vrt 0.11.0 → 0.12.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.11/deprecated-node-mapping.json +236 -0
  3. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.json +1250 -0
  4. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.11/mappings/cwe/cwe.json +664 -0
  6. data/lib/data/1.11/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.json +1811 -0
  8. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.11/third-party-mappings/remediation_training/secure-code-warrior-links.json +392 -0
  10. data/lib/data/1.11/vrt.schema.json +63 -0
  11. data/lib/data/1.11/vulnerability-rating-taxonomy.json +2442 -0
  12. data/lib/vrt/mapping.rb +12 -6
  13. data/lib/vrt/node.rb +4 -0
  14. data/lib/vrt/third_party_links.rb +33 -0
  15. data/lib/vrt/version.rb +1 -1
  16. data/lib/vrt.rb +8 -0
  17. metadata +18 -7
data/lib/data/1.11/vulnerability-rating-taxonomy.json ADDED
@@ -0,0 +1,2442 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2023-11-20T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "server_side_request_forgery_ssrf",
13
+ "name": "Server-Side Request Forgery (SSRF)",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "internal_high_impact",
18
+ "name": "Internal High Impact",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "internal_scan_and_or_medium_impact",
24
+ "name": "Internal Scan and/or Medium Impact",
25
+ "type": "variant",
26
+ "priority": 3
27
+ },
28
+ {
29
+ "id": "external_low_impact",
30
+ "name": "External - Low impact",
31
+ "type": "variant",
32
+ "priority": 5
33
+ },
34
+ {
35
+ "id": "external_dns_query_only",
36
+ "name": "External - DNS Query Only",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "unsafe_cross_origin_resource_sharing",
44
+ "name": "Unsafe Cross-Origin Resource Sharing",
45
+ "type": "subcategory",
46
+ "priority": null
47
+ },
48
+ {
49
+ "id": "request_smuggling",
50
+ "name": "HTTP Request Smuggling",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "path_traversal",
56
+ "name": "Path Traversal",
57
+ "type": "subcategory",
58
+ "priority": null
59
+ },
60
+ {
61
+ "id": "directory_listing_enabled",
62
+ "name": "Directory Listing Enabled",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "sensitive_data_exposure",
67
+ "name": "Sensitive Data Exposure",
68
+ "type": "variant",
69
+ "priority": null
70
+ },
71
+ {
72
+ "id": "non_sensitive_data_exposure",
73
+ "name": "Non-Sensitive Data Exposure",
74
+ "type": "variant",
75
+ "priority": 5
76
+ }
77
+ ]
78
+ },
79
+ {
80
+ "id": "same_site_scripting",
81
+ "name": "Same-Site Scripting",
82
+ "type": "subcategory",
83
+ "priority": 5
84
+ },
85
+ {
86
+ "id": "ssl_attack_breach_poodle_etc",
87
+ "name": "SSL Attack (BREACH, POODLE etc.)",
88
+ "type": "subcategory",
89
+ "priority": null
90
+ },
91
+ {
92
+ "id": "using_default_credentials",
93
+ "name": "Using Default Credentials",
94
+ "type": "subcategory",
95
+ "priority": 1
96
+ },
97
+ {
98
+ "id": "misconfigured_dns",
99
+ "name": "Misconfigured DNS",
100
+ "type": "subcategory",
101
+ "children": [
102
+ {
103
+ "id": "basic_subdomain_takeover",
104
+ "name": "Basic Subdomain Takeover",
105
+ "type": "variant",
106
+ "priority": 3
107
+ },
108
+ {
109
+ "id": "high_impact_subdomain_takeover",
110
+ "name": "High Impact Subdomain Takeover",
111
+ "type": "variant",
112
+ "priority": 2
113
+ },
114
+ {
115
+ "id": "zone_transfer",
116
+ "name": "Zone Transfer",
117
+ "type": "variant",
118
+ "priority": 4
119
+ },
120
+ {
121
+ "id": "missing_caa_record",
122
+ "name": "Missing Certification Authority Authorization (CAA) Record",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "mail_server_misconfiguration",
130
+ "name": "Mail Server Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "no_spoofing_protection_on_email_domain",
135
+ "name": "No Spoofing Protection on Email Domain",
136
+ "type": "variant",
137
+ "priority": 3
138
+ },
139
+ {
140
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
141
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
142
+ "type": "variant",
143
+ "priority": 4
144
+ },
145
+ {
146
+ "id": "email_spoofing_to_spam_folder",
147
+ "name": "Email Spoofing to Spam Folder",
148
+ "type": "variant",
149
+ "priority": 5
150
+ },
151
+ {
152
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
153
+ "name": "Missing or Misconfigured SPF and/or DKIM",
154
+ "type": "variant",
155
+ "priority": 5
156
+ },
157
+ {
158
+ "id": "email_spoofing_on_non_email_domain",
159
+ "name": "Email Spoofing on Non-Email Domain",
160
+ "type": "variant",
161
+ "priority": 5
162
+ }
163
+ ]
164
+ },
165
+ {
166
+ "id": "dbms_misconfiguration",
167
+ "name": "Database Management System (DBMS) Misconfiguration",
168
+ "type": "subcategory",
169
+ "children": [
170
+ {
171
+ "id": "excessively_privileged_user_dba",
172
+ "name": "Excessively Privileged User / DBA",
173
+ "type": "variant",
174
+ "priority": 4
175
+ }
176
+ ]
177
+ },
178
+ {
179
+ "id": "lack_of_password_confirmation",
180
+ "name": "Lack of Password Confirmation",
181
+ "type": "subcategory",
182
+ "children": [
183
+ {
184
+ "id": "change_email_address",
185
+ "name": "Change Email Address",
186
+ "type": "variant",
187
+ "priority": 5
188
+ },
189
+ {
190
+ "id": "change_password",
191
+ "name": "Change Password",
192
+ "type": "variant",
193
+ "priority": 5
194
+ },
195
+ {
196
+ "id": "delete_account",
197
+ "name": "Delete Account",
198
+ "type": "variant",
199
+ "priority": 4
200
+ },
201
+ {
202
+ "id": "manage_two_fa",
203
+ "name": "Manage 2FA",
204
+ "type": "variant",
205
+ "priority": 5
206
+ }
207
+ ]
208
+ },
209
+ {
210
+ "id": "no_rate_limiting_on_form",
211
+ "name": "No Rate Limiting on Form",
212
+ "type": "subcategory",
213
+ "children": [
214
+ {
215
+ "id": "registration",
216
+ "name": "Registration",
217
+ "type": "variant",
218
+ "priority": 4
219
+ },
220
+ {
221
+ "id": "login",
222
+ "name": "Login",
223
+ "type": "variant",
224
+ "priority": 4
225
+ },
226
+ {
227
+ "id": "email_triggering",
228
+ "name": "Email-Triggering",
229
+ "type": "variant",
230
+ "priority": 4
231
+ },
232
+ {
233
+ "id": "sms_triggering",
234
+ "name": "SMS-Triggering",
235
+ "type": "variant",
236
+ "priority": 4
237
+ },
238
+ {
239
+ "id": "change_password",
240
+ "name": "Change Password",
241
+ "type": "variant",
242
+ "priority": 5
243
+ }
244
+ ]
245
+ },
246
+ {
247
+ "id": "unsafe_file_upload",
248
+ "name": "Unsafe File Upload",
249
+ "type": "subcategory",
250
+ "children": [
251
+ {
252
+ "id": "no_antivirus",
253
+ "name": "No Antivirus",
254
+ "type": "variant",
255
+ "priority": 5
256
+ },
257
+ {
258
+ "id": "no_size_limit",
259
+ "name": "No Size Limit",
260
+ "type": "variant",
261
+ "priority": 5
262
+ },
263
+ {
264
+ "id": "file_extension_filter_bypass",
265
+ "name": "File Extension Filter Bypass",
266
+ "type": "variant",
267
+ "priority": 5
268
+ }
269
+ ]
270
+ },
271
+ {
272
+ "id": "cookie_scoped_to_parent_domain",
273
+ "name": "Cookie Scoped to Parent Domain",
274
+ "type": "subcategory",
275
+ "priority": 5
276
+ },
277
+ {
278
+ "id": "missing_secure_or_httponly_cookie_flag",
279
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
280
+ "type": "subcategory",
281
+ "children": [
282
+ {
283
+ "id": "session_token",
284
+ "name": "Session Token",
285
+ "type": "variant",
286
+ "priority": 4
287
+ },
288
+ {
