vrt 0.12.6 → 0.13.1

Files changed (29)
  1. checksums.yaml +4 -4
  2. data/lib/data/1.14/deprecated-node-mapping.json +239 -0
  3. data/lib/data/1.14/mappings/cvss_v3/cvss_v3.json +1441 -0
  4. data/lib/data/1.14/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.14/mappings/cwe/cwe.json +818 -0
  6. data/lib/data/1.14/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.14/mappings/remediation_advice/remediation_advice.json +2080 -0
  8. data/lib/data/1.14/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.14/third-party-mappings/remediation_training/secure-code-warrior-links.json +438 -0
  10. data/lib/data/1.14/vrt.schema.json +63 -0
  11. data/lib/data/1.14/vulnerability-rating-taxonomy.json +2730 -0
  12. data/lib/data/1.14.1/deprecated-node-mapping.json +239 -0
  13. data/lib/data/1.14.1/mappings/cvss_v3/cvss_v3.json +1441 -0
  14. data/lib/data/1.14.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  15. data/lib/data/1.14.1/mappings/cwe/cwe.json +818 -0
  16. data/lib/data/1.14.1/mappings/cwe/cwe.schema.json +63 -0
  17. data/lib/data/1.14.1/mappings/remediation_advice/remediation_advice.json +2080 -0
  18. data/lib/data/1.14.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  19. data/lib/data/1.14.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +438 -0
  20. data/lib/data/1.14.1/vrt.schema.json +63 -0
  21. data/lib/data/1.14.1/vulnerability-rating-taxonomy.json +2730 -0
  22. data/lib/vrt/cross_version_mapping.rb +2 -2
  23. data/lib/vrt/map.rb +2 -2
  24. data/lib/vrt/mapping.rb +9 -5
  25. data/lib/vrt/node.rb +2 -2
  26. data/lib/vrt/third_party_links.rb +1 -1
  27. data/lib/vrt/version.rb +1 -1
  28. data/lib/vrt.rb +1 -1
  29. metadata +36 -14
@@ -0,0 +1,2730 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2024-07-09T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "server_side_request_forgery_ssrf",
13
+ "name": "Server-Side Request Forgery (SSRF)",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "internal_high_impact",
18
+ "name": "Internal High Impact",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "internal_scan_and_or_medium_impact",
24
+ "name": "Internal Scan and/or Medium Impact",
25
+ "type": "variant",
26
+ "priority": 3
27
+ },
28
+ {
29
+ "id": "external_low_impact",
30
+ "name": "External - Low impact",
31
+ "type": "variant",
32
+ "priority": 5
33
+ },
34
+ {
35
+ "id": "external_dns_query_only",
36
+ "name": "External - DNS Query Only",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "unsafe_cross_origin_resource_sharing",
44
+ "name": "Unsafe Cross-Origin Resource Sharing",
45
+ "type": "subcategory",
46
+ "priority": null
47
+ },
48
+ {
49
+ "id": "request_smuggling",
50
+ "name": "HTTP Request Smuggling",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "path_traversal",
56
+ "name": "Path Traversal",
57
+ "type": "subcategory",
58
+ "priority": null
59
+ },
60
+ {
61
+ "id": "directory_listing_enabled",
62
+ "name": "Directory Listing Enabled",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "sensitive_data_exposure",
67
+ "name": "Sensitive Data Exposure",
68
+ "type": "variant",
69
+ "priority": null
70
+ },
71
+ {
72
+ "id": "non_sensitive_data_exposure",
73
+ "name": "Non-Sensitive Data Exposure",
74
+ "type": "variant",
75
+ "priority": 5
76
+ }
77
+ ]
78
+ },
79
+ {
80
+ "id": "same_site_scripting",
81
+ "name": "Same-Site Scripting",
82
+ "type": "subcategory",
83
+ "priority": 5
84
+ },
85
+ {
86
+ "id": "ssl_attack_breach_poodle_etc",
87
+ "name": "SSL Attack (BREACH, POODLE etc.)",
88
+ "type": "subcategory",
89
+ "priority": null
90
+ },
91
+ {
