[Owasp-portland] FLOSSHack Details and Potential Targets

Keith Seymour keseymour at gmail.com
Tue May 1 02:59:19 UTC 2012


Both OpenDocMan and ResourceSpace sound sufficiently open to provide lots
of opportunities for security flaws. Since they are both targeted at small
businesses it would be helpful to the developers to provide feedback. Unless
of course round two of the workshop will be coding fixes for the problems.

I'd be open to a longer session on the weekend but 2 hours in an evening is
also easy to arrange given some lead time.



On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan <
tmorgan-owasp at vsecurity.com> wrote:

> Hi everyone,
>
> Based on some feedback I received from my survey, it seems like a LAMP
> application would best match peoples' interests in open source project
> targets.
>
> Based on recommendations from others and my own research, I'm proposing we do
> the first FLOSSHack on one of the following apps:
>
>  ResourceSpace <http://www.resourcespace.org/>
>  selfoss <http://selfoss.aditu.de/>
>  OpenDocMan <http://www.opendocman.com/>
>
> I haven't actually looked at these terribly closely, but let me know if you have
> any strong opinions about them.  In general, I think it would be most useful for
> us to look at a project that has some kind of built-in access control system,
> allows potentially untrusted users to submit persistent content, and of course
> interacts in some way with a SQL database.  Also, projects that are under active
> development are strongly preferred.
>
> I thought I'd also throw out some thoughts I had on how a typical FLOSSHack
> session might go:
>
> 1. As I mentioned before, we'd choose the application and announce it officially
> maybe a week (or more?) before the date of the FLOSSHack session.
>
> 2. At the beginning of the session, we may spend up to 30 minutes going over
> common vulnerabilities that might affect the application.  Perhaps even show
> demos in WebGoat or something similar to ensure everyone has a good idea as to
> what they are looking for.
>
> 3. Share vulnerabilities already found -- for those who have spent the prior week
> looking for bugs, now would be the time they could share them with everyone
> else.  Much discussion of the flaws, how they were found, and how they could be
> exploited would ensue.
>
> 4. Start hacking.  A pre-installed version of the application will be provided
> in some way, maybe on a VM or remotely.  Collaborate on searching for various
> types of bugs.  Occasionally, when folks spot new vulnerabilities, announce it
> and describe the bug to others.  Maybe the resulting discussion sparks new ideas
> for finding additional flaws.  If things are "slow" in this area, perhaps the
> FLOSSHack wrangler can stop everyone once in a while to cover some security
> topic relevant to the application.
>
> 5. Conclude the session, hopefully, with a pile of security bugs to send off to
> the developers in a responsible manner.  If we can find sponsors for this, maybe
> we could have some prizes for those who find the most bugs, or the "best" bug
> found, as voted on by the participants.
>
> I expect a FLOSSHack session to last at least 2 hours.  I know that's pretty
> long for some people's schedules, but it's designed as a workshop and it takes
> quite a while to get familiar with an application.
>
> I'm still not sure if it would be best to hold this kind of thing on a weeknight
> or on a weekend.  What would people prefer?  If it makes sense, we could even
> stretch it out into a longer weekend session (4 hours?) and then invite people
> to come and go as they please; whatever fits peoples' schedules.  I anticipate
> setting up some way for people to join remotely as well.  Perhaps just via IRC,
> IM, or some newfangled thing with moving pictures.  (I'd appreciate volunteers to
> help with this or anything else.)
>
> Let me know what you all think.
>
> Thanks and have a great weekend!
> tim
>
> PS - If anyone knows any college students who are interested in computer
> security, this would be a great event for them.  Feel free to pass along info
> about this event, or just get them signed up to the mailing list.
> _______________________________________________
> Owasp-portland mailing list
> Owasp-portland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-portland
