vrt 0.10.0 → 0.12.2

Files changed (37)
  1. checksums.yaml +4 -4
  2. data/lib/data/1.10/deprecated-node-mapping.json +200 -0
  3. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.json +1074 -0
  4. data/lib/data/1.10/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.10/mappings/cwe/cwe.json +477 -0
  6. data/lib/data/1.10/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.json +1543 -0
  8. data/lib/data/1.10/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.10/third-party-mappings/remediation_training/secure-code-warriors-links.json +348 -0
  10. data/lib/data/1.10/vrt.schema.json +63 -0
  11. data/lib/data/1.10/vulnerability-rating-taxonomy.json +2171 -0
  12. data/lib/data/1.10.1/deprecated-node-mapping.json +200 -0
  13. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.json +1074 -0
  14. data/lib/data/1.10.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.10.1/mappings/cwe/cwe.json +477 -0
  16. data/lib/data/1.10.1/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.json +1543 -0
  18. data/lib/data/1.10.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.10.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +348 -0
  20. data/lib/data/1.10.1/vrt.schema.json +63 -0
  21. data/lib/data/1.10.1/vulnerability-rating-taxonomy.json +2171 -0
  22. data/lib/data/1.11/deprecated-node-mapping.json +236 -0
  23. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.json +1250 -0
  24. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  25. data/lib/data/1.11/mappings/cwe/cwe.json +664 -0
  26. data/lib/data/1.11/mappings/cwe/cwe.schema.json +63 -0
  27. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.json +1811 -0
  28. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  29. data/lib/data/1.11/third-party-mappings/remediation_training/secure-code-warrior-links.json +392 -0
  30. data/lib/data/1.11/vrt.schema.json +63 -0
  31. data/lib/data/1.11/vulnerability-rating-taxonomy.json +2442 -0
  32. data/lib/vrt/mapping.rb +12 -6
  33. data/lib/vrt/node.rb +4 -0
  34. data/lib/vrt/third_party_links.rb +33 -0
  35. data/lib/vrt/version.rb +1 -1
  36. data/lib/vrt.rb +8 -0
  37. metadata +39 -4
@@ -0,0 +1,2171 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2021-03-29T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "priority": 1
59
+ },
60
+ {
61
+ "id": "misconfigured_dns",
62
+ "name": "Misconfigured DNS",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "basic_subdomain_takeover",
67
+ "name": "Basic Subdomain Takeover",
68
+ "type": "variant",
69
+ "priority": 3
70
+ },
71
+ {
72
+ "id": "high_impact_subdomain_takeover",
73
+ "name": "High Impact Subdomain Takeover",
74
+ "type": "variant",
75
+ "priority": 2
76
+ },
77
+ {
78
+ "id": "zone_transfer",
79
+ "name": "Zone Transfer",
80
+ "type": "variant",
81
+ "priority": 4
82
+ },
83
+ {
84
+ "id": "missing_caa_record",
85
+ "name": "Missing Certification Authority Authorization (CAA) Record",
86
+ "type": "variant",
87
+ "priority": 5
88
+ }
89
+ ]
90
+ },
91
+ {
92
+ "id": "mail_server_misconfiguration",
93
+ "name": "Mail Server Misconfiguration",
94
+ "type": "subcategory",
95
+ "children": [
96
+ {
97
+ "id": "no_spoofing_protection_on_email_domain",
98
+ "name": "No Spoofing Protection on Email Domain",
99
+ "type": "variant",
100
+ "priority": 3
101
+ },
102
+ {
103
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
104
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
105
+ "type": "variant",
106
+ "priority": 4
107
+ },
108
+ {
109
+ "id": "email_spoofing_to_spam_folder",
110
+ "name": "Email Spoofing to Spam Folder",
111
+ "type": "variant",
112
+ "priority": 5
113
+ },
114
+ {
115
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
116
+ "name": "Missing or Misconfigured SPF and/or DKIM",
117
+ "type": "variant",
118
+ "priority": 5
119
+ },
120
+ {
121
+ "id": "email_spoofing_on_non_email_domain",
122
+ "name": "Email Spoofing on Non-Email Domain",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "dbms_misconfiguration",
130
+ "name": "Database Management System (DBMS) Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "excessively_privileged_user_dba",
135
+ "name": "Excessively Privileged User / DBA",
136
+ "type": "variant",
137
+ "priority": 4
138
+ }
139
+ ]
140
+ },
141
+ {
142
+ "id": "lack_of_password_confirmation",
143
+ "name": "Lack of Password Confirmation",
144
+ "type": "subcategory",
145
+ "children": [
146
+ {
147
+ "id": "change_email_address",
148
+ "name": "Change Email Address",
149
+ "type": "variant",
150
+ "priority": 5
151
+ },
152
+ {
153
+ "id": "change_password",
154
+ "name": "Change Password",
155
+ "type": "variant",
156
+ "priority": 5
157
+ },
158
+ {
159
+ "id": "delete_account",
160
+ "name": "Delete Account",
161
+ "type": "variant",
162
+ "priority": 4
163
+ },
164
+ {
165
+ "id": "manage_two_fa",
166
+ "name": "Manage 2FA",
167
+ "type": "variant",
168
+ "priority": 5
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "no_rate_limiting_on_form",
174
+ "name": "No Rate Limiting on Form",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "registration",
179
+ "name": "Registration",
180
+ "type": "variant",
181
+ "priority": 4
182
+ },
183
+ {
184
+ "id": "login",
185
+ "name": "Login",
186
+ "type": "variant",
187
+ "priority": 4
188
+ },
189
+ {
190
+ "id": "email_triggering",
191
+ "name": "Email-Triggering",
192
+ "type": "variant",
193
+ "priority": 4
194
+ },
195
+ {
196
+ "id": "sms_triggering",
197
+ "name": "SMS-Triggering",
198
+ "type": "variant",
199
+ "priority": 4
200
+ },
201
+ {
202
+ "id": "change_password",
203
+ "name": "Change Password",
204
+ "type": "variant",
205
+ "priority": 5
206
+ }
207
+ ]
208
+ },
209
+ {
210
+ "id": "unsafe_file_upload",
211
+ "name": "Unsafe File Upload",
212
+ "type": "subcategory",
213
+ "children": [
214
+ {
215
+ "id": "no_antivirus",
216
+ "name": "No Antivirus",
217
+ "type": "variant",
218
+ "priority": 5
219
+ },
220
+ {
221
+ "id": "no_size_limit",
222
+ "name": "No Size Limit",
223
+ "type": "variant",
224
+ "priority": 5
225
+ },
226
+ {
227
+ "id": "file_extension_filter_bypass",
228
+ "name": "File Extension Filter Bypass",
229
+ "type": "variant",
230
+ "priority": 5
231
+ }
232
+ ]
233
+ },
234
+ {
235
+ "id": "cookie_scoped_to_parent_domain",
236
+ "name": "Cookie Scoped to Parent Domain",
237
+ "type": "subcategory",
238
+ "priority": 5
239
+ },
240
+ {
241
+ "id": "missing_secure_or_httponly_cookie_flag",
242