92
+ "id": "using_default_credentials",
93
+ "name": "Using Default Credentials",
94
+ "type": "subcategory",
95
+ "priority": 1
96
+ },
97
+ {
98
+ "id": "misconfigured_dns",
99
+ "name": "Misconfigured DNS",
100
+ "type": "subcategory",
101
+ "children": [
102
+ {
103
+ "id": "basic_subdomain_takeover",
104
+ "name": "Basic Subdomain Takeover",
105
+ "type": "variant",
106
+ "priority": 3
107
+ },
108
+ {
109
+ "id": "high_impact_subdomain_takeover",
110
+ "name": "High Impact Subdomain Takeover",
111
+ "type": "variant",
112
+ "priority": 2
113
+ },
114
+ {
115
+ "id": "zone_transfer",
116
+ "name": "Zone Transfer",
117
+ "type": "variant",
118
+ "priority": 4
119
+ },
120
+ {
121
+ "id": "missing_caa_record",
122
+ "name": "Missing Certification Authority Authorization (CAA) Record",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "mail_server_misconfiguration",
130
+ "name": "Mail Server Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "no_spoofing_protection_on_email_domain",
135
+ "name": "No Spoofing Protection on Email Domain",
136
+ "type": "variant",
137
+ "priority": 3
138
+ },
139
+ {
140
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
141
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
142
+ "type": "variant",
143
+ "priority": 4
144
+ },
145
+ {
146
+ "id": "email_spoofing_to_spam_folder",
147
+ "name": "Email Spoofing to Spam Folder",
148
+ "type": "variant",
149
+ "priority": 5
150
+ },
151
+ {
152
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
153
+ "name": "Missing or Misconfigured SPF and/or DKIM",
154
+ "type": "variant",
155
+ "priority": 5
156
+ },
157
+ {
158
+ "id": "email_spoofing_on_non_email_domain",
159
+ "name": "Email Spoofing on Non-Email Domain",
160
+ "type": "variant",
161
+ "priority": 5
162
+ }
163
+ ]
164
+ },
165
+ {
166
+ "id": "dbms_misconfiguration",
167
+ "name": "Database Management System (DBMS) Misconfiguration",
168
+ "type": "subcategory",
169
+ "children": [
170
+ {
171
+ "id": "excessively_privileged_user_dba",
172
+ "name": "Excessively Privileged User / DBA",
173
+ "type": "variant",
174
+ "priority": 4
175
+ }
176
+ ]
177
+ },
178
+ {
179
+ "id": "lack_of_password_confirmation",
180
+ "name": "Lack of Password Confirmation",
181
+ "type": "subcategory",
182
+ "children": [
183
+ {
184
+ "id": "change_email_address",
185
+ "name": "Change Email Address",
186
+ "type": "variant",
187
+ "priority": 5
188
+ },
189
+ {
190
+ "id": "change_password",
191
+ "name": "Change Password",
192
+ "type": "variant",
193
+ "priority": 5
194
+ },
195
+ {
196
+ "id": "delete_account",
197
+ "name": "Delete Account",
198
+ "type": "variant",
199
+ "priority": 4
200
+ },
201
+ {
202
+ "id": "manage_two_fa",
203
+ "name": "Manage 2FA",
204
+ "type": "variant",
205
+ "priority": 5
206
+ }
207
+ ]
208
+ },
209
+ {
210
+ "id": "no_rate_limiting_on_form",
211
+ "name": "No Rate Limiting on Form",
212
+ "type": "subcategory",
213
+ "children": [
214
+ {
215
+ "id": "registration",
216
+ "name": "Registration",
217
+ "type": "variant",
218
+ "priority": 4
219
+ },
220
+ {
221
+ "id": "login",
222
+ "name": "Login",
223
+ "type": "variant",
224
+ "priority": 4
225
+ },
226
+ {
227
+ "id": "email_triggering",
228
+ "name": "Email-Triggering",
229
+ "type": "variant",
230
+ "priority": 4
231
+ },
232
+ {
233
+ "id": "sms_triggering",
234
+ "name": "SMS-Triggering",
235
+ "type": "variant",
236
+ "priority": 4
237
+ },
238
+ {
239
+ "id": "change_password",
240
+ "name": "Change Password",
241
+ "type": "variant",
242
+ "priority": 5
243
+ }
244
+ ]
245
+ },
246
+ {
247
+ "id": "unsafe_file_upload",
