vrt 0.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (14) hide show
  1. checksums.yaml +7 -0
  2. data/lib/data/1.0/vrt.schema.json +62 -0
  3. data/lib/data/1.0/vulnerability-rating-taxonomy.json +1526 -0
  4. data/lib/data/1.1/deprecated-node-mapping.json +8 -0
  5. data/lib/data/1.1/vrt.schema.json +62 -0
  6. data/lib/data/1.1/vulnerability-rating-taxonomy.json +1559 -0
  7. data/lib/generators/vrt.rb +3 -0
  8. data/lib/generators/vrt/install_generator.rb +12 -0
  9. data/lib/vrt.rb +123 -0
  10. data/lib/vrt/cross_version_mapping.rb +45 -0
  11. data/lib/vrt/map.rb +82 -0
  12. data/lib/vrt/node.rb +46 -0
  13. data/lib/vrt/version.rb +3 -0
  14. metadata +116 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 3c883252346b6b621bc6bdcef55ab2be37b6cb7d
4
+ data.tar.gz: 60357154b0e182f895d36faea777817672fdc856
5
+ SHA512:
6
+ metadata.gz: 3cc4ddfb007a6648ff1b31c6874c2f8c48e36d3020d5d78c97c816b281af26a69636fe3e5ef04504fa88d79bcc21fb46e0404c8fe133d5cfec65ff95ed32791e
7
+ data.tar.gz: b8563420dec922ab1dcc82ca543cb5178b4e400c4699f60d2ab794d55eeec1120a8aedda14f77280a187aa7013fd45062c15ea75b324058bd2d8f80cd6d112f1
data/lib/data/1.0/vrt.schema.json ADDED
@@ -0,0 +1,62 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-04/schema#",
3
+ "title": "VRT Taxonomy",
4
+ "description": "VRT",
5
+ "definitions": {
6
+ "VRTmetadata": {
7
+ "type": "object",
8
+ "properties": {
9
+ "release_date": { "type": "string", "format": "date-time" }
10
+ }
11
+ },
12
+ "VRT": {
13
+ "type": "object",
14
+ "properties": {
15
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
16
+ "type": { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
17
+ "name": { "type": "string" },
18
+ "priority": {
19
+ "anyOf": [
20
+ { "type": "number", "minimum": 1, "maximum": 5 },
21
+ { "type": "null" }
22
+ ]
23
+ }
24
+ },
25
+ "required": ["id", "name", "type", "priority"]
26
+ },
27
+ "VRTparent": {
28
+ "type": "object",
29
+ "properties": {
30
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
31
+ "name": { "type": "string" },
32
+ "type": { "type": "string", "enum": [ "category", "subcategory" ] },
33
+ "children": {
34
+ "type": "array",
35
+ "items" : {
36
+ "anyOf": [
37
+ { "$ref": "#/definitions/VRTparent" },
38
+ { "$ref": "#/definitions/VRT" }
39
+ ]
40
+ }
41
+ }
42
+ },
43
+ "required": ["id", "name", "type", "children"]
44
+ }
45
+ },
46
+ "type": "object",
47
+ "required": ["metadata", "content"],
48
+ "properties": {
49
+ "metadata": {
50
+ "$ref": "#/definitions/VRTmetadata"
51
+ },
52
+ "content": {
53
+ "type": "array",
54
+ "items" : {
55
+ "anyOf": [
56
+ { "$ref": "#/definitions/VRTparent" },
57
+ { "$ref": "#/definitions/VRT" }
58
+ ]
59
+ }
60
+ }
61
+ }
62
+ }
data/lib/data/1.0/vulnerability-rating-taxonomy.json ADDED
@@ -0,0 +1,1526 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2017-02-17T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "same_site_scripting",
19
+ "name": "Same-Site Scripting",
20
+ "type": "subcategory",
21
+ "priority": 5
22
+ },
23
+ {
24
+ "id": "ssl_attack_breach_poodle_etc",
25
+ "name": "SSL Attack (BREACH, POODLE etc.)",
26
+ "type": "subcategory",
27
+ "priority": null
28
+ },
29
+ {
30
+ "id": "using_default_credentials",
31
+ "name": "Using Default Credentials",
32
+ "type": "subcategory",
33
+ "children": [
34
+ {
35
+ "id": "production_server",
36
+ "name": "Production Server",
37
+ "type": "variant",
38
+ "priority": 1
39
+ },
40
+ {
41
+ "id": "staging_development_server",
42
+ "name": "Staging/Development Server",
43
+ "type": "variant",
44
+ "priority": 2
45
+ }
46
+ ]
47
+ },
48
+ {
49
+ "id": "misconfigured_dns",
50
+ "name": "Misconfigured DNS",
51
+ "type": "subcategory",
52
+ "children": [
53
+ {
54
+ "id": "subdomain_takeover",
55
+ "name": "Subdomain Takeover",
56
+ "type": "variant",
57
+ "priority": 2
58
+ }
59
+ ]
60
+ },
61
+ {
62
+ "id": "mail_server_misconfiguration",
63
+ "name": "Mail Server Misconfiguration",
64
+ "type": "subcategory",
65
+ "children": [
66
+ {
67
+ "id": "missing_spf_on_email_domain",
68
+ "name": "Missing SPF on Email Domain",
69
+ "type": "variant",
70
+ "priority": 3
71
+ },
72
+ {
73
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
74
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
75
+ "type": "variant",
76
+ "priority": 3
77
+ },
78
+ {
79
+ "id": "missing_spf_on_non_email_domain",
80
+ "name": "Missing SPF on Non-Email Domain",
81
+ "type": "variant",
82
+ "priority": 5
83
+ },
84
+ {
85
+ "id": "spf_uses_a_soft_fail",
86
+ "name": "SPF Uses a Soft Fail",
87
+ "type": "variant",
88
+ "priority": 5
89
+ },
90
+ {
91
+ "id": "spf_includes_10_lookups",
92
+ "name": "SPF Includes > 10 Lookups",
