vrt 0.12.6 → 0.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (29) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.14/deprecated-node-mapping.json +239 -0
  3. data/lib/data/1.14/mappings/cvss_v3/cvss_v3.json +1441 -0
  4. data/lib/data/1.14/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.14/mappings/cwe/cwe.json +818 -0
  6. data/lib/data/1.14/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.14/mappings/remediation_advice/remediation_advice.json +2080 -0
  8. data/lib/data/1.14/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.14/third-party-mappings/remediation_training/secure-code-warrior-links.json +438 -0
  10. data/lib/data/1.14/vrt.schema.json +63 -0
  11. data/lib/data/1.14/vulnerability-rating-taxonomy.json +2730 -0
  12. data/lib/data/1.14.1/deprecated-node-mapping.json +239 -0
  13. data/lib/data/1.14.1/mappings/cvss_v3/cvss_v3.json +1441 -0
  14. data/lib/data/1.14.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.14.1/mappings/cwe/cwe.json +818 -0
  16. data/lib/data/1.14.1/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.14.1/mappings/remediation_advice/remediation_advice.json +2080 -0
  18. data/lib/data/1.14.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.14.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +438 -0
  20. data/lib/data/1.14.1/vrt.schema.json +63 -0
  21. data/lib/data/1.14.1/vulnerability-rating-taxonomy.json +2730 -0
  22. data/lib/vrt/cross_version_mapping.rb +2 -2
  23. data/lib/vrt/map.rb +2 -2
  24. data/lib/vrt/mapping.rb +9 -5
  25. data/lib/vrt/node.rb +2 -2
  26. data/lib/vrt/third_party_links.rb +1 -1
  27. data/lib/vrt/version.rb +1 -1
  28. data/lib/vrt.rb +1 -1
  29. metadata +36 -14
data/lib/data/1.14.1/vulnerability-rating-taxonomy.json ADDED
@@ -0,0 +1,2730 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2024-07-18T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "server_side_request_forgery_ssrf",
13
+ "name": "Server-Side Request Forgery (SSRF)",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "internal_high_impact",
18
+ "name": "Internal High Impact",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "internal_scan_and_or_medium_impact",
24
+ "name": "Internal Scan and/or Medium Impact",
25
+ "type": "variant",
26
+ "priority": 3
27
+ },
28
+ {
29
+ "id": "external_low_impact",
30
+ "name": "External - Low impact",
31
+ "type": "variant",
32
+ "priority": 5
33
+ },
34
+ {
35
+ "id": "external_dns_query_only",
36
+ "name": "External - DNS Query Only",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "unsafe_cross_origin_resource_sharing",
44
+ "name": "Unsafe Cross-Origin Resource Sharing",
45
+ "type": "subcategory",
46
+ "priority": null
47
+ },
48
+ {
49
+ "id": "request_smuggling",
50
+ "name": "HTTP Request Smuggling",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "path_traversal",
56
+ "name": "Path Traversal",
57
+ "type": "subcategory",
58
+ "priority": null
59
+ },
60
+ {
61
+ "id": "directory_listing_enabled",
62
+ "name": "Directory Listing Enabled",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "sensitive_data_exposure",
67
+ "name": "Sensitive Data Exposure",
68
+ "type": "variant",
69
+ "priority": null
70
+ },
71
+ {
72
+ "id": "non_sensitive_data_exposure",
73
+ "name": "Non-Sensitive Data Exposure",
74
+ "type": "variant",
75
+ "priority": 5
76
+ }
77
+ ]
78
+ },
79
+ {
80
+ "id": "same_site_scripting",
81
+ "name": "Same-Site Scripting",
82
+ "type": "subcategory",
83
+ "priority": 5
84
+ },
85
+ {
86
+ "id": "ssl_attack_breach_poodle_etc",
87
+ "name": "SSL Attack (BREACH, POODLE etc.)",
88
+ "type": "subcategory",
89
+ "priority": null
90
+ },
91
+ {
92
+ "id": "using_default_credentials",
93
+ "name": "Using Default Credentials",
94
+ "type": "subcategory",
95
+ "priority": 1
96
+ },
97
+ {
98
+ "id": "misconfigured_dns",
99
+ "name": "Misconfigured DNS",
100
+ "type": "subcategory",
101
+ "children": [
102
+ {
103
+ "id": "basic_subdomain_takeover",
104
+ "name": "Basic Subdomain Takeover",
105
+ "type": "variant",
106
+ "priority": 3
107
+ },
108
+ {
109
+ "id": "high_impact_subdomain_takeover",
110
+ "name": "High Impact Subdomain Takeover",
111
+ "type": "variant",
112
+ "priority": 2
113
+ },
114
+ {
115
+ "id": "zone_transfer",
116
+ "name": "Zone Transfer",
117
+ "type": "variant",
118
+ "priority": 4
119
+ },
120
+ {
121
+ "id": "missing_caa_record",
122
+ "name": "Missing Certification Authority Authorization (CAA) Record",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "mail_server_misconfiguration",
130
+ "name": "Mail Server Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "no_spoofing_protection_on_email_domain",
135
+ "name": "No Spoofing Protection on Email Domain",
136
+ "type": "variant",
137
+ "priority": 3
138
+ },
139
+ {
140
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
141
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
142
+ "type": "variant",
143
+ "priority": 4
144
+ },
145
+ {
146
+ "id": "email_spoofing_to_spam_folder",
147
+ "name": "Email Spoofing to Spam Folder",
148
+ "type": "variant",
149
+ "priority": 5
150
+ },
151
+ {
152
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
153
+ "name": "Missing or Misconfigured SPF and/or DKIM",
154
+ "type": "variant",
155
+ "priority": 5
156
+ },
157
+ {
158
+ "id": "email_spoofing_on_non_email_domain",
159
+ "name": "Email Spoofing on Non-Email Domain",
160
+ "type": "variant",
161
+ "priority": 5
162
+ }
163
+ ]
164
+ },
165
+ {
166
+ "id": "dbms_misconfiguration",
167
+ "name": "Database Management System (DBMS) Misconfiguration",
168
+ "type": "subcategory",
169
+ "children": [
170
+ {
171
+ "id": "excessively_privileged_user_dba",
172
+ "name": "Excessively Privileged User / DBA",
173
+ "type": "variant",
174
+ "priority": 4
175
+ }
176
+ ]
177
+ },
178
+ {
179
+ "id": "lack_of_password_confirmation",
180
+ "name": "Lack of Password Confirmation",
181
+ "type": "subcategory",
182
+ "children": [
183
+ {
184
+ "id": "change_email_address",
185
+ "name": "Change Email Address",
186
+ "type": "variant",
187
+ "priority": 5
188
+ },
189
+ {
190
+ "id": "change_password",
191
+ "name": "Change Password",
192
+ "type": "variant",
193
+ "priority": 5
194
+ },
195
+ {
196
+ "id": "delete_account",
197
+ "name": "Delete Account",
198
+ "type": "variant",
199
+ "priority": 4
200
+ },
201
+ {
202
+ "id": "manage_two_fa",
203
+ "name": "Manage 2FA",
204
+ "type": "variant",
205
+ "priority": 5
206
+ }
207
+ ]
208
+ },
209
+ {
210
+ "id": "no_rate_limiting_on_form",
211
+ "name": "No Rate Limiting on Form",
212
+ "type": "subcategory",
213
+ "children": [
214
+ {
215
+ "id": "registration",
216
+ "name": "Registration",
217
+ "type": "variant",
218
+ "priority": 4
219
+ },
220
+ {
221
+ "id": "login",
222
+ "name": "Login",
223
+ "type": "variant",
224
+ "priority": 4
225
+ },
226
+ {
227
+ "id": "email_triggering",
228
+ "name": "Email-Triggering",
229
+ "type": "variant",
230
+ "priority": 4
231
+ },
232
+ {
233
+ "id": "sms_triggering",
234
+ "name": "SMS-Triggering",
235
+ "type": "variant",
236
+ "priority": 4
237
+ },
238
+ {
239
+ "id": "change_password",
240
+ "name": "Change Password",
241
+ "type": "variant",
242
+ "priority": 5
243
+ }
244
+ ]
245
+ },
246
+ {
247
+ "id": "unsafe_file_upload",
248
+ "name": "Unsafe File Upload",
249
+ "type": "subcategory",
250
+ "children": [
251
+ {
252
+ "id": "no_antivirus",
253
+ "name": "No Antivirus",
254
+ "type": "variant",
255
+ "priority": 5
256
+ },
257
+ {
258
+ "id": "no_size_limit",
259
+ "name": "No Size Limit",
260
+ "type": "variant",
261
+ "priority": 5
262
+ },
263
+ {
264
+ "id": "file_extension_filter_bypass",
265
+ "name": "File Extension Filter Bypass",
266
+ "type": "variant",
267
+ "priority": 5
268
+ }
269
+ ]
270
+ },
271
+ {
272
+ "id": "cookie_scoped_to_parent_domain",
273
+ "name": "Cookie Scoped to Parent Domain",
274
+ "type": "subcategory",
275
+ "priority": 5
276
+ },
277
+ {
278
+ "id": "missing_secure_or_httponly_cookie_flag",
279
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
280
+ "type": "subcategory",
281
+ "children": [
282
+ {
283
+ "id": "session_token",
284
+ "name": "Session Token",
285
+ "type": "variant",
286
+ "priority": 4
287
+ },
288
+ {
289
+ "id": "non_session_cookie",
290
+ "name": "Non-Session Cookie",
291
+ "type": "variant",
292
+ "priority": 5
293
+ }
294
+ ]
295
