OWASP supports many volunteers efforts to produce security libraries which at the same time are used by many companies and developers, in order to secure their applications. This bounty program for CRSFGuard run by OWASP is to determine the protection level claimed by the library and verify that indeed the protected application is not vulnerable to CRSF attacks when using the library.
OWASP may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is reputational points.
About OWASP CSRFGuard
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.
Access & Reporting
When submitting a bug be sure to specify the version of the application you are using, the client the vulnerability was found on, and other unique information that might be helpful for us to reproduce the vulnerability.
The program focuses on finding CSRF attacks ONLY of the following form:
*JS token injector not properly injecting into the dom 
* Token with weak crypto 
* Server side not enforcing the token properly on POST Request 
 Excluding CSRF attacks with the help of XSS.
The CSRFGuard library purpose is to protect against CRSF attacks - therefore any other kind of vulnerability is excluded from this program
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
*Attacks requiring physical access to a user's device
*Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
*Invalid or missing SPF (Sender Policy Framework) records
*Content spoofing / text injection
*Issues related to software or protocols not under OWASP control
*Bypass of URL malware detection
*Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
*Social engineering of OWASP staff or contractors
*Any physical attempts against OWASP property or server
*Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.
- What type of issue are you reporting? Does it align to the scoped issue?
- How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
- What is the impact of your issue?
- What are some scenarios where an attacker would be able to leverage this vulnerability?
- What would be your suggested fix?
Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of OWASP! However, only those that meet the following eligibility requirements may receive a monetary reward:
*You must be the first reporter of a vulnerability.
*The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
*We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list).
*You may not publicly disclose the vulnerability prior to our resolution.
This bounty follows Bugcrowd’s standard disclosure terms.
This bounty requires explicit permission to disclose the results of a submission.