├── CRSFGuard
│   ├── Readme.md
│   └── bountyguard.zip
├── JavaEncoder
│   ├── Readme.md
│   ├── app
│   │   ├── .gitignore
│   │   ├── WebContent
│   │   │   ├── WEB-INF
│   │   │   │   └── web.xml
│   │   │   └── index.jsp
│   │   ├── pom.xml
│   │   └── src
│   │       └── EncodeAction.java
│   └── war-files
│       └── OWASPJavaEncoderTest.war
├── JavaHTMLSanitizer
│   ├── Readme.md
│   ├── app
│   │   ├── .gitignore
│   │   ├── WebContent
│   │   │   ├── WEB-INF
│   │   │   │   └── web.xml
│   │   │   └── index.jsp
│   │   ├── pom.xml
│   │   └── src
│   │       └── SanitizeAction.java
│   └── war-files
│       └── OWASPHTMLSanitizerTest.war
└── README.md

--------------------------------------------------------------------------------
/CRSFGuard/Readme.md:
--------------------------------------------------------------------------------
CRSFGuard Bounty
============================

This is a version of the Apache Shiro web application using OWASP CRSFGuard to protect forms and POST requests with a unique token.

# Bounty Researchers read here:
Bug Hunters, please visit the BugCrowd page for the scope:
* OWASPCRSFGuard: https://bugcrowd.com/owaspcrsfguard?preview=db24e118ea34e13a78677ea8374f790c05cbd08ef4f0ddcf

## About the project

This project can be run from Eclipse Mars using Jetty.
Eclipse Java EE IDE for Web Developers.
Version: Mars Release (4.5.0)
Build id: 20150621-1200

Using Eclipse Jetty 3.9.0, available through the marketplace,

or simply by running from the command line: mvn jetty:run

## Instructions
The web app uses Stormpath as its OAuth provider.
In order to run this properly you must obtain an apiKey as instructed in the Apache Shiro documentation to set up Stormpath:
http://shiro.apache.org/webapp-tutorial.html#step2
Make sure you have an apiKey.properties file with your key.
Make sure you edit the information in the Shiro.ini file:
--------------------------------------------------------------------------------
/CRSFGuard/bountyguard.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/OWASPBugBounty/7f05e9565bdbfa05074f0d37af2cea5c12727d1a/CRSFGuard/bountyguard.zip
--------------------------------------------------------------------------------
/JavaEncoder/Readme.md:
--------------------------------------------------------------------------------
# OWASP Java Encoder Bug Bounty

This simple web application hosts a single web form that is protected from XSS by the OWASP Java Encoder Project. The form accepts input in a variety of different contexts in an HTML document and then renders that input properly encoded in the response.

## Details

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
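The following is an added example, not code from the OWASPBugBounty repository or from the Java Encoder project: a stand-alone Java program that renders one constructed input into the same six output contexts the EncodeAction servlet uses, first by raw concatenation and then through org.owasp.encoder.Encode, and checks that the encoded form of each value no longer contains the characters that would close its context. The class name ContextDemo, the sample input and the check helpers are assumptions of this example; the Encode.for* methods are the library's real API, and the program assumes the encoder 1.2 jar declared in the app's pom.xml is on the classpath.

```java
import org.owasp.encoder.Encode;

/**
 * Renders one untrusted string into the six output contexts used by the
 * EncodeAction servlet and compares raw concatenation with the OWASP Java
 * Encoder. Class name, sample input and the check helpers are this example's
 * own assumptions; only the Encode.for* calls come from the library.
 */
public class ContextDemo {

    // Constructed sample input (not from the repository): it carries every
    // character that can close one of the contexts below, i.e. both quote
    // styles, angle brackets, ampersand, backslash, a closing parenthesis,
    // a newline and a semicolon.
    static final String UNTRUSTED = "x\"'<>&\\)\n;";

    /** Builds the page fragment with no encoding at all (the unsafe baseline). */
    static String renderRaw(String in) {
        return "<title>" + in + "</title>\n"
             + "<textarea>" + in + "</textarea>\n"
             + "<input type=\"text\" value=\"" + in + "\" />\n"
             + "<div style=\"width: " + in + ";\">Style1</div>\n"
             + "<div style=\"background-image: url(" + in + ");\"></div>\n"
             + "<script>var msg = \"" + in + "\";</script>\n";
    }

    /** Builds the same fragment, choosing the encoder that matches each context. */
    static String renderEncoded(String in) {
        return "<title>" + Encode.forHtml(in) + "</title>\n"
             + "<textarea>" + Encode.forHtmlContent(in) + "</textarea>\n"
             + "<input type=\"text\" value=\"" + Encode.forHtmlAttribute(in) + "\" />\n"
             + "<div style=\"width: " + Encode.forCssString(in) + ";\">Style1</div>\n"
             + "<div style=\"background-image: url(" + Encode.forCssUrl(in) + ");\"></div>\n"
             + "<script>var msg = \"" + Encode.forJavaScript(in) + "\";</script>\n";
    }

    /** True when none of the characters in {@code forbidden} survive in {@code encoded}. */
    static boolean free(String encoded, String forbidden) {
        for (char c : forbidden.toCharArray()) {
            if (encoded.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks each encoder against the characters that would close its context.
     * The forbidden sets differ on purpose: text content does not need quotes
     * encoded, an attribute value does not need '>' encoded, and the CSS and
     * JavaScript encoders emit backslash escapes, so a backslash is expected there.
     */
    static boolean allContextsHeld(String in) {
        return free(Encode.forHtml(in), "<>\"'")
            && free(Encode.forHtmlContent(in), "<>")
            && free(Encode.forHtmlAttribute(in), "<\"'")
            && free(Encode.forCssString(in), "\"'<>\n")
            && free(Encode.forCssUrl(in), "\"'()\n")
            && free(Encode.forJavaScript(in), "\"'<>\n");
    }

    public static void main(String[] args) {
        System.out.println("--- raw (unsafe) ---");
        System.out.print(renderRaw(UNTRUSTED));
        System.out.println("--- encoded ---");
        System.out.print(renderEncoded(UNTRUSTED));
        System.out.println("all contexts held: " + allContextsHeld(UNTRUSTED));
    }
}
```

Compile and run it with the encoder jar on the classpath. The raw rendering shows the same input landing unchanged in every context; the encoded rendering shows a different escape scheme per context (entity references for HTML, backslash-hex escapes for CSS and JavaScript). The point worth taking from it is that there is no single "encode for HTML" call that covers a template: the value must be encoded with the method that matches the exact place the template puts it, which is why the servlet switches between forHtml, forHtmlContent, forHtmlAttribute, forCssString, forCssUrl and forJavaScript.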
--------------------------------------------------------------------------------
/JavaEncoder/app/.gitignore:
--------------------------------------------------------------------------------
/target/
/.settings/
.classpath
.project
--------------------------------------------------------------------------------
/JavaEncoder/app/WebContent/WEB-INF/web.xml:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>OWASP Java Encoder Test</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <servlet>
    <servlet-name>Encode</servlet-name>
    <servlet-class>EncodeAction</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Encode</servlet-name>
    <url-pattern>/EncodeServlet</url-pattern>
  </servlet-mapping>
</web-app>
--------------------------------------------------------------------------------
/JavaEncoder/app/WebContent/index.jsp:
--------------------------------------------------------------------------------
<%@page language="java" contentType="text/html" pageEncoding="UTF-8"%>

OWASP Java Encoder Tests

OWASP Java Encoder Test

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>
<h1></h1>

<form>
<textarea>
</textarea>
<input type="text" name="address" value="" />
</form>

<div style="width: ; height: 200px; border: 1px solid black;">Style1</div>
<div style="background-image: url(); height: 200px; width: 400px; border: 1px solid black;">Style2</div>

<script type="text/javascript">
var msg = "";
</script>

</body>
</html>

After submitting this form, here is the expected output:

"<!DOCTYPE html>"+
"<html><head>\n" +
"<title>" + Encode.forHtml(title) + "</title>\n" +
"</head>\n" +
"<body><h2>Results (Go back to try again!)</h2><hr><br/>\n" +
"<h1>" + Encode.forHtml(h1) + "</h1>\n" +
"<form>" +
"<textarea>" + Encode.forHtmlContent(textarea) + "</textarea><br/>\n" +
"<input type=\"text\" name=\"address\" value=\"" + Encode.forHtmlAttribute(attribute) + "\" /><br/>\n" +
"</form>\n" +
"<div style=\"width: " + Encode.forCssString(csswidth) + "; height: 200px; border: 1px solid black;\">Style1</div>\n" +
"<div style=\"background-image: url(" + Encode.forCssUrl(cssbackground) + "); height: 200px; width: 400px; border: 1px solid black;\">Style2</div>\n" +
"<script type=\"text/javascript\">\nvar msg = \"" + Encode.forJavaScript(javascript) + "\";\n</script>\n" +
"</body>\n" +
"</html>"

--------------------------------------------------------------------------------
/JavaEncoder/app/pom.xml:
--------------------------------------------------------------------------------
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>OWASPJavaEncoderTest</groupId>
  <artifactId>OWASPJavaEncoderTest</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <build>
    <sourceDirectory>src</sourceDirectory>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.1</version>
        <configuration>
          <source>1.7</source>
          <target>1.7</target>
        </configuration>
      </plugin>
      <plugin>
        <artifactId>maven-war-plugin</artifactId>
        <version>2.3</version>
        <configuration>
          <warSourceDirectory>WebContent</warSourceDirectory>
          <failOnMissingWebXml>false</failOnMissingWebXml>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>3.0.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.owasp.encoder</groupId>
      <artifactId>encoder</artifactId>
      <version>1.2</version>
    </dependency>
  </dependencies>
</project>
--------------------------------------------------------------------------------
/JavaEncoder/app/src/EncodeAction.java:
--------------------------------------------------------------------------------
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.encoder.*;

public class EncodeAction extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Only POST is handled by this servlet; GET gets a fixed reply.
        response.getWriter().append("GET out of here!!!");
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request,
                          HttpServletResponse response) throws ServletException, IOException
    {
        // titles
        String title = request.getParameter("title_input");
        String h1 = request.getParameter("h1_input");

        // form
        String textarea = request.getParameter("textarea_input");
        String attribute = request.getParameter("attribute_input");

        // css
        String csswidth = request.getParameter("csswidth_input");
        String cssbackground = request.getParameter("cssbackground_input");

        String javascript = request.getParameter("javascript_input");

        // Declare the output type and charset so the browser parses the encoded output as UTF-8 HTML.
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        // Each value is placed in a different context and encoded with the matching Encode method.
        out.println (
            "<!DOCTYPE html>"+
            "<html><head>\n" +
            "<title>" + Encode.forHtml(title) + "</title>\n" +
            "</head>\n" +
            "<body><h2>Results (Go back to try again!)</h2><hr><br/>\n" +
            "<h1>" + Encode.forHtml(h1) + "</h1>\n" +
            "<form>" +
            "<textarea>" + Encode.forHtmlContent(textarea) + "</textarea><br/>\n" +
            "<input type=\"text\" name=\"address\" value=\"" + Encode.forHtmlAttribute(attribute) + "\" /><br/>\n" +
            "</form>\n" +
            "<div style=\"width: " + Encode.forCssString(csswidth) + "; height: 200px; border: 1px solid black;\">Style1</div>\n" +
            "<div style=\"background-image: url(" + Encode.forCssUrl(cssbackground) + "); height: 200px; width: 400px; border: 1px solid black;\">Style2</div>\n" +
            "<script type=\"text/javascript\">\nvar msg = \"" + Encode.forJavaScript(javascript) + "\";\n</script>\n" +
            "</body>\n" +
            "</html>"
        );
    }
}
--------------------------------------------------------------------------------
/JavaEncoder/war-files/OWASPJavaEncoderTest.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/OWASPBugBounty/7f05e9565bdbfa05074f0d37af2cea5c12727d1a/JavaEncoder/war-files/OWASPJavaEncoderTest.war
--------------------------------------------------------------------------------
/JavaHTMLSanitizer/Readme.md:
--------------------------------------------------------------------------------
# OWASP Java HTML Sanitizer Bug Bounty

This simple web application hosts a single web form that is protected from XSS by the OWASP Java HTML Sanitizer. The form accepts HTML input and directly renders that HTML input in the response - after the HTML has been sanitized!

## Details

This library protects against XSS attacks using a configurable policy. This test uses the default "Slashdot policy" (defined here: https://github.com/OWASP/java-html-sanitizer/blob/master/src/main/java/org/owasp/html/examples/SlashdotPolicyExample.java), which allows the following tags ("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong", "br", "ul", "ol", "li") and only certain attributes. This policy also allows the custom Slashdot tags "quote" and "ecode".
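As an added example (not part of the repository or of the sanitizer project), the Java program below builds the same Slashdot-style policy that SanitizeAction uses, runs a handful of constructed inputs through it and checks what the policy keeps and what it removes. The class name PolicyDemo, the sample inputs and the check helpers are this example's own; the HtmlPolicyBuilder and PolicyFactory calls are the library's real API, assumed at the owasp-java-html-sanitizer 20160924.1 version declared in the app's pom.xml.

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Applies the Slashdot-style policy used by the SanitizeAction servlet to a
 * few constructed inputs and reports what survives. Class name, inputs and
 * check helpers are this example's own assumptions; the builder calls are
 * the sanitizer library's API.
 */
public class PolicyDemo {

    // Built once: a PolicyFactory is immutable and thread-safe, so it does not
    // have to be rebuilt on every request the way the servlet does.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
        .allowStandardUrlProtocols()
        .allowAttributes("title").globally()
        .allowAttributes("href").onElements("a")
        .requireRelNofollowOnLinks()
        .allowAttributes("lang").matching(Pattern.compile("[a-zA-Z]{2,20}")).globally()
        .allowAttributes("align").matching(true, "center", "left", "right", "justify", "char").onElements("p")
        .allowElements("a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong",
                       "br", "ul", "ol", "li")
        .allowElements("quote", "ecode")
        .allowStyling()
        .toFactory();

    /** Mirrors the servlet: a missing form value becomes the empty string before sanitizing. */
    static String sanitize(String userContent) {
        return POLICY.sanitize(userContent == null ? "" : userContent);
    }

    // Constructed inputs (not from the repository), each paired with a marker
    // that must be absent from the sanitized output.
    static final String[][] CASES = {
        // element not in the allow list: dropped
        {"<p>hi<script>alert(1)</script></p>", "<script"},
        // non-standard URL protocol: the href attribute is dropped
        {"<a href=\"javascript:alert(1)\">x</a>", "javascript:"},
        // event-handler attribute not in the allow list: dropped
        {"<b onmouseover=\"alert(1)\">bold</b>", "onmouseover"},
        // align value outside the allowed set: the attribute is dropped
        {"<p align=\"evil\">text</p>", "evil"},
        // element not in the allow list: dropped
        {"<img src=\"x\" onerror=\"alert(1)\">", "<img"},
    };

    /** True when every marker is absent from its case's sanitized output. */
    static boolean allStripped() {
        for (String[] c : CASES) {
            if (sanitize(c[0]).contains(c[1])) {
                return false;
            }
        }
        return true;
    }

    /** Allowed markup passes through; the policy adds rel="nofollow" to links. */
    static boolean allowedKept() {
        String out = sanitize("<p align=\"center\"><a href=\"https://owasp.org/\">OWASP</a> <b>ok</b></p>");
        return out.contains("<p align=\"center\">")
            && out.contains("href=\"https://owasp.org/\"")
            && out.contains("rel=\"nofollow\"")
            && out.contains("<b>ok</b>");
    }

    public static void main(String[] args) {
        for (String[] c : CASES) {
            System.out.println(c[0] + "  ->  " + sanitize(c[0]));
        }
        System.out.println("null input  ->  \"" + sanitize(null) + "\"");
        System.out.println("all disallowed markup stripped: " + allStripped());
        System.out.println("allowed markup kept: " + allowedKept());
    }
}
```

Run it with the sanitizer jar and its Guava dependency on the classpath. Two things the servlet's own code does not make visible are worth noting: the policy is an allow list, so anything not named in it (elements, attributes, URL schemes, attribute values) is removed rather than escaped, and the PolicyFactory can be built once and shared, since it is immutable and thread-safe.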

## Scope
Researchers, please refer to the BugCrowd bounty page to read about the scope of this bounty:
https://bugcrowd.com/owaspjavasanitizer

--------------------------------------------------------------------------------
/JavaHTMLSanitizer/app/.gitignore:
--------------------------------------------------------------------------------
/target/
/.settings/
.classpath
.project
--------------------------------------------------------------------------------
/JavaHTMLSanitizer/app/WebContent/WEB-INF/web.xml:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>OWASPHTMLSanitizerTest</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <servlet>
    <servlet-name>Sanitize</servlet-name>
    <servlet-class>SanitizeAction</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Sanitize</servlet-name>
    <url-pattern>/SanitizeServlet</url-pattern>
  </servlet-mapping>
</web-app>
--------------------------------------------------------------------------------
/JavaHTMLSanitizer/app/WebContent/index.jsp:
--------------------------------------------------------------------------------
<%@page language="java" contentType="text/html" pageEncoding="UTF-8"%>

OWASP XSS Tests

OWASP HTML Sanitizer Test

Please enter some HTML and try to XSS the server-side sanitizer!

The current server-side policy allows the following tags ("a", "p", "div", "i", "b", "em",
"blockquote", "tt", "strong", "br", "ul", "ol", "li") and only certain attributes.
We have also enabled "allowStyling" so you can test against our new CSS sanitization.
Good luck!

Policy in use

org.owasp.html.PolicyFactory sanitizer = new HtmlPolicyBuilder()
    .allowStandardUrlProtocols()
    // Allow title="..." on any element.
    .allowAttributes("title").globally()
    // Allow href="..." on <a> elements.
    .allowAttributes("href").onElements("a")
    // Defeat link spammers.
    .requireRelNofollowOnLinks()
    // Allow lang= with an alphabetic value on any element.
    .allowAttributes("lang").matching(Pattern.compile("[a-zA-Z]{2,20}"))
        .globally()
    // The align attribute on <p> elements can have any value below.
    .allowAttributes("align")
        .matching(true, "center", "left", "right", "justify", "char")
        .onElements("p")
    // These elements are allowed.
    .allowElements(
        "a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong",
        "br", "ul", "ol", "li")
    // Custom slashdot tags.
    // These could be rewritten in the sanitizer using an ElementPolicy.
    .allowElements("quote", "ecode")
    // Allows for tests against new CSS sanitization
    .allowStyling()
    .toFactory();

--------------------------------------------------------------------------------
/JavaHTMLSanitizer/app/pom.xml:
--------------------------------------------------------------------------------
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>OWASPHTMLSanitizerTest</groupId>
  <artifactId>OWASPHTMLSanitizerTest</artifactId>
  <version>0.1.3-SNAPSHOT</version>
  <packaging>war</packaging>
  <build>
    <sourceDirectory>src</sourceDirectory>
    <plugins>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.1</version>
        <configuration>
          <source>1.7</source>
          <target>1.7</target>
        </configuration>
      </plugin>
      <plugin>
        <artifactId>maven-war-plugin</artifactId>
        <version>2.3</version>
        <configuration>
          <warSourceDirectory>WebContent</warSourceDirectory>
          <failOnMissingWebXml>false</failOnMissingWebXml>
        </configuration>
      </plugin>
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>3.0.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
      <artifactId>owasp-java-html-sanitizer</artifactId>
      <version>20160924.1</version>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>19.0</version>
    </dependency>
  </dependencies>
</project>
--------------------------------------------------------------------------------
/JavaHTMLSanitizer/app/src/SanitizeAction.java:
--------------------------------------------------------------------------------
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.html.HtmlPolicyBuilder;

public class SanitizeAction extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Only POST is handled by this servlet; GET gets a fixed reply.
        response.getWriter().append("GET out of here!");
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request,
                          HttpServletResponse response) throws ServletException, IOException
    {
        // building a policy
        // described in https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project#tab=Creating_a_HTML_Policy
        org.owasp.html.PolicyFactory sanitizer = new HtmlPolicyBuilder()
            .allowStandardUrlProtocols()
            // Allow title="..." on any element.
            .allowAttributes("title").globally()
            // Allow href="..." on <a> elements.
            .allowAttributes("href").onElements("a")
            // Defeat link spammers.
            .requireRelNofollowOnLinks()
            // Allow lang= with an alphabetic value on any element.
            .allowAttributes("lang").matching(Pattern.compile("[a-zA-Z]{2,20}"))
                .globally()
            // The align attribute on <p> elements can have any value below.
            .allowAttributes("align")
                .matching(true, "center", "left", "right", "justify", "char")
                .onElements("p")
            // These elements are allowed.
            .allowElements(
                "a", "p", "div", "i", "b", "em", "blockquote", "tt", "strong",
                "br", "ul", "ol", "li")
            // Custom slashdot tags.
            // These could be rewritten in the sanitizer using an ElementPolicy.
            .allowElements("quote", "ecode")
            // Allows for tests against new CSS sanitization
            .allowStyling()
            .toFactory();

        // accepting user content and converting nulls to empty strings
        String usercontent = request.getParameter("usercontent");
        if (usercontent == null) usercontent = "";

        // Declare the output type and charset so the browser parses the sanitized output as UTF-8 HTML.
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        // The sanitized fragment is written into the page body as-is; everything
        // the policy did not allow has already been removed by sanitize().
        out.println (
            "<!DOCTYPE html>"+
            "<html>\n" +
            "<head>\n" +
            "<title>Can you XSS the OWASP HTML Sanitizer?</title>\n" +
            "</head>\n" +
            "<body>\n<h2>Results (Go back to try again!)</h2><hr><br/>\n" + sanitizer.sanitize(usercontent) + "\n</body>\n" +
            "</html>"
        );
    }
}
--------------------------------------------------------------------------------
/JavaHTMLSanitizer/war-files/OWASPHTMLSanitizerTest.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/OWASPBugBounty/7f05e9565bdbfa05074f0d37af2cea5c12727d1a/JavaHTMLSanitizer/war-files/OWASPHTMLSanitizerTest.war
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OWASP Bug Bounty for Projects

## Introduction
Many developers and companies looking to implement security are turning towards OWASP to use Defender libraries that they can implement to secure their critical applications. Since this implies a form of trust in OWASP, many users of these projects might forget, or not be aware, that many of them are Open Source and lack an expected security assurance review, which at the moment is not done by OWASP.

## Repository
This repository contains web applications protected by OWASP projects that are running a Bug Bounty.
Researchers can download and run these applications locally in order to test their security.
For an explanation of each bounty's scope, please visit each project's page at the BugCrowd Bounty Source pages here:
#### Running at the moment:
* OWASP Java HTML Sanitizer: https://bugcrowd.com/owaspjavasanitizer

* OWASPCRSFGuard: https://bugcrowd.com/owaspcrsfguard

# Issues
If you are having issues running the applications, please report your problem as an issue.

## FAQ

### I'm a Bug Hunter, how can I participate?
Please contact BugCrowd, as our Bug Bounty is working through their portal.
This GitHub repository hosts the web applications for each project, so you can download them and run them in your own environment.
If you have issues running the application, please create an issue in this repository.

For additional inquiries about the OWASP Bug Bounty program, contact support@bugcrowd.com.

### Is the Bug Bounty open to all Researchers?
Yes, just keep in mind that you need to be registered as a researcher on the Bugcrowd platform.
--------------------------------------------------------------------------------