vrt 0.1 → 0.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.2/deprecated-node-mapping.json +50 -0
  3. data/lib/data/1.2/vrt.schema.json +62 -0
  4. data/lib/data/1.2/vulnerability-rating-taxonomy.json +1583 -0
  5. data/lib/vrt/version.rb +1 -1
  6. metadata +5 -2
data/lib/data/1.2/vulnerability-rating-taxonomy.json ADDED
@@ -0,0 +1,1583 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2017-08-04T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "children": [
59
+ {
60
+ "id": "production_server",
61
+ "name": "Production Server",
62
+ "type": "variant",
63
+ "priority": 1
64
+ },
65
+ {
66
+ "id": "staging_development_server",
67
+ "name": "Staging/Development Server",
68
+ "type": "variant",
69
+ "priority": 2
70
+ }
71
+ ]
72
+ },
73
+ {
74
+ "id": "misconfigured_dns",
75
+ "name": "Misconfigured DNS",
76
+ "type": "subcategory",
77
+ "children": [
78
+ {
79
+ "id": "subdomain_takeover",
80
+ "name": "Subdomain Takeover",
81
+ "type": "variant",
82
+ "priority": 2
83
+ },
84
+ {
85
+ "id": "zone_transfer",
86
+ "name": "Zone Transfer",
87
+ "type": "variant",
88
+ "priority": 4
89
+ }
90
+ ]
91
+ },
92
+ {
93
+ "id": "mail_server_misconfiguration",
94
+ "name": "Mail Server Misconfiguration",
95
+ "type": "subcategory",
96
+ "children": [
97
+ {
98
+ "id": "missing_spf_on_email_domain",
99
+ "name": "Missing SPF on Email Domain",
100
+ "type": "variant",
101
+ "priority": 3
102
+ },
103
+ {
104
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
105
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
106
+ "type": "variant",
107
+ "priority": 3
108
+ },
109
+ {
110
+ "id": "missing_spf_on_non_email_domain",
111
+ "name": "Missing SPF on Non-Email Domain",
112
+ "type": "variant",
113
+ "priority": 5
114
+ },
115
+ {
116
+ "id": "spf_uses_a_soft_fail",
117
+ "name": "SPF Uses a Soft Fail",
118
+ "type": "variant",
119
+ "priority": 5
120
+ },
121
+ {
122
+ "id": "spf_includes_10_lookups",
123
+ "name": "SPF Includes More Than 10 Lookups",
124
+ "type": "variant",
125
+ "priority": 5
126
+ },
127
+ {
128
+ "id": "missing_dmarc",
129
+ "name": "Missing DKIM/DMARC",
130
+ "type": "variant",
131
+ "priority": 5
132
+ }
133
+ ]
134
+ },
135
+ {
136
+ "id": "lack_of_password_confirmation",
137
+ "name": "Lack of Password Confirmation",
138
+ "type": "subcategory",
139
+ "children": [
140
+ {
141
+ "id": "change_email_address",
142
+ "name": "Change Email Address",
143
+ "type": "variant",
144
+ "priority": 4
145
+ },
146
+ {
147
+ "id": "change_password",
148
+ "name": "Change Password",
149
+ "type": "variant",
150
+ "priority": 4
151
+ },
152
+ {
153
+ "id": "delete_account",
154
+ "name": "Delete Account",
155
+ "type": "variant",
156
+ "priority": 4
157
+ },
158
+ {
159
+ "id": "manage_two_fa",
160
+ "name": "Manage 2FA",
161
+ "type": "variant",
162
+ "priority": 5
163
+ }
164
+ ]
165
+ },
166
+ {
167
+ "id": "no_rate_limiting_on_form",
168
+ "name": "No Rate Limiting on Form",
169
+ "type": "subcategory",
170
+ "children": [
171
+ {
172
+ "id": "registration",
173
+ "name": "Registration",
174
+ "type": "variant",
175
+ "priority": 4
176
+ },
177
+ {
178
+ "id": "login",
179
+ "name": "Login",
180
+ "type": "variant",
181
+ "priority": 3
182
+ },
183
+ {
184
+ "id": "email_triggering",
185
+ "name": "Email-Triggering",
186
+ "type": "variant",
187
+ "priority": 4
188
+ }
189
+ ]
190
+ },
191
+ {
192
+ "id": "unsafe_file_upload",
193
+ "name": "Unsafe File Upload",
194
+ "type": "subcategory",
195
+ "children": [
196
+ {
197
+ "id": "no_antivirus",
198
+ "name": "No Antivirus",
199
+ "type": "variant",
200
+ "priority": 4
201
+ },
202
+ {
203
+ "id": "no_size_limit",
204
+ "name": "No Size Limit",
205
+ "type": "variant",
206
+ "priority": 4
207
+ },
208
+ {
209
+ "id": "file_extension_filter_bypass",
210
+ "name": "File Extension Filter Bypass",
211
+ "type": "variant",
212
+ "priority": 5
213
+ }
214
+ ]
215
+ },
216
+ {
217
+ "id": "cookie_scoped_to_parent_domain",
218
+ "name": "Cookie Scoped to Parent Domain",
219
+ "type": "subcategory",
220
+ "priority": 5
221
+ },
222
+ {
223
+ "id": "missing_secure_or_httponly_cookie_flag",
224
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
225
+ "type": "subcategory",
226
+ "children": [
227
+ {
228
+ "id": "session_token",
229
+ "name": "Session Token",
230
+ "type": "variant",
231
+ "priority": 4
232
+ },
233
+ {
234
+ "id": "non_session_cookie",
235