+ },
296
+ {
297
+ "id": "clickjacking",
298
+ "name": "Clickjacking",
299
+ "type": "subcategory",
300
+ "children": [
301
+ {
302
+ "id": "sensitive_action",
303
+ "name": "Sensitive Click-Based Action",
304
+ "type": "variant",
305
+ "priority": 4
306
+ },
307
+ {
308
+ "id": "form_input",
309
+ "name": "Form Input",
310
+ "type": "variant",
311
+ "priority": 5
312
+ },
313
+ {
314
+ "id": "non_sensitive_action",
315
+ "name": "Non-Sensitive Action",
316
+ "type": "variant",
317
+ "priority": 5
318
+ }
319
+ ]
320
+ },
321
+ {
322
+ "id": "oauth_misconfiguration",
323
+ "name": "OAuth Misconfiguration",
324
+ "type": "subcategory",
325
+ "children": [
326
+ {
327
+ "id": "account_takeover",
328
+ "name": "Account Takeover",
329
+ "type": "variant",
330
+ "priority": 2
331
+ },
332
+ {
333
+ "id": "account_squatting",
334
+ "name": "Account Squatting",
335
+ "type": "variant",
336
+ "priority": 4
337
+ },
338
+ {
339
+ "id": "missing_state_parameter",
340
+ "name": "Missing/Broken State Parameter",
341
+ "type": "variant",
342
+ "priority": null
343
+ },
344
+ {
345
+ "id": "insecure_redirect_uri",
346
+ "name": "Insecure Redirect URI",
347
+ "type": "variant",
348
+ "priority": null
349
+ }
350
+ ]
351
+ },
352
+ {
353
+ "id": "captcha",
354
+ "name": "CAPTCHA",
355
+ "type": "subcategory",
356
+ "children": [
357
+ {
358
+ "id": "implementation_vulnerability",
359
+ "name": "Implementation Vulnerability",
360
+ "type": "variant",
361
+ "priority": 4
362
+ },
363
+ {
364
+ "id": "brute_force",
365
+ "name": "Brute Force",
366
+ "type": "variant",
367
+ "priority": 5
368
+ },
369
+ {
370
+ "id": "missing",
371
+ "name": "Missing",
372
+ "type": "variant",
373
+ "priority": 5
374
+ }
375
+ ]
376
+ },
377
+ {
378
+ "id": "exposed_admin_portal",
379
+ "name": "Exposed Admin Portal",
380
+ "type": "subcategory",
381
+ "children": [
382
+ {
383
+ "id": "to_internet",
384
+ "name": "To Internet",
385
+ "type": "variant",
386
+ "priority": 5
387
+ }
388
+ ]
389
+ },
390
+ {
391
+ "id": "missing_dnssec",
392
+ "name": "Missing DNSSEC",
393
+ "type": "subcategory",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "fingerprinting_banner_disclosure",
398
+ "name": "Fingerprinting/Banner Disclosure",
399
+ "type": "subcategory",
400
+ "priority": 5
401
+ },
402
+ {
403
+ "id": "username_enumeration",
404
+ "name": "Username/Email Enumeration",
405
+ "type": "subcategory",
406
+ "children": [
407
+ {
408
+ "id": "brute_force",
409
+ "name": "Brute Force",
410
+ "type": "variant",
411
+ "priority": 5
412
+ }
413
+ ]
414
+ },
415
+ {
416
+ "id": "potentially_unsafe_http_method_enabled",
417
+ "name": "Potentially Unsafe HTTP Method Enabled",
418
+ "type": "subcategory",
419
+ "children": [
420
+ {
421
+ "id": "options",
422
+ "name": "OPTIONS",
423
+ "type": "variant",
424
+ "priority": 5
425
+ },
426
+ {
427
+ "id": "trace",
428
+ "name": "TRACE",
429
+ "type": "variant",
430
+ "priority": 5
431
+ }
432
+ ]
433
+ },
434
+ {
435
+ "id": "insecure_ssl",
436
+ "name": "Insecure SSL",
437
+ "type": "subcategory",
438
+ "children": [
439
+ {
440
+ "id": "lack_of_forward_secrecy",
441
+ "name": "Lack of Forward Secrecy",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "insecure_cipher_suite",
447
+ "name": "Insecure Cipher Suite",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "certificate_error",
453
+ "name": "Certificate Error",
454
+ "type": "variant",
455
+ "priority": 5
456
+ }
457
+ ]
458
+ },
459
+ {
460
+ "id": "rfd",
461
+ "name": "Reflected File Download (RFD)",
462
+ "type": "subcategory",
463
+ "priority": 5
464
+ },
465
+ {
466
+ "id": "lack_of_security_headers",
467
+ "name": "Lack of Security Headers",
468
+ "type": "subcategory",
469
+ "children": [
470
+ {
471
+ "id": "x_frame_options",
472
+ "name": "X-Frame-Options",
473
+ "type": "variant",
474
+ "priority": 5
475
+ },
476
+ {
477
+ "id": "cache_control_for_a_non_sensitive_page",
478
+ "name": "Cache-Control for a Non-Sensitive Page",
479
+ "type": "variant",
480
+ "priority": 5
481
+ },
482
+ {
483
+ "id": "x_xss_protection",
484
+ "name": "X-XSS-Protection",
485
+ "type": "variant",
486
+ "priority": 5
487
+ },
488
+ {
489
+ "id": "strict_transport_security",
490
+ "name": "Strict-Transport-Security",
491
+ "type": "variant",
492
+ "priority": 5
493
+ },
494
+ {
495
+ "id": "x_content_type_options",
496
+ "name": "X-Content-Type-Options",
497
+ "type": "variant",
498
+ "priority": 5
499
+ },
500
+ {
501
+ "id": "content_security_policy",
502
+ "name": "Content-Security-Policy",
503
+ "type": "variant",
504
+ "priority": 5
505
+ },
506
+ {
507
+ "id": "public_key_pins",
508
+ "name": "Public-Key-Pins",
509
+ "type": "variant",
510
+ "priority": 5
511
+ },
512
+ {
513
+ "id": "x_content_security_policy",
514
+ "name": "X-Content-Security-Policy",
515
+ "type": "variant",
516
+ "priority": 5
517
+ },
518
+ {
519
+ "id": "x_webkit_csp",
520
+ "name": "X-Webkit-CSP",
521
+ "type": "variant",
522
+ "priority": 5
523
+ },
524
+ {
525
+ "id": "content_security_policy_report_only",
526
+ "name": "Content-Security-Policy-Report-Only",
527
+ "type": "variant",
528
+ "priority": 5
529
+ },
530
+ {
531
+ "id": "cache_control_for_a_sensitive_page",
532
+ "name": "Cache-Control for a Sensitive Page",
533
+ "type": "variant",
534
+ "priority": 4
535
+ }
536
+ ]
537
+ },
538
+ {
539
+ "id": "waf_bypass",
540
+ "name": "Web Application Firewall (WAF) Bypass",
541
+ "type": "subcategory",
542
+ "children": [
543
+ {
544
+ "id": "direct_server_access",
545
+ "name": "Direct Server Access",
546
+ "type": "variant",
547
+ "priority": 4
548
+ }
549
+ ]
550
+ },
551
+ {
552
+ "id": "race_condition",
553
+ "name": "Race Condition",
554
+ "type": "subcategory",
555
+ "priority": null
556
+ },
557
+ {
558
+ "id": "email_verification_bypass",
559
+ "name": "Email Verification Bypass",
560
+ "type": "subcategory",
561
+ "priority": 5
562
+ },
563
+ {
564
+ "id": "missing_subresource_integrity",
565
+ "name": "Missing Subresource Integrity",
566
+ "type": "subcategory",
567
+ "priority": 5
568
+ },
569
+ {
570
+ "id": "software_package_takeover",
571
+ "name": "Software Package Takeover",
572
+ "type": "subcategory",
573
+ "priority": null
574
+ },
575
+ {
576
+ "id": "cache_poisoning",
577
+ "name": "Cache Poisoning",
578
+ "type": "subcategory",
579
+ "priority": null
580
+ },
581
+ {
582
+ "id": "bitsquatting",
583
+ "name": "Bitsquatting",
584
+ "type": "subcategory",
585
+ "priority": 5
586
+ }
587
+ ]
588
+ },
589
+ {
590
+ "id": "server_side_injection",
591
+ "name": "Server-Side Injection",
592
+ "type": "category",
593
+ "children": [
594
+ {
595
+ "id": "file_inclusion",
596
+ "name": "File Inclusion",
597
+ "type": "subcategory",
598
+ "children": [
599
+ {
600
+ "id": "local",
601
+ "name": "Local",
602
+ "type": "variant",
603
+ "priority": 1
604
+ }
605
+ ]
606
+ },
607
+ {
608
+ "id": "parameter_pollution",
609
+ "name": "Parameter Pollution",
610
+ "type": "subcategory",
611
+ "children": [
612
+ {
613
+ "id": "social_media_sharing_buttons",
614
+ "name": "Social Media Sharing Buttons",
615
+ "type": "variant",
616
+ "priority": 5
617
+ }
618
+ ]
619
+ },
620
+ {
621
+ "id": "remote_code_execution_rce",
622
+ "name": "Remote Code Execution (RCE)",
623
+ "type": "subcategory",
624
+ "priority": 1
625
+ },
626
+ {
627
+ "id": "ldap_injection",
628
+ "name": "LDAP Injection",
629
+ "type": "subcategory",
630
+ "priority": null
631
+ },
632
+ {
633
+ "id": "sql_injection",
634
+ "name": "SQL Injection",
635
+ "type": "subcategory",
636
+ "priority": 1
637
+ },
638
+ {
639
+ "id": "xml_external_entity_injection_xxe",
640
+ "name": "XML External Entity Injection (XXE)",
641
+ "type": "subcategory",
642
+ "priority": 1
643
+ },
644
+ {
645
+ "id": "http_response_manipulation",
646
+ "name": "HTTP Response Manipulation",
647
+ "type": "subcategory",
648
+ "children": [
649
+ {
650
+ "id": "response_splitting_crlf",
651
+ "name": "Response Splitting (CRLF)",
652
+ "type": "variant",
653
+ "priority": 3
654
+ }
655
+ ]
656
+ },
657
+ {
658
+ "id": "content_spoofing",
659
+ "name": "Content Spoofing",
660
+ "type": "subcategory",
661
+ "children": [
662
+ {
663
+ "id": "iframe_injection",
664
+ "name": "iframe Injection",
665
+ "type": "variant",
666
+ "priority": 3
667
+ },
668
+ {
669
+ "id": "impersonation_via_broken_link_hijacking",
670