248
+ "name": "Unsafe File Upload",
249
+ "type": "subcategory",
250
+ "children": [
251
+ {
252
+ "id": "no_antivirus",
253
+ "name": "No Antivirus",
254
+ "type": "variant",
255
+ "priority": 5
256
+ },
257
+ {
258
+ "id": "no_size_limit",
259
+ "name": "No Size Limit",
260
+ "type": "variant",
261
+ "priority": 5
262
+ },
263
+ {
264
+ "id": "file_extension_filter_bypass",
265
+ "name": "File Extension Filter Bypass",
266
+ "type": "variant",
267
+ "priority": 5
268
+ }
269
+ ]
270
+ },
271
+ {
272
+ "id": "cookie_scoped_to_parent_domain",
273
+ "name": "Cookie Scoped to Parent Domain",
274
+ "type": "subcategory",
275
+ "priority": 5
276
+ },
277
+ {
278
+ "id": "missing_secure_or_httponly_cookie_flag",
279
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
280
+ "type": "subcategory",
281
+ "children": [
282
+ {
283
+ "id": "session_token",
284
+ "name": "Session Token",
285
+ "type": "variant",
286
+ "priority": 4
287
+ },
288
+ {
289
+ "id": "non_session_cookie",
290
+ "name": "Non-Session Cookie",
291
+ "type": "variant",
292
+ "priority": 5
293
+ }
294
+ ]
295
+ },
296
+ {
297
+ "id": "clickjacking",
298
+ "name": "Clickjacking",
299
+ "type": "subcategory",
300
+ "children": [
301
+ {
302
+ "id": "sensitive_action",
303
+ "name": "Sensitive Click-Based Action",
304
+ "type": "variant",
305
+ "priority": 4
306
+ },
307
+ {
308
+ "id": "form_input",
309
+ "name": "Form Input",
310
+ "type": "variant",
311
+ "priority": 5
312
+ },
313
+ {
314
+ "id": "non_sensitive_action",
315
+ "name": "Non-Sensitive Action",
316
+ "type": "variant",
317
+ "priority": 5
318
+ }
319
+ ]
320
+ },
321
+ {
322
+ "id": "oauth_misconfiguration",
323
+ "name": "OAuth Misconfiguration",
324
+ "type": "subcategory",
325
+ "children": [
326
+ {
327
+ "id": "account_takeover",
328
+ "name": "Account Takeover",
329
+ "type": "variant",
330
+ "priority": 2
331
+ },
332
+ {
333
+ "id": "account_squatting",
334
+ "name": "Account Squatting",
335
+ "type": "variant",
336
+ "priority": 4
337
+ },
338
+ {
339
+ "id": "missing_state_parameter",
340
+ "name": "Missing/Broken State Parameter",
341
+ "type": "variant",
342
+ "priority": null
343
+ },
344
+ {
345
+ "id": "insecure_redirect_uri",
346
+ "name": "Insecure Redirect URI",
347
+ "type": "variant",
348
+ "priority": null
349
+ }
350
+ ]
351
+ },
352
+ {
353
+ "id": "captcha",
354
+ "name": "CAPTCHA",
355
+ "type": "subcategory",
356
+ "children": [
357
+ {
358
+ "id": "implementation_vulnerability",
359
+ "name": "Implementation Vulnerability",
360
+ "type": "variant",
361
+ "priority": 4
362
+ },
363
+ {
364
+ "id": "brute_force",
365
+ "name": "Brute Force",
366
+ "type": "variant",
367
+ "priority": 5
368
+ },
369
+ {
370
+ "id": "missing",
371
+ "name": "Missing",
372
+ "type": "variant",
373
+ "priority": 5
374
+ }
375
+ ]
376
+ },
377
+ {
378
+ "id": "exposed_admin_portal",
379
+ "name": "Exposed Admin Portal",
380
+ "type": "subcategory",
381
+ "children": [
382
+ {
383
+ "id": "to_internet",
384
+ "name": "To Internet",
385
+ "type": "variant",
386
+ "priority": 5
387
+ }
388
+ ]
389
+ },
390
+ {
391
+ "id": "missing_dnssec",
392
+ "name": "Missing DNSSEC",
393
+ "type": "subcategory",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "fingerprinting_banner_disclosure",
398
+ "name": "Fingerprinting/Banner Disclosure",
399
+ "type": "subcategory",
400
+ "priority": 5
401
+ },
402
+ {
403
+ "id": "username_enumeration",
404
+ "name": "Username/Email Enumeration",
405
+ "type": "subcategory",
406
+ "children": [
407
+ {
408
+ "id": "brute_force",
409
+ "name": "Brute Force",
410
+ "type": "variant",
