vrt 0.11.0 → 0.12.5

Sign up to get free protection for your applications and to get access to all the features.
Files changed (27) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.11/deprecated-node-mapping.json +236 -0
  3. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.json +1250 -0
  4. data/lib/data/1.11/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.11/mappings/cwe/cwe.json +664 -0
  6. data/lib/data/1.11/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.json +1811 -0
  8. data/lib/data/1.11/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.11/third-party-mappings/remediation_training/secure-code-warrior-links.json +392 -0
  10. data/lib/data/1.11/vrt.schema.json +63 -0
  11. data/lib/data/1.11/vulnerability-rating-taxonomy.json +2442 -0
  12. data/lib/data/1.12/deprecated-node-mapping.json +236 -0
  13. data/lib/data/1.12/mappings/cvss_v3/cvss_v3.json +1280 -0
  14. data/lib/data/1.12/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.12/mappings/cwe/cwe.json +668 -0
  16. data/lib/data/1.12/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.12/mappings/remediation_advice/remediation_advice.json +1850 -0
  18. data/lib/data/1.12/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.12/third-party-mappings/remediation_training/secure-code-warrior-links.json +400 -0
  20. data/lib/data/1.12/vrt.schema.json +63 -0
  21. data/lib/data/1.12/vulnerability-rating-taxonomy.json +2493 -0
  22. data/lib/vrt/mapping.rb +12 -6
  23. data/lib/vrt/node.rb +4 -0
  24. data/lib/vrt/third_party_links.rb +33 -0
  25. data/lib/vrt/version.rb +1 -1
  26. data/lib/vrt.rb +8 -0
  27. metadata +28 -7
@@ -0,0 +1,2442 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2023-11-20T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "server_side_request_forgery_ssrf",
13
+ "name": "Server-Side Request Forgery (SSRF)",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "internal_high_impact",
18
+ "name": "Internal High Impact",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "internal_scan_and_or_medium_impact",
24
+ "name": "Internal Scan and/or Medium Impact",
25
+ "type": "variant",
26
+ "priority": 3
27
+ },
28
+ {
29
+ "id": "external_low_impact",
30
+ "name": "External - Low impact",
31
+ "type": "variant",
32
+ "priority": 5
33
+ },
34
+ {
35
+ "id": "external_dns_query_only",
36
+ "name": "External - DNS Query Only",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "unsafe_cross_origin_resource_sharing",
44
+ "name": "Unsafe Cross-Origin Resource Sharing",
45
+ "type": "subcategory",
46
+ "priority": null
47
+ },
48
+ {
49
+ "id": "request_smuggling",
50
+ "name": "HTTP Request Smuggling",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "path_traversal",
56
+ "name": "Path Traversal",
57
+ "type": "subcategory",
58
+ "priority": null
59
+ },
60
+ {
61
+ "id": "directory_listing_enabled",
62
+ "name": "Directory Listing Enabled",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "sensitive_data_exposure",
67
+ "name": "Sensitive Data Exposure",
68
+ "type": "variant",
69
+ "priority": null
70
+ },
71
+ {
72
+ "id": "non_sensitive_data_exposure",
73
+ "name": "Non-Sensitive Data Exposure",
74
+ "type": "variant",
75
+ "priority": 5
76
+ }
77
+ ]
78
+ },
79
+ {
80
+ "id": "same_site_scripting",
81
+ "name": "Same-Site Scripting",
82
+ "type": "subcategory",
83
+ "priority": 5
84
+ },
85
+ {
86
+ "id": "ssl_attack_breach_poodle_etc",
87
+ "name": "SSL Attack (BREACH, POODLE etc.)",
88
+ "type": "subcategory",
89
+ "priority": null
90
+ },
91
+ {
92
+ "id": "using_default_credentials",
93
+ "name": "Using Default Credentials",
94
+ "type": "subcategory",
95
+ "priority": 1
96
+ },
97
+ {
98
+ "id": "misconfigured_dns",
99
+ "name": "Misconfigured DNS",
100
+ "type": "subcategory",
101
+ "children": [
102
+ {
103
+ "id": "basic_subdomain_takeover",
104
+ "name": "Basic Subdomain Takeover",
105
+ "type": "variant",
106
+ "priority": 3
107
+ },
108
+ {
109
+ "id": "high_impact_subdomain_takeover",
110
+ "name": "High Impact Subdomain Takeover",
111
+ "type": "variant",
112
+ "priority": 2
113
+ },
114
+ {
115
+ "id": "zone_transfer",
116
+ "name": "Zone Transfer",
117
+ "type": "variant",
118
+ "priority": 4
119
+ },
120
+ {
121
+ "id": "missing_caa_record",
122
+ "name": "Missing Certification Authority Authorization (CAA) Record",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "mail_server_misconfiguration",
130
+ "name": "Mail Server Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "no_spoofing_protection_on_email_domain",
135
+ "name": "No Spoofing Protection on Email Domain",
136
+ "type": "variant",
137
+ "priority": 3
138
+ },
139
+ {
140
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
141
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
142
+ "type": "variant",
143
+ "priority": 4
144
+ },
145
+ {
146
+ "id": "email_spoofing_to_spam_folder",
147
+ "name": "Email Spoofing to Spam Folder",
148
+ "type": "variant",
149
+ "priority": 5
150
+ },
151
+ {
152
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
153
+ "name": "Missing or Misconfigured SPF and/or DKIM",
154
+ "type": "variant",
155
+ "priority": 5
156
+ },
157
+ {
158
+ "id": "email_spoofing_on_non_email_domain",
159
+ "name": "Email Spoofing on Non-Email Domain",
160
+ "type": "variant",
161
+ "priority": 5
162
+ }
163
+ ]
164
+ },
165
+ {
166
+ "id": "dbms_misconfiguration",
167
+ "name": "Database Management System (DBMS) Misconfiguration",
168
+ "type": "subcategory",
169
+ "children": [
170
+ {
171
+ "id": "excessively_privileged_user_dba",
172
+ "name": "Excessively Privileged User / DBA",
173
+ "type": "variant",
174
+ "priority": 4
175
+ }
176
+ ]
177
+ },
178
+ {
179
+ "id": "lack_of_password_confirmation",
180
+ "name": "Lack of Password Confirmation",
181
+ "type": "subcategory",
182
+ "children": [
183
+ {
184
+ "id": "change_email_address",
185
+ "name": "Change Email Address",
186
+ "type": "variant",
187
+ "priority": 5
188
+ },
189
+ {
190
+ "id": "change_password",
191
+ "name": "Change Password",
192
+ "type": "variant",
193
+ "priority": 5
194
+ },
195
+ {
196
+ "id": "delete_account",
197
+ "name": "Delete Account",
198
+ "type": "variant",
199
+ "priority": 4
200
+ },
201
+ {
202
+ "id": "manage_two_fa",
203
+ "name": "Manage 2FA",
204
+ "type": "variant",
205
+ "priority": 5
206
+ }
207
+ ]
208
+ },
209
+ {
210
+ "id": "no_rate_limiting_on_form",
211
+ "name": "No Rate Limiting on Form",
212
+ "type": "subcategory",
213
+ "children": [
214
+ {
215
+ "id": "registration",
216
+ "name": "Registration",
217
+ "type": "variant",
218
+ "priority": 4
219
+ },
220
+ {
221
+ "id": "login",
222
+ "name": "Login",
223
+ "type": "variant",
224
+ "priority": 4
225
+ },
226
+ {
227
+ "id": "email_triggering",
228
+ "name": "Email-Triggering",
229
+ "type": "variant",
230
+ "priority": 4
231
+ },
232
+ {
233
+ "id": "sms_triggering",
234
+ "name": "SMS-Triggering",
235
+ "type": "variant",
236
+ "priority": 4
237
+ },
238
+ {
239
+ "id": "change_password",
240
+ "name": "Change Password",
241
+ "type": "variant",
242
+ "priority": 5
243
+ }
244
+ ]
245
+ },
246
+ {
247
+ "id": "unsafe_file_upload",
248
+ "name": "Unsafe File Upload",
249
+ "type": "subcategory",
250
+ "children": [
251
+ {
252
+ "id": "no_antivirus",
253
+ "name": "No Antivirus",
254
+ "type": "variant",
255
+ "priority": 5
256
+ },
257
+ {
258
+ "id": "no_size_limit",
259
+ "name": "No Size Limit",
260
+ "type": "variant",
