owasp-blt / blt Goto Github PK

View Code? Open in Web Editor NEW

122.0 11.0 126.0 69.85 MB

OWASP BLT is a bug logging tool to report issues and get points, companies are held accountable.

Home Page: https://blt.owasp.org

License: GNU Affero General Public License v3.0

Python 20.54% CSS 9.04% JavaScript 19.89% HTML 50.39% Shell 0.10% Dockerfile 0.03% Procfile 0.01%

django bug devsecops appsec security security-tools bugbounty bug-bounty python bug-tracker

blt's Introduction

OWASP BLT

Report issues and get points, companies are held accountable.

OWASP BLT is a bug logging tool to report issues and get points, companies are held accountable.
Users will get rewards/points for reporting bugs on Organizations / Companies.
Organizations / Companies can launch their bug hunt programs with prize pools.
Read more about BLT
Watch this Video to get detailed motives and features of project BLT.

Development

Make sure to run pre-commit before committing so it formats the code.

Setting Up Development Server

Please follow the development server setup procedure here. Currently, development server can be installed using docker or vagrant. You can also use virtualenv or pipenv install, pipenv shell and then continue with the remaining instructions.

Documentation

use the Installation Docs to get started.
Swagger API Documentations can be found at the root domain /swagger/
Postman API Documentations: Postman Docs.

Resources

Communicate with us on slack #project-blt Join OWASP Slack Channel
Github activity can be seen in Slack #blt-github.
Figma designs:

Other BLT Projects

Coding style guide

Please follow the black code style for the project. It helps us in keeping the codebase consistent and improves readability for other developers. Use pre-commit run command to make sure your changes comply with the standards.

License

The BLT code is released under GNU Affero General Public License v3.0 (AGPL-3.0).

Notes

If you find a bug or have an improvement, use BLT to report it!
for each new issue, create a new branch with issue-382 or similar matching the issue number - when you commit add fixes #288 to link the issue to the pull request
to take a github issue type a comment that says "assign to me" or /assign and it will assign it to you.

blt's People

Contributors

Stargazers

Watchers

Forkers

rafen tarachris ordersys rtgdk pombredanne alphadose roboneet souravbadami sid22 rajat2797 mohitanand001 mcne65 yukiisbored gomgam shubhamsetia annlincodemill canter-nawab srahulbadami dileepdora jrgans1717 arvindrp mahfuz-hasan irikeish zbcmars sinsixx wade1990 l1kw1d ananyanegi ankit2001 apython123 sparsh1212 spiderxm anubisant masterscott ekmixon isabella232 akankshsinhaa sumodgeorge thedudeontitan connectbhawna letsintegreat manishbisht777 suyash5053 solo-daemon iamnishanbhandari frs2304 recursiveway pushkarmondal co-decode kej-r03 pranav-iitr justary27 juhiechandra saurabh11x ayush-regmi bigok666 yashsomalkar thisisms11 deimos-sj shubham-200315 salty-ivy rahulsingh5926 professorabhay atmegabuzz ethicalsecurity-agency kashyapmavani l3aalteshuva daemon-reconfig prakhar-shankar pandey-saurabhp officialarmannqureshi jisanar03 tadash10 mattsilverio busf4ctor caue96 caduroriz rafael-gc tacticalprice hemanthhari2000 arpitkrs eduardo-rfarias manthan-sharma-23 sahildhillon21 ananyasingh2002 ansh7432 likhitha004 anhtudotinfo errorassassin sidling1 americanamanada vkix-7 venkat-737 ha-bhai-noob-hoon hitanshuprasad haniljain kr-2003 piyushs131 lgc33 devesh1709

blt's Issues

Chrome extension is not working for the image.

Google login

Fix leaderboard point count to only show current points for the month.

Have a link to a global leaderboard

Activity stream for logins

Setup email tracking

encrypted code, contains email

Send an email to the domain email when a new bug is found

I can search for domain without entering anything in the domain field and get +1 point, and that will show 500 error for a while.