93
+ "type": "variant",
94
+ "priority": 5
95
+ },
96
+ {
97
+ "id": "missing_dmarc",
98
+ "name": "Missing DMARC",
99
+ "type": "variant",
100
+ "priority": 5
101
+ }
102
+ ]
103
+ },
104
+ {
105
+ "id": "lack_of_password_confirmation",
106
+ "name": "Lack of Password Confirmation",
107
+ "type": "subcategory",
108
+ "children": [
109
+ {
110
+ "id": "change_email_address",
111
+ "name": "Change Email Address",
112
+ "type": "variant",
113
+ "priority": 4
114
+ },
115
+ {
116
+ "id": "change_password",
117
+ "name": "Change Password",
118
+ "type": "variant",
119
+ "priority": 4
120
+ },
121
+ {
122
+ "id": "delete_account",
123
+ "name": "Delete Account",
124
+ "type": "variant",
125
+ "priority": 4
126
+ }
127
+ ]
128
+ },
129
+ {
130
+ "id": "no_rate_limiting_on_form",
131
+ "name": "No Rate Limiting on Form",
132
+ "type": "subcategory",
133
+ "children": [
134
+ {
135
+ "id": "registration",
136
+ "name": "Registration",
137
+ "type": "variant",
138
+ "priority": 4
139
+ },
140
+ {
141
+ "id": "login",
142
+ "name": "Login",
143
+ "type": "variant",
144
+ "priority": 3
145
+ },
146
+ {
147
+ "id": "email_triggering",
148
+ "name": "Email-Triggering",
149
+ "type": "variant",
150
+ "priority": 4
151
+ }
152
+ ]
153
+ },
154
+ {
155
+ "id": "unsafe_file_upload",
156
+ "name": "Unsafe File Upload",
157
+ "type": "subcategory",
158
+ "children": [
159
+ {
160
+ "id": "no_antivirus",
161
+ "name": "No Antivirus",
162
+ "type": "variant",
163
+ "priority": 4
164
+ },
165
+ {
166
+ "id": "no_size_limit",
167
+ "name": "No Size Limit",
168
+ "type": "variant",
169
+ "priority": 4
170
+ },
171
+ {
172
+ "id": "file_extension_filter_bypass",
173
+ "name": "File Extension Filter Bypass",
174
+ "type": "variant",
175
+ "priority": 5
176
+ }
177
+ ]
178
+ },
179
+ {
180
+ "id": "missing_secure_or_httponly_cookie_flag",
181
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
182
+ "type": "subcategory",
183
+ "children": [
184
+ {
185
+ "id": "session_token",
186
+ "name": "Session Token",
187
+ "type": "variant",
188
+ "priority": 4
189
+ },
190
+ {
191
+ "id": "non_session_cookie",
192
+ "name": "Non-Session Cookie",
193
+ "type": "variant",
194
+ "priority": 5
195
+ }
196
+ ]
197
+ },
198
+ {
199
+ "id": "clickjacking",
200
+ "name": "Clickjacking",
201
+ "type": "subcategory",
202
+ "children": [
203
+ {
204
+ "id": "sensitive_action",
205
+ "name": "Sensitive Action",
206
+ "type": "variant",
207
+ "priority": 4
208
+ },
209
+ {
210
+ "id": "non_sensitive_action",
211
+ "name": "Non-Sensitive Action",
212
+ "type": "variant",
213
+ "priority": 5
214
+ }
215
+ ]
216
+ },
217
+ {
218
+ "id": "oauth_misconfiguration",
219
+ "name": "OAuth Misconfiguration",
220
+ "type": "subcategory",
221
+ "children": [
222
+ {
223
+ "id": "missing_state_parameter",
224
+ "name": "Missing State Parameter",
225
+ "type": "variant",
226
+ "priority": 4
227
+ }
228
+ ]
229
+ },
230
+ {
231
+ "id": "captcha_bypass",
232
+ "name": "Captcha Bypass",
233
+ "type": "subcategory",
234
+ "children": [
235
+ {
236
+ "id": "implementation_vulnerability",
237
+ "name": "Implementation Vulnerability",
238
+ "type": "variant",
239
+ "priority": 4
240
+ },
241
+ {
242
+ "id": "brute_force",
243
+ "name": "Brute Force",
244
+ "type": "variant",
245
+ "priority": 5
246
+ }
247
+ ]
248
+ },
249
+ {
250
+ "id": "exposed_admin_portal",
251
+ "name": "Exposed Admin Portal",
252
+ "type": "subcategory",
253
+ "children": [
254
+ {
255
+ "id": "to_internet",
256
+ "name": "To Internet",
257
+ "type": "variant",
258
+ "priority": 5
259
+ }
260
+ ]
261
+ },
262
+ {
263
+ "id": "missing_dnssec",
264
+ "name": "Missing DNSSEC",
265
+ "type": "subcategory",
266
+ "priority": 5
267
+ },
268
+ {
269
+ "id": "username_enumeration",
270
+ "name": "Username Enumeration",
271
+ "type": "subcategory",
272
+ "children": [
273
+ {
274
+ "id": "brute_force",
275
+ "name": "Brute Force",
276
+ "type": "variant",
277
+ "priority": 5
278
+ }
279
+ ]
280
+ },
281
+ {
282
+ "id": "potentially_unsafe_http_method_enabled",
283
+ "name": "Potentially Unsafe HTTP Method Enabled",
284
+ "type": "subcategory",
285
+ "children": [
286
+ {
287
+ "id": "options",
288
+ "name": "OPTIONS",
289
+ "type": "variant",
290
+ "priority": 5
291
+ },
292
+ {
293
+ "id": "trace",
294
+ "name": "TRACE",
295
+ "type": "variant",
296
+ "priority": 5
297
+ }
298
+ ]
299
+ },
300
+ {
301
+ "id": "insecure_ssl",
302
+ "name": "Insecure SSL",
303
+ "type": "subcategory",
304
+ "children": [
305
+ {
306
+ "id": "lack_of_forward_secrecy",
307
+ "name": "Lack of Forward Secrecy",
308
+ "type": "variant",
309
+ "priority": 5
310
+ },
311
+ {
312
+ "id": "insecure_cipher_suite",