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
243
+ "type": "subcategory",
244
+ "children": [
245
+ {
246
+ "id": "session_token",
247
+ "name": "Session Token",
248
+ "type": "variant",
249
+ "priority": 4
250
+ },
251
+ {
252
+ "id": "non_session_cookie",
253
+ "name": "Non-Session Cookie",
254
+ "type": "variant",
255
+ "priority": 5
256
+ }
257
+ ]
258
+ },
259
+ {
260
+ "id": "clickjacking",
261
+ "name": "Clickjacking",
262
+ "type": "subcategory",
263
+ "children": [
264
+ {
265
+ "id": "sensitive_action",
266
+ "name": "Sensitive Click-Based Action",
267
+ "type": "variant",
268
+ "priority": 4
269
+ },
270
+ {
271
+ "id": "form_input",
272
+ "name": "Form Input",
273
+ "type": "variant",
274
+ "priority": 5
275
+ },
276
+ {
277
+ "id": "non_sensitive_action",
278
+ "name": "Non-Sensitive Action",
279
+ "type": "variant",
280
+ "priority": 5
281
+ }
282
+ ]
283
+ },
284
+ {
285
+ "id": "oauth_misconfiguration",
286
+ "name": "OAuth Misconfiguration",
287
+ "type": "subcategory",
288
+ "children": [
289
+ {
290
+ "id": "account_takeover",
291
+ "name": "Account Takeover",
292
+ "type": "variant",
293
+ "priority": 2
294
+ },
295
+ {
296
+ "id": "account_squatting",
297
+ "name": "Account Squatting",
298
+ "type": "variant",
299
+ "priority": 4
300
+ },
301
+ {
302
+ "id": "missing_state_parameter",
303
+ "name": "Missing/Broken State Parameter",
304
+ "type": "variant",
305
+ "priority": null
306
+ },
307
+ {
308
+ "id": "insecure_redirect_uri",
309
+ "name": "Insecure Redirect URI",
310
+ "type": "variant",
311
+ "priority": null
312
+ }
313
+ ]
314
+ },
315
+ {
316
+ "id": "captcha",
317
+ "name": "CAPTCHA",
318
+ "type": "subcategory",
319
+ "children": [
320
+ {
321
+ "id": "implementation_vulnerability",
322
+ "name": "Implementation Vulnerability",
323
+ "type": "variant",
324
+ "priority": 4
325
+ },
326
+ {
327
+ "id": "brute_force",
328
+ "name": "Brute Force",
329
+ "type": "variant",
330
+ "priority": 5
331
+ },
332
+ {
333
+ "id": "missing",
334
+ "name": "Missing",
335
+ "type": "variant",
336
+ "priority": 5
337
+ }
338
+ ]
339
+ },
340
+ {
341
+ "id": "exposed_admin_portal",
342
+ "name": "Exposed Admin Portal",
343
+ "type": "subcategory",
344
+ "children": [
345
+ {
346
+ "id": "to_internet",
347
+ "name": "To Internet",
348
+ "type": "variant",
349
+ "priority": 5
350
+ }
351
+ ]
352
+ },
353
+ {
354
+ "id": "missing_dnssec",
355
+ "name": "Missing DNSSEC",
356
+ "type": "subcategory",
357
+ "priority": 5
358
+ },
359
+ {
360
+ "id": "fingerprinting_banner_disclosure",
361
+ "name": "Fingerprinting/Banner Disclosure",
362
+ "type": "subcategory",
363
+ "priority": 5
364
+ },
365
+ {
366
+ "id": "username_enumeration",
367
+ "name": "Username/Email Enumeration",
368
+ "type": "subcategory",
369
+ "children": [
370
+ {
371
+ "id": "brute_force",
372
+ "name": "Brute Force",
373
+ "type": "variant",
374
+ "priority": 5
375
+ }
376
+ ]
377
+ },
378
+ {
379
+ "id": "potentially_unsafe_http_method_enabled",
380
+ "name": "Potentially Unsafe HTTP Method Enabled",
381
+ "type": "subcategory",
382
+ "children": [
383
+ {
384
+ "id": "options",
385
+ "name": "OPTIONS",
386
+ "type": "variant",
387
+ "priority": 5
388
+ },
389
+ {
390
+ "id": "trace",
391
+ "name": "TRACE",
392
+ "type": "variant",
393
+ "priority": 5
394
+ }
395
+ ]
396
+ },
397
+ {
398
+ "id": "insecure_ssl",
399
+ "name": "Insecure SSL",
400
+ "type": "subcategory",
401
+ "children": [
402
+ {
403
+ "id": "lack_of_forward_secrecy",
404
+ "name": "Lack of Forward Secrecy",
405
+ "type": "variant",
406
+ "priority": 5
407
+ },
408
+ {
409
+ "id": "insecure_cipher_suite",
410
+ "name": "Insecure Cipher Suite",
411
+ "type": "variant",
412
+ "priority": 5
413
+ },
414
+ {
415
+ "id": "certificate_error",
416
+ "name": "Certificate Error",
417
+ "type": "variant",
418
+ "priority": 5
419
+ }
420
+ ]
421
+ },
422
+ {
423
+ "id": "rfd",
424
+ "name": "Reflected File Download (RFD)",
425
+ "type": "subcategory",
426
+ "priority": 5
427
+ },
428
+ {
429
+ "id": "lack_of_security_headers",
430
+ "name": "Lack of Security Headers",
431
+ "type": "subcategory",
432
+ "children": [
433
+ {
434
+ "id": "x_frame_options",
435
+ "name": "X-Frame-Options",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "cache_control_for_a_non_sensitive_page",
441
+ "name": "Cache-Control for a Non-Sensitive Page",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "x_xss_protection",
447
+ "name": "X-XSS-Protection",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "strict_transport_security",
453
+ "name": "Strict-Transport-Security",
454
+ "type": "variant",
455
+ "priority": 5
456
+ },
457
+ {
458
+ "id": "x_content_type_options",
459
+ "name": "X-Content-Type-Options",
460
+ "type": "variant",
461
+ "priority": 5
462
+ },
463
+ {
464
+ "id": "content_security_policy",
465
+ "name": "Content-Security-Policy",
466
+ "type": "variant",
467
+ "priority": 5
468
+ },
469
+ {
470
+ "id": "public_key_pins",
471
+ "name": "Public-Key-Pins",
472
+ "type": "variant",
473
+ "priority": 5
474
+ },
475
+ {
476
+ "id": "x_content_security_policy",
477
+ "name": "X-Content-Security-Policy",
478
+ "type": "variant",
479
+ "priority": 5
480
+ },
481
+ {
482
+ "id": "x_webkit_csp",
483
+ "name": "X-Webkit-CSP",
484
+ "type": "variant",
485
+ "priority": 5
486
+ },
487
+ {
488
+ "id": "content_security_policy_report_only",
489
+ "name": "Content-Security-Policy-Report-Only",
490
+ "type": "variant",
491
+ "priority": 5
492
+ },
493
+ {
494
+ "id": "cache_control_for_a_sensitive_page",
495
+ "name": "Cache-Control for a Sensitive Page",
496
+ "type": "variant",
497
+ "priority": 4
498
+ }
499
+ ]
500
+ },
501
+ {
502
+ "id": "waf_bypass",
503
+ "name": "Web Application Firewall (WAF) Bypass",
504
+ "type": "subcategory",
505
+ "children": [
506
+ {
507
+ "id": "direct_server_access",
508
+ "name": "Direct Server Access",
509
+ "type": "variant",
510
+ "priority": 4
511
+ }
512
+ ]
513
+ },
514
+ {
515
+ "id": "race_condition",
516
+ "name": "Race Condition",
517
+ "type": "subcategory",
518
+ "priority": null
519
+ },
520
+ {
521
+ "id": "cache_poisoning",
522
+ "name": "Cache Poisoning",
523
+ "type": "subcategory",
524
+ "priority": null
525
+ },
526
+ {
527
+ "id": "bitsquatting",
528
+ "name": "Bitsquatting",
529
+ "type": "subcategory",
530
+ "priority": 5
531
+ }
532
+ ]
533
+ },
534
+ {
535
+ "id": "server_side_injection",
536
+ "name": "Server-Side Injection",
537
+ "type": "category",