+ "name": "Impersonation via Broken Link Hijacking",
671
+ "type": "variant",
672
+ "priority": 4
673
+ },
674
+ {
675
+ "id": "external_authentication_injection",
676
+ "name": "External Authentication Injection",
677
+ "type": "variant",
678
+ "priority": 4
679
+ },
680
+ {
681
+ "id": "flash_based_external_authentication_injection",
682
+ "name": "Flash Based External Authentication Injection",
683
+ "type": "variant",
684
+ "priority": 5
685
+ },
686
+ {
687
+ "id": "html_content_injection",
688
+ "name": "HTML Content Injection",
689
+ "type": "variant",
690
+ "priority": 5
691
+ },
692
+ {
693
+ "id": "email_html_injection",
694
+ "name": "Email HTML Injection",
695
+ "type": "variant",
696
+ "priority": 4
697
+ },
698
+ {
699
+ "id": "email_hyperlink_injection_based_on_email_provider",
700
+ "name": "Email Hyperlink Injection Based on Email Provider",
701
+ "type": "variant",
702
+ "priority": 5
703
+ },
704
+ {
705
+ "id": "text_injection",
706
+ "name": "Text Injection",
707
+ "type": "variant",
708
+ "priority": 5
709
+ },
710
+ {
711
+ "id": "homograph_idn_based",
712
+ "name": "Homograph/IDN-Based",
713
+ "type": "variant",
714
+ "priority": 5
715
+ },
716
+ {
717
+ "id": "rtlo",
718
+ "name": "Right-to-Left Override (RTLO)",
719
+ "type": "variant",
720
+ "priority": 5
721
+ }
722
+ ]
723
+ },
724
+ {
725
+ "id": "ssti",
726
+ "name": "Server-Side Template Injection (SSTI)",
727
+ "type": "subcategory",
728
+ "children": [
729
+ {
730
+ "id": "basic",
731
+ "name": "Basic",
732
+ "type": "variant",
733
+ "priority": 4
734
+ },
735
+ {
736
+ "id": "custom",
737
+ "name": "Custom",
738
+ "type": "variant",
739
+ "priority": null
740
+ }
741
+ ]
742
+ }
743
+ ]
744
+ },
745
+ {
746
+ "id": "broken_authentication_and_session_management",
747
+ "name": "Broken Authentication and Session Management",
748
+ "type": "category",
749
+ "children": [
750
+ {
751
+ "id": "authentication_bypass",
752
+ "name": "Authentication Bypass",
753
+ "type": "subcategory",
754
+ "priority": 1
755
+ },
756
+ {
757
+ "id": "two_fa_bypass",
758
+ "name": "Second Factor Authentication (2FA) Bypass",
759
+ "type": "subcategory",
760
+ "priority": 3
761
+ },
762
+ {
763
+ "id": "cleartext_transmission_of_session_token",
764
+ "name": "Cleartext Transmission of Session Token",
765
+ "type": "subcategory",
766
+ "priority": 4
767
+ },
768
+ {
769
+ "id": "weak_login_function",
770
+ "name": "Weak Login Function",
771
+ "type": "subcategory",
772
+ "children": [
773
+ {
774
+ "id": "not_operational",
775
+ "name": "Not Operational or Intended Public Access",
776
+ "type": "variant",
777
+ "priority": 5
778
+ },
779
+ {
780
+ "id": "other_plaintext_protocol_no_secure_alternative",
781
+ "name": "Other Plaintext Protocol with no Secure Alternative",
782
+ "type": "variant",
783
+ "priority": 4
784
+ },
785
+ {
786
+ "id": "over_http",
787
+ "name": "Over HTTP",
788
+ "type": "variant",
789
+ "priority": 4
790
+ }
791
+ ]
792
+ },
793
+ {
794
+ "id": "session_fixation",
795
+ "name": "Session Fixation",
796
+ "type": "subcategory",
797
+ "children": [
798
+ {
799
+ "id": "remote_attack_vector",
800
+ "name": "Remote Attack Vector",
801
+ "type": "variant",
802
+ "priority": 3
803
+ },
804
+ {
805
+ "id": "local_attack_vector",
806
+ "name": "Local Attack Vector",
807
+ "type": "variant",
808
+ "priority": 5
809
+ }
810
+ ]
811
+ },
812
+ {
813
+ "id": "failure_to_invalidate_session",
814
+ "name": "Failure to Invalidate Session",
815
+ "type": "subcategory",
816
+ "children": [
817
+ {
818
+ "id": "on_logout",
819
+ "name": "On Logout (Client and Server-Side)",
820
+ "type": "variant",
821
+ "priority": 4
822
+ },
823
+ {
824
+ "id": "permission_change",
825
+ "name": "On Permission Change",
826
+ "type": "variant",
827
+ "priority": null
828
+ },
829
+ {
830
+ "id": "on_logout_server_side_only",
831
+ "name": "On Logout (Server-Side Only)",
832
+ "type": "variant",
833
+ "priority": 5
834
+ },
835
+ {
836
+ "id": "on_password_change",
837
+ "name": "On Password Reset and/or Change",
838
+ "type": "variant",
839
+ "priority": 4
840
+ },
841
+ {
842
+ "id": "all_sessions",
843
+ "name": "Concurrent Sessions On Logout",
844
+ "type": "variant",
845
+ "priority": 5
846
+ },
847
+ {
848
+ "id": "on_email_change",
849
+ "name": "On Email Change",
850
+ "type": "variant",
851
+ "priority": 5
852
+ },
853
+ {
854
+ "id": "on_two_fa_activation_change",
855
+ "name": "On 2FA Activation/Change",
856
+ "type": "variant",
857
+ "priority": 5
858
+ },
859
+ {
860
+ "id": "long_timeout",
861
+ "name": "Long Timeout",
862
+ "type": "variant",
863
+ "priority": 5
864
+ }
865
+ ]
866
+ },
867
+ {
868
+ "id": "concurrent_logins",
869
+ "name": "Concurrent Logins",
870
+ "type": "subcategory",
871
+ "priority": 5
872
+ },
873
+ {
874
+ "id": "weak_registration_implementation",
875
+ "name": "Weak Registration Implementation",
876
+ "type": "subcategory",
877
+ "children": [
878
+ {
879
+ "id": "over_http",
880
+ "name": "Over HTTP",
881
+ "type": "variant",
882
+ "priority": 4
883
+ }
884
+ ]
885
+ }
886
+ ]
887
+ },
888
+ {
889
+ "id": "sensitive_data_exposure",
890
+ "name": "Sensitive Data Exposure",
891
+ "type": "category",
892
+ "children": [
893
+ {
894
+ "id": "disclosure_of_secrets",
895
+ "name": "Disclosure of Secrets",
896
+ "type": "subcategory",
897
+ "children": [
898
+ {
899
+ "id": "for_publicly_accessible_asset",
900
+ "name": "For Publicly Accessible Asset",
901
+ "type": "variant",
902
+ "priority": 1
903
+ },
904
+ {
905
+ "id": "pii_leakage_exposure",
906
+ "name": "PII Leakage/Exposure",
907
+ "type": "variant",
908
+ "priority": null
909
+ },
910
+ {
911
+ "id": "for_internal_asset",
912
+ "name": "For Internal Asset",
913
+ "type": "variant",
914
+ "priority": 3
915
+ },
916
+ {
917
+ "id": "pay_per_use_abuse",
918
+ "name": "Pay-Per-Use Abuse",
919
+ "type": "variant",
920
+ "priority": 4
921
+ },
922
+ {
923
+ "id": "intentionally_public_sample_or_invalid",
924
+ "name": "Intentionally Public, Sample or Invalid",
925
+ "type": "variant",
926
+ "priority": 5
927
+ },
928
+ {
929
+ "id": "data_traffic_spam",
930
+ "name": "Data/Traffic Spam",
931
+ "type": "variant",
932
+ "priority": 5
933
+ },
934
+ {
935
+ "id": "non_corporate_user",
936
+ "name": "Non-Corporate User",
937
+ "type": "variant",
938
+ "priority": 5
939
+ }
940
+ ]
941
+ },
942
+ {
943
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
944
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
945
+ "type": "subcategory",
946
+ "children": [
947
+ {
948
+ "id": "automatic_user_enumeration",
949
+ "name": "Automatic User Enumeration",
950
+ "type": "variant",
951
+ "priority": 3
952
+ },
953
+ {
954
+ "id": "manual_user_enumeration",
955
+ "name": "Manual User Enumeration",
956
+ "type": "variant",
957
+ "priority": 4
958
+ }
959
+ ]
960
+ },
961
+ {
962
+ "id": "visible_detailed_error_page",
963
+ "name": "Visible Detailed Error/Debug Page",
964
+ "type": "subcategory",
965
+ "children": [
966
+ {
967
+ "id": "detailed_server_configuration",
968
+ "name": "Detailed Server Configuration",
969
+ "type": "variant",
970
+ "priority": 4
971
+ },
972
+ {
973
+ "id": "full_path_disclosure",
974
+ "name": "Full Path Disclosure",
975
+ "type": "variant",
976
+ "priority": 5
977
+ },
978
+ {
979
+ "id": "descriptive_stack_trace",
980
+ "name": "Descriptive Stack Trace",
981
+ "type": "variant",
982
+ "priority": 5
983
+ }
984
+ ]
985
+ },
986
+ {
987
+ "id": "disclosure_of_known_public_information",
988
+ "name": "Disclosure of Known Public Information",
989
+ "type": "subcategory",
990
+ "priority": 5
991
+ },
992
+ {
993
+ "id": "token_leakage_via_referer",
994
+ "name": "Token Leakage via Referer",
995
+ "type": "subcategory",
996
+ "children": [
997
+ {
998
+ "id": "trusted_third_party",
999
+ "name": "Trusted 3rd Party",
1000
+ "type": "variant",
1001
+ "priority": 5
1002
+ },
1003
+ {
1004
+ "id": "untrusted_third_party",
1005
+ "name": "Untrusted 3rd Party",
1006
+ "type": "variant",
1007
+ "priority": 4
1008
+ },
1009
+ {
1010
+ "id": "over_http",
1011
+ "name": "Over HTTP",
1012
+ "type": "variant",
1013
+ "priority": 4
1014
+ },
1015
+ {
1016
+ "id": "password_reset_token",
1017
+ "name": "Password Reset Token",
1018
+ "type": "variant",
1019
+ "priority": 5
1020
+ }
1021
+ ]
1022
+ },
1023
+ {
1024
+ "id": "sensitive_token_in_url",
1025
+ "name": "Sensitive Token in URL",