+ "name": "Non-Session Cookie",
236
+ "type": "variant",
237
+ "priority": 5
238
+ }
239
+ ]
240
+ },
241
+ {
242
+ "id": "clickjacking",
243
+ "name": "Clickjacking",
244
+ "type": "subcategory",
245
+ "children": [
246
+ {
247
+ "id": "sensitive_action",
248
+ "name": "Sensitive Action",
249
+ "type": "variant",
250
+ "priority": 4
251
+ },
252
+ {
253
+ "id": "non_sensitive_action",
254
+ "name": "Non-Sensitive Action",
255
+ "type": "variant",
256
+ "priority": 5
257
+ }
258
+ ]
259
+ },
260
+ {
261
+ "id": "oauth_misconfiguration",
262
+ "name": "OAuth Misconfiguration",
263
+ "type": "subcategory",
264
+ "children": [
265
+ {
266
+ "id": "missing_state_parameter",
267
+ "name": "Missing State Parameter",
268
+ "type": "variant",
269
+ "priority": 4
270
+ }
271
+ ]
272
+ },
273
+ {
274
+ "id": "captcha_bypass",
275
+ "name": "Captcha Bypass",
276
+ "type": "subcategory",
277
+ "children": [
278
+ {
279
+ "id": "implementation_vulnerability",
280
+ "name": "Implementation Vulnerability",
281
+ "type": "variant",
282
+ "priority": 4
283
+ },
284
+ {
285
+ "id": "brute_force",
286
+ "name": "Brute Force",
287
+ "type": "variant",
288
+ "priority": 5
289
+ }
290
+ ]
291
+ },
292
+ {
293
+ "id": "exposed_admin_portal",
294
+ "name": "Exposed Admin Portal",
295
+ "type": "subcategory",
296
+ "children": [
297
+ {
298
+ "id": "to_internet",
299
+ "name": "To Internet",
300
+ "type": "variant",
301
+ "priority": 5
302
+ }
303
+ ]
304
+ },
305
+ {
306
+ "id": "missing_dnssec",
307
+ "name": "Missing DNSSEC",
308
+ "type": "subcategory",
309
+ "priority": 5
310
+ },
311
+ {
312
+ "id": "fingerprinting_banner_disclosure",
313
+ "name": "Fingerprinting/Banner Disclosure",
314
+ "type": "subcategory",
315
+ "priority": 5
316
+ },
317
+ {
318
+ "id": "username_enumeration",
319
+ "name": "Username Enumeration",
320
+ "type": "subcategory",
321
+ "children": [
322
+ {
323
+ "id": "brute_force",
324
+ "name": "Brute Force",
325
+ "type": "variant",
326
+ "priority": 5
327
+ }
328
+ ]
329
+ },
330
+ {
331
+ "id": "potentially_unsafe_http_method_enabled",
332
+ "name": "Potentially Unsafe HTTP Method Enabled",
333
+ "type": "subcategory",
334
+ "children": [
335
+ {
336
+ "id": "options",
337
+ "name": "OPTIONS",
338
+ "type": "variant",
339
+ "priority": 5
340
+ },
341
+ {
342
+ "id": "trace",
343
+ "name": "TRACE",
344
+ "type": "variant",
345
+ "priority": 5
346
+ }
347
+ ]
348
+ },
349
+ {
350
+ "id": "insecure_ssl",
351
+ "name": "Insecure SSL",
352
+ "type": "subcategory",
353
+ "children": [
354
+ {
355
+ "id": "lack_of_forward_secrecy",
356
+ "name": "Lack of Forward Secrecy",
357
+ "type": "variant",
358
+ "priority": 5
359
+ },
360
+ {
361
+ "id": "insecure_cipher_suite",
362
+ "name": "Insecure Cipher Suite",
363
+ "type": "variant",
364
+ "priority": 5
365
+ }
366
+ ]
367
+ },
368
+ {
369
+ "id": "rfd",
370
+ "name": "Reflected File Download (RFD)",
371
+ "type": "subcategory",
372
+ "priority": 5
373
+ },
374
+ {
375
+ "id": "lack_of_security_headers",
376
+ "name": "Lack of Security Headers",
377
+ "type": "subcategory",
378
+ "children": [
379
+ {
380
+ "id": "x_frame_options",
381
+ "name": "X-Frame-Options",
382
+ "type": "variant",
383
+ "priority": 5
384
+ },
385
+ {
386
+ "id": "cache_control_for_a_non_sensitive_page",
387
+ "name": "Cache-Control for a Non-Sensitive Page",
388
+ "type": "variant",
389
+ "priority": 5
390
+ },
391
+ {
392
+ "id": "x_xss_protection",
393
+ "name": "X-XSS-Protection",
394
+ "type": "variant",
395
+ "priority": 5
396
+ },
397
+ {
398
+ "id": "strict_transport_security",
399
+ "name": "Strict-Transport-Security",
400
+ "type": "variant",
401
+ "priority": 5
402
+ },
403
+ {
404
+ "id": "x_content_type_options",
405
+ "name": "X-Content-Type-Options",
406
+ "type": "variant",
407
+ "priority": 5
408
+ },
409
+ {
410
+ "id": "content_security_policy",
411
+ "name": "Content-Security-Policy",
412
+ "type": "variant",
413
+ "priority": 5
414
+ },
415
+ {
416
+ "id": "public_key_pins",
417
+ "name": "Public-Key-Pins",
418
+ "type": "variant",
419
+ "priority": 5
420
+ },
421
+ {
422
+ "id": "x_content_security_policy",
423
+ "name": "X-Content-Security-Policy",
424
+ "type": "variant",
425
+ "priority": 5
426
+ },
427
+ {
428
+ "id": "x_webkit_csp",
429
+ "name": "X-Webkit-CSP",
430
+ "type": "variant",
431
+ "priority": 5
432
+ },
433
+ {
434
+ "id": "content_security_policy_report_only",