261
+ "priority": 5
262
+ },
263
+ {
264
+ "id": "file_extension_filter_bypass",
265
+ "name": "File Extension Filter Bypass",
266
+ "type": "variant",
267
+ "priority": 5
268
+ }
269
+ ]
270
+ },
271
+ {
272
+ "id": "cookie_scoped_to_parent_domain",
273
+ "name": "Cookie Scoped to Parent Domain",
274
+ "type": "subcategory",
275
+ "priority": 5
276
+ },
277
+ {
278
+ "id": "missing_secure_or_httponly_cookie_flag",
279
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
280
+ "type": "subcategory",
281
+ "children": [
282
+ {
283
+ "id": "session_token",
284
+ "name": "Session Token",
285
+ "type": "variant",
286
+ "priority": 4
287
+ },
288
+ {
289
+ "id": "non_session_cookie",
290
+ "name": "Non-Session Cookie",
291
+ "type": "variant",
292
+ "priority": 5
293
+ }
294
+ ]
295
+ },
296
+ {
297
+ "id": "clickjacking",
298
+ "name": "Clickjacking",
299
+ "type": "subcategory",
300
+ "children": [
301
+ {
302
+ "id": "sensitive_action",
303
+ "name": "Sensitive Click-Based Action",
304
+ "type": "variant",
305
+ "priority": 4
306
+ },
307
+ {
308
+ "id": "form_input",
309
+ "name": "Form Input",
310
+ "type": "variant",
311
+ "priority": 5
312
+ },
313
+ {
314
+ "id": "non_sensitive_action",
315
+ "name": "Non-Sensitive Action",
316
+ "type": "variant",
317
+ "priority": 5
318
+ }
319
+ ]
320
+ },
321
+ {
322
+ "id": "oauth_misconfiguration",
323
+ "name": "OAuth Misconfiguration",
324
+ "type": "subcategory",
325
+ "children": [
326
+ {
327
+ "id": "account_takeover",
328
+ "name": "Account Takeover",
329
+ "type": "variant",
330
+ "priority": 2
331
+ },
332
+ {
333
+ "id": "account_squatting",
334
+ "name": "Account Squatting",
335
+ "type": "variant",
336
+ "priority": 4
337
+ },
338
+ {
339
+ "id": "missing_state_parameter",
340
+ "name": "Missing/Broken State Parameter",
341
+ "type": "variant",
342
+ "priority": null
343
+ },
344
+ {
345
+ "id": "insecure_redirect_uri",
346
+ "name": "Insecure Redirect URI",
347
+ "type": "variant",
348
+ "priority": null
349
+ }
350
+ ]
351
+ },
352
+ {
353
+ "id": "captcha",
354
+ "name": "CAPTCHA",
355
+ "type": "subcategory",
356
+ "children": [
357
+ {
358
+ "id": "implementation_vulnerability",
359
+ "name": "Implementation Vulnerability",
360
+ "type": "variant",
361
+ "priority": 4
362
+ },
363
+ {
364
+ "id": "brute_force",
365
+ "name": "Brute Force",
366
+ "type": "variant",
367
+ "priority": 5
368
+ },
369
+ {
370
+ "id": "missing",
371
+ "name": "Missing",
372
+ "type": "variant",
373
+ "priority": 5
374
+ }
375
+ ]
376
+ },
377
+ {
378
+ "id": "exposed_admin_portal",
379
+ "name": "Exposed Admin Portal",
380
+ "type": "subcategory",
381
+ "children": [
382
+ {
383
+ "id": "to_internet",
384
+ "name": "To Internet",
385
+ "type": "variant",
386
+ "priority": 5
387
+ }
388
+ ]
389
+ },
390
+ {
391
+ "id": "missing_dnssec",
392
+ "name": "Missing DNSSEC",
393
+ "type": "subcategory",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "fingerprinting_banner_disclosure",
398
+ "name": "Fingerprinting/Banner Disclosure",
399
+ "type": "subcategory",
400
+ "priority": 5
401
+ },
402
+ {
403
+ "id": "username_enumeration",
404
+ "name": "Username/Email Enumeration",
405
+ "type": "subcategory",
406
+ "children": [
407
+ {
408
+ "id": "brute_force",
409
+ "name": "Brute Force",
410
+ "type": "variant",
411
+ "priority": 5
412
+ }
413
+ ]
414
+ },
415
+ {
416
+ "id": "potentially_unsafe_http_method_enabled",
417
+ "name": "Potentially Unsafe HTTP Method Enabled",
418
+ "type": "subcategory",
419
+ "children": [
420
+ {
421
+ "id": "options",
422
+ "name": "OPTIONS",
423
+ "type": "variant",
424
+ "priority": 5
425
+ },
426
+ {
427
+ "id": "trace",
428
+ "name": "TRACE",
429
+ "type": "variant",
430
+ "priority": 5
431
+ }
432
+ ]
433
+ },
434
+ {
435
+ "id": "insecure_ssl",
436
+ "name": "Insecure SSL",
437
+ "type": "subcategory",
438
+ "children": [
439
+ {
440
+ "id": "lack_of_forward_secrecy",
441
+ "name": "Lack of Forward Secrecy",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "insecure_cipher_suite",
447
+ "name": "Insecure Cipher Suite",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "certificate_error",
453
+ "name": "Certificate Error",
454
+ "type": "variant",
455
+ "priority": 5
456
+ }
457
+ ]
458
+ },
459
+ {
460
+ "id": "rfd",
461
+ "name": "Reflected File Download (RFD)",
462
+ "type": "subcategory",
463
+ "priority": 5
464
+ },
465
+ {
466
+ "id": "lack_of_security_headers",
467
+ "name": "Lack of Security Headers",
468
+ "type": "subcategory",
469
+ "children": [
470
+ {
471
+ "id": "x_frame_options",
472
+ "name": "X-Frame-Options",
473
+ "type": "variant",
474
+ "priority": 5
475
+ },
476
+ {
477
+ "id": "cache_control_for_a_non_sensitive_page",
478
+ "name": "Cache-Control for a Non-Sensitive Page",
479
+ "type": "variant",
480
+ "priority": 5
481
+ },
482
+ {
483
+ "id": "x_xss_protection",
484
+ "name": "X-XSS-Protection",
485
+ "type": "variant",
486
+ "priority": 5
487
+ },
488
+ {
489
+ "id": "strict_transport_security",
490
+ "name": "Strict-Transport-Security",
491
+ "type": "variant",
492
+ "priority": 5
493
+ },
494
+ {
495
+ "id": "x_content_type_options",
496
+ "name": "X-Content-Type-Options",
497
+ "type": "variant",
498
+ "priority": 5
499
+ },
500
+ {
501
+ "id": "content_security_policy",
502
+ "name": "Content-Security-Policy",
503
+ "type": "variant",
504
+ "priority": 5
505
+ },
506
+ {
507
+ "id": "public_key_pins",
508
+ "name": "Public-Key-Pins",
509
+ "type": "variant",
510
+ "priority": 5
511
+ },
512
+ {
513
+ "id": "x_content_security_policy",
514
+ "name": "X-Content-Security-Policy",
515
+ "type": "variant",
516
+ "priority": 5
517
+ },
518
+ {
519
+ "id": "x_webkit_csp",
520
+ "name": "X-Webkit-CSP",
521
+ "type": "variant",
522
+ "priority": 5
523
+ },
524
+ {
525
+ "id": "content_security_policy_report_only",
526
+ "name": "Content-Security-Policy-Report-Only",
527
+ "type": "variant",
528
+ "priority": 5
529
+ },
530
+ {
531
+ "id": "cache_control_for_a_sensitive_page",
532
+ "name": "Cache-Control for a Sensitive Page",
533
+ "type": "variant",
534
+ "priority": 4
535
+ }
536
+ ]
537
+ },
538
+ {
539
+ "id": "waf_bypass",
540
+ "name": "Web Application Firewall (WAF) Bypass",
541
+ "type": "subcategory",
542
+ "children": [
543
+ {
544
+ "id": "direct_server_access",
545
+ "name": "Direct Server Access",
546
+ "type": "variant",
547
+ "priority": 4
548
+ }
549
+ ]
550
+ },
551
+ {
552
+ "id": "race_condition",
553
+ "name": "Race Condition",
554
+ "type": "subcategory",
555
+ "priority": null
556
+ },
557
+ {
558
+ "id": "cache_poisoning",
559
+ "name": "Cache Poisoning",
560
+ "type": "subcategory",
561
+ "priority": null
562
+ },
563
+ {
564
+ "id": "bitsquatting",
565
+ "name": "Bitsquatting",
566
+ "type": "subcategory",
567
+ "priority": 5
568
+ }
569
+ ]
570
+ },
571
+ {
572
+ "id": "server_side_injection",
573
+ "name": "Server-Side Injection",
574
+ "type": "category",
575
+ "children": [
576
+ {
577
+ "id": "file_inclusion",
578
+ "name": "File Inclusion",
579
+ "type": "subcategory",
580
+ "children": [
581
+ {
582
+ "id": "local",
583
+ "name": "Local",
584
+ "type": "variant",
585
+ "priority": 1
586
+ }
587
+ ]
588
+ },
589
+ {
590
+ "id": "parameter_pollution",
591
+ "name": "Parameter Pollution",
592
+ "type": "subcategory",
593
+ "children": [
594
+ {
595
+ "id": "social_media_sharing_buttons",
596
+ "name": "Social Media Sharing Buttons",
597
+ "type": "variant",
598
+ "priority": 5