538
+ "children": [
539
+ {
540
+ "id": "file_inclusion",
541
+ "name": "File Inclusion",
542
+ "type": "subcategory",
543
+ "children": [
544
+ {
545
+ "id": "local",
546
+ "name": "Local",
547
+ "type": "variant",
548
+ "priority": 1
549
+ }
550
+ ]
551
+ },
552
+ {
553
+ "id": "parameter_pollution",
554
+ "name": "Parameter Pollution",
555
+ "type": "subcategory",
556
+ "children": [
557
+ {
558
+ "id": "social_media_sharing_buttons",
559
+ "name": "Social Media Sharing Buttons",
560
+ "type": "variant",
561
+ "priority": 5
562
+ }
563
+ ]
564
+ },
565
+ {
566
+ "id": "remote_code_execution_rce",
567
+ "name": "Remote Code Execution (RCE)",
568
+ "type": "subcategory",
569
+ "priority": 1
570
+ },
571
+ {
572
+ "id": "sql_injection",
573
+ "name": "SQL Injection",
574
+ "type": "subcategory",
575
+ "priority": 1
576
+ },
577
+ {
578
+ "id": "xml_external_entity_injection_xxe",
579
+ "name": "XML External Entity Injection (XXE)",
580
+ "type": "subcategory",
581
+ "priority": 1
582
+ },
583
+ {
584
+ "id": "http_response_manipulation",
585
+ "name": "HTTP Response Manipulation",
586
+ "type": "subcategory",
587
+ "children": [
588
+ {
589
+ "id": "response_splitting_crlf",
590
+ "name": "Response Splitting (CRLF)",
591
+ "type": "variant",
592
+ "priority": 3
593
+ }
594
+ ]
595
+ },
596
+ {
597
+ "id": "content_spoofing",
598
+ "name": "Content Spoofing",
599
+ "type": "subcategory",
600
+ "children": [
601
+ {
602
+ "id": "iframe_injection",
603
+ "name": "iframe Injection",
604
+ "type": "variant",
605
+ "priority": 3
606
+ },
607
+ {
608
+ "id": "impersonation_via_broken_link_hijacking",
609
+ "name": "Impersonation via Broken Link Hijacking",
610
+ "type": "variant",
611
+ "priority": 4
612
+ },
613
+ {
614
+ "id": "external_authentication_injection",
615
+ "name": "External Authentication Injection",
616
+ "type": "variant",
617
+ "priority": 4
618
+ },
619
+ {
620
+ "id": "flash_based_external_authentication_injection",
621
+ "name": "Flash Based External Authentication Injection",
622
+ "type": "variant",
623
+ "priority": 5
624
+ },
625
+ {
626
+ "id": "email_html_injection",
627
+ "name": "Email HTML Injection",
628
+ "type": "variant",
629
+ "priority": 4
630
+ },
631
+ {
632
+ "id": "email_hyperlink_injection_based_on_email_provider",
633
+ "name": "Email Hyperlink Injection Based on Email Provider",
634
+ "type": "variant",
635
+ "priority": 5
636
+ },
637
+ {
638
+ "id": "text_injection",
639
+ "name": "Text Injection",
640
+ "type": "variant",
641
+ "priority": 5
642
+ },
643
+ {
644
+ "id": "homograph_idn_based",
645
+ "name": "Homograph/IDN-Based",
646
+ "type": "variant",
647
+ "priority": 5
648
+ },
649
+ {
650
+ "id": "rtlo",
651
+ "name": "Right-to-Left Override (RTLO)",
652
+ "type": "variant",
653
+ "priority": 5
654
+ }
655
+ ]
656
+ },
657
+ {
658
+ "id": "ssti",
659
+ "name": "Server-Side Template Injection (SSTI)",
660
+ "type": "subcategory",
661
+ "children": [
662
+ {
663
+ "id": "basic",
664
+ "name": "Basic",
665
+ "type": "variant",
666
+ "priority": 4
667
+ },
668
+ {
669
+ "id": "custom",
670
+ "name": "Custom",
671
+ "type": "variant",
672
+ "priority": null
673
+ }
674
+ ]
675
+ }
676
+ ]
677
+ },
678
+ {
679
+ "id": "broken_authentication_and_session_management",
680
+ "name": "Broken Authentication and Session Management",
681
+ "type": "category",
682
+ "children": [
683
+ {
684
+ "id": "authentication_bypass",
685
+ "name": "Authentication Bypass",
686
+ "type": "subcategory",
687
+ "priority": 1
688
+ },
689
+ {
690
+ "id": "two_fa_bypass",
691
+ "name": "Second Factor Authentication (2FA) Bypass",
692
+ "type": "subcategory",
693
+ "priority": 3
694
+ },
695
+ {
696
+ "id": "privilege_escalation",
697
+ "name": "Privilege Escalation",
698
+ "type": "subcategory",
699
+ "priority": null
700
+ },
701
+ {
702
+ "id": "cleartext_transmission_of_session_token",
703
+ "name": "Cleartext Transmission of Session Token",
704
+ "type": "subcategory",
705
+ "priority": 4
706
+ },
707
+ {
708
+ "id": "weak_login_function",
709
+ "name": "Weak Login Function",
710
+ "type": "subcategory",
711
+ "children": [
712
+ {
713
+ "id": "not_operational",
714
+ "name": "Not Operational or Intended Public Access",
715
+ "type": "variant",
716
+ "priority": 5
717
+ },
718
+ {
719
+ "id": "other_plaintext_protocol_no_secure_alternative",
720
+ "name": "Other Plaintext Protocol with no Secure Alternative",
721
+ "type": "variant",
722
+ "priority": 4
723
+ },
724
+ {
725
+ "id": "over_http",
726
+ "name": "Over HTTP",
727
+ "type": "variant",
728
+ "priority": 4
729
+ }
730
+ ]
731
+ },
732
+ {
733
+ "id": "session_fixation",
734
+ "name": "Session Fixation",
735
+ "type": "subcategory",
736
+ "children": [
737
+ {
738
+ "id": "remote_attack_vector",
739
+ "name": "Remote Attack Vector",
740
+ "type": "variant",
741
+ "priority": 3
742
+ },
743
+ {
744
+ "id": "local_attack_vector",
745
+ "name": "Local Attack Vector",
746
+ "type": "variant",
747
+ "priority": 5
748
+ }
749
+ ]
750
+ },
751
+ {
752
+ "id": "failure_to_invalidate_session",
753
+ "name": "Failure to Invalidate Session",
754
+ "type": "subcategory",
755
+ "children": [
756
+ {
757
+ "id": "on_logout",
758
+ "name": "On Logout (Client and Server-Side)",
759
+ "type": "variant",
760
+ "priority": 4
761
+ },
762
+ {
763
+ "id": "on_logout_server_side_only",
764
+ "name": "On Logout (Server-Side Only)",
765
+ "type": "variant",
766
+ "priority": 5
767
+ },
768
+ {
769
+ "id": "on_password_change",
770
+ "name": "On Password Reset and/or Change",
771
+ "type": "variant",
772
+ "priority": 4
773
+ },
774
+ {
775
+ "id": "all_sessions",
776
+ "name": "Concurrent Sessions On Logout",
777
+ "type": "variant",
778
+ "priority": 5
779
+ },
780
+ {
781
+ "id": "on_email_change",
782
+ "name": "On Email Change",
783
+ "type": "variant",
784
+ "priority": 5
785
+ },
786
+ {
787
+ "id": "on_two_fa_activation_change",
788
+ "name": "On 2FA Activation/Change",
789
+ "type": "variant",
790
+ "priority": 5
791
+ },
792
+ {
793
+ "id": "long_timeout",
794
+ "name": "Long Timeout",
795
+ "type": "variant",
796
+ "priority": 5
797
+ }
798
+ ]
799
+ },
800
+ {
801
+ "id": "concurrent_logins",
802
+ "name": "Concurrent Logins",
803
+ "type": "subcategory",
804
+ "priority": 5
805
+ },
806
+ {
807
+ "id": "weak_registration_implementation",
808
+ "name": "Weak Registration Implementation",
809
+ "type": "subcategory",
810
+ "children": [
811
+ {
812
+ "id": "over_http",
813
