OWASP supports many volunteer efforts to produce security libraries that are in turn used by many companies and developers to secure their applications. This bounty program for the Java Encoder project, run by OWASP, aims to test the protection level claimed by the library and verify that an application protected with it is indeed not vulnerable to XSS attacks.

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage.

Rewards

OWASP may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is reputational points. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope).

Getting Started Guide

Targets

In scope

It may also be of use to review the source code for this project here: https://github.com/OWASP/owasp-java-encoder

Report Template

Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items:

* What type of issue are you reporting? Does it align with the scoped issue?
* How does a user reproduce your issue? (If this takes more than a few steps, please create a video so we can attempt to perform the same steps.)
* What is the impact of your issue?
* What are some scenarios where an attacker would be able to leverage this vulnerability?
* What would be your suggested fix?

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of OWASP! However, only those that meet the following eligibility requirements may receive a monetary reward:
* You must be the first reporter of a vulnerability.
* The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
* We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of certain other countries, or on a denied parties or sanctions list).
* You may not publicly disclose the vulnerability prior to our resolution.

About the OWASP Java Encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project helps Java web developers defend against Cross-Site Scripting.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts (primarily JavaScript) are injected into otherwise trusted web sites. You can read more about Cross-Site Scripting here: Cross-site_Scripting_(XSS). One of the primary defenses against Cross-Site Scripting is a technique called Contextual Output Encoding: untrusted data is encoded with the rules of the specific output context (HTML body, HTML attribute, JavaScript string, URL, and so on) it is written into, so the browser treats it as data rather than markup or code. You can read more about Cross-Site Scripting prevention here: XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.
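The following is an added example, not code from the bounty page or from the Java Encoder project itself, showing contextual output encoding with the library's `org.owasp.encoder.Encode` class. It assumes the encoder artifact is on the classpath; the page fragment, the `render*` method names and the untrusted input value are constructed for illustration.

```java
// Added example: the same untrusted value placed into four output contexts,
// first by raw concatenation (the XSS-prone pattern), then through the
// context-specific encoders of the OWASP Java Encoder.
import org.owasp.encoder.Encode;

public class ContextualEncodingDemo {

    // Constructed untrusted input, e.g. the value of a form field a user controls.
    static final String UNTRUSTED = "\"><script>alert(1)</script>";

    // XSS-prone pattern: raw concatenation, so the input can close the
    // attribute, inject a tag, or break out of the JavaScript string literal.
    static String renderUnsafe(String name) {
        return "<p>Hello " + name + "</p>\n"
             + "<input value=\"" + name + "\">\n"
             + "<script>var user = '" + name + "';</script>\n"
             + "<a href=\"/profile?u=" + name + "\">profile</a>\n";
    }

    // Hardened pattern: pick the encoder that matches the context the value
    // lands in. Each encoder neutralises exactly the characters that are
    // significant in that context.
    static String renderSafe(String name) {
        return "<p>Hello " + Encode.forHtml(name) + "</p>\n"               // HTML body
             + "<input value=\"" + Encode.forHtmlAttribute(name) + "\">\n" // quoted attribute
             + "<script>var user = '" + Encode.forJavaScript(name) + "';</script>\n" // JS string
             + "<a href=\"/profile?u=" + Encode.forUriComponent(name) + "\">profile</a>\n"; // URL query
    }

    // Simple check a reviewer might run over rendered output: the raw
    // untrusted markup must not survive in the safe rendering.
    static boolean leaksRawMarkup(String rendered) {
        return rendered.contains("<script>alert(1)</script>");
    }

    public static void main(String[] args) {
        System.out.println("Unsafe rendering:\n" + renderUnsafe(UNTRUSTED));
        System.out.println("Safe rendering:\n" + renderSafe(UNTRUSTED));
        System.out.println("unsafe leaks raw markup: " + leaksRawMarkup(renderUnsafe(UNTRUSTED)));
        System.out.println("safe leaks raw markup:   " + leaksRawMarkup(renderSafe(UNTRUSTED)));
    }
}
```

The point the bounty turns on is the choice of encoder per context: `Encode.forHtml` alone is not sufficient inside a `<script>` block or a URL, which is why the cheat sheet linked above treats each context separately.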

As of November 2015, there are no open issues submitted against this project: https://github.com/OWASP/owasp-java-encoder/issues. We actively track project issues and seek to remediate any that arise. The project owners consider the project stable and ready for production use and are seeking project status promotion.

Access & Reporting

Please make sure to follow the instructions for obtaining a copy of the web application secured by the OWASP Java Encoder project here: https://github.com/OWASP/OWASPBugBounty/tree/master/JavaEncoder. When submitting a bug, be sure to specify the version of the application you are using, the client the vulnerability was found on, and any other unique information that might help us reproduce the vulnerability.

Scope

The OWASP Java Encoder protects ONLY against XSS attacks; therefore the main purpose of the bounty is to test the application only against this type of vulnerability.

Access

To access the application, please go to:
* https://github.com/OWASP/OWASPBugBounty/tree/master/JavaEncoder

All the instructions for running the web app in your environment are provided there.

Credentials

No credentials are necessary to log in to the application. It runs a simple HTML form with different fields protected by the OWASP Java Encoder project.

Focus Areas

The following policies have been configured in this application, so you should focus on XSS attacks that:
- Attempt to inject HTML code, whether in plain text or encoded
- Attempt to inject JavaScript code into the fields, whether in plain text or encoded

Out-of-Scope

Any type of attack other than XSS is out of scope. The following finding types are specifically excluded from the bounty:

Everything that is not an XSS/HTML injection, such as:

* Descriptive error messages (e.g. stack traces, application or server errors).
* HTTP 404 codes/pages or other HTTP non-200 codes/pages.
* Fingerprinting / banner disclosure on common/public services.
* Disclosure of known public files or directories (e.g. robots.txt).
* Clickjacking and issues only exploitable through clickjacking.
* CSRF on forms that are available to anonymous users (e.g. the contact form).
* Logout Cross-Site Request Forgery (logout CSRF).
* Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
* Lack of Secure/HttpOnly flags on non-sensitive cookies.
* Lack of a security speedbump when leaving the site.
* Weak CAPTCHA / CAPTCHA bypass.
* Forgot Password page brute force and account lockout not enforced.
* OPTIONS HTTP method enabled.
* Username / email enumeration
  * via Login page error message
  * via Forgot Password error message
* Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
  * Strict-Transport-Security
  * X-Frame-Options
  * X-XSS-Protection
  * X-Content-Type-Options
  * Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  * Content-Security-Policy-Report-Only
* SSL issues, e.g.
  * SSL attacks such as BEAST, BREACH, renegotiation attack
  * SSL forward secrecy not enabled
  * SSL weak / insecure cipher suites

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.