289
+ "id": "non_session_cookie",
290
+ "name": "Non-Session Cookie",
291
+ "type": "variant",
292
+ "priority": 5
293
+ }
294
+ ]
295
+ },
296
+ {
297
+ "id": "clickjacking",
298
+ "name": "Clickjacking",
299
+ "type": "subcategory",
300
+ "children": [
301
+ {
302
+ "id": "sensitive_action",
303
+ "name": "Sensitive Click-Based Action",
304
+ "type": "variant",
305
+ "priority": 4
306
+ },
307
+ {
308
+ "id": "form_input",
309
+ "name": "Form Input",
310
+ "type": "variant",
311
+ "priority": 5
312
+ },
313
+ {
314
+ "id": "non_sensitive_action",
315
+ "name": "Non-Sensitive Action",
316
+ "type": "variant",
317
+ "priority": 5
318
+ }
319
+ ]
320
+ },
321
+ {
322
+ "id": "oauth_misconfiguration",
323
+ "name": "OAuth Misconfiguration",
324
+ "type": "subcategory",
325
+ "children": [
326
+ {
327
+ "id": "account_takeover",
328
+ "name": "Account Takeover",
329
+ "type": "variant",
330
+ "priority": 2
331
+ },
332
+ {
333
+ "id": "account_squatting",
334
+ "name": "Account Squatting",
335
+ "type": "variant",
336
+ "priority": 4
337
+ },
338
+ {
339
+ "id": "missing_state_parameter",
340
+ "name": "Missing/Broken State Parameter",
341
+ "type": "variant",
342
+ "priority": null
343
+ },
344
+ {
345
+ "id": "insecure_redirect_uri",
346
+ "name": "Insecure Redirect URI",
347
+ "type": "variant",
348
+ "priority": null
349
+ }
350
+ ]
351
+ },
352
+ {
353
+ "id": "captcha",
354
+ "name": "CAPTCHA",
355
+ "type": "subcategory",
356
+ "children": [
357
+ {
358
+ "id": "implementation_vulnerability",
359
+ "name": "Implementation Vulnerability",
360
+ "type": "variant",
361
+ "priority": 4
362
+ },
363
+ {
364
+ "id": "brute_force",
365
+ "name": "Brute Force",
366
+ "type": "variant",
367
+ "priority": 5
368
+ },
369
+ {
370
+ "id": "missing",
371
+ "name": "Missing",
372
+ "type": "variant",
373
+ "priority": 5
374
+ }
375
+ ]
376
+ },
377
+ {
378
+ "id": "exposed_admin_portal",
379
+ "name": "Exposed Admin Portal",
380
+ "type": "subcategory",
381
+ "children": [
382
+ {
383
+ "id": "to_internet",
384
+ "name": "To Internet",
385
+ "type": "variant",
386
+ "priority": 5
387
+ }
388
+ ]
389
+ },
390
+ {
391
+ "id": "missing_dnssec",
392
+ "name": "Missing DNSSEC",
393
+ "type": "subcategory",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "fingerprinting_banner_disclosure",
398
+ "name": "Fingerprinting/Banner Disclosure",
399
+ "type": "subcategory",
400
+ "priority": 5
401
+ },
402
+ {
403
+ "id": "username_enumeration",
404
+ "name": "Username/Email Enumeration",
405
+ "type": "subcategory",
406
+ "children": [
407
+ {
408
+ "id": "brute_force",
409
+ "name": "Brute Force",
410
+ "type": "variant",
411
+ "priority": 5
412
+ }
413
+ ]
414
+ },
415
+ {
416
+ "id": "potentially_unsafe_http_method_enabled",
417
+ "name": "Potentially Unsafe HTTP Method Enabled",
418
+ "type": "subcategory",
419
+ "children": [
420
+ {
421
+ "id": "options",
422
+ "name": "OPTIONS",
423
+ "type": "variant",
424
+ "priority": 5
425
+ },
426
+ {
427
+ "id": "trace",
428
+ "name": "TRACE",
429
+ "type": "variant",
430
+ "priority": 5
431
+ }
432
+ ]
433
+ },
434
+ {
435
+ "id": "insecure_ssl",
436
+ "name": "Insecure SSL",
437
+ "type": "subcategory",
438
+ "children": [
439
+ {
440
+ "id": "lack_of_forward_secrecy",
441
+ "name": "Lack of Forward Secrecy",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "insecure_cipher_suite",
447
+ "name": "Insecure Cipher Suite",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "certificate_error",
453
+ "name": "Certificate Error",
454
+ "type": "variant",
455
+ "priority": 5
456
+ }
457
+ ]
458
+ },
459
+ {
460
+ "id": "rfd",
461
+ "name": "Reflected File Download (RFD)",
462
+ "type": "subcategory",
463
+ "priority": 5
464
+ },
465
+ {
466
+ "id": "lack_of_security_headers",
467
+ "name": "Lack of Security Headers",
468
+ "type": "subcategory",
469
+ "children": [
470
+ {
471
+ "id": "x_frame_options",
472
+ "name": "X-Frame-Options",
473
+ "type": "variant",
474
+ "priority": 5
475
+ },
476
+ {
477
+ "id": "cache_control_for_a_non_sensitive_page",
478
+ "name": "Cache-Control for a Non-Sensitive Page",
479
+ "type": "variant",
480
+ "priority": 5
481
+ },
482
+ {
483
+ "id": "x_xss_protection",
484
+ "name": "X-XSS-Protection",
485
+ "type": "variant",
486
+ "priority": 5
487
+ },
488
+ {
489
+ "id": "strict_transport_security",
490
+ "name": "Strict-Transport-Security",
491
+ "type": "variant",
492
+ "priority": 5
493
+ },
494
+ {
495
+ "id": "x_content_type_options",
496
+ "name": "X-Content-Type-Options",
497
+ "type": "variant",
498
+ "priority": 5
499
+ },
500
+ {
501
+ "id": "content_security_policy",
502
+ "name": "Content-Security-Policy",
503
+ "type": "variant",
504
+ "priority": 5
505
+ },
506
+ {
507
+ "id": "public_key_pins",
508
+ "name": "Public-Key-Pins",
509
+ "type": "variant",
510
+ "priority": 5
511
+ },
512
+ {
513
+ "id": "x_content_security_policy",
514
+ "name": "X-Content-Security-Policy",
515
+ "type": "variant",
516
+ "priority": 5
517
+ },
518
+ {
519
+ "id": "x_webkit_csp",
520
+ "name": "X-Webkit-CSP",
521
+ "type": "variant",
522
+ "priority": 5
523
+ },
524
+ {
525
+ "id": "content_security_policy_report_only",
526
+ "name": "Content-Security-Policy-Report-Only",
527
+ "type": "variant",
528
+ "priority": 5
529
+ },
530
+ {
531
+ "id": "cache_control_for_a_sensitive_page",
532
+ "name": "Cache-Control for a Sensitive Page",
533
+ "type": "variant",
534
+ "priority": 4
535
+ }
536
+ ]
537
+ },
538
+ {
539
+ "id": "waf_bypass",
540
+ "name": "Web Application Firewall (WAF) Bypass",
541
+ "type": "subcategory",
542
+ "children": [
543
+ {
544
+ "id": "direct_server_access",
545
+ "name": "Direct Server Access",
546
+ "type": "variant",
547
+ "priority": 4
548
+ }
549
+ ]
550
+ },
551
+ {
552
+ "id": "race_condition",
553
+ "name": "Race Condition",
554
+ "type": "subcategory",
555
+ "priority": null
556
+ },
557
+ {
558
+ "id": "cache_poisoning",
559
+ "name": "Cache Poisoning",
560
+ "type": "subcategory",
561
+ "priority": null
562
+ },
563
+ {
564
+ "id": "bitsquatting",
565
+ "name": "Bitsquatting",
566
+ "type": "subcategory",
567
+ "priority": 5
568
+ }
569
+ ]
570
+ },
571
+ {
572
+ "id": "server_side_injection",
573
+ "name": "Server-Side Injection",
574
+ "type": "category",
575
+ "children": [
576
+ {
577
+ "id": "file_inclusion",
578
+ "name": "File Inclusion",
579
+ "type": "subcategory",
580
+ "children": [
581
+ {
582
+ "id": "local",
583
+ "name": "Local",
584
+ "type": "variant",
585
+ "priority": 1
586
+ }
587
+ ]
588
+ },
589
+ {
590
+ "id": "parameter_pollution",
591
+ "name": "Parameter Pollution",
592
+ "type": "subcategory",
593
+ "children": [
594
+ {
595
+ "id": "social_media_sharing_buttons",
596
+ "name": "Social Media Sharing Buttons",
597
+ "type": "variant",
598
+ "priority": 5
599
+ }
600
+ ]
601
+ },
602
+ {
603
+ "id": "remote_code_execution_rce",
604
+ "name": "Remote Code Execution (RCE)",
605
+ "type": "subcategory",
606
+ "priority": 1
607
+ },
608
+ {
609
+ "id": "ldap_injection",
610
+ "name": "LDAP Injection",
611
+ "type": "subcategory",
612
+ "priority": null
613
+ },
614
+ {
615
+ "id": "sql_injection",
616
+ "name": "SQL Injection",
617
+ "type": "subcategory",
618
+ "priority": 1
619
+ },
620
+ {
621
+ "id": "xml_external_entity_injection_xxe",
622
+ "name": "XML External Entity Injection (XXE)",
623
+ "type": "subcategory",