+ "name": "Over HTTP",
814
+ "type": "variant",
815
+ "priority": 4
816
+ }
817
+ ]
818
+ }
819
+ ]
820
+ },
821
+ {
822
+ "id": "sensitive_data_exposure",
823
+ "name": "Sensitive Data Exposure",
824
+ "type": "category",
825
+ "children": [
826
+ {
827
+ "id": "disclosure_of_secrets",
828
+ "name": "Disclosure of Secrets",
829
+ "type": "subcategory",
830
+ "children": [
831
+ {
832
+ "id": "for_publicly_accessible_asset",
833
+ "name": "For Publicly Accessible Asset",
834
+ "type": "variant",
835
+ "priority": 1
836
+ },
837
+ {
838
+ "id": "for_internal_asset",
839
+ "name": "For Internal Asset",
840
+ "type": "variant",
841
+ "priority": 3
842
+ },
843
+ {
844
+ "id": "pay_per_use_abuse",
845
+ "name": "Pay-Per-Use Abuse",
846
+ "type": "variant",
847
+ "priority": 4
848
+ },
849
+ {
850
+ "id": "intentionally_public_sample_or_invalid",
851
+ "name": "Intentionally Public, Sample or Invalid",
852
+ "type": "variant",
853
+ "priority": 5
854
+ },
855
+ {
856
+ "id": "data_traffic_spam",
857
+ "name": "Data/Traffic Spam",
858
+ "type": "variant",
859
+ "priority": 5
860
+ },
861
+ {
862
+ "id": "non_corporate_user",
863
+ "name": "Non-Corporate User",
864
+ "type": "variant",
865
+ "priority": 5
866
+ }
867
+ ]
868
+ },
869
+ {
870
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
871
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
872
+ "type": "subcategory",
873
+ "children": [
874
+ {
875
+ "id": "automatic_user_enumeration",
876
+ "name": "Automatic User Enumeration",
877
+ "type": "variant",
878
+ "priority": 3
879
+ },
880
+ {
881
+ "id": "manual_user_enumeration",
882
+ "name": "Manual User Enumeration",
883
+ "type": "variant",
884
+ "priority": 4
885
+ }
886
+ ]
887
+ },
888
+ {
889
+ "id": "visible_detailed_error_page",
890
+ "name": "Visible Detailed Error/Debug Page",
891
+ "type": "subcategory",
892
+ "children": [
893
+ {
894
+ "id": "detailed_server_configuration",
895
+ "name": "Detailed Server Configuration",
896
+ "type": "variant",
897
+ "priority": 4
898
+ },
899
+ {
900
+ "id": "full_path_disclosure",
901
+ "name": "Full Path Disclosure",
902
+ "type": "variant",
903
+ "priority": 5
904
+ },
905
+ {
906
+ "id": "descriptive_stack_trace",
907
+ "name": "Descriptive Stack Trace",
908
+ "type": "variant",
909
+ "priority": 5
910
+ }
911
+ ]
912
+ },
913
+ {
914
+ "id": "disclosure_of_known_public_information",
915
+ "name": "Disclosure of Known Public Information",
916
+ "type": "subcategory",
917
+ "priority": 5
918
+ },
919
+ {
920
+ "id": "token_leakage_via_referer",
921
+ "name": "Token Leakage via Referer",
922
+ "type": "subcategory",
923
+ "children": [
924
+ {
925
+ "id": "trusted_third_party",
926
+ "name": "Trusted 3rd Party",
927
+ "type": "variant",
928
+ "priority": 5
929
+ },
930
+ {
931
+ "id": "untrusted_third_party",
932
+ "name": "Untrusted 3rd Party",
933
+ "type": "variant",
934
+ "priority": 4
935
+ },
936
+ {
937
+ "id": "over_http",
938
+ "name": "Over HTTP",
939
+ "type": "variant",
940
+ "priority": 4
941
+ }
942
+ ]
943
+ },
944
+ {
945
+ "id": "sensitive_token_in_url",
946
+ "name": "Sensitive Token in URL",
947
+ "type": "subcategory",
948
+ "children": [
949
+ {
950
+ "id": "user_facing",
951
+ "name": "User Facing",
952
+ "type": "variant",
953
+ "priority": 4
954
+ },
955
+ {
956
+ "id": "in_the_background",
957
+ "name": "In the Background",
958
+ "type": "variant",
959
+ "priority": 5
960
+ },
961
+ {
962
+ "id": "on_password_reset",
963
+ "name": "On Password Reset",
964
+ "type": "variant",
965
+ "priority": 5
966
+ }
967
+ ]
968
+ },
969
+ {
970
+ "id": "non_sensitive_token_in_url",
971
+ "name": "Non-Sensitive Token in URL",
972
+ "type": "subcategory",
973
+ "priority": 5
974
+ },
975
+ {
976
+ "id": "weak_password_reset_implementation",
977
+ "name": "Weak Password Reset Implementation",
978
+ "type": "subcategory",
979
+ "children": [
980
+ {
981
+ "id": "password_reset_token_sent_over_http",
982
+ "name": "Password Reset Token Sent Over HTTP",
983
+ "type": "variant",
984
+ "priority": 4
985
+ },
986
+ {
987
+ "id": "token_leakage_via_host_header_poisoning",
988
+ "name": "Token Leakage via Host Header Poisoning",
989
+ "type": "variant",
990
+ "priority": 2
991
+ }
992
+ ]
993
+ },
994
+ {
995
+ "id": "mixed_content",
996
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
997
+ "type": "subcategory",
998
+ "priority": 5
999
+ },
1000
+ {
1001
+ "id": "sensitive_data_hardcoded",
1002
+ "name": "Sensitive Data Hardcoded",
1003
+ "type": "subcategory",
1004
+ "children": [
1005
+ {
1006
+ "id": "oauth_secret",
1007
+ "name": "OAuth Secret",
1008
+ "type": "variant",
1009
+ "priority": 5
1010
+ },
1011
+ {
1012
+ "id": "file_paths",
1013
+ "name": "File Paths",
1014
+ "type": "variant",
1015
+ "priority": 5
1016
+ }
1017
+ ]
1018
+ },
1019
+ {
1020
+ "id": "internal_ip_disclosure",
1021
+ "name": "Internal IP Disclosure",
1022
+ "type": "subcategory",
1023
+ "priority": 5
1024
+ },
1025
+ {
1026
+ "id": "xssi",
1027
+ "name": "Cross Site Script Inclusion (XSSI)",
1028
+ "type": "subcategory",
1029
+ "priority": null
1030
+ },
1031
+ {
1032
+ "id": "json_hijacking",
1033
+ "name": "JSON Hijacking",
1034
+ "type": "subcategory",
1035
+ "priority": 5
1036
+ },
1037
+ {
1038
+ "id": "via_localstorage_sessionstorage",
1039
+ "name": "Via localStorage/sessionStorage",
1040
+ "type": "subcategory",
1041
+ "children": [
1042
+ {
1043
+ "id": "sensitive_token",
1044
+ "name": "Sensitive Token",
1045
+ "type": "variant",
1046
+ "priority": 4
1047
+ },
1048
+ {
1049
+ "id": "non_sensitive_token",
1050
+ "name": "Non-Sensitive Token",
1051
+ "type": "variant",
1052
+ "priority": 5
1053
+ }
1054
+ ]
1055
+ }
1056
+ ]
1057
+ },
1058
+ {
1059
+ "id": "cross_site_scripting_xss",
1060
+ "name": "Cross-Site Scripting (XSS)",
1061
+ "type": "category",
1062
+ "children": [
1063
+ {
1064
+ "id": "stored",
1065
+ "name": "Stored",
1066
+ "type": "subcategory",
1067
+ "children": [
1068
+ {
1069
+ "id": "non_admin_to_anyone",
1070
+ "name": "Non-Privileged User to Anyone",
1071
+ "type": "variant",
1072
+ "priority": 2
1073
+ },
1074
+ {
1075
+ "id": "privileged_user_to_privilege_elevation",
1076
+ "name": "Privileged User to Privilege Elevation",
1077
+ "type": "variant",
1078
+ "priority": 3
1079
+ },
1080
+ {
1081
+ "id": "privileged_user_to_no_privilege_elevation",
1082
+ "name": "Privileged User to No Privilege Elevation",
1083
+ "type": "variant",
1084
+ "priority": 4
1085
+ },
1086