When adding an issue that has no domain, it adds a blank domain causing an error

add company leaderboard to user profile

Activity stream for issues

Have the leaderboard be weekly

show how responsive a company is, last time link clicked

show tweet count
show date last tweet sent

Ocr the images

https://elements.heroku.com/buildpacks/matteotiziano/heroku-buildpack-tesseract

http://stackoverflow.com/questions/19521976/using-tesseract-on-heroku-with-django

Facebook login

Have the ability to invite people and get a point

Add to the bottom of the page.
Invite two friends and get 1 point.
Email says username invites you to www.bugheist.com
Hold the 2 emails in a table and show the status on the iser profile page.

When the emails both return delivered then issue the point and delete them from the table.

ValueError: The 'screenshot' attribute has no file associated with it.

View details in Rollbar: https://rollbar.com/bugheist/Bugheist/items/26/

Traceback (most recent call last):
  File "/app/.heroku/python/lib/python2.7/site-packages/django/core/handlers/base.py", line 147, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/contrib/auth/decorators.py", line 23, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/base.py", line 68, in view
    return self.dispatch(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/base.py", line 88, in dispatch
    return handler(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/edit.py", line 256, in post
    return super(BaseCreateView, self).post(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/edit.py", line 222, in post
    return self.form_valid(form)
  File "/app/website/views.py", line 74, in form_valid
    obj.save()
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/base.py", line 700, in save
    force_update=force_update, update_fields=update_fields)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/base.py", line 737, in save_base
    update_fields=update_fields, raw=raw, using=using)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/dispatch/dispatcher.py", line 192, in send
    response = receiver(signal=self, sender=sender, **named)
  File "/app/website/models.py", line 143, in post_to_twitter
    file = default_storage.open(instance.screenshot.file.name, 'rb')
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/fields/files.py", line 49, in _get_file
    self._require_file()
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/fields/files.py", line 46, in _require_file
    raise ValueError("The '%s' attribute has no file associated with it." % self.field.name)
ValueError: The 'screenshot' attribute has no file associated with it.

Add share buttons

Make an about page - Have people know what they are doing and the purpose and benefit of it.

The web app request the server before validating the required fields on the frontend.

The web app send request to the server and refresh the whole page when the user click on the Bug while the required fields are empty.

That should not happen actually, we should not call the server and send request for nothing, this validation should be done on the frontend first, and then send the request in case all the required fields are already filled.

This issue is applicable on both modules "Enter Bug" and "Start Hunting/be sponsored".

Add domain list

Setup screenshot uploading

Github login

Add license file

Do a survey of what people would like to see

Show the company's email

use javascript email script to avoid scraping

Add user avatar

Find info when new domain is added

spider the website
find email addresses automatically
email them

https://www.youtube.com/watch?v=SFas42HBtMg

IOError: File does not exist: filled

View details in Rollbar: https://rollbar.com/bugheist/Bugheist/items/25/

Traceback (most recent call last):
  File "/app/.heroku/python/lib/python2.7/site-packages/django/core/handlers/base.py", line 147, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/contrib/auth/decorators.py", line 23, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/base.py", line 68, in view
    return self.dispatch(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/base.py", line 88, in dispatch
    return handler(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/edit.py", line 256, in post
    return super(BaseCreateView, self).post(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/edit.py", line 221, in post
    if form.is_valid():
  File "/app/.heroku/python/lib/python2.7/site-packages/django/forms/forms.py", line 161, in is_valid
    return self.is_bound and not self.errors
  File "/app/.heroku/python/lib/python2.7/site-packages/django/forms/forms.py", line 153, in errors
    self.full_clean()
  File "/app/.heroku/python/lib/python2.7/site-packages/django/forms/forms.py", line 364, in full_clean
    self._post_clean()
  File "/app/.heroku/python/lib/python2.7/site-packages/django/forms/models.py", line 396, in _post_clean
    self.instance.full_clean(exclude=exclude, validate_unique=False)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/base.py", line 1114, in full_clean
    self.clean_fields(exclude=exclude)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/base.py", line 1156, in clean_fields
    setattr(self, f.attname, f.clean(raw_value, self))
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/fields/__init__.py", line 600, in clean
    self.run_validators(value)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/fields/__init__.py", line 552, in run_validators
    v(value)
  File "/app/website/models.py", line 57, in validate_image
    filesize = fieldfile_obj.file.size
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/fields/files.py", line 51, in _get_file
    self._file = self.storage.open(self.name, 'rb')
  File "/app/.heroku/python/lib/python2.7/site-packages/django/core/files/storage.py", line 37, in open
    return self._open(name, mode)
  File "/app/.heroku/python/lib/python2.7/site-packages/storages/backends/s3boto.py", line 386, in _open
    raise IOError('File does not exist: %s' % name)
IOError: File does not exist: filled

