[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

Jim Manico jim.manico at owasp.org
Wed Jan 26 13:17:48 EST 2011


Well said, Michael (Larry and others).

Would you like to host a working session on this topic? And not just for
OWASP, but for the entire community...

- Jim

> Short summary: We should not do this before the summit.
> 
> Full email:
> 
> There is an overwhelming response from OWASP against this idea - not because it isn't a good idea, but because of the many potential outcomes. 
> 
> As someone very familiar with bug bounty programs, I'd like to throw out a few thoughts.
> 
> 1. Bug bounty programs are great 
> 2. You better know what you are getting into
> 
> With both of those items said, I strongly advise that we do not launch a HACK OWASP project until we have thoroughly discussed the issue, and especially not in a 2 week window right before the summit. Nothing should happen without lots of planning, consideration, virtual test servers, response resources, monitoring controls, available blocking and more. I have plenty more to share and would be happy to do so during appropriate planning calls. However, this should be given the time and planning it deserves. Attempting to launch a program in a matter of weeks will result in many bad outcomes.
> 
> 
> 
> Michael Coates
> OWASP
> 
> 
> 
> On Jan 26, 2011, at 12:41 AM, dinis cruz wrote:
> 
>> Loredana has taken the lead on this one and created the page http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG with details about this competition (she will also be the main point of contact for this competition).
>>
>> Before I submit this to the OWASP board for vote, can you please take a look and chip in with your ideas (for example, I think that the scope should include offline MediaWiki exploits/vulns and the competition should also continue during the Summit (we are going to set up a 'hacking room' just like we did at the last Summit (we need to think about the prizes for the vulns discovered during the Summit))).
>>
>> Dinis Cruz
>>
>>
>> On 21 January 2011 11:02, Loredana Mancini <loredana.mancini at business-e.it> wrote:
>> Hi all,
>>
>> I would like to pick up this task, and step forward to organise it if you think it is still interesting. Bye, Loredana.
>>
>>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of dinis cruz
>> Sent: Wednesday 19 January 2011 17:05
>> To: Vlatko Kosturjak
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Javascript required for OWASP page?
>>
>> I think we should have a competition to see who can hack the owasp.org
>> website :)
>>
>> The prize would be a fully paid (travel+accommodation) ticket to the
>> Summit
>>
>> Extra kudos points would be given for gaining root on the owasp.org
>> server
>>
>> Anybody on this list have the cycles to organize this?
>>
>> Dinis Cruz
>>
>> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
>>
>>> On 01/19/2011 04:50 PM, dinis cruz wrote:
>>>> It shows that owasp.org is in the same 'shape' as 90% of the websites
>>>> out there.
>>>>
>>>> There is an O2 module that shows all the Javascript (files and inline)
>>>> code that is loaded by an owasp.org page (it is quite a list)
>>>>
>>>> Maybe a good working session for the summit would be to consolidate
>>>> all owasp.org javascripts and add CSP to it
>>>>
>>>> In fact we should have a 'hack owasp.org and mediawiki' competition
>>>> at the Summit ....... :) :) :)
>>>
>>> Especially to find bugs like this (as mediawiki is in PHP):
>>> http://gregorkopf.de/slides_berlinsides_2010.pdf
>>>
>>> Kost
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
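The quoted suggestion to "consolidate all owasp.org javascripts and add CSP" hides a dependency: a strict `script-src` cannot be enforced while a page still carries inline `<script>` blocks or `onclick=`-style handlers, because each of those would have to be allowed with `'unsafe-inline'`, which gives up most of the XSS protection CSP is meant to provide. The script below is an added example (not code from the thread, from O2, or from the OWASP site): it inventories the script sources of a page, derives the allowlist a `script-src` directive would need, and reports what still blocks a strict policy. The HTML samples and the `/csp-report` endpoint are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not a real owasp.org page): three external scripts,
# one inline script block and two inline event handlers.
SAMPLE_HTML = """
<html><head>
<script src="https://static.example.org/wikibits.js"></script>
<script src="/skins/vector/vector.js"></script>
<script src="//cdn.example.net/analytics.js"></script>
<script>var wgPageName = "Main_Page";</script>
</head><body onload="init()">
<a href="#" onclick="toggle()">more</a>
</body></html>
"""

# The same page after consolidation: inline code moved into a same-origin file,
# the third-party script dropped, handlers attached from that file instead.
CONSOLIDATED_HTML = """
<html><head>
<script src="https://static.example.org/wikibits.js"></script>
<script src="/skins/vector/site.js"></script>
</head><body><a href="#" id="more">more</a></body></html>
"""


class ScriptCollector(HTMLParser):
    """Record external script URLs, inline <script> blocks and on* handlers."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_scripts = 0
        self.inline_handlers = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            if attrs.get("src"):
                self.external.append(attrs["src"])
            else:
                self.inline_scripts += 1
        # onclick=, onload=, ... are inline script too: blocked by any script-src
        # without 'unsafe-inline', and a nonce does not cover them.
        self.inline_handlers += sum(1 for name in attrs if name.startswith("on"))


def source_expression(src):
    """Map a script src attribute to the CSP source expression that allows it."""
    u = urlparse(src)
    if u.netloc:  # absolute or protocol-relative URL
        return f"{u.scheme or 'https'}://{u.netloc}"
    return "'self'"  # relative URL: served from the page's own origin


def audit(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {
        "origins": sorted({source_expression(s) for s in p.external}),
        "inline_scripts": p.inline_scripts,
        "inline_handlers": p.inline_handlers,
    }


def build_script_src(report, nonce=None):
    """Return (directive, warnings); warnings name what stops a strict policy."""
    sources = list(report["origins"])
    warnings = []
    if report["inline_scripts"] or report["inline_handlers"]:
        if nonce is None:
            sources.append("'unsafe-inline'")
            warnings.append(
                f"{report['inline_scripts']} inline script block(s) and "
                f"{report['inline_handlers']} inline handler(s) force 'unsafe-inline', "
                "which leaves XSS unmitigated; consolidate them into external files"
            )
        else:
            sources.append(f"'nonce-{nonce}'")
            if report["inline_handlers"]:
                warnings.append(
                    f"{report['inline_handlers']} inline handler(s) still break: "
                    "a nonce only covers <script nonce=...> blocks"
                )
    return "script-src " + " ".join(sources), warnings


def csp_header(directive, enforce=False):
    """Start in report-only mode so a wrong allowlist is observed, not suffered."""
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, f"default-src 'self'; {directive}; report-uri /csp-report"


if __name__ == "__main__":
    for label, html in (("current", SAMPLE_HTML), ("consolidated", CONSOLIDATED_HTML)):
        directive, warnings = build_script_src(audit(html))
        print(label, *csp_header(directive), sep="\n  ")
        for w in warnings:
            print("  WARNING:", w)
```

Run against the "current" sample the directive needs `'unsafe-inline'` and the audit explains why; after consolidation the same page yields `script-src 'self' https://static.example.org` with nothing to warn about, which is the state in which switching `csp_header` to `enforce=True` is safe.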