+ {
1087
+ "id": "url_based",
1088
+ "name": "CSRF/URL-Based",
1089
+ "type": "variant",
1090
+ "priority": 3
1091
+ },
1092
+ {
1093
+ "id": "self",
1094
+ "name": "Self",
1095
+ "type": "variant",
1096
+ "priority": 5
1097
+ }
1098
+ ]
1099
+ },
1100
+ {
1101
+ "id": "reflected",
1102
+ "name": "Reflected",
1103
+ "type": "subcategory",
1104
+ "children": [
1105
+ {
1106
+ "id": "non_self",
1107
+ "name": "Non-Self",
1108
+ "type": "variant",
1109
+ "priority": 3
1110
+ },
1111
+ {
1112
+ "id": "self",
1113
+ "name": "Self",
1114
+ "type": "variant",
1115
+ "priority": 5
1116
+ }
1117
+ ]
1118
+ },
1119
+ {
1120
+ "id": "flash_based",
1121
+ "name": "Flash-Based",
1122
+ "type": "subcategory",
1123
+ "priority": 5
1124
+ },
1125
+ {
1126
+ "id": "cookie_based",
1127
+ "name": "Cookie-Based",
1128
+ "type": "subcategory",
1129
+ "priority": 5
1130
+ },
1131
+ {
1132
+ "id": "ie_only",
1133
+ "name": "IE-Only",
1134
+ "type": "subcategory",
1135
+ "children": [
1136
+ {
1137
+ "id": "ie_eleven",
1138
+ "name": "IE11",
1139
+ "type": "variant",
1140
+ "priority": 4
1141
+ },
1142
+ {
1143
+ "id": "xss_filter_disabled",
1144
+ "name": "XSS Filter Disabled",
1145
+ "type": "variant",
1146
+ "priority": 5
1147
+ },
1148
+ {
1149
+ "id": "older_version_ie_eleven",
1150
+ "name": "Older Version (< IE11)",
1151
+ "type": "variant",
1152
+ "priority": 5
1153
+ }
1154
+ ]
1155
+ },
1156
+ {
1157
+ "id": "referer",
1158
+ "name": "Referer",
1159
+ "type": "subcategory",
1160
+ "priority": 4
1161
+ },
1162
+ {
1163
+ "id": "trace_method",
1164
+ "name": "TRACE Method",
1165
+ "type": "subcategory",
1166
+ "priority": 5
1167
+ },
1168
+ {
1169
+ "id": "universal_uxss",
1170
+ "name": "Universal (UXSS)",
1171
+ "type": "subcategory",
1172
+ "priority": 4
1173
+ },
1174
+ {
1175
+ "id": "off_domain",
1176
+ "name": "Off-Domain",
1177
+ "type": "subcategory",
1178
+ "children": [
1179
+ {
1180
+ "id": "data_uri",
1181
+ "name": "Data URI",
1182
+ "type": "variant",
1183
+ "priority": 4
1184
+ }
1185
+ ]
1186
+ }
1187
+ ]
1188
+ },
1189
+ {
1190
+ "id": "broken_access_control",
1191
+ "name": "Broken Access Control (BAC)",
1192
+ "type": "category",
1193
+ "children": [
1194
+ {
1195
+ "id": "idor",
1196
+ "name": "Insecure Direct Object References (IDOR)",
1197
+ "type": "subcategory",
1198
+ "priority": null
1199
+ },
1200
+ {
1201
+ "id": "server_side_request_forgery_ssrf",
1202
+ "name": "Server-Side Request Forgery (SSRF)",
1203
+ "type": "subcategory",
1204
+ "children": [
1205
+ {
1206
+ "id": "internal_high_impact",
1207
+ "name": "Internal High Impact",
1208
+ "type": "variant",
1209
+ "priority": 2
1210
+ },
1211
+ {
1212
+ "id": "internal_scan_and_or_medium_impact",
1213
+ "name": "Internal Scan and/or Medium Impact",
1214
+ "type": "variant",
1215
+ "priority": 3
1216
+ },
1217
+ {
1218
+ "id": "external",
1219
+ "name": "External",
1220
+ "type": "variant",
1221
+ "priority": 4
1222
+ },
1223
+ {
1224
+ "id": "dns_query_only",
1225
+ "name": "DNS Query Only",
1226
+ "type": "variant",
1227
+ "priority": 5
1228
+ }
1229
+ ]
1230
+ },
1231
+ {
1232
+ "id": "username_enumeration",
1233
+ "name": "Username/Email Enumeration",
1234
+ "type": "subcategory",
1235
+ "children": [
1236
+ {
1237
+ "id": "non_brute_force",
1238
+ "name": "Non-Brute Force",
1239
+ "type": "variant",
1240
+ "priority": 4
1241
+ }
1242
+ ]
1243
+ },
1244
+ {
1245
+ "id": "exposed_sensitive_android_intent",
1246
+ "name": "Exposed Sensitive Android Intent",
1247
+ "type": "subcategory",
1248
+ "priority": null
1249
+ },
1250
+ {
1251
+ "id": "exposed_sensitive_ios_url_scheme",
1252
+ "name": "Exposed Sensitive iOS URL Scheme",
1253
+ "type": "subcategory",
1254
+ "priority": null
1255
+ }
1256
+ ]
1257
+ },
1258
+ {
1259
+ "id": "cross_site_request_forgery_csrf",
1260
+ "name": "Cross-Site Request Forgery (CSRF)",
1261
+ "type": "category",
1262
+ "children": [
1263
+ {
1264
+ "id": "application_wide",
1265
+ "name": "Application-Wide",
1266
+ "type": "subcategory",
1267
+ "priority": 2
1268
+ },
1269
+ {
1270
+ "id": "action_specific",
1271
+ "name": "Action-Specific",
1272
+ "type": "subcategory",
1273
+ "children": [
1274
+ {
1275
+ "id": "authenticated_action",
1276
+ "name": "Authenticated Action",
1277
+ "type": "variant",
1278
+ "priority": null
1279
+ },
1280
+ {
1281
+ "id": "unauthenticated_action",
1282
+ "name": "Unauthenticated Action",
1283
+ "type": "variant",
1284
+ "priority": null
1285
+ },
1286
+ {
1287
+ "id": "logout",
1288
+ "name": "Logout",
1289
+ "type": "variant",
1290
+ "priority": 5
1291
+ }
1292
+ ]
1293
+ },
1294
+ {
1295
+ "id": "csrf_token_not_unique_per_request",
1296
+ "name": "CSRF Token Not Unique Per Request",
1297
+ "type": "subcategory",
1298
+ "priority": 5
1299
+ },
1300
+ {
1301
+ "id": "flash_based",
1302
+ "name": "Flash-Based",
1303
+ "type": "subcategory",
1304
+ "priority": 5
1305
+ }
1306
+ ]
1307
+ },
1308
+ {
1309
+ "id": "application_level_denial_of_service_dos",
1310
+ "name": "Application-Level Denial-of-Service (DoS)",
1311
+ "type": "category",
1312
+ "children": [
1313
+ {
1314
+ "id": "critical_impact_and_or_easy_difficulty",
1315
+ "name": "Critical Impact and/or Easy Difficulty",
1316
+ "type": "subcategory",
1317
+ "priority": 2
1318
+ },
1319
+ {
1320
+ "id": "high_impact_and_or_medium_difficulty",
1321
+ "name": "High Impact and/or Medium Difficulty",
1322
+ "type": "subcategory",
1323
+ "priority": 3
1324
+ },
1325
+ {
1326
+ "id": "app_crash",
1327
+ "name": "App Crash",
1328
+ "type": "subcategory",
1329
+ "children": [
1330
+ {
1331
+ "id": "malformed_android_intents",
1332
+ "name": "Malformed Android Intents",
1333
+ "type": "variant",
1334
+ "priority": 5
1335
+ },
1336
+ {
1337
+ "id": "malformed_ios_url_schemes",
1338
+ "name": "Malformed iOS URL Schemes",
1339
+ "type": "variant",
1340
+ "priority": 5
1341
+ }
1342
+ ]
1343
+ }
1344
+ ]
1345
+ },
1346
+ {
1347
+ "id": "unvalidated_redirects_and_forwards",
1348
+ "name": "Unvalidated Redirects and Forwards",
1349
+ "type": "category",
1350
+ "children": [
1351
+ {
1352
+ "id": "open_redirect",
1353
+ "name": "Open Redirect",
1354
+ "type": "subcategory",
1355
+ "children": [
1356
+ {
1357
+ "id": "get_based",
1358
+ "name": "GET-Based",
1359
+ "type": "variant",
1360
+ "priority": 4
1361
+ },
1362
+ {
1363
+ "id": "post_based",
1364
+ "name": "POST-Based",
1365
+ "type": "variant",
1366
+ "priority": 5
1367
+ },
1368
+ {
1369
+ "id": "header_based",