Have browser extension take screenshot

Add subscription for bug hunters

allow them to get notifications of new bugs from specific companies or all companies

Allow companies to click acknowledge

Have ability for website to "acknowledge" that a bug was reported... show the time it took and avg acknowledgement time

Add email status returned from sengrid API to the domain table

Send a new tweet when an issue is posted.

Have ability for website to "acknowledge" that a bug was reported... show the time it took and avg acknowledgement time

Ability to auto report issues on github

Have the ability to edit issues you've created

Setup a monthly email announcing that the leaderboard has been reset, show summary of bugs for the month

show chrome installs on stats

Allow companies to get points for fixing the bugs

Show a company leaderboard and display closed, open, email_event, date_modified

consolidate domains into domain table

I can add "Sponsored Bug Hunts" before purchase any plan.

Actually I see many issues along of this process, I am not sure even if I can add Sponsored Bug Hunts and removed the already exiting Sponsors. The steps below will describe some of those functional and UX issues.

1- Click on "Start Hunting".
2- You will be navigated to the start bug hunting page "http://www.bugheist.com/start/"
3- Nothing there says that you are adding new "Sponsors".
4- Add URL and Image (it says squared image 1:1 with it's not squared on the homepage actually).
5- Click on "Start" from the bottom of the page (the blue one), or on "start" from any of the mentioned plans.
6- You will be navigated to PayPal login page! nothing told the user that you will navigated to the PP or checkout page, that's really weird UX.
7- On PP login page, I see the name of the merchant "CoderBountry" I am not sure if that intended.
8- Now, if you back to the homepage, you will see your added URLs and logos dispalyed under the "Sponsored Bug Hunts" and the old ones have been removed, it seems it shows only 5 sponsors.
9- The user will be surprised, how those have been added!
10- We need to add more clear path, and more communication messages for this path.
11- Also, the user is able to add the same Sponsor more than one, and cannot edit the already existing ones.

Traceback (most recent call last):
  File "/app/.heroku/python/lib/python2.7/site-packages/django/core/handlers/base.py", line 147, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/contrib/auth/decorators.py", line 23, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/base.py", line 68, in view
    return self.dispatch(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/base.py", line 88, in dispatch
    return handler(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/edit.py", line 256, in post
    return super(BaseCreateView, self).post(request, *args, **kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/views/generic/edit.py", line 222, in post
    return self.form_valid(form)
  File "/app/website/views.py", line 75, in form_valid
    obj.save()
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/base.py", line 700, in save
    force_update=force_update, update_fields=update_fields)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/db/models/base.py", line 737, in save_base
    update_fields=update_fields, raw=raw, using=using)
  File "/app/.heroku/python/lib/python2.7/site-packages/django/dispatch/dispatcher.py", line 192, in send
    response = receiver(signal=self, sender=sender, **named)
  File "/app/website/models.py", line 138, in post_to_twitter
    media_ids = api.media_upload(filename=instance.screenshot.file.name, file=file)
  File "/app/.heroku/python/lib/python2.7/site-packages/tweepy/api.py", line 201, in media_upload
    headers, post_data = API._pack_image(filename, 3072, form_field='media', f=f)
  File "/app/.heroku/python/lib/python2.7/site-packages/tweepy/api.py", line 1313, in _pack_image
    raise TweepError('File is too big, must be less than %skb.' % max_size)
TweepError: File is too big, must be less than 3072kb.