[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

dinis cruz dinis.cruz at owasp.org
Wed Jan 26 14:12:00 EST 2011

Fair enough Michael ( & others) let's drop this idea

It would be great if we could capture the ideas presented in this thread at
a Summit's Working session

Dinis Cruz

On 26 Jan 2011, at 18:08, Michael Coates <michael.coates at owasp.org> wrote:

Short summary: We should not do this before the summit.

Full email:

There is an overwhelming response from OWASP against this idea - not because
it isn't a good idea, but because of the many potential outcomes.

As someone very familiar with bug bounty programs, I'd like to throw out a
few thoughts.

1. Bug bounty programs are great
2. You better know what you are getting into

With both of those items said, I strongly advise that we *do not* launch a
HACK OWASP project until we have thoroughly discussed the issue, and
especially not in a 2 week window right before the summit.  Nothing should
happen with lots of planning, consideration, virtual test servers, response
resources, monitoring controls, available blocking and more.  I have plenty
more to share and would be happy to do so during appropriate planning calls.
However, this should be given the time and planning it deserves.  Attempting
to launch a program in a matter of weeks will result in many bad outcomes.

Michael Coates

On Jan 26, 2011, at 12:41 AM, dinis cruz wrote:

Loredana has taken the lead on this one and created the page
http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG with
details about this competition (she will also be the main point of contact
for this competition)

Before I submit this to the OWASP board for vote, can you please take a look
and chip in with your ideas (for example I think that the scope should
include offline MediaWiki exploits/vulns and the competition should also
continue during the Summit (we are going to set up a 'hacking room' just
like we did at the last Summit (we need to think about the prices for the
vulns discovered during the Summit))

Dinis Cruz

On 21 January 2011 11:02, Loredana Mancini
<loredana.mancini at business-e.it>wrote:

>  Hi all,
> I would like to pick up this task, and step forward to organise it if you
> think it still interesting, bye Loredana.
> -----Messaggio originale-----
> Da: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org<owasp-leaders-bounces at lists.owasp.org><owasp-leaders-bounces at lists.owasp.org>]
> Per conto di dinis cruz
> Inviato: mercoledì 19 gennaio 2011 17.05
> A: Vlatko Kosturjak
> Cc: owasp-leaders at lists.owasp.org
> Oggetto: Re: [Owasp-leaders] Javascript required for OWASP page?
> I think we should have a competion to see who can hack the owasp.org
> website :)
> The price would be a fully paid (travel+accomodation) ticket to the
> Summit
> Extra kudos points would be given for gaining root on the owasp.org
> server
> Anybody on this list have the cycles to organize this?
> Dinis Cruz
> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
> > On 01/19/2011 04:50 PM, dinis cruz wrote:
> >> It shows that owasp.org is in the same 'shape' as 90% of the websites
> >> out there.
> >>
> >> There is a O2 module that shows all the Javascript (files and inline)
> >> code that is loaded by an owasp.org page (it is quite a list)
> >>
> >> Maybe a good working session for the summit would be to consolidate
> >> all owasp.org javascripts and add CSP to it
> >>
> >> In fact we should have a 'hack owasp.org and mediawiki' competition
> >> at
> >> the Summit ....... :) :) :)
> >
> > Especially to find bugs like this (as mediawiki is in PHP):
> > http://gregorkopf.de/slides_berlinsides_2010.pdf
> >
> > Kost
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20110126/f8f617e4/attachment-0001.html 

More information about the OWASP-Leaders mailing list