599
+ }
600
+ ]
601
+ },
602
+ {
603
+ "id": "remote_code_execution_rce",
604
+ "name": "Remote Code Execution (RCE)",
605
+ "type": "subcategory",
606
+ "priority": 1
607
+ },
608
+ {
609
+ "id": "ldap_injection",
610
+ "name": "LDAP Injection",
611
+ "type": "subcategory",
612
+ "priority": null
613
+ },
614
+ {
615
+ "id": "sql_injection",
616
+ "name": "SQL Injection",
617
+ "type": "subcategory",
618
+ "priority": 1
619
+ },
620
+ {
621
+ "id": "xml_external_entity_injection_xxe",
622
+ "name": "XML External Entity Injection (XXE)",
623
+ "type": "subcategory",
624
+ "priority": 1
625
+ },
626
+ {
627
+ "id": "http_response_manipulation",
628
+ "name": "HTTP Response Manipulation",
629
+ "type": "subcategory",
630
+ "children": [
631
+ {
632
+ "id": "response_splitting_crlf",
633
+ "name": "Response Splitting (CRLF)",
634
+ "type": "variant",
635
+ "priority": 3
636
+ }
637
+ ]
638
+ },
639
+ {
640
+ "id": "content_spoofing",
641
+ "name": "Content Spoofing",
642
+ "type": "subcategory",
643
+ "children": [
644
+ {
645
+ "id": "iframe_injection",
646
+ "name": "iframe Injection",
647
+ "type": "variant",
648
+ "priority": 3
649
+ },
650
+ {
651
+ "id": "impersonation_via_broken_link_hijacking",
652
+ "name": "Impersonation via Broken Link Hijacking",
653
+ "type": "variant",
654
+ "priority": 4
655
+ },
656
+ {
657
+ "id": "external_authentication_injection",
658
+ "name": "External Authentication Injection",
659
+ "type": "variant",
660
+ "priority": 4
661
+ },
662
+ {
663
+ "id": "flash_based_external_authentication_injection",
664
+ "name": "Flash Based External Authentication Injection",
665
+ "type": "variant",
666
+ "priority": 5
667
+ },
668
+ {
669
+ "id": "html_content_injection",
670
+ "name": "HTML Content Injection",
671
+ "type": "variant",
672
+ "priority": 5
673
+ },
674
+ {
675
+ "id": "email_html_injection",
676
+ "name": "Email HTML Injection",
677
+ "type": "variant",
678
+ "priority": 4
679
+ },
680
+ {
681
+ "id": "email_hyperlink_injection_based_on_email_provider",
682
+ "name": "Email Hyperlink Injection Based on Email Provider",
683
+ "type": "variant",
684
+ "priority": 5
685
+ },
686
+ {
687
+ "id": "text_injection",
688
+ "name": "Text Injection",
689
+ "type": "variant",
690
+ "priority": 5
691
+ },
692
+ {
693
+ "id": "homograph_idn_based",
694
+ "name": "Homograph/IDN-Based",
695
+ "type": "variant",
696
+ "priority": 5
697
+ },
698
+ {
699
+ "id": "rtlo",
700
+ "name": "Right-to-Left Override (RTLO)",
701
+ "type": "variant",
702
+ "priority": 5
703
+ }
704
+ ]
705
+ },
706
+ {
707
+ "id": "ssti",
708
+ "name": "Server-Side Template Injection (SSTI)",
709
+ "type": "subcategory",
710
+ "children": [
711
+ {
712
+ "id": "basic",
713
+ "name": "Basic",
714
+ "type": "variant",
715
+ "priority": 4
716
+ },
717
+ {
718
+ "id": "custom",
719
+ "name": "Custom",
720
+ "type": "variant",
721
+ "priority": null
722
+ }
723
+ ]
724
+ }
725
+ ]
726
+ },
727
+ {
728
+ "id": "broken_authentication_and_session_management",
729
+ "name": "Broken Authentication and Session Management",
730
+ "type": "category",
731
+ "children": [
732
+ {
733
+ "id": "authentication_bypass",
734
+ "name": "Authentication Bypass",
735
+ "type": "subcategory",
736
+ "priority": 1
737
+ },
738
+ {
739
+ "id": "two_fa_bypass",
740
+ "name": "Second Factor Authentication (2FA) Bypass",
741
+ "type": "subcategory",
742
+ "priority": 3
743
+ },
744
+ {
745
+ "id": "privilege_escalation",
746
+ "name": "Privilege Escalation",
747
+ "type": "subcategory",
748
+ "priority": null
749
+ },
750
+ {
751
+ "id": "cleartext_transmission_of_session_token",
752
+ "name": "Cleartext Transmission of Session Token",
753
+ "type": "subcategory",
754
+ "priority": 4
755
+ },
756
+ {
757
+ "id": "weak_login_function",
758
+ "name": "Weak Login Function",
759
+ "type": "subcategory",
760
+ "children": [
761
+ {
762
+ "id": "not_operational",
763
+ "name": "Not Operational or Intended Public Access",
764
+ "type": "variant",
765
+ "priority": 5
766
+ },
767
+ {
768
+ "id": "other_plaintext_protocol_no_secure_alternative",
769
+ "name": "Other Plaintext Protocol with no Secure Alternative",
770
+ "type": "variant",
771
+ "priority": 4
772
+ },
773
+ {
774
+ "id": "over_http",
775
+ "name": "Over HTTP",
776
+ "type": "variant",
777
+ "priority": 4
778
+ }
779
+ ]
780
+ },
781
+ {
782
+ "id": "session_fixation",
783
+ "name": "Session Fixation",
784
+ "type": "subcategory",
785
+ "children": [
786
+ {
787
+ "id": "remote_attack_vector",
788
+ "name": "Remote Attack Vector",
789
+ "type": "variant",
790
+ "priority": 3
791
+ },
792
+ {
793
+ "id": "local_attack_vector",
794
+ "name": "Local Attack Vector",
795
+ "type": "variant",
796
+ "priority": 5
797
+ }
798
+ ]
799
+ },
800
+ {
801
+ "id": "failure_to_invalidate_session",
802
+ "name": "Failure to Invalidate Session",
803
+ "type": "subcategory",
804
+ "children": [
805
+ {
806
+ "id": "on_logout",
807
+ "name": "On Logout (Client and Server-Side)",
808
+ "type": "variant",
809
+ "priority": 4
810
+ },
811
+ {
812
+ "id": "permission_change",
813
+ "name": "On Permission Change",
814
+ "type": "variant",
815
+ "priority": null
816
+ },
817
+ {
818
+ "id": "on_logout_server_side_only",
819
+ "name": "On Logout (Server-Side Only)",
820
+ "type": "variant",
821
+ "priority": 5
822
+ },
823
+ {
824
+ "id": "on_password_change",
825
+ "name": "On Password Reset and/or Change",
826
+ "type": "variant",
827
+ "priority": 4
828
+ },
829
+ {
830
+ "id": "all_sessions",
831
+ "name": "Concurrent Sessions On Logout",
832
+ "type": "variant",
833
+ "priority": 5
834
+ },
835
+ {
836
+ "id": "on_email_change",
837
+ "name": "On Email Change",
838
+ "type": "variant",
839
+ "priority": 5
840
+ },
841
+ {
842
+ "id": "on_two_fa_activation_change",
843
+ "name": "On 2FA Activation/Change",
844
+ "type": "variant",
845
+ "priority": 5
846
+ },
847
+ {
848
+ "id": "long_timeout",
849
+ "name": "Long Timeout",
850
+ "type": "variant",
851
+ "priority": 5
852
+ }
853
+ ]
854
+ },
855
+ {
856
+ "id": "concurrent_logins",
857
+ "name": "Concurrent Logins",
858
+ "type": "subcategory",
859
+ "priority": 5
860
+ },
861
+ {
862
+ "id": "weak_registration_implementation",
863
+ "name": "Weak Registration Implementation",
864
+ "type": "subcategory",
865
+ "children": [
866
+ {
867
+ "id": "over_http",
868
+ "name": "Over HTTP",
869
+ "type": "variant",
870
+ "priority": 4
871
+ }
872
+ ]
873
+ }
874
+ ]
875
+ },
876
+ {
877
+ "id": "sensitive_data_exposure",
878
+ "name": "Sensitive Data Exposure",
879
+ "type": "category",
880
+ "children": [
881
+ {
882
+ "id": "disclosure_of_secrets",
883
+ "name": "Disclosure of Secrets",
884
+ "type": "subcategory",
885
+ "children": [
886
+ {
887
+ "id": "for_publicly_accessible_asset",
888
+ "name": "For Publicly Accessible Asset",
889
+ "type": "variant",
890
+ "priority": 1
891
+ },
892
+ {
893
+ "id": "pii_leakage_exposure",
894
+ "name": "PII Leakage/Exposure",
895
+ "type": "variant",
896
+ "priority": null
897
+ },
898
+ {
899
+ "id": "for_internal_asset",
900
+ "name": "For Internal Asset",
901
+ "type": "variant",
902
+ "priority": 3
903
+ },
904
+ {
905
+ "id": "pay_per_use_abuse",
906
+ "name": "Pay-Per-Use Abuse",
907
+ "type": "variant",
908
+ "priority": 4
909
+ },
910
+ {
911
+ "id": "intentionally_public_sample_or_invalid",
912
+ "name": "Intentionally Public, Sample or Invalid",
913
+ "type": "variant",
914
+ "priority": 5
915
+ },
916
+ {
917