435
+ "name": "Content-Security-Policy-Report-Only",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "cache_control_for_a_sensitive_page",
441
+ "name": "Cache-Control for a Sensitive Page",
442
+ "type": "variant",
443
+ "priority": 4
444
+ }
445
+ ]
446
+ }
447
+ ]
448
+ },
449
+ {
450
+ "id": "server_side_injection",
451
+ "name": "Server-Side Injection",
452
+ "type": "category",
453
+ "children": [
454
+ {
455
+ "id": "file_inclusion",
456
+ "name": "File Inclusion",
457
+ "type": "subcategory",
458
+ "children": [
459
+ {
460
+ "id": "local",
461
+ "name": "Local",
462
+ "type": "variant",
463
+ "priority": 1
464
+ }
465
+ ]
466
+ },
467
+ {
468
+ "id": "parameter_pollution",
469
+ "name": "Parameter Pollution",
470
+ "type": "subcategory",
471
+ "children": [
472
+ {
473
+ "id": "social_media_sharing_buttons",
474
+ "name": "Social Media Sharing Buttons",
475
+ "type": "variant",
476
+ "priority": 5
477
+ }
478
+ ]
479
+ },
480
+ {
481
+ "id": "remote_code_execution_rce",
482
+ "name": "Remote Code Execution (RCE)",
483
+ "type": "subcategory",
484
+ "priority": 1
485
+ },
486
+ {
487
+ "id": "sql_injection",
488
+ "name": "SQL Injection",
489
+ "type": "subcategory",
490
+ "children": [
491
+ {
492
+ "id": "error_based",
493
+ "name": "Error-Based",
494
+ "type": "variant",
495
+ "priority": 1
496
+ },
497
+ {
498
+ "id": "blind",
499
+ "name": "Blind",
500
+ "type": "variant",
501
+ "priority": 1
502
+ }
503
+ ]
504
+ },
505
+ {
506
+ "id": "xml_external_entity_injection_xxe",
507
+ "name": "XML External Entity Injection (XXE)",
508
+ "type": "subcategory",
509
+ "priority": 1
510
+ },
511
+ {
512
+ "id": "http_response_manipulation",
513
+ "name": "HTTP Response Manipulation",
514
+ "type": "subcategory",
515
+ "children": [
516
+ {
517
+ "id": "response_splitting_crlf",
518
+ "name": "Response Splitting (CRLF)",
519
+ "type": "variant",
520
+ "priority": 3
521
+ }
522
+ ]
523
+ },
524
+ {
525
+ "id": "content_spoofing",
526
+ "name": "Content Spoofing",
527
+ "type": "subcategory",
528
+ "children": [
529
+ {
530
+ "id": "iframe_injection",
531
+ "name": "iframe Injection",
532
+ "type": "variant",
533
+ "priority": 3
534
+ },
535
+ {
536
+ "id": "external_authentication_injection",
537
+ "name": "External Authentication Injection",
538
+ "type": "variant",
539
+ "priority": 4
540
+ },
541
+ {
542
+ "id": "email_html_injection",
543
+ "name": "Email HTML Injection",
544
+ "type": "variant",
545
+ "priority": 4
546
+ },
547
+ {
548
+ "id": "text_injection",
549
+ "name": "Text Injection",
550
+ "type": "variant",
551
+ "priority": 5
552
+ },
553
+ {
554
+ "id": "homograph_idn_based",
555
+ "name": "Homograph/IDN-Based",
556
+ "type": "variant",
557
+ "priority": 5
558
+ }
559
+ ]
560
+ }
561
+ ]
562
+ },
563
+ {
564
+ "id": "broken_authentication_and_session_management",
565
+ "name": "Broken Authentication and Session Management",
566
+ "type": "category",
567
+ "children": [
568
+ {
569
+ "id": "authentication_bypass",
570
+ "name": "Authentication Bypass",
571
+ "type": "subcategory",
572
+ "priority": 1
573
+ },
574
+ {
575
+ "id": "privilege_escalation",
576
+ "name": "Privilege Escalation",
577
+ "type": "subcategory",
578
+ "priority": null
579
+ },
580
+ {
581
+ "id": "weak_login_function",
582
+ "name": "Weak Login Function",
583
+ "type": "subcategory",
584
+ "children": [
585
+ {
586
+ "id": "over_http",
587
+ "name": "Over HTTP",
588
+ "type": "variant",
589
+ "priority": 3
590
+ }
591
+ ]
592
+ },
593
+ {
594
+ "id": "session_fixation",
595
+ "name": "Session Fixation",
596
+ "type": "subcategory",
597
+ "priority": 3
598
+ },
599
+ {
600
+ "id": "failure_to_invalidate_session",
601
+ "name": "Failure to Invalidate Session",
602
+ "type": "subcategory",
603
+ "children": [
604
+ {
605
+ "id": "on_logout",
606
+ "name": "On Logout",
607
+ "type": "variant",
608
+ "priority": 4
609
+ },
610
+ {
611
+ "id": "on_password_reset",
612
+ "name": "On Password Reset",
613
+ "type": "variant",
614
+ "priority": 4
615
+ },
616
+ {
617
+ "id": "on_password_change",
618
+ "name": "On Password Change",
619
+ "type": "variant",
620
+ "priority": 4
621
+ },
622
+ {
623
+ "id": "all_sessions",
624
+ "name": "All Sessions",
625
+ "type": "variant",
626
+ "priority": 5
627
+ },
628
+ {
629
+ "id": "on_email_change",
630
+ "name": "On Email Change",
631
+ "type": "variant",
632
+ "priority": 5
633
+ },
634
+ {