624
+ "priority": 1
625
+ },
626
+ {
627
+ "id": "http_response_manipulation",
628
+ "name": "HTTP Response Manipulation",
629
+ "type": "subcategory",
630
+ "children": [
631
+ {
632
+ "id": "response_splitting_crlf",
633
+ "name": "Response Splitting (CRLF)",
634
+ "type": "variant",
635
+ "priority": 3
636
+ }
637
+ ]
638
+ },
639
+ {
640
+ "id": "content_spoofing",
641
+ "name": "Content Spoofing",
642
+ "type": "subcategory",
643
+ "children": [
644
+ {
645
+ "id": "iframe_injection",
646
+ "name": "iframe Injection",
647
+ "type": "variant",
648
+ "priority": 3
649
+ },
650
+ {
651
+ "id": "impersonation_via_broken_link_hijacking",
652
+ "name": "Impersonation via Broken Link Hijacking",
653
+ "type": "variant",
654
+ "priority": 4
655
+ },
656
+ {
657
+ "id": "external_authentication_injection",
658
+ "name": "External Authentication Injection",
659
+ "type": "variant",
660
+ "priority": 4
661
+ },
662
+ {
663
+ "id": "flash_based_external_authentication_injection",
664
+ "name": "Flash Based External Authentication Injection",
665
+ "type": "variant",
666
+ "priority": 5
667
+ },
668
+ {
669
+ "id": "html_content_injection",
670
+ "name": "HTML Content Injection",
671
+ "type": "variant",
672
+ "priority": 5
673
+ },
674
+ {
675
+ "id": "email_html_injection",
676
+ "name": "Email HTML Injection",
677
+ "type": "variant",
678
+ "priority": 4
679
+ },
680
+ {
681
+ "id": "email_hyperlink_injection_based_on_email_provider",
682
+ "name": "Email Hyperlink Injection Based on Email Provider",
683
+ "type": "variant",
684
+ "priority": 5
685
+ },
686
+ {
687
+ "id": "text_injection",
688
+ "name": "Text Injection",
689
+ "type": "variant",
690
+ "priority": 5
691
+ },
692
+ {
693
+ "id": "homograph_idn_based",
694
+ "name": "Homograph/IDN-Based",
695
+ "type": "variant",
696
+ "priority": 5
697
+ },
698
+ {
699
+ "id": "rtlo",
700
+ "name": "Right-to-Left Override (RTLO)",
701
+ "type": "variant",
702
+ "priority": 5
703
+ }
704
+ ]
705
+ },
706
+ {
707
+ "id": "ssti",
708
+ "name": "Server-Side Template Injection (SSTI)",
709
+ "type": "subcategory",
710
+ "children": [
711
+ {
712
+ "id": "basic",
713
+ "name": "Basic",
714
+ "type": "variant",
715
+ "priority": 4
716
+ },
717
+ {
718
+ "id": "custom",
719
+ "name": "Custom",
720
+ "type": "variant",
721
+ "priority": null
722
+ }
723
+ ]
724
+ }
725
+ ]
726
+ },
727
+ {
728
+ "id": "broken_authentication_and_session_management",
729
+ "name": "Broken Authentication and Session Management",
730
+ "type": "category",
731
+ "children": [
732
+ {
733
+ "id": "authentication_bypass",
734
+ "name": "Authentication Bypass",
735
+ "type": "subcategory",
736
+ "priority": 1
737
+ },
738
+ {
739
+ "id": "two_fa_bypass",
740
+ "name": "Second Factor Authentication (2FA) Bypass",
741
+ "type": "subcategory",
742
+ "priority": 3
743
+ },
744
+ {
745
+ "id": "privilege_escalation",
746
+ "name": "Privilege Escalation",
747
+ "type": "subcategory",
748
+ "priority": null
749
+ },
750
+ {
751
+ "id": "cleartext_transmission_of_session_token",
752
+ "name": "Cleartext Transmission of Session Token",
753
+ "type": "subcategory",
754
+ "priority": 4
755
+ },
756
+ {
757
+ "id": "weak_login_function",
758
+ "name": "Weak Login Function",
759
+ "type": "subcategory",
760
+ "children": [
761
+ {
762
+ "id": "not_operational",
763
+ "name": "Not Operational or Intended Public Access",
764
+ "type": "variant",
765
+ "priority": 5
766
+ },
767
+ {
768
+ "id": "other_plaintext_protocol_no_secure_alternative",
769
+ "name": "Other Plaintext Protocol with no Secure Alternative",
770
+ "type": "variant",
771
+ "priority": 4
772
+ },
773
+ {
774
+ "id": "over_http",
775
+ "name": "Over HTTP",
776
+ "type": "variant",
777
+ "priority": 4
778
+ }
779
+ ]
780
+ },
781
+ {
782
+ "id": "session_fixation",
783
+ "name": "Session Fixation",
784
+ "type": "subcategory",
785
+ "children": [
786
+ {
787
+ "id": "remote_attack_vector",
788
+ "name": "Remote Attack Vector",
789
+ "type": "variant",
790
+ "priority": 3
791
+ },
792
+ {
793
+ "id": "local_attack_vector",
794
+ "name": "Local Attack Vector",
795
+ "type": "variant",
796
+ "priority": 5
797
+ }
798
+ ]
799
+ },
800
+ {
801
+ "id": "failure_to_invalidate_session",
802
+ "name": "Failure to Invalidate Session",
803
+ "type": "subcategory",
804
+ "children": [
805
+ {
806
+ "id": "on_logout",
807
+ "name": "On Logout (Client and Server-Side)",
808
+ "type": "variant",
809
+ "priority": 4
810
+ },
811
+ {
812
+ "id": "permission_change",
813
+ "name": "On Permission Change",
814
+ "type": "variant",
815
+ "priority": null
816
+ },
817
+ {
818
+ "id": "on_logout_server_side_only",
819
+ "name": "On Logout (Server-Side Only)",
820
+ "type": "variant",
821
+ "priority": 5
822
+ },
823
+ {
824
+ "id": "on_password_change",
825
+ "name": "On Password Reset and/or Change",
826
+ "type": "variant",
827
+ "priority": 4
828
+ },
829
+ {
830
+ "id": "all_sessions",
831
+ "name": "Concurrent Sessions On Logout",
832
+ "type": "variant",
833
+ "priority": 5
834
+ },
835
+ {
836
+ "id": "on_email_change",
837
+ "name": "On Email Change",
838
+ "type": "variant",
839
+ "priority": 5
840
+ },
841
+ {
842
+ "id": "on_two_fa_activation_change",
843
+ "name": "On 2FA Activation/Change",
844
+ "type": "variant",
845
+ "priority": 5
846
+ },
847
+ {
848
+ "id": "long_timeout",
849
+ "name": "Long Timeout",
850
+ "type": "variant",
851
+ "priority": 5
852
+ }
853
+ ]
854
+ },
855
+ {
856
+ "id": "concurrent_logins",
857
+ "name": "Concurrent Logins",
858
+ "type": "subcategory",
859
+ "priority": 5
860
+ },
861
+ {
862
+ "id": "weak_registration_implementation",
863
+ "name": "Weak Registration Implementation",
864
+ "type": "subcategory",
865
+ "children": [
866
+ {
867
+ "id": "over_http",
868
+ "name": "Over HTTP",
869
+ "type": "variant",
870
+ "priority": 4
871
+ }
872
+ ]
873
+ }
874
+ ]
875
+ },
876
+ {
877
+ "id": "sensitive_data_exposure",
878
+ "name": "Sensitive Data Exposure",
879
+ "type": "category",
880
+ "children": [
881
+ {
882
+ "id": "disclosure_of_secrets",
883
+ "name": "Disclosure of Secrets",
884
+ "type": "subcategory",
885
+ "children": [
886
+ {
887
+ "id": "for_publicly_accessible_asset",
888
+ "name": "For Publicly Accessible Asset",
889
+ "type": "variant",
890
+ "priority": 1
891
+ },
892
+ {
893
+ "id": "pii_leakage_exposure",
894
+ "name": "PII Leakage/Exposure",
895
+ "type": "variant",
896
+ "priority": null
897
+ },
898
+ {
899
+ "id": "for_internal_asset",
900
+ "name": "For Internal Asset",
901
+ "type": "variant",
902
+ "priority": 3
903
+ },
904
+ {
905
+ "id": "pay_per_use_abuse",
906
+ "name": "Pay-Per-Use Abuse",
907
+ "type": "variant",
908
+ "priority": 4
909
+ },
910
+ {
911
+ "id": "intentionally_public_sample_or_invalid",
912
+ "name": "Intentionally Public, Sample or Invalid",
913
+ "type": "variant",
914
+ "priority": 5
915
+ },
916
+ {
917
+ "id": "data_traffic_spam",
918
+ "name": "Data/Traffic Spam",
919
+ "type": "variant",
920
+ "priority": 5
921
+ },
922
+ {
923
+ "id": "non_corporate_user",
924
+ "name": "Non-Corporate User",
925
+ "type": "variant",
926
+ "priority": 5
927
+ }
928
+ ]
929
+ },
930
+ {
931
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
932
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
933
+ "type": "subcategory",
934
+ "children": [
935
+ {
936
+ "id": "automatic_user_enumeration",