411
+ "priority": 5
412
+ }
413
+ ]
414
+ },
415
+ {
416
+ "id": "potentially_unsafe_http_method_enabled",
417
+ "name": "Potentially Unsafe HTTP Method Enabled",
418
+ "type": "subcategory",
419
+ "children": [
420
+ {
421
+ "id": "options",
422
+ "name": "OPTIONS",
423
+ "type": "variant",
424
+ "priority": 5
425
+ },
426
+ {
427
+ "id": "trace",
428
+ "name": "TRACE",
429
+ "type": "variant",
430
+ "priority": 5
431
+ }
432
+ ]
433
+ },
434
+ {
435
+ "id": "insecure_ssl",
436
+ "name": "Insecure SSL",
437
+ "type": "subcategory",
438
+ "children": [
439
+ {
440
+ "id": "lack_of_forward_secrecy",
441
+ "name": "Lack of Forward Secrecy",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "insecure_cipher_suite",
447
+ "name": "Insecure Cipher Suite",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "certificate_error",
453
+ "name": "Certificate Error",
454
+ "type": "variant",
455
+ "priority": 5
456
+ }
457
+ ]
458
+ },
459
+ {
460
+ "id": "rfd",
461
+ "name": "Reflected File Download (RFD)",
462
+ "type": "subcategory",
463
+ "priority": 5
464
+ },
465
+ {
466
+ "id": "lack_of_security_headers",
467
+ "name": "Lack of Security Headers",
468
+ "type": "subcategory",
469
+ "children": [
470
+ {
471
+ "id": "x_frame_options",
472
+ "name": "X-Frame-Options",
473
+ "type": "variant",
474
+ "priority": 5
475
+ },
476
+ {
477
+ "id": "cache_control_for_a_non_sensitive_page",
478
+ "name": "Cache-Control for a Non-Sensitive Page",
479
+ "type": "variant",
480
+ "priority": 5
481
+ },
482
+ {
483
+ "id": "x_xss_protection",
484
+ "name": "X-XSS-Protection",
485
+ "type": "variant",
486
+ "priority": 5
487
+ },
488
+ {
489
+ "id": "strict_transport_security",
490
+ "name": "Strict-Transport-Security",
491
+ "type": "variant",
492
+ "priority": 5
493
+ },
494
+ {
495
+ "id": "x_content_type_options",
496
+ "name": "X-Content-Type-Options",
497
+ "type": "variant",
498
+ "priority": 5
499
+ },
500
+ {
501
+ "id": "content_security_policy",
502
+ "name": "Content-Security-Policy",
503
+ "type": "variant",
504
+ "priority": 5
505
+ },
506
+ {
507
+ "id": "public_key_pins",
508
+ "name": "Public-Key-Pins",
509
+ "type": "variant",
510
+ "priority": 5
511
+ },
512
+ {
513
+ "id": "x_content_security_policy",
514
+ "name": "X-Content-Security-Policy",
515
+ "type": "variant",
516
+ "priority": 5
517
+ },
518
+ {
519
+ "id": "x_webkit_csp",
520
+ "name": "X-Webkit-CSP",
521
+ "type": "variant",
522
+ "priority": 5
523
+ },
524
+ {
525
+ "id": "content_security_policy_report_only",
526
+ "name": "Content-Security-Policy-Report-Only",
527
+ "type": "variant",
528
+ "priority": 5
529
+ },
530
+ {
531
+ "id": "cache_control_for_a_sensitive_page",
532
+ "name": "Cache-Control for a Sensitive Page",
533
+ "type": "variant",
534
+ "priority": 4
535
+ }
536
+ ]
537
+ },
538
+ {
539
+ "id": "waf_bypass",
540
+ "name": "Web Application Firewall (WAF) Bypass",
541
+ "type": "subcategory",
542
+ "children": [
543
+ {
544
+ "id": "direct_server_access",
545
+ "name": "Direct Server Access",
546
+ "type": "variant",
547
+ "priority": 4
548
+ }
549
+ ]
550
+ },
551
+ {
552
+ "id": "race_condition",
553
+ "name": "Race Condition",
554
+ "type": "subcategory",
555
+ "priority": null
556
+ },
557
+ {
558
+ "id": "email_verification_bypass",
559
+ "name": "Email Verification Bypass",
560
+ "type": "subcategory",
561
+ "priority": 5
562
+ },
563
+ {
564
+ "id": "missing_subresource_integrity",
565
+ "name": "Missing Subresource Integrity",
566
+ "type": "subcategory",
567
+ "priority": 5
568
+ },
569
+ {
570
+ "id": "software_package_takeover",
571
+ "name": "