image if someone
>>> managed to exploit an unpatched vuln, gain root, and change our page to a
>>> "Pwnd by so and so" page just as some Fortune 500 decided they wanted to
>>> come to the page and donate to the summit.
>>> 
>>> I think that this is a good idea for the summit itself, maybe for an
>>> all-expense trip to the next major Conference or something like that, but I
>>> also think it should be restricted to *only* OWASP members.
>>> 
>>> Just my $0.154 (accounting for the dollar to euro conversion rate)
>>> 
>>> 
>>> On 1/19/11 9:04 AM, "dinis cruz" <dinis.cruz at owasp.org> wrote:
>>> 
>>>> I think we should have a competition to see who can hack the owasp.org
>>>> website :)
>>>> 
>>>> The price would be a fully paid (travel+accommodation) ticket to the
>>>> Summit
>>>> 
>>>> Extra kudos points would be given for gaining root on the owasp.org
>>>> server
>>>> 
>>>> Anybody on this list have the cycles to organize this?
>>>> 
>>>> Dinis Cruz
>>>> 
>>>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>>>> 
>>>>> On 01/19/2011 04:50 PM, dinis cruz wrote:
>>>>>> It shows that owasp.org is in the same 'shape' as 90% of the websites
>>>>>> out there.
>>>>>> 
>>>>>> There is a O2 module that shows all the Javascript (files and inline)
>>>>>> code that is loaded by an owasp.org page (it is quite a list)
>>>>>> 
>>>>>> Maybe a good working session for the summit would be to consolidate
>>>>>> all owasp.org javascripts and add CSP to it
>>>>>> 
>>>>>> In fact we should have a 'hack owasp.org and mediawiki' competition
>>>>>> at
>>>>>> the Summit ....... :) :) :)
>>>>> 
>>>>> Especially to find bugs like this (as mediawiki is in PHP):
>>>>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>>>>> 
>>>>> Kost
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> 
>>> Chris Schmidt
>>> ESAPI Project Manager (http://www.esapi.org)
>>> ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
>>> Blog: http://yet-another-dev.blogspot.com
>>> 
>>> 
>>> 
> 