1370
+ "name": "Header-Based",
1371
+ "type": "variant",
1372
+ "priority": 5
1373
+ },
1374
+ {
1375
+ "id": "flash_based",
1376
+ "name": "Flash-Based",
1377
+ "type": "variant",
1378
+ "priority": 5
1379
+ }
1380
+ ]
1381
+ },
1382
+ {
1383
+ "id": "tabnabbing",
1384
+ "name": "Tabnabbing",
1385
+ "type": "subcategory",
1386
+ "priority": 5
1387
+ },
1388
+ {
1389
+ "id": "lack_of_security_speed_bump_page",
1390
+ "name": "Lack of Security Speed Bump Page",
1391
+ "type": "subcategory",
1392
+ "priority": 5
1393
+ }
1394
+ ]
1395
+ },
1396
+ {
1397
+ "id": "external_behavior",
1398
+ "name": "External Behavior",
1399
+ "type": "category",
1400
+ "children": [
1401
+ {
1402
+ "id": "browser_feature",
1403
+ "name": "Browser Feature",
1404
+ "type": "subcategory",
1405
+ "children": [
1406
+ {
1407
+ "id": "plaintext_password_field",
1408
+ "name": "Plaintext Password Field",
1409
+ "type": "variant",
1410
+ "priority": 5
1411
+ },
1412
+ {
1413
+ "id": "save_password",
1414
+ "name": "Save Password",
1415
+ "type": "variant",
1416
+ "priority": 5
1417
+ },
1418
+ {
1419
+ "id": "autocomplete_enabled",
1420
+ "name": "Autocomplete Enabled",
1421
+ "type": "variant",
1422
+ "priority": 5
1423
+ },
1424
+ {
1425
+ "id": "autocorrect_enabled",
1426
+ "name": "Autocorrect Enabled",
1427
+ "type": "variant",
1428
+ "priority": 5
1429
+ },
1430
+ {
1431
+ "id": "aggressive_offline_caching",
1432
+ "name": "Aggressive Offline Caching",
1433
+ "type": "variant",
1434
+ "priority": 5
1435
+ }
1436
+ ]
1437
+ },
1438
+ {
1439
+ "id": "csv_injection",
1440
+ "name": "CSV Injection",
1441
+ "type": "subcategory",
1442
+ "priority": 5
1443
+ },
1444
+ {
1445
+ "id": "captcha_bypass",
1446
+ "name": "Captcha Bypass",
1447
+ "type": "subcategory",
1448
+ "children": [
1449
+ {
1450
+ "id": "crowdsourcing",
1451
+ "name": "Crowdsourcing",
1452
+ "type": "variant",
1453
+ "priority": 5
1454
+ }
1455
+ ]
1456
+ },
1457
+ {
1458
+ "id": "system_clipboard_leak",
1459
+ "name": "System Clipboard Leak",
1460
+ "type": "subcategory",
1461
+ "children": [
1462
+ {
1463
+ "id": "shared_links",
1464
+ "name": "Shared Links",
1465
+ "type": "variant",
1466
+ "priority": 5
1467
+ }
1468
+ ]
1469
+ },
1470
+ {
1471
+ "id": "user_password_persisted_in_memory",
1472
+ "name": "User Password Persisted in Memory",
1473
+ "type": "subcategory",
1474
+ "priority": 5
1475
+ }
1476
+ ]
1477
+ },
1478
+ {
1479
+ "id": "insufficient_security_configurability",
1480
+ "name": "Insufficient Security Configurability",
1481
+ "type": "category",
1482
+ "children": [
1483
+ {
1484
+ "id": "weak_password_policy",
1485
+ "name": "Weak Password Policy",
1486
+ "type": "subcategory",
1487
+ "priority": 5
1488
+ },
1489
+ {
1490
+ "id": "no_password_policy",
1491
+ "name": "No Password Policy",
1492
+ "type": "subcategory",
1493
+ "priority": 4
1494
+ },
1495
+ {
1496
+ "id": "password_policy_bypass",
1497
+ "name": "Password Policy Bypass",
1498
+ "type": "subcategory",
1499
+ "priority": 5
1500
+ },
1501
+ {
1502
+ "id": "weak_password_reset_implementation",
1503
+ "name": "Weak Password Reset Implementation",
1504
+ "type": "subcategory",
1505
+ "children": [
1506
+ {
1507
+ "id": "token_is_not_invalidated_after_use",
1508
+ "name": "Token is Not Invalidated After Use",
1509
+ "type": "variant",
1510
+ "priority": 4
1511
+ },
1512
+ {
1513
+ "id": "token_is_not_invalidated_after_email_change",
1514
+ "name": "Token is Not Invalidated After Email Change",
1515
+ "type": "variant",
1516
+ "priority": 5
1517
+ },
1518
+ {
1519
+ "id": "token_is_not_invalidated_after_password_change",
1520
+ "name": "Token is Not Invalidated After Password Change",
1521
+ "type": "variant",
1522
+ "priority": 5
1523
+ },
1524
+ {
1525
+ "id": "token_has_long_timed_expiry",
1526
+ "name": "Token Has Long Timed Expiry",
1527
+ "type": "variant",
1528
+ "priority": 5
1529
+ },
1530
+ {
1531
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1532
+ "name": "Token is Not Invalidated After New Token is Requested",
1533
+ "type": "variant",
1534
+ "priority": 5
1535
+ },
1536
+ {
1537
+ "id": "token_is_not_invalidated_after_login",
1538
+ "name": "Token is Not Invalidated After Login",
1539
+ "type": "variant",
1540
+ "priority": 5
1541
+ }
1542
+ ]
1543
+ },
1544
+ {
1545
+ "id": "verification_of_contact_method_not_required",
1546
+ "name": "Verification of Contact Method not Required",
1547
+ "type": "subcategory",
1548
+ "priority": 5
1549
+ },
1550
+ {
1551
+ "id": "lack_of_notification_email",
1552
+ "name": "Lack of Notification Email",
1553
+ "type": "subcategory",
1554
+ "priority": 5
1555
+ },
1556
+ {
1557
+ "id": "weak_registration_implementation",
1558
+ "name": "Weak Registration Implementation",
1559
+ "type": "subcategory",
1560
+ "children": [
1561
+ {
1562
+ "id": "allows_disposable_email_addresses",
1563
+ "name": "Allows Disposable Email Addresses",
1564
+ "type": "variant",
1565
+ "priority": 5
1566
+ }
1567
+ ]
1568
+ },
1569
+ {
1570
+ "id": "weak_two_fa_implementation",
1571
+ "name": "Weak 2FA Implementation",
1572
+ "type": "subcategory",
1573
+ "children": [
1574
+ {
1575
+ "id": "two_fa_secret_cannot_be_rotated",
1576
+ "name": "2FA Secret Cannot be Rotated",
1577
+ "type": "variant",
1578
+ "priority": 4
1579
+ },
1580
+ {
1581
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1582
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1583
+ "type": "variant",
1584
+ "priority": 4
1585
+ },
1586
+ {
1587
+ "id": "missing_failsafe",
1588
+ "name": "Missing Failsafe",
1589
+ "type": "variant",
1590
+ "priority": 5
1591
+ },
1592
+ {
1593
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1594
+ "name": "2FA Code is Not Updated After New Code is Requested",
1595
+ "type": "variant",
1596
+ "priority": 5
1597
+ },
1598
+ {
1599
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1600
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1601
+ "type": "variant",
1602
+ "priority": 5
1603
+ }
1604
+ ]
1605
+ }
1606
+ ]
1607
+ },
1608
+ {
1609
+ "id": "using_components_with_known_vulnerabilities",
1610
+ "name": "Using Components with Known Vulnerabilities",
1611
+ "type": "category",
1612
+ "children": [
1613
+ {
1614
+ "id": "rosetta_flash",
1615
+ "name": "Rosetta Flash",
1616
+ "type": "subcategory",
1617
+ "priority": 5
1618
+ },
1619
+ {
1620
+ "id": "outdated_software_version",
1621
+ "name": "Outdated Software Version",
1622
+ "type": "subcategory",
1623
+ "priority": 5
1624
