[Owasp-portland] FLOSSHack Details and Potential Targets

Wil Clouser clouserw at gmail.com
Wed May 2 17:53:51 UTC 2012


Download finished!  I had to tweak some settings to get the virtualbox
working on OS X (yay ipv6) but it wasn't anything too complex.  It
works as expected - I can load the site and poke around.  I just used
'ushahidi' as the password for everything and it worked - everything
else is in the README that comes with it and they have docs on their
website.

We should probably pull in the latest released code in the VM before
we start to play with it to make sure we're hitting the latest stuff.

Did anyone else try the VM?  Anyone have problems?  We could get
everyone trying to get the VM going this week (or next week), then a
week of playing, and then meet the week after?

If people aren't familiar with VMs this is a good chance to learn too.
The package I linked to is just a virtualbox image (virtualbox is
free and cross platform - an excellent VM host).

Cheers,

Wil

On Wed, May 2, 2012 at 8:26 AM, Wil Clouser <clouserw at gmail.com> wrote:
> When they approached Michael for help he found a couple problems
> (sounded like CSRF) and told them how to fix them but it sounds like
> there is a lot of surface area left.  Aside from just finding actual
> security holes, they aren't following recommendations like
> implementing HTTPOnly flags and STS.  In the unlikely scenario we
> didn't find anything we could talk about how to add those things to an
> app and why they are important.
>
> Regarding a test environment, you could download the open source
> package or you could let them host the map stuff - the mozilla site I
> linked to earlier is using their hosted option.  On the other hand, I
> did a quick google search and found
> https://github.com/ushahidi/virtual-machines which someone else
> apparently already made :)
>
> I'm downloading it over hotel wi-fi right now so it'll be a while
> (500mb) but if no one else gets there first I'll send an update on how
> it goes.
>
> Cheers,
>
> Wil
>
> On Tue, May 1, 2012 at 5:18 PM, Timothy D. Morgan
> <tmorgan-owasp at vsecurity.com> wrote:
>>
>>> I was actually looking forward to Resourcespace since I use that for our
>>> business, but this sounds like another good opportunity I'd be open to
>>> as well.
>>
>> Yeah, I definitely do want to get back to Resourcespace, since it seems like a
>> good candidate.  Honestly, I thought it might be a better target from an
>> architectural perspective, but the possibility that Ushahidi's people might
>> actively help us get this going is a big attraction for me.
>>
>> As we move forward with more of these, one thing that would mean a lot to me
>> in terms of priorities is if one of our members or a project's developers are
>> willing to help us set up the application test environment.  It can be a
>> significant investment in time trying to get an application set up for the first
>> time with all the bells and whistles that are worth testing, so if someone from
>> our group (or the app developer) volunteers to do that, then I'll probably be
>> sold on it. =)
>>
>>
>> Thanks,
>> tim
>> _______________________________________________
>> Owasp-portland mailing list
>> Owasp-portland at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-portland