313
+ "name": "Insecure Cipher Suite",
314
+ "type": "variant",
315
+ "priority": 5
316
+ }
317
+ ]
318
+ },
319
+ {
320
+ "id": "lack_of_security_headers",
321
+ "name": "Lack of Security Headers",
322
+ "type": "subcategory",
323
+ "children": [
324
+ {
325
+ "id": "x_frame_options",
326
+ "name": "X-Frame-Options",
327
+ "type": "variant",
328
+ "priority": 5
329
+ },
330
+ {
331
+ "id": "cache_control_for_a_non_sensitive_page",
332
+ "name": "Cache-Control for a Non-Sensitive Page",
333
+ "type": "variant",
334
+ "priority": 5
335
+ },
336
+ {
337
+ "id": "x_xss_protection",
338
+ "name": "X-XSS-Protection",
339
+ "type": "variant",
340
+ "priority": 5
341
+ },
342
+ {
343
+ "id": "strict_transport_security",
344
+ "name": "Strict-Transport-Security",
345
+ "type": "variant",
346
+ "priority": 5
347
+ },
348
+ {
349
+ "id": "x_content_type_options",
350
+ "name": "X-Content-Type-Options",
351
+ "type": "variant",
352
+ "priority": 5
353
+ },
354
+ {
355
+ "id": "content_security_policy",
356
+ "name": "Content-Security-Policy",
357
+ "type": "variant",
358
+ "priority": 5
359
+ },
360
+ {
361
+ "id": "public_key_pins",
362
+ "name": "Public-Key-Pins",
363
+ "type": "variant",
364
+ "priority": 5
365
+ },
366
+ {
367
+ "id": "x_content_security_policy",
368
+ "name": "X-Content-Security-Policy",
369
+ "type": "variant",
370
+ "priority": 5
371
+ },
372
+ {
373
+ "id": "x_webkit_csp",
374
+ "name": "X-Webkit-CSP",
375
+ "type": "variant",
376
+ "priority": 5
377
+ },
378
+ {
379
+ "id": "content_security_policy_report_only",
380
+ "name": "Content-Security-Policy-Report-Only",
381
+ "type": "variant",
382
+ "priority": 5
383
+ },
384
+ {
385
+ "id": "cache_control_for_a_sensitive_page",
386
+ "name": "Cache-Control for a Sensitive Page",
387
+ "type": "variant",
388
+ "priority": 4
389
+ }
390
+ ]
391
+ }
392
+ ]
393
+ },
394
+ {
395
+ "id": "server_side_injection",
396
+ "name": "Server-Side Injection",
397
+ "type": "category",
398
+ "children": [
399
+ {
400
+ "id": "file_inclusion",
401
+ "name": "File Inclusion",
402
+ "type": "subcategory",
403
+ "children": [
404
+ {
405
+ "id": "local",
406
+ "name": "Local",
407
+ "type": "variant",
408
+ "priority": 1
409
+ }
410
+ ]
411
+ },
412
+ {
413
+ "id": "parameter_pollution",
414
+ "name": "Parameter Pollution",
415
+ "type": "subcategory",
416
+ "children": [
417
+ {
418
+ "id": "social_media_sharing_buttons",
419
+ "name": "Social Media Sharing Buttons",
420
+ "type": "variant",
421
+ "priority": 5
422
+ }
423
+ ]
424
+ },
425
+ {
426
+ "id": "remote_code_execution_rce",
427
+ "name": "Remote Code Execution (RCE)",
428
+ "type": "subcategory",
429
+ "priority": 1
430
+ },
431
+ {
432
+ "id": "sql_injection",
433
+ "name": "SQL Injection",
434
+ "type": "subcategory",
435
+ "children": [
436
+ {
437
+ "id": "error_based",
438
+ "name": "Error-Based",
439
+ "type": "variant",
440
+ "priority": 1
441
+ },
442
+ {
443
+ "id": "blind",
444
+ "name": "Blind",
445
+ "type": "variant",
446
+ "priority": 1
447
+ }
448
+ ]
449
+ },
450
+ {
451
+ "id": "xml_external_entity_injection_xxe",
452
+ "name": "XML External Entity Injection (XXE)",
453
+ "type": "subcategory",
454
+ "priority": 1
455
+ },
456
+ {
457
+ "id": "http_response_manipulation",
458
+ "name": "HTTP Response Manipulation",
459
+ "type": "subcategory",
460
+ "children": [
461
+ {
462
+ "id": "response_splitting_crlf",
463
+ "name": "Response Splitting (CRLF)",
464
+ "type": "variant",
465
+ "priority": 3
466
+ }
467
+ ]
468
+ },
469
+ {
470
+ "id": "content_spoofing",
471
+ "name": "Content Spoofing",
472
+ "type": "subcategory",
473
+ "children": [
474
+ {
475
+ "id": "iframe_injection",
476
+ "name": "iframe Injection",
477
+ "type": "variant",
478
+ "priority": 3
479
+ },
480
+ {
481
+ "id": "external_authentication_injection",
482
+ "name": "External Authentication Injection",
483
+ "type": "variant",
484
+ "priority": 4
485
+ },
486
+ {
487
+ "id": "email_html_injection",
488
+ "name": "Email HTML Injection",
489
+ "type": "variant",
490
+ "priority": 4
491
+ },
492
+ {
493
+ "id": "text_injection",
494
+ "name": "Text Injection",
495
+ "type": "variant",
496
+ "priority": 5
497
+ },
498
+ {
499
+ "id": "homograph_idn_based",
500
+ "name": "Homograph/IDN-Based",
501
+ "type": "variant",
502
+ "priority": 5
503
+ }
504
+ ]
505
+ }
506
+ ]
507
+ },
508
+ {
509
+ "id": "broken_authentication_and_session_management",
510
+ "name": "Broken Authentication and Session Management",
511
+ "type": "category",
512
+ "children": [
513
+ {
514
+ "id": "authentication_bypass",
515
+ "name": "Authentication Bypass",
516
+ "type": "subcategory",
517
+ "children": [
518
+ {
519
