vrt 0.1

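--- /dev/null
+++ b/PATH_NOT_SHOWN_FILE_1
@@ -0,0 +1,8 @@
+ {
+ "poor_physical_security": {
+ "1.1": "other"
+ },
+ "social_engineering": {
+ "1.1": "other"
+ }
+ }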
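Review bot: Nothing in this commit validates this mapping file: the schema added in the next file requires a top-level `metadata`/`content` document, so it cannot be applied here, and a key that drifts from a taxonomy `id` (for example after a rename) would go unnoticed. The `"1.1"` sub-key is undocumented and presumably a taxonomy version; a one-line README note or a small schema using `"patternProperties": { "^[a-z_][a-z_0-9]*$": { ... } }` keyed on the same id pattern the taxonomy schema uses would pin both down.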
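--- /dev/null
+++ b/PATH_NOT_SHOWN_FILE_2
@@ -0,0 +1,62 @@
+ {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "Vulnerability Rating Taxonomy",
+ "description": "A Taxonomy of potential vulnerabilities with suggested technical priority rating",
+ "definitions": {
+ "VRTmetadata": {
+ "type": "object",
+ "properties": {
+ "release_date": { "type": "string", "format": "date-time" }
+ }
+ },
+ "VRT": {
+ "type": "object",
+ "properties": {
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "type": { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
+ "priority": {
+ "anyOf": [
+ { "type": "number", "minimum": 1, "maximum": 5 },
+ { "type": "null" }
+ ]
+ }
+ },
+ "required": ["id", "name", "type", "priority"]
+ },
+ "VRTparent": {
+ "type": "object",
+ "properties": {
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
+ "type": { "type": "string", "enum": [ "category", "subcategory" ] },
+ "children": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/VRTparent" },
+ { "$ref": "#/definitions/VRT" }
+ ]
+ }
+ }
+ },
+ "required": ["id", "name", "type", "children"]
+ }
+ },
+ "type": "object",
+ "required": ["metadata", "content"],
+ "properties": {
+ "metadata": {
+ "$ref": "#/definitions/VRTmetadata"
+ },
+ "content": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/VRTparent" },
+ { "$ref": "#/definitions/VRT" }
+ ]
+ }
+ }
+ }
+ }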
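Review bot: `priority` is declared `"type": "number"`, so a fractional value such as 2.5 validates even though every priority in the taxonomy data added by this commit is an integer 1–5 or null; use `{ "type": "integer", "minimum": 1, "maximum": 5 }` instead. Both `VRT` and `VRTparent` leave their objects open, so a `variant` node that carries a `children` array, or a misspelt optional key, still passes; adding `"additionalProperties": false` to each definition (supported in draft-04) would make the `anyOf` under `children` and `content` discriminate cleanly, and the visible data would still validate since no node there has both `children` and `priority`. `id` is only pattern-checked and the data reuses ids across branches (`over_http`, `captcha_bypass`), so a `"description"` on `id` stating that uniqueness is per sibling list, not global, would stop consumers from keying on it.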
@@ -0,0 +1,1559 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2017-02-17T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "children": [
59
+ {
60
+ "id": "production_server",
61
+ "name": "Production Server",
62
+ "type": "variant",
63
+ "priority": 1
64
+ },
65
+ {
66
+ "id": "staging_development_server",
67
+ "name": "Staging/Development Server",
68
+ "type": "variant",
69
+ "priority": 2
70
+ }
71
+ ]
72
+ },
73
+ {
74
+ "id": "misconfigured_dns",
75
+ "name": "Misconfigured DNS",
76
+ "type": "subcategory",
77
+ "children": [
78
+ {
79
+ "id": "subdomain_takeover",
80
+ "name": "Subdomain Takeover",
81
+ "type": "variant",
82
+ "priority": 2
83
+ }
84
+ ]
85
+ },
86
+ {
87
+ "id": "mail_server_misconfiguration",
88
+ "name": "Mail Server Misconfiguration",
89
+ "type": "subcategory",
90
+ "children": [
91
+ {
92
+ "id": "missing_spf_on_email_domain",
93
+ "name": "Missing SPF on Email Domain",
94
+ "type": "variant",
95
+ "priority": 3
96
+ },
97
+ {
98
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
99
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
100
+ "type": "variant",
101
+ "priority": 3
102
+ },
103
+ {
104
+ "id": "missing_spf_on_non_email_domain",
105
+ "name": "Missing SPF on Non-Email Domain",
106
+ "type": "variant",
107
+ "priority": 5
108
+ },
109
+ {
110
+ "id": "spf_uses_a_soft_fail",
111
+ "name": "SPF Uses a Soft Fail",
112
+ "type": "variant",
113
+ "priority": 5
114
+ },
115
+ {
116
+ "id": "spf_includes_10_lookups",
117
+ "name": "SPF Includes More Than 10 Lookups",
118
+ "type": "variant",
119
+ "priority": 5
120
+ },
121
+ {
122
+ "id": "missing_dmarc",
123
+ "name": "Missing DMARC",
124
+ "type": "variant",
125
+ "priority": 5
126
+ }
127
+ ]
128
+ },
129
+ {
130
+ "id": "lack_of_password_confirmation",
131
+ "name": "Lack of Password Confirmation",
132
+ "type": "subcategory",
133
+ "children": [
134
+ {
135
+ "id": "change_email_address",
136
+ "name": "Change Email Address",
137
+ "type": "variant",
138
+ "priority": 4
139
+ },
140
+ {
141
+ "id": "change_password",
142
+ "name": "Change Password",
143
+ "type": "variant",
144
+ "priority": 4
145
+ },
146
+ {
147
+ "id": "delete_account",
148
+ "name": "Delete Account",
149
+ "type": "variant",
150
+ "priority": 4
151
+ }
152
+ ]
153
+ },
154
+ {
155
+ "id": "no_rate_limiting_on_form",
156
+ "name": "No Rate Limiting on Form",
157
+ "type": "subcategory",
158
+ "children": [
159
+ {
160
+ "id": "registration",
161
+ "name": "Registration",
162
+ "type": "variant",
163
+ "priority": 4
164
+ },
165
+ {
166
+ "id": "login",
167
+ "name": "Login",
168
+ "type": "variant",
169
+ "priority": 3
170
+ },
171
+ {
172
+ "id": "email_triggering",
173
+ "name": "Email-Triggering",
174
+ "type": "variant",
175
+ "priority": 4
176
+ }
177
+ ]
178
+ },
179
+ {
180
+ "id": "unsafe_file_upload",
181
+ "name": "Unsafe File Upload",
182
+ "type": "subcategory",
183
+ "children": [
184
+ {
185
+ "id": "no_antivirus",
186
+ "name": "No Antivirus",
187
+ "type": "variant",
188
+ "priority": 4
189
+ },
190
+ {
191
+ "id": "no_size_limit",
192
+ "name": "No Size Limit",
193
+ "type": "variant",
194
+ "priority": 4
195
+ },
196
+ {
197
+ "id": "file_extension_filter_bypass",
198
+ "name": "File Extension Filter Bypass",
199
+ "type": "variant",
200
+ "priority": 5
201
+ }
202
+ ]
203
+ },
204
+ {
205
+ "id": "missing_secure_or_httponly_cookie_flag",
206
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
207
+ "type": "subcategory",
208
+ "children": [
209
+ {
210
+ "id": "session_token",
211
+ "name": "Session Token",
212
+ "type": "variant",
213
+ "priority": 4
214
+ },
215
+ {
216
+ "id": "non_session_cookie",
217
+ "name": "Non-Session Cookie",
218
+ "type": "variant",
219
+ "priority": 5
220
+ }
221
+ ]
222
+ },
223
+ {
224
+ "id": "clickjacking",
225
+ "name": "Clickjacking",
226
+ "type": "subcategory",
227
+ "children": [
228
+ {
229
+ "id": "sensitive_action",
230
+ "name": "Sensitive Action",
231
+ "type": "variant",
232
+ "priority": 4
233
+ },
234
+ {
235
+ "id": "non_sensitive_action",
236
+ "name": "Non-Sensitive Action",
237
+ "type": "variant",
238
+ "priority": 5
239
+ }
240
+ ]
241
+ },
242
+ {
243
+ "id": "oauth_misconfiguration",
244
+ "name": "OAuth Misconfiguration",
245
+ "type": "subcategory",
246
+ "children": [
247
+ {
248
+ "id": "missing_state_parameter",
249
+ "name": "Missing State Parameter",
250
+ "type": "variant",
251
+ "priority": 4
252
+ }
253
+ ]
254
+ },
255
+ {
256
+ "id": "captcha_bypass",
257
+ "name": "Captcha Bypass",
258
+ "type": "subcategory",
259
+ "children": [
260
+ {
261
+ "id": "implementation_vulnerability",
262
+ "name": "Implementation Vulnerability",
263
+ "type": "variant",
264
+ "priority": 4
265
+ },
266
+ {
267
+ "id": "brute_force",
268
+ "name": "Brute Force",
269
+ "type": "variant",
270
+ "priority": 5
271
+ }
272
+ ]
273
+ },
274
+ {
275
+ "id": "exposed_admin_portal",
276
+ "name": "Exposed Admin Portal",
277
+ "type": "subcategory",
278
+ "children": [
279
+ {
280
+ "id": "to_internet",
281
+ "name": "To Internet",
282
+ "type": "variant",
283
+ "priority": 5
284
+ }
285
+ ]
286
+ },
287
+ {
288
+ "id": "missing_dnssec",
289
+ "name": "Missing DNSSEC",
290
+ "type": "subcategory",
291
+ "priority": 5
292
+ },
293
+ {
294
+ "id": "username_enumeration",
295
+ "name": "Username Enumeration",
296
+ "type": "subcategory",
297
+ "children": [
298
+ {
299
+ "id": "brute_force",
300
+ "name": "Brute Force",
301
+ "type": "variant",
302
+ "priority": 5
303
+ }
304
+ ]
305
+ },
306
+ {
307
+ "id": "potentially_unsafe_http_method_enabled",
308
+ "name": "Potentially Unsafe HTTP Method Enabled",
309
+ "type": "subcategory",
310
+ "children": [
311
+ {
312
+ "id": "options",
313
+ "name": "OPTIONS",
314
+ "type": "variant",
315
+ "priority": 5
316
+ },
317
+ {
318
+ "id": "trace",
319
+ "name": "TRACE",
320
+ "type": "variant",
321
+ "priority": 5
322
+ }
323
+ ]
324
+ },
325
+ {
326
+ "id": "insecure_ssl",
327
+ "name": "Insecure SSL",
328
+ "type": "subcategory",
329
+ "children": [
330
+ {
331
+ "id": "lack_of_forward_secrecy",
332
+ "name": "Lack of Forward Secrecy",
333
+ "type": "variant",
334
+ "priority": 5
335
+ },
336
+ {
337
+ "id": "insecure_cipher_suite",
338
+ "name": "Insecure Cipher Suite",
339
+ "type": "variant",
340
+ "priority": 5
341
+ }
342
+ ]
343
+ },
344
+ {
345
+ "id": "lack_of_security_headers",
346
+ "name": "Lack of Security Headers",
347
+ "type": "subcategory",
348
+ "children": [
349
+ {
350
+ "id": "x_frame_options",
351
+ "name": "X-Frame-Options",
352
+ "type": "variant",
353
+ "priority": 5
354
+ },
355
+ {
356
+ "id": "cache_control_for_a_non_sensitive_page",
357
+ "name": "Cache-Control for a Non-Sensitive Page",
358
+ "type": "variant",
359
+ "priority": 5
360
+ },
361
+ {
362
+ "id": "x_xss_protection",
363
+ "name": "X-XSS-Protection",
364
+ "type": "variant",
365
+ "priority": 5
366
+ },
367
+ {
368
+ "id": "strict_transport_security",
369
+ "name": "Strict-Transport-Security",
370
+ "type": "variant",
371
+ "priority": 5
372
+ },
373
+ {
374
+ "id": "x_content_type_options",
375
+ "name": "X-Content-Type-Options",
376
+ "type": "variant",
377
+ "priority": 5
378
+ },
379
+ {
380
+ "id": "content_security_policy",
381
+ "name": "Content-Security-Policy",
382
+ "type": "variant",
383
+ "priority": 5
384
+ },
385
+ {
386
+ "id": "public_key_pins",
387
+ "name": "Public-Key-Pins",
388
+ "type": "variant",
389
+ "priority": 5
390
+ },
391
+ {
392
+ "id": "x_content_security_policy",
393
+ "name": "X-Content-Security-Policy",
394
+ "type": "variant",
395
+ "priority": 5
396
+ },
397
+ {
398
+ "id": "x_webkit_csp",
399
+ "name": "X-Webkit-CSP",
400
+ "type": "variant",
401
+ "priority": 5
402
+ },
403
+ {
404
+ "id": "content_security_policy_report_only",
405
+ "name": "Content-Security-Policy-Report-Only",
406
+ "type": "variant",
407
+ "priority": 5
408
+ },
409
+ {
410
+ "id": "cache_control_for_a_sensitive_page",
411
+ "name": "Cache-Control for a Sensitive Page",
412
+ "type": "variant",
413
+ "priority": 4
414
+ }
415
+ ]
416
+ }
417
+ ]
418
+ },
419
+ {
420
+ "id": "server_side_injection",
421
+ "name": "Server-Side Injection",
422
+ "type": "category",
423
+ "children": [
424
+ {
425
+ "id": "file_inclusion",
426
+ "name": "File Inclusion",
427
+ "type": "subcategory",
428
+ "children": [
429
+ {
430
+ "id": "local",
431
+ "name": "Local",
432
+ "type": "variant",
433
+ "priority": 1
434
+ }
435
+ ]
436
+ },
437
+ {
438
+ "id": "parameter_pollution",
439
+ "name": "Parameter Pollution",
440
+ "type": "subcategory",
441
+ "children": [
442
+ {
443
+ "id": "social_media_sharing_buttons",
444
+ "name": "Social Media Sharing Buttons",
445
+ "type": "variant",
446
+ "priority": 5
447
+ }
448
+ ]
449
+ },
450
+ {
451
+ "id": "remote_code_execution_rce",
452
+ "name": "Remote Code Execution (RCE)",
453
+ "type": "subcategory",
454
+ "priority": 1
455
+ },
456
+ {
457
+ "id": "sql_injection",
458
+ "name": "SQL Injection",
459
+ "type": "subcategory",
460
+ "children": [
461
+ {
462
+ "id": "error_based",
463
+ "name": "Error-Based",
464
+ "type": "variant",
465
+ "priority": 1
466
+ },
467
+ {
468
+ "id": "blind",
469
+ "name": "Blind",
470
+ "type": "variant",
471
+ "priority": 1
472
+ }
473
+ ]
474
+ },
475
+ {
476
+ "id": "xml_external_entity_injection_xxe",
477
+ "name": "XML External Entity Injection (XXE)",
478
+ "type": "subcategory",
479
+ "priority": 1
480
+ },
481
+ {
482
+ "id": "http_response_manipulation",
483
+ "name": "HTTP Response Manipulation",
484
+ "type": "subcategory",
485
+ "children": [
486
+ {
487
+ "id": "response_splitting_crlf",
488
+ "name": "Response Splitting (CRLF)",
489
+ "type": "variant",
490
+ "priority": 3
491
+ }
492
+ ]
493
+ },
494
+ {
495
+ "id": "content_spoofing",
496
+ "name": "Content Spoofing",
497
+ "type": "subcategory",
498
+ "children": [
499
+ {
500
+ "id": "iframe_injection",
501
+ "name": "iframe Injection",
502
+ "type": "variant",
503
+ "priority": 3
504
+ },
505
+ {
506
+ "id": "external_authentication_injection",
507
+ "name": "External Authentication Injection",
508
+ "type": "variant",
509
+ "priority": 4
510
+ },
511
+ {
512
+ "id": "email_html_injection",
513
+ "name": "Email HTML Injection",
514
+ "type": "variant",
515
+ "priority": 4
516
+ },
517
+ {
518
+ "id": "text_injection",
519
+ "name": "Text Injection",
520
+ "type": "variant",
521
+ "priority": 5
522
+ },
523
+ {
524
+ "id": "homograph_idn_based",
525
+ "name": "Homograph/IDN-Based",
526
+ "type": "variant",
527
+ "priority": 5
528
+ }
529
+ ]
530
+ }
531
+ ]
532
+ },
533
+ {
534
+ "id": "broken_authentication_and_session_management",
535
+ "name": "Broken Authentication and Session Management",
536
+ "type": "category",
537
+ "children": [
538
+ {
539
+ "id": "authentication_bypass",
540
+ "name": "Authentication Bypass",
541
+ "type": "subcategory",
542
+ "children": [
543
+ {
544
+ "id": "vertical",
545
+ "name": "Vertical",
546
+ "type": "variant",
547
+ "priority": 1
548
+ },
549
+ {
550
+ "id": "horizontal",
551
+ "name": "Horizontal",
552
+ "type": "variant",
553
+ "priority": 2
554
+ }
555
+ ]
556
+ },
557
+ {
558
+ "id": "weak_login_function",
559
+ "name": "Weak Login Function",
560
+ "type": "subcategory",
561
+ "children": [
562
+ {
563
+ "id": "over_http",
564
+ "name": "Over HTTP",
565
+ "type": "variant",
566
+ "priority": 3
567
+ }
568
+ ]
569
+ },
570
+ {
571
+ "id": "session_fixation",
572
+ "name": "Session Fixation",
573
+ "type": "subcategory",
574
+ "priority": 3
575
+ },
576
+ {
577
+ "id": "failure_to_invalidate_session",
578
+ "name": "Failure to Invalidate Session",
579
+ "type": "subcategory",
580
+ "children": [
581
+ {
582
+ "id": "on_logout",
583
+ "name": "On Logout",
584
+ "type": "variant",
585
+ "priority": 4
586
+ },
587
+ {
588
+ "id": "on_password_reset",
589
+ "name": "On Password Reset",
590
+ "type": "variant",
591
+ "priority": 4
592
+ },
593
+ {
594
+ "id": "on_password_change",
595
+ "name": "On Password Change",
596
+ "type": "variant",
597
+ "priority": 4
598
+ },
599
+ {
600
+ "id": "all_sessions",
601
+ "name": "All Sessions",
602
+ "type": "variant",
603
+ "priority": 5
604
+ },
605
+ {
606
+ "id": "on_email_change",
607
+ "name": "On Email Change",
608
+ "type": "variant",
609
+ "priority": 5
610
+ },
611
+ {
612
+ "id": "long_timeout",
613
+ "name": "Long Timeout",
614
+ "type": "variant",
615
+ "priority": 5
616
+ }
617
+ ]
618
+ },
619
+ {
620
+ "id": "session_token_in_url",
621
+ "name": "Session Token in URL",
622
+ "type": "subcategory",
623
+ "children": [
624
+ {
625
+ "id": "over_http",
626
+ "name": "Over HTTP",
627
+ "type": "variant",
628
+ "priority": 4
629
+ },
630
+ {
631
+ "id": "over_https",
632
+ "name": "Over HTTPS",
633
+ "type": "variant",
634
+ "priority": 5
635
+ }
636
+ ]
637
+ },
638
+ {
639
+ "id": "concurrent_logins",
640
+ "name": "Concurrent Logins",
641
+ "type": "subcategory",
642
+ "priority": 5
643
+ },
644
+ {
645
+ "id": "weak_registration_implementation",
646
+ "name": "Weak Registration Implementation",
647
+ "type": "subcategory",
648
+ "children": [
649
+ {
650
+ "id": "over_http",
651
+ "name": "Over HTTP",
652
+ "type": "variant",
653
+ "priority": 4
654
+ }
655
+ ]
656
+ }
657
+ ]
658
+ },
659
+ {
660
+ "id": "insecure_direct_object_references_idor",
661
+ "name": "Insecure Direct Object References (IDOR)",
662
+ "type": "category",
663
+ "priority": null
664
+ },
665
+ {
666
+ "id": "sensitive_data_exposure",
667
+ "name": "Sensitive Data Exposure",
668
+ "type": "category",
669
+ "children": [
670
+ {
671
+ "id": "critically_sensitive_data",
672
+ "name": "Critically Sensitive Data",
673
+ "type": "subcategory",
674
+ "children": [
675
+ {
676
+ "id": "password_disclosure",
677
+ "name": "Password Disclosure",
678
+ "type": "variant",
679
+ "priority": 1
680
+ },
681
+ {
682
+ "id": "private_api_keys",
683
+ "name": "Private API Keys",
684
+ "type": "variant",
685
+ "priority": 1
686
+ }
687
+ ]
688
+ },
689
+ {
690
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
691
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
692
+ "type": "subcategory",
693
+ "children": [
694
+ {
695
+ "id": "automatic_user_enumeration",
696
+ "name": "Automatic User Enumeration",
697
+ "type": "variant",
698
+ "priority": 3
699
+ },
700
+ {
701
+ "id": "manual_user_enumeration",
702
+ "name": "Manual User Enumeration",
703
+ "type": "variant",
704
+ "priority": 4
705
+ }
706
+ ]
707
+ },
708
+ {
709
+ "id": "visible_detailed_error_page",
710
+ "name": "Visible Detailed Error Page",
711
+ "type": "subcategory",
712
+ "priority": null
713
+ },
714
+ {
715
+ "id": "disclosure_of_known_public_information",
716
+ "name": "Disclosure of Known Public Information",
717
+ "type": "subcategory",
718
+ "priority": 5
719
+ },
720
+ {
721
+ "id": "token_leakage_via_referer",
722
+ "name": "Token Leakage via Referer",
723
+ "type": "subcategory",
724
+ "children": [
725
+ {
726
+ "id": "over_https",
727
+ "name": "Over HTTPS",
728
+ "type": "variant",
729
+ "priority": 5
730
+ },
731
+ {
732
+ "id": "over_http",
733
+ "name": "Over HTTP",
734
+ "type": "variant",
735
+ "priority": 4
736
+ }
737
+ ]
738
+ },
739
+ {
740
+ "id": "sensitive_token_in_url",
741
+ "name": "Sensitive Token in URL",
742
+ "type": "subcategory",
743
+ "priority": 4
744
+ },
745
+ {
746
+ "id": "weak_password_reset_implementation",
747
+ "name": "Weak Password Reset Implementation",
748
+ "type": "subcategory",
749
+ "children": [
750
+ {
751
+ "id": "password_reset_token_sent_over_http",
752
+ "name": "Password Reset Token Sent Over HTTP",
753
+ "type": "variant",
754
+ "priority": 4
755
+ }
756
+ ]
757
+ },
758
+ {
759
+ "id": "mixed_content",
760
+ "name": "Mixed Content",
761
+ "type": "subcategory",
762
+ "children": [
763
+ {
764
+ "id": "sensitive_data_disclosure",
765
+ "name": "Sensitive Data Disclosure",
766
+ "type": "variant",
767
+ "priority": 4
768
+ },
769
+ {
770
+ "id": "requires_being_a_man_in_the_middle",
771
+ "name": "Requires Being a Man-in-the-Middle",
772
+ "type": "variant",
773
+ "priority": 5
774
+ }
775
+ ]
776
+ },
777
+ {
778
+ "id": "sensitive_data_hardcoded",
779
+ "name": "Sensitive Data Hardcoded",
780
+ "type": "subcategory",
781
+ "children": [
782
+ {
783
+ "id": "oauth_secret",
784
+ "name": "OAuth Secret",
785
+ "type": "variant",
786
+ "priority": 5
787
+ },
788
+ {
789
+ "id": "file_paths",
790
+ "name": "File Paths",
791
+ "type": "variant",
792
+ "priority": 5
793
+ }
794
+ ]
795
+ },
796
+ {
797
+ "id": "non_sensitive_token_in_url",
798
+ "name": "Non-Sensitive Token in URL",
799
+ "type": "subcategory",
800
+ "priority": 5
801
+ }
802
+ ]
803
+ },
804
+ {
805
+ "id": "cross_site_scripting_xss",
806
+ "name": "Cross-Site Scripting (XSS)",
807
+ "type": "category",
808
+ "children": [
809
+ {
810
+ "id": "stored",
811
+ "name": "Stored",
812
+ "type": "subcategory",
813
+ "children": [
814
+ {
815
+ "id": "non_admin_to_anyone",
816
+ "name": "Non-Admin to Anyone",
817
+ "type": "variant",
818
+ "priority": 2
819
+ },
820
+ {
821
+ "id": "admin_to_anyone",
822
+ "name": "Admin to Anyone",
823
+ "type": "variant",
824
+ "priority": 3
825
+ },
826
+ {
827
+ "id": "self",
828
+ "name": "Self",
829
+ "type": "variant",
830
+ "priority": 5
831
+ }
832
+ ]
833
+ },
834
+ {
835
+ "id": "reflected",
836
+ "name": "Reflected",
837
+ "type": "subcategory",
838
+ "children": [
839
+ {
840
+ "id": "non_self",
841
+ "name": "Non-Self",
842
+ "type": "variant",
843
+ "priority": 3
844
+ },
845
+ {
846
+ "id": "self",
847
+ "name": "Self",
848
+ "type": "variant",
849
+ "priority": 5
850
+ }
851
+ ]
852
+ },
853
+ {
854
+ "id": "cookie_based",
855
+ "name": "Cookie-Based",
856
+ "type": "subcategory",
857
+ "priority": 5
858
+ },
859
+ {
860
+ "id": "ie_only",
861
+ "name": "IE-Only",
862
+ "type": "subcategory",
863
+ "children": [
864
+ {
865
+ "id": "older_version_ie_10_11",
866
+ "name": "Older Version (IE 10/11)",
867
+ "type": "variant",
868
+ "priority": 4
869
+ },
870
+ {
871
+ "id": "xss_filter_disabled",
872
+ "name": "XSS Filter Disabled",
873
+ "type": "variant",
874
+ "priority": 5
875
+ },
876
+ {
877
+ "id": "older_version_ie10",
878
+ "name": "Older Version (< IE10)",
879
+ "type": "variant",
880
+ "priority": 5
881
+ }
882
+ ]
883
+ },
884
+ {
885
+ "id": "referer",
886
+ "name": "Referer",
887
+ "type": "subcategory",
888
+ "priority": 4
889
+ },
890
+ {
891
+ "id": "trace_method",
892
+ "name": "TRACE Method",
893
+ "type": "subcategory",
894
+ "priority": 5
895
+ },
896
+ {
897
+ "id": "universal_uxss",
898
+ "name": "Universal (UXSS)",
899
+ "type": "subcategory",
900
+ "priority": 4
901
+ },
902
+ {
903
+ "id": "off_domain",
904
+ "name": "Off-Domain",
905
+ "type": "subcategory",
906
+ "children": [
907
+ {
908
+ "id": "data_uri",
909
+ "name": "Data URI",
910
+ "type": "variant",
911
+ "priority": 4
912
+ }
913
+ ]
914
+ }
915
+ ]
916
+ },
917
+ {
918
+ "id": "missing_function_level_access_control",
919
+ "name": "Missing Function Level Access Control",
920
+ "type": "category",
921
+ "children": [
922
+ {
923
+ "id": "server_side_request_forgery_ssrf",
924
+ "name": "Server-Side Request Forgery (SSRF)",
925
+ "type": "subcategory",
926
+ "children": [
927
+ {
928
+ "id": "internal",
929
+ "name": "Internal",
930
+ "type": "variant",
931
+ "priority": 2
932
+ },
933
+ {
934
+ "id": "external",
935
+ "name": "External",
936
+ "type": "variant",
937
+ "priority": 4
938
+ }
939
+ ]
940
+ },
941
+ {
942
+ "id": "username_enumeration",
943
+ "name": "Username Enumeration",
944
+ "type": "subcategory",
945
+ "children": [
946
+ {
947
+ "id": "data_leak",
948
+ "name": "Data Leak",
949
+ "type": "variant",
950
+ "priority": 4
951
+ }
952
+ ]
953
+ },
954
+ {
955
+ "id": "exposed_sensitive_android_intent",
956
+ "name": "Exposed Sensitive Android Intent",
957
+ "type": "subcategory",
958
+ "priority": null
959
+ },
960
+ {
961
+ "id": "exposed_sensitive_ios_url_scheme",
962
+ "name": "Exposed Sensitive iOS URL Scheme",
963
+ "type": "subcategory",
964
+ "priority": null
965
+ }
966
+ ]
967
+ },
968
+ {
969
+ "id": "cross_site_request_forgery_csrf",
970
+ "name": "Cross-Site Request Forgery (CSRF)",
971
+ "type": "category",
972
+ "children": [
973
+ {
974
+ "id": "application_wide",
975
+ "name": "Applicaton-Wide",
976
+ "type": "subcategory",
977
+ "priority": 2
978
+ },
979
+ {
980
+ "id": "action_specific",
981
+ "name": "Action-Specific",
982
+ "type": "subcategory",
983
+ "children": [
984
+ {
985
+ "id": "authenticated_action",
986
+ "name": "Authenticated Action",
987
+ "type": "variant",
988
+ "priority": null
989
+ },
990
+ {
991
+ "id": "unauthenticated_action",
992
+ "name": "Unauthenticated Action",
993
+ "type": "variant",
994
+ "priority": null
995
+ }
996
+ ]
997
+ }
998
+ ]
999
+ },
1000
+ {
1001
+ "id": "application_level_denial_of_service_dos",
1002
+ "name": "Application-Level Denial-of-Service (DoS)",
1003
+ "type": "category",
1004
+ "children": [
1005
+ {
1006
+ "id": "critical_impact_and_or_easy_difficulty",
1007
+ "name": "Critical Impact and/or Easy Difficulty",
1008
+ "type": "subcategory",
1009
+ "priority": 2
1010
+ },
1011
+ {
1012
+ "id": "high_impact_and_or_medium_difficulty",
1013
+ "name": "High Impact and/or Medium Difficulty",
1014
+ "type": "subcategory",
1015
+ "priority": 3
1016
+ },
1017
+ {
1018
+ "id": "app_crash",
1019
+ "name": "App Crash",
1020
+ "type": "subcategory",
1021
+ "children": [
1022
+ {
1023
+ "id": "malformed_android_intents",
1024
+ "name": "Malformed Android Intents",
1025
+ "type": "variant",
1026
+ "priority": 5
1027
+ },
1028
+ {
1029
+ "id": "malformed_ios_url_schemes",
1030
+ "name": "Malformed iOS URL Schemes",
1031
+ "type": "variant",
1032
+ "priority": 5
1033
+ }
1034
+ ]
1035
+ }
1036
+ ]
1037
+ },
1038
+ {
1039
+ "id": "unvalidated_redirects_and_forwards",
1040
+ "name": "Unvalidated Redirects and Forwards",
1041
+ "type": "category",
1042
+ "children": [
1043
+ {
1044
+ "id": "open_redirect",
1045
+ "name": "Open Redirect",
1046
+ "type": "subcategory",
1047
+ "children": [
1048
+ {
1049
+ "id": "get_based_all_users",
1050
+ "name": "GET-Based (All Users)",
1051
+ "type": "variant",
1052
+ "priority": 3
1053
+ },
1054
+ {
1055
+ "id": "get_based_authenticated",
1056
+ "name": "GET-Based (Authenticated)",
1057
+ "type": "variant",
1058
+ "priority": 4
1059
+ },
1060
+ {
1061
+ "id": "get_based_unauthenticated",
1062
+ "name": "GET-Based (Unauthenticated)",
1063
+ "type": "variant",
1064
+ "priority": 4
1065
+ },
1066
+ {
1067
+ "id": "post_based",
1068
+ "name": "POST-Based",
1069
+ "type": "variant",
1070
+ "priority": 5
1071
+ },
1072
+ {
1073
+ "id": "header_based",
1074
+ "name": "Header-Based",
1075
+ "type": "variant",
1076
+ "priority": 5
1077
+ }
1078
+ ]
1079
+ },
1080
+ {
1081
+ "id": "tabnabbing",
1082
+ "name": "Tabnabbing",
1083
+ "type": "subcategory",
1084
+ "priority": 5
1085
+ },
1086
+ {
1087
+ "id": "lack_of_security_speed_bump_page",
1088
+ "name": "Lack of Security Speed Bump Page",
1089
+ "type": "subcategory",
1090
+ "priority": 5
1091
+ }
1092
+ ]
1093
+ },
1094
+ {
1095
+ "id": "external_behavior",
1096
+ "name": "External Behavior",
1097
+ "type": "category",
1098
+ "children": [
1099
+ {
1100
+ "id": "browser_feature",
1101
+ "name": "Browser Feature",
1102
+ "type": "subcategory",
1103
+ "children": [
1104
+ {
1105
+ "id": "plaintext_password_field",
1106
+ "name": "Plaintext Password Field",
1107
+ "type": "variant",
1108
+ "priority": 5
1109
+ },
1110
+ {
1111
+ "id": "save_password",
1112
+ "name": "Save Password",
1113
+ "type": "variant",
1114
+ "priority": 5
1115
+ },
1116
+ {
1117
+ "id": "autocomplete_enabled",
1118
+ "name": "Autocomplete Enabled",
1119
+ "type": "variant",
1120
+ "priority": 5
1121
+ },
1122
+ {
1123
+ "id": "autocorrect_enabled",
1124
+ "name": "Autocorrect Enabled",
1125
+ "type": "variant",
1126
+ "priority": 5
1127
+ },
1128
+ {
1129
+ "id": "aggressive_offline_caching",
1130
+ "name": "Aggressive Offline Caching",
1131
+ "type": "variant",
1132
+ "priority": 5
1133
+ }
1134
+ ]
1135
+ },
1136
+ {
1137
+ "id": "csv_injection",
1138
+ "name": "CSV Injection",
1139
+ "type": "subcategory",
1140
+ "priority": 5
1141
+ },
1142
+ {
1143
+ "id": "captcha_bypass",
1144
+ "name": "Captcha Bypass",
1145
+ "type": "subcategory",
1146
+ "children": [
1147
+ {
1148
+ "id": "crowdsourcing",
1149
+ "name": "Crowdsourcing",
1150
+ "type": "variant",
1151
+ "priority": 5
1152
+ }
1153
+ ]
1154
+ },
1155
+ {
1156
+ "id": "system_clipboard_leak",
1157
+ "name": "System Clipboard Leak",
1158
+ "type": "subcategory",
1159
+ "children": [
1160
+ {
1161
+ "id": "shared_links",
1162
+ "name": "Shared Links",
1163
+ "type": "variant",
1164
+ "priority": 5
1165
+ }
1166
+ ]
1167
+ },
1168
+ {
1169
+ "id": "user_password_persisted_in_memory",
1170
+ "name": "User Password Persisted in Memory",
1171
+ "type": "subcategory",
1172
+ "priority": 5
1173
+ }
1174
+ ]
1175
+ },
1176
+ {
1177
+ "id": "insufficient_security_configurability",
1178
+ "name": "Insufficient Security Configurability",
1179
+ "type": "category",
1180
+ "children": [
1181
+ {
1182
+ "id": "weak_password_policy",
1183
+ "name": "Weak Password Policy",
1184
+ "type": "subcategory",
1185
+ "children": [
1186
+ {
1187
+ "id": "complexity_both_length_and_char_type_not_enforced",
1188
+ "name": "Complexity, Both Length and Char Type Not Enforced",
1189
+ "type": "variant",
1190
+ "priority": 3
1191
+ },
1192
+ {
1193
+ "id": "complexity_length_not_enforced",
1194
+ "name": "Complexity, Length Not Enforced",
1195
+ "type": "variant",
1196
+ "priority": 4
1197
+ },
1198
+ {
1199
+ "id": "complexity_char_type_not_enforced",
1200
+ "name": "Complexity, Char Type Not Enforced",
1201
+ "type": "variant",
1202
+ "priority": 4
1203
+ },
1204
+ {
1205
+ "id": "allows_reuse_of_old_passwords",
1206
+ "name": "Allows Reuse of Old Passwords",
1207
+ "type": "variant",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "allows_password_to_be_same_as_email_username",
1212
+ "name": "Allows Password to be Same as Email/Username",
1213
+ "type": "variant",
1214
+ "priority": 5
1215
+ }
1216
+ ]
1217
+ },
1218
+ {
1219
+ "id": "weak_password_reset_implementation",
1220
+ "name": "Weak Password Reset Implementation",
1221
+ "type": "subcategory",
1222
+ "children": [
1223
+ {
1224
+ "id": "token_is_not_invalidated_after_use",
1225
+ "name": "Token is Not Invalidated After Use",
1226
+ "type": "variant",
1227
+ "priority": 4
1228
+ },
1229
+ {
1230
+ "id": "token_is_not_invalidated_after_email_change",
1231
+ "name": "Token is Not Invalidated After Email Change",
1232
+ "type": "variant",
1233
+ "priority": 5
1234
+ },
1235
+ {
1236
+ "id": "token_is_not_invalidated_after_password_change",
1237
+ "name": "Token is Not Invalidated After Password Change",
1238
+ "type": "variant",
1239
+ "priority": 5
1240
+ },
1241
+ {
1242
+ "id": "token_has_long_timed_expiry",
1243
+ "name": "Token Has Long Timed Expiry",
1244
+ "type": "variant",
1245
+ "priority": 5
1246
+ },
1247
+ {
1248
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1249
+ "name": "Token is Not Invalidated After New Token is Requested",
1250
+ "type": "variant",
1251
+ "priority": 5
1252
+ }
1253
+ ]
1254
+ },
1255
+ {
1256
+ "id": "lack_of_verification_email",
1257
+ "name": "Lack of Verification Email",
1258
+ "type": "subcategory",
1259
+ "priority": 5
1260
+ },
1261
+ {
1262
+ "id": "lack_of_notification_email",
1263
+ "name": "Lack of Notification Email",
1264
+ "type": "subcategory",
1265
+ "priority": 5
1266
+ },
1267
+ {
1268
+ "id": "weak_registration_implementation",
1269
+ "name": "Weak Registration Implementation",
1270
+ "type": "subcategory",
1271
+ "children": [
1272
+ {
1273
+ "id": "allows_disposable_email_addresses",
1274
+ "name": "Allows Disposable Email Addresses",
1275
+ "type": "variant",
1276
+ "priority": 5
1277
+ }
1278
+ ]
1279
+ },
1280
+ {
1281
+ "id": "weak_2fa_implementation",
1282
+ "name": "Weak 2FA Implementation",
1283
+ "type": "subcategory",
1284
+ "children": [
1285
+ {
1286
+ "id": "missing_failsafe",
1287
+ "name": "Missing Failsafe",
1288
+ "type": "variant",
1289
+ "priority": 5
1290
+ }
1291
+ ]
1292
+ }
1293
+ ]
1294
+ },
1295
+ {
1296
+ "id": "using_components_with_known_vulnerabilities",
1297
+ "name": "Using Components with Known Vulnerabilities",
1298
+ "type": "category",
1299
+ "children": [
1300
+ {
1301
+ "id": "rosetta_flash",
1302
+ "name": "Rosetta Flash",
1303
+ "type": "subcategory",
1304
+ "priority": 4
1305
+ },
1306
+ {
1307
+ "id": "outdated_software_version",
1308
+ "name": "Outdated Software Version",
1309
+ "type": "subcategory",
1310
+ "priority": 5
1311
+ },
1312
+ {
1313
+ "id": "captcha_bypass",
1314
+ "name": "Captcha Bypass",
1315
+ "type": "subcategory",
1316
+ "children": [
1317
+ {
1318
+ "id": "ocr_optical_character_recognition",
1319
+ "name": "OCR (Optical Character Recognition)",
1320
+ "type": "variant",
1321
+ "priority": 5
1322
+ }
1323
+ ]
1324
+ }
1325
+ ]
1326
+ },
1327
+ {
1328
+ "id": "insecure_data_storage",
1329
+ "name": "Insecure Data Storage",
1330
+ "type": "category",
1331
+ "children": [
1332
+ {
1333
+ "id": "credentials_stored_unencrypted",
1334
+ "name": "Credentials Stored Unencrypted",
1335
+ "type": "subcategory",
1336
+ "children": [
1337
+ {
1338
+ "id": "on_external_storage",
1339
+ "name": "On External Storage",
1340
+ "type": "variant",
1341
+ "priority": 4
1342
+ },
1343
+ {
1344
+ "id": "on_internal_storage",
1345
+ "name": "On Internal Storage",
1346
+ "type": "variant",
1347
+ "priority": 5
1348
+ }
1349
+ ]
1350
+ },
1351
+ {
1352
+ "id": "sensitive_application_data_stored_unencrypted",
1353
+ "name": "Sensitive Application Data Stored Unencrypted",
1354
+ "type": "subcategory",
1355
+ "children": [
1356
+ {
1357
+ "id": "on_external_storage",
1358
+ "name": "On External Storage",
1359
+ "type": "variant",
1360
+ "priority": 4
1361
+ },
1362
+ {
1363
+ "id": "on_internal_storage",
1364
+ "name": "On Internal Storage",
1365
+ "type": "variant",
1366
+ "priority": 5
1367
+ }
1368
+ ]
1369
+ },
1370
+ {
1371
+ "id": "non_sensitive_application_data_stored_unencrypted",
1372
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1373
+ "type": "subcategory",
1374
+ "priority": 5
1375
+ },
1376
+ {
1377
+ "id": "screen_caching_enabled",
1378
+ "name": "Screen Caching Enabled",
1379
+ "type": "subcategory",
1380
+ "priority": 5
1381
+ },
1382
+ {
1383
+ "id": "insecure_data_storage",
1384
+ "name": "Insecure Data Storage",
1385
+ "type": "subcategory",
1386
+ "children": [
1387
+ {
1388
+ "id": "password",
1389
+ "name": "Password",
1390
+ "type": "variant",
1391
+ "priority": 2
1392
+ }
1393
+ ]
1394
+ }
1395
+ ]
1396
+ },
1397
+ {
1398
+ "id": "lack_of_binary_hardening",
1399
+ "name": "Lack of Binary Hardening",
1400
+ "type": "category",
1401
+ "children": [
1402
+ {
1403
+ "id": "lack_of_exploit_mitigations",
1404
+ "name": "Lack of Exploit Mitigations",
1405
+ "type": "subcategory",
1406
+ "priority": 5
1407
+ },
1408
+ {
1409
+ "id": "lack_of_jailbreak_detection",
1410
+ "name": "Lack of Jailbreak Detection",
1411
+ "type": "subcategory",
1412
+ "priority": 5
1413
+ },
1414
+ {
1415
+ "id": "lack_of_obfuscation",
1416
+ "name": "Lack of Obfuscation",
1417
+ "type": "subcategory",
1418
+ "priority": 5
1419
+ },
1420
+ {
1421
+ "id": "runtime_instrumentation_based",
1422
+ "name": "Runtime Instrumentation-Based",
1423
+ "type": "subcategory",
1424
+ "priority": 5
1425
+ }
1426
+ ]
1427
+ },
1428
+ {
1429
+ "id": "insecure_data_transport",
1430
+ "name": "Insecure Data Transport",
1431
+ "type": "category",
1432
+ "children": [
1433
+ {
1434
+ "id": "ssl_certificate_pinning",
1435
+ "name": "SSL Certificate Pinning",
1436
+ "type": "subcategory",
1437
+ "children": [
1438
+ {
1439
+ "id": "absent",
1440
+ "name": "Absent",
1441
+ "type": "variant",
1442
+ "priority": 5
1443
+ },
1444
+ {
1445
+ "id": "defeatable",
1446
+ "name": "Defeatable",
1447
+ "type": "variant",
1448
+ "priority": 5
1449
+ }
1450
+ ]
1451
+ }
1452
+ ]
1453
+ },
1454
+ {
1455
+ "id": "insecure_os_firmware",
1456
+ "name": "Insecure OS/Firmware",
1457
+ "type": "category",
1458
+ "children": [
1459
+ {
1460
+ "id": "command_injection",
1461
+ "name": "Command Injection",
1462
+ "type": "subcategory",
1463
+ "priority": 1
1464
+ },
1465
+ {
1466
+ "id": "hardcoded_password",
1467
+ "name": "Hardcoded Password",
1468
+ "type": "subcategory",
1469
+ "children": [
1470
+ {
1471
+ "id": "privileged_user",
1472
+ "name": "Privileged User",
1473
+ "type": "variant",
1474
+ "priority": 1
1475
+ },
1476
+ {
1477
+ "id": "non_privileged_user",
1478
+ "name": "Non-Privileged User",
1479
+ "type": "variant",
1480
+ "priority": 2
1481
+ }
1482
+ ]
1483
+ }
1484
+ ]
1485
+ },
1486
+ {
1487
+ "id": "broken_cryptography",
1488
+ "name": "Broken Cryptography",
1489
+ "type": "category",
1490
+ "children": [
1491
+ {
1492
+ "id": "cryptographic_flaw",
1493
+ "name": "Cryptographic Flaw",
1494
+ "type": "subcategory",
1495
+ "children": [
1496
+ {
1497
+ "id": "incorrect_usage",
1498
+ "name": "Incorrect Usage",
1499
+ "type": "variant",
1500
+ "priority": 1
1501
+ }
1502
+ ]
1503
+ }
1504
+ ]
1505
+ },
1506
+ {
1507
+ "id": "privacy_concerns",
1508
+ "name": "Privacy Concerns",
1509
+ "type": "category",
1510
+ "children": [
1511
+ {
1512
+ "id": "unnecessary_data_collection",
1513
+ "name": "Unnecessary Data Collection",
1514
+ "type": "subcategory",
1515
+ "children": [
1516
+ {
1517
+ "id": "wifi_ssid_password",
1518
+ "name": "WiFi SSID+Password",
1519
+ "type": "variant",
1520
+ "priority": 4
1521
+ }
1522
+ ]
1523
+ }
1524
+ ]
1525
+ },
1526
+ {
1527
+ "id": "network_security_misconfiguration",
1528
+ "name": "Network Security Misconfiguration",
1529
+ "type": "category",
1530
+ "children": [
1531
+ {
1532
+ "id": "telnet_enabled",
1533
+ "name": "Telnet Enabled",
1534
+ "type": "subcategory",
1535
+ "children": [
1536
+ {
1537
+ "id": "credentials_required",
1538
+ "name": "Credentials Required",
1539
+ "type": "variant",
1540
+ "priority": 4
1541
+ }
1542
+ ]
1543
+ }
1544
+ ]
1545
+ },
1546
+ {
1547
+ "id": "mobile_security_misconfiguration",
1548
+ "name": "Mobile Security Misconfiguration",
1549
+ "type": "category",
1550
+ "priority": null
1551
+ },
1552
+ {
1553
+ "id": "client_side_injection",
1554
+ "name": "Client-Side Injection",
1555
+ "type": "category",
1556
+ "priority": null
1557
+ }
1558
+ ]
1559
+ }