[Owasp-portland] FLOSSHack Details and Potential Targets

Timothy D. Morgan tmorgan-owasp at vsecurity.com
Tue May 1 23:45:57 UTC 2012


It looks like an excellent project to test and contribute to.  It is also great
that they are proactively seeking help with testing.  Thanks for bringing this
to our attention, Wil.

My only initial concern is that maybe their platform is quite solid and we might
have a hard time finding bugs.  Or the only bugs we'll find are esoteric and not
really the kind to help newbie auditors cut their teeth on.  Just don't want to
make it a frustrating experience.  I really have no idea what level of
experience our attendees will have, but I guess there's no way to know that
until we do our first one.

Anyway, I'm game to do Ushahidi first.  I think from a technical perspective,
the easiest way for us to ensure we get good access to an installation of the
application and exercise its full features would be if the Ushahidi folks could
provide a preinstalled VM that is somehow set up to accept feeds from all of the
sources they support (within reason).  That way we'll have lots of potential
vectors to supply malicious data.

As for scheduling, I'm not in a huge rush.  I did want to try to have it this
month, but I want to make sure we have all the pieces in place first.  More on
that shortly...

tim


On 05/01/2012 04:29 PM, Wil Clouser wrote:
> I asked if next week would be too soon and it sounds like that would
> work fine.  By the time we figured out our schedule I imagine they'd
> be good to go.
> 
> 
> Wil
> 
> On Tue, May 1, 2012 at 4:06 PM, Matthew Lapworth <matthewl at bit-shift.net> wrote:
>> That sounds like a great project for our first FLOSSHack. How soon were they
>> looking to start the review?
>>
>>
>> On Tue, May 1, 2012 at 4:01 PM, Wil Clouser <clouserw at gmail.com> wrote:
>>>
>>> I was talking with Michael Coates today and he mentioned that he was
>>> trying to get some security review and responsible pen-testing on
>>> www.ushahidi.com's project, which is a young open source mapping
>>> platform.  It sounded like a good opportunity for us since there
>>> hasn't been a security review of their code before, they've asked for
>>> help, it's a limited code size, and it's for an open source non-profit
>>> company.  You can see an example at mozilla.crowdmap.com.
>>>
>>> Michael wanted to coordinate a bit with Ushahidi first and also
>>> offered to be available during our session via skype when we were
>>> looking at the app.  I think it would be a good opportunity (Michael
>>> is the Chairman of the Board for OWASP and Director of Security
>>> Assurance at Mozilla Corp).
>>>
>>> I'm happy to work as coordinator between all of us if this project is
>>> something we're interested in looking at.
>>>
>>> Cheers,
>>>
>>> Wil
>>>
>>>
>>> On Fri, Apr 27, 2012 at 9:20 PM, Timothy D. Morgan
>>> <tmorgan-owasp at vsecurity.com> wrote:
>>>> Hi everyone,
>>>>
>>>> Based on some feedback I received from my survey, it seems like a LAMP
>>>> application would best match people's interests in open source project
>>>> targets.  Based on recommendations from others and my own research, I'm
>>>> proposing we do the first FLOSSHack on one of the following apps:
>>>>
>>>>  ResourceSpace <http://www.resourcespace.org/>
>>>>  selfoss <http://selfoss.aditu.de/>
>>>>  OpenDocMan <http://www.opendocman.com/>
>>>>
>>>>
>>>> I haven't actually looked at these terribly closely, but let me know if
>>>> you have any strong opinions about them.  In general, I think it would be
>>>> most useful for us to look at a project that has some kind of built-in
>>>> access control system, allows potentially untrusted users to submit
>>>> persistent content, and of course interacts in some way with a SQL
>>>> database.  Projects that are under active development are also strongly
>>>> preferred.
>>>>
>>>>
>>>> I thought I'd also throw out some thoughts I had on how a typical
>>>> FLOSSHack session might go:
>>>>
>>>> 1. As I mentioned before, we'd choose the application and announce it
>>>> officially maybe a week (or more?) before the date of the FLOSSHack
>>>> session.
>>>>
>>>> 2. At the beginning of the session, we may spend up to 30 minutes going
>>>> over common vulnerabilities that might affect the application.  Perhaps
>>>> even show demos in WebGoat or something similar to ensure everyone has a
>>>> good idea as to what they are looking for.
>>>>
>>>> 3. Share vulnerabilities already found -- for those who have spent the
>>>> prior week looking for bugs, now would be the time they could share them
>>>> with everyone else.  Much discussion of the flaws, how they were found,
>>>> and how they could be exploited would ensue.
>>>>
>>>> 4. Start hacking.  A pre-installed version of the application will be
>>>> provided in some way, maybe on a VM or remotely.  Collaborate on
>>>> searching for various types of bugs.  Occasionally, when folks spot new
>>>> vulnerabilities, announce them and describe the bug to others.  Maybe the
>>>> resulting discussion sparks new ideas for finding additional flaws.  If
>>>> things are "slow" in this area, perhaps the FLOSSHack wrangler can stop
>>>> everyone once in a while to cover some security topic relevant to the
>>>> application.
>>>>
>>>> 5. Conclude the session, hopefully, with a pile of security bugs to send
>>>> off to the developers in a responsible manner.  If we can find sponsors
>>>> for this, maybe we could have some prizes for those who find the most
>>>> bugs, or the "best" bug found, as voted on by the participants.
>>>>
>>>>
>>>> I expect a FLOSSHack session to last at least 2 hours.  I know that's
>>>> pretty long for some people's schedules, but it's designed as a workshop
>>>> and it takes quite a while to get familiar with an application.
>>>>
>>>> I'm still not sure if it would be best to hold this kind of thing on a
>>>> weeknight or on a weekend.  What would people prefer?  If it makes sense,
>>>> we could even stretch it out into a longer weekend session (4 hours?) and
>>>> then invite people to come and go as they please; whatever fits people's
>>>> schedules.  I anticipate setting up some way for people to join remotely
>>>> as well.  Perhaps just via IRC, IM, or some newfangled thing with moving
>>>> pictures.  (I'd appreciate volunteers to help with this or anything
>>>> else.)
>>>>
>>>>
>>>> Let me know what you all think.
>>>> Thanks and have a great weekend!
>>>> tim
>>>>
>>>>
>>>> PS - If anyone knows any college students who are interested in computer
>>>> security, this would be a great event for them.  Feel free to pass along
>>>> info about this event, or just get them signed up to the mailing list.