1026
+ "type": "subcategory",
1027
+ "children": [
1028
+ {
1029
+ "id": "user_facing",
1030
+ "name": "User Facing",
1031
+ "type": "variant",
1032
+ "priority": 4
1033
+ },
1034
+ {
1035
+ "id": "in_the_background",
1036
+ "name": "In the Background",
1037
+ "type": "variant",
1038
+ "priority": 5
1039
+ },
1040
+ {
1041
+ "id": "on_password_reset",
1042
+ "name": "On Password Reset",
1043
+ "type": "variant",
1044
+ "priority": 5
1045
+ }
1046
+ ]
1047
+ },
1048
+ {
1049
+ "id": "non_sensitive_token_in_url",
1050
+ "name": "Non-Sensitive Token in URL",
1051
+ "type": "subcategory",
1052
+ "priority": 5
1053
+ },
1054
+ {
1055
+ "id": "weak_password_reset_implementation",
1056
+ "name": "Weak Password Reset Implementation",
1057
+ "type": "subcategory",
1058
+ "children": [
1059
+ {
1060
+ "id": "password_reset_token_sent_over_http",
1061
+ "name": "Password Reset Token Sent Over HTTP",
1062
+ "type": "variant",
1063
+ "priority": 4
1064
+ },
1065
+ {
1066
+ "id": "token_leakage_via_host_header_poisoning",
1067
+ "name": "Token Leakage via Host Header Poisoning",
1068
+ "type": "variant",
1069
+ "priority": 2
1070
+ }
1071
+ ]
1072
+ },
1073
+ {
1074
+ "id": "mixed_content",
1075
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1076
+ "type": "subcategory",
1077
+ "priority": 5
1078
+ },
1079
+ {
1080
+ "id": "sensitive_data_hardcoded",
1081
+ "name": "Sensitive Data Hardcoded",
1082
+ "type": "subcategory",
1083
+ "children": [
1084
+ {
1085
+ "id": "oauth_secret",
1086
+ "name": "OAuth Secret",
1087
+ "type": "variant",
1088
+ "priority": 5
1089
+ },
1090
+ {
1091
+ "id": "file_paths",
1092
+ "name": "File Paths",
1093
+ "type": "variant",
1094
+ "priority": 5
1095
+ }
1096
+ ]
1097
+ },
1098
+ {
1099
+ "id": "internal_ip_disclosure",
1100
+ "name": "Internal IP Disclosure",
1101
+ "type": "subcategory",
1102
+ "priority": 5
1103
+ },
1104
+ {
1105
+ "id": "xssi",
1106
+ "name": "Cross Site Script Inclusion (XSSI)",
1107
+ "type": "subcategory",
1108
+ "priority": null
1109
+ },
1110
+ {
1111
+ "id": "json_hijacking",
1112
+ "name": "JSON Hijacking",
1113
+ "type": "subcategory",
1114
+ "priority": 5
1115
+ },
1116
+ {
1117
+ "id": "via_localstorage_sessionstorage",
1118
+ "name": "Via localStorage/sessionStorage",
1119
+ "type": "subcategory",
1120
+ "children": [
1121
+ {
1122
+ "id": "sensitive_token",
1123
+ "name": "Sensitive Token",
1124
+ "type": "variant",
1125
+ "priority": 4
1126
+ },
1127
+ {
1128
+ "id": "non_sensitive_token",
1129
+ "name": "Non-Sensitive Token",
1130
+ "type": "variant",
1131
+ "priority": 5
1132
+ }
1133
+ ]
1134
+ }
1135
+ ]
1136
+ },
1137
+ {
1138
+ "id": "cross_site_scripting_xss",
1139
+ "name": "Cross-Site Scripting (XSS)",
1140
+ "type": "category",
1141
+ "children": [
1142
+ {
1143
+ "id": "stored",
1144
+ "name": "Stored",
1145
+ "type": "subcategory",
1146
+ "children": [
1147
+ {
1148
+ "id": "non_admin_to_anyone",
1149
+ "name": "Non-Privileged User to Anyone",
1150
+ "type": "variant",
1151
+ "priority": 2
1152
+ },
1153
+ {
1154
+ "id": "privileged_user_to_privilege_elevation",
1155
+ "name": "Privileged User to Privilege Elevation",
1156
+ "type": "variant",
1157
+ "priority": 3
1158
+ },
1159
+ {
1160
+ "id": "privileged_user_to_no_privilege_elevation",
1161
+ "name": "Privileged User to No Privilege Elevation",
1162
+ "type": "variant",
1163
+ "priority": 4
1164
+ },
1165
+ {
1166
+ "id": "url_based",
1167
+ "name": "CSRF/URL-Based",
1168
+ "type": "variant",
1169
+ "priority": 3
1170
+ },
1171
+ {
1172
+ "id": "self",
1173
+ "name": "Self",
1174
+ "type": "variant",
1175
+ "priority": 5
1176
+ }
1177
+ ]
1178
+ },
1179
+ {
1180
+ "id": "reflected",
1181
+ "name": "Reflected",
1182
+ "type": "subcategory",
1183
+ "children": [
1184
+ {
1185
+ "id": "non_self",
1186
+ "name": "Non-Self",
1187
+ "type": "variant",
1188
+ "priority": 3
1189
+ },
1190
+ {
1191
+ "id": "self",
1192
+ "name": "Self",
1193
+ "type": "variant",
1194
+ "priority": 5
1195
+ }
1196
+ ]
1197
+ },
1198
+ {
1199
+ "id": "flash_based",
1200
+ "name": "Flash-Based",
1201
+ "type": "subcategory",
1202
+ "priority": 5
1203
+ },
1204
+ {
1205
+ "id": "cookie_based",
1206
+ "name": "Cookie-Based",
1207
+ "type": "subcategory",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "ie_only",
1212
+ "name": "IE-Only",
1213
+ "type": "subcategory",
1214
+ "priority": 5
1215
+ },
1216
+ {
1217
+ "id": "referer",
1218
+ "name": "Referer",
1219
+ "type": "subcategory",
1220
+ "priority": 4
1221
+ },
1222
+ {
1223
+ "id": "trace_method",
1224
+ "name": "TRACE Method",
1225
+ "type": "subcategory",
1226
+ "priority": 5
1227
+ },
1228
+ {
1229
+ "id": "universal_uxss",
1230
+ "name": "Universal (UXSS)",
1231
+ "type": "subcategory",
1232
+ "priority": 4
1233
+ },
1234
+ {
1235
+ "id": "off_domain",
1236
+ "name": "Off-Domain",
1237
+ "type": "subcategory",
1238
+ "children": [
1239
+ {
1240
+ "id": "data_uri",
1241
+ "name": "Data URI",
1242
+ "type": "variant",
1243
+ "priority": 4
1244
+ }
1245
+ ]
1246
+ }
1247
+ ]
1248
+ },
1249
+ {
1250
+ "id": "broken_access_control",
1251
+ "name": "Broken Access Control (BAC)",
1252
+ "type": "category",
1253
+ "children": [
1254
+ {
1255
+ "id": "idor",
1256
+ "name": "Insecure Direct Object References (IDOR)",
1257
+ "type": "subcategory",
1258
+ "children": [
1259
+ {
1260
+ "id": "read_edit_delete_non_sensitive_information",
1261
+ "name": "Read/Edit/Delete Non-Sensitive Information",
1262
+ "type": "variant",
1263
+ "priority": 5
1264
+ },
1265
+ {
1266
+ "id": "read_edit_delete_sensitive_information_guid",
1267
+ "name": "Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID)",
1268
+ "type": "variant",
1269
+ "priority": 4
1270
+ },
1271
+ {
1272
+ "id": "read_sensitive_information_iterable_object_identifiers",
1273
+ "name": "Read Sensitive Information/Iterable Object Identifiers",
1274
+ "type": "variant",
1275
+ "priority": 3
1276
+ },
1277
+ {
1278
+ "id": "edit_delete_sensitive_information_iterable_object_identifiers",
1279
+ "name": "Edit/Delete Sensitive Information/Iterable Object Identifiers",
1280
+ "type": "variant",
1281
+ "priority": 2
1282
+ },
1283
+ {
1284
+ "id": "read_edit_delete_sensitive_information_iterable_object_identifiers",
1285
+ "name": "Read/Edit/Delete Sensitive Information/Iterable Object Identifiers",
1286
+ "type": "variant",
1287
+ "priority": 1
1288
+ }
1289
+ ]
1290
+ },
1291
+ {
1292
+ "id": "username_enumeration",
1293
+ "name": "Username/Email Enumeration",
1294
+ "type": "subcategory",
1295
+ "children": [
1296
+ {
1297
+ "id": "non_brute_force",
1298
+ "name": "Non-Brute Force",
1299
+ "type": "variant",
1300
+ "priority": 4
1301
+ }
1302
+ ]
1303
+ },
1304
+ {
1305
+ "id": "exposed_sensitive_android_intent",
1306
+ "name": "Exposed Sensitive Android Intent",
1307
+ "type": "subcategory",
1308
+ "priority": null
1309
+ },
1310
+ {
1311
+ "id": "privilege_escalation",
1312
+ "name": "Privilege Escalation",
1313
+ "type": "subcategory",
1314
+ "priority": null
1315
+ },
1316
+ {
1317
+ "id": "exposed_sensitive_ios_url_scheme",
1318
+ "name": "Exposed Sensitive iOS URL Scheme",
1319
+ "type": "subcategory",
1320
+ "priority": null
1321
+ }
1322
+ ]
1323
+ },
1324
+ {
1325
+ "id": "cross_site_request_forgery_csrf",
1326
+ "name": "Cross-Site Request Forgery (CSRF)",
1327
+ "type": "category",
1328
+ "children": [
1329
+ {
1330
+ "id": "application_wide",
1331
+ "name": "Application-Wide",
1332
+ "type": "subcategory",
1333
+ "priority": 2
1334
+ },
1335
+ {
1336
+ "id": "action_specific",
1337
+ "name": "Action-Specific",
1338
+ "type": "subcategory",
1339
+ "children": [
1340
+ {
1341
+ "id": "authenticated_action",
1342
+ "name": "Authenticated Action",
1343
+ "type": "variant",
1344
+ "priority": null
1345
+ },
1346
+ {
1347
+ "id": "unauthenticated_action",
1348
+ "name": "Unauthenticated Action",
1349
+ "type": "variant",
1350
+ "priority": null
1351
+ },
1352
+ {
1353
+ "id": "logout",
1354
+ "name": "Logout",
1355
+ "type": "variant",
1356
+ "priority": 5
1357
+ }
1358
+ ]
1359
+ },
1360
+ {
1361
+ "id": "csrf_token_not_unique_per_request",
1362
+ "name": "CSRF Token Not Unique Per Request",
1363
+ "type": "subcategory",
1364
+ "priority": 5
1365
+ },
1366
+ {
1367
+ "id": "flash_based",
1368
+ "name": "Flash-Based",
1369
+ "type": "subcategory",
1370
+ "priority": 5
1371
+ }
1372
+ ]
1373
+ },
1374
+ {