+ "id": "data_traffic_spam",
918
+ "name": "Data/Traffic Spam",
919
+ "type": "variant",
920
+ "priority": 5
921
+ },
922
+ {
923
+ "id": "non_corporate_user",
924
+ "name": "Non-Corporate User",
925
+ "type": "variant",
926
+ "priority": 5
927
+ }
928
+ ]
929
+ },
930
+ {
931
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
932
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
933
+ "type": "subcategory",
934
+ "children": [
935
+ {
936
+ "id": "automatic_user_enumeration",
937
+ "name": "Automatic User Enumeration",
938
+ "type": "variant",
939
+ "priority": 3
940
+ },
941
+ {
942
+ "id": "manual_user_enumeration",
943
+ "name": "Manual User Enumeration",
944
+ "type": "variant",
945
+ "priority": 4
946
+ }
947
+ ]
948
+ },
949
+ {
950
+ "id": "visible_detailed_error_page",
951
+ "name": "Visible Detailed Error/Debug Page",
952
+ "type": "subcategory",
953
+ "children": [
954
+ {
955
+ "id": "detailed_server_configuration",
956
+ "name": "Detailed Server Configuration",
957
+ "type": "variant",
958
+ "priority": 4
959
+ },
960
+ {
961
+ "id": "full_path_disclosure",
962
+ "name": "Full Path Disclosure",
963
+ "type": "variant",
964
+ "priority": 5
965
+ },
966
+ {
967
+ "id": "descriptive_stack_trace",
968
+ "name": "Descriptive Stack Trace",
969
+ "type": "variant",
970
+ "priority": 5
971
+ }
972
+ ]
973
+ },
974
+ {
975
+ "id": "disclosure_of_known_public_information",
976
+ "name": "Disclosure of Known Public Information",
977
+ "type": "subcategory",
978
+ "priority": 5
979
+ },
980
+ {
981
+ "id": "token_leakage_via_referer",
982
+ "name": "Token Leakage via Referer",
983
+ "type": "subcategory",
984
+ "children": [
985
+ {
986
+ "id": "trusted_third_party",
987
+ "name": "Trusted 3rd Party",
988
+ "type": "variant",
989
+ "priority": 5
990
+ },
991
+ {
992
+ "id": "untrusted_third_party",
993
+ "name": "Untrusted 3rd Party",
994
+ "type": "variant",
995
+ "priority": 4
996
+ },
997
+ {
998
+ "id": "over_http",
999
+ "name": "Over HTTP",
1000
+ "type": "variant",
1001
+ "priority": 4
1002
+ }
1003
+ ]
1004
+ },
1005
+ {
1006
+ "id": "sensitive_token_in_url",
1007
+ "name": "Sensitive Token in URL",
1008
+ "type": "subcategory",
1009
+ "children": [
1010
+ {
1011
+ "id": "user_facing",
1012
+ "name": "User Facing",
1013
+ "type": "variant",
1014
+ "priority": 4
1015
+ },
1016
+ {
1017
+ "id": "in_the_background",
1018
+ "name": "In the Background",
1019
+ "type": "variant",
1020
+ "priority": 5
1021
+ },
1022
+ {
1023
+ "id": "on_password_reset",
1024
+ "name": "On Password Reset",
1025
+ "type": "variant",
1026
+ "priority": 5
1027
+ }
1028
+ ]
1029
+ },
1030
+ {
1031
+ "id": "non_sensitive_token_in_url",
1032
+ "name": "Non-Sensitive Token in URL",
1033
+ "type": "subcategory",
1034
+ "priority": 5
1035
+ },
1036
+ {
1037
+ "id": "weak_password_reset_implementation",
1038
+ "name": "Weak Password Reset Implementation",
1039
+ "type": "subcategory",
1040
+ "children": [
1041
+ {
1042
+ "id": "password_reset_token_sent_over_http",
1043
+ "name": "Password Reset Token Sent Over HTTP",
1044
+ "type": "variant",
1045
+ "priority": 4
1046
+ },
1047
+ {
1048
+ "id": "token_leakage_via_host_header_poisoning",
1049
+ "name": "Token Leakage via Host Header Poisoning",
1050
+ "type": "variant",
1051
+ "priority": 2
1052
+ }
1053
+ ]
1054
+ },
1055
+ {
1056
+ "id": "mixed_content",
1057
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1058
+ "type": "subcategory",
1059
+ "priority": 5
1060
+ },
1061
+ {
1062
+ "id": "sensitive_data_hardcoded",
1063
+ "name": "Sensitive Data Hardcoded",
1064
+ "type": "subcategory",
1065
+ "children": [
1066
+ {
1067
+ "id": "oauth_secret",
1068
+ "name": "OAuth Secret",
1069
+ "type": "variant",
1070
+ "priority": 5
1071
+ },
1072
+ {
1073
+ "id": "file_paths",
1074
+ "name": "File Paths",
1075
+ "type": "variant",
1076
+ "priority": 5
1077
+ }
1078
+ ]
1079
+ },
1080
+ {
1081
+ "id": "internal_ip_disclosure",
1082
+ "name": "Internal IP Disclosure",
1083
+ "type": "subcategory",
1084
+ "priority": 5
1085
+ },
1086
+ {
1087
+ "id": "xssi",
1088
+ "name": "Cross Site Script Inclusion (XSSI)",
1089
+ "type": "subcategory",
1090
+ "priority": null
1091
+ },
1092
+ {
1093
+ "id": "json_hijacking",
1094
+ "name": "JSON Hijacking",
1095
+ "type": "subcategory",
1096
+ "priority": 5
1097
+ },
1098
+ {
1099
+ "id": "via_localstorage_sessionstorage",
1100
+ "name": "Via localStorage/sessionStorage",
1101
+ "type": "subcategory",
1102
+ "children": [
1103
+ {
1104
+ "id": "sensitive_token",
1105
+ "name": "Sensitive Token",
1106
+ "type": "variant",
1107
+ "priority": 4
1108
+ },
1109
+ {
1110
+ "id": "non_sensitive_token",
1111
+ "name": "Non-Sensitive Token",
1112
+ "type": "variant",
1113
+ "priority": 5
1114
+ }
1115
+ ]
1116
+ }
1117
+ ]
1118
+ },
1119
+ {
1120
+ "id": "cross_site_scripting_xss",
1121
+ "name": "Cross-Site Scripting (XSS)",
1122
+ "type": "category",
1123
+ "children": [
1124
+ {
1125
+ "id": "stored",
1126
+ "name": "Stored",
1127
+ "type": "subcategory",
1128
+ "children": [
1129
+ {
1130
+ "id": "non_admin_to_anyone",
1131
+ "name": "Non-Privileged User to Anyone",
1132
+ "type": "variant",
1133
+ "priority": 2
1134
+ },
1135
+ {
1136
+ "id": "privileged_user_to_privilege_elevation",
1137
+ "name": "Privileged User to Privilege Elevation",
1138
+ "type": "variant",
1139
+ "priority": 3
1140
+ },
1141
+ {
1142
+ "id": "privileged_user_to_no_privilege_elevation",
1143
+ "name": "Privileged User to No Privilege Elevation",
1144
+ "type": "variant",
1145
+ "priority": 4
1146
+ },
1147
+ {
1148
+ "id": "url_based",
1149
+ "name": "CSRF/URL-Based",
1150
+ "type": "variant",
1151
+ "priority": 3
1152
+ },
1153
+ {
1154
+ "id": "self",
1155
+ "name": "Self",
1156
+ "type": "variant",
1157
+ "priority": 5
1158
+ }
1159
+ ]
1160
+ },
1161
+ {
1162
+ "id": "reflected",
1163
+ "name": "Reflected",
1164
+ "type": "subcategory",
1165
+ "children": [
1166
+ {
1167
+ "id": "non_self",
1168
+ "name": "Non-Self",
1169
+ "type": "variant",
1170
+ "priority": 3
1171
+ },
1172
+ {
1173
+ "id": "self",
1174
+ "name": "Self",
1175
+ "type": "variant",
1176
+ "priority": 5
1177
+ }
1178
+ ]
1179
+ },
1180
+ {
1181
+ "id": "flash_based",
1182
+ "name": "Flash-Based",
1183
+ "type": "subcategory",
1184
+ "priority": 5
1185
+ },
1186
+ {
1187
+ "id": "cookie_based",
1188
+ "name": "Cookie-Based",
1189
+ "type": "subcategory",
1190
+ "priority": 5
1191
+ },
1192
+ {
1193
+ "id": "ie_only",
1194
+ "name": "IE-Only",
1195
+ "type": "subcategory",
1196
+ "priority": 5
1197
+ },
1198
+ {
1199
+ "id": "referer",
1200
+ "name": "Referer",
1201
+ "type": "subcategory",
1202
+ "priority": 4
1203
+ },
1204
+ {
1205
+ "id": "trace_method",
1206
+ "name": "TRACE Method",
1207
+ "type": "subcategory",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "universal_uxss",
1212
+ "name": "Universal (UXSS)",
1213
+ "type": "subcategory",
1214
+ "priority": 4
1215
+ },
1216
+ {
1217
+ "id": "off_domain",
1218
+ "name": "Off-Domain",
1219
+ "type": "subcategory",
1220
+ "children": [
1221
+ {
1222
+ "id": "data_uri",
1223
+ "name": "Data URI",
1224
+ "type": "variant",
1225
+ "priority": 4
1226
+ }
1227
+ ]
1228
+ }
1229
+ ]
1230
+ },
1231
+ {
1232
+ "id": "broken_access_control",
1233
+ "name": "Broken Access Control (BAC)",
1234
+ "type": "category",
1235
+ "children": [
1236
+ {
1237
+ "id": "idor",
1238
+ "name": "Insecure Direct Object References (IDOR)",
1239
+ "type": "subcategory",
1240