+ "id": "vertical",
520
+ "name": "Vertical",
521
+ "type": "variant",
522
+ "priority": 1
523
+ },
524
+ {
525
+ "id": "horizontal",
526
+ "name": "Horizontal",
527
+ "type": "variant",
528
+ "priority": 2
529
+ }
530
+ ]
531
+ },
532
+ {
533
+ "id": "weak_login_function",
534
+ "name": "Weak Login Function",
535
+ "type": "subcategory",
536
+ "children": [
537
+ {
538
+ "id": "over_http",
539
+ "name": "Over HTTP",
540
+ "type": "variant",
541
+ "priority": 3
542
+ }
543
+ ]
544
+ },
545
+ {
546
+ "id": "session_fixation",
547
+ "name": "Session Fixation",
548
+ "type": "subcategory",
549
+ "priority": 3
550
+ },
551
+ {
552
+ "id": "failure_to_invalidate_session",
553
+ "name": "Failure to Invalidate Session",
554
+ "type": "subcategory",
555
+ "children": [
556
+ {
557
+ "id": "on_logout",
558
+ "name": "On Logout",
559
+ "type": "variant",
560
+ "priority": 4
561
+ },
562
+ {
563
+ "id": "on_password_reset",
564
+ "name": "On Password Reset",
565
+ "type": "variant",
566
+ "priority": 4
567
+ },
568
+ {
569
+ "id": "on_password_change",
570
+ "name": "On Password Change",
571
+ "type": "variant",
572
+ "priority": 4
573
+ },
574
+ {
575
+ "id": "all_sessions",
576
+ "name": "All Sessions",
577
+ "type": "variant",
578
+ "priority": 5
579
+ },
580
+ {
581
+ "id": "on_email_change",
582
+ "name": "On Email Change",
583
+ "type": "variant",
584
+ "priority": 5
585
+ },
586
+ {
587
+ "id": "long_timeout",
588
+ "name": "Long Timeout",
589
+ "type": "variant",
590
+ "priority": 5
591
+ }
592
+ ]
593
+ },
594
+ {
595
+ "id": "session_token_in_url",
596
+ "name": "Session Token in URL",
597
+ "type": "subcategory",
598
+ "children": [
599
+ {
600
+ "id": "over_http",
601
+ "name": "Over HTTP",
602
+ "type": "variant",
603
+ "priority": 4
604
+ },
605
+ {
606
+ "id": "over_https",
607
+ "name": "Over HTTPS",
608
+ "type": "variant",
609
+ "priority": 5
610
+ }
611
+ ]
612
+ },
613
+ {
614
+ "id": "concurrent_logins",
615
+ "name": "Concurrent Logins",
616
+ "type": "subcategory",
617
+ "priority": 5
618
+ },
619
+ {
620
+ "id": "weak_registration_implementation",
621
+ "name": "Weak Registration Implementation",
622
+ "type": "subcategory",
623
+ "children": [
624
+ {
625
+ "id": "over_http",
626
+ "name": "Over HTTP",
627
+ "type": "variant",
628
+ "priority": 4
629
+ }
630
+ ]
631
+ }
632
+ ]
633
+ },
634
+ {
635
+ "id": "insecure_direct_object_references_idor",
636
+ "name": "Insecure Direct Object References (IDOR)",
637
+ "type": "category",
638
+ "priority": null
639
+ },
640
+ {
641
+ "id": "sensitive_data_exposure",
642
+ "name": "Sensitive Data Exposure",
643
+ "type": "category",
644
+ "children": [
645
+ {
646
+ "id": "critically_sensitive_data",
647
+ "name": "Critically Sensitive Data",
648
+ "type": "subcategory",
649
+ "children": [
650
+ {
651
+ "id": "password_disclosure",
652
+ "name": "Password Disclosure",
653
+ "type": "variant",
654
+ "priority": 1
655
+ },
656
+ {
657
+ "id": "private_api_keys",
658
+ "name": "Private API Keys",
659
+ "type": "variant",
660
+ "priority": 1
661
+ }
662
+ ]
663
+ },
664
+ {
665
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
666
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
667
+ "type": "subcategory",
668
+ "children": [
669
+ {
670
+ "id": "automatic_user_enumeration",
671
+ "name": "Automatic User Enumeration",
672
+ "type": "variant",
673
+ "priority": 3
674
+ },
675
+ {
676
+ "id": "manual_user_enumeration",
677
+ "name": "Manual User Enumeration",
678
+ "type": "variant",
679
+ "priority": 4
680
+ }
681
+ ]
682
+ },
683
+ {
684
+ "id": "visible_detailed_error_page",
685
+ "name": "Visible Detailed Error Page",
686
+ "type": "subcategory",
687
+ "priority": null
688
+ },
689
+ {
690
+ "id": "disclosure_of_known_public_information",
691
+ "name": "Disclosure of Known Public Information",
692
+ "type": "subcategory",
693
+ "priority": 5
694
+ },
695
+ {
696
+ "id": "token_leakage_via_referer",
697
+ "name": "Token Leakage via Referer",
698
+ "type": "subcategory",
699
+ "children": [
700
+ {
701
+ "id": "over_https",
702
+ "name": "Over HTTPS",
703
+ "type": "variant",
704
+ "priority": 5
705
+ },
706
+ {
707
+ "id": "over_http",
708
+ "name": "Over HTTP",
709
+ "type": "variant",
710
+ "priority": 4
711
+ }
712
+ ]
713
+ },
714
+ {
715
+ "id": "sensitive_token_in_url",
716
+ "name": "Sensitive Token in URL",
717
+ "type": "subcategory",
718
+ "priority": 4
719
+ },
720
+ {
721
+ "id": "weak_password_reset_implementation",
722
+ "name": "Weak Password Reset Implementation",
723
+ "type": "subcategory",
724
+ "children": [
725
+ {
726
+ "id": "password_reset_token_sent_over_http",
727
+ "name": "Password Reset Token Sent Over HTTP",