1375
+ "id": "application_level_denial_of_service_dos",
1376
+ "name": "Application-Level Denial-of-Service (DoS)",
1377
+ "type": "category",
1378
+ "children": [
1379
+ {
1380
+ "id": "excessive_resource_consumption",
1381
+ "name": "Excessive Resource Consumption",
1382
+ "type": "subcategory",
1383
+ "children": [
1384
+ {
1385
+ "id": "injection_prompt",
1386
+ "name": "Injection (Prompt)",
1387
+ "type": "variant",
1388
+ "priority": null
1389
+ }
1390
+ ]
1391
+ },
1392
+ {
1393
+ "id": "critical_impact_and_or_easy_difficulty",
1394
+ "name": "Critical Impact and/or Easy Difficulty",
1395
+ "type": "subcategory",
1396
+ "priority": 2
1397
+ },
1398
+ {
1399
+ "id": "high_impact_and_or_medium_difficulty",
1400
+ "name": "High Impact and/or Medium Difficulty",
1401
+ "type": "subcategory",
1402
+ "priority": 3
1403
+ },
1404
+ {
1405
+ "id": "app_crash",
1406
+ "name": "App Crash",
1407
+ "type": "subcategory",
1408
+ "children": [
1409
+ {
1410
+ "id": "malformed_android_intents",
1411
+ "name": "Malformed Android Intents",
1412
+ "type": "variant",
1413
+ "priority": 5
1414
+ },
1415
+ {
1416
+ "id": "malformed_ios_url_schemes",
1417
+ "name": "Malformed iOS URL Schemes",
1418
+ "type": "variant",
1419
+ "priority": 5
1420
+ }
1421
+ ]
1422
+ }
1423
+ ]
1424
+ },
1425
+ {
1426
+ "id": "unvalidated_redirects_and_forwards",
1427
+ "name": "Unvalidated Redirects and Forwards",
1428
+ "type": "category",
1429
+ "children": [
1430
+ {
1431
+ "id": "open_redirect",
1432
+ "name": "Open Redirect",
1433
+ "type": "subcategory",
1434
+ "children": [
1435
+ {
1436
+ "id": "get_based",
1437
+ "name": "GET-Based",
1438
+ "type": "variant",
1439
+ "priority": 4
1440
+ },
1441
+ {
1442
+ "id": "post_based",
1443
+ "name": "POST-Based",
1444
+ "type": "variant",
1445
+ "priority": 5
1446
+ },
1447
+ {
1448
+ "id": "header_based",
1449
+ "name": "Header-Based",
1450
+ "type": "variant",
1451
+ "priority": 5
1452
+ },
1453
+ {
1454
+ "id": "flash_based",
1455
+ "name": "Flash-Based",
1456
+ "type": "variant",
1457
+ "priority": 5
1458
+ }
1459
+ ]
1460
+ },
1461
+ {
1462
+ "id": "tabnabbing",
1463
+ "name": "Tabnabbing",
1464
+ "type": "subcategory",
1465
+ "priority": 5
1466
+ },
1467
+ {
1468
+ "id": "lack_of_security_speed_bump_page",
1469
+ "name": "Lack of Security Speed Bump Page",
1470
+ "type": "subcategory",
1471
+ "priority": 5
1472
+ }
1473
+ ]
1474
+ },
1475
+ {
1476
+ "id": "external_behavior",
1477
+ "name": "External Behavior",
1478
+ "type": "category",
1479
+ "children": [
1480
+ {
1481
+ "id": "browser_feature",
1482
+ "name": "Browser Feature",
1483
+ "type": "subcategory",
1484
+ "children": [
1485
+ {
1486
+ "id": "plaintext_password_field",
1487
+ "name": "Plaintext Password Field",
1488
+ "type": "variant",
1489
+ "priority": 5
1490
+ },
1491
+ {
1492
+ "id": "save_password",
1493
+ "name": "Save Password",
1494
+ "type": "variant",
1495
+ "priority": 5
1496
+ },
1497
+ {
1498
+ "id": "autocomplete_enabled",
1499
+ "name": "Autocomplete Enabled",
1500
+ "type": "variant",
1501
+ "priority": 5
1502
+ },
1503
+ {
1504
+ "id": "autocorrect_enabled",
1505
+ "name": "Autocorrect Enabled",
1506
+ "type": "variant",
1507
+ "priority": 5
1508
+ },
1509
+ {
1510
+ "id": "aggressive_offline_caching",
1511
+ "name": "Aggressive Offline Caching",
1512
+ "type": "variant",
1513
+ "priority": 5
1514
+ }
1515
+ ]
1516
+ },
1517
+ {
1518
+ "id": "csv_injection",
1519
+ "name": "CSV Injection",
1520
+ "type": "subcategory",
1521
+ "priority": 5
1522
+ },
1523
+ {
1524
+ "id": "captcha_bypass",
1525
+ "name": "Captcha Bypass",
1526
+ "type": "subcategory",
1527
+ "children": [
1528
+ {
1529
+ "id": "crowdsourcing",
1530
+ "name": "Crowdsourcing",
1531
+ "type": "variant",
1532
+ "priority": 5
1533
+ }
1534
+ ]
1535
+ },
1536
+ {
1537
+ "id": "system_clipboard_leak",
1538
+ "name": "System Clipboard Leak",
1539
+ "type": "subcategory",
1540
+ "children": [
1541
+ {
1542
+ "id": "shared_links",
1543
+ "name": "Shared Links",
1544
+ "type": "variant",
1545
+ "priority": 5
1546
+ }
1547
+ ]
1548
+ },
1549
+ {
1550
+ "id": "user_password_persisted_in_memory",
1551
+ "name": "User Password Persisted in Memory",
1552
+ "type": "subcategory",
1553
+ "priority": 5
1554
+ }
1555
+ ]
1556
+ },
1557
+ {
1558
+ "id": "insufficient_security_configurability",
1559
+ "name": "Insufficient Security Configurability",
1560
+ "type": "category",
1561
+ "children": [
1562
+ {
1563
+ "id": "weak_password_policy",
1564
+ "name": "Weak Password Policy",
1565
+ "type": "subcategory",
1566
+ "priority": 5
1567
+ },
1568
+ {
1569
+ "id": "no_password_policy",
1570
+ "name": "No Password Policy",
1571
+ "type": "subcategory",
1572
+ "priority": 4
1573
+ },
1574
+ {
1575
+ "id": "password_policy_bypass",
1576
+ "name": "Password Policy Bypass",
1577
+ "type": "subcategory",
1578
+ "priority": 5
1579
+ },
1580
+ {
1581
+ "id": "weak_password_reset_implementation",
1582
+ "name": "Weak Password Reset Implementation",
1583
+ "type": "subcategory",
1584
+ "children": [
1585
+ {
1586
+ "id": "token_is_not_invalidated_after_use",
1587
+ "name": "Token is Not Invalidated After Use",
1588
+ "type": "variant",
1589
+ "priority": 4
1590
+ },
1591
+ {
1592
+ "id": "token_is_not_invalidated_after_email_change",
1593
+ "name": "Token is Not Invalidated After Email Change",
1594
+ "type": "variant",
1595
+ "priority": 5
1596
+ },
1597
+ {
1598
+ "id": "token_is_not_invalidated_after_password_change",
1599
+ "name": "Token is Not Invalidated After Password Change",
1600
+ "type": "variant",
1601
+ "priority": 5
1602
+ },
1603
+ {
1604
+ "id": "token_has_long_timed_expiry",
1605
+ "name": "Token Has Long Timed Expiry",
1606
+ "type": "variant",
1607
+ "priority": 5
1608
+ },
1609
+ {
1610
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1611
+ "name": "Token is Not Invalidated After New Token is Requested",
1612
+ "type": "variant",
1613
+ "priority": 5
1614
+ },
1615
+ {
1616
+ "id": "token_is_not_invalidated_after_login",
1617
+ "name": "Token is Not Invalidated After Login",
1618
+ "type": "variant",
1619
+ "priority": 5
1620
+ }
1621
+ ]
1622
+ },
1623
+ {
1624
+ "id": "verification_of_contact_method_not_required",
1625
+ "name": "Verification of Contact Method not Required",
1626
+ "type": "subcategory",
1627
+ "priority": 5
1628
+ },
1629
+ {
1630
+ "id": "lack_of_notification_email",
1631
+ "name": "Lack of Notification Email",
1632
+ "type": "subcategory",
1633
+ "priority": 5
1634
+ },
1635
+ {
1636
+ "id": "weak_registration_implementation",
1637
+ "name": "Weak Registration Implementation",
1638
+ "type": "subcategory",
1639
+ "children": [
1640
+ {
1641
+ "id": "allows_disposable_email_addresses",
1642
+ "name": "Allows Disposable Email Addresses",
1643
+ "type": "variant",
1644
+ "priority": 5
1645
+ }
1646
+ ]
1647
+ },
1648
+ {
1649
+ "id": "weak_two_fa_implementation",
1650
+ "name": "Weak 2FA Implementation",
1651
+ "type": "subcategory",
1652
+ "children": [
1653
+ {
1654
+ "id": "two_fa_secret_cannot_be_rotated",
1655
+ "name": "2FA Secret Cannot be Rotated",
1656
+ "type": "variant",
1657
+ "priority": 4
1658
+ },
1659
+ {
1660
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1661
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1662
+ "type": "variant",
1663
+ "priority": 4
1664
+ },
1665
+ {
1666
+ "id": "missing_failsafe",
1667
+ "name": "Missing Failsafe",
1668
+ "type": "variant",
1669
+ "priority": 5
1670
+ },
1671
+ {
1672
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1673
+ "name": "2FA Code is Not Updated After New Code is Requested",
1674
+ "type": "variant",
1675
+ "priority": 5
1676
+ },
1677
+ {
1678
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1679
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1680
+ "type": "variant",
1681
+ "priority": 5
1682
+ }
1683
+ ]
1684
+ }
1685
+ ]
1686
+ },
1687
+ {
1688
+ "id": "using_components_with_known_vulnerabilities",
1689
+ "name": "Using Components with Known Vulnerabilities",
1690
+ "type": "category",
1691
+ "children": [
1692
+ {
1693
+ "id": "rosetta_flash",
1694
+ "name": "Rosetta Flash",
1695
+ "type": "subcategory",
1696
+ "priority": 5
1697
+ },
1698
+ {
1699
+ "id": "outdated_software_version",
1700
+ "name": "Outdated Software Version",
1701
+ "type": "subcategory",
1702
+ "priority": 5
1703
+ },
1704
+ {
1705
+ "id": "captcha_bypass",
1706