635
+ "id": "long_timeout",
636
+ "name": "Long Timeout",
637
+ "type": "variant",
638
+ "priority": 5
639
+ }
640
+ ]
641
+ },
642
+ {
643
+ "id": "concurrent_logins",
644
+ "name": "Concurrent Logins",
645
+ "type": "subcategory",
646
+ "priority": 5
647
+ },
648
+ {
649
+ "id": "weak_registration_implementation",
650
+ "name": "Weak Registration Implementation",
651
+ "type": "subcategory",
652
+ "children": [
653
+ {
654
+ "id": "over_http",
655
+ "name": "Over HTTP",
656
+ "type": "variant",
657
+ "priority": 4
658
+ }
659
+ ]
660
+ }
661
+ ]
662
+ },
663
+ {
664
+ "id": "insecure_direct_object_references_idor",
665
+ "name": "Insecure Direct Object References (IDOR)",
666
+ "type": "category",
667
+ "priority": null
668
+ },
669
+ {
670
+ "id": "sensitive_data_exposure",
671
+ "name": "Sensitive Data Exposure",
672
+ "type": "category",
673
+ "children": [
674
+ {
675
+ "id": "critically_sensitive_data",
676
+ "name": "Critically Sensitive Data",
677
+ "type": "subcategory",
678
+ "children": [
679
+ {
680
+ "id": "password_disclosure",
681
+ "name": "Password Disclosure",
682
+ "type": "variant",
683
+ "priority": 1
684
+ },
685
+ {
686
+ "id": "private_api_keys",
687
+ "name": "Private API Keys",
688
+ "type": "variant",
689
+ "priority": 1
690
+ }
691
+ ]
692
+ },
693
+ {
694
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
695
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
696
+ "type": "subcategory",
697
+ "children": [
698
+ {
699
+ "id": "automatic_user_enumeration",
700
+ "name": "Automatic User Enumeration",
701
+ "type": "variant",
702
+ "priority": 3
703
+ },
704
+ {
705
+ "id": "manual_user_enumeration",
706
+ "name": "Manual User Enumeration",
707
+ "type": "variant",
708
+ "priority": 4
709
+ }
710
+ ]
711
+ },
712
+ {
713
+ "id": "visible_detailed_error_page",
714
+ "name": "Visible Detailed Error/Debug Page",
715
+ "type": "subcategory",
716
+ "children": [
717
+ {
718
+ "id": "detailed_server_configuration",
719
+ "name": "Detailed Server Configuration",
720
+ "type": "variant",
721
+ "priority": 4
722
+ },
723
+ {
724
+ "id": "full_path_disclosure",
725
+ "name": "Full Path Disclosure",
726
+ "type": "variant",
727
+ "priority": 5
728
+ },
729
+ {
730
+ "id": "descriptive_stack_trace",
731
+ "name": "Descriptive Stack Trace",
732
+ "type": "variant",
733
+ "priority": 5
734
+ }
735
+ ]
736
+ },
737
+ {
738
+ "id": "disclosure_of_known_public_information",
739
+ "name": "Disclosure of Known Public Information",
740
+ "type": "subcategory",
741
+ "priority": 5
742
+ },
743
+ {
744
+ "id": "token_leakage_via_referer",
745
+ "name": "Token Leakage via Referer",
746
+ "type": "subcategory",
747
+ "children": [
748
+ {
749
+ "id": "trusted_3rd_party",
750
+ "name": "Trusted 3rd Party",
751
+ "type": "variant",
752
+ "priority": 5
753
+ },
754
+ {
755
+ "id": "untrusted_3rd_party",
756
+ "name": "Untrusted 3rd Party",
757
+ "type": "variant",
758
+ "priority": 4
759
+ },
760
+ {
761
+ "id": "over_http",
762
+ "name": "Over HTTP",
763
+ "type": "variant",
764
+ "priority": 4
765
+ }
766
+ ]
767
+ },
768
+ {
769
+ "id": "sensitive_token_in_url",
770
+ "name": "Sensitive Token in URL",
771
+ "type": "subcategory",
772
+ "priority": 4
773
+ },
774
+ {
775
+ "id": "non_sensitive_token_in_url",
776
+ "name": "Non-Sensitive Token in URL",
777
+ "type": "subcategory",
778
+ "priority": 5
779
+ },
780
+ {
781
+ "id": "weak_password_reset_implementation",
782
+ "name": "Weak Password Reset Implementation",
783
+ "type": "subcategory",
784
+ "children": [
785
+ {
786
+ "id": "password_reset_token_sent_over_http",
787
+ "name": "Password Reset Token Sent Over HTTP",
788
+ "type": "variant",
789
+ "priority": 4
790
+ }
791
+ ]
792
+ },
793
+ {
794
+ "id": "mixed_content",
795
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
796
+ "type": "subcategory",
797
+ "priority": 5
798
+ },
799
+ {
800
+ "id": "sensitive_data_hardcoded",
801
+ "name": "Sensitive Data Hardcoded",
802
+ "type": "subcategory",
803
+ "children": [
804
+ {
805
+ "id": "oauth_secret",
806
+ "name": "OAuth Secret",
807
+ "type": "variant",
808
+ "priority": 5
809
+ },
810
+ {
811
+ "id": "file_paths",
812
+ "name": "File Paths",
813
+ "type": "variant",
814
+ "priority": 5
815
+ }
816
+ ]
817
+ },
818
+ {
819
+ "id": "internal_ip_disclosure",
820
+ "name": "Internal IP Disclosure",
821
+ "type": "subcategory",
822
+ "priority": 5
823
