bmt 0.7.1 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/bmt/version.rb +1 -1
- data/lib/data/0.9/mappings/templates.json +17 -0
- data/lib/data/0.9/mappings/templates.schema.json +62 -0
- data/lib/data/0.9/methodologies/active_directory.json +426 -0
- data/lib/data/0.9/methodologies/ai_llm.json +280 -0
- data/lib/data/0.9/methodologies/api_testing.json +687 -0
- data/lib/data/0.9/methodologies/binaries.json +252 -0
- data/lib/data/0.9/methodologies/hardware_testing.json +216 -0
- data/lib/data/0.9/methodologies/internal_network.json +454 -0
- data/lib/data/0.9/methodologies/mobile_android.json +514 -0
- data/lib/data/0.9/methodologies/mobile_ios.json +452 -0
- data/lib/data/0.9/methodologies/network.json +207 -0
- data/lib/data/0.9/methodologies/template.json +83 -0
- data/lib/data/0.9/methodologies/website_testing.json +1078 -0
- data/lib/data/0.9/schema.json +124 -0
- metadata +16 -11
- data/lib/data/0.1/LICENSE +0 -201
- data/lib/data/0.1/README.md +0 -20
- data/lib/data/0.1/lib/requirements.txt +0 -4
- data/lib/data/0.1/lib/tests/__init__.py +0 -0
- data/lib/data/0.1/lib/tests/test_.py +0 -28
- data/lib/data/0.1/lib/tests/test_template_mapping.py +0 -55
- data/lib/data/0.1/lib/utils/__init__.py +0 -0
- data/lib/data/0.1/lib/utils/utils.py +0 -14
- data/lib/data/0.1/lib/validate_bmt.py +0 -11
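--- a/data/lib/data/0.9/methodologies/binaries.json
+++ b/data/lib/data/0.9/methodologies/binaries.json
@@ -0,0 +1,252 @@
+{
+"metadata": {
+"title": "Binary",
+"release_date": "2022-01-10T00:00:00+00:00",
+"description": "Bugcrowd Binary testing methodology",
+"vrt_version": "10.0.1"
+},
+"content": {
+"steps": [
+{
+"key": "insufficient_authentication_authorization",
+"title": "Insufficient Authentication/Authorization",
+"description": "",
+"type": "checklist",
+"items": [
+{
+"description": "",
+"key": "multi_user_environment",
+"caption": "",
+"title": "Assess the application for multi-user environments and ensure it includes functionality for role separation."
+},
+{
+"description": "",
+"key": "password_recovery_mechanism",
+"caption": "",
+"title": "Assess password recovery mechanisms and ensure session management is properly maintained/terminated at the remote endpoint."
+}
+]
+},
+{
+"key": "insecure_network_services",
+"title": "Insecure Network Services",
+"description": "",
+"type": "checklist",
+"items": [
+{
+"description": "",
+"key": "ensure_network_services",
+"caption": "",
+"title": "Assess the application to ensure network services for potentially interesting crashes or denial-of-service conditions that might indicate the presence of a memory corruption issue."
+},
+{
+"description": "",
+"key": "ensure_debugging_services",
+"caption": "",
+"title": "Assess the application to ensure debugging services are not present (and if present, test those services for access controls/default credentials)."
+}
+]
+},
+{
+"key": "lack_of_transport_encryption",
+"title": "Lack of Transport Encryption",
+"description": "",
+"type": "checklist",
+"items": [
+{
+"description": "",
+"key": "assess_encrypted_communication",
+"caption": "",
+"title": "Assess the application to determine the use of modern encrypted communication between endpoints."
+},
+{
+"description": "",
+"key": "assess_encrypted_practice",
+"caption": "",
+"title": "Assess the application to determine if accepted encryption practices are used."
+}
+]
+},
+{
+"key": "privacy_concerns",
+"title": "Privacy Concerns",
+"description": "",
+"type": "checklist",
+"items": [
+{
+"description": "",
+"key": "assess_personal_information_collected",
+"caption": "",
+"title": "Assess the application to determine the amount of personal information collected."
+},
+{
+"description": "",
+"key": "assess_personal_data_encryption",
+"caption": "",
+"title": "Assess the application to determine if collected personal data is properly protected using encryption at rest and in transit."
+},
+{
+"description": "",
+"key": "assess_data_de_identified_or_anonymized",
+"caption": "",
+"title": "Assess the application to determine if data is de-identified or anonymized."
+},
+{
+"description": "",
+"key": "no_sesitive_data",
+"caption": "",
+"title": "No sensitive data, such as passwords or pins, are exposed through the user interface."
+},
+{
+"description": "",
+"key": "no_sensitive_log_info",
+"caption": "",
+"title": "No sensitive information is contained in logs generated by the application."
+},
+{
+"description": "",
+"key": "assess_personal_info_sending_to_remote_location",
+"caption": "",
+"title": "Assess whether the application sends personal/identifying information to a remote location even though it is only required for local use."
+}
+]
+},
+{
+"key": "insecure_cloud_interface",
+"title": "Insecure Cloud Interface (where applicable)",
+"description": "",
+"type": "checklist",
+"items": [
+{
+"description": "",
+"key": "assess_cloud_for_security_vulnerability",
+"caption": "",
+"title": "Assess the cloud interfaces for security vulnerabilities (e.g.testing both API interfaces and cloud-based web interfaces for common (and uncommon) web application issues)."
+},
+{
+"description": "",
+"key": "assess_secure_transport_in_cloud",
+"caption": "",
+"title": "Assess all cloud interfaces to ensure secure transport encryption is used."
+}
+]
+},
+{
+"key": "insecure_software_firmware",
+"title": "Insecure Software/Firmware",
+"description": "",
+"type": "checklist",
+"items": [
+{
+"description": "",
+"key": "assess_application_update_capability",
+"caption": "",
+"title": "Assess the application to ensure it includes update capability and can be updated quickly when vulnerabilities are discovered."
+},
+{
+"description": "",
+"key": "assess_encrypted_file_transfer",
+"caption": "",
+"title": "Assess the application to ensure it uses encrypted update files and that the files are transmitted using encryption."
+},
+{
+"description": "",
+"key": "assess_signed_files",
+"caption": "",
+"title": "Assess the application to ensure it uses signed files and then validates those files before installation."
+},
+{
+"description": "",
+"key": "assess_insecure_function_calls",
+"caption": "",
+"title": "Assess the application for insecure/dangerous function calls."
+},
+{
+"description": "",
+"key": "assess_user_input_sanitization",
+"caption": "",
+"title": "Assess the application to ensure ensure all user-controllable input data is sanitized prior to use."
+},
+{
+"description": "",
+"key": "ensure_all_third_party_components",
+"caption": "",
+"title": "Ensure all third party components used by the application, such as libraries and frameworks, are identified, and checked for known vulnerabilities."
+},
+{
+"description": "",
+"key": "assess_hardcoded_sensitive_info",
+"caption": "",
+"title": "Assess the application for signs of hardcoded sensitive information - e.g. credentials, URLs, API keys, etc."
+},
+{
+"description": "",
+"key": "assess_secure_random_number_generator",
+"caption": "",
+"title": "Assess the application to ensure all random values are generated using a sufficiently secure random number generator."
+},
+{
+"description": "",
+"key": "assess_input_via_dynamic_testing",
+"caption": "",
+"title": "Assess inputs on the application via dynamic testing (e.g. fuzzing) to identify potentially interesting crashes or denial-of-service conditions that might suggest the presence of a memory corruption or command injection issue."
+},
+{
+"description": "",
+"key": "assess_misconfigured_permission",
+"caption": "",
+"title": "Assess the application for misconfigured permissions, allowing for the escalation of privileges (e.g. DLL spoofing/hijacking, etc)."
+},
+{
+"description": "",
+"key": "assess_minimal_permissions",
+"caption": "",
+"title": "Assess the application to ensure it only uses the minimum set of permissions necessary."
+},
+{
+"description": "",
+"key": "assess_object_deserialization",
+"caption": "",
+"title": "Assess the application for unsafe object deserialization behavior that might lead to command injection."
+},
+{
+"description": "",
+"key": "assess_compiler_os_exploit_mitigation",
+"caption": "",
+"title": "Assess the application to ensure Basic OS/compiler exploit mitigation features, such stack protection/exploit mitigation (DEP, ASLR, stack canaries, etc) are activated."
+},
+{
+"description": "",
+"key": "assess_authentication_bypass",
+"caption": "",
+"title": "Assess the application for authentication bypasses and backdoors, allowing for access to functions/features outside of intended-use flows."
+},
+{
+"description": "",
+"key": "assess_application_for_internal_use",
+"caption": "",
+"title": "Assess the application for ability to access/use components meant for internal or administrative use (e.g. leftover debugging functionality not intended to exist in production)."
+},
+{
+"description": "",
+"key": "assess_for_undocumented_api_endpoints",
+"caption": "",
+"title": "Assess the application for undocumented API endpoints, and assess those for common vulnerabilities, as well as authentication bypasses."
+}
+]
+},
+{
+"key": "upload_logs",
+"title": "Upload logs",
+"description": "This should include all associated traffic associated to the in-scope targets.",
+"type": "large_upload"
+},
+{
+"key": "executive_summary",
+"title": "Executive summary",
+"description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
+"type": "executive_summary"
+}
+]
+}
+}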
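Review bot: The item key `no_sesitive_data` in the privacy_concerns checklist is misspelled, and because `key` is the stable identifier that mapping files such as templates.json refer to, it is far cheaper to correct it in this new 0.9 file than to rename it in a later release: `"key": "no_sensitive_data",`. The `vrt_version` of `"10.0.1"` in this file's metadata also disagrees with the `"1.17"` used by the sibling hardware_testing.json in the same release and with the 1.x numbering the VRT has used so far, so it looks like a typo worth confirming against the intended VRT release. Three item titles carry wording slips that will be shown verbatim to testers: "ensure ensure" in assess_user_input_sanitization, "such stack protection" (missing "as") in assess_compiler_os_exploit_mitigation, and "e.g.testing" (missing space) in assess_cloud_for_security_vulnerability. Every item here leaves `description` and `caption` as empty strings, which is a consistent choice but one the schema.json added in this release should be checked to permit.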
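--- a/data/lib/data/0.9/methodologies/hardware_testing.json
+++ b/data/lib/data/0.9/methodologies/hardware_testing.json
@@ -0,0 +1,216 @@
+{
+"metadata": {
+"title": "Hardware",
+"release_date": "2025-08-29T00:00:00+00:00",
+"description": "Bugcrowd Hardware Testing Methodology",
+"vrt_version": "1.17"
+},
+"content": {
+"steps": [
+{
+"key": "passive_recon",
+"title": "Passive Recon",
+"description": "Information gathering before turning off or opening the device",
+"type": "checklist",
+"items": [
+{
+"key": "open_source_intelligence",
+"title": "Open Source Intelligence",
+"caption": "",
+"description": "Gathering information using search engines to find publicly available information about the device",
+"tools": "Google Dorking components/device, FCC Database (fccid.io or fcc.io), Patents (patents.google.com, worldwide.espacenet.com/patent, appft.uspto.gov), Chinese OSINT (baidu.com, qichacha.com, right.com.cn, codechina.csdn.net, pudn.com, search.gitee.com), Finding datasheets for components",
+"vrt_category": "sensitive_data_exposure"
+},
+{
+"key": "network_scanning",
+"title": "Network Scanning",
+"caption": "",
+"description": "Scan the network for devices to find the one being tested, identify wireless protocols in use",
+"tools": "NMAP, Wireshark, tcpdump"
+},
+{
+"key": "rf_scanning",
+"title": "Radio Frequency Scanning",
+"caption": "",
+"description": "Identify any radio communications, frequencies, modulation the device might be using, identify wireless protocols in use",
+"tools": "HackRF, LimeSDR, BladeRF, Universal Radio Hacker (URH), other various rf sniffers",
+"type": "checklist",
+"items": [
+{
+"key": "bluetooth_ble",
+"title": "Bluetooth and BLE",
+"caption": "",
+"description": "Try to sniff the communication, check if it's encrypted, can it be decrypted, are replay attacks possible, check if sensitive information being transmitted in plaintext",
+"tools": "Flipper, Ubertooth, Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), btmon (linux), Bluetooth Virtual Sniffer (Windows)"
+},
+{
+"key": "zigbee_lora",
+"title": "ZigBee and LoRa",
+"caption": "",
+"description": "For ZigBee and LoRa devices, try to sniff the communication, capture the encryption key exchange (during active recon see if it's hardcoded on the device), check if the communication can be decrypted, and determine if replay attacks are possible. For LoRa, also check for LoRaWAN-specific vulnerabilities, such as weak join procedures, unencrypted payloads, and improper key management.",
+"tools": "Nordic nRF, Wireshark (might need to install an additional plugin and/or connect external hardware), ZT-CHK, TI SmartRF Protocol Packet Sniffer (SPPS) software, Semtech LoRaWAN sniffer, TTN Packet Forwarder, SDR tools supporting LoRa (HackRF, LimeSDR, BladeRF), Universal Radio Hacker (URH)"
+},
+{
+"key": "near_field_communication",
+"title": "NFC Testing",
+"caption": "",
+"description": "For card readers like access control locks and credit cards, can also be used in mobile testing. Try to read the information on the card, is it encrypted, can it be decrypted, can you forge a request, does the reader allow you to write to it so it will accept forged messages",
+"tools": "Flipper (base model is limited, additional hardware can be installed), Proxmark"
+}
+]
+}
+]
+},
+{
+"key": "active_recon",
+"title": "Active Recon - Opening up the Device Under Test",
+"description": "Open up the device to identify the various components and find data sheets online for the various components, map out PCB, find open ports (UART, JTAG). Use tools like screwdrivers, anti-tamper bits, prying tools, soldering iron, desoldering workstation, multimeter, XRAY, probes, oscilloscope, magnifying glass, and logic analyzer.",
+"type": "checklist",
+"items": [
+{
+"key": "visual_component_identification",
+"title": "Visual Component Identification",
+"caption": "",
+"description": "Using a magnifying glass identify the various components on the PCB in the device, determine what they do and how they connect together, look up datasheets for important components online and read through them",
+"tools": "magnifying glass, Search Engines"
+},
+{
+"key": "measure_voltage_resistance_continuity",
+"title": "Measuring Voltage, Resistance, and Continuity",
+"caption": "",
+"description": "Using a multimeter identify GND, Vcc, N/C, Pull-Up resistors to help map out the board, verify the different pins identified in the datasheets, and enumerate debug ports",
+"tools": "multimeter"
+},
+{
+"key": "id_debug_ports",
+"title": "ID Debug Ports",
+"caption": "",
+"description": "Determine which debug protocols are being used, UART, JTAG, SPI, I2C, SWD, and/or NAND/MMC and find out which pins can be used to access those ports. In some cases you may need to desolder the ports and solder header pins to them to access them",
+"tools": "multimeter, logic analyzer, oscilloscope, soldering iron"
+}
+]
+},
+{
+"key": "firmware",
+"title": "Accessing and Analysing Firmware",
+"description": "Using info gathered during active and passive recon access and reverse engineer the firmware for the device.",
+"type": "checklist",
+"items": [
+{
+"key": "dump_download_firmware",
+"title": "Dump or Download Firmware for Analysis",
+"caption": "",
+"description": "Using the identified debug ports try to dump the firmware from the device for reverse engineering. Desoldering the SPI flash and using a tool to dump the firmware from it directly. Try downloading the firmware from the vendor site, however it might be encrypted.",
+"tools": "desoldering station, JTAGulator, Minicom, PuTTy, Bus Pirate, Raspberry Pi Pico"
+},
+{
+"key":"firmware_analysis",
+"title":"Firmware Analysis",
+"caption": "",
+"description":"Reverse engineering the dumped firmware. Identify encryption if used and try to decrypt it. Use emulation software to help analyze it. Analyze and search the firmware for hardcoded passwords/keys and other sensitive information.",
+"tools":"binwalk, QEMU, Ghidra, grep, strings, hexdump, readelf"
+}
+]
+},
+{
+"key":"testing_device",
+"title":"Testing the Device",
+"description":"Using all of the information gathered start testing the device for security vulnerabilities.",
+"type":"checklist",
+"items": [
+{
+"key":"replay_attacks",
+"title":"Replay Attacks",
+"caption": "",
+"description":"Using the sniffed traffic, determine if replay attacks are possible. Check if the device accepts modified requests and if you can make changes to the configuration. Verify if the device uses unencrypted communication.",
+"tools":"Wireshark, HackRF, python"
+},
+{
+"key":"shared_resources",
+"title":"Improper Isolation of Shared Resources",
+"caption": "",
+"description":"A SOC may use pin multiplexing allowing an untrusted agent to access assets/info intended to trusted agents only",
+"CWE": ["CWE-1189"]
+},
+{
+"key":"bac_on_chip_debugger",
+"title":"Broken Access Control for On-Chip Debugger",
+"caption": "",
+"description":"Unauthenticated access to the on chip debugger through the JTAG, allowing root access or access to sensitive information. Or not implementing proper access control during different boot stages.",
+"CWE": ["CWE-1191", "CWE-1244"],
+"tools":"JTAGulator, SOIC-8 clip"
+},
+{
+"key":"improper_lock_bit_protection",
+"title":"Improper Lock Bit Protection",
+"caption": "",
+"description":"Assess the integrated circuit trusted lock bit to see if it's missing or can be modified by software later giving access to protected registers, address regions, systems and features that should be protected.",
+"CWE": ["CWE-1231", "CWE-1233"]
+},
+{
+"key":"cryptographic_implementation",
+"title":"Cryptographic Implementation",
+"caption": "",
+"description":"Assess if the cryptographic algorithm in use is non-standard or a disallowed/non-compliant version.",
+"CWE": ["CWE-1240"]
+},
+{
+"key": "fault_injection_and_side_channel_attacks",
+"title": "Fault Injection and Side Channel Attacks",
+"caption": "",
+"description": "Test for fault injection and side channel attacks that can bypass security measures to dump firmware, access sensitive information, perform code execution, skip authentication, or escalate privileges.",
+"CWE": ["CWE-1256", "CWE-1300"],
+"tools": "chipwhisperer, oscilloscope, pcb workstation with nano probes"
+},
+{
+"key":"memory_overlap",
+"title":"Improper Handling of Memory Overlap",
+"caption": "",
+"description":"Assess if isolated memory regions and access control policies allow software with low privileges to make changes to overlapping memory also used by software running with higher privileges.",
+"CWE": ["CWE-1260"]
+},
+{
+"key":"clearing_memory_during_state_transition",
+"title":"Sensitive Information Uncleared Before State Transition",
+"caption": "",
+"description":"Assess if sensitive information only needed for one state is cleared after transitioning to the next state, such as during boot or waking up from sleep mode.",
+"CWE": ["CWE-1272"]
+},
+{
+"key":"volatile_memory_boot_code",
+"title":"Improper Access Control for Volatile Memory for Boot Code",
+"caption": "",
+"description":"Assess if the secure boot process can be bypassed to execute untrusted malicious boot code",
+"CWE": ["CWE-1274"]
+},
+{
+"key":"firmware_not_updating",
+"title":"Firmware Not Getting Updates",
+"caption": "",
+"description":"Verify if the firmware can receive regular updates as vulnerabilities are discovered in the future.",
+"CWE": ["CWE-1277"]
+},
+{
+"key":"root_shell",
+"title":"Root Shell Access",
+"caption": "",
+"description":"Try to gain root shell access on the device using an enabled communication protocol, i.e. telnet or ssh, or using an open debug port to interrupt the boot process.",
+"tools":"SOIC-8 clip, Burp, Caido, GNU Screen"
+}
+]
+},
+{
+"key": "upload_logs",
+"title": "Upload logs",
+"description": "This should include all associated traffic associated to the in-scope targets.",
+"type": "large_upload"
+},
+{
+"key": "executive_summary",
+"title": "Executive summary",
+"description": "The executive summary should be written with a high-level view of both risk and business impact. It should be concise and clear, therefore it is important to use plain English. This ensures that non-technical readers can gain insight into security concerns outlined in your report.",
+"type": "executive_summary"
+}
+]
+}
+}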
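Review bot: The `"CWE"` property used on the testing_device items (first at the shared_resources item, then bac_on_chip_debugger, improper_lock_bit_protection and the rest) is the only upper-case key in the file, while every sibling property (`vrt_category`, `tools`, `caption`) is lower snake_case; consumers that validate or map item fields will treat it as a different key from the lower-case form, so it should be normalised now, `"cwe": ["CWE-1189"]`, before the identifier is depended on. The rf_scanning item in the passive_recon checklist also carries its own `"type": "checklist"` and nested `items`, a shape no other item in this file or in binaries.json has; whether the schema.json added in this release admits a checklist nested inside an item cannot be told from here and is worth confirming, since a strict `additionalProperties: false` item schema would reject it. The same item-level inconsistency shows in optional fields: only open_source_intelligence sets `vrt_category`, and some entries use `"key":"…"` without a space after the colon while others use `"key": "…"`, which a single `jq .` or Prettier pass would make uniform.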