728
+ "type": "variant",
729
+ "priority": 4
730
+ }
731
+ ]
732
+ },
733
+ {
734
+ "id": "mixed_content",
735
+ "name": "Mixed Content",
736
+ "type": "subcategory",
737
+ "children": [
738
+ {
739
+ "id": "sensitive_data_disclosure",
740
+ "name": "Sensitive Data Disclosure",
741
+ "type": "variant",
742
+ "priority": 4
743
+ },
744
+ {
745
+ "id": "requires_being_a_man_in_the_middle",
746
+ "name": "Requires Being a Man-in-the-Middle",
747
+ "type": "variant",
748
+ "priority": 5
749
+ }
750
+ ]
751
+ },
752
+ {
753
+ "id": "sensitive_data_hardcoded",
754
+ "name": "Sensitive Data Hardcoded",
755
+ "type": "subcategory",
756
+ "children": [
757
+ {
758
+ "id": "oauth_secret",
759
+ "name": "OAuth Secret",
760
+ "type": "variant",
761
+ "priority": 5
762
+ },
763
+ {
764
+ "id": "file_paths",
765
+ "name": "File Paths",
766
+ "type": "variant",
767
+ "priority": 5
768
+ }
769
+ ]
770
+ },
771
+ {
772
+ "id": "non_sensitive_token_in_url",
773
+ "name": "Non-Sensitive Token in URL",
774
+ "type": "subcategory",
775
+ "priority": 5
776
+ }
777
+ ]
778
+ },
779
+ {
780
+ "id": "cross_site_scripting_xss",
781
+ "name": "Cross-Site Scripting (XSS)",
782
+ "type": "category",
783
+ "children": [
784
+ {
785
+ "id": "stored",
786
+ "name": "Stored",
787
+ "type": "subcategory",
788
+ "children": [
789
+ {
790
+ "id": "non_admin_to_anyone",
791
+ "name": "Non-Admin to Anyone",
792
+ "type": "variant",
793
+ "priority": 2
794
+ },
795
+ {
796
+ "id": "admin_to_anyone",
797
+ "name": "Admin to Anyone",
798
+ "type": "variant",
799
+ "priority": 3
800
+ },
801
+ {
802
+ "id": "self",
803
+ "name": "Self",
804
+ "type": "variant",
805
+ "priority": 5
806
+ }
807
+ ]
808
+ },
809
+ {
810
+ "id": "reflected",
811
+ "name": "Reflected",
812
+ "type": "subcategory",
813
+ "children": [
814
+ {
815
+ "id": "non_admin_to_anyone",
816
+ "name": "Non-Admin to Anyone",
817
+ "type": "variant",
818
+ "priority": 3
819
+ },
820
+ {
821
+ "id": "admin_to_anyone",
822
+ "name": "Admin to Anyone",
823
+ "type": "variant",
824
+ "priority": 4
825
+ },
826
+ {
827
+ "id": "self",
828
+ "name": "Self",
829
+ "type": "variant",
830
+ "priority": 5
831
+ }
832
+ ]
833
+ },
834
+ {
835
+ "id": "cookie_based",
836
+ "name": "Cookie-Based",
837
+ "type": "subcategory",
838
+ "priority": 4
839
+ },
840
+ {
841
+ "id": "ie_only",
842
+ "name": "IE-Only",
843
+ "type": "subcategory",
844
+ "children": [
845
+ {
846
+ "id": "older_version_ie_10_11",
847
+ "name": "Older Version (IE 10/11)",
848
+ "type": "variant",
849
+ "priority": 4
850
+ },
851
+ {
852
+ "id": "xss_filter_disabled",
853
+ "name": "XSS Filter Disabled",
854
+ "type": "variant",
855
+ "priority": 5
856
+ },
857
+ {
858
+ "id": "older_version_ie10",
859
+ "name": "Older Version (< IE10)",
860
+ "type": "variant",
861
+ "priority": 5
862
+ }
863
+ ]
864
+ },
865
+ {
866
+ "id": "referer",
867
+ "name": "Referer",
868
+ "type": "subcategory",
869
+ "priority": 4
870
+ },
871
+ {
872
+ "id": "trace_method",
873
+ "name": "TRACE Method",
874
+ "type": "subcategory",
875
+ "priority": 5
876
+ },
877
+ {
878
+ "id": "universal_uxss",
879
+ "name": "Universal (UXSS)",
880
+ "type": "subcategory",
881
+ "priority": 4
882
+ },
883
+ {
884
+ "id": "off_domain",
885
+ "name": "Off-Domain",
886
+ "type": "subcategory",
887
+ "children": [
888
+ {
889
+ "id": "data_uri",
890
+ "name": "Data URI",
891
+ "type": "variant",
892
+ "priority": 4
893
+ }
894
+ ]
895
+ }
896
+ ]
897
+ },
898
+ {
899
+ "id": "missing_function_level_access_control",
900
+ "name": "Missing Function Level Access Control",
901
+ "type": "category",
902
+ "children": [
903
+ {
904
+ "id": "server_side_request_forgery_ssrf",
905
+ "name": "Server-Side Request Forgery (SSRF)",
906
+ "type": "subcategory",
907
+ "children": [
908
+ {
909
+ "id": "internal",
910
+ "name": "Internal",
911
+ "type": "variant",
912
+ "priority": 2
913
+ },
914
+ {
915
+ "id": "external",
916
+ "name": "External",
917
+ "type": "variant",
918
+ "priority": 4
919
+ }
920
+ ]
921
+ },
922
+ {
923
+ "id": "username_enumeration",
924
+ "name": "Username Enumeration",
925
+ "type": "subcategory",
926
+ "children": [
927
+ {
928
+ "id": "data_leak",
929
+ "name": "Data Leak",
930
+ "type": "variant",
931
+ "priority": 4
932
+ }
933
+ ]
934
+ },
935
+ {
936
+ "id": "exposed_sensitive_android_intent",
937
+ "name": "Exposed Sensitive Android Intent",
938
+ "type": "subcategory",
939
+ "priority": null
940
+ },
941
+ {
942
+ "id": "exposed_sensitive_ios_url_scheme",
943
+ "name": "Exposed Sensitive iOS URL Scheme",
944
+ "type": "subcategory",
945
+ "priority": null
946
+ }
947
+ ]
948
+ },
949
+ {
950
+ "id": "cross_site_request_forgery_csrf",