937
+ "name": "Automatic User Enumeration",
938
+ "type": "variant",
939
+ "priority": 3
940
+ },
941
+ {
942
+ "id": "manual_user_enumeration",
943
+ "name": "Manual User Enumeration",
944
+ "type": "variant",
945
+ "priority": 4
946
+ }
947
+ ]
948
+ },
949
+ {
950
+ "id": "visible_detailed_error_page",
951
+ "name": "Visible Detailed Error/Debug Page",
952
+ "type": "subcategory",
953
+ "children": [
954
+ {
955
+ "id": "detailed_server_configuration",
956
+ "name": "Detailed Server Configuration",
957
+ "type": "variant",
958
+ "priority": 4
959
+ },
960
+ {
961
+ "id": "full_path_disclosure",
962
+ "name": "Full Path Disclosure",
963
+ "type": "variant",
964
+ "priority": 5
965
+ },
966
+ {
967
+ "id": "descriptive_stack_trace",
968
+ "name": "Descriptive Stack Trace",
969
+ "type": "variant",
970
+ "priority": 5
971
+ }
972
+ ]
973
+ },
974
+ {
975
+ "id": "disclosure_of_known_public_information",
976
+ "name": "Disclosure of Known Public Information",
977
+ "type": "subcategory",
978
+ "priority": 5
979
+ },
980
+ {
981
+ "id": "token_leakage_via_referer",
982
+ "name": "Token Leakage via Referer",
983
+ "type": "subcategory",
984
+ "children": [
985
+ {
986
+ "id": "trusted_third_party",
987
+ "name": "Trusted 3rd Party",
988
+ "type": "variant",
989
+ "priority": 5
990
+ },
991
+ {
992
+ "id": "untrusted_third_party",
993
+ "name": "Untrusted 3rd Party",
994
+ "type": "variant",
995
+ "priority": 4
996
+ },
997
+ {
998
+ "id": "over_http",
999
+ "name": "Over HTTP",
1000
+ "type": "variant",
1001
+ "priority": 4
1002
+ }
1003
+ ]
1004
+ },
1005
+ {
1006
+ "id": "sensitive_token_in_url",
1007
+ "name": "Sensitive Token in URL",
1008
+ "type": "subcategory",
1009
+ "children": [
1010
+ {
1011
+ "id": "user_facing",
1012
+ "name": "User Facing",
1013
+ "type": "variant",
1014
+ "priority": 4
1015
+ },
1016
+ {
1017
+ "id": "in_the_background",
1018
+ "name": "In the Background",
1019
+ "type": "variant",
1020
+ "priority": 5
1021
+ },
1022
+ {
1023
+ "id": "on_password_reset",
1024
+ "name": "On Password Reset",
1025
+ "type": "variant",
1026
+ "priority": 5
1027
+ }
1028
+ ]
1029
+ },
1030
+ {
1031
+ "id": "non_sensitive_token_in_url",
1032
+ "name": "Non-Sensitive Token in URL",
1033
+ "type": "subcategory",
1034
+ "priority": 5
1035
+ },
1036
+ {
1037
+ "id": "weak_password_reset_implementation",
1038
+ "name": "Weak Password Reset Implementation",
1039
+ "type": "subcategory",
1040
+ "children": [
1041
+ {
1042
+ "id": "password_reset_token_sent_over_http",
1043
+ "name": "Password Reset Token Sent Over HTTP",
1044
+ "type": "variant",
1045
+ "priority": 4
1046
+ },
1047
+ {
1048
+ "id": "token_leakage_via_host_header_poisoning",
1049
+ "name": "Token Leakage via Host Header Poisoning",
1050
+ "type": "variant",
1051
+ "priority": 2
1052
+ }
1053
+ ]
1054
+ },
1055
+ {
1056
+ "id": "mixed_content",
1057
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1058
+ "type": "subcategory",
1059
+ "priority": 5
1060
+ },
1061
+ {
1062
+ "id": "sensitive_data_hardcoded",
1063
+ "name": "Sensitive Data Hardcoded",
1064
+ "type": "subcategory",
1065
+ "children": [
1066
+ {
1067
+ "id": "oauth_secret",
1068
+ "name": "OAuth Secret",
1069
+ "type": "variant",
1070
+ "priority": 5
1071
+ },
1072
+ {
1073
+ "id": "file_paths",
1074
+ "name": "File Paths",
1075
+ "type": "variant",
1076
+ "priority": 5
1077
+ }
1078
+ ]
1079
+ },
1080
+ {
1081
+ "id": "internal_ip_disclosure",
1082
+ "name": "Internal IP Disclosure",
1083
+ "type": "subcategory",
1084
+ "priority": 5
1085
+ },
1086
+ {
1087
+ "id": "xssi",
1088
+ "name": "Cross Site Script Inclusion (XSSI)",
1089
+ "type": "subcategory",
1090
+ "priority": null
1091
+ },
1092
+ {
1093
+ "id": "json_hijacking",
1094
+ "name": "JSON Hijacking",
1095
+ "type": "subcategory",
1096
+ "priority": 5
1097
+ },
1098
+ {
1099
+ "id": "via_localstorage_sessionstorage",
1100
+ "name": "Via localStorage/sessionStorage",
1101
+ "type": "subcategory",
1102
+ "children": [
1103
+ {
1104
+ "id": "sensitive_token",
1105
+ "name": "Sensitive Token",
1106
+ "type": "variant",
1107
+ "priority": 4
1108
+ },
1109
+ {
1110
+ "id": "non_sensitive_token",
1111
+ "name": "Non-Sensitive Token",
1112
+ "type": "variant",
1113
+ "priority": 5
1114
+ }
1115
+ ]
1116
+ }
1117
+ ]
1118
+ },
1119
+ {
1120
+ "id": "cross_site_scripting_xss",
1121
+ "name": "Cross-Site Scripting (XSS)",
1122
+ "type": "category",
1123
+ "children": [
1124
+ {
1125
+ "id": "stored",
1126
+ "name": "Stored",
1127
+ "type": "subcategory",
1128
+ "children": [
1129
+ {
1130
+ "id": "non_admin_to_anyone",
1131
+ "name": "Non-Privileged User to Anyone",
1132
+ "type": "variant",
1133
+ "priority": 2
1134
+ },
1135
+ {
1136
+ "id": "privileged_user_to_privilege_elevation",
1137
+ "name": "Privileged User to Privilege Elevation",
1138
+ "type": "variant",
1139
+ "priority": 3
1140
+ },
1141
+ {
1142
+ "id": "privileged_user_to_no_privilege_elevation",
1143
+ "name": "Privileged User to No Privilege Elevation",
1144
+ "type": "variant",
1145
+ "priority": 4
1146
+ },
1147
+ {
1148
+ "id": "url_based",
1149
+ "name": "CSRF/URL-Based",
1150
+ "type": "variant",
1151
+ "priority": 3
1152
+ },
1153
+ {
1154
+ "id": "self",
1155
+ "name": "Self",
1156
+ "type": "variant",
1157
+ "priority": 5
1158
+ }
1159
+ ]
1160
+ },
1161
+ {
1162
+ "id": "reflected",
1163
+ "name": "Reflected",
1164
+ "type": "subcategory",
1165
+ "children": [
1166
+ {
1167
+ "id": "non_self",
1168
+ "name": "Non-Self",
1169
+ "type": "variant",
1170
+ "priority": 3
1171
+ },
1172
+ {
1173
+ "id": "self",
1174
+ "name": "Self",
1175
+ "type": "variant",
1176
+ "priority": 5
1177
+ }
1178
+ ]
1179
+ },
1180
+ {
1181
+ "id": "flash_based",
1182
+ "name": "Flash-Based",
1183
+ "type": "subcategory",
1184
+ "priority": 5
1185
+ },
1186
+ {
1187
+ "id": "cookie_based",
1188
+ "name": "Cookie-Based",
1189
+ "type": "subcategory",
1190
+ "priority": 5
1191
+ },
1192
+ {
1193
+ "id": "ie_only",
1194
+ "name": "IE-Only",
1195
+ "type": "subcategory",
1196
+ "priority": 5
1197
+ },
1198
+ {
1199
+ "id": "referer",
1200
+ "name": "Referer",
1201
+ "type": "subcategory",
1202
+ "priority": 4
1203
+ },
1204
+ {
1205
+ "id": "trace_method",
1206
+ "name": "TRACE Method",
1207
+ "type": "subcategory",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "universal_uxss",
1212
+ "name": "Universal (UXSS)",
1213
+ "type": "subcategory",
1214
+ "priority": 4
1215
+ },
1216
+ {
1217
+ "id": "off_domain",
1218
+ "name": "Off-Domain",
1219
+ "type": "subcategory",
1220
+ "children": [
1221
+ {
1222
+ "id": "data_uri",
1223
+ "name": "Data URI",
1224
+ "type": "variant",
1225
+ "priority": 4
1226
+ }
1227
+ ]
1228
+ }
1229
+ ]
1230
+ },
1231
+ {
1232
+ "id": "broken_access_control",
1233
+ "name": "Broken Access Control (BAC)",
1234
+ "type": "category",
1235
+ "children": [
1236
+ {
1237
+ "id": "idor",
1238
+ "name": "Insecure Direct Object References (IDOR)",
1239
+ "type": "subcategory",
1240
+ "children": [
1241
+ {
1242
+ "id": "read_edit_delete_non_sensitive_information",
1243
+ "name": "Read/Edit/Delete Non-Sensitive Information",
1244
+ "type": "variant",
1245
+ "priority": 5
1246
+ },
1247
+ {
1248
+ "id": "read_edit_delete_sensitive_information_guid",
1249
+ "name": "Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID)",
1250
+ "type": "variant",
1251
