<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    I hope I'm misunderstanding, but if not this is a dangerous approach
    for a hacking contest. There needs to be a clear scope, rules of
    engagement and registration with rules and specific permission
    given.&nbsp; What this will accomplish is to make the owasp.org web site
    unavailable for the duration, most likely violate the hosting
    agreement for all of the ISPs involved, and make it difficult for
    OWASP to get hosting services in the future.&nbsp; Generally the easiest
    approach for these contests is to have a private local in-person
    network, where you can control the contest, and grant permission for
    hacking specific systems on the local network, but if you want to do
    it globally, you need preregistration with the scope limited to only
    systems accessed via an individually authenticated VPN.<br>
    <br>
    It is a cruel world, and with lots of lawyers.<br>
    <pre class="moz-signature" cols="72">-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN
Rochester OWASP
</pre>
    <br>
    On 1/26/2011 3:41 AM, dinis cruz wrote:
    <blockquote
      cite="mid:AANLkTi=NGd5PoAW+R_7dfydAcSxr6LjeAchHsC4hBwrK@mail.gmail.com"
      type="cite">Loredana has taken the lead on this one and created
      the page <a moz-do-not-send="true"
href="http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG">http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG</a>
      with details about this competition (she will also be the main
      point of contact for this competition)<br>
      <br>
      Before I submit this to the OWASP board for vote, can you please
      take a look and chip in with your ideas (for example I think that
      the scope should include offline MediaWiki exploits/vulns and the
      competition should also continue during the Summit (we are going
      to set up a 'hacking room' just like we did at the last Summit (we
      need to think about the prices for the vulns discovered during the
      Summit))<br clear="all">
      <br>
      Dinis Cruz<br>
      <br>
      <br>
      <div class="gmail_quote">On 21 January 2011 11:02, Loredana
        Mancini <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:loredana.mancini@business-e.it">loredana.mancini@business-e.it</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          <div link="blue" vlink="blue" lang="IT">
            <div>
              <p class="MsoNormal"><font size="2" color="navy"
                  face="Arial"><span style="font-size: 10pt;
                    font-family: Arial; color: navy;">Hi all,</span></font></p>
              <p class="MsoNormal"><font size="2" color="navy"
                  face="Arial"><span style="font-size: 10pt;
                    font-family: Arial; color: navy;">&nbsp;</span></font></p>
              <p class="MsoNormal"><font size="2" color="navy"
                  face="Arial"><span style="font-size: 10pt;
                    font-family: Arial; color: navy;" lang="EN-GB">I
                    would like to pick up
                    this task, and step forward to organise it if you
                    think it is still interesting,
                    bye Loredana.</span></font></p>
              <div>
                <p style="margin-bottom: 12pt;"><font size="2"
                    face="Times New Roman"><span style="font-size:
                      10pt;" lang="EN-GB"><br>
                    </span></font><font size="2"><span style="font-size:
                      10pt;">-----Original
                      message-----<br>
                      From: <a moz-do-not-send="true"
                        href="mailto:owasp-leaders-bounces@lists.owasp.org"
                        target="_blank">owasp-leaders-bounces@lists.owasp.org</a><br>
                      [<a moz-do-not-send="true"
                        href="mailto:owasp-leaders-bounces@lists.owasp.org"
                        target="_blank">mailto:owasp-leaders-bounces@lists.owasp.org</a>]
                      On behalf of dinis cruz<br>
                      Sent: Wednesday 19 January 2011 17.05<br>
                      To: Vlatko Kosturjak<br>
                      Cc: <a moz-do-not-send="true"
                        href="mailto:owasp-leaders@lists.owasp.org"
                        target="_blank">owasp-leaders@lists.owasp.org</a><br>
                      Subject: Re: [Owasp-leaders] Javascript required
                      for OWASP page?<br>
                      <br>
                      I think we should have a competition to see who can
                      hack the <a moz-do-not-send="true"
                        href="http://owasp.org" target="_blank">owasp.org</a><br>
                      website :)<br>
                      <br>
                      The price would be a fully paid
                      (travel+accommodation) ticket to the<br>
                      Summit<br>
                      <br>
                      Extra kudos points would be given for gaining root
                      on the <a moz-do-not-send="true"
                        href="http://owasp.org" target="_blank">owasp.org</a><br>
                      server<br>
                      <br>
                      Anybody on this list have the cycles to organize
                      this?<br>
                      <br>
                      Dinis Cruz<br>
                      <br>
                      On 19 Jan 2011, at 15:59, Vlatko Kosturjak &lt;<a
                        moz-do-not-send="true"
                        href="mailto:kost@linux.hr" target="_blank">kost@linux.hr</a>&gt;
                      wrote:<br>
                      <br>
                      &gt; On 01/19/2011 04:50 PM, dinis cruz wrote:<br>
                      &gt;&gt; It shows that <a moz-do-not-send="true"
                        href="http://owasp.org" target="_blank">owasp.org</a>
                      is in the same 'shape' as 90% of the websites<br>
                      &gt;&gt; out there.<br>
                      &gt;&gt;<br>
                      &gt;&gt; There is a O2 module that shows all the
                      Javascript (files and inline)<br>
                      &gt;&gt; code that is loaded by an <a
                        moz-do-not-send="true" href="http://owasp.org"
                        target="_blank">owasp.org</a> page (it is quite
                      a list)<br>
                      &gt;&gt;<br>
                      &gt;&gt; Maybe a good working session for the
                      summit would be to consolidate<br>
                      &gt;&gt; all <a moz-do-not-send="true"
                        href="http://owasp.org" target="_blank">owasp.org</a>
                      javascripts and add CSP to it<br>
                      &gt;&gt;<br>
                      &gt;&gt; In fact we should have a 'hack <a
                        moz-do-not-send="true" href="http://owasp.org"
                        target="_blank">owasp.org</a> and mediawiki'
                      competition<br>
                      &gt;&gt; at<br>
                      &gt;&gt; the Summit ....... :) :) :)<br>
                      &gt;<br>
                      &gt; Especially to find bugs like this (as
                      mediawiki is in PHP):<br>
                      &gt; <a moz-do-not-send="true"
                        href="http://gregorkopf.de/slides_berlinsides_2010.pdf"
                        target="_blank">http://gregorkopf.de/slides_berlinsides_2010.pdf</a><br>
                      &gt;<br>
                      &gt; Kost<br>
                      _______________________________________________<br>
                      OWASP-Leaders mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:OWASP-Leaders@lists.owasp.org"
                        target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                      <a moz-do-not-send="true"
                        href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                        target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a></span></font></p>
              </div>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
  </body>
</html>