[Owasp-portland] FLOSSHack Details and Potential Targets

Timothy D. Morgan tmorgan-owasp at vsecurity.com
Sat Apr 28 04:20:00 UTC 2012

Hi everyone,

Based on some feedback I received from my survey, it seems like a LAMP
application would best match people's interests in open source project targets.
Based on recommendations from others and my own research, I'm proposing we do
the first FLOSSHack on one of the following apps:

  ResourceSpace <http://www.resourcespace.org/>
  selfoss <http://selfoss.aditu.de/>
  OpenDocMan <http://www.opendocman.com/>

I haven't actually looked at these terribly closely, but let me know if you have
any strong opinions about them.  In general, I think it would be most useful for
us to look at a project that has some kind of built-in access control system,
allows potentially untrusted users to submit persistent content, and of course
interacts in some way with a SQL database.  Also, projects that are under active
development are strongly preferred.

I thought I'd also throw out some thoughts I had on how a typical FLOSSHack
session might go:

1. As I mentioned before, we'd choose the application and announce it officially
maybe a week (or more?) before the date of the FLOSSHack session.

2. At the beginning of the session, we may spend up to 30 minutes going over
common vulnerabilities that might affect the application.  Perhaps even show
demos in WebGoat or something similar to ensure everyone has a good idea as to
what they are looking for.

3. Share vulnerabilities already found -- for those who have spent the prior week
looking for bugs, now would be the time they could share them with everyone
else.  Much discussion of the flaws, how they were found, and how they could be
exploited would ensue.

4. Start hacking.  A pre-installed version of the application will be provided
in some way, maybe on a VM or remotely.  Collaborate on searching for various
types of bugs.  Occasionally, when folks spot new vulnerabilities, announce it
and describe the bug to others.  Maybe the resulting discussion sparks new ideas
for finding additional flaws.  If things are "slow" in this area, perhaps the
FLOSSHack wrangler can stop everyone once in a while to cover some security
topic relevant to the application.

5. Conclude the session, hopefully, with a pile of security bugs to send off to
the developers in a responsible manner.  If we can find sponsors for this, maybe
we could have some prizes for those who find the most bugs, or the "best" bug
found, as voted on by the participants.

I expect a FLOSSHack session to last at least 2 hours.  I know that's pretty
long for some people's schedules, but it's designed as a workshop and it takes
quite a while to get familiar with an application.

I'm still not sure if it would be best to hold this kind of thing on a weeknight
or on a weekend.  What would people prefer?  If it makes sense, we could even
stretch it out into a longer weekend session (4 hours?) and then invite people
to come and go as they please; whatever fits people's schedules. I anticipate
setting up some way for people to join remotely as well.  Perhaps just via IRC,
IM, or some newfangled thing with moving pictures. (I'd appreciate volunteers to
help with this or anything else.)

Let me know what you all think.
Thanks and have a great weekend!

PS - If anyone knows any college students who are interested in computer
security, this would be a great event for them.  Feel free to pass along info
about this event, or just get them signed up to the mailing list.