+ },
1625
+ {
1626
+ "id": "captcha_bypass",
1627
+ "name": "Captcha Bypass",
1628
+ "type": "subcategory",
1629
+ "children": [
1630
+ {
1631
+ "id": "ocr_optical_character_recognition",
1632
+ "name": "OCR (Optical Character Recognition)",
1633
+ "type": "variant",
1634
+ "priority": 5
1635
+ }
1636
+ ]
1637
+ }
1638
+ ]
1639
+ },
1640
+ {
1641
+ "id": "insecure_data_storage",
1642
+ "name": "Insecure Data Storage",
1643
+ "type": "category",
1644
+ "children": [
1645
+ {
1646
+ "id": "sensitive_application_data_stored_unencrypted",
1647
+ "name": "Sensitive Application Data Stored Unencrypted",
1648
+ "type": "subcategory",
1649
+ "children": [
1650
+ {
1651
+ "id": "on_external_storage",
1652
+ "name": "On External Storage",
1653
+ "type": "variant",
1654
+ "priority": 4
1655
+ },
1656
+ {
1657
+ "id": "on_internal_storage",
1658
+ "name": "On Internal Storage",
1659
+ "type": "variant",
1660
+ "priority": 5
1661
+ }
1662
+ ]
1663
+ },
1664
+ {
1665
+ "id": "server_side_credentials_storage",
1666
+ "name": "Server-Side Credentials Storage",
1667
+ "type": "subcategory",
1668
+ "children": [
1669
+ {
1670
+ "id": "plaintext",
1671
+ "name": "Plaintext",
1672
+ "type": "variant",
1673
+ "priority": 4
1674
+ }
1675
+ ]
1676
+ },
1677
+ {
1678
+ "id": "non_sensitive_application_data_stored_unencrypted",
1679
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1680
+ "type": "subcategory",
1681
+ "priority": 5
1682
+ },
1683
+ {
1684
+ "id": "screen_caching_enabled",
1685
+ "name": "Screen Caching Enabled",
1686
+ "type": "subcategory",
1687
+ "priority": 5
1688
+ }
1689
+ ]
1690
+ },
1691
+ {
1692
+ "id": "lack_of_binary_hardening",
1693
+ "name": "Lack of Binary Hardening",
1694
+ "type": "category",
1695
+ "children": [
1696
+ {
1697
+ "id": "lack_of_exploit_mitigations",
1698
+ "name": "Lack of Exploit Mitigations",
1699
+ "type": "subcategory",
1700
+ "priority": 5
1701
+ },
1702
+ {
1703
+ "id": "lack_of_jailbreak_detection",
1704
+ "name": "Lack of Jailbreak Detection",
1705
+ "type": "subcategory",
1706
+ "priority": 5
1707
+ },
1708
+ {
1709
+ "id": "lack_of_obfuscation",
1710
+ "name": "Lack of Obfuscation",
1711
+ "type": "subcategory",
1712
+ "priority": 5
1713
+ },
1714
+ {
1715
+ "id": "runtime_instrumentation_based",
1716
+ "name": "Runtime Instrumentation-Based",
1717
+ "type": "subcategory",
1718
+ "priority": 5
1719
+ }
1720
+ ]
1721
+ },
1722
+ {
1723
+ "id": "insecure_data_transport",
1724
+ "name": "Insecure Data Transport",
1725
+ "type": "category",
1726
+ "children": [
1727
+ {
1728
+ "id": "cleartext_transmission_of_sensitive_data",
1729
+ "name": "Cleartext Transmission of Sensitive Data",
1730
+ "type": "subcategory",
1731
+ "priority": null
1732
+ },
1733
+ {
1734
+ "id": "executable_download",
1735
+ "name": "Executable Download",
1736
+ "type": "subcategory",
1737
+ "children": [
1738
+ {
1739
+ "id": "no_secure_integrity_check",
1740
+ "name": "No Secure Integrity Check",
1741
+ "type": "variant",
1742
+ "priority": 4
1743
+ },
1744
+ {
1745
+ "id": "secure_integrity_check",
1746
+ "name": "Secure Integrity Check",
1747
+ "type": "variant",
1748
+ "priority": 5
1749
+ }
1750
+ ]
1751
+ }
1752
+ ]
1753
+ },
1754
+ {
1755
+ "id": "insecure_os_firmware",
1756
+ "name": "Insecure OS/Firmware",
1757
+ "type": "category",
1758
+ "children": [
1759
+ {
1760
+ "id": "command_injection",
1761
+ "name": "Command Injection",
1762
+ "type": "subcategory",
1763
+ "priority": 1
1764
+ },
1765
+ {
1766
+ "id": "hardcoded_password",
1767
+ "name": "Hardcoded Password",
1768
+ "type": "subcategory",
1769
+ "children": [
1770
+ {
1771
+ "id": "privileged_user",
1772
+ "name": "Privileged User",
1773
+ "type": "variant",
1774
+ "priority": 1
1775
+ },
1776
+ {
1777
+ "id": "non_privileged_user",
1778
+ "name": "Non-Privileged User",
1779
+ "type": "variant",
1780
+ "priority": 2
1781
+ }
1782
+ ]
1783
+ }
1784
+ ]
1785
+ },
1786
+ {
1787
+ "id": "broken_cryptography",
1788
+ "name": "Broken Cryptography",
1789
+ "type": "category",
1790
+ "children": [
1791
+ {
1792
+ "id": "cryptographic_flaw",
1793
+ "name": "Cryptographic Flaw",
1794
+ "type": "subcategory",
1795
+ "children": [
1796
+ {
1797
+ "id": "incorrect_usage",
1798
+ "name": "Incorrect Usage",
1799
+ "type": "variant",
1800
+ "priority": 1
1801
+ }
1802
+ ]
1803
+ }
1804
+ ]
1805
+ },
1806
+ {
1807
+ "id": "privacy_concerns",
1808
+ "name": "Privacy Concerns",
1809
+ "type": "category",
1810
+ "children": [
1811
+ {
1812
+ "id": "unnecessary_data_collection",
1813
+ "name": "Unnecessary Data Collection",
1814
+ "type": "subcategory",
1815
+ "children": [
1816
+ {
1817
+ "id": "wifi_ssid_password",
1818
+ "name": "WiFi SSID+Password",
1819
+ "type": "variant",
1820
+ "priority": 4
1821
+ }
1822
+ ]
1823
+ }
1824
+ ]
1825
+ },
1826
+ {
1827
+ "id": "network_security_misconfiguration",
1828
+ "name": "Network Security Misconfiguration",
1829
+ "type": "category",
1830
+ "children": [
1831
+ {
1832
+ "id": "telnet_enabled",
1833
+ "name": "Telnet Enabled",
1834
+ "type": "subcategory",
1835
+ "priority": 5
1836
+ }
1837
+ ]
1838
+ },
1839
+ {
1840
+ "id": "mobile_security_misconfiguration",
1841
+ "name": "Mobile Security Misconfiguration",
1842
+ "type": "category",
1843
+ "children": [
1844
+ {
1845
+ "id": "ssl_certificate_pinning",
1846
+ "name": "SSL Certificate Pinning",
1847
+ "type": "subcategory",
1848
+ "children": [
1849
+ {
1850
+ "id": "absent",
1851
+ "name": "Absent",
1852
+ "type": "variant",
1853
+ "priority": 5
1854
+ },
1855
+ {
1856
+ "id": "defeatable",
1857
+ "name": "Defeatable",
1858
+ "type": "variant",
1859
+ "priority": 5
1860
+ }
1861
+ ]
1862
+ },
1863
+ {
1864
+ "id": "tapjacking",
1865
+ "name": "Tapjacking",
1866
+ "type": "subcategory",
1867
+ "priority": 5
1868
+ },
1869
+ {
1870
+ "id": "clipboard_enabled",
1871
+ "name": "Clipboard Enabled",
1872
+ "type": "subcategory",
1873
+ "priority": 5
1874
+ },
1875
+ {
1876
+ "id": "auto_backup_allowed_by_default",
1877
+ "name": "Auto Backup Allowed by Default",
1878
+ "type": "subcategory",
1879
+ "priority": 5
1880
+ }
1881
+ ]
1882
+ },
1883
+ {
1884
+ "id": "client_side_injection",
1885
+ "name": "Client-Side Injection",
1886
+ "type": "category",
1887
+ "children": [
1888
+ {
1889
+ "id": "binary_planting",
1890
+ "name": "Binary Planting",
1891
+ "type": "subcategory",
1892
+ "children": [
1893
+ {
1894
+ "id": "privilege_escalation",
1895
+ "name": "Default Folder Privilege Escalation",