951
+ "name": "Cross-Site Request Forgery (CSRF)",
952
+ "type": "category",
953
+ "priority": null
954
+ },
955
+ {
956
+ "id": "application_level_denial_of_service_dos",
957
+ "name": "Application-Level Denial-of-Service (DoS)",
958
+ "type": "category",
959
+ "children": [
960
+ {
961
+ "id": "critical_impact_and_or_easy_difficulty",
962
+ "name": "Critical Impact and/or Easy Difficulty",
963
+ "type": "subcategory",
964
+ "priority": 2
965
+ },
966
+ {
967
+ "id": "high_impact_and_or_medium_difficulty",
968
+ "name": "High Impact and/or Medium Difficulty",
969
+ "type": "subcategory",
970
+ "priority": 3
971
+ },
972
+ {
973
+ "id": "app_crash",
974
+ "name": "App Crash",
975
+ "type": "subcategory",
976
+ "children": [
977
+ {
978
+ "id": "malformed_android_intents",
979
+ "name": "Malformed Android Intents",
980
+ "type": "variant",
981
+ "priority": 5
982
+ },
983
+ {
984
+ "id": "malformed_ios_url_schemes",
985
+ "name": "Malformed iOS URL Schemes",
986
+ "type": "variant",
987
+ "priority": 5
988
+ }
989
+ ]
990
+ }
991
+ ]
992
+ },
993
+ {
994
+ "id": "unvalidated_redirects_and_forwards",
995
+ "name": "Unvalidated Redirects and Forwards",
996
+ "type": "category",
997
+ "children": [
998
+ {
999
+ "id": "open_redirect",
1000
+ "name": "Open Redirect",
1001
+ "type": "subcategory",
1002
+ "children": [
1003
+ {
1004
+ "id": "get_based_all_users",
1005
+ "name": "GET-Based (All Users)",
1006
+ "type": "variant",
1007
+ "priority": 3
1008
+ },
1009
+ {
1010
+ "id": "get_based_authenticated",
1011
+ "name": "GET-Based (Authenticated)",
1012
+ "type": "variant",
1013
+ "priority": 4
1014
+ },
1015
+ {
1016
+ "id": "get_based_unauthenticated",
1017
+ "name": "GET-Based (Unauthenticated)",
1018
+ "type": "variant",
1019
+ "priority": 4
1020
+ },
1021
+ {
1022
+ "id": "post_based",
1023
+ "name": "POST-Based",
1024
+ "type": "variant",
1025
+ "priority": 5
1026
+ },
1027
+ {
1028
+ "id": "header_based",
1029
+ "name": "Header-Based",
1030
+ "type": "variant",
1031
+ "priority": 5
1032
+ }
1033
+ ]
1034
+ },
1035
+ {
1036
+ "id": "tabnabbing",
1037
+ "name": "Tabnabbing",
1038
+ "type": "subcategory",
1039
+ "priority": 5
1040
+ },
1041
+ {
1042
+ "id": "lack_of_security_speed_bump_page",
1043
+ "name": "Lack of Security Speed Bump Page",
1044
+ "type": "subcategory",
1045
+ "priority": 5
1046
+ }
1047
+ ]
1048
+ },
1049
+ {
1050
+ "id": "external_behavior",
1051
+ "name": "External Behavior",
1052
+ "type": "category",
1053
+ "children": [
1054
+ {
1055
+ "id": "browser_feature",
1056
+ "name": "Browser Feature",
1057
+ "type": "subcategory",
1058
+ "children": [
1059
+ {
1060
+ "id": "plaintext_password_field",
1061
+ "name": "Plaintext Password Field",
1062
+ "type": "variant",
1063
+ "priority": 5
1064
+ },
1065
+ {
1066
+ "id": "save_password",
1067
+ "name": "Save Password",
1068
+ "type": "variant",
1069
+ "priority": 5
1070
+ },
1071
+ {
1072
+ "id": "autocomplete_enabled",
1073
+ "name": "Autocomplete Enabled",
1074
+ "type": "variant",
1075
+ "priority": 5
1076
+ },
1077
+ {
1078
+ "id": "autocorrect_enabled",
1079
+ "name": "Autocorrect Enabled",
1080
+ "type": "variant",
1081
+ "priority": 5
1082
+ },
1083
+ {
1084
+ "id": "aggressive_offline_caching",
1085
+ "name": "Aggressive Offline Caching",
1086
+ "type": "variant",
1087
+ "priority": 5
1088
+ }
1089
+ ]
1090
+ },
1091
+ {
1092
+ "id": "csv_injection",
1093
+ "name": "CSV Injection",
1094
+ "type": "subcategory",
1095
+ "priority": 5
1096
+ },
1097
+ {
1098
+ "id": "captcha_bypass",
1099
+ "name": "Captcha Bypass",
1100
+ "type": "subcategory",
1101
+ "children": [
1102
+ {
1103
+ "id": "crowdsourcing",
1104
+ "name": "Crowdsourcing",
1105
+ "type": "variant",
1106
+ "priority": 5
1107
+ }
1108
+ ]
1109
+ },
1110
+ {
1111
+ "id": "system_clipboard_leak",
1112
+ "name": "System Clipboard Leak",
1113
+ "type": "subcategory",
1114
+ "children": [
1115
+ {
1116
+ "id": "shared_links",
1117
+ "name": "Shared Links",
1118
+ "type": "variant",
1119
+ "priority": 5
1120
+ }
1121
+ ]
1122
+ },
1123
+ {
1124
+ "id": "user_password_persisted_in_memory",
1125
+ "name": "User Password Persisted in Memory",
1126
+ "type": "subcategory",
1127
+ "priority": 5
1128
+ }
1129
+ ]
1130
+ },
1131
+ {
1132
+ "id": "insufficient_security_configurability",
1133
+ "name": "Insufficient Security Configurability",
1134
+ "type": "category",
1135
+ "children": [
1136
+ {
1137
+ "id": "weak_password_policy",
1138
+ "name": "Weak Password Policy",
1139
+ "type": "subcategory",
1140
+ "children": [
1141
+ {
1142
+ "id": "complexity_both_length_and_char_type_not_enforced",
1143
+ "name": "Complexity, Both Length and Char Type Not Enforced",