+ "name": "Captcha Bypass",
1707
+ "type": "subcategory",
1708
+ "children": [
1709
+ {
1710
+ "id": "ocr_optical_character_recognition",
1711
+ "name": "OCR (Optical Character Recognition)",
1712
+ "type": "variant",
1713
+ "priority": 5
1714
+ }
1715
+ ]
1716
+ }
1717
+ ]
1718
+ },
1719
+ {
1720
+ "id": "insecure_data_storage",
1721
+ "name": "Insecure Data Storage",
1722
+ "type": "category",
1723
+ "children": [
1724
+ {
1725
+ "id": "sensitive_application_data_stored_unencrypted",
1726
+ "name": "Sensitive Application Data Stored Unencrypted",
1727
+ "type": "subcategory",
1728
+ "children": [
1729
+ {
1730
+ "id": "on_external_storage",
1731
+ "name": "On External Storage",
1732
+ "type": "variant",
1733
+ "priority": 4
1734
+ },
1735
+ {
1736
+ "id": "on_internal_storage",
1737
+ "name": "On Internal Storage",
1738
+ "type": "variant",
1739
+ "priority": 5
1740
+ }
1741
+ ]
1742
+ },
1743
+ {
1744
+ "id": "server_side_credentials_storage",
1745
+ "name": "Server-Side Credentials Storage",
1746
+ "type": "subcategory",
1747
+ "children": [
1748
+ {
1749
+ "id": "plaintext",
1750
+ "name": "Plaintext",
1751
+ "type": "variant",
1752
+ "priority": 4
1753
+ }
1754
+ ]
1755
+ },
1756
+ {
1757
+ "id": "non_sensitive_application_data_stored_unencrypted",
1758
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1759
+ "type": "subcategory",
1760
+ "priority": 5
1761
+ },
1762
+ {
1763
+ "id": "screen_caching_enabled",
1764
+ "name": "Screen Caching Enabled",
1765
+ "type": "subcategory",
1766
+ "priority": 5
1767
+ }
1768
+ ]
1769
+ },
1770
+ {
1771
+ "id": "lack_of_binary_hardening",
1772
+ "name": "Lack of Binary Hardening",
1773
+ "type": "category",
1774
+ "children": [
1775
+ {
1776
+ "id": "lack_of_exploit_mitigations",
1777
+ "name": "Lack of Exploit Mitigations",
1778
+ "type": "subcategory",
1779
+ "priority": 5
1780
+ },
1781
+ {
1782
+ "id": "lack_of_jailbreak_detection",
1783
+ "name": "Lack of Jailbreak Detection",
1784
+ "type": "subcategory",
1785
+ "priority": 5
1786
+ },
1787
+ {
1788
+ "id": "lack_of_obfuscation",
1789
+ "name": "Lack of Obfuscation",
1790
+ "type": "subcategory",
1791
+ "priority": 5
1792
+ },
1793
+ {
1794
+ "id": "runtime_instrumentation_based",
1795
+ "name": "Runtime Instrumentation-Based",
1796
+ "type": "subcategory",
1797
+ "priority": 5
1798
+ }
1799
+ ]
1800
+ },
1801
+ {
1802
+ "id": "insecure_data_transport",
1803
+ "name": "Insecure Data Transport",
1804
+ "type": "category",
1805
+ "children": [
1806
+ {
1807
+ "id": "cleartext_transmission_of_sensitive_data",
1808
+ "name": "Cleartext Transmission of Sensitive Data",
1809
+ "type": "subcategory",
1810
+ "priority": null
1811
+ },
1812
+ {
1813
+ "id": "executable_download",
1814
+ "name": "Executable Download",
1815
+ "type": "subcategory",
1816
+ "children": [
1817
+ {
1818
+ "id": "no_secure_integrity_check",
1819
+ "name": "No Secure Integrity Check",
1820
+ "type": "variant",
1821
+ "priority": 4
1822
+ },
1823
+ {
1824
+ "id": "secure_integrity_check",
1825
+ "name": "Secure Integrity Check",
1826
+ "type": "variant",
1827
+ "priority": 5
1828
+ }
1829
+ ]
1830
+ }
1831
+ ]
1832
+ },
1833
+ {
1834
+ "id": "data_biases",
1835
+ "name": "Data Biases",
1836
+ "type": "category",
1837
+ "children": [
1838
+ {
1839
+ "id": "representation_bias",
1840
+ "name": "Representation Bias",
1841
+ "type": "subcategory",
1842
+ "priority": null
1843
+ },
1844
+ {
1845
+ "id": "pre_existing_bias",
1846
+ "name": "Pre-existing Bias",
1847
+ "type": "subcategory",
1848
+ "priority": null
1849
+ }
1850
+ ]
1851
+ },
1852
+ {
1853
+ "id": "algorithmic_biases",
1854
+ "name": "Algorithmic Biases",
1855
+ "type": "category",
1856
+ "children": [
1857
+ {
1858
+ "id": "processing_bias",
1859
+ "name": "Processing Bias",
1860
+ "type": "subcategory",
1861
+ "priority": null
1862
+ },
1863
+ {
1864
+ "id": "aggregation_bias",
1865
+ "name": "Aggregation Bias",
1866
+ "type": "subcategory",
1867
+ "priority": null
1868
+ }
1869
+ ]
1870
+ },
1871
+ {
1872
+ "id": "societal_biases",
1873
+ "name": "Societal Biases",
1874
+ "type": "category",
1875
+ "children": [
1876
+ {
1877
+ "id": "confirmation_bias",
1878
+ "name": "Confirmation Bias",
1879
+ "type": "subcategory",
1880
+ "priority": null
1881
+ },
1882
+ {
1883
+ "id": "systemic_bias",
1884
+ "name": "Systemic Bias",
1885
+ "type": "subcategory",
1886
+ "priority": null
1887
+ }
1888
+ ]
1889
+ },
1890
+ {
1891
+ "id": "misinterpretation_biases",
1892
+ "name": "Misinterpretation Biases",
1893
+ "type": "category",
1894
+ "children": [
1895
+ {
1896
+ "id": "context_ignorance",
1897
+ "name": "Context Ignorance",
1898
+ "type": "subcategory",
1899
+ "priority": null
1900
+ }
1901
+ ]
1902
+ },
1903
+ {
1904
+ "id": "developer_biases",
1905
+ "name": "Developer Biases",
1906
+ "type": "category",
1907
+ "children": [
1908
+ {
1909
+ "id": "implicit_bias",
1910
+ "name": "Implicit Bias",
1911
+ "type": "subcategory",
1912
+ "priority": null
1913
+ }
1914
+ ]
1915
+ },
1916
+ {
1917
+ "id": "physical_security_issues",
1918
+ "name": "Physical Security Issues",
1919
+ "type": "category",
1920
+ "children": [
1921
+ {
1922
+ "id": "bypass_of_physical_access_control",
1923
+ "name": "Bypass of physical access control",
1924
+ "type": "subcategory",
1925
+ "priority": null
1926
+ },
1927
+ {
1928
+ "id": "weakness_in_physical_access_control",
1929
+ "name": "Weakness in physical access control",
1930
+ "type": "subcategory",
1931
+ "children": [
1932
+ {
1933
+ "id": "cloneable_key",
1934
+ "name": "Cloneable Key",
1935
+ "type": "variant",
1936
+ "priority": null
1937
+ },
1938
+ {
1939
+ "id": "master_key_identification",
1940
+ "name": "Master Key Identification",
1941
+ "type": "variant",
1942
+ "priority": null
1943
+ },
1944
+ {
1945
+ "id": "commonly_keyed_system",
1946
+ "name": "Commonly Keyed System",
1947
+ "type": "variant",
1948
+ "priority": 2
1949
+ }
1950
+ ]
1951
+ }
1952
+ ]
1953
+ },
1954
+ {
1955
+ "id": "insecure_os_firmware",
1956
+ "name": "Insecure OS/Firmware",
1957
+ "type": "category",
1958
+ "children": [
1959
+ {
1960
+ "id": "command_injection",
1961
+ "name": "Command Injection",
1962
+ "type": "subcategory",
1963
+ "priority": 1
1964
+ },
1965
+ {
1966
+ "id": "hardcoded_password",
1967
+ "name": "Hardcoded Password",
1968
+ "type": "subcategory",
1969
+ "children": [
1970
+ {
1971
+ "id": "privileged_user",
1972
+ "name": "Privileged User",
1973
+ "type": "variant",
1974
+ "priority": 1
1975
+ },
1976
+ {
1977
+ "id": "non_privileged_user",
1978
+ "name": "Non-Privileged User",
1979
+ "type": "variant",
1980
+ "priority": 2
1981
+ }
1982
+ ]
1983
+ },
1984
+ {
1985
+ "id": "weakness_in_firmware_updates",
1986
+ "name": "Weakness in Firmware Updates",
1987
+ "type": "subcategory",
1988
+ "children": [
1989
+ {
1990
+ "id": "firmware_cannot_be_updated",
1991
+ "name": "Firmware cannot be updated",
1992
+ "type": "variant",
1993
+ "priority": null
1994
+ },
1995
+ {
1996
+ "id": "firmware_does_not_validate_update_integrity",
1997
+ "name": "Firmware does not validate update integrity",
1998
+ "type": "variant",
1999
+ "priority": 3
2000
+ },
2001
+ {
2002
+ "id": "firmware_is_not_encrypted",
2003
+ "name": "Firmware is not encrypted",
2004
+ "type": "variant",
2005
+ "priority": 5
2006
+ }
2007
+ ]
2008
+ },
2009
+ {
2010
+ "id": "kiosk_escape_or_breakout",
2011
+ "name": "Kiosk Escape or Breakout",
2012
+ "type": "subcategory",
2013
+ "priority": null
2014
+ },
2015
+ {
2016
+ "id": "poorly_configured_disk_encryption",
2017
+ "name": "Poorly Configured Disk Encryption",
2018
+ "type": "subcategory",
2019
+ "priority": null
2020
+ },
2021
+ {
2022
+ "id": "shared_credentials_on_storage",
2023
+ "name": "Shared Credentials on Storage",
2024
+ "type": "subcategory",
2025
+ "priority": 3
2026
+ },
2027
+ {
2028
+ "id": "over_permissioned_credentials_on_storage",
2029
+ "name": "Over-Permissioned Credentials on Storage",
2030
+ "type": "subcategory",
2031
+ "priority": 2
2032
+ },
2033
+ {
2034
+ "id": "local_administrator_on_default_environment",
2035
+ "name": "Local Administrator on default environment",
2036
+ "type": "subcategory",
2037
+ "priority": 2
2038
+ },
2039
+ {
2040
+ "id": "poorly_configured_operating_system_security",
2041
+ "name": "Poorly Configured Operating System Security",
2042
+ "type": "subcategory",
2043
+ "priority": null