+ "children": [
1241
+ {
1242
+ "id": "read_edit_delete_non_sensitive_information",
1243
+ "name": "Read/Edit/Delete Non-Sensitive Information",
1244
+ "type": "variant",
1245
+ "priority": 5
1246
+ },
1247
+ {
1248
+ "id": "read_edit_delete_sensitive_information_guid",
1249
+ "name": "Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID)",
1250
+ "type": "variant",
1251
+ "priority": 4
1252
+ },
1253
+ {
1254
+ "id": "read_sensitive_information_iterable_object_identifiers",
1255
+ "name": "Read Sensitive Information/Iterable Object Identifiers",
1256
+ "type": "variant",
1257
+ "priority": 3
1258
+ },
1259
+ {
1260
+ "id": "edit_delete_sensitive_information_iterable_object_identifiers",
1261
+ "name": "Edit/Delete Sensitive Information/Iterable Object Identifiers",
1262
+ "type": "variant",
1263
+ "priority": 2
1264
+ },
1265
+ {
1266
+ "id": "read_edit_delete_sensitive_information_iterable_object_identifiers",
1267
+ "name": "Read/Edit/Delete Sensitive Information/Iterable Object Identifiers",
1268
+ "type": "variant",
1269
+ "priority": 1
1270
+ }
1271
+ ]
1272
+ },
1273
+ {
1274
+ "id": "username_enumeration",
1275
+ "name": "Username/Email Enumeration",
1276
+ "type": "subcategory",
1277
+ "children": [
1278
+ {
1279
+ "id": "non_brute_force",
1280
+ "name": "Non-Brute Force",
1281
+ "type": "variant",
1282
+ "priority": 4
1283
+ }
1284
+ ]
1285
+ },
1286
+ {
1287
+ "id": "exposed_sensitive_android_intent",
1288
+ "name": "Exposed Sensitive Android Intent",
1289
+ "type": "subcategory",
1290
+ "priority": null
1291
+ },
1292
+ {
1293
+ "id": "exposed_sensitive_ios_url_scheme",
1294
+ "name": "Exposed Sensitive iOS URL Scheme",
1295
+ "type": "subcategory",
1296
+ "priority": null
1297
+ }
1298
+ ]
1299
+ },
1300
+ {
1301
+ "id": "cross_site_request_forgery_csrf",
1302
+ "name": "Cross-Site Request Forgery (CSRF)",
1303
+ "type": "category",
1304
+ "children": [
1305
+ {
1306
+ "id": "application_wide",
1307
+ "name": "Application-Wide",
1308
+ "type": "subcategory",
1309
+ "priority": 2
1310
+ },
1311
+ {
1312
+ "id": "action_specific",
1313
+ "name": "Action-Specific",
1314
+ "type": "subcategory",
1315
+ "children": [
1316
+ {
1317
+ "id": "authenticated_action",
1318
+ "name": "Authenticated Action",
1319
+ "type": "variant",
1320
+ "priority": null
1321
+ },
1322
+ {
1323
+ "id": "unauthenticated_action",
1324
+ "name": "Unauthenticated Action",
1325
+ "type": "variant",
1326
+ "priority": null
1327
+ },
1328
+ {
1329
+ "id": "logout",
1330
+ "name": "Logout",
1331
+ "type": "variant",
1332
+ "priority": 5
1333
+ }
1334
+ ]
1335
+ },
1336
+ {
1337
+ "id": "csrf_token_not_unique_per_request",
1338
+ "name": "CSRF Token Not Unique Per Request",
1339
+ "type": "subcategory",
1340
+ "priority": 5
1341
+ },
1342
+ {
1343
+ "id": "flash_based",
1344
+ "name": "Flash-Based",
1345
+ "type": "subcategory",
1346
+ "priority": 5
1347
+ }
1348
+ ]
1349
+ },
1350
+ {
1351
+ "id": "application_level_denial_of_service_dos",
1352
+ "name": "Application-Level Denial-of-Service (DoS)",
1353
+ "type": "category",
1354
+ "children": [
1355
+ {
1356
+ "id": "critical_impact_and_or_easy_difficulty",
1357
+ "name": "Critical Impact and/or Easy Difficulty",
1358
+ "type": "subcategory",
1359
+ "priority": 2
1360
+ },
1361
+ {
1362
+ "id": "high_impact_and_or_medium_difficulty",
1363
+ "name": "High Impact and/or Medium Difficulty",
1364
+ "type": "subcategory",
1365
+ "priority": 3
1366
+ },
1367
+ {
1368
+ "id": "app_crash",
1369
+ "name": "App Crash",
1370
+ "type": "subcategory",
1371
+ "children": [
1372
+ {
1373
+ "id": "malformed_android_intents",
1374
+ "name": "Malformed Android Intents",
1375
+ "type": "variant",
1376
+ "priority": 5
1377
+ },
1378
+ {
1379
+ "id": "malformed_ios_url_schemes",
1380
+ "name": "Malformed iOS URL Schemes",
1381
+ "type": "variant",
1382
+ "priority": 5
1383
+ }
1384
+ ]
1385
+ }
1386
+ ]
1387
+ },
1388
+ {
1389
+ "id": "unvalidated_redirects_and_forwards",
1390
+ "name": "Unvalidated Redirects and Forwards",
1391
+ "type": "category",
1392
+ "children": [
1393
+ {
1394
+ "id": "open_redirect",
1395
+ "name": "Open Redirect",
1396
+ "type": "subcategory",
1397
+ "children": [
1398
+ {
1399
+ "id": "get_based",
1400
+ "name": "GET-Based",
1401
+ "type": "variant",
1402
+ "priority": 4
1403
+ },
1404
+ {
1405
+ "id": "post_based",
1406
+ "name": "POST-Based",
1407
+ "type": "variant",
1408
+ "priority": 5
1409
+ },
1410
+ {
1411
+ "id": "header_based",
1412
+ "name": "Header-Based",
1413
+ "type": "variant",
1414
+ "priority": 5
1415
+ },
1416
+ {
1417
+ "id": "flash_based",
1418
+ "name": "Flash-Based",
1419
+ "type": "variant",
1420
+ "priority": 5
1421
+ }
1422
+ ]
1423
+ },
1424
+ {
1425
+ "id": "tabnabbing",
1426
+ "name": "Tabnabbing",
1427
+ "type": "subcategory",
1428
+ "priority": 5
1429
+ },
1430
+ {
1431
+ "id": "lack_of_security_speed_bump_page",
1432
+ "name": "Lack of Security Speed Bump Page",
1433
+ "type": "subcategory",
1434
+ "priority": 5
1435
+ }
1436
+ ]
1437
+ },
1438
+ {
1439
+ "id": "external_behavior",
1440
+ "name": "External Behavior",
1441
+ "type": "category",
1442
+ "children": [
1443
+ {
1444
+ "id": "browser_feature",
1445
+ "name": "Browser Feature",
1446
+ "type": "subcategory",
1447
+ "children": [
1448
+ {
1449
+ "id": "plaintext_password_field",
1450
+ "name": "Plaintext Password Field",
1451
+ "type": "variant",
1452
+ "priority": 5
1453
+ },
1454
+ {
1455
+ "id": "save_password",
1456
+ "name": "Save Password",
1457
+ "type": "variant",
1458
+ "priority": 5
1459
+ },
1460
+ {
1461
+ "id": "autocomplete_enabled",
1462
+ "name": "Autocomplete Enabled",
1463
+ "type": "variant",
1464
+ "priority": 5
1465
+ },
1466
+ {
1467
+ "id": "autocorrect_enabled",
1468
+ "name": "Autocorrect Enabled",
1469
+ "type": "variant",
1470
+ "priority": 5
1471
+ },
1472
+ {
1473
+ "id": "aggressive_offline_caching",
1474
+ "name": "Aggressive Offline Caching",
1475
+ "type": "variant",
1476
+ "priority": 5
1477
+ }
1478
+ ]
1479
+ },
1480
+ {
1481
+ "id": "csv_injection",
1482
+ "name": "CSV Injection",
1483
+ "type": "subcategory",
1484
+ "priority": 5
1485
+ },
1486
+ {
1487
+ "id": "captcha_bypass",
1488
+ "name": "Captcha Bypass",
1489
+ "type": "subcategory",
1490
+ "children": [
1491
+ {
1492
+ "id": "crowdsourcing",
1493
+ "name": "Crowdsourcing",
1494
+ "type": "variant",
1495
+ "priority": 5
1496
+ }
1497
+ ]
1498
+ },
1499
+ {
1500
+ "id": "system_clipboard_leak",
1501
+ "name": "System Clipboard Leak",
1502
+ "type": "subcategory",
1503
+ "children": [
1504
+ {
1505
+ "id": "shared_links",
1506
+ "name": "Shared Links",
1507
+ "type": "variant",
1508
+ "priority": 5
1509
+ }
1510
+ ]
1511
+ },
1512
+ {
1513
+ "id": "user_password_persisted_in_memory",
1514
+ "name": "User Password Persisted in Memory",
1515
+ "type": "subcategory",
1516
+ "priority": 5
1517
+ }
1518
+ ]
1519
+ },
1520
+ {
1521
+ "id": "insufficient_security_configurability",
1522
+ "name": "Insufficient Security Configurability",
1523
+ "type": "category",
1524
+ "children": [
1525
+ {
1526
+ "id": "weak_password_policy",
1527
+ "name": "Weak Password Policy",
1528
+ "type": "subcategory",
1529
+ "priority": 5
1530
+ },
1531
+ {
1532
+ "id": "no_password_policy",
1533
+ "name": "No Password Policy",
1534
+ "type": "subcategory",
1535
+ "priority": 4
1536
+ },
1537
+ {
1538
+ "id": "password_policy_bypass",
1539
+ "name": "Password Policy Bypass",
1540
+ "type": "subcategory",
1541
+ "priority": 5