+ "priority": 4
1252
+ },
1253
+ {
1254
+ "id": "read_sensitive_information_iterable_object_identifiers",
1255
+ "name": "Read Sensitive Information/Iterable Object Identifiers",
1256
+ "type": "variant",
1257
+ "priority": 3
1258
+ },
1259
+ {
1260
+ "id": "edit_delete_sensitive_information_iterable_object_identifiers",
1261
+ "name": "Edit/Delete Sensitive Information/Iterable Object Identifiers",
1262
+ "type": "variant",
1263
+ "priority": 2
1264
+ },
1265
+ {
1266
+ "id": "read_edit_delete_sensitive_information_iterable_object_identifiers",
1267
+ "name": "Read/Edit/Delete Sensitive Information/Iterable Object Identifiers",
1268
+ "type": "variant",
1269
+ "priority": 1
1270
+ }
1271
+ ]
1272
+ },
1273
+ {
1274
+ "id": "username_enumeration",
1275
+ "name": "Username/Email Enumeration",
1276
+ "type": "subcategory",
1277
+ "children": [
1278
+ {
1279
+ "id": "non_brute_force",
1280
+ "name": "Non-Brute Force",
1281
+ "type": "variant",
1282
+ "priority": 4
1283
+ }
1284
+ ]
1285
+ },
1286
+ {
1287
+ "id": "exposed_sensitive_android_intent",
1288
+ "name": "Exposed Sensitive Android Intent",
1289
+ "type": "subcategory",
1290
+ "priority": null
1291
+ },
1292
+ {
1293
+ "id": "exposed_sensitive_ios_url_scheme",
1294
+ "name": "Exposed Sensitive iOS URL Scheme",
1295
+ "type": "subcategory",
1296
+ "priority": null
1297
+ }
1298
+ ]
1299
+ },
1300
+ {
1301
+ "id": "cross_site_request_forgery_csrf",
1302
+ "name": "Cross-Site Request Forgery (CSRF)",
1303
+ "type": "category",
1304
+ "children": [
1305
+ {
1306
+ "id": "application_wide",
1307
+ "name": "Application-Wide",
1308
+ "type": "subcategory",
1309
+ "priority": 2
1310
+ },
1311
+ {
1312
+ "id": "action_specific",
1313
+ "name": "Action-Specific",
1314
+ "type": "subcategory",
1315
+ "children": [
1316
+ {
1317
+ "id": "authenticated_action",
1318
+ "name": "Authenticated Action",
1319
+ "type": "variant",
1320
+ "priority": null
1321
+ },
1322
+ {
1323
+ "id": "unauthenticated_action",
1324
+ "name": "Unauthenticated Action",
1325
+ "type": "variant",
1326
+ "priority": null
1327
+ },
1328
+ {
1329
+ "id": "logout",
1330
+ "name": "Logout",
1331
+ "type": "variant",
1332
+ "priority": 5
1333
+ }
1334
+ ]
1335
+ },
1336
+ {
1337
+ "id": "csrf_token_not_unique_per_request",
1338
+ "name": "CSRF Token Not Unique Per Request",
1339
+ "type": "subcategory",
1340
+ "priority": 5
1341
+ },
1342
+ {
1343
+ "id": "flash_based",
1344
+ "name": "Flash-Based",
1345
+ "type": "subcategory",
1346
+ "priority": 5
1347
+ }
1348
+ ]
1349
+ },
1350
+ {
1351
+ "id": "application_level_denial_of_service_dos",
1352
+ "name": "Application-Level Denial-of-Service (DoS)",
1353
+ "type": "category",
1354
+ "children": [
1355
+ {
1356
+ "id": "critical_impact_and_or_easy_difficulty",
1357
+ "name": "Critical Impact and/or Easy Difficulty",
1358
+ "type": "subcategory",
1359
+ "priority": 2
1360
+ },
1361
+ {
1362
+ "id": "high_impact_and_or_medium_difficulty",
1363
+ "name": "High Impact and/or Medium Difficulty",
1364
+ "type": "subcategory",
1365
+ "priority": 3
1366
+ },
1367
+ {
1368
+ "id": "app_crash",
1369
+ "name": "App Crash",
1370
+ "type": "subcategory",
1371
+ "children": [
1372
+ {
1373
+ "id": "malformed_android_intents",
1374
+ "name": "Malformed Android Intents",
1375
+ "type": "variant",
1376
+ "priority": 5
1377
+ },
1378
+ {
1379
+ "id": "malformed_ios_url_schemes",
1380
+ "name": "Malformed iOS URL Schemes",
1381
+ "type": "variant",
1382
+ "priority": 5
1383
+ }
1384
+ ]
1385
+ }
1386
+ ]
1387
+ },
1388
+ {
1389
+ "id": "unvalidated_redirects_and_forwards",
1390
+ "name": "Unvalidated Redirects and Forwards",
1391
+ "type": "category",
1392
+ "children": [
1393
+ {
1394
+ "id": "open_redirect",
1395
+ "name": "Open Redirect",
1396
+ "type": "subcategory",
1397
+ "children": [
1398
+ {
1399
+ "id": "get_based",
1400
+ "name": "GET-Based",
1401
+ "type": "variant",
1402
+ "priority": 4
1403
+ },
1404
+ {
1405
+ "id": "post_based",
1406
+ "name": "POST-Based",
1407
+ "type": "variant",
1408
+ "priority": 5
1409
+ },
1410
+ {
1411
+ "id": "header_based",
1412
+ "name": "Header-Based",
1413
+ "type": "variant",
1414
+ "priority": 5
1415
+ },
1416
+ {
1417
+ "id": "flash_based",
1418
+ "name": "Flash-Based",
1419
+ "type": "variant",
1420
+ "priority": 5
1421
+ }
1422
+ ]
1423
+ },
1424
+ {
1425
+ "id": "tabnabbing",
1426
+ "name": "Tabnabbing",
1427
+ "type": "subcategory",
1428
+ "priority": 5
1429
+ },
1430
+ {
1431
+ "id": "lack_of_security_speed_bump_page",
1432
+ "name": "Lack of Security Speed Bump Page",
1433
+ "type": "subcategory",
1434
+ "priority": 5
1435
+ }
1436
+ ]
1437
+ },
1438
+ {
1439
+ "id": "external_behavior",
1440
+ "name": "External Behavior",
1441
+ "type": "category",
1442
+ "children": [
1443
+ {
1444
+ "id": "browser_feature",
1445
+ "name": "Browser Feature",
1446
+ "type": "subcategory",
1447
+ "children": [
1448
+ {
1449
+ "id": "plaintext_password_field",
1450
+ "name": "Plaintext Password Field",
1451
+ "type": "variant",
1452
+ "priority": 5
1453
+ },
1454
+ {
1455
+ "id": "save_password",
1456
+ "name": "Save Password",
1457
+ "type": "variant",
1458
+ "priority": 5
1459
+ },
1460
+ {
1461
+ "id": "autocomplete_enabled",
1462
+ "name": "Autocomplete Enabled",
1463
+ "type": "variant",
1464
+ "priority": 5
1465
+ },
1466
+ {
1467
+ "id": "autocorrect_enabled",
1468
+ "name": "Autocorrect Enabled",
1469
+ "type": "variant",
1470
+ "priority": 5
1471
+ },
1472
+ {
1473
+ "id": "aggressive_offline_caching",
1474
+ "name": "Aggressive Offline Caching",
1475
+ "type": "variant",
1476
+ "priority": 5
1477
+ }
1478
+ ]
1479
+ },
1480
+ {
1481
+ "id": "csv_injection",
1482
+ "name": "CSV Injection",
1483
+ "type": "subcategory",
1484
+ "priority": 5
1485
+ },
1486
+ {
1487
+ "id": "captcha_bypass",
1488
+ "name": "Captcha Bypass",
1489
+ "type": "subcategory",
1490
+ "children": [
1491
+ {
1492
+ "id": "crowdsourcing",
1493
+ "name": "Crowdsourcing",
1494
+ "type": "variant",
1495
+ "priority": 5
1496
+ }
1497
+ ]
1498
+ },
1499
+ {
1500
+ "id": "system_clipboard_leak",
1501
+ "name": "System Clipboard Leak",
1502
+ "type": "subcategory",
1503
+ "children": [
1504
+ {
1505
+ "id": "shared_links",
1506
+ "name": "Shared Links",
1507
+ "type": "variant",
1508
+ "priority": 5
1509
+ }
1510
+ ]
1511
+ },
1512
+ {
1513
+ "id": "user_password_persisted_in_memory",
1514
+ "name": "User Password Persisted in Memory",
1515
+ "type": "subcategory",
1516
+ "priority": 5
1517
+ }
1518
+ ]
1519
+ },
1520
+ {
1521
+ "id": "insufficient_security_configurability",
1522
+ "name": "Insufficient Security Configurability",
1523
+ "type": "category",
1524
+ "children": [
1525
+ {
1526
+ "id": "weak_password_policy",
1527
+ "name": "Weak Password Policy",
1528
+ "type": "subcategory",
1529
+ "priority": 5
1530
+ },
1531
+ {
1532
+ "id": "no_password_policy",
1533
+ "name": "No Password Policy",
1534
+ "type": "subcategory",
1535
+ "priority": 4
1536
+ },
1537
+ {
1538
+ "id": "password_policy_bypass",
1539
+ "name": "Password Policy Bypass",
1540
+ "type": "subcategory",
1541
+ "priority": 5
1542
+ },
1543
+ {
1544
+ "id": "weak_password_reset_implementation",
1545
+ "name": "Weak Password Reset Implementation",
1546
+ "type": "subcategory",
1547
+ "children": [
1548
+ {
1549
+ "id": "token_is_not_invalidated_after_use",
1550
+ "name": "Token is Not Invalidated After Use",