1144
+ "type": "variant",
1145
+ "priority": 3
1146
+ },
1147
+ {
1148
+ "id": "complexity_length_not_enforced",
1149
+ "name": "Complexity, Length Not Enforced",
1150
+ "type": "variant",
1151
+ "priority": 4
1152
+ },
1153
+ {
1154
+ "id": "complexity_char_type_not_enforced",
1155
+ "name": "Complexity, Char Type Not Enforced",
1156
+ "type": "variant",
1157
+ "priority": 4
1158
+ },
1159
+ {
1160
+ "id": "allows_reuse_of_old_passwords",
1161
+ "name": "Allows Reuse of Old Passwords",
1162
+ "type": "variant",
1163
+ "priority": 5
1164
+ },
1165
+ {
1166
+ "id": "allows_password_to_be_same_as_email_username",
1167
+ "name": "Allows Password to be Same as Email/Username",
1168
+ "type": "variant",
1169
+ "priority": 5
1170
+ }
1171
+ ]
1172
+ },
1173
+ {
1174
+ "id": "weak_password_reset_implementation",
1175
+ "name": "Weak Password Reset Implementation",
1176
+ "type": "subcategory",
1177
+ "children": [
1178
+ {
1179
+ "id": "token_is_not_invalidated_after_use",
1180
+ "name": "Token is Not Invalidated After Use",
1181
+ "type": "variant",
1182
+ "priority": 4
1183
+ },
1184
+ {
1185
+ "id": "token_is_not_invalidated_after_email_change",
1186
+ "name": "Token is Not Invalidated After Email Change",
1187
+ "type": "variant",
1188
+ "priority": 5
1189
+ },
1190
+ {
1191
+ "id": "token_is_not_invalidated_after_password_change",
1192
+ "name": "Token is Not Invalidated After Password Change",
1193
+ "type": "variant",
1194
+ "priority": 5
1195
+ },
1196
+ {
1197
+ "id": "token_has_long_timed_expiry",
1198
+ "name": "Token Has Long Timed Expiry",
1199
+ "type": "variant",
1200
+ "priority": 5
1201
+ },
1202
+ {
1203
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1204
+ "name": "Token is Not Invalidated After New Token is Requested",
1205
+ "type": "variant",
1206
+ "priority": 5
1207
+ }
1208
+ ]
1209
+ },
1210
+ {
1211
+ "id": "lack_of_verification_email",
1212
+ "name": "Lack of Verification Email",
1213
+ "type": "subcategory",
1214
+ "priority": 5
1215
+ },
1216
+ {
1217
+ "id": "lack_of_notification_email",
1218
+ "name": "Lack of Notification Email",
1219
+ "type": "subcategory",
1220
+ "priority": 5
1221
+ },
1222
+ {
1223
+ "id": "weak_registration_implementation",
1224
+ "name": "Weak Registration Implementation",
1225
+ "type": "subcategory",
1226
+ "children": [
1227
+ {
1228
+ "id": "allows_disposable_email_addresses",
1229
+ "name": "Allows Disposable Email Addresses",
1230
+ "type": "variant",
1231
+ "priority": 5
1232
+ }
1233
+ ]
1234
+ },
1235
+ {
1236
+ "id": "weak_2fa_implementation",
1237
+ "name": "Weak 2FA Implementation",
1238
+ "type": "subcategory",
1239
+ "children": [
1240
+ {
1241
+ "id": "missing_failsafe",
1242
+ "name": "Missing Failsafe",
1243
+ "type": "variant",
1244
+ "priority": 5
1245
+ }
1246
+ ]
1247
+ }
1248
+ ]
1249
+ },
1250
+ {
1251
+ "id": "using_components_with_known_vulnerabilities",
1252
+ "name": "Using Components with Known Vulnerabilities",
1253
+ "type": "category",
1254
+ "children": [
1255
+ {
1256
+ "id": "rosetta_flash",
1257
+ "name": "Rosetta Flash",
1258
+ "type": "subcategory",
1259
+ "priority": 4
1260
+ },
1261
+ {
1262
+ "id": "outdated_software_version",
1263
+ "name": "Outdated Software Version",
1264
+ "type": "subcategory",
1265
+ "priority": 5
1266
+ },
1267
+ {
1268
+ "id": "captcha_bypass",
1269
+ "name": "Captcha Bypass",
1270
+ "type": "subcategory",
1271
+ "children": [
1272
+ {
1273
+ "id": "ocr_optical_character_recognition",
1274
+ "name": "OCR (Optical Character Recognition)",
1275
+ "type": "variant",
1276
+ "priority": 5
1277
+ }
1278
+ ]
1279
+ }
1280
+ ]
1281
+ },
1282
+ {
1283
+ "id": "insecure_data_storage",
1284
+ "name": "Insecure Data Storage",
1285
+ "type": "category",
1286
+ "children": [
1287
+ {
1288
+ "id": "credentials_stored_unencrypted",
1289
+ "name": "Credentials Stored Unencrypted",
1290
+ "type": "subcategory",
1291
+ "children": [
1292
+ {
1293
+ "id": "on_external_storage",
1294
+ "name": "On External Storage",
1295
+ "type": "variant",
1296
+ "priority": 4
1297
+ },
1298
+ {
1299
+ "id": "on_internal_storage",
1300
+ "name": "On Internal Storage",
1301
+ "type": "variant",
1302
+ "priority": 5
1303
+ }
1304
+ ]
1305
+ },
1306
+ {
1307
+ "id": "sensitive_application_data_stored_unencrypted",
1308
+ "name": "Sensitive Application Data Stored Unencrypted",
1309
+ "type": "subcategory",
1310
+ "children": [
1311
+ {
1312
+ "id": "on_external_storage",
1313
+ "name": "On External Storage",
1314
+ "type": "variant",
1315
+ "priority": 4
1316
+ },
1317
+ {
1318
+ "id": "on_internal_storage",
1319
+ "name": "On Internal Storage",
1320
+ "type": "variant",
1321
+ "priority": 5
1322
+ }