1896
+ "type": "variant",
1897
+ "priority": 3
1898
+ },
1899
+ {
1900
+ "id": "non_default_folder_privilege_escalation",
1901
+ "name": "Non-Default Folder Privilege Escalation",
1902
+ "type": "variant",
1903
+ "priority": 5
1904
+ },
1905
+ {
1906
+ "id": "no_privilege_escalation",
1907
+ "name": "No Privilege Escalation",
1908
+ "type": "variant",
1909
+ "priority": 5
1910
+ }
1911
+ ]
1912
+ }
1913
+ ]
1914
+ },
1915
+ {
1916
+ "id": "automotive_security_misconfiguration",
1917
+ "name": "Automotive Security Misconfiguration",
1918
+ "type": "category",
1919
+ "children": [
1920
+ {
1921
+ "id": "infotainment_radio_head_unit",
1922
+ "name": "Infotainment, Radio Head Unit",
1923
+ "type": "subcategory",
1924
+ "children": [
1925
+ {
1926
+ "id": "pii_leakage",
1927
+ "name": "PII Leakage",
1928
+ "type": "variant",
1929
+ "priority": 1
1930
+ },
1931
+ {
1932
+ "id": "ota_firmware_manipulation",
1933
+ "name": "OTA Firmware Manipulation",
1934
+ "type": "variant",
1935
+ "priority": 2
1936
+ },
1937
+ {
1938
+ "id": "code_execution_can_bus_pivot",
1939
+ "name": "Code Execution (CAN Bus Pivot)",
1940
+ "type": "variant",
1941
+ "priority": 2
1942
+ },
1943
+ {
1944
+ "id": "code_execution_no_can_bus_pivot",
1945
+ "name": "Code Execution (No CAN Bus Pivot)",
1946
+ "type": "variant",
1947
+ "priority": 3
1948
+ },
1949
+ {
1950
+ "id": "unauthorized_access_to_services",
1951
+ "name": "Unauthorized Access to Services (API / Endpoints)",
1952
+ "type": "variant",
1953
+ "priority": 3
1954
+ },
1955
+ {
1956
+ "id": "source_code_dump",
1957
+ "name": "Source Code Dump",
1958
+ "type": "variant",
1959
+ "priority": 4
1960
+ },
1961
+ {
1962
+ "id": "dos_brick",
1963
+ "name": "Denial of Service (DoS / Brick)",
1964
+ "type": "variant",
1965
+ "priority": 4
1966
+ },
1967
+ {
1968
+ "id": "default_credentials",
1969
+ "name": "Default Credentials",
1970
+ "type": "variant",
1971
+ "priority": 4
1972
+ }
1973
+ ]
1974
+ },
1975
+ {
1976
+ "id": "rf_hub",
1977
+ "name": "RF Hub",
1978
+ "type": "subcategory",
1979
+ "children": [
1980
+ {
1981
+ "id": "key_fob_cloning",
1982
+ "name": "Key Fob Cloning",
1983
+ "type": "variant",
1984
+ "priority": 1
1985
+ },
1986
+ {
1987
+ "id": "can_injection_interaction",
1988
+ "name": "CAN Injection / Interaction",
1989
+ "type": "variant",
1990
+ "priority": 2
1991
+ },
1992
+ {
1993
+ "id": "data_leakage_pull_encryption_mechanism",
1994
+ "name": "Data Leakage / Pull Encryption Mechanism",
1995
+ "type": "variant",
1996
+ "priority": 3
1997
+ },
1998
+ {
1999
+ "id": "unauthorized_access_turn_on",
2000
+ "name": "Unauthorized Access / Turn On",
2001
+ "type": "variant",
2002
+ "priority": 4
2003
+ },
2004
+ {
2005
+ "id": "roll_jam",
2006
+ "name": "Roll Jam",
2007
+ "type": "variant",
2008
+ "priority": 5
2009
+ },
2010
+ {
2011
+ "id": "replay",
2012
+ "name": "Replay",
2013
+ "type": "variant",
2014
+ "priority": 5
2015
+ },
2016
+ {
2017
+ "id": "relay",
2018
+ "name": "Relay",
2019
+ "type": "variant",
2020
+ "priority": 5
2021
+ }
2022
+ ]
2023
+ },
2024
+ {
2025
+ "id": "can",
2026
+ "name": "CAN",
2027
+ "type": "subcategory",
2028
+ "children": [
2029
+ {
2030
+ "id": "injection_battery_management_system",
2031
+ "name": "Injection (Battery Management System)",
2032
+ "type": "variant",
2033
+ "priority": 3
2034
+ },
2035
+ {
2036
+ "id": "injection_steering_control",
2037
+ "name": "Injection (Steering Control)",
2038
+ "type": "variant",
2039
+ "priority": 3
2040
+ },
2041
+ {
2042
+ "id": "injection_pyrotechnical_device_deployment_tool",
2043
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
2044
+ "type": "variant",
2045
+ "priority": 3
2046
+ },
2047
+ {
2048
+ "id": "injection_headlights",
2049
+ "name": "Injection (Headlights)",
2050
+ "type": "variant",
2051
+ "priority": 3
2052
+ },
2053
+ {
2054
+ "id": "injection_sensors",
2055
+ "name": "Injection (Sensors)",
2056
+ "type": "variant",
2057
+ "priority": 3
2058
+ },
2059
+ {
2060
+ "id": "injection_vehicle_anti_theft_systems",
2061
+ "name": "Injection (Vehicle Anti-theft Systems)",
2062
+ "type": "variant",
2063
+ "priority": 3
2064
+ },
2065
+ {
2066
+ "id": "injection_powertrain",
2067
+ "name": "Injection (Powertrain)",
2068
+ "type": "variant",
2069
+ "priority": 3
2070
+ },
2071
+ {
2072
+ "id": "injection_basic_safety_message",
2073
+ "name": "Injection (Basic Safety Message)",
2074
+ "type": "variant",
2075
+ "priority": 3
2076
+ },
2077
+ {
2078
+ "id": "injection_disallowed_messages",
2079
+ "name": "Injection (Disallowed Messages)",
2080
+ "type": "variant",
2081
+ "priority": 4
2082
+ },
2083
+ {
2084
+ "id": "injection_dos",
2085
+ "name": "Injection (DoS)",
2086
+ "type": "variant",
2087
+ "priority": 4
2088
+ }
2089
+ ]
2090
+ },
2091
+ {
2092
+ "id": "battery_management_system",
2093
+ "name": "Battery Management System",
2094
+ "type": "subcategory",
2095
+ "children": [
2096
+ {
2097
+ "id": "firmware_dump",
2098
+ "name": "Firmware Dump",
2099
+ "type": "variant",
2100
+ "priority": 3
2101
+ },
2102
+ {
2103
+ "id": "fraudulent_interface",
2104
+ "name": "Fraudulent Interface",
2105
+ "type": "variant",
2106
+ "priority": 4
2107
+ }
2108
+ ]
2109
+ },
2110
+ {
2111
+ "id": "gnss_gps",
2112
+ "name": "GNSS / GPS",
2113
+ "type": "subcategory",
2114
+ "children": [
2115
+ {
2116
+ "id": "spoofing",
2117
+ "name": "Spoofing",
2118
+ "type": "variant",
2119
+ "priority": 4
2120
+ }
2121
+ ]
2122
+ },
2123
+ {
2124
+ "id": "immobilizer",
2125
+ "name": "Immobilizer",
2126
+ "type": "subcategory",
2127
+ "children": [
2128
+ {
2129
+ "id": "engine_start",
2130
+ "name": "Engine Start",
2131
+ "type": "variant",
2132
+ "priority": 3
2133
+ }
2134
+ ]
2135
+ },
2136
+ {
2137
+ "id": "abs",
2138
+ "name": "Automatic Braking System (ABS)",
2139
+ "type": "subcategory",
2140
+ "children": [
2141
+ {
2142
+ "id": "unintended_acceleration_brake",
2143
+ "name": "Unintended Acceleration / Brake",
2144
+ "type": "variant",
2145
+ "priority": 3
2146
+ }
2147
+ ]
2148
+ },
2149
+ {
2150
+ "id": "rsu",
2151
+ "name": "Roadside Unit (RSU)",
2152
+ "type": "subcategory",
2153
+ "children": [
2154
+ {
2155
+ "id": "sybil_attack",
2156
+ "name": "Sybil Attack",
2157
+ "type": "variant",
2158
+ "priority": 4
2159
+ }
2160
+ ]
2161
+ }
2162
+ ]
2163
+ },
2164
+ {
2165
+ "id": "indicators_of_compromise",
2166
+ "name": "Indicators of Compromise",
2167
+ "type": "category",
2168
+ "priority": null
2169
+ }
2170
+ ]
2171
+ }