1542
+ },
1543
+ {
1544
+ "id": "weak_password_reset_implementation",
1545
+ "name": "Weak Password Reset Implementation",
1546
+ "type": "subcategory",
1547
+ "children": [
1548
+ {
1549
+ "id": "token_is_not_invalidated_after_use",
1550
+ "name": "Token is Not Invalidated After Use",
1551
+ "type": "variant",
1552
+ "priority": 4
1553
+ },
1554
+ {
1555
+ "id": "token_is_not_invalidated_after_email_change",
1556
+ "name": "Token is Not Invalidated After Email Change",
1557
+ "type": "variant",
1558
+ "priority": 5
1559
+ },
1560
+ {
1561
+ "id": "token_is_not_invalidated_after_password_change",
1562
+ "name": "Token is Not Invalidated After Password Change",
1563
+ "type": "variant",
1564
+ "priority": 5
1565
+ },
1566
+ {
1567
+ "id": "token_has_long_timed_expiry",
1568
+ "name": "Token Has Long Timed Expiry",
1569
+ "type": "variant",
1570
+ "priority": 5
1571
+ },
1572
+ {
1573
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1574
+ "name": "Token is Not Invalidated After New Token is Requested",
1575
+ "type": "variant",
1576
+ "priority": 5
1577
+ },
1578
+ {
1579
+ "id": "token_is_not_invalidated_after_login",
1580
+ "name": "Token is Not Invalidated After Login",
1581
+ "type": "variant",
1582
+ "priority": 5
1583
+ }
1584
+ ]
1585
+ },
1586
+ {
1587
+ "id": "verification_of_contact_method_not_required",
1588
+ "name": "Verification of Contact Method not Required",
1589
+ "type": "subcategory",
1590
+ "priority": 5
1591
+ },
1592
+ {
1593
+ "id": "lack_of_notification_email",
1594
+ "name": "Lack of Notification Email",
1595
+ "type": "subcategory",
1596
+ "priority": 5
1597
+ },
1598
+ {
1599
+ "id": "weak_registration_implementation",
1600
+ "name": "Weak Registration Implementation",
1601
+ "type": "subcategory",
1602
+ "children": [
1603
+ {
1604
+ "id": "allows_disposable_email_addresses",
1605
+ "name": "Allows Disposable Email Addresses",
1606
+ "type": "variant",
1607
+ "priority": 5
1608
+ }
1609
+ ]
1610
+ },
1611
+ {
1612
+ "id": "weak_two_fa_implementation",
1613
+ "name": "Weak 2FA Implementation",
1614
+ "type": "subcategory",
1615
+ "children": [
1616
+ {
1617
+ "id": "two_fa_secret_cannot_be_rotated",
1618
+ "name": "2FA Secret Cannot be Rotated",
1619
+ "type": "variant",
1620
+ "priority": 4
1621
+ },
1622
+ {
1623
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1624
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1625
+ "type": "variant",
1626
+ "priority": 4
1627
+ },
1628
+ {
1629
+ "id": "missing_failsafe",
1630
+ "name": "Missing Failsafe",
1631
+ "type": "variant",
1632
+ "priority": 5
1633
+ },
1634
+ {
1635
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1636
+ "name": "2FA Code is Not Updated After New Code is Requested",
1637
+ "type": "variant",
1638
+ "priority": 5
1639
+ },
1640
+ {
1641
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1642
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1643
+ "type": "variant",
1644
+ "priority": 5
1645
+ }
1646
+ ]
1647
+ }
1648
+ ]
1649
+ },
1650
+ {
1651
+ "id": "using_components_with_known_vulnerabilities",
1652
+ "name": "Using Components with Known Vulnerabilities",
1653
+ "type": "category",
1654
+ "children": [
1655
+ {
1656
+ "id": "rosetta_flash",
1657
+ "name": "Rosetta Flash",
1658
+ "type": "subcategory",
1659
+ "priority": 5
1660
+ },
1661
+ {
1662
+ "id": "outdated_software_version",
1663
+ "name": "Outdated Software Version",
1664
+ "type": "subcategory",
1665
+ "priority": 5
1666
+ },
1667
+ {
1668
+ "id": "captcha_bypass",
1669
+ "name": "Captcha Bypass",
1670
+ "type": "subcategory",
1671
+ "children": [
1672
+ {
1673
+ "id": "ocr_optical_character_recognition",
1674
+ "name": "OCR (Optical Character Recognition)",
1675
+ "type": "variant",
1676
+ "priority": 5
1677
+ }
1678
+ ]
1679
+ }
1680
+ ]
1681
+ },
1682
+ {
1683
+ "id": "insecure_data_storage",
1684
+ "name": "Insecure Data Storage",
1685
+ "type": "category",
1686
+ "children": [
1687
+ {
1688
+ "id": "sensitive_application_data_stored_unencrypted",
1689
+ "name": "Sensitive Application Data Stored Unencrypted",
1690
+ "type": "subcategory",
1691
+ "children": [
1692
+ {
1693
+ "id": "on_external_storage",
1694
+ "name": "On External Storage",
1695
+ "type": "variant",
1696
+ "priority": 4
1697
+ },
1698
+ {
1699
+ "id": "on_internal_storage",
1700
+ "name": "On Internal Storage",
1701
+ "type": "variant",
1702
+ "priority": 5
1703
+ }
1704
+ ]
1705
+ },
1706
+ {
1707
+ "id": "server_side_credentials_storage",
1708
+ "name": "Server-Side Credentials Storage",
1709
+ "type": "subcategory",
1710
+ "children": [
1711
+ {
1712
+ "id": "plaintext",
1713
+ "name": "Plaintext",
1714
+ "type": "variant",
1715
+ "priority": 4
1716
+ }
1717
+ ]
1718
+ },
1719
+ {
1720
+ "id": "non_sensitive_application_data_stored_unencrypted",
1721
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1722
+ "type": "subcategory",
1723
+ "priority": 5
1724
+ },
1725
+ {
1726
+ "id": "screen_caching_enabled",
1727
+ "name": "Screen Caching Enabled",
1728
+ "type": "subcategory",
1729
+ "priority": 5
1730
+ }
1731
+ ]
1732
+ },
1733
+ {
1734
+ "id": "lack_of_binary_hardening",
1735
+ "name": "Lack of Binary Hardening",
1736
+ "type": "category",
1737
+ "children": [
1738
+ {
1739
+ "id": "lack_of_exploit_mitigations",
1740
+ "name": "Lack of Exploit Mitigations",
1741
+ "type": "subcategory",
1742
+ "priority": 5
1743
+ },
1744
+ {
1745
+ "id": "lack_of_jailbreak_detection",
1746
+ "name": "Lack of Jailbreak Detection",
1747
+ "type": "subcategory",
1748
+ "priority": 5
1749
+ },
1750
+ {
1751
+ "id": "lack_of_obfuscation",
1752
+ "name": "Lack of Obfuscation",
1753
+ "type": "subcategory",
1754
+ "priority": 5
1755
+ },
1756
+ {
1757
+ "id": "runtime_instrumentation_based",
1758
+ "name": "Runtime Instrumentation-Based",
1759
+ "type": "subcategory",
1760
+ "priority": 5
1761
+ }
1762
+ ]
1763
+ },
1764
+ {
1765
+ "id": "insecure_data_transport",
1766
+ "name": "Insecure Data Transport",
1767
+ "type": "category",
1768
+ "children": [
1769
+ {
1770
+ "id": "cleartext_transmission_of_sensitive_data",
1771
+ "name": "Cleartext Transmission of Sensitive Data",
1772
+ "type": "subcategory",
1773
+ "priority": null
1774
+ },
1775
+ {
1776
+ "id": "executable_download",
1777
+ "name": "Executable Download",
1778
+ "type": "subcategory",
1779
+ "children": [
1780
+ {
1781
+ "id": "no_secure_integrity_check",
1782
+ "name": "No Secure Integrity Check",
1783
+ "type": "variant",
1784
+ "priority": 4
1785
+ },
1786
+ {
1787
+ "id": "secure_integrity_check",
1788
+ "name": "Secure Integrity Check",
1789
+ "type": "variant",
1790
+ "priority": 5
1791
+ }
1792
+ ]
1793
+ }
1794
+ ]
1795
+ },
1796
+ {
1797
+ "id": "insecure_os_firmware",
1798
+ "name": "Insecure OS/Firmware",
1799
+ "type": "category",
1800
+ "children": [
1801
+ {
1802
+ "id": "command_injection",
1803
+ "name": "Command Injection",
1804
+ "type": "subcategory",
1805
+ "priority": 1
1806
+ },
1807
+ {
1808
+ "id": "hardcoded_password",
1809
+ "name": "Hardcoded Password",
1810
+ "type": "subcategory",
1811
+ "children": [
1812
+ {
1813
+ "id": "privileged_user",
1814
+ "name": "Privileged User",
1815
+ "type": "variant",
1816
+ "priority": 1
1817
+ },
1818
+ {
1819
+ "id": "non_privileged_user",
1820
+ "name": "Non-Privileged User",
1821
+ "type": "variant",
1822
+ "priority": 2
1823
+ }
1824
+ ]
1825
+ }
1826
+ ]
1827
+ },
1828
+ {
1829
+ "id": "cryptographic_weakness",
1830
+ "name": "Cryptographic Weakness",