2044
+ },
2045
+ {
2046
+ "id": "recovery_of_disk_contains_sensitive_material",
2047
+ "name": "Recovery of Disk Contains Sensitive Material",
2048
+ "type": "subcategory",
2049
+ "priority": null
2050
+ },
2051
+ {
2052
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
2053
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
2054
+ "type": "subcategory",
2055
+ "priority": null
2056
+ },
2057
+ {
2058
+ "id": "data_not_encrypted_at_rest",
2059
+ "name": "Data not encrypted at rest",
2060
+ "type": "subcategory",
2061
+ "children": [
2062
+ {
2063
+ "id": "sensitive",
2064
+ "name": "Sensitive",
2065
+ "type": "variant",
2066
+ "priority": null
2067
+ },
2068
+ {
2069
+ "id": "non_sensitive",
2070
+ "name": "Non sensitive",
2071
+ "type": "variant",
2072
+ "priority": 5
2073
+ }
2074
+ ]
2075
+ }
2076
+ ]
2077
+ },
2078
+ {
2079
+ "id": "cryptographic_weakness",
2080
+ "name": "Cryptographic Weakness",
2081
+ "type": "category",
2082
+ "children": [
2083
+ {
2084
+ "id": "insufficient_entropy",
2085
+ "name": "Insufficient Entropy",
2086
+ "type": "subcategory",
2087
+ "children": [
2088
+ {
2089
+ "id": "limited_rng_entropy_source",
2090
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
2091
+ "type": "variant",
2092
+ "priority": 4
2093
+ },
2094
+ {
2095
+ "id": "use_of_trng_for_nonsecurity_purpose",
2096
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
2097
+ "type": "variant",
2098
+ "priority": 5
2099
+ },
2100
+ {
2101
+ "id": "prng_seed_reuse",
2102
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
2103
+ "type": "variant",
2104
+ "priority": 5
2105
+ },
2106
+ {
2107
+ "id": "predictable_prng_seed",
2108
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
2109
+ "type": "variant",
2110
+ "priority": 4
2111
+ },
2112
+ {
2113
+ "id": "small_seed_space_in_prng",
2114
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
2115
+ "type": "variant",
2116
+ "priority": 4
2117
+ },
2118
+ {
2119
+ "id": "initialization_vector_reuse",
2120
+ "name": "Initialization Vector (IV) Reuse",
2121
+ "type": "variant",
2122
+ "priority": 5
2123
+ },
2124
+ {
2125
+ "id": "predictable_initialization_vector",
2126
+ "name": "Predictable Initialization Vector (IV)",
2127
+ "type": "variant",
2128
+ "priority": 4
2129
+ }
2130
+ ]
2131
+ },
2132
+ {
2133
+ "id": "insecure_implementation",
2134
+ "name": "Insecure Implementation",
2135
+ "type": "subcategory",
2136
+ "children": [
2137
+ {
2138
+ "id": "missing_cryptographic_step",
2139
+ "name": "Missing Cryptographic Step",
2140
+ "type": "variant",
2141
+ "priority": null
2142
+ },
2143
+ {
2144
+ "id": "improper_following_of_specification",
2145
+ "name": "Improper Following of Specification (Other)",
2146
+ "type": "variant",
2147
+ "priority": null
2148
+ }
2149
+ ]
2150
+ },
2151
+ {
2152
+ "id": "weak_hash",
2153
+ "name": "Weak Hash",
2154
+ "type": "subcategory",
2155
+ "children": [
2156
+ {
2157
+ "id": "lack_of_salt",
2158
+ "name": "Lack of Salt",
2159
+ "type": "variant",
2160
+ "priority": null
2161
+ },
2162
+ {
2163
+ "id": "use_of_predictable_salt",
2164
+ "name": "Use of Predictable Salt",
2165
+ "type": "variant",
2166
+ "priority": 5
2167
+ },
2168
+ {
2169
+ "id": "predictable_hash_collision",
2170
+ "name": "Predictable Hash Collision",
2171
+ "type": "variant",
2172
+ "priority": null
2173
+ }
2174
+ ]
2175
+ },
2176
+ {
2177
+ "id": "insufficient_verification_of_data_authenticity",
2178
+ "name": "Insufficient Verification of Data Authenticity",
2179
+ "type": "subcategory",
2180
+ "children": [
2181
+ {
2182
+ "id": "identity_check_value",
2183
+ "name": "Integrity Check Value (ICV)",
2184
+ "type": "variant",
2185
+ "priority": 4
2186
+ },
2187
+ {
2188
+ "id": "cryptographic_signature",
2189
+ "name": "Cryptographic Signature",
2190
+ "type": "variant",
2191
+ "priority": null
2192
+ }
2193
+ ]
2194
+ },
2195
+ {
2196
+ "id": "insecure_key_generation",
2197
+ "name": "Insecure Key Generation",
2198
+ "type": "subcategory",
2199
+ "children": [
2200
+ {
2201
+ "id": "improper_asymmetric_prime_selection",
2202
+ "name": "Improper Asymmetric Prime Selection",
2203
+ "type": "variant",
2204
+ "priority": null
2205
+ },
2206
+ {
2207
+ "id": "improper_asymmetric_exponent_selection",
2208
+ "name": "Improper Asymmetric Exponent Selection",
2209
+ "type": "variant",
2210
+ "priority": null
2211
+ },
2212
+ {
2213
+ "id": "insufficient_key_stretching",
2214
+ "name": "Insufficient Key Stretching",
2215
+ "type": "variant",
2216
+ "priority": null
2217
+ },
2218
+ {
2219
+ "id": "insufficient_key_space",
2220
+ "name": "Insufficient Key Space",
2221
+ "type": "variant",
2222
+ "priority": 3
2223
+ },
2224
+ {
2225
+ "id": "key_exchange_without_entity_authentication",
2226
+ "name": "Key Exchage Without Entity Authentication",
2227
+ "type": "variant",
2228
+ "priority": 4
2229
+ }
2230
+ ]
2231
+ },
2232
+ {
2233
+ "id": "key_reuse",
2234
+ "name": "Key Reuse",
2235
+ "type": "subcategory",
2236
+ "children": [
2237
+ {
2238
+ "id": "lack_of_perfect_forward_secrecy",
2239
+ "name": "Lack of Perfect Forward Secrecy",
2240
+ "type": "variant",
2241
+ "priority": 4
2242
+ },
2243
+ {
2244
+ "id": "intra_environment",
2245
+ "name": "Intra-Environment",
2246
+ "type": "variant",
2247
+ "priority": 5
2248
+ },
2249
+ {
2250
+ "id": "inter_environment",
2251
+ "name": "Inter-Environment",
2252
+ "type": "variant",
2253
+ "priority": 2
2254
+ }
2255
+ ]
2256
+ },
2257
+ {
2258
+ "id": "broken_cryptography",
2259
+ "name": "Broken Cryptography",
2260
+ "type": "subcategory",
2261
+ "children": [
2262
+ {
2263
+ "id": "use_of_broken_cryptographic_primitive",
2264
+ "name": "Use of Broken Cryptographic Primitive",
2265
+ "type": "variant",
2266
+ "priority": 3
2267
+ },
2268
+ {
2269
+ "id": "use_of_vulnerable_cryptographic_library",
2270
+ "name": "Use of Vulnerable Cryptographic Library",
2271
+ "type": "variant",
2272
+ "priority": 4
2273
+ }
2274
+ ]
2275
+ },
2276
+ {
2277
+ "id": "side_channel_attack",
2278
+ "name": "Side-Channel Attack",
2279
+ "type": "subcategory",
2280
+ "children": [
2281
+ {
2282
+ "id": "padding_oracle_attack",
2283
+ "name": "Padding Oracle Attack",
2284
+ "type": "variant",
2285
+ "priority": 4
2286
+ },
2287
+ {
2288
+ "id": "timing_attack",
2289
+ "name": "Timing Attack",
2290
+ "type": "variant",
2291
+ "priority": 4
2292
+ },
2293
+ {
2294
+ "id": "power_analysis_attack",
2295
+ "name": "Power Analysis Attack",
2296
+ "type": "variant",
2297
+ "priority": 5
2298
+ },
2299
+ {
2300
+ "id": "emanations_attack",
2301
+ "name": "Emanations Attack",
2302
+ "type": "variant",
2303
+ "priority": 5
2304
+ },
2305
+ {
2306
+ "id": "differential_fault_analysis",
2307
+ "name": "Differential Fault Analysis",
2308
+ "type": "variant",
2309
+ "priority": null
2310
+ }
2311
+ ]
2312
+ },
2313
+ {
2314
+ "id": "use_of_expired_cryptographic_key_or_cert",
2315
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
2316
+ "type": "subcategory",
2317
+ "priority": 4
2318
+ },
2319
+ {
2320
+ "id": "incomplete_cleanup_of_keying_material",
2321
+ "name": "Incomplete Cleanup of Keying Material",
2322
+ "type": "subcategory",
2323
+ "priority": 5
2324
+ }
2325
+ ]
2326
+ },
2327
+ {
2328
+ "id": "privacy_concerns",
2329
+ "name": "Privacy Concerns",
2330
+ "type": "category",
2331
+ "children": [
2332
+ {
2333
+ "id": "unnecessary_data_collection",
2334
+ "name": "Unnecessary Data Collection",
2335
+ "type": "subcategory",
2336
+ "children": [
2337
+ {
2338
+ "id": "wifi_ssid_password",
2339
+ "name": "WiFi SSID+Password",
2340
+ "type": "variant",
2341
+ "priority": 4
2342
+ }
2343
+ ]
2344
+ }
2345
+ ]
2346
+ },
2347
+ {
2348
+ "id": "network_security_misconfiguration",
2349
+ "name": "Network Security Misconfiguration",
2350
+ "type": "category",
2351
+ "children": [
2352
+ {
2353
+ "id": "telnet_enabled",
2354
+ "name": "Telnet Enabled",
2355
+ "type": "subcategory",
2356
+ "priority": 5
2357
+ }
2358
+ ]
2359
+ },
2360
+ {
2361
+ "id": "mobile_security_misconfiguration",
2362
+ "name": "Mobile Security Misconfiguration",
2363
+ "type": "category",
2364
+ "children": [
2365
+ {
2366
+ "id": "ssl_certificate_pinning",
2367
+ "name": "SSL Certificate Pinning",
2368
+ "type": "subcategory",
2369
+ "children": [
2370
+ {
2371
+ "id": "absent",
2372
+ "name": "Absent",
2373
+ "type": "variant",
2374
+ "priority": 5
2375
+ },