+ },
824
+ {
825
+ "id": "xssi",
826
+ "name": "Cross Site Script Inclusion (XSSI)",
827
+ "type": "subcategory",
828
+ "priority": null
829
+ },
830
+ {
831
+ "id": "json_hijacking",
832
+ "name": "JSON Hijacking",
833
+ "type": "subcategory",
834
+ "priority": 5
835
+ }
836
+ ]
837
+ },
838
+ {
839
+ "id": "cross_site_scripting_xss",
840
+ "name": "Cross-Site Scripting (XSS)",
841
+ "type": "category",
842
+ "children": [
843
+ {
844
+ "id": "stored",
845
+ "name": "Stored",
846
+ "type": "subcategory",
847
+ "children": [
848
+ {
849
+ "id": "non_admin_to_anyone",
850
+ "name": "Non-Admin to Anyone",
851
+ "type": "variant",
852
+ "priority": 2
853
+ },
854
+ {
855
+ "id": "admin_to_anyone",
856
+ "name": "Admin to Anyone",
857
+ "type": "variant",
858
+ "priority": 3
859
+ },
860
+ {
861
+ "id": "self",
862
+ "name": "Self",
863
+ "type": "variant",
864
+ "priority": 5
865
+ }
866
+ ]
867
+ },
868
+ {
869
+ "id": "reflected",
870
+ "name": "Reflected",
871
+ "type": "subcategory",
872
+ "children": [
873
+ {
874
+ "id": "non_self",
875
+ "name": "Non-Self",
876
+ "type": "variant",
877
+ "priority": 3
878
+ },
879
+ {
880
+ "id": "self",
881
+ "name": "Self",
882
+ "type": "variant",
883
+ "priority": 5
884
+ }
885
+ ]
886
+ },
887
+ {
888
+ "id": "cookie_based",
889
+ "name": "Cookie-Based",
890
+ "type": "subcategory",
891
+ "priority": 5
892
+ },
893
+ {
894
+ "id": "ie_only",
895
+ "name": "IE-Only",
896
+ "type": "subcategory",
897
+ "children": [
898
+ {
899
+ "id": "older_version_ie_10_11",
900
+ "name": "Older Version (IE 10/11)",
901
+ "type": "variant",
902
+ "priority": 4
903
+ },
904
+ {
905
+ "id": "xss_filter_disabled",
906
+ "name": "XSS Filter Disabled",
907
+ "type": "variant",
908
+ "priority": 5
909
+ },
910
+ {
911
+ "id": "older_version_ie10",
912
+ "name": "Older Version (< IE10)",
913
+ "type": "variant",
914
+ "priority": 5
915
+ }
916
+ ]
917
+ },
918
+ {
919
+ "id": "referer",
920
+ "name": "Referer",
921
+ "type": "subcategory",
922
+ "priority": 4
923
+ },
924
+ {
925
+ "id": "trace_method",
926
+ "name": "TRACE Method",
927
+ "type": "subcategory",
928
+ "priority": 5
929
+ },
930
+ {
931
+ "id": "universal_uxss",
932
+ "name": "Universal (UXSS)",
933
+ "type": "subcategory",
934
+ "priority": 4
935
+ },
936
+ {
937
+ "id": "off_domain",
938
+ "name": "Off-Domain",
939
+ "type": "subcategory",
940
+ "children": [
941
+ {
942
+ "id": "data_uri",
943
+ "name": "Data URI",
944
+ "type": "variant",
945
+ "priority": 4
946
+ }
947
+ ]
948
+ }
949
+ ]
950
+ },
951
+ {
952
+ "id": "missing_function_level_access_control",
953
+ "name": "Missing Function Level Access Control",
954
+ "type": "category",
955
+ "children": [
956
+ {
957
+ "id": "server_side_request_forgery_ssrf",
958
+ "name": "Server-Side Request Forgery (SSRF)",
959
+ "type": "subcategory",
960
+ "children": [
961
+ {
962
+ "id": "internal",
963
+ "name": "Internal",
964
+ "type": "variant",
965
+ "priority": 2
966
+ },
967
+ {
968
+ "id": "external",
969
+ "name": "External",
970
+ "type": "variant",
971
+ "priority": 4
972
+ }
973
+ ]
974
+ },
975
+ {
976
+ "id": "username_enumeration",
977
+ "name": "Username Enumeration",
978
+ "type": "subcategory",
979
+ "children": [
980
+ {
981
+ "id": "data_leak",
982
+ "name": "Data Leak",
983
+ "type": "variant",
984
+ "priority": 4
985
+ }
986
+ ]
987
+ },
988
+ {
989
+ "id": "exposed_sensitive_android_intent",
990
+ "name": "Exposed Sensitive Android Intent",
991
+ "type": "subcategory",
992
+ "priority": null
993
+ },
994
+ {
995
+ "id": "exposed_sensitive_ios_url_scheme",
996
+ "name": "Exposed Sensitive iOS URL Scheme",
997
+ "type": "subcategory",
998
+ "priority": null
999
+ }
1000
+ ]
1001
+ },
1002
+ {
1003
+ "id": "cross_site_request_forgery_csrf",
1004
+ "name": "Cross-Site Request Forgery (CSRF)",
1005
+ "type": "category",
1006
+ "children": [
1007
+ {
1008
+ "id": "application_wide",
1009
+ "name": "Applicaton-Wide",
1010
+ "type": "subcategory",
1011
+ "priority": 2
1012
+ },
1013
+ {
1014
+ "id": "action_specific",
1015
+ "name": "Action-Specific",
1016
+ "type": "subcategory",
1017
+ "children": [
1018
+ {
1019
+ "id": "authenticated_action",
1020
+ "name": "Authenticated Action",
1021
+ "type": "variant",
1022
+ "priority": null
1023
+ },
1024
+ {
1025
+ "id": "unauthenticated_action",
1026
+ "name": "Unauthenticated Action",
1027
+ "type": "variant",
1028
+ "priority": null
1029
+ },
1030
+ {
1031
+ "id": "logout",
1032
+ "name": "Logout",
1033
+ "type": "variant",
1034
+ "priority": 5
1035
+ }
1036
+ ]
1037
+ }
1038
+ ]
1039
+ },
1040
+ {
1041
+ "id": "application_level_denial_of_service_dos",
1042
+ "name": "Application-Level Denial-of-Service (DoS)",
1043
+ "type": "category",
1044
+ "children": [
1045
+ {
1046
+ "id": "critical_impact_and_or_easy_difficulty",
1047
+ "name": "Critical Impact and/or Easy Difficulty",
1048
+ "type": "subcategory",
1049
+ "priority": 2
1050
+ },
1051
+ {
1052
+ "id": "high_impact_and_or_medium_difficulty",
1053
+ "name": "High Impact and/or Medium Difficulty",
1054
+ "type": "subcategory",
1055
+ "priority": 3
1056
+ },
1057
+ {
1058
+ "id": "app_crash",
1059
+ "name": "App Crash",
1060
+ "type": "subcategory",
1061
+ "children": [
1062
+ {
1063
+ "id": "malformed_android_intents",
1064
+ "name": "Malformed Android Intents",
1065
+ "type": "variant",
1066
+ "priority": 5
1067
+ },
1068
+ {
1069
+ "id": "malformed_ios_url_schemes",
1070
+ "name": "Malformed iOS URL Schemes",
1071
+ "type": "variant",
1072
+ "priority": 5
1073
+ }
1074
+ ]
1075
+ }
1076
+ ]
1077
+ },
1078
+ {
1079
+ "id": "unvalidated_redirects_and_forwards",
1080
+ "name": "Unvalidated Redirects and Forwards",
1081
+ "type": "category",
1082
+ "children": [
1083
+ {
1084
+ "id": "open_redirect",
1085
+ "name": "Open Redirect",
1086
+ "type": "subcategory",
1087
+ "children": [
1088
+ {
1089
+ "id": "get_based",
1090
+ "name": "GET-Based",
1091
+ "type": "variant",
1092
+ "priority": 4
1093
+ },
1094
+ {
1095
+ "id": "post_based",
1096
+ "name": "POST-Based",
1097
+ "type": "variant",
1098
+ "priority": 5
1099
+ },
1100
+ {
1101
+ "id": "header_based",
1102
+ "name": "Header-Based",
1103
+ "type": "variant",
1104
+ "priority": 5
1105
+ }
1106
+ ]
1107
+ },
1108
+ {
1109
+ "id": "tabnabbing",
1110
+ "name": "Tabnabbing",
1111
+ "type": "subcategory",
1112
+ "priority": 5
1113
+ },
1114
+ {
1115
+ "id": "lack_of_security_speed_bump_page",
1116
+ "name": "Lack of Security Speed Bump Page",
1117
+ "type": "subcategory",
1118
+ "priority": 5
1119
+ }
1120
+ ]
1121
+ },
1122
+ {
1123
+ "id": "external_behavior",
1124
+ "name": "External Behavior",
1125
+ "type": "category",
1126
+ "children": [
1127
+ {
1128
+ "id": "browser_feature",
1129
+ "name": "Browser Feature",
1130
+ "type": "subcategory",
1131
+ "children": [
1132
+ {
1133
+ "id": "plaintext_password_field",
1134
+ "name": "Plaintext Password Field",
1135
+ "type": "variant",
1136
+ "priority": 5
1137
+ },
1138
+ {
1139
+ "id": "save_password",
1140
+ "name": "Save Password",
1141
+ "type": "variant",
1142
+ "priority": 5
1143
+ },
1144
+ {
1145
+ "id": "autocomplete_enabled",
1146
+ "name": "Autocomplete Enabled",
1147
+ "type": "variant",
1148
+ "priority": 5
1149
+ },
1150
+ {
1151
+ "id": "autocorrect_enabled",
1152
+ "name": "Autocorrect Enabled",
1153
+ "type": "variant",
1154
+ "priority": 5
1155
+ },
1156
+ {
1157
+ "id": "aggressive_offline_caching",
1158
+ "name": "Aggressive Offline Caching",
1159
+ "type": "variant",
1160
+ "priority": 5
1161
+ }
1162
+ ]
1163
+ },
1164
+ {
1165
+ "id": "csv_injection",
1166
+ "name": "CSV Injection",
1167
+ "type": "subcategory",
1168
+ "priority": 5
1169
+ },
1170
+ {
1171
+ "id": "captcha_bypass",
1172
+ "name": "Captcha Bypass",
1173
+ "type": "subcategory",
1174
+ "children": [
1175
+ {
1176
+ "id": "crowdsourcing",
1177
+ "name": "Crowdsourcing",
1178
+ "type": "variant",
1179
+ "priority": 5
1180
+ }
1181
+ ]
1182
+ },
1183
+ {
1184
+ "id": "system_clipboard_leak",
1185
+ "name": "System Clipboard Leak",
1186
+ "type": "subcategory",
1187
+ "children": [
1188
+ {
1189
+ "id": "shared_links",
1190
+ "name": "Shared Links",
1191
+ "type": "variant",
1192
+ "priority": 5
1193
+ }
1194
+ ]
1195
+ },
1196
+ {
1197
+ "id": "user_password_persisted_in_memory",
1198
+ "name": "User Password Persisted in Memory",
1199
+ "type": "subcategory",
1200
+ "priority": 5
1201
+ }
1202
+ ]
1203
+ },
1204
+ {
1205
+ "id": "insufficient_security_configurability",
1206
+ "name": "Insufficient Security Configurability",
1207
+ "type": "category",
1208
+ "children": [
1209
+ {
1210
+ "id": "weak_password_policy",
1211
+ "name": "Weak Password Policy",
1212
+ "type": "subcategory",
1213
+ "priority": 5
1214
+ },
1215
+ {
1216
+ "id": "no_password_policy",
1217
+ "name": "No Password Policy",
1218
+ "type": "subcategory",
1219
+ "priority": 4
1220
+ },
1221
+ {
1222
+ "id": "weak_password_reset_implementation",
1223
+ "name": "Weak Password Reset Implementation",
1224
+ "type": "subcategory",
1225
+ "children": [
1226
+ {
1227
+ "id": "token_is_not_invalidated_after_use",
1228
+ "name": "Token is Not Invalidated After Use",
1229
+ "type": "variant",
1230
+ "priority": 4
1231
+ },
1232
+ {
1233
+ "id": "token_is_not_invalidated_after_email_change",
1234
+ "name": "Token is Not Invalidated After Email Change",
1235
+ "type": "variant",
1236
+ "priority": 5
1237
+ },
1238
+ {
1239
+ "id": "token_is_not_invalidated_after_password_change",
1240
+ "name": "Token is Not Invalidated After Password Change",
1241
+ "type": "variant",
1242
+ "priority": 5
1243
+ },
1244
+ {
1245
+ "id": "token_has_long_timed_expiry",
1246
+ "name": "Token Has Long Timed Expiry",
1247
+ "type": "variant",
1248
+ "priority": 5
1249
+ },
1250
+ {
1251
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1252
+ "name": "Token is Not Invalidated After New Token is Requested",
1253
+ "type": "variant",
1254
+ "priority": 5
1255
+ }
1256
+ ]
1257
+ },
1258
+ {
1259
+ "id": "lack_of_verification_email",
1260
+ "name": "Lack of Verification Email",
1261
+ "type": "subcategory",
1262
+ "priority": 5
1263
+ },
1264
+ {
1265
+ "id": "lack_of_notification_email",
1266
+ "name": "Lack of Notification Email",
1267
+ "type": "subcategory",
1268
+ "priority": 5
1269
+ },
1270
+ {
1271
+ "id": "weak_registration_implementation",
1272
+ "name": "Weak Registration Implementation",
1273
+ "type": "subcategory",
1274
+ "children": [
1275
+ {
1276
+ "id": "allows_disposable_email_addresses",
1277
+ "name": "Allows Disposable Email Addresses",
1278
+ "type": "variant",
1279
+ "priority": 5
1280
+ }
1281
+ ]
1282
+ },
1283
+ {
1284
+ "id": "weak_2fa_implementation",
1285
+ "name": "Weak 2FA Implementation",
1286
+ "type": "subcategory",
1287
+ "children": [
1288
+ {
1289
+ "id": "missing_failsafe",
1290
+ "name": "Missing Failsafe",
1291
+ "type": "variant",
1292
+ "priority": 5
1293
+ }
1294
+ ]
1295
+ }
1296
+ ]
1297
+ },
1298
+ {
1299
+ "id": "using_components_with_known_vulnerabilities",
1300
+ "name": "Using Components with Known Vulnerabilities",
1301
+ "type": "category",
1302
+ "children": [
1303
+ {
1304
+ "id": "rosetta_flash",
1305
+ "name": "Rosetta Flash",
1306
+ "type": "subcategory",
1307
+ "priority": 4
1308
+ },
1309
+ {
1310
+ "id": "outdated_software_version",
1311
+ "name": "Outdated Software Version",
1312
+ "type": "subcategory",
1313
+ "priority": 5
1314
+ },
1315
+ {
1316
+ "id": "captcha_bypass",
1317
+ "name": "Captcha Bypass",
1318
+ "type": "subcategory",
1319
+ "children": [
1320
+ {
1321
+ "id": "ocr_optical_character_recognition",
1322
+ "name": "OCR (Optical Character Recognition)",
1323
+ "type": "variant",
1324
+ "priority": 5
1325
+ }
1326
+ ]
1327
+ }
1328
+ ]
1329
+ },
1330
+ {
1331
+ "id": "insecure_data_storage",
1332
+ "name": "Insecure Data Storage",
1333
+ "type": "category",
1334
+ "children": [
1335
+ {
1336
+ "id": "sensitive_application_data_stored_unencrypted",
1337
+ "name": "Sensitive Application Data Stored Unencrypted",
1338
+ "type": "subcategory",
1339
+ "children": [
1340
+ {
1341
+ "id": "on_external_storage",
1342
+ "name": "On External Storage",
1343
+ "type": "variant",
1344
+ "priority": 4
1345
+ },
1346
+ {
1347
+ "id": "on_internal_storage",
1348
+ "name": "On Internal Storage",
1349
+ "type": "variant",
1350
+ "priority": 5
1351
+ }
1352
+ ]
1353
+ },
1354
+ {
1355
+ "id": "server_side_credentials_storage",
1356
+ "name": "Server-Side Credentials Storage",
1357
+ "type": "subcategory",
1358
+ "children": [
1359
+ {
1360
+ "id": "plaintext",
1361
+ "name": "Plaintext",
1362
+ "type": "variant",
1363
+ "priority": 4
1364
+ }
1365
+ ]
1366
+ },
1367
+ {
1368
+ "id": "non_sensitive_application_data_stored_unencrypted",
1369
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1370
+ "type": "subcategory",
1371
+ "priority": 5
1372
+ },
1373
+ {
1374
+ "id": "screen_caching_enabled",
1375
+ "name": "Screen Caching Enabled",
1376
+ "type": "subcategory",
1377
+ "priority": 5
1378
+ }
1379
+ ]
1380
+ },
1381
+ {
1382
+ "id": "lack_of_binary_hardening",
1383
+ "name": "Lack of Binary Hardening",
1384
+ "type": "category",
1385
+ "children": [
1386
+ {
1387
+ "id": "lack_of_exploit_mitigations",
1388
+ "name": "Lack of Exploit Mitigations",
1389
+ "type": "subcategory",
1390
+ "priority": 5
1391
+ },
1392
+ {
1393
+ "id": "lack_of_jailbreak_detection",
1394
+ "name": "Lack of Jailbreak Detection",
1395
+ "type": "subcategory",
1396
+ "priority": 5
1397
+ },
1398
+ {
1399
+ "id": "lack_of_obfuscation",
1400
+ "name": "Lack of Obfuscation",
1401
+ "type": "subcategory",
1402
+ "priority": 5
1403
+ },
1404
+ {
1405
+ "id": "runtime_instrumentation_based",
1406
+ "name": "Runtime Instrumentation-Based",
1407
+ "type": "subcategory",
1408
+ "priority": 5
1409
+ }
1410
+ ]
1411
+ },
1412
+ {
1413
+ "id": "insecure_data_transport",
1414
+ "name": "Insecure Data Transport",
1415
+ "type": "category",
1416
+ "children": [
1417
+ {
1418
+ "id": "executable_download",
1419
+ "name": "Executable Download",
1420
+ "type": "subcategory",
1421
+ "children": [
1422
+ {
1423
+ "id": "no_secure_integrity_check",
1424
+ "name": "No Secure Integrity Check",
1425
+ "type": "variant",
1426
+ "priority": 4
1427
+ },
1428
+ {
1429
+ "id": "secure_integrity_check",
1430
+ "name": "Secure Integrity Check",
1431
+ "type": "variant",
1432
+ "priority": 5
1433
+ }
1434
+ ]
1435
+ }
1436
+ ]
1437
+ },
1438
+ {
1439
+ "id": "insecure_os_firmware",
1440
+ "name": "Insecure OS/Firmware",
1441
+ "type": "category",
1442
+ "children": [
1443
+ {
1444
+ "id": "command_injection",
1445
+ "name": "Command Injection",
1446
+ "type": "subcategory",
1447
+ "priority": 1
1448
+ },
1449
+ {
1450
+ "id": "hardcoded_password",
1451
+ "name": "Hardcoded Password",
1452
+ "type": "subcategory",
1453
+ "children": [
1454
+ {
1455
+ "id": "privileged_user",
1456
+ "name": "Privileged User",
1457
+ "type": "variant",
1458
+ "priority": 1
1459
+ },
1460
+ {
1461
+ "id": "non_privileged_user",
1462
+ "name": "Non-Privileged User",
1463
+ "type": "variant",
1464
+ "priority": 2
1465
+ }
1466
+ ]
1467
+ }
1468
+ ]
1469
+ },
1470
+ {
1471
+ "id": "broken_cryptography",
1472
+ "name": "Broken Cryptography",
1473
+ "type": "category",
1474
+ "children": [
1475
+ {
1476
+ "id": "cryptographic_flaw",
1477
+ "name": "Cryptographic Flaw",
1478
+ "type": "subcategory",
1479
+ "children": [
1480
+ {
1481
+ "id": "incorrect_usage",
1482
+ "name": "Incorrect Usage",
1483
+ "type": "variant",
1484
+ "priority": 1
1485
+ }
1486
+ ]
1487
+ }
1488
+ ]
1489
+ },
1490
+ {
1491
+ "id": "privacy_concerns",
1492
+ "name": "Privacy Concerns",
1493
+ "type": "category",
1494
+ "children": [
1495
+ {
1496
+ "id": "unnecessary_data_collection",
1497
+ "name": "Unnecessary Data Collection",
1498
+ "type": "subcategory",
1499
+ "children": [
1500
+ {
1501
+ "id": "wifi_ssid_password",
1502
+ "name": "WiFi SSID+Password",
1503
+ "type": "variant",
1504
+ "priority": 4
1505
+ }
1506
+ ]
1507
+ }
1508
+ ]
1509
+ },
1510
+ {
1511
+ "id": "network_security_misconfiguration",
1512
+ "name": "Network Security Misconfiguration",
1513
+ "type": "category",
1514
+ "children": [
1515
+ {
1516
+ "id": "telnet_enabled",
1517
+ "name": "Telnet Enabled",
1518
+ "type": "subcategory",
1519
+ "children": [
1520
+ {
1521
+ "id": "credentials_required",
1522
+ "name": "Credentials Required",
1523
+ "type": "variant",
1524
+ "priority": 4
1525
+ }
1526
+ ]
1527
+ }
1528
+ ]
1529
+ },
1530
+ {
1531
+ "id": "mobile_security_misconfiguration",
1532
+ "name": "Mobile Security Misconfiguration",
1533
+ "type": "category",
1534
+ "children": [
1535
+ {
1536
+ "id": "ssl_certificate_pinning",
1537
+ "name": "SSL Certificate Pinning",
1538
+ "type": "subcategory",
1539
+ "children": [
1540
+ {
1541
+ "id": "absent",
1542
+ "name": "Absent",
1543
+ "type": "variant",
1544
+ "priority": 5
1545
+ },
1546
+ {
1547
+ "id": "defeatable",
1548
+ "name": "Defeatable",
1549
+ "type": "variant",
1550
+ "priority": 5
1551
+ }
1552
+ ]
1553
+ }
1554
+ ]
1555
+ },
1556
+ {
1557
+ "id": "client_side_injection",
1558
+ "name": "Client-Side Injection",
1559
+ "type": "category",
1560
+ "children": [
1561
+ {
1562
+ "id": "binary_planting",
1563
+ "name": "Binary Planting",
1564
+ "type": "subcategory",
1565
+ "children": [
1566
+ {
1567
+ "id": "privilege_escalation",
1568
+ "name": "Privilege Escalation",
1569
+ "type": "variant",
1570
+ "priority": 4
1571
+ },
1572
+ {
1573
+ "id": "no_privilege_escalation",
1574
+ "name": "No Privilege Escalation",
1575
+ "type": "variant",
1576
+ "priority": 5
1577
+ }
1578
+ ]
1579
+ }
1580
+ ]
1581
+ }
1582
+ ]
1583
+ }