OWASP Foundation main site repository
The website is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Home Page: http://owasp.org/
License: Creative Commons Attribution Share Alike 4.0 International
The new site design has an empty div that covers the entire page called "blocker" which means that you can't interact with any of the elements in the page (links, forms, etc) without having to enable JavaScript:
<div id="blocker"></div>
This includes the <noscript> tag shown at the bottom of the page, which has an unusable link.
Forcing users to enable JavaScript when there isn't key functionality that requires it is very hostile design, and isn't something that we should be encouraging, especially given that our audience is more security conscious than most people, and will have a higher number of people who block JS for security.
Instead of duplicating project listings and even descriptions, the tab_flagships.md might be better set up like this:
level: 4
type: code | tool | doc
to get the sub sections title and their link from the naming convention of www-repos pitch for projects and display that as a description. Projects could then use that in their own page as well to avoid deviating content over time.
Currently the supporters are in alphabetic order but there are tags like member, gold / silver sponsor. A gold sponsor is far more valuable than a normal member, or the inverse; right now that is not clear.
Either we keep sections and members inside those sections or we simply arrange them by membership levels. Also this page should point to details of membership levels and how sponsors / supporters can become supporters.
Can't see if this is related to #11 in general or maybe some pitch containing unexpected characters. Can we see the build results of Jekyll somewhere maybe?
See image from the search page; looks like the CSS is off:
https://www2.owasp.org/search?searchString=London
Note the 'e' in date is not in the button
In my opinion we do need a good replacement for the mediawiki templates.
There is a need to provide OWASP-wide templates and locally managed templates.
I have found a candidate for such a replacement: https://gohugo.io/content-management/shortcodes/ Sorry, I don't have any experience with it. Please verify if it works or give us another replacement and give us guidelines how to use it.
I am sorry to say, but in my opinion this is a critical factor for any migration.
Cheers Torsten
The Dependency-Track repo has an embedded image. The URL to the image contains a minus sign which is getting stripped out resulting in a 404 and the image not displaying.
This page https://github.com/OWASP/www-project-dependency-track/blob/master/tab_integrations.md refers to this image: https://raw.githubusercontent.com/DependencyTrack/dependency-track/master/docs/images/integrations.png
But the rendered page from the Integrations tab of https://www2.owasp.org/www-project-dependency-track/ is referring to https://raw.githubusercontent.com/DependencyTrack/dependencytrack/master/docs/images/integrations.png which does not exist.
This is a regression with the site or template, as when the page was created, this image was displaying just fine. A site-wide change in the past month resulted in this regression. Once corrected, there should be tests created to ensure it doesn't happen again.
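The issue asks for a test that catches this class of regression. The following is an added example, not code from the owasp.github.io repository: it collects image URLs from a tab's Markdown source and from the rendered HTML, and reports any rendered URL that is a hyphen-stripped variant of a source URL (the defect described above), plus any source image that the rendered page dropped entirely. The sample Markdown and HTML below are constructed; the dependency-track URLs are the ones quoted in the issue, and example.invalid is a placeholder host.

```python
"""Regression check for image URLs mangled between Markdown source and the
rendered site page (added example, not part of owasp.github.io)."""
import re
from html.parser import HTMLParser

# Markdown image syntax: ![alt](url "optional title") -> capture the url part
MD_IMAGE = re.compile(r'!\[[^\]]*\]\(\s*(?P<url>[^\s)]+)')


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in a document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)


def markdown_image_urls(markdown):
    return MD_IMAGE.findall(markdown)


def html_image_urls(html):
    parser = _ImgCollector()
    parser.feed(html)
    return parser.urls


def _without_hyphens(url):
    # Model of the suspected defect: '-' characters lost from the URL.
    return url.replace("-", "")


def check_images(markdown, html):
    """Compare source and rendered image URLs.

    Returns {"mangled": [(expected, rendered), ...], "missing": [expected, ...]}
    where "mangled" lists rendered URLs that equal a source URL once hyphens are
    ignored, and "missing" lists source images with no rendered counterpart."""
    rendered = html_image_urls(html)
    result = {"mangled": [], "missing": []}
    for url in markdown_image_urls(markdown):
        if url in rendered:
            continue
        variants = [r for r in rendered
                    if _without_hyphens(r) == _without_hyphens(url)]
        if variants:
            result["mangled"].extend((url, r) for r in variants)
        else:
            result["missing"].append(url)
    return result


# Constructed sample input: the source tab and what the site rendered from it.
SAMPLE_MD = """## Integrations
![Integrations](https://raw.githubusercontent.com/DependencyTrack/dependency-track/master/docs/images/integrations.png)
![Logo](https://example.invalid/assets/logo.png)
"""

SAMPLE_HTML = """<div class="tab"><h2>Integrations</h2>
<img src="https://raw.githubusercontent.com/DependencyTrack/dependencytrack/master/docs/images/integrations.png" alt="Integrations">
<img src="https://example.invalid/assets/logo.png" alt="Logo">
</div>"""

if __name__ == "__main__":
    report = check_images(SAMPLE_MD, SAMPLE_HTML)
    for expected, got in report["mangled"]:
        print(f"MANGLED: {expected}\n      -> {got}")
    for expected in report["missing"]:
        print(f"MISSING: {expected}")
```

Run against each project's tab_*.md and the corresponding built page from `_site/`; a non-empty "mangled" or "missing" list should fail the build.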
Steps to reproduce:
Actual result:
See links to www2.owasp.org pages, e.g. https://www2.owasp.org/www-chapter-moscow/
Expected result:
https://owasp.org/www-chapter-moscow/
Search button/icon is missing - it is needed to be there and clearly labelled - not just for a best practice web design, but also for compliance with accessibility standards for visually impaired users. It is also needed to be there for mobile users to click.
https://wiki.owasp.org/index.php/OWASP_New_Zealand_Day_2020#tab=Conference_-_21_February
In the above-mentioned link, the conference schedule is drafted for OWASP NZ day 2020. It is to be held on 21st February 2020 but it looks like there has been a typo mentioning it as 2019.
In my opinion we do need a good replacement for the mediawiki file management.
There is a need to provide OWASP-wide File management to avoid locally managed duplicates and a mass of unknown versions from the same document.
Links to internal OWASP documents should look different from external links.
Please deploy a solution and give us guidelines how to use it.
I am sorry to say, but in my opinion this is a critical factor for any migration.
Cheers
Torsten
Currently on project and chapter pages (others as well), there are Github watch, star, and issue buttons. These are specific to the webpage not the project itself. For example:
This looks like a really unpopular project. If I was visiting the site for the first time and saw this, I would not want to use it. I would see that only a few people have starred it, nobody's using it (0 issues), so therefore I wouldn't give it any consideration. The reality is very much different. Same can be said for every flagship project.
I would highly recommend removing these buttons. They do not add any value to the page. If there is some reason why they are there, then I encourage the site template to also include the watchers, stars, and issues from the actual software repos themselves. This might be a bit more difficult as you'll likely need to aggregate them (most projects have more than one repo).
Easiest way would be to simply remove it.
On attempting to verify membership status the page partially loads with three errors and two warnings.
Error 1
X-Frame-Options may only ?token=c2MAAoge0Lq7XT8mhdL8EogMFmlTHS9GBhHysgaIqKNk7fT92cVHrX890iancl2oykth1ZilT6MW8olgfewbznnDZMQ6efa5W30n7RbCzFzl%2FCdXNbaHveSJ4cFvgdbG%2Bw%3D%3D:19 X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside .
Warning 1
A cookie associated with a cross-site resource at https://m.stripe.com/ was set without the SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None
and Secure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
Warning 2
[Deprecation] Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Utils.getStringFromFile @ yaml.min.js:1
Error 2
Failed to load resource: billingmanagement:1 the server responded with a status of 500 (Internal Server Error)
Error 3
spread.js:25 Uncaught (in promise) Error: Request failed with status code 500
at e.exports (spread.js:25)
at e.exports (spread.js:25)
at XMLHttpRequest.l.onreadystatechange (spread.js:25)
e.exports @ spread.js:25
e.exports @ spread.js:25
l.onreadystatechange @ spread.js:25
Some blog/news posts may have introductory content that isn't technically excerpt material. For instance, press releases have a lot of "Front content" that shouldn't be in an excerpt. So at some point we should allow for front matter explicit excerpt and if not there, take post down to excerpt delimiter. Technically we could also just truncate at first char(13) for default excerpt unless there's an explicit one.
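The three-tier excerpt rule proposed above (explicit front-matter excerpt, else the text before an excerpt delimiter, else the post cut at the first line break) as an added example, not code from the owasp.github.io site generator. It uses a minimal front-matter reader rather than a YAML library; the `<!--more-->` delimiter is an assumption (it is the Jekyll convention, but the issue does not name one), and the three sample posts are constructed.

```python
"""Excerpt selection for news/blog posts (added example, not site code)."""
import re

# Jekyll-style front matter: a block between two '---' lines at the top.
FRONT_MATTER = re.compile(
    r"\A---\r?\n(?P<fm>.*?)\r?\n---\r?\n?(?P<body>.*)\Z", re.S)


def split_front_matter(post):
    """Return (front_matter_dict, body). Only simple 'key: value' lines are
    read; nested YAML is ignored, which is enough for an 'excerpt' key."""
    m = FRONT_MATTER.match(post)
    if not m:
        return {}, post
    fields = {}
    for line in m.group("fm").splitlines():
        if ":" in line and not line.startswith((" ", "\t", "#")):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip().strip("\"'")
    return fields, m.group("body")


def post_excerpt(post, delimiter="<!--more-->"):
    """Pick the excerpt in priority order:
    1. explicit 'excerpt' front-matter field,
    2. body text before the delimiter,
    3. body truncated at the first line break (the default the issue suggests)."""
    fields, body = split_front_matter(post)
    if fields.get("excerpt"):
        return fields["excerpt"]
    if delimiter in body:
        return body.split(delimiter, 1)[0].strip()
    return body.strip().split("\n", 1)[0].strip()


# Constructed sample posts.
PRESS_RELEASE = """---
title: "Constructed press release"
excerpt: "OWASP announces a new programme."
---
FOR IMMEDIATE RELEASE
Contact: press office (constructed)

OWASP announces a new programme, described in the full body text.
"""

DELIMITED_POST = """---
title: "Constructed delimited post"
---
First paragraph is the teaser.
It spans two lines.
<!--more-->
The rest of the post follows here.
"""

PLAIN_POST = """---
title: "Constructed plain post"
---
Only the first line is taken.
Second line is dropped from the excerpt.
"""

if __name__ == "__main__":
    for name, post in [("press release", PRESS_RELEASE),
                       ("delimited", DELIMITED_POST),
                       ("plain", PLAIN_POST)]:
        print(f"{name}: {post_excerpt(post)!r}")
```

In a Jekyll build this logic would sit in a plugin or Liquid include; the point of the example is the precedence, which keeps press-release boilerplate out of listings without forcing every author to add a delimiter.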
From google.com I typed "OWASP TLS best practices." Google returned https://owasp.org/www-project-cheat-sheets/cheatsheets/Transport_Layer_Protection_Cheat_Sheet
The resulting link provides Error 404 Not Found. I next went to owasp.org home page and chose Search. I typed TLS Cheat Sheets. Every URL returns with Error 404.
The only way to find OWASP Cheat Sheets is to use a cached version of the Google result. With OWASP search there is no working alternative way to get to a cheat sheet.
Whitesource sponsor image is broken
Would it be possible to add Mega-Linter in the list of Code Quality Tools ?
The content would be the following:
Mega-Linter | Open Source | | analyzes 37 languages, 12 formats, 15 tooling formats, copy-pastes and spelling in repository sources, generates reports in several formats, and can apply auto-fixes with auto-generated commit or PR, to ensure projects are clean, no matter what IDE/toolbox is used by their developers |
I had a question regarding the status of my membership and sent an email to [email protected], which is listed as the email address if one has questions regarding membership.
Gmail informs that email delivery to [email protected] failed.
Is www-pdf-archive not indexed?
When you search for say "periodic table" (looking for our periodic table of vulnerabilities), results like: https://www.owasp.org/images/archive/3/38/20130722214916%21OWASP_Periodic_Table_-_Letter_Size.pdf come up before https://owasp.org/www-pdf-archive/OWASP_Periodic_Table_-_Letter_Size.pdf
Hi, I got an email to renew my membership some days ago (Jan. 25th) stating that it will end. "We have good news and bad news. The bad? Your OWASP membership expires today. "
However, I am having a multi year membership which ends next year. I checked then (Jan. 25th) the available membership information which correctly stated:
Manage Your Information
Membership Type: Two Year Membership
Membership Ends On: 1/24/2021
Yesterday (Feb. 2nd) I got another email saying "We are sorry that you decided not to renew your OWASP Foundation Membership."
Seems something is broken on your side. Or maybe this was a phishing attempt as it proposes to see the mail in a browser? I would rather not try a fishy link as us17.campaign-archive.com with cryptic payload. Anyway, please have a look at the membership process as I think these emails might really be from OWASP...
Below the latest screenshot from today which still correctly states that I am a member.
Kind regards,
Roberto
Is there a way to hide/remove the large vendor sponsor banners at the bottom of the page for specific content? While I appreciate that this sponsorship is important (and should be displayed on the main pages of the site), where it is included with technical content it destroys any appearance of independence and vendor neutrality.
For example, on the cheat sheets project I'm quite happy for a random sponsor logo in the footer of the home page, but if you're viewing a specific cheat sheet (for example, the vulnerable dependency management CS), and at the bottom of the page there's a large vendor logo for a commercial product such as WhiteSource (software to identify vulnerable dependencies) with a paragraph of text about how amazing WhiteSource is, then any attempt at vendor neutrality is completely gone, and the whole CS (which talks about how important vulnerability management in dependencies is) basically just becomes an advert for that company.
The cheat sheets (and many other OWASP projects) should be held up as a gold standard for vendor-neutral advice and guidance, and including what are effectively adverts from the sponsors alongside the technical content completely undermines that.
Is there any way that we can host content like the cheat sheets on the new site without having these banners in the page, or any other suggestions about how we can overcome this?
I notice there is no CONTRIBUTING.md for the repo, and contributors may not know how best to go about submitting questions/PRs to the project.
I would be very interested in collating resources like these (to possibly include a "getting started" section in the README), if there's interest.
However, I'm aware that it might not be a current priority for the OWASP team.
Thought I'd ask just in case.
The Donate form does not provide any place to indicate a specific project. That would seem to conflict with messaging all over OWASP that donations to specific projects can be made. Would be nice to have a checkbox called "Donate to a Specific Project" that spawns a drop-down of alphabetized Incubator, Lab, and Flagship projects. (Assumption being we don't want specific donations to inactive projects.)
On a side note, adding a "Comments" textbox would allow us to collect potentially valuable feedback from people donating, such as why and how to improve.
Furthermore, it would be a great feature if the project leaders were automatically notified of the contributor's name, donation amount (incl. one-time or recurring), and comments. This would also necessitate a checkbox for "Share my name, contribution amount, and comments with Project Leaders". (With the disclaimer underneath: "Listing as a Project Contributor is at the discretion of OWASP and Project Leaders.")
I would like a $4.5 monthly membership option so the membership looks more affordable to members who would otherwise not want to pay $50 in one go. This is also slightly more expensive than the annual rate, so in the long run it might also increase funding.
I entered a "Other Donation" amount of 59999. The form gave me an error that I cannot use a value greater than 5000. When I changed the value to 1000 it didn't clear the error.
FYI, searching for: https://owasp.org/search/?searchString=intercept+proxies
returns a search result that points to: https://owasp.org/images/d/d8/Intercept-proxies.pdf
... but it's not found.
The correct URL is: https://owasp.org/www-pdf-archive//Intercept-proxies.pdf
This link extracted from the search result is broken.
OWASP Bilbao link is missing from Europe local chapters. It needs to be added.
Additionally, Github info has been updated but not reflected in the URL website (https://owasp.org/www-chapter-bilbao/)
Sponsor spotlight at the bottom of each page: the link "Become a corporate supporter" is not working - taking to the same page:
Hello!
I just noticed that our chapter (https://owasp.org/www-chapter-porto-alegre/) is not listed here https://owasp.org/chapters/#SouthAmerica.
Is there anything I need to do in order to update this list? I was about to submit a pull request by changing these 3 files: _data/chapters.json, _data/leaders.json, and sitemap.xml, but I noticed that _data/chapters.json is a huge JSON with over 3k lines and it looks like it's generated by a script.
That's the main reason why I'm asking here. Is there another way of updating https://owasp.org/chapters/#SouthAmerica? If so, what are the next steps I should take?
Edit: our chapter was inactive for the past years and is listed as level -1 at _data/chapters.json
Most enterprise environments BLOCK access to GitHub.com and github.io domains from their corporate networks - companies like banks/finance/legal/insurance/pharmaceuticals/utilities etc. This is usually due to data leakage risks and unauthorised software download reasons.
Things like file attachments (e.g. slide decks), images, buttons seemed to be affected the most at the moment.
To make sure that OWASP's new website content is available to everyone we need to CNAME to owasp.org all github.com domains such as:
githubassets.com
GitHub.com
github.io (already implemented)
This repository currently lacks a copyright statement and a public license. Currently there are only 6 contributors https://github.com/OWASP/owasp.github.io/graphs/contributors but you'd better hurry up and add a license before other people start contributing, otherwise OWASP will end up not having copyright on its own website.
Considering that you're importing content from the wiki, which is under CC-BY-SA 4.0 at the moment, you'll need to use the same license.
The user/bot @OWASPFoundation is making commits without any information to describe the changes.
This makes it hard to track down a faulty change.
(I assume the files are edited by a human since I have seen broken JSON committed.)
This is what I see at the bottom of the site.
Open Web Application Security Project, OWASP, Global AppSec, AppSec Days, AppSec California, SnowFROC, LASCON, and the OWASP logo are trademarks of the OWASP Foundation. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 unless otherwise noted and provided without warranty of service or accuracy. For more information, please refer to our General Disclaimer. Copyright 2020, OWASP Foundation, Inc.
I've bolded the redundant parts.
(Perhaps the same as #47)
I want to renew my membership, log in and get the billing/membership overview on page https://owasp.org/manage-membership. I cannot find anywhere a button or myspace, to start the process of adjusting the information or renew my membership.
Using Windows10/Chrome.
URLs such as https://www2.owasp.org/www-project-dependency-track/ are not acceptable.
Perception is reality. If this URL was published outside of OWASP, the perception would be that we don't know what we're doing. Trust will be questioned, etc.
So, we need friendly URLs. The URLs should NOT forward to the current structure, but simply render the page when using the friendly URL. What are the plans to support them and how can we access them prior to launch? This should be a MVP requirement.
For example:
https://projects.owasp.org/dependency-track
https://dependency-track.owasp.org
https://www.owasp.org/projects/dependency-track
I don't have a preference as long as it isn't https://www2.owasp.org/www-project-dependency-track/ which is quite embarrassing.
The Software Component Verification Standard project will be referenced in a future U.S. govt document. Having a URL such as https://www2.owasp.org/www-project-software-component-verification-standard/ does not exhibit trust. Rather something like:
https://projects.owasp.org/scvs
https://scvs.owasp.org
https://www.owasp.org/projects/scvs
would work much better.
Search result page odd table impact. Also on Corporate Supporters page in listing.
I'll be submitting a PR for updating the News page to remove the mention of Connect and add a link to the News page to the sitemap.
I'm on the latest Firefox.
From the title: small X doesn't work to close the mobile navigation bar.
Do you mind if I work on this? :)
It's good to have contributor guidelines, e.g. https://github.com/owaspseasides/2020/blob/master/CONTRIBUTING.md
South Africa is not on the list of countries, please fix, and also add them to list of discounted membership countries.
Hi, when I receive automatically generated emails from OWASP they contain links which go against what OWASP stands for. Below 4 email examples coming from @owasp.org.
The manage your account example is legit because it comes a few seconds after you click on the manage your account button on the web site. Still leaves a bad taste afterwards. The other ones also seem to be related with OWASP but who in our community would click on them?
Should be corrected imho because it goes against best practice.
In a real phishing case, everyone would rightfully blame the user having clicked such fishy links.
Kind regards, Roberto
In the notification mail that the membership expires today:
View this email in your browser (https://us17.campaign-archive.com/?u=a...
Notification mail you receive when you click on the manage your account button on the website:
Manage your Account <https://u13...76.ct.sendgrid.net/ls/click?upn=...
Info mail regarding a project summit:
View this email in your browser (https://mailchi.mp/owasp/project-summit-winter-2020-selections?e=d...
Info mail regarding 11 Days till AppSec USA 2018, San Jose, CA:
Have you registered? View this email in your browser (https://mailchi.mp/a8dee6cf9...
At https://owasp.org/manage-membership/ the submit button is blocked. See logfile.
To make it obvious to new (potential) members that the annual membership price changes depending on their country of residence, can you please include such a note above the prices?
Otherwise global members may not choose to pay for membership because they could not afford it.
Looks like the search results on www.owasp.org have www2.owas.org hardcoded in them:
From https://github.com/OWASP/owasp.github.io/graphs/commit-activity it's apparent that the history of the pages has not been imported yet.
If you don't import the history, there are a few issues, chiefly:
See https://www.mediawiki.org/wiki/Help:Export on how to export MediaWiki content.
When trying to signup using country option "Australia" the membership application fails silently.
Error behind the scenes is as follows:
HTTP500: SERVER ERROR - The server encountered an unexpected condition that prevented it from fulfilling the request.
(XHR)POST - https://owaspadmin.azurewebsites.net/api/CreateCheckoutSession?code=ulMNYVfgzBytI1adat1lS6MQ3NabtwKE4IgCJ8yKuhvbFoQh6nOYaw==
Whenever I apply for new membership request via https://owasp.org/membership/?student=yes (yes, I am student)
I am presented with $8 as the membership cost for 1 year
After I check out, the price gets updated to $20 as
Looks like Developing Economy Membership Pricing isn't applied as mentioned over here https://owasp.org/www-policy/operational/membership