1831
+ "type": "category",
1832
+ "children": [
1833
+ {
1834
+ "id": "insufficient_entropy",
1835
+ "name": "Insufficient Entropy",
1836
+ "type": "subcategory",
1837
+ "children": [
1838
+ {
1839
+ "id": "limited_rng_entropy_source",
1840
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
1841
+ "type": "variant",
1842
+ "priority": 4
1843
+ },
1844
+ {
1845
+ "id": "use_of_trng_for_nonsecurity_purpose",
1846
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
1847
+ "type": "variant",
1848
+ "priority": 5
1849
+ },
1850
+ {
1851
+ "id": "prng_seed_reuse",
1852
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
1853
+ "type": "variant",
1854
+ "priority": 5
1855
+ },
1856
+ {
1857
+ "id": "predictable_prng_seed",
1858
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
1859
+ "type": "variant",
1860
+ "priority": 4
1861
+ },
1862
+ {
1863
+ "id": "small_seed_space_in_prng",
1864
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
1865
+ "type": "variant",
1866
+ "priority": 4
1867
+ },
1868
+ {
1869
+ "id": "initialization_vector_reuse",
1870
+ "name": "Initialization Vector (IV) Reuse",
1871
+ "type": "variant",
1872
+ "priority": 5
1873
+ },
1874
+ {
1875
+ "id": "predictable_initialization_vector",
1876
+ "name": "Predictable Initialization Vector (IV)",
1877
+ "type": "variant",
1878
+ "priority": 4
1879
+ }
1880
+ ]
1881
+ },
1882
+ {
1883
+ "id": "insecure_implementation",
1884
+ "name": "Insecure Implementation",
1885
+ "type": "subcategory",
1886
+ "children": [
1887
+ {
1888
+ "id": "missing_cryptographic_step",
1889
+ "name": "Missing Cryptographic Step",
1890
+ "type": "variant",
1891
+ "priority": null
1892
+ },
1893
+ {
1894
+ "id": "improper_following_of_specification",
1895
+ "name": "Improper Following of Specification (Other)",
1896
+ "type": "variant",
1897
+ "priority": null
1898
+ }
1899
+ ]
1900
+ },
1901
+ {
1902
+ "id": "weak_hash",
1903
+ "name": "Weak Hash",
1904
+ "type": "subcategory",
1905
+ "children": [
1906
+ {
1907
+ "id": "lack_of_salt",
1908
+ "name": "Lack of Salt",
1909
+ "type": "variant",
1910
+ "priority": null
1911
+ },
1912
+ {
1913
+ "id": "use_of_predictable_salt",
1914
+ "name": "Use of Predictable Salt",
1915
+ "type": "variant",
1916
+ "priority": 5
1917
+ },
1918
+ {
1919
+ "id": "predictable_hash_collision",
1920
+ "name": "Predictable Hash Collision",
1921
+ "type": "variant",
1922
+ "priority": null
1923
+ }
1924
+ ]
1925
+ },
1926
+ {
1927
+ "id": "insufficient_verification_of_data_authenticity",
1928
+ "name": "Insufficient Verification of Data Authenticity",
1929
+ "type": "subcategory",
1930
+ "children": [
1931
+ {
1932
+ "id": "identity_check_value",
1933
+ "name": "Integrity Check Value (ICV)",
1934
+ "type": "variant",
1935
+ "priority": 4
1936
+ },
1937
+ {
1938
+ "id": "cryptographic_signature",
1939
+ "name": "Cryptographic Signature",
1940
+ "type": "variant",
1941
+ "priority": null
1942
+ }
1943
+ ]
1944
+ },
1945
+ {
1946
+ "id": "insecure_key_generation",
1947
+ "name": "Insecure Key Generation",
1948
+ "type": "subcategory",
1949
+ "children": [
1950
+ {
1951
+ "id": "improper_asymmetric_prime_selection",
1952
+ "name": "Improper Asymmetric Prime Selection",
1953
+ "type": "variant",
1954
+ "priority": null
1955
+ },
1956
+ {
1957
+ "id": "improper_asymmetric_exponent_selection",
1958
+ "name": "Improper Asymmetric Exponent Selection",
1959
+ "type": "variant",
1960
+ "priority": null
1961
+ },
1962
+ {
1963
+ "id": "insufficient_key_stretching",
1964
+ "name": "Insufficient Key Stretching",
1965
+ "type": "variant",
1966
+ "priority": null
1967
+ },
1968
+ {
1969
+ "id": "insufficient_key_space",
1970
+ "name": "Insufficient Key Space",
1971
+ "type": "variant",
1972
+ "priority": 3
1973
+ },
1974
+ {
1975
+ "id": "key_exchange_without_entity_authentication",
1976
+ "name": "Key Exchage Without Entity Authentication",
1977
+ "type": "variant",
1978
+ "priority": 4
1979
+ }
1980
+ ]
1981
+ },
1982
+ {
1983
+ "id": "key_reuse",
1984
+ "name": "Key Reuse",
1985
+ "type": "subcategory",
1986
+ "children": [
1987
+ {
1988
+ "id": "lack_of_perfect_forward_secrecy",
1989
+ "name": "Lack of Perfect Forward Secrecy",
1990
+ "type": "variant",
1991
+ "priority": 4
1992
+ },
1993
+ {
1994
+ "id": "intra_environment",
1995
+ "name": "Intra-Environment",
1996
+ "type": "variant",
1997
+ "priority": 5
1998
+ },
1999
+ {
2000
+ "id": "inter_environment",
2001
+ "name": "Inter-Environment",
2002
+ "type": "variant",
2003
+ "priority": 2
2004
+ }
2005
+ ]
2006
+ },
2007
+ {
2008
+ "id": "broken_cryptography",
2009
+ "name": "Broken Cryptography",
2010
+ "type": "subcategory",
2011
+ "children": [
2012
+ {
2013
+ "id": "use_of_broken_cryptographic_primitive",
2014
+ "name": "Use of Broken Cryptographic Primitive",
2015
+ "type": "variant",
2016
+ "priority": 3
2017
+ },
2018
+ {
2019
+ "id": "use_of_vulnerable_cryptographic_library",
2020
+ "name": "Use of Vulnerable Cryptographic Library",
2021
+ "type": "variant",
2022
+ "priority": 4
2023
+ }
2024
+ ]
2025
+ },
2026
+ {
2027
+ "id": "side_channel_attack",
2028
+ "name": "Side-Channel Attack",
2029
+ "type": "subcategory",
2030
+ "children": [
2031
+ {
2032
+ "id": "padding_oracle_attack",
2033
+ "name": "Padding Oracle Attack",
2034
+ "type": "variant",
2035
+ "priority": 4
2036
+ },
2037
+ {
2038
+ "id": "timing_attack",
2039
+ "name": "Timing Attack",
2040
+ "type": "variant",
2041
+ "priority": 4
2042
+ },
2043
+ {
2044
+ "id": "power_analysis_attack",
2045
+ "name": "Power Analysis Attack",
2046
+ "type": "variant",
2047
+ "priority": 5
2048
+ },
2049
+ {
2050
+ "id": "emanations_attack",
2051
+ "name": "Emanations Attack",
2052
+ "type": "variant",
2053
+ "priority": 5
2054
+ },
2055
+ {
2056
+ "id": "differential_fault_analysis",
2057
+ "name": "Differential Fault Analysis",
2058
+ "type": "variant",
2059
+ "priority": null
2060
+ }
2061
+ ]
2062
+ },
2063
+ {
2064
+ "id": "use_of_expired_cryptographic_key_or_cert",
2065
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
2066
+ "type": "subcategory",
2067
+ "priority": 4
2068
+ },
2069
+ {
2070
+ "id": "incomplete_cleanup_of_keying_material",
2071
+ "name": "Incomplete Cleanup of Keying Material",
2072
+ "type": "subcategory",
2073
+ "priority": 5
2074
+ }
2075
+ ]
2076
+ },
2077
+ {
2078
+ "id": "privacy_concerns",
2079
+ "name": "Privacy Concerns",
2080
+ "type": "category",
2081
+ "children": [
2082
+ {
2083
+ "id": "unnecessary_data_collection",
2084
+ "name": "Unnecessary Data Collection",
2085
+ "type": "subcategory",
2086
+ "children": [
2087
+ {
2088
+ "id": "wifi_ssid_password",
2089
+ "name": "WiFi SSID+Password",
2090
+ "type": "variant",
2091
+ "priority": 4
2092
+ }
2093
+ ]
2094
+ }
2095
+ ]
2096
+ },
2097
+ {
2098
+ "id": "network_security_misconfiguration",
2099
+ "name": "Network Security Misconfiguration",
2100
+ "type": "category",
2101
+ "children": [
2102
+ {
2103
+ "id": "telnet_enabled",
2104
+ "name": "Telnet Enabled",
2105
+ "type": "subcategory",
2106
+ "priority": 5
2107
+ }
2108
+ ]
2109
+ },
2110
+ {
2111
+ "id": "mobile_security_misconfiguration",
2112
+ "name": "Mobile Security Misconfiguration",
2113
+ "type": "category",
2114
+ "children": [
2115
+ {
2116
+ "id": "ssl_certificate_pinning",
2117
+ "name": "SSL Certificate Pinning",
2118
+ "type": "subcategory",
2119
+ "children": [
2120
+ {
2121
+ "id": "absent",
2122
+ "name": "Absent",
2123
+ "type": "variant",
2124
+ "priority": 5
2125