1551
+ "type": "variant",
1552
+ "priority": 4
1553
+ },
1554
+ {
1555
+ "id": "token_is_not_invalidated_after_email_change",
1556
+ "name": "Token is Not Invalidated After Email Change",
1557
+ "type": "variant",
1558
+ "priority": 5
1559
+ },
1560
+ {
1561
+ "id": "token_is_not_invalidated_after_password_change",
1562
+ "name": "Token is Not Invalidated After Password Change",
1563
+ "type": "variant",
1564
+ "priority": 5
1565
+ },
1566
+ {
1567
+ "id": "token_has_long_timed_expiry",
1568
+ "name": "Token Has Long Timed Expiry",
1569
+ "type": "variant",
1570
+ "priority": 5
1571
+ },
1572
+ {
1573
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1574
+ "name": "Token is Not Invalidated After New Token is Requested",
1575
+ "type": "variant",
1576
+ "priority": 5
1577
+ },
1578
+ {
1579
+ "id": "token_is_not_invalidated_after_login",
1580
+ "name": "Token is Not Invalidated After Login",
1581
+ "type": "variant",
1582
+ "priority": 5
1583
+ }
1584
+ ]
1585
+ },
1586
+ {
1587
+ "id": "verification_of_contact_method_not_required",
1588
+ "name": "Verification of Contact Method not Required",
1589
+ "type": "subcategory",
1590
+ "priority": 5
1591
+ },
1592
+ {
1593
+ "id": "lack_of_notification_email",
1594
+ "name": "Lack of Notification Email",
1595
+ "type": "subcategory",
1596
+ "priority": 5
1597
+ },
1598
+ {
1599
+ "id": "weak_registration_implementation",
1600
+ "name": "Weak Registration Implementation",
1601
+ "type": "subcategory",
1602
+ "children": [
1603
+ {
1604
+ "id": "allows_disposable_email_addresses",
1605
+ "name": "Allows Disposable Email Addresses",
1606
+ "type": "variant",
1607
+ "priority": 5
1608
+ }
1609
+ ]
1610
+ },
1611
+ {
1612
+ "id": "weak_two_fa_implementation",
1613
+ "name": "Weak 2FA Implementation",
1614
+ "type": "subcategory",
1615
+ "children": [
1616
+ {
1617
+ "id": "two_fa_secret_cannot_be_rotated",
1618
+ "name": "2FA Secret Cannot be Rotated",
1619
+ "type": "variant",
1620
+ "priority": 4
1621
+ },
1622
+ {
1623
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1624
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1625
+ "type": "variant",
1626
+ "priority": 4
1627
+ },
1628
+ {
1629
+ "id": "missing_failsafe",
1630
+ "name": "Missing Failsafe",
1631
+ "type": "variant",
1632
+ "priority": 5
1633
+ },
1634
+ {
1635
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1636
+ "name": "2FA Code is Not Updated After New Code is Requested",
1637
+ "type": "variant",
1638
+ "priority": 5
1639
+ },
1640
+ {
1641
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1642
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1643
+ "type": "variant",
1644
+ "priority": 5
1645
+ }
1646
+ ]
1647
+ }
1648
+ ]
1649
+ },
1650
+ {
1651
+ "id": "using_components_with_known_vulnerabilities",
1652
+ "name": "Using Components with Known Vulnerabilities",
1653
+ "type": "category",
1654
+ "children": [
1655
+ {
1656
+ "id": "rosetta_flash",
1657
+ "name": "Rosetta Flash",
1658
+ "type": "subcategory",
1659
+ "priority": 5
1660
+ },
1661
+ {
1662
+ "id": "outdated_software_version",
1663
+ "name": "Outdated Software Version",
1664
+ "type": "subcategory",
1665
+ "priority": 5
1666
+ },
1667
+ {
1668
+ "id": "captcha_bypass",
1669
+ "name": "Captcha Bypass",
1670
+ "type": "subcategory",
1671
+ "children": [
1672
+ {
1673
+ "id": "ocr_optical_character_recognition",
1674
+ "name": "OCR (Optical Character Recognition)",
1675
+ "type": "variant",
1676
+ "priority": 5
1677
+ }
1678
+ ]
1679
+ }
1680
+ ]
1681
+ },
1682
+ {
1683
+ "id": "insecure_data_storage",
1684
+ "name": "Insecure Data Storage",
1685
+ "type": "category",
1686
+ "children": [
1687
+ {
1688
+ "id": "sensitive_application_data_stored_unencrypted",
1689
+ "name": "Sensitive Application Data Stored Unencrypted",
1690
+ "type": "subcategory",
1691
+ "children": [
1692
+ {
1693
+ "id": "on_external_storage",
1694
+ "name": "On External Storage",
1695
+ "type": "variant",
1696
+ "priority": 4
1697
+ },
1698
+ {
1699
+ "id": "on_internal_storage",
1700
+ "name": "On Internal Storage",
1701
+ "type": "variant",
1702
+ "priority": 5
1703
+ }
1704
+ ]
1705
+ },
1706
+ {
1707
+ "id": "server_side_credentials_storage",
1708
+ "name": "Server-Side Credentials Storage",
1709
+ "type": "subcategory",
1710
+ "children": [
1711
+ {
1712
+ "id": "plaintext",
1713
+ "name": "Plaintext",
1714
+ "type": "variant",
1715
+ "priority": 4
1716
+ }
1717
+ ]
1718
+ },
1719
+ {
1720
+ "id": "non_sensitive_application_data_stored_unencrypted",
1721
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1722
+ "type": "subcategory",
1723
+ "priority": 5
1724
+ },
1725
+ {
1726
+ "id": "screen_caching_enabled",
1727
+ "name": "Screen Caching Enabled",
1728
+ "type": "subcategory",
1729
+ "priority": 5
1730
+ }
1731
+ ]
1732
+ },
1733
+ {
1734
+ "id": "lack_of_binary_hardening",
1735
+ "name": "Lack of Binary Hardening",
1736
+ "type": "category",
1737
+ "children": [
1738
+ {
1739
+ "id": "lack_of_exploit_mitigations",
1740
+ "name": "Lack of Exploit Mitigations",
1741
+ "type": "subcategory",
1742
+ "priority": 5
1743
+ },
1744
+ {
1745
+ "id": "lack_of_jailbreak_detection",
1746
+ "name": "Lack of Jailbreak Detection",
1747
+ "type": "subcategory",
1748
+ "priority": 5
1749
+ },
1750
+ {
1751
+ "id": "lack_of_obfuscation",
1752
+ "name": "Lack of Obfuscation",
1753
+ "type": "subcategory",
1754
+ "priority": 5
1755
+ },
1756
+ {
1757
+ "id": "runtime_instrumentation_based",
1758
+ "name": "Runtime Instrumentation-Based",
1759
+ "type": "subcategory",
1760
+ "priority": 5
1761
+ }
1762
+ ]
1763
+ },
1764
+ {
1765
+ "id": "insecure_data_transport",
1766
+ "name": "Insecure Data Transport",
1767
+ "type": "category",
1768
+ "children": [
1769
+ {
1770
+ "id": "cleartext_transmission_of_sensitive_data",
1771
+ "name": "Cleartext Transmission of Sensitive Data",
1772
+ "type": "subcategory",
1773
+ "priority": null
1774
+ },
1775
+ {
1776
+ "id": "executable_download",
1777
+ "name": "Executable Download",
1778
+ "type": "subcategory",
1779
+ "children": [
1780
+ {
1781
+ "id": "no_secure_integrity_check",
1782
+ "name": "No Secure Integrity Check",
1783
+ "type": "variant",
1784
+ "priority": 4
1785
+ },
1786
+ {
1787
+ "id": "secure_integrity_check",
1788
+ "name": "Secure Integrity Check",
1789
+ "type": "variant",
1790
+ "priority": 5
1791
+ }
1792
+ ]
1793
+ }
1794
+ ]
1795
+ },
1796
+ {
1797
+ "id": "insecure_os_firmware",
1798
+ "name": "Insecure OS/Firmware",
1799
+ "type": "category",
1800
+ "children": [
1801
+ {
1802
+ "id": "command_injection",
1803
+ "name": "Command Injection",
1804
+ "type": "subcategory",
1805
+ "priority": 1
1806
+ },
1807
+ {
1808
+ "id": "hardcoded_password",
1809
+ "name": "Hardcoded Password",
1810
+ "type": "subcategory",
1811
+ "children": [
1812
+ {
1813
+ "id": "privileged_user",
1814
+ "name": "Privileged User",
1815
+ "type": "variant",
1816
+ "priority": 1
1817
+ },
1818
+ {
1819
+ "id": "non_privileged_user",
1820
+ "name": "Non-Privileged User",
1821
+ "type": "variant",
1822
+ "priority": 2
1823
+ }
1824
+ ]
1825
+ }
1826
+ ]
1827
+ },
1828
+ {
1829
+ "id": "cryptographic_weakness",
1830
+ "name": "Cryptographic Weakness",
1831
+ "type": "category",
1832
+ "children": [
1833
+ {
1834
+ "id": "insufficient_entropy",
1835
+ "name": "Insufficient Entropy",
1836
+ "type": "subcategory",
1837
