[Owasp-leaders] Hack OWASP.org as a pre/during SummitCompetition

Chris Schmidt chris.schmidt at owasp.org
Thu Jan 27 09:38:40 EST 2011


Wouldn't this be, for all intents and purposes, a code review of the
MediaWiki project and whatever plugins are installed?


On 1/27/11 7:33 AM, "Jim Manico" <jim.manico at owasp.org> wrote:

> Now personally, I think this is an excellent idea. :) Dinis?
> 
> -Jim Manico
> http://manico.net
> 
> On Jan 27, 2011, at 12:09 AM, Giorgio Fedon <giorgio.fedon at mindedsecurity.com>
> wrote:
> 
>> Dear list,
>> 
>> What about a "secure code review" competition on the owasp.org code, or just
>> the opensource components?
>> 
>> This would be safer and faster to setup
>> 
>> Sent from iPhone
>> 
>> On 26 Jan 2011, at 18:56, Jim Manico <jim.manico at owasp.org>
>> wrote:
>> 
>>> I agree with Larry and others who have tried to steer us away from an
>>> OWASP.org hackathon. Until we have written permission from all of the
>>> hosting and ISP providers, we should hold off.
>>> 
>>> However, if you are interested in helping secure OWASP.org's mediawiki,
>>> please contact Larry off-list. We are indeed a not-for-profit
>>> organization that could use the infrastructure help!
>>> 
>>> Aloha,
>>> Jim
>>> 
>>> 
>>> 
>>>> Setting up a honeypot of OWASP's site is a real bad idea. As Mark said in
>>>> a previous email, this could have potential risks to other areas not part of
>>>> the "Contest". I would much rather see people who have experience securing
>>>> servers offer assistance in maintaining them. Finding a flaw is the easy
>>>> part, helping to mitigate/prevent them would be more important to me.
>>>> 
>>>> 
>>>> 
>>>> I've heard the argument that OWASP is free and open and with that we should
>>>> fully disclose everything. I don't totally agree with this as this is hosted
>>>> at Aspect's facility. On the other hand, the website is Open source, you can
>>>> check the wiki for the version number and download it from MediaWiki.
>>>> 
>>>> 
>>>> 
>>>> For those interested in hacking, I suggest Webgoat.
>>>> 
>>>> 
>>>> 
>>>> --Larry
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> From: owasp-leaders-bounces at lists.owasp.org
>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matthew
>>>> Chalmers
>>>> Sent: Wednesday, January 26, 2011 11:08 AM
>>>> To: owasp-leaders at lists.owasp.org
>>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>>> SummitCompetition
>>>> 
>>>> 
>>>> 
>>>> Playing a bit of a devil's advocate here, how do we have a "secure
>>>> owasp.org" competition without allowing people to look for vulnerabilities
>>>> to fix?
>>>> 
>>>> 
>>>> 
>>>> Also, there are generally/broadly two methods for finding vulnerabilities:
>>>> testing and code-review. If OWASP is free and open, should we not publish
>>>> all the code for the website?
>>>> 
>>>> 
>>>> 
>>>> I don't know the details of how owasp.org is hosted but it would probably be
>>>> best to stand up physically identical but separate hardware with a
>>>> bit-for-bit mirror image of the site at a given point in time as a 'test
>>>> environment' for this and make sure the Foundation has the OK from any third
>>>> parties involved with its hosting. Larry or someone intimately familiar with
>>>> the site in all respects might have to cut off any interfaces to make sure
>>>> no one 'accidentally' modifies another production site/file/system that
>>>> trusts the real owasp.org.
>>>> 
>>>> 
>>>> 
>>>> And I'm not saying any of the above will be easy, either.
>>>> 
>>>> 
>>>> 
>>>> Matt
>>>> 
>>>> 
>>>> 
>>>> On Wed, Jan 26, 2011 at 9:46 AM, Colin Watson <colin.watson at owasp.org>
>>>> wrote:
>>>> 
>>>> I agree with Mark.
>>>> 
>>>> I think we should have a "secure OWASP.org" competition first.
>>>> 
>>>> Colin
>>>> 
>>>> 
>>>> On 26 January 2011 15:17, Mark Bristow <mark.bristow at owasp.org> wrote:
>>>>> I must have missed this in the flurry of "request for cycles" emails.
>>>>> 
>>>>> I can't disagree with this initiative more.
>>>>> 
>>>>> First off, there are tons of operational and legal challenges to this.
