[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

dinis cruz dinis.cruz at owasp.org
Wed Jan 26 05:18:36 EST 2011


This practice is starting to be quite common these days. Google, Microsoft,
Mozilla (and others) have similar arrangements.

But you raise good questions, and we should have answers for them in an FAQ
(Loredana, can you add an FAQ to that page (here is a good template
http://www.owasp.org/index.php/Summit_2011_FAQ))

Dinis Cruz


On 26 January 2011 10:13, Ralph Durkee <ralph.durkee at owasp.org> wrote:

>  I hope I'm misunderstanding, but if not this is a dangerous approach for a
> hacking contest. There needs to be a clear scope, rules of engagement and
> registration with rules and specific permission given.  What this will
> accomplish is to make the owasp.org web site unavailable for the duration,
> most likely violate the hosting agreement for all of the ISPs involved, and
> make it difficult for OWASP to get hosting services in the future.
> Generally the easiest approach for these contests is to have a private local
> in-person network, where you can control the contest, and grant permission
> for hacking specific systems on the local network, but if you want to do it
> globally, you need preregistration with the scope limited to only systems
> accessed via an individually authenticated VPN.
>
> It is a cruel world, and with lots of lawyers.
>
> -- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN
> Rochester OWASP
>
>
> On 1/26/2011 3:41 AM, dinis cruz wrote:
>
> Loredana has taken the lead on this one and created the page
> http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG with
> details about this competition (she will also be the main point of contact
> for this competition)
>
> Before I submit this to the OWASP board for vote, can you please take a
> look and chip in with your ideas (for example I think that the scope should
> include offline MediaWiki exploits/vulns and the competition should also
> continue during the Summit (we are going to set up a 'hacking room' just
> like we did at the last Summit (we need to think about the prices for the
> vulns discovered during the Summit))
>
> Dinis Cruz
>
>
> On 21 January 2011 11:02, Loredana Mancini <loredana.mancini at business-e.it> wrote:
>
>>  Hi all,
>>
>>
>>
>> I would like to pick up this task, and step forward to organise it if you
>> think it is still interesting. Bye, Loredana.
>>
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org]
>> On behalf of dinis cruz
>> Sent: Wednesday 19 January 2011 17.05
>> To: Vlatko Kosturjak
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Javascript required for OWASP page?
>>
>> I think we should have a competition to see who can hack the owasp.org
>> website :)
>>
>> The prize would be a fully paid (travel+accommodation) ticket to the
>> Summit
>>
>> Extra kudos points would be given for gaining root on the owasp.org
>> server
>>
>> Anybody on this list have the cycles to organize this?
>>
>> Dinis Cruz
>>
>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>>
>> > On 01/19/2011 04:50 PM, dinis cruz wrote:
>> >> It shows that owasp.org is in the same 'shape' as 90% of the websites
>> >> out there.
>> >>
>> >> There is an O2 module that shows all the Javascript (files and inline)
>> >> code that is loaded by an owasp.org page (it is quite a list)
>> >>
>> >> Maybe a good working session for the summit would be to consolidate
>> >> all owasp.org javascripts and add CSP to it
>> >>
>> >> In fact we should have a 'hack owasp.org and mediawiki' competition
>> >> at the Summit ....... :) :) :)
>> >
>> > Especially to find bugs like this (as mediawiki is in PHP):
>> > http://gregorkopf.de/slides_berlinsides_2010.pdf
>> >
>> > Kost
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
>