2376
+ {
2377
+ "id": "defeatable",
2378
+ "name": "Defeatable",
2379
+ "type": "variant",
2380
+ "priority": 5
2381
+ }
2382
+ ]
2383
+ },
2384
+ {
2385
+ "id": "tapjacking",
2386
+ "name": "Tapjacking",
2387
+ "type": "subcategory",
2388
+ "priority": 5
2389
+ },
2390
+ {
2391
+ "id": "clipboard_enabled",
2392
+ "name": "Clipboard Enabled",
2393
+ "type": "subcategory",
2394
+ "priority": 5
2395
+ },
2396
+ {
2397
+ "id": "auto_backup_allowed_by_default",
2398
+ "name": "Auto Backup Allowed by Default",
2399
+ "type": "subcategory",
2400
+ "priority": 5
2401
+ }
2402
+ ]
2403
+ },
2404
+ {
2405
+ "id": "client_side_injection",
2406
+ "name": "Client-Side Injection",
2407
+ "type": "category",
2408
+ "children": [
2409
+ {
2410
+ "id": "binary_planting",
2411
+ "name": "Binary Planting",
2412
+ "type": "subcategory",
2413
+ "children": [
2414
+ {
2415
+ "id": "privilege_escalation",
2416
+ "name": "Default Folder Privilege Escalation",
2417
+ "type": "variant",
2418
+ "priority": 3
2419
+ },
2420
+ {
2421
+ "id": "non_default_folder_privilege_escalation",
2422
+ "name": "Non-Default Folder Privilege Escalation",
2423
+ "type": "variant",
2424
+ "priority": 5
2425
+ },
2426
+ {
2427
+ "id": "no_privilege_escalation",
2428
+ "name": "No Privilege Escalation",
2429
+ "type": "variant",
2430
+ "priority": 5
2431
+ }
2432
+ ]
2433
+ }
2434
+ ]
2435
+ },
2436
+ {
2437
+ "id": "automotive_security_misconfiguration",
2438
+ "name": "Automotive Security Misconfiguration",
2439
+ "type": "category",
2440
+ "children": [
2441
+ {
2442
+ "id": "infotainment_radio_head_unit",
2443
+ "name": "Infotainment, Radio Head Unit",
2444
+ "type": "subcategory",
2445
+ "children": [
2446
+ {
2447
+ "id": "sensitive_data_leakage_exposure",
2448
+ "name": "Sensitive data Leakage/Exposure",
2449
+ "type": "variant",
2450
+ "priority": 1
2451
+ },
2452
+ {
2453
+ "id": "ota_firmware_manipulation",
2454
+ "name": "OTA Firmware Manipulation",
2455
+ "type": "variant",
2456
+ "priority": 2
2457
+ },
2458
+ {
2459
+ "id": "code_execution_can_bus_pivot",
2460
+ "name": "Code Execution (CAN Bus Pivot)",
2461
+ "type": "variant",
2462
+ "priority": 2
2463
+ },
2464
+ {
2465
+ "id": "code_execution_no_can_bus_pivot",
2466
+ "name": "Code Execution (No CAN Bus Pivot)",
2467
+ "type": "variant",
2468
+ "priority": 3
2469
+ },
2470
+ {
2471
+ "id": "unauthorized_access_to_services",
2472
+ "name": "Unauthorized Access to Services (API / Endpoints)",
2473
+ "type": "variant",
2474
+ "priority": 3
2475
+ },
2476
+ {
2477
+ "id": "source_code_dump",
2478
+ "name": "Source Code Dump",
2479
+ "type": "variant",
2480
+ "priority": 4
2481
+ },
2482
+ {
2483
+ "id": "dos_brick",
2484
+ "name": "Denial of Service (DoS / Brick)",
2485
+ "type": "variant",
2486
+ "priority": 4
2487
+ },
2488
+ {
2489
+ "id": "default_credentials",
2490
+ "name": "Default Credentials",
2491
+ "type": "variant",
2492
+ "priority": 4
2493
+ }
2494
+ ]
2495
+ },
2496
+ {
2497
+ "id": "rf_hub",
2498
+ "name": "RF Hub",
2499
+ "type": "subcategory",
2500
+ "children": [
2501
+ {
2502
+ "id": "key_fob_cloning",
2503
+ "name": "Key Fob Cloning",
2504
+ "type": "variant",
2505
+ "priority": 1
2506
+ },
2507
+ {
2508
+ "id": "can_injection_interaction",
2509
+ "name": "CAN Injection / Interaction",
2510
+ "type": "variant",
2511
+ "priority": 2
2512
+ },
2513
+ {
2514
+ "id": "data_leakage_pull_encryption_mechanism",
2515
+ "name": "Data Leakage / Pull Encryption Mechanism",
2516
+ "type": "variant",
2517
+ "priority": 3
2518
+ },
2519
+ {
2520
+ "id": "unauthorized_access_turn_on",
2521
+ "name": "Unauthorized Access / Turn On",
2522
+ "type": "variant",
2523
+ "priority": 4
2524
+ },
2525
+ {
2526
+ "id": "roll_jam",
2527
+ "name": "Roll Jam",
2528
+ "type": "variant",
2529
+ "priority": 5
2530
+ },
2531
+ {
2532
+ "id": "replay",
2533
+ "name": "Replay",
2534
+ "type": "variant",
2535
+ "priority": 5
2536
+ },
2537
+ {
2538
+ "id": "relay",
2539
+ "name": "Relay",
2540
+ "type": "variant",
2541
+ "priority": 5
2542
+ }
2543
+ ]
2544
+ },
2545
+ {
2546
+ "id": "can",
2547
+ "name": "CAN",
2548
+ "type": "subcategory",
2549
+ "children": [
2550
+ {
2551
+ "id": "injection_battery_management_system",
2552
+ "name": "Injection (Battery Management System)",
2553
+ "type": "variant",
2554
+ "priority": 3
2555
+ },
2556
+ {
2557
+ "id": "injection_steering_control",
2558
+ "name": "Injection (Steering Control)",
2559
+ "type": "variant",
2560
+ "priority": 3
2561
+ },
2562
+ {
2563
+ "id": "injection_pyrotechnical_device_deployment_tool",
2564
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
2565
+ "type": "variant",
2566
+ "priority": 3
2567
+ },
2568
+ {
2569
+ "id": "injection_headlights",
2570
+ "name": "Injection (Headlights)",
2571
+ "type": "variant",
2572
+ "priority": 3
2573
+ },
2574
+ {
2575
+ "id": "injection_sensors",
2576
+ "name": "Injection (Sensors)",
2577
+ "type": "variant",
2578
+ "priority": 3
2579
+ },
2580
+ {
2581
+ "id": "injection_vehicle_anti_theft_systems",
2582
+ "name": "Injection (Vehicle Anti-theft Systems)",
2583
+ "type": "variant",
2584
+ "priority": 3
2585
+ },
2586
+ {
2587
+ "id": "injection_powertrain",
2588
+ "name": "Injection (Powertrain)",
2589
+ "type": "variant",
2590
+ "priority": 3
2591
+ },
2592
+ {
2593
+ "id": "injection_basic_safety_message",
2594
+ "name": "Injection (Basic Safety Message)",
2595
+ "type": "variant",
2596
+ "priority": 3
2597
+ },
2598
+ {
2599
+ "id": "injection_disallowed_messages",
2600
+ "name": "Injection (Disallowed Messages)",
2601
+ "type": "variant",
2602
+ "priority": 4
2603
+ },
2604
+ {
2605
+ "id": "injection_dos",
2606
+ "name": "Injection (DoS)",
2607
+ "type": "variant",
2608
+ "priority": 4
2609
+ }
2610
+ ]
2611
+ },
2612
+ {
2613
+ "id": "battery_management_system",
2614
+ "name": "Battery Management System",
2615
+ "type": "subcategory",
2616
+ "children": [
2617
+ {
2618
+ "id": "firmware_dump",
2619
+ "name": "Firmware Dump",
2620
+ "type": "variant",
2621
+ "priority": 3
2622
+ },
2623
+ {
2624
+ "id": "fraudulent_interface",
2625
+ "name": "Fraudulent Interface",
2626
+ "type": "variant",
2627
+ "priority": 4
2628
+ }
2629
+ ]
2630
+ },
2631
+ {
2632
+ "id": "gnss_gps",
2633
+ "name": "GNSS / GPS",
2634
+ "type": "subcategory",
2635
+ "children": [
2636
+ {
2637
+ "id": "spoofing",
2638
+ "name": "Spoofing",
2639
+ "type": "variant",
2640
+ "priority": 4
2641
+ }
2642
+ ]
2643
+ },
2644
+ {
2645
+ "id": "immobilizer",
2646
+ "name": "Immobilizer",
2647
+ "type": "subcategory",
2648
+ "children": [
2649
+ {
2650
+ "id": "engine_start",
2651
+ "name": "Engine Start",
2652
+ "type": "variant",
2653
+ "priority": 3
2654
+ }
2655
+ ]
2656
+ },
2657
+ {
2658
+ "id": "abs",
2659
+ "name": "Automatic Braking System (ABS)",
2660
+ "type": "subcategory",
2661
+ "children": [
2662
+ {
2663
+ "id": "unintended_acceleration_brake",
2664
+ "name": "Unintended Acceleration / Brake",
2665
+ "type": "variant",
2666
+ "priority": 3
2667
+ }
2668
+ ]
2669
+ },
2670
+ {
2671
+ "id": "rsu",
2672
+ "name": "Roadside Unit (RSU)",
2673
+ "type": "subcategory",
2674
+ "children": [
2675
+ {
2676
+ "id": "sybil_attack",
2677
+ "name": "Sybil Attack",
2678
+ "type": "variant",
2679
+ "priority": 4
2680
+ }
2681
+ ]
2682
+ }
2683
+ ]
2684
+ },
2685
+ {
2686
+ "id": "ai_application_security",
2687
+ "name": "AI Application Security",
2688
+ "type": "category",
2689
+ "children": [
2690
+ {
2691
+ "id": "llm_security",
2692
+ "name": "Large Language Model (LLM) Security",
2693
+ "type": "subcategory",
2694
+ "children": [
2695
+ {
2696
+ "id": "prompt_injection",
2697
+ "name": "Prompt Injection",
2698
+ "type": "variant",
2699
+ "priority": 1
2700
+ },
2701
+ {
2702
+ "id": "llm_output_handling",
2703
+ "name": "LLM Output Handling",
2704
+ "type": "variant",
2705
+ "priority": 1
2706
+ },
2707
+ {
2708
+ "id": "training_data_poisoning",
2709
+ "name": "Training Data Poisoning",
2710
+ "type": "variant",
2711
+ "priority": 1
2712
+ },
2713
+ {
2714
+ "id": "excessive_agency_permission_manipulation",
2715
+ "name": "Excessive Agency/Permission Manipulation",
2716
+ "type": "variant",
2717
+ "priority": 2
2718
+ }
2719
+ ]
2720
+ }
2721
+ ]
2722
+ },
2723
+ {
2724
+ "id": "indicators_of_compromise",
2725
+ "name": "Indicators of Compromise",
2726
+ "type": "category",
2727
+ "priority": null
2728
+ }
2729
+ ]
2730
+ }