>>>>> Those of us who do professional web app pen testing know that you really
>>>>> should (and in some countries NEED) clear rules of engagement and hold
>>>>> harmless and other agreements in place to provide cover for these types of
>>>>> activities. OWASP does not own its entire infrastructure that supports the
>>>>> website. Even if OWASP provided carte blanche approval to anyone who wishes
>>>>> to hack the OWASP.org website there could be "collateral damage" to
>>>>> entities other than OWASP. As I understand it the production wiki server is
>>>>> still housed in an Aspect data center, what if someone, as part of the
>>>>> challenge, took down ASPECT's common network? What if someone used an
>>>>> attack on ASPECT's upstream provider? This type of activity is usually
>>>>> explicitly forbidden in ISP TOSes, has anyone confirmed that ASPECT's
>>>>> upstream would not (completely legally) pull their network connection for
>>>>> allowing hacking activities?
>>>>> 
>>>>> That doesn't even get into the operational aspects. So we are inviting
>>>>> people to potentially take down, compromise and/or deface the OWASP wiki?
>>>>> Especially during a time while we are trying to promote the Summit? What
>>>>> happens when they are successful and we can't get the site back for hours, or
>>>>> even days? What if the entire username/password database is compromised?
>>>>> Inviting this behavior against a production system, with "real" data in it
>>>>> is just crazy.
>>>>> 
>>>>> Then I have a fundamental objection.  OWASP is about fixing application
>>>>> security issues through tools and education.  This is solely a "hey, look
>>>>> what I can hack" exercise which IMO does not line up with OWASP core
>>>>> values.  We need to promote more FIX and less HAX.
>>>>> </soapbox>
>>>>> 
>>>>> -Mark
>>>>> 
>>>>> On Wed, Jan 26, 2011 at 10:03 AM, James McGovern <JMcGovern at virtusa.com>
>>>>> wrote:
>>>>>> 
>>>>>> The biggest challenge is that finding solutions to breaking tends to
>>>>>> take a lot longer than the actual breaking itself...
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: owasp-leaders-bounces at lists.owasp.org
>>>>>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of
>>>>>> Harisfazillah Jamel
>>>>>> Sent: Wednesday, January 26, 2011 8:13 AM
>>>>>> To: owasp-leaders at lists.owasp.org
>>>>>> Cc: Mancini Lucilla; owasp-leaders-bounces at lists.owasp.org; Ralph
>>>>>> Durkee; Loredana Mancini
>>>>>> Subject: Re: [Owasp-leaders] Hack OWASP.org as a pre/during
>>>>>> SummitCompetition
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I disagree with using hacking to find vulnerabilities as a way of promoting.
>>>>>> 
>>>>>> It's hard to find a contest that relates to hardening servers and
>>>>>> applications or making code better. We already expose OWASP members to
>>>>>> many ways of finding vulnerabilities. Let's balance that with how to
>>>>>> defend ourselves from attack.
>>>>>> 
>>>>>> For example, we ask the contestants to fix the problems with all the
>>>>>> vulnerabilities listed and make a report on the effort.
>>>>>> 
>>>>>> Or we can balance both. They find the vulnerabilities and write the
>>>>>> reports on how to fix them.
>>>>>> 
>>>>>> Haris ....
>>>>>> 
>>>>>> On Wed, Jan 26, 2011 at 6:18 PM, dinis cruz <dinis.cruz at owasp.org>
>>>>>> wrote:
>>>>>>> This practice is starting to be quite common these days. Google, Microsoft,
>>>>>>> Mozilla (and others) have similar arrangements.
>>>>>>> 
>>>>>>> But you raise good questions, and we should have answers for it on an FAQ
>>>>>>> (Loredana can you add an FAQ to that page (here is a good template
>>>>>>> http://www.owasp.org/index.php/Summit_2011_FAQ))
>>>>>>> 
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Mark Bristow
>>>>> (703) 596-5175 <tel:+17035965175>
>>>>> mark.bristow at owasp.org
>>>>> 
>>>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>>>> AppSec DC Organizer - https://www.appsecdc.org
>>>>> 
>>>>> 
>>> 

Chris Schmidt
ESAPI Project Manager (http://www.esapi.org)
ESAPI4JS Project Owner (http://bit.ly/9hRTLH)
Blog: http://yet-another-dev.blogspot.com