+ "children": [
1838
+ {
1839
+ "id": "limited_rng_entropy_source",
1840
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
1841
+ "type": "variant",
1842
+ "priority": 4
1843
+ },
1844
+ {
1845
+ "id": "use_of_trng_for_nonsecurity_purpose",
1846
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
1847
+ "type": "variant",
1848
+ "priority": 5
1849
+ },
1850
+ {
1851
+ "id": "prng_seed_reuse",
1852
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
1853
+ "type": "variant",
1854
+ "priority": 5
1855
+ },
1856
+ {
1857
+ "id": "predictable_prng_seed",
1858
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
1859
+ "type": "variant",
1860
+ "priority": 4
1861
+ },
1862
+ {
1863
+ "id": "small_seed_space_in_prng",
1864
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
1865
+ "type": "variant",
1866
+ "priority": 4
1867
+ },
1868
+ {
1869
+ "id": "initialization_vector_reuse",
1870
+ "name": "Initialization Vector (IV) Reuse",
1871
+ "type": "variant",
1872
+ "priority": 5
1873
+ },
1874
+ {
1875
+ "id": "predictable_initialization_vector",
1876
+ "name": "Predictable Initialization Vector (IV)",
1877
+ "type": "variant",
1878
+ "priority": 4
1879
+ }
1880
+ ]
1881
+ },
1882
+ {
1883
+ "id": "insecure_implementation",
1884
+ "name": "Insecure Implementation",
1885
+ "type": "subcategory",
1886
+ "children": [
1887
+ {
1888
+ "id": "missing_cryptographic_step",
1889
+ "name": "Missing Cryptographic Step",
1890
+ "type": "variant",
1891
+ "priority": null
1892
+ },
1893
+ {
1894
+ "id": "improper_following_of_specification",
1895
+ "name": "Improper Following of Specification (Other)",
1896
+ "type": "variant",
1897
+ "priority": null
1898
+ }
1899
+ ]
1900
+ },
1901
+ {
1902
+ "id": "weak_hash",
1903
+ "name": "Weak Hash",
1904
+ "type": "subcategory",
1905
+ "children": [
1906
+ {
1907
+ "id": "lack_of_salt",
1908
+ "name": "Lack of Salt",
1909
+ "type": "variant",
1910
+ "priority": null
1911
+ },
1912
+ {
1913
+ "id": "use_of_predictable_salt",
1914
+ "name": "Use of Predictable Salt",
1915
+ "type": "variant",
1916
+ "priority": 5
1917
+ },
1918
+ {
1919
+ "id": "predictable_hash_collision",
1920
+ "name": "Predictable Hash Collision",
1921
+ "type": "variant",
1922
+ "priority": null
1923
+ }
1924
+ ]
1925
+ },
1926
+ {
1927
+ "id": "insufficient_verification_of_data_authenticity",
1928
+ "name": "Insufficient Verification of Data Authenticity",
1929
+ "type": "subcategory",
1930
+ "children": [
1931
+ {
1932
+ "id": "identity_check_value",
1933
+ "name": "Integrity Check Value (ICV)",
1934
+ "type": "variant",
1935
+ "priority": 4
1936
+ },
1937
+ {
1938
+ "id": "cryptographic_signature",
1939
+ "name": "Cryptographic Signature",
1940
+ "type": "variant",
1941
+ "priority": null
1942
+ }
1943
+ ]
1944
+ },
1945
+ {
1946
+ "id": "insecure_key_generation",
1947
+ "name": "Insecure Key Generation",
1948
+ "type": "subcategory",
1949
+ "children": [
1950
+ {
1951
+ "id": "improper_asymmetric_prime_selection",
1952
+ "name": "Improper Asymmetric Prime Selection",
1953
+ "type": "variant",
1954
+ "priority": null
1955
+ },
1956
+ {
1957
+ "id": "improper_asymmetric_exponent_selection",
1958
+ "name": "Improper Asymmetric Exponent Selection",
1959
+ "type": "variant",
1960
+ "priority": null
1961
+ },
1962
+ {
1963
+ "id": "insufficient_key_stretching",
1964
+ "name": "Insufficient Key Stretching",
1965
+ "type": "variant",
1966
+ "priority": null
1967
+ },
1968
+ {
1969
+ "id": "insufficient_key_space",
1970
+ "name": "Insufficient Key Space",
1971
+ "type": "variant",
1972
+ "priority": 3
1973
+ },
1974
+ {
1975
+ "id": "key_exchange_without_entity_authentication",
1976
+ "name": "Key Exchage Without Entity Authentication",
1977
+ "type": "variant",
1978
+ "priority": 4
1979
+ }
1980
+ ]
1981
+ },
1982
+ {
1983
+ "id": "key_reuse",
1984
+ "name": "Key Reuse",
1985
+ "type": "subcategory",
1986
+ "children": [
1987
+ {
1988
+ "id": "lack_of_perfect_forward_secrecy",
1989
+ "name": "Lack of Perfect Forward Secrecy",
1990
+ "type": "variant",
1991
+ "priority": 4
1992
+ },
1993
+ {
1994
+ "id": "intra_environment",
1995
+ "name": "Intra-Environment",
1996
+ "type": "variant",
1997
+ "priority": 5
1998
+ },
1999
+ {
2000
+ "id": "inter_environment",
2001
+ "name": "Inter-Environment",
2002
+ "type": "variant",
2003
+ "priority": 2
2004
+ }
2005
+ ]
2006
+ },
2007
+ {
2008
+ "id": "broken_cryptography",
2009
+ "name": "Broken Cryptography",
2010
+ "type": "subcategory",
2011
+ "children": [
2012
+ {
2013
+ "id": "use_of_broken_cryptographic_primitive",
2014
+ "name": "Use of Broken Cryptographic Primitive",
2015
+ "type": "variant",
2016
+ "priority": 3
2017
+ },
2018
+ {
2019
+ "id": "use_of_vulnerable_cryptographic_library",
2020
+ "name": "Use of Vulnerable Cryptographic Library",
2021
+ "type": "variant",
2022
+ "priority": 4
2023
+ }
2024
+ ]
2025
+ },
2026
+ {
2027
+ "id": "side_channel_attack",
2028
+ "name": "Side-Channel Attack",
2029
+ "type": "subcategory",
2030
+ "children": [
2031
+ {
2032
+ "id": "padding_oracle_attack",
2033
+ "name": "Padding Oracle Attack",
2034
+ "type": "variant",
2035
+ "priority": 4
2036
+ },
2037
+ {
2038
+ "id": "timing_attack",
2039
+ "name": "Timing Attack",
2040
+ "type": "variant",
2041
+ "priority": 4
2042
+ },
2043
+ {
2044
+ "id": "power_analysis_attack",
2045
+ "name": "Power Analysis Attack",
2046
+ "type": "variant",
2047
+ "priority": 5
2048
+ },
2049
+ {
2050
+ "id": "emanations_attack",
2051
+ "name": "Emanations Attack",
2052
+ "type": "variant",
2053
+ "priority": 5
2054
+ },
2055
+ {
2056
+ "id": "differential_fault_analysis",
2057
+ "name": "Differential Fault Analysis",
2058
+ "type": "variant",
2059
+ "priority": null
2060
+ }
2061
+ ]
2062
+ },
2063
+ {
2064
+ "id": "use_of_expired_cryptographic_key_or_cert",
2065
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
2066
+ "type": "subcategory",
2067
+ "priority": 4
2068
+ },
2069
+ {
2070
+ "id": "incomplete_cleanup_of_keying_material",
2071
+ "name": "Incomplete Cleanup of Keying Material",
2072
+ "type": "subcategory",
2073
+ "priority": 5
2074
+ }
2075
+ ]
2076
+ },
2077
+ {
2078
+ "id": "privacy_concerns",
2079
+ "name": "Privacy Concerns",
2080
+ "type": "category",
2081
+ "children": [
2082
+ {
2083
+ "id": "unnecessary_data_collection",
2084
+ "name": "Unnecessary Data Collection",
2085
+ "type": "subcategory",
2086
+ "children": [
2087
+ {
2088
+ "id": "wifi_ssid_password",
2089
+ "name": "WiFi SSID+Password",
2090
+ "type": "variant",
2091
+ "priority": 4
2092
+ }
2093
+ ]
2094
+ }
2095
+ ]
2096
+ },
2097
+ {
2098
+ "id": "network_security_misconfiguration",
2099
+ "name": "Network Security Misconfiguration",
2100
+ "type": "category",
2101
+ "children": [
2102
+ {
2103
+ "id": "telnet_enabled",
2104
+ "name": "Telnet Enabled",
2105
+ "type": "subcategory",
2106
+ "priority": 5
2107
+ }
2108
+ ]
2109
+ },
2110
+ {
2111
+ "id": "mobile_security_misconfiguration",
2112
+ "name": "Mobile Security Misconfiguration",
2113
+ "type": "category",
2114
+ "children": [
2115
+ {
2116
+ "id": "ssl_certificate_pinning",
2117
+ "name": "SSL Certificate Pinning",
2118
+ "type": "subcategory",
2119
+ "children": [
2120
+ {
2121
+ "id": "absent",
2122
+ "name": "Absent",
2123
+ "type": "variant",
2124
+ "priority": 5
2125
+ },
2126
+ {
2127
+ "id": "defeatable",
2128
+ "name": "Defeatable",
2129
+ "type": "variant",
