[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

Ralph Durkee ralph.durkee at owasp.org
Wed Jan 26 05:13:47 EST 2011


I hope I'm misunderstanding, but if not this is a dangerous approach for
a hacking contest. There needs to be a clear scope, rules of engagement
and registration with rules and specific permission given.  What this
will accomplish is to make the owasp.org web site unavailable for the
duration, most likely violate the hosting agreement for all of the ISPs
involved, and make it difficult for OWASP to get hosting services in the
future.  Generally the easiest approach for these contests is to have a
private local in-person network, where you can control the contest, and
grant permission for hacking specific systems on the local network, but
if you want to do it globally, you need preregistration with the scope
limited to only systems accessed via an individually authenticated VPN.

It is a cruel world, and with lots of lawyers.

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN
Rochester OWASP


On 1/26/2011 3:41 AM, dinis cruz wrote:
> Loredana has taken the lead on this one and created the page
> http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG
> with details about this competition (she will also be the main point
> of contact for this competition)
>
> Before I submit this to the OWASP board for vote, can you please take
> a look and chip in with your ideas (for example I think that the scope
> should include offline MediaWiki exploits/vulns and the competition
> should also continue during the Summit (we are going to set up a
> 'hacking room' just like we did at the last Summit (we need to think
> about the prices for the vulns discovered during the Summit))
>
> Dinis Cruz
>
>
> On 21 January 2011 11:02, Loredana Mancini
> <loredana.mancini at business-e.it> wrote:
>
>     Hi all,
>
>      
>
>     I would like to pick up this task, and step forward to organise it
>     if you think it is still interesting. Bye, Loredana.
>
>
>     -----Original Message-----
>     From: owasp-leaders-bounces at lists.owasp.org
>     [mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of dinis cruz
>     Sent: Wednesday 19 January 2011 17.05
>     To: Vlatko Kosturjak
>     Cc: owasp-leaders at lists.owasp.org
>     Subject: Re: [Owasp-leaders] Javascript required for OWASP page?
>
>     I think we should have a competition to see who can hack the
>     owasp.org website :)
>
>     The prize would be a fully paid (travel+accommodation) ticket to the
>     Summit
>
>     Extra kudos points would be given for gaining root on the
>     owasp.org server
>
>     Anybody on this list have the cycles to organize this?
>
>     Dinis Cruz
>
>     On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>
>     > On 01/19/2011 04:50 PM, dinis cruz wrote:
>     >> It shows that owasp.org is in the same 'shape' as 90% of the websites
>     >> out there.
>     >>
>     >> There is an O2 module that shows all the Javascript (files and inline)
>     >> code that is loaded by an owasp.org page (it is quite a list)
>     >>
>     >> Maybe a good working session for the summit would be to consolidate
>     >> all owasp.org javascripts and add CSP to it
>     >>
>     >> In fact we should have a 'hack owasp.org and mediawiki' competition
>     >> at the Summit ....... :) :) :)
>     >
>     > Especially to find bugs like this (as mediawiki is in PHP):
>     > http://gregorkopf.de/slides_berlinsides_2010.pdf
>     >
>     > Kost
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders