vrt 0.1

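--- a/PATH_NOT_SHOWN_IN_PAGE_1
+++ b/PATH_NOT_SHOWN_IN_PAGE_1
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 3c883252346b6b621bc6bdcef55ab2be37b6cb7d
+data.tar.gz: 60357154b0e182f895d36faea777817672fdc856
+SHA512:
+metadata.gz: 3cc4ddfb007a6648ff1b31c6874c2f8c48e36d3020d5d78c97c816b281af26a69636fe3e5ef04504fa88d79bcc21fb46e0404c8fe133d5cfec65ff95ed32791e
+data.tar.gz: b8563420dec922ab1dcc82ca543cb5178b4e400c4699f60d2ab794d55eeec1120a8aedda14f77280a187aa7013fd45062c15ea75b324058bd2d8f80cd6d112f1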
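--- a/PATH_NOT_SHOWN_IN_PAGE_2
+++ b/PATH_NOT_SHOWN_IN_PAGE_2
@@ -0,0 +1,62 @@
+{
+"$schema": "http://json-schema.org/draft-04/schema#",
+"title": "VRT Taxonomy",
+"description": "VRT",
+"definitions": {
+"VRTmetadata": {
+"type": "object",
+"properties": {
+"release_date": { "type": "string", "format": "date-time" }
+}
+},
+"VRT": {
+"type": "object",
+"properties": {
+"id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+"type": { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
+"name": { "type": "string" },
+"priority": {
+"anyOf": [
+{ "type": "number", "minimum": 1, "maximum": 5 },
+{ "type": "null" }
+]
+}
+},
+"required": ["id", "name", "type", "priority"]
+},
+"VRTparent": {
+"type": "object",
+"properties": {
+"id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+"name": { "type": "string" },
+"type": { "type": "string", "enum": [ "category", "subcategory" ] },
+"children": {
+"type": "array",
+"items" : {
+"anyOf": [
+{ "$ref": "#/definitions/VRTparent" },
+{ "$ref": "#/definitions/VRT" }
+]
+}
+}
+},
+"required": ["id", "name", "type", "children"]
+}
+},
+"type": "object",
+"required": ["metadata", "content"],
+"properties": {
+"metadata": {
+"$ref": "#/definitions/VRTmetadata"
+},
+"content": {
+"type": "array",
+"items" : {
+"anyOf": [
+{ "$ref": "#/definitions/VRTparent" },
+{ "$ref": "#/definitions/VRT" }
+]
+}
+}
+}
+}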
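Review bot: `priority` in the `VRT` definition is declared `{ "type": "number", "minimum": 1, "maximum": 5 }`, which accepts fractional values such as 2.5 even though every priority in the taxonomy data is a whole number from 1 to 5 and consumers presumably compare or index on integer priorities; `{ "type": "integer", "minimum": 1, "maximum": 5 }` pins that. The `VRT`, `VRTparent` and `VRTmetadata` definitions are also open objects, so an entry that carries `priority` alongside a mistyped `children` value still validates through the `VRT` branch of the `anyOf`, and a misspelled key (say `prioritiy`) is accepted silently; adding `"additionalProperties": false` to each of the three definitions closes that gap, and `"minItems": 1` on `children` would reject a parent with no leaves. Note too that in draft-04 `"format": "date-time"` on `release_date` is an annotation unless the validator opts in to format checking, so a malformed release date is not rejected by default; if that matters, back it with a `pattern` or document the validator setting.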
@@ -0,0 +1,1526 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2017-02-17T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "same_site_scripting",
19
+ "name": "Same-Site Scripting",
20
+ "type": "subcategory",
21
+ "priority": 5
22
+ },
23
+ {
24
+ "id": "ssl_attack_breach_poodle_etc",
25
+ "name": "SSL Attack (BREACH, POODLE etc.)",
26
+ "type": "subcategory",
27
+ "priority": null
28
+ },
29
+ {
30
+ "id": "using_default_credentials",
31
+ "name": "Using Default Credentials",
32
+ "type": "subcategory",
33
+ "children": [
34
+ {
35
+ "id": "production_server",
36
+ "name": "Production Server",
37
+ "type": "variant",
38
+ "priority": 1
39
+ },
40
+ {
41
+ "id": "staging_development_server",
42
+ "name": "Staging/Development Server",
43
+ "type": "variant",
44
+ "priority": 2
45
+ }
46
+ ]
47
+ },
48
+ {
49
+ "id": "misconfigured_dns",
50
+ "name": "Misconfigured DNS",
51
+ "type": "subcategory",
52
+ "children": [
53
+ {
54
+ "id": "subdomain_takeover",
55
+ "name": "Subdomain Takeover",
56
+ "type": "variant",
57
+ "priority": 2
58
+ }
59
+ ]
60
+ },
61
+ {
62
+ "id": "mail_server_misconfiguration",
63
+ "name": "Mail Server Misconfiguration",
64
+ "type": "subcategory",
65
+ "children": [
66
+ {
67
+ "id": "missing_spf_on_email_domain",
68
+ "name": "Missing SPF on Email Domain",
69
+ "type": "variant",
70
+ "priority": 3
71
+ },
72
+ {
73
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
74
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
75
+ "type": "variant",
76
+ "priority": 3
77
+ },
78
+ {
79
+ "id": "missing_spf_on_non_email_domain",
80
+ "name": "Missing SPF on Non-Email Domain",
81
+ "type": "variant",
82
+ "priority": 5
83
+ },
84
+ {
85
+ "id": "spf_uses_a_soft_fail",
86
+ "name": "SPF Uses a Soft Fail",
87
+ "type": "variant",
88
+ "priority": 5
89
+ },
90
+ {
91
+ "id": "spf_includes_10_lookups",
92
+ "name": "SPF Includes > 10 Lookups",
93
+ "type": "variant",
94
+ "priority": 5
95
+ },
96
+ {
97
+ "id": "missing_dmarc",
98
+ "name": "Missing DMARC",
99
+ "type": "variant",
100
+ "priority": 5
101
+ }
102
+ ]
103
+ },
104
+ {
105
+ "id": "lack_of_password_confirmation",
106
+ "name": "Lack of Password Confirmation",
107
+ "type": "subcategory",
108
+ "children": [
109
+ {
110
+ "id": "change_email_address",
111
+ "name": "Change Email Address",
112
+ "type": "variant",
113
+ "priority": 4
114
+ },
115
+ {
116
+ "id": "change_password",
117
+ "name": "Change Password",
118
+ "type": "variant",
119
+ "priority": 4
120
+ },
121
+ {
122
+ "id": "delete_account",
123
+ "name": "Delete Account",
124
+ "type": "variant",
125
+ "priority": 4
126
+ }
127
+ ]
128
+ },
129
+ {
130
+ "id": "no_rate_limiting_on_form",
131
+ "name": "No Rate Limiting on Form",
132
+ "type": "subcategory",
133
+ "children": [
134
+ {
135
+ "id": "registration",
136
+ "name": "Registration",
137
+ "type": "variant",
138
+ "priority": 4
139
+ },
140
+ {
141
+ "id": "login",
142
+ "name": "Login",
143
+ "type": "variant",
144
+ "priority": 3
145
+ },
146
+ {
147
+ "id": "email_triggering",
148
+ "name": "Email-Triggering",
149
+ "type": "variant",
150
+ "priority": 4
151
+ }
152
+ ]
153
+ },
154
+ {
155
+ "id": "unsafe_file_upload",
156
+ "name": "Unsafe File Upload",
157
+ "type": "subcategory",
158
+ "children": [
159
+ {
160
+ "id": "no_antivirus",
161
+ "name": "No Antivirus",
162
+ "type": "variant",
163
+ "priority": 4
164
+ },
165
+ {
166
+ "id": "no_size_limit",
167
+ "name": "No Size Limit",
168
+ "type": "variant",
169
+ "priority": 4
170
+ },
171
+ {
172
+ "id": "file_extension_filter_bypass",
173
+ "name": "File Extension Filter Bypass",
174
+ "type": "variant",
175
+ "priority": 5
176
+ }
177
+ ]
178
+ },
179
+ {
180
+ "id": "missing_secure_or_httponly_cookie_flag",
181
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
182
+ "type": "subcategory",
183
+ "children": [
184
+ {
185
+ "id": "session_token",
186
+ "name": "Session Token",
187
+ "type": "variant",
188
+ "priority": 4
189
+ },
190
+ {
191
+ "id": "non_session_cookie",
192
+ "name": "Non-Session Cookie",
193
+ "type": "variant",
194
+ "priority": 5
195
+ }
196
+ ]
197
+ },
198
+ {
199
+ "id": "clickjacking",
200
+ "name": "Clickjacking",
201
+ "type": "subcategory",
202
+ "children": [
203
+ {
204
+ "id": "sensitive_action",
205
+ "name": "Sensitive Action",
206
+ "type": "variant",
207
+ "priority": 4
208
+ },
209
+ {
210
+ "id": "non_sensitive_action",
211
+ "name": "Non-Sensitive Action",
212
+ "type": "variant",
213
+ "priority": 5
214
+ }
215
+ ]
216
+ },
217
+ {
218
+ "id": "oauth_misconfiguration",
219
+ "name": "OAuth Misconfiguration",
220
+ "type": "subcategory",
221
+ "children": [
222
+ {
223
+ "id": "missing_state_parameter",
224
+ "name": "Missing State Parameter",
225
+ "type": "variant",
226
+ "priority": 4
227
+ }
228
+ ]
229
+ },
230
+ {
231
+ "id": "captcha_bypass",
232
+ "name": "Captcha Bypass",
233
+ "type": "subcategory",
234
+ "children": [
235
+ {
236
+ "id": "implementation_vulnerability",
237
+ "name": "Implementation Vulnerability",
238
+ "type": "variant",
239
+ "priority": 4
240
+ },
241
+ {
242
+ "id": "brute_force",
243
+ "name": "Brute Force",
244
+ "type": "variant",
245
+ "priority": 5
246
+ }
247
+ ]
248
+ },
249
+ {
250
+ "id": "exposed_admin_portal",
251
+ "name": "Exposed Admin Portal",
252
+ "type": "subcategory",
253
+ "children": [
254
+ {
255
+ "id": "to_internet",
256
+ "name": "To Internet",
257
+ "type": "variant",
258
+ "priority": 5
259
+ }
260
+ ]
261
+ },
262
+ {
263
+ "id": "missing_dnssec",
264
+ "name": "Missing DNSSEC",
265
+ "type": "subcategory",
266
+ "priority": 5
267
+ },
268
+ {
269
+ "id": "username_enumeration",
270
+ "name": "Username Enumeration",
271
+ "type": "subcategory",
272
+ "children": [
273
+ {
274
+ "id": "brute_force",
275
+ "name": "Brute Force",
276
+ "type": "variant",
277
+ "priority": 5
278
+ }
279
+ ]
280
+ },
281
+ {
282
+ "id": "potentially_unsafe_http_method_enabled",
283
+ "name": "Potentially Unsafe HTTP Method Enabled",
284
+ "type": "subcategory",
285
+ "children": [
286
+ {
287
+ "id": "options",
288
+ "name": "OPTIONS",
289
+ "type": "variant",
290
+ "priority": 5
291
+ },
292
+ {
293
+ "id": "trace",
294
+ "name": "TRACE",
295
+ "type": "variant",
296
+ "priority": 5
297
+ }
298
+ ]
299
+ },
300
+ {
301
+ "id": "insecure_ssl",
302
+ "name": "Insecure SSL",
303
+ "type": "subcategory",
304
+ "children": [
305
+ {
306
+ "id": "lack_of_forward_secrecy",
307
+ "name": "Lack of Forward Secrecy",
308
+ "type": "variant",
309
+ "priority": 5
310
+ },
311
+ {
312
+ "id": "insecure_cipher_suite",
313
+ "name": "Insecure Cipher Suite",
314
+ "type": "variant",
315
+ "priority": 5
316
+ }
317
+ ]
318
+ },
319
+ {
320
+ "id": "lack_of_security_headers",
321
+ "name": "Lack of Security Headers",
322
+ "type": "subcategory",
323
+ "children": [
324
+ {
325
+ "id": "x_frame_options",
326
+ "name": "X-Frame-Options",
327
+ "type": "variant",
328
+ "priority": 5
329
+ },
330
+ {
331
+ "id": "cache_control_for_a_non_sensitive_page",
332
+ "name": "Cache-Control for a Non-Sensitive Page",
333
+ "type": "variant",
334
+ "priority": 5
335
+ },
336
+ {
337
+ "id": "x_xss_protection",
338
+ "name": "X-XSS-Protection",
339
+ "type": "variant",
340
+ "priority": 5
341
+ },
342
+ {
343
+ "id": "strict_transport_security",
344
+ "name": "Strict-Transport-Security",
345
+ "type": "variant",
346
+ "priority": 5
347
+ },
348
+ {
349
+ "id": "x_content_type_options",
350
+ "name": "X-Content-Type-Options",
351
+ "type": "variant",
352
+ "priority": 5
353
+ },
354
+ {
355
+ "id": "content_security_policy",
356
+ "name": "Content-Security-Policy",
357
+ "type": "variant",
358
+ "priority": 5
359
+ },
360
+ {
361
+ "id": "public_key_pins",
362
+ "name": "Public-Key-Pins",
363
+ "type": "variant",
364
+ "priority": 5
365
+ },
366
+ {
367
+ "id": "x_content_security_policy",
368
+ "name": "X-Content-Security-Policy",
369
+ "type": "variant",
370
+ "priority": 5
371
+ },
372
+ {
373
+ "id": "x_webkit_csp",
374
+ "name": "X-Webkit-CSP",
375
+ "type": "variant",
376
+ "priority": 5
377
+ },
378
+ {
379
+ "id": "content_security_policy_report_only",
380
+ "name": "Content-Security-Policy-Report-Only",
381
+ "type": "variant",
382
+ "priority": 5
383
+ },
384
+ {
385
+ "id": "cache_control_for_a_sensitive_page",
386
+ "name": "Cache-Control for a Sensitive Page",
387
+ "type": "variant",
388
+ "priority": 4
389
+ }
390
+ ]
391
+ }
392
+ ]
393
+ },
394
+ {
395
+ "id": "server_side_injection",
396
+ "name": "Server-Side Injection",
397
+ "type": "category",
398
+ "children": [
399
+ {
400
+ "id": "file_inclusion",
401
+ "name": "File Inclusion",
402
+ "type": "subcategory",
403
+ "children": [
404
+ {
405
+ "id": "local",
406
+ "name": "Local",
407
+ "type": "variant",
408
+ "priority": 1
409
+ }
410
+ ]
411
+ },
412
+ {
413
+ "id": "parameter_pollution",
414
+ "name": "Parameter Pollution",
415
+ "type": "subcategory",
416
+ "children": [
417
+ {
418
+ "id": "social_media_sharing_buttons",
419
+ "name": "Social Media Sharing Buttons",
420
+ "type": "variant",
421
+ "priority": 5
422
+ }
423
+ ]
424
+ },
425
+ {
426
+ "id": "remote_code_execution_rce",
427
+ "name": "Remote Code Execution (RCE)",
428
+ "type": "subcategory",
429
+ "priority": 1
430
+ },
431
+ {
432
+ "id": "sql_injection",
433
+ "name": "SQL Injection",
434
+ "type": "subcategory",
435
+ "children": [
436
+ {
437
+ "id": "error_based",
438
+ "name": "Error-Based",
439
+ "type": "variant",
440
+ "priority": 1
441
+ },
442
+ {
443
+ "id": "blind",
444
+ "name": "Blind",
445
+ "type": "variant",
446
+ "priority": 1
447
+ }
448
+ ]
449
+ },
450
+ {
451
+ "id": "xml_external_entity_injection_xxe",
452
+ "name": "XML External Entity Injection (XXE)",
453
+ "type": "subcategory",
454
+ "priority": 1
455
+ },
456
+ {
457
+ "id": "http_response_manipulation",
458
+ "name": "HTTP Response Manipulation",
459
+ "type": "subcategory",
460
+ "children": [
461
+ {
462
+ "id": "response_splitting_crlf",
463
+ "name": "Response Splitting (CRLF)",
464
+ "type": "variant",
465
+ "priority": 3
466
+ }
467
+ ]
468
+ },
469
+ {
470
+ "id": "content_spoofing",
471
+ "name": "Content Spoofing",
472
+ "type": "subcategory",
473
+ "children": [
474
+ {
475
+ "id": "iframe_injection",
476
+ "name": "iframe Injection",
477
+ "type": "variant",
478
+ "priority": 3
479
+ },
480
+ {
481
+ "id": "external_authentication_injection",
482
+ "name": "External Authentication Injection",
483
+ "type": "variant",
484
+ "priority": 4
485
+ },
486
+ {
487
+ "id": "email_html_injection",
488
+ "name": "Email HTML Injection",
489
+ "type": "variant",
490
+ "priority": 4
491
+ },
492
+ {
493
+ "id": "text_injection",
494
+ "name": "Text Injection",
495
+ "type": "variant",
496
+ "priority": 5
497
+ },
498
+ {
499
+ "id": "homograph_idn_based",
500
+ "name": "Homograph/IDN-Based",
501
+ "type": "variant",
502
+ "priority": 5
503
+ }
504
+ ]
505
+ }
506
+ ]
507
+ },
508
+ {
509
+ "id": "broken_authentication_and_session_management",
510
+ "name": "Broken Authentication and Session Management",
511
+ "type": "category",
512
+ "children": [
513
+ {
514
+ "id": "authentication_bypass",
515
+ "name": "Authentication Bypass",
516
+ "type": "subcategory",
517
+ "children": [
518
+ {
519
+ "id": "vertical",
520
+ "name": "Vertical",
521
+ "type": "variant",
522
+ "priority": 1
523
+ },
524
+ {
525
+ "id": "horizontal",
526
+ "name": "Horizontal",
527
+ "type": "variant",
528
+ "priority": 2
529
+ }
530
+ ]
531
+ },
532
+ {
533
+ "id": "weak_login_function",
534
+ "name": "Weak Login Function",
535
+ "type": "subcategory",
536
+ "children": [
537
+ {
538
+ "id": "over_http",
539
+ "name": "Over HTTP",
540
+ "type": "variant",
541
+ "priority": 3
542
+ }
543
+ ]
544
+ },
545
+ {
546
+ "id": "session_fixation",
547
+ "name": "Session Fixation",
548
+ "type": "subcategory",
549
+ "priority": 3
550
+ },
551
+ {
552
+ "id": "failure_to_invalidate_session",
553
+ "name": "Failure to Invalidate Session",
554
+ "type": "subcategory",
555
+ "children": [
556
+ {
557
+ "id": "on_logout",
558
+ "name": "On Logout",
559
+ "type": "variant",
560
+ "priority": 4
561
+ },
562
+ {
563
+ "id": "on_password_reset",
564
+ "name": "On Password Reset",
565
+ "type": "variant",
566
+ "priority": 4
567
+ },
568
+ {
569
+ "id": "on_password_change",
570
+ "name": "On Password Change",
571
+ "type": "variant",
572
+ "priority": 4
573
+ },
574
+ {
575
+ "id": "all_sessions",
576
+ "name": "All Sessions",
577
+ "type": "variant",
578
+ "priority": 5
579
+ },
580
+ {
581
+ "id": "on_email_change",
582
+ "name": "On Email Change",
583
+ "type": "variant",
584
+ "priority": 5
585
+ },
586
+ {
587
+ "id": "long_timeout",
588
+ "name": "Long Timeout",
589
+ "type": "variant",
590
+ "priority": 5
591
+ }
592
+ ]
593
+ },
594
+ {
595
+ "id": "session_token_in_url",
596
+ "name": "Session Token in URL",
597
+ "type": "subcategory",
598
+ "children": [
599
+ {
600
+ "id": "over_http",
601
+ "name": "Over HTTP",
602
+ "type": "variant",
603
+ "priority": 4
604
+ },
605
+ {
606
+ "id": "over_https",
607
+ "name": "Over HTTPS",
608
+ "type": "variant",
609
+ "priority": 5
610
+ }
611
+ ]
612
+ },
613
+ {
614
+ "id": "concurrent_logins",
615
+ "name": "Concurrent Logins",
616
+ "type": "subcategory",
617
+ "priority": 5
618
+ },
619
+ {
620
+ "id": "weak_registration_implementation",
621
+ "name": "Weak Registration Implementation",
622
+ "type": "subcategory",
623
+ "children": [
624
+ {
625
+ "id": "over_http",
626
+ "name": "Over HTTP",
627
+ "type": "variant",
628
+ "priority": 4
629
+ }
630
+ ]
631
+ }
632
+ ]
633
+ },
634
+ {
635
+ "id": "insecure_direct_object_references_idor",
636
+ "name": "Insecure Direct Object References (IDOR)",
637
+ "type": "category",
638
+ "priority": null
639
+ },
640
+ {
641
+ "id": "sensitive_data_exposure",
642
+ "name": "Sensitive Data Exposure",
643
+ "type": "category",
644
+ "children": [
645
+ {
646
+ "id": "critically_sensitive_data",
647
+ "name": "Critically Sensitive Data",
648
+ "type": "subcategory",
649
+ "children": [
650
+ {
651
+ "id": "password_disclosure",
652
+ "name": "Password Disclosure",
653
+ "type": "variant",
654
+ "priority": 1
655
+ },
656
+ {
657
+ "id": "private_api_keys",
658
+ "name": "Private API Keys",
659
+ "type": "variant",
660
+ "priority": 1
661
+ }
662
+ ]
663
+ },
664
+ {
665
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
666
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
667
+ "type": "subcategory",
668
+ "children": [
669
+ {
670
+ "id": "automatic_user_enumeration",
671
+ "name": "Automatic User Enumeration",
672
+ "type": "variant",
673
+ "priority": 3
674
+ },
675
+ {
676
+ "id": "manual_user_enumeration",
677
+ "name": "Manual User Enumeration",
678
+ "type": "variant",
679
+ "priority": 4
680
+ }
681
+ ]
682
+ },
683
+ {
684
+ "id": "visible_detailed_error_page",
685
+ "name": "Visible Detailed Error Page",
686
+ "type": "subcategory",
687
+ "priority": null
688
+ },
689
+ {
690
+ "id": "disclosure_of_known_public_information",
691
+ "name": "Disclosure of Known Public Information",
692
+ "type": "subcategory",
693
+ "priority": 5
694
+ },
695
+ {
696
+ "id": "token_leakage_via_referer",
697
+ "name": "Token Leakage via Referer",
698
+ "type": "subcategory",
699
+ "children": [
700
+ {
701
+ "id": "over_https",
702
+ "name": "Over HTTPS",
703
+ "type": "variant",
704
+ "priority": 5
705
+ },
706
+ {
707
+ "id": "over_http",
708
+ "name": "Over HTTP",
709
+ "type": "variant",
710
+ "priority": 4
711
+ }
712
+ ]
713
+ },
714
+ {
715
+ "id": "sensitive_token_in_url",
716
+ "name": "Sensitive Token in URL",
717
+ "type": "subcategory",
718
+ "priority": 4
719
+ },
720
+ {
721
+ "id": "weak_password_reset_implementation",
722
+ "name": "Weak Password Reset Implementation",
723
+ "type": "subcategory",
724
+ "children": [
725
+ {
726
+ "id": "password_reset_token_sent_over_http",
727
+ "name": "Password Reset Token Sent Over HTTP",
728
+ "type": "variant",
729
+ "priority": 4
730
+ }
731
+ ]
732
+ },
733
+ {
734
+ "id": "mixed_content",
735
+ "name": "Mixed Content",
736
+ "type": "subcategory",
737
+ "children": [
738
+ {
739
+ "id": "sensitive_data_disclosure",
740
+ "name": "Sensitive Data Disclosure",
741
+ "type": "variant",
742
+ "priority": 4
743
+ },
744
+ {
745
+ "id": "requires_being_a_man_in_the_middle",
746
+ "name": "Requires Being a Man-in-the-Middle",
747
+ "type": "variant",
748
+ "priority": 5
749
+ }
750
+ ]
751
+ },
752
+ {
753
+ "id": "sensitive_data_hardcoded",
754
+ "name": "Sensitive Data Hardcoded",
755
+ "type": "subcategory",
756
+ "children": [
757
+ {
758
+ "id": "oauth_secret",
759
+ "name": "OAuth Secret",
760
+ "type": "variant",
761
+ "priority": 5
762
+ },
763
+ {
764
+ "id": "file_paths",
765
+ "name": "File Paths",
766
+ "type": "variant",
767
+ "priority": 5
768
+ }
769
+ ]
770
+ },
771
+ {
772
+ "id": "non_sensitive_token_in_url",
773
+ "name": "Non-Sensitive Token in URL",
774
+ "type": "subcategory",
775
+ "priority": 5
776
+ }
777
+ ]
778
+ },
779
+ {
780
+ "id": "cross_site_scripting_xss",
781
+ "name": "Cross-Site Scripting (XSS)",
782
+ "type": "category",
783
+ "children": [
784
+ {
785
+ "id": "stored",
786
+ "name": "Stored",
787
+ "type": "subcategory",
788
+ "children": [
789
+ {
790
+ "id": "non_admin_to_anyone",
791
+ "name": "Non-Admin to Anyone",
792
+ "type": "variant",
793
+ "priority": 2
794
+ },
795
+ {
796
+ "id": "admin_to_anyone",
797
+ "name": "Admin to Anyone",
798
+ "type": "variant",
799
+ "priority": 3
800
+ },
801
+ {
802
+ "id": "self",
803
+ "name": "Self",
804
+ "type": "variant",
805
+ "priority": 5
806
+ }
807
+ ]
808
+ },
809
+ {
810
+ "id": "reflected",
811
+ "name": "Reflected",
812
+ "type": "subcategory",
813
+ "children": [
814
+ {
815
+ "id": "non_admin_to_anyone",
816
+ "name": "Non-Admin to Anyone",
817
+ "type": "variant",
818
+ "priority": 3
819
+ },
820
+ {
821
+ "id": "admin_to_anyone",
822
+ "name": "Admin to Anyone",
823
+ "type": "variant",
824
+ "priority": 4
825
+ },
826
+ {
827
+ "id": "self",
828
+ "name": "Self",
829
+ "type": "variant",
830
+ "priority": 5
831
+ }
832
+ ]
833
+ },
834
+ {
835
+ "id": "cookie_based",
836
+ "name": "Cookie-Based",
837
+ "type": "subcategory",
838
+ "priority": 4
839
+ },
840
+ {
841
+ "id": "ie_only",
842
+ "name": "IE-Only",
843
+ "type": "subcategory",
844
+ "children": [
845
+ {
846
+ "id": "older_version_ie_10_11",
847
+ "name": "Older Version (IE 10/11)",
848
+ "type": "variant",
849
+ "priority": 4
850
+ },
851
+ {
852
+ "id": "xss_filter_disabled",
853
+ "name": "XSS Filter Disabled",
854
+ "type": "variant",
855
+ "priority": 5
856
+ },
857
+ {
858
+ "id": "older_version_ie10",
859
+ "name": "Older Version (< IE10)",
860
+ "type": "variant",
861
+ "priority": 5
862
+ }
863
+ ]
864
+ },
865
+ {
866
+ "id": "referer",
867
+ "name": "Referer",
868
+ "type": "subcategory",
869
+ "priority": 4
870
+ },
871
+ {
872
+ "id": "trace_method",
873
+ "name": "TRACE Method",
874
+ "type": "subcategory",
875
+ "priority": 5
876
+ },
877
+ {
878
+ "id": "universal_uxss",
879
+ "name": "Universal (UXSS)",
880
+ "type": "subcategory",
881
+ "priority": 4
882
+ },
883
+ {
884
+ "id": "off_domain",
885
+ "name": "Off-Domain",
886
+ "type": "subcategory",
887
+ "children": [
888
+ {
889
+ "id": "data_uri",
890
+ "name": "Data URI",
891
+ "type": "variant",
892
+ "priority": 4
893
+ }
894
+ ]
895
+ }
896
+ ]
897
+ },
898
+ {
899
+ "id": "missing_function_level_access_control",
900
+ "name": "Missing Function Level Access Control",
901
+ "type": "category",
902
+ "children": [
903
+ {
904
+ "id": "server_side_request_forgery_ssrf",
905
+ "name": "Server-Side Request Forgery (SSRF)",
906
+ "type": "subcategory",
907
+ "children": [
908
+ {
909
+ "id": "internal",
910
+ "name": "Internal",
911
+ "type": "variant",
912
+ "priority": 2
913
+ },
914
+ {
915
+ "id": "external",
916
+ "name": "External",
917
+ "type": "variant",
918
+ "priority": 4
919
+ }
920
+ ]
921
+ },
922
+ {
923
+ "id": "username_enumeration",
924
+ "name": "Username Enumeration",
925
+ "type": "subcategory",
926
+ "children": [
927
+ {
928
+ "id": "data_leak",
929
+ "name": "Data Leak",
930
+ "type": "variant",
931
+ "priority": 4
932
+ }
933
+ ]
934
+ },
935
+ {
936
+ "id": "exposed_sensitive_android_intent",
937
+ "name": "Exposed Sensitive Android Intent",
938
+ "type": "subcategory",
939
+ "priority": null
940
+ },
941
+ {
942
+ "id": "exposed_sensitive_ios_url_scheme",
943
+ "name": "Exposed Sensitive iOS URL Scheme",
944
+ "type": "subcategory",
945
+ "priority": null
946
+ }
947
+ ]
948
+ },
949
+ {
950
+ "id": "cross_site_request_forgery_csrf",
951
+ "name": "Cross-Site Request Forgery (CSRF)",
952
+ "type": "category",
953
+ "priority": null
954
+ },
955
+ {
956
+ "id": "application_level_denial_of_service_dos",
957
+ "name": "Application-Level Denial-of-Service (DoS)",
958
+ "type": "category",
959
+ "children": [
960
+ {
961
+ "id": "critical_impact_and_or_easy_difficulty",
962
+ "name": "Critical Impact and/or Easy Difficulty",
963
+ "type": "subcategory",
964
+ "priority": 2
965
+ },
966
+ {
967
+ "id": "high_impact_and_or_medium_difficulty",
968
+ "name": "High Impact and/or Medium Difficulty",
969
+ "type": "subcategory",
970
+ "priority": 3
971
+ },
972
+ {
973
+ "id": "app_crash",
974
+ "name": "App Crash",
975
+ "type": "subcategory",
976
+ "children": [
977
+ {
978
+ "id": "malformed_android_intents",
979
+ "name": "Malformed Android Intents",
980
+ "type": "variant",
981
+ "priority": 5
982
+ },
983
+ {
984
+ "id": "malformed_ios_url_schemes",
985
+ "name": "Malformed iOS URL Schemes",
986
+ "type": "variant",
987
+ "priority": 5
988
+ }
989
+ ]
990
+ }
991
+ ]
992
+ },
993
+ {
994
+ "id": "unvalidated_redirects_and_forwards",
995
+ "name": "Unvalidated Redirects and Forwards",
996
+ "type": "category",
997
+ "children": [
998
+ {
999
+ "id": "open_redirect",
1000
+ "name": "Open Redirect",
1001
+ "type": "subcategory",
1002
+ "children": [
1003
+ {
1004
+ "id": "get_based_all_users",
1005
+ "name": "GET-Based (All Users)",
1006
+ "type": "variant",
1007
+ "priority": 3
1008
+ },
1009
+ {
1010
+ "id": "get_based_authenticated",
1011
+ "name": "GET-Based (Authenticated)",
1012
+ "type": "variant",
1013
+ "priority": 4
1014
+ },
1015
+ {
1016
+ "id": "get_based_unauthenticated",
1017
+ "name": "GET-Based (Unauthenticated)",
1018
+ "type": "variant",
1019
+ "priority": 4
1020
+ },
1021
+ {
1022
+ "id": "post_based",
1023
+ "name": "POST-Based",
1024
+ "type": "variant",
1025
+ "priority": 5
1026
+ },
1027
+ {
1028
+ "id": "header_based",
1029
+ "name": "Header-Based",
1030
+ "type": "variant",
1031
+ "priority": 5
1032
+ }
1033
+ ]
1034
+ },
1035
+ {
1036
+ "id": "tabnabbing",
1037
+ "name": "Tabnabbing",
1038
+ "type": "subcategory",
1039
+ "priority": 5
1040
+ },
1041
+ {
1042
+ "id": "lack_of_security_speed_bump_page",
1043
+ "name": "Lack of Security Speed Bump Page",
1044
+ "type": "subcategory",
1045
+ "priority": 5
1046
+ }
1047
+ ]
1048
+ },
1049
+ {
1050
+ "id": "external_behavior",
1051
+ "name": "External Behavior",
1052
+ "type": "category",
1053
+ "children": [
1054
+ {
1055
+ "id": "browser_feature",
1056
+ "name": "Browser Feature",
1057
+ "type": "subcategory",
1058
+ "children": [
1059
+ {
1060
+ "id": "plaintext_password_field",
1061
+ "name": "Plaintext Password Field",
1062
+ "type": "variant",
1063
+ "priority": 5
1064
+ },
1065
+ {
1066
+ "id": "save_password",
1067
+ "name": "Save Password",
1068
+ "type": "variant",
1069
+ "priority": 5
1070
+ },
1071
+ {
1072
+ "id": "autocomplete_enabled",
1073
+ "name": "Autocomplete Enabled",
1074
+ "type": "variant",
1075
+ "priority": 5
1076
+ },
1077
+ {
1078
+ "id": "autocorrect_enabled",
1079
+ "name": "Autocorrect Enabled",
1080
+ "type": "variant",
1081
+ "priority": 5
1082
+ },
1083
+ {
1084
+ "id": "aggressive_offline_caching",
1085
+ "name": "Aggressive Offline Caching",
1086
+ "type": "variant",
1087
+ "priority": 5
1088
+ }
1089
+ ]
1090
+ },
1091
+ {
1092
+ "id": "csv_injection",
1093
+ "name": "CSV Injection",
1094
+ "type": "subcategory",
1095
+ "priority": 5
1096
+ },
1097
+ {
1098
+ "id": "captcha_bypass",
1099
+ "name": "Captcha Bypass",
1100
+ "type": "subcategory",
1101
+ "children": [
1102
+ {
1103
+ "id": "crowdsourcing",
1104
+ "name": "Crowdsourcing",
1105
+ "type": "variant",
1106
+ "priority": 5
1107
+ }
1108
+ ]
1109
+ },
1110
+ {
1111
+ "id": "system_clipboard_leak",
1112
+ "name": "System Clipboard Leak",
1113
+ "type": "subcategory",
1114
+ "children": [
1115
+ {
1116
+ "id": "shared_links",
1117
+ "name": "Shared Links",
1118
+ "type": "variant",
1119
+ "priority": 5
1120
+ }
1121
+ ]
1122
+ },
1123
+ {
1124
+ "id": "user_password_persisted_in_memory",
1125
+ "name": "User Password Persisted in Memory",
1126
+ "type": "subcategory",
1127
+ "priority": 5
1128
+ }
1129
+ ]
1130
+ },
1131
+ {
1132
+ "id": "insufficient_security_configurability",
1133
+ "name": "Insufficient Security Configurability",
1134
+ "type": "category",
1135
+ "children": [
1136
+ {
1137
+ "id": "weak_password_policy",
1138
+ "name": "Weak Password Policy",
1139
+ "type": "subcategory",
1140
+ "children": [
1141
+ {
1142
+ "id": "complexity_both_length_and_char_type_not_enforced",
1143
+ "name": "Complexity, Both Length and Char Type Not Enforced",
1144
+ "type": "variant",
1145
+ "priority": 3
1146
+ },
1147
+ {
1148
+ "id": "complexity_length_not_enforced",
1149
+ "name": "Complexity, Length Not Enforced",
1150
+ "type": "variant",
1151
+ "priority": 4
1152
+ },
1153
+ {
1154
+ "id": "complexity_char_type_not_enforced",
1155
+ "name": "Complexity, Char Type Not Enforced",
1156
+ "type": "variant",
1157
+ "priority": 4
1158
+ },
1159
+ {
1160
+ "id": "allows_reuse_of_old_passwords",
1161
+ "name": "Allows Reuse of Old Passwords",
1162
+ "type": "variant",
1163
+ "priority": 5
1164
+ },
1165
+ {
1166
+ "id": "allows_password_to_be_same_as_email_username",
1167
+ "name": "Allows Password to be Same as Email/Username",
1168
+ "type": "variant",
1169
+ "priority": 5
1170
+ }
1171
+ ]
1172
+ },
1173
+ {
1174
+ "id": "weak_password_reset_implementation",
1175
+ "name": "Weak Password Reset Implementation",
1176
+ "type": "subcategory",
1177
+ "children": [
1178
+ {
1179
+ "id": "token_is_not_invalidated_after_use",
1180
+ "name": "Token is Not Invalidated After Use",
1181
+ "type": "variant",
1182
+ "priority": 4
1183
+ },
1184
+ {
1185
+ "id": "token_is_not_invalidated_after_email_change",
1186
+ "name": "Token is Not Invalidated After Email Change",
1187
+ "type": "variant",
1188
+ "priority": 5
1189
+ },
1190
+ {
1191
+ "id": "token_is_not_invalidated_after_password_change",
1192
+ "name": "Token is Not Invalidated After Password Change",
1193
+ "type": "variant",
1194
+ "priority": 5
1195
+ },
1196
+ {
1197
+ "id": "token_has_long_timed_expiry",
1198
+ "name": "Token Has Long Timed Expiry",
1199
+ "type": "variant",
1200
+ "priority": 5
1201
+ },
1202
+ {
1203
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1204
+ "name": "Token is Not Invalidated After New Token is Requested",
1205
+ "type": "variant",
1206
+ "priority": 5
1207
+ }
1208
+ ]
1209
+ },
1210
+ {
1211
+ "id": "lack_of_verification_email",
1212
+ "name": "Lack of Verification Email",
1213
+ "type": "subcategory",
1214
+ "priority": 5
1215
+ },
1216
+ {
1217
+ "id": "lack_of_notification_email",
1218
+ "name": "Lack of Notification Email",
1219
+ "type": "subcategory",
1220
+ "priority": 5
1221
+ },
1222
+ {
1223
+ "id": "weak_registration_implementation",
1224
+ "name": "Weak Registration Implementation",
1225
+ "type": "subcategory",
1226
+ "children": [
1227
+ {
1228
+ "id": "allows_disposable_email_addresses",
1229
+ "name": "Allows Disposable Email Addresses",
1230
+ "type": "variant",
1231
+ "priority": 5
1232
+ }
1233
+ ]
1234
+ },
1235
+ {
1236
+ "id": "weak_2fa_implementation",
1237
+ "name": "Weak 2FA Implementation",
1238
+ "type": "subcategory",
1239
+ "children": [
1240
+ {
1241
+ "id": "missing_failsafe",
1242
+ "name": "Missing Failsafe",
1243
+ "type": "variant",
1244
+ "priority": 5
1245
+ }
1246
+ ]
1247
+ }
1248
+ ]
1249
+ },
1250
+ {
1251
+ "id": "using_components_with_known_vulnerabilities",
1252
+ "name": "Using Components with Known Vulnerabilities",
1253
+ "type": "category",
1254
+ "children": [
1255
+ {
1256
+ "id": "rosetta_flash",
1257
+ "name": "Rosetta Flash",
1258
+ "type": "subcategory",
1259
+ "priority": 4
1260
+ },
1261
+ {
1262
+ "id": "outdated_software_version",
1263
+ "name": "Outdated Software Version",
1264
+ "type": "subcategory",
1265
+ "priority": 5
1266
+ },
1267
+ {
1268
+ "id": "captcha_bypass",
1269
+ "name": "Captcha Bypass",
1270
+ "type": "subcategory",
1271
+ "children": [
1272
+ {
1273
+ "id": "ocr_optical_character_recognition",
1274
+ "name": "OCR (Optical Character Recognition)",
1275
+ "type": "variant",
1276
+ "priority": 5
1277
+ }
1278
+ ]
1279
+ }
1280
+ ]
1281
+ },
1282
+ {
1283
+ "id": "insecure_data_storage",
1284
+ "name": "Insecure Data Storage",
1285
+ "type": "category",
1286
+ "children": [
1287
+ {
1288
+ "id": "credentials_stored_unencrypted",
1289
+ "name": "Credentials Stored Unencrypted",
1290
+ "type": "subcategory",
1291
+ "children": [
1292
+ {
1293
+ "id": "on_external_storage",
1294
+ "name": "On External Storage",
1295
+ "type": "variant",
1296
+ "priority": 4
1297
+ },
1298
+ {
1299
+ "id": "on_internal_storage",
1300
+ "name": "On Internal Storage",
1301
+ "type": "variant",
1302
+ "priority": 5
1303
+ }
1304
+ ]
1305
+ },
1306
+ {
1307
+ "id": "sensitive_application_data_stored_unencrypted",
1308
+ "name": "Sensitive Application Data Stored Unencrypted",
1309
+ "type": "subcategory",
1310
+ "children": [
1311
+ {
1312
+ "id": "on_external_storage",
1313
+ "name": "On External Storage",
1314
+ "type": "variant",
1315
+ "priority": 4
1316
+ },
1317
+ {
1318
+ "id": "on_internal_storage",
1319
+ "name": "On Internal Storage",
1320
+ "type": "variant",
1321
+ "priority": 5
1322
+ }
1323
+ ]
1324
+ },
1325
+ {
1326
+ "id": "non_sensitive_application_data_stored_unencrypted",
1327
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1328
+ "type": "subcategory",
1329
+ "priority": 5
1330
+ },
1331
+ {
1332
+ "id": "screen_caching_enabled",
1333
+ "name": "Screen Caching Enabled",
1334
+ "type": "subcategory",
1335
+ "priority": 5
1336
+ },
1337
+ {
1338
+ "id": "insecure_data_storage",
1339
+ "name": "Insecure Data Storage",
1340
+ "type": "subcategory",
1341
+ "children": [
1342
+ {
1343
+ "id": "password",
1344
+ "name": "Password",
1345
+ "type": "variant",
1346
+ "priority": 2
1347
+ }
1348
+ ]
1349
+ }
1350
+ ]
1351
+ },
1352
+ {
1353
+ "id": "lack_of_binary_hardening",
1354
+ "name": "Lack of Binary Hardening",
1355
+ "type": "category",
1356
+ "children": [
1357
+ {
1358
+ "id": "lack_of_exploit_mitigations",
1359
+ "name": "Lack of Exploit Mitigations",
1360
+ "type": "subcategory",
1361
+ "priority": 5
1362
+ },
1363
+ {
1364
+ "id": "lack_of_jailbreak_detection",
1365
+ "name": "Lack of Jailbreak Detection",
1366
+ "type": "subcategory",
1367
+ "priority": 5
1368
+ },
1369
+ {
1370
+ "id": "lack_of_obfuscation",
1371
+ "name": "Lack of Obfuscation",
1372
+ "type": "subcategory",
1373
+ "priority": 5
1374
+ },
1375
+ {
1376
+ "id": "runtime_instrumentation_based",
1377
+ "name": "Runtime Instrumentation-Based",
1378
+ "type": "subcategory",
1379
+ "priority": 5
1380
+ }
1381
+ ]
1382
+ },
1383
+ {
1384
+ "id": "insecure_data_transport",
1385
+ "name": "Insecure Data Transport",
1386
+ "type": "category",
1387
+ "children": [
1388
+ {
1389
+ "id": "ssl_certificate_pinning",
1390
+ "name": "SSL Certificate Pinning",
1391
+ "type": "subcategory",
1392
+ "children": [
1393
+ {
1394
+ "id": "absent",
1395
+ "name": "Absent",
1396
+ "type": "variant",
1397
+ "priority": 5
1398
+ },
1399
+ {
1400
+ "id": "defeatable",
1401
+ "name": "Defeatable",
1402
+ "type": "variant",
1403
+ "priority": 5
1404
+ }
1405
+ ]
1406
+ }
1407
+ ]
1408
+ },
1409
+ {
1410
+ "id": "insecure_os_firmware",
1411
+ "name": "Insecure OS/Firmware",
1412
+ "type": "category",
1413
+ "children": [
1414
+ {
1415
+ "id": "command_injection",
1416
+ "name": "Command Injection",
1417
+ "type": "subcategory",
1418
+ "priority": 1
1419
+ },
1420
+ {
1421
+ "id": "hardcoded_password",
1422
+ "name": "Hardcoded Password",
1423
+ "type": "subcategory",
1424
+ "children": [
1425
+ {
1426
+ "id": "privileged_user",
1427
+ "name": "Privileged User",
1428
+ "type": "variant",
1429
+ "priority": 1
1430
+ },
1431
+ {
1432
+ "id": "non_privileged_user",
1433
+ "name": "Non-Privileged User",
1434
+ "type": "variant",
1435
+ "priority": 2
1436
+ }
1437
+ ]
1438
+ }
1439
+ ]
1440
+ },
1441
+ {
1442
+ "id": "broken_cryptography",
1443
+ "name": "Broken Cryptography",
1444
+ "type": "category",
1445
+ "children": [
1446
+ {
1447
+ "id": "cryptographic_flaw",
1448
+ "name": "Cryptographic Flaw",
1449
+ "type": "subcategory",
1450
+ "children": [
1451
+ {
1452
+ "id": "incorrect_usage",
1453
+ "name": "Incorrect Usage",
1454
+ "type": "variant",
1455
+ "priority": 1
1456
+ }
1457
+ ]
1458
+ }
1459
+ ]
1460
+ },
1461
+ {
1462
+ "id": "privacy_concerns",
1463
+ "name": "Privacy Concerns",
1464
+ "type": "category",
1465
+ "children": [
1466
+ {
1467
+ "id": "unnecessary_data_collection",
1468
+ "name": "Unnecessary Data Collection",
1469
+ "type": "subcategory",
1470
+ "children": [
1471
+ {
1472
+ "id": "wifi_ssid_password",
1473
+ "name": "WiFi SSID+Password",
1474
+ "type": "variant",
1475
+ "priority": 4
1476
+ }
1477
+ ]
1478
+ }
1479
+ ]
1480
+ },
1481
+ {
1482
+ "id": "network_security_misconfiguration",
1483
+ "name": "Network Security Misconfiguration",
1484
+ "type": "category",
1485
+ "children": [
1486
+ {
1487
+ "id": "telnet_enabled",
1488
+ "name": "Telnet Enabled",
1489
+ "type": "subcategory",
1490
+ "children": [
1491
+ {
1492
+ "id": "credentials_required",
1493
+ "name": "Credentials Required",
1494
+ "type": "variant",
1495
+ "priority": 4
1496
+ }
1497
+ ]
1498
+ }
1499
+ ]
1500
+ },
1501
+ {
1502
+ "id": "mobile_security_misconfiguration",
1503
+ "name": "Mobile Security Misconfiguration",
1504
+ "type": "category",
1505
+ "priority": null
1506
+ },
1507
+ {
1508
+ "id": "poor_physical_security",
1509
+ "name": "Poor Physical Security",
1510
+ "type": "category",
1511
+ "priority": null
1512
+ },
1513
+ {
1514
+ "id": "social_engineering",
1515
+ "name": "Social Engineering",
1516
+ "type": "category",
1517
+ "priority": null
1518
+ },
1519
+ {
1520
+ "id": "client_side_injection",
1521
+ "name": "Client-Side Injection",
1522
+ "type": "category",
1523
+ "priority": null
1524
+ }
1525
+ ]
1526
+ }