2130
+ "priority": 5
2131
+ }
2132
+ ]
2133
+ },
2134
+ {
2135
+ "id": "tapjacking",
2136
+ "name": "Tapjacking",
2137
+ "type": "subcategory",
2138
+ "priority": 5
2139
+ },
2140
+ {
2141
+ "id": "clipboard_enabled",
2142
+ "name": "Clipboard Enabled",
2143
+ "type": "subcategory",
2144
+ "priority": 5
2145
+ },
2146
+ {
2147
+ "id": "auto_backup_allowed_by_default",
2148
+ "name": "Auto Backup Allowed by Default",
2149
+ "type": "subcategory",
2150
+ "priority": 5
2151
+ }
2152
+ ]
2153
+ },
2154
+ {
2155
+ "id": "client_side_injection",
2156
+ "name": "Client-Side Injection",
2157
+ "type": "category",
2158
+ "children": [
2159
+ {
2160
+ "id": "binary_planting",
2161
+ "name": "Binary Planting",
2162
+ "type": "subcategory",
2163
+ "children": [
2164
+ {
2165
+ "id": "privilege_escalation",
2166
+ "name": "Default Folder Privilege Escalation",
2167
+ "type": "variant",
2168
+ "priority": 3
2169
+ },
2170
+ {
2171
+ "id": "non_default_folder_privilege_escalation",
2172
+ "name": "Non-Default Folder Privilege Escalation",
2173
+ "type": "variant",
2174
+ "priority": 5
2175
+ },
2176
+ {
2177
+ "id": "no_privilege_escalation",
2178
+ "name": "No Privilege Escalation",
2179
+ "type": "variant",
2180
+ "priority": 5
2181
+ }
2182
+ ]
2183
+ }
2184
+ ]
2185
+ },
2186
+ {
2187
+ "id": "automotive_security_misconfiguration",
2188
+ "name": "Automotive Security Misconfiguration",
2189
+ "type": "category",
2190
+ "children": [
2191
+ {
2192
+ "id": "infotainment_radio_head_unit",
2193
+ "name": "Infotainment, Radio Head Unit",
2194
+ "type": "subcategory",
2195
+ "children": [
2196
+ {
2197
+ "id": "sensitive_data_leakage_exposure",
2198
+ "name": "Sensitive data Leakage/Exposure",
2199
+ "type": "variant",
2200
+ "priority": 1
2201
+ },
2202
+ {
2203
+ "id": "ota_firmware_manipulation",
2204
+ "name": "OTA Firmware Manipulation",
2205
+ "type": "variant",
2206
+ "priority": 2
2207
+ },
2208
+ {
2209
+ "id": "code_execution_can_bus_pivot",
2210
+ "name": "Code Execution (CAN Bus Pivot)",
2211
+ "type": "variant",
2212
+ "priority": 2
2213
+ },
2214
+ {
2215
+ "id": "code_execution_no_can_bus_pivot",
2216
+ "name": "Code Execution (No CAN Bus Pivot)",
2217
+ "type": "variant",
2218
+ "priority": 3
2219
+ },
2220
+ {
2221
+ "id": "unauthorized_access_to_services",
2222
+ "name": "Unauthorized Access to Services (API / Endpoints)",
2223
+ "type": "variant",
2224
+ "priority": 3
2225
+ },
2226
+ {
2227
+ "id": "source_code_dump",
2228
+ "name": "Source Code Dump",
2229
+ "type": "variant",
2230
+ "priority": 4
2231
+ },
2232
+ {
2233
+ "id": "dos_brick",
2234
+ "name": "Denial of Service (DoS / Brick)",
2235
+ "type": "variant",
2236
+ "priority": 4
2237
+ },
2238
+ {
2239
+ "id": "default_credentials",
2240
+ "name": "Default Credentials",
2241
+ "type": "variant",
2242
+ "priority": 4
2243
+ }
2244
+ ]
2245
+ },
2246
+ {
2247
+ "id": "rf_hub",
2248
+ "name": "RF Hub",
2249
+ "type": "subcategory",
2250
+ "children": [
2251
+ {
2252
+ "id": "key_fob_cloning",
2253
+ "name": "Key Fob Cloning",
2254
+ "type": "variant",
2255
+ "priority": 1
2256
+ },
2257
+ {
2258
+ "id": "can_injection_interaction",
2259
+ "name": "CAN Injection / Interaction",
2260
+ "type": "variant",
2261
+ "priority": 2
2262
+ },
2263
+ {
2264
+ "id": "data_leakage_pull_encryption_mechanism",
2265
+ "name": "Data Leakage / Pull Encryption Mechanism",
2266
+ "type": "variant",
2267
+ "priority": 3
2268
+ },
2269
+ {
2270
+ "id": "unauthorized_access_turn_on",
2271
+ "name": "Unauthorized Access / Turn On",
2272
+ "type": "variant",
2273
+ "priority": 4
2274
+ },
2275
+ {
2276
+ "id": "roll_jam",
2277
+ "name": "Roll Jam",
2278
+ "type": "variant",
2279
+ "priority": 5
2280
+ },
2281
+ {
2282
+ "id": "replay",
2283
+ "name": "Replay",
2284
+ "type": "variant",
2285
+ "priority": 5
2286
+ },
2287
+ {
2288
+ "id": "relay",
2289
+ "name": "Relay",
2290
+ "type": "variant",
2291
+ "priority": 5
2292
+ }
2293
+ ]
2294
+ },
2295
+ {
2296
+ "id": "can",
2297
+ "name": "CAN",
2298
+ "type": "subcategory",
2299
+ "children": [
2300
+ {
2301
+ "id": "injection_battery_management_system",
2302
+ "name": "Injection (Battery Management System)",
2303
+ "type": "variant",
2304
+ "priority": 3
2305
+ },
2306
+ {
2307
+ "id": "injection_steering_control",
2308
+ "name": "Injection (Steering Control)",
2309
+ "type": "variant",
2310
+ "priority": 3
2311
+ },
2312
+ {
2313
+ "id": "injection_pyrotechnical_device_deployment_tool",
2314
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
2315
+ "type": "variant",
2316
+ "priority": 3
2317
+ },
2318
+ {
2319
+ "id": "injection_headlights",
2320
+ "name": "Injection (Headlights)",
2321
+ "type": "variant",
2322
+ "priority": 3
2323
+ },
2324
+ {
2325
+ "id": "injection_sensors",
2326
+ "name": "Injection (Sensors)",
2327
+ "type": "variant",
2328
+ "priority": 3
2329
+ },
2330
+ {
2331
+ "id": "injection_vehicle_anti_theft_systems",
2332
+ "name": "Injection (Vehicle Anti-theft Systems)",
2333
+ "type": "variant",
2334
+ "priority": 3
2335
+ },
2336
+ {
2337
+ "id": "injection_powertrain",
2338
+ "name": "Injection (Powertrain)",
2339
+ "type": "variant",
2340
+ "priority": 3
2341
+ },
2342
+ {
2343
+ "id": "injection_basic_safety_message",
2344
+ "name": "Injection (Basic Safety Message)",
2345
+ "type": "variant",
2346
+ "priority": 3
2347
+ },
2348
+ {
2349
+ "id": "injection_disallowed_messages",
2350
+ "name": "Injection (Disallowed Messages)",
2351
+ "type": "variant",
2352
+ "priority": 4
2353
+ },
2354
+ {
2355
+ "id": "injection_dos",
2356
+ "name": "Injection (DoS)",
2357
+ "type": "variant",
2358
+ "priority": 4
2359
+ }
2360
+ ]
2361
+ },
2362
+ {
2363
+ "id": "battery_management_system",
2364
+ "name": "Battery Management System",
2365
+ "type": "subcategory",
2366
+ "children": [
2367
+ {
2368
+ "id": "firmware_dump",
2369
+ "name": "Firmware Dump",
2370
+ "type": "variant",
2371
+ "priority": 3
2372
+ },
2373
+ {
2374
+ "id": "fraudulent_interface",
2375
+ "name": "Fraudulent Interface",
2376
+ "type": "variant",
2377
+ "priority": 4
2378
+ }
2379
+ ]
2380
+ },
2381
+ {
2382
+ "id": "gnss_gps",
2383
+ "name": "GNSS / GPS",
2384
+ "type": "subcategory",
2385
+ "children": [
2386
+ {
2387
+ "id": "spoofing",
2388
+ "name": "Spoofing",
2389
+ "type": "variant",
2390
+ "priority": 4
2391
+ }
2392
+ ]
2393
+ },
2394
+ {
2395
+ "id": "immobilizer",
2396
+ "name": "Immobilizer",
2397
+ "type": "subcategory",
2398
+ "children": [
2399
+ {
2400
+ "id": "engine_start",
2401
+ "name": "Engine Start",
2402
+ "type": "variant",
2403
+ "priority": 3
2404
+ }
2405
+ ]
2406
+ },
2407
+ {
2408
+ "id": "abs",
2409
+ "name": "Automatic Braking System (ABS)",
2410
+ "type": "subcategory",
2411
+ "children": [
2412
+ {
2413
+ "id": "unintended_acceleration_brake",
2414
+ "name": "Unintended Acceleration / Brake",
2415
+ "type": "variant",
2416
+ "priority": 3
2417
+ }
2418
+ ]
2419
+ },
2420
+ {
2421
+ "id": "rsu",
2422
+ "name": "Roadside Unit (RSU)",
2423
+ "type": "subcategory",
2424
+ "children": [
2425
+ {
2426
+ "id": "sybil_attack",
2427
+ "name": "Sybil Attack",
2428
+ "type": "variant",
2429
+ "priority": 4
2430
+ }
2431
+ ]
2432
+ }
2433
+ ]
2434
+ },
2435
+ {
2436
+ "id": "indicators_of_compromise",
2437
+ "name": "Indicators of Compromise",
2438
+ "type": "category",
2439
+ "priority": null
2440
+ }
2441
+ ]
2442
+ }