1323
+ ]
1324
+ },
1325
+ {
1326
+ "id": "non_sensitive_application_data_stored_unencrypted",
1327
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1328
+ "type": "subcategory",
1329
+ "priority": 5
1330
+ },
1331
+ {
1332
+ "id": "screen_caching_enabled",
1333
+ "name": "Screen Caching Enabled",
1334
+ "type": "subcategory",
1335
+ "priority": 5
1336
+ },
1337
+ {
1338
+ "id": "insecure_data_storage",
1339
+ "name": "Insecure Data Storage",
1340
+ "type": "subcategory",
1341
+ "children": [
1342
+ {
1343
+ "id": "password",
1344
+ "name": "Password",
1345
+ "type": "variant",
1346
+ "priority": 2
1347
+ }
1348
+ ]
1349
+ }
1350
+ ]
1351
+ },
1352
+ {
1353
+ "id": "lack_of_binary_hardening",
1354
+ "name": "Lack of Binary Hardening",
1355
+ "type": "category",
1356
+ "children": [
1357
+ {
1358
+ "id": "lack_of_exploit_mitigations",
1359
+ "name": "Lack of Exploit Mitigations",
1360
+ "type": "subcategory",
1361
+ "priority": 5
1362
+ },
1363
+ {
1364
+ "id": "lack_of_jailbreak_detection",
1365
+ "name": "Lack of Jailbreak Detection",
1366
+ "type": "subcategory",
1367
+ "priority": 5
1368
+ },
1369
+ {
1370
+ "id": "lack_of_obfuscation",
1371
+ "name": "Lack of Obfuscation",
1372
+ "type": "subcategory",
1373
+ "priority": 5
1374
+ },
1375
+ {
1376
+ "id": "runtime_instrumentation_based",
1377
+ "name": "Runtime Instrumentation-Based",
1378
+ "type": "subcategory",
1379
+ "priority": 5
1380
+ }
1381
+ ]
1382
+ },
1383
+ {
1384
+ "id": "insecure_data_transport",
1385
+ "name": "Insecure Data Transport",
1386
+ "type": "category",
1387
+ "children": [
1388
+ {
1389
+ "id": "ssl_certificate_pinning",
1390
+ "name": "SSL Certificate Pinning",
1391
+ "type": "subcategory",
1392
+ "children": [
1393
+ {
1394
+ "id": "absent",
1395
+ "name": "Absent",
1396
+ "type": "variant",
1397
+ "priority": 5
1398
+ },
1399
+ {
1400
+ "id": "defeatable",
1401
+ "name": "Defeatable",
1402
+ "type": "variant",
1403
+ "priority": 5
1404
+ }
1405
+ ]
1406
+ }
1407
+ ]
1408
+ },
1409
+ {
1410
+ "id": "insecure_os_firmware",
1411
+ "name": "Insecure OS/Firmware",
1412
+ "type": "category",
1413
+ "children": [
1414
+ {
1415
+ "id": "command_injection",
1416
+ "name": "Command Injection",
1417
+ "type": "subcategory",
1418
+ "priority": 1
1419
+ },
1420
+ {
1421
+ "id": "hardcoded_password",
1422
+ "name": "Hardcoded Password",
1423
+ "type": "subcategory",
1424
+ "children": [
1425
+ {
1426
+ "id": "privileged_user",
1427
+ "name": "Privileged User",
1428
+ "type": "variant",
1429
+ "priority": 1
1430
+ },
1431
+ {
1432
+ "id": "non_privileged_user",
1433
+ "name": "Non-Privileged User",
1434
+ "type": "variant",
1435
+ "priority": 2
1436
+ }
1437
+ ]
1438
+ }
1439
+ ]
1440
+ },
1441
+ {
1442
+ "id": "broken_cryptography",
1443
+ "name": "Broken Cryptography",
1444
+ "type": "category",
1445
+ "children": [
1446
+ {
1447
+ "id": "cryptographic_flaw",
1448
+ "name": "Cryptographic Flaw",
1449
+ "type": "subcategory",
1450
+ "children": [
1451
+ {
1452
+ "id": "incorrect_usage",
1453
+ "name": "Incorrect Usage",
1454
+ "type": "variant",
1455
+ "priority": 1
1456
+ }
1457
+ ]
1458
+ }
1459
+ ]
1460
+ },
1461
+ {
1462
+ "id": "privacy_concerns",
1463
+ "name": "Privacy Concerns",
1464
+ "type": "category",
1465
+ "children": [
1466
+ {
1467
+ "id": "unnecessary_data_collection",
1468
+ "name": "Unnecessary Data Collection",
1469
+ "type": "subcategory",
1470
+ "children": [
1471
+ {
1472
+ "id": "wifi_ssid_password",
1473
+ "name": "WiFi SSID+Password",
1474
+ "type": "variant",
1475
+ "priority": 4
1476
+ }
1477
+ ]
1478
+ }
1479
+ ]
1480
+ },
1481
+ {
1482
+ "id": "network_security_misconfiguration",
1483
+ "name": "Network Security Misconfiguration",
1484
+ "type": "category",
1485
+ "children": [
1486
+ {
1487
+ "id": "telnet_enabled",
1488
+ "name": "Telnet Enabled",
1489
+ "type": "subcategory",
1490
+ "children": [
1491
+ {
1492
+ "id": "credentials_required",
1493
+ "name": "Credentials Required",
1494
+ "type": "variant",
1495
+ "priority": 4
1496
+ }
1497
+ ]
1498
+ }
1499
+ ]
1500
+ },
1501
+ {
1502
+ "id": "mobile_security_misconfiguration",
1503
+ "name": "Mobile Security Misconfiguration",
1504
+ "type": "category",
1505
+ "priority": null
1506
+ },
1507
+ {
1508
+ "id": "poor_physical_security",
1509
+ "name": "Poor Physical Security",
1510
+ "type": "category",
1511
+ "priority": null
1512
+ },
1513
+ {
1514
+ "id": "social_engineering",
1515
+ "name": "Social Engineering",
1516
+ "type": "category",
1517
+ "priority": null
1518
+ },
1519
+ {
1520
+ "id": "client_side_injection",
1521
+ "name": "Client-Side Injection",
1522
+ "type": "category",
1523
+ "priority": null
1524
+ }
1525
+ ]
1526
+ }