+ },
2126
+ {
2127
+ "id": "defeatable",
2128
+ "name": "Defeatable",
2129
+ "type": "variant",
2130
+ "priority": 5
2131
+ }
2132
+ ]
2133
+ },
2134
+ {
2135
+ "id": "tapjacking",
2136
+ "name": "Tapjacking",
2137
+ "type": "subcategory",
2138
+ "priority": 5
2139
+ },
2140
+ {
2141
+ "id": "clipboard_enabled",
2142
+ "name": "Clipboard Enabled",
2143
+ "type": "subcategory",
2144
+ "priority": 5
2145
+ },
2146
+ {
2147
+ "id": "auto_backup_allowed_by_default",
2148
+ "name": "Auto Backup Allowed by Default",
2149
+ "type": "subcategory",
2150
+ "priority": 5
2151
+ }
2152
+ ]
2153
+ },
2154
+ {
2155
+ "id": "client_side_injection",
2156
+ "name": "Client-Side Injection",
2157
+ "type": "category",
2158
+ "children": [
2159
+ {
2160
+ "id": "binary_planting",
2161
+ "name": "Binary Planting",
2162
+ "type": "subcategory",
2163
+ "children": [
2164
+ {
2165
+ "id": "privilege_escalation",
2166
+ "name": "Default Folder Privilege Escalation",
2167
+ "type": "variant",
2168
+ "priority": 3
2169
+ },
2170
+ {
2171
+ "id": "non_default_folder_privilege_escalation",
2172
+ "name": "Non-Default Folder Privilege Escalation",
2173
+ "type": "variant",
2174
+ "priority": 5
2175
+ },
2176
+ {
2177
+ "id": "no_privilege_escalation",
2178
+ "name": "No Privilege Escalation",
2179
+ "type": "variant",
2180
+ "priority": 5
2181
+ }
2182
+ ]
2183
+ }
2184
+ ]
2185
+ },
2186
+ {
2187
+ "id": "automotive_security_misconfiguration",
2188
+ "name": "Automotive Security Misconfiguration",
2189
+ "type": "category",
2190
+ "children": [
2191
+ {
2192
+ "id": "infotainment_radio_head_unit",
2193
+ "name": "Infotainment, Radio Head Unit",
2194
+ "type": "subcategory",
2195
+ "children": [
2196
+ {
2197
+ "id": "sensitive_data_leakage_exposure",
2198
+ "name": "Sensitive data Leakage/Exposure",
2199
+ "type": "variant",
2200
+ "priority": 1
2201
+ },
2202
+ {
2203
+ "id": "ota_firmware_manipulation",
2204
+ "name": "OTA Firmware Manipulation",
2205
+ "type": "variant",
2206
+ "priority": 2
2207
+ },
2208
+ {
2209
+ "id": "code_execution_can_bus_pivot",
2210
+ "name": "Code Execution (CAN Bus Pivot)",
2211
+ "type": "variant",
2212
+ "priority": 2
2213
+ },
2214
+ {
2215
+ "id": "code_execution_no_can_bus_pivot",
2216
+ "name": "Code Execution (No CAN Bus Pivot)",
2217
+ "type": "variant",
2218
+ "priority": 3
2219
+ },
2220
+ {
2221
+ "id": "unauthorized_access_to_services",
2222
+ "name": "Unauthorized Access to Services (API / Endpoints)",
2223
+ "type": "variant",
2224
+ "priority": 3
2225
+ },
2226
+ {
2227
+ "id": "source_code_dump",
2228
+ "name": "Source Code Dump",
2229
+ "type": "variant",
2230
+ "priority": 4
2231
+ },
2232
+ {
2233
+ "id": "dos_brick",
2234
+ "name": "Denial of Service (DoS / Brick)",
2235
+ "type": "variant",
2236
+ "priority": 4
2237
+ },
2238
+ {
2239
+ "id": "default_credentials",
2240
+ "name": "Default Credentials",
2241
+ "type": "variant",
2242
+ "priority": 4
2243
+ }
2244
+ ]
2245
+ },
2246
+ {
2247
+ "id": "rf_hub",
2248
+ "name": "RF Hub",
2249
+ "type": "subcategory",
2250
+ "children": [
2251
+ {
2252
+ "id": "key_fob_cloning",
2253
+ "name": "Key Fob Cloning",
2254
+ "type": "variant",
2255
+ "priority": 1
2256
+ },
2257
+ {
2258
+ "id": "can_injection_interaction",
2259
+ "name": "CAN Injection / Interaction",
2260
+ "type": "variant",
2261
+ "priority": 2
2262
+ },
2263
+ {
2264
+ "id": "data_leakage_pull_encryption_mechanism",
2265
+ "name": "Data Leakage / Pull Encryption Mechanism",
2266
+ "type": "variant",
2267
+ "priority": 3
2268
+ },
2269
+ {
2270
+ "id": "unauthorized_access_turn_on",
2271
+ "name": "Unauthorized Access / Turn On",
2272
+ "type": "variant",
2273
+ "priority": 4
2274
+ },
2275
+ {
2276
+ "id": "roll_jam",
2277
+ "name": "Roll Jam",
2278
+ "type": "variant",
2279
+ "priority": 5
2280
+ },
2281
+ {
2282
+ "id": "replay",
2283
+ "name": "Replay",
2284
+ "type": "variant",
2285
+ "priority": 5
2286
+ },
2287
+ {
2288
+ "id": "relay",
2289
+ "name": "Relay",
2290
+ "type": "variant",
2291
+ "priority": 5
2292
+ }
2293
+ ]
2294
+ },
2295
+ {
2296
+ "id": "can",
2297
+ "name": "CAN",
2298
+ "type": "subcategory",
2299
+ "children": [
2300
+ {
2301
+ "id": "injection_battery_management_system",
2302
+ "name": "Injection (Battery Management System)",
2303
+ "type": "variant",
2304
+ "priority": 3
2305
+ },
2306
+ {
2307
+ "id": "injection_steering_control",
2308
+ "name": "Injection (Steering Control)",
2309
+ "type": "variant",
2310
+ "priority": 3
2311
+ },
2312
+ {
2313
+ "id": "injection_pyrotechnical_device_deployment_tool",
2314
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
2315
+ "type": "variant",
2316
+ "priority": 3
2317
+ },
2318
+ {
2319
+ "id": "injection_headlights",
2320
+ "name": "Injection (Headlights)",
2321
+ "type": "variant",
2322
+ "priority": 3
2323
+ },
2324
+ {
2325
+ "id": "injection_sensors",
2326
+ "name": "Injection (Sensors)",
2327
+ "type": "variant",
2328
+ "priority": 3
2329
+ },
2330
+ {
2331
+ "id": "injection_vehicle_anti_theft_systems",
2332
+ "name": "Injection (Vehicle Anti-theft Systems)",
2333
+ "type": "variant",
2334
+ "priority": 3
2335
+ },
2336
+ {
2337
+ "id": "injection_powertrain",
2338
+ "name": "Injection (Powertrain)",
2339
+ "type": "variant",
2340
+ "priority": 3
2341
+ },
2342
+ {
2343
+ "id": "injection_basic_safety_message",
2344
+ "name": "Injection (Basic Safety Message)",
2345
+ "type": "variant",
2346
+ "priority": 3
2347
+ },
2348
+ {
2349
+ "id": "injection_disallowed_messages",
2350
+ "name": "Injection (Disallowed Messages)",
2351
+ "type": "variant",
2352
+ "priority": 4
2353
+ },
2354
+ {
2355
+ "id": "injection_dos",
2356
+ "name": "Injection (DoS)",
2357
+ "type": "variant",
2358
+ "priority": 4
2359
+ }
2360
+ ]
2361
+ },
2362
+ {
2363
+ "id": "battery_management_system",
2364
+ "name": "Battery Management System",
2365
+ "type": "subcategory",
2366
+ "children": [
2367
+ {
2368
+ "id": "firmware_dump",
2369
+ "name": "Firmware Dump",
2370
+ "type": "variant",
2371
+ "priority": 3
2372
+ },
2373
+ {
2374
+ "id": "fraudulent_interface",
2375
+ "name": "Fraudulent Interface",
2376
+ "type": "variant",
2377
+ "priority": 4
2378
+ }
2379
+ ]
2380
+ },
2381
+ {
2382
+ "id": "gnss_gps",
2383
+ "name": "GNSS / GPS",
2384
+ "type": "subcategory",
2385
+ "children": [
2386
+ {
2387
+ "id": "spoofing",
2388
+ "name": "Spoofing",
2389
+ "type": "variant",
2390
+ "priority": 4
2391
+ }
2392
+ ]
2393
+ },
2394
+ {
2395
+ "id": "immobilizer",
2396
+ "name": "Immobilizer",
2397
+ "type": "subcategory",
2398
+ "children": [
2399
+ {
2400
+ "id": "engine_start",
2401
+ "name": "Engine Start",
2402
+ "type": "variant",
2403
+ "priority": 3
2404
+ }
2405
+ ]
2406
+ },
2407
+ {
2408
+ "id": "abs",
2409
+ "name": "Automatic Braking System (ABS)",
2410
+ "type": "subcategory",
2411
+ "children": [
2412
+ {
2413
+ "id": "unintended_acceleration_brake",
2414
+ "name": "Unintended Acceleration / Brake",
2415
+ "type": "variant",
2416
+ "priority": 3
2417
+ }
2418
+ ]
2419
+ },
2420
+ {
2421
+ "id": "rsu",
2422
+ "name": "Roadside Unit (RSU)",
2423
+ "type": "subcategory",
2424
+ "children": [
2425
+ {
2426
+ "id": "sybil_attack",
2427
+ "name": "Sybil Attack",
2428
+ "type": "variant",
2429
+ "priority": 4
2430
+ }
2431
+ ]
2432
+ }
2433
+ ]
2434
+ },
2435
+ {
2436
+ "id": "indicators_of_compromise",
2437
+ "name": "Indicators of Compromise",
2438
+ "type": "category",
2439
+ "priority": null
2440
+ }
2441
+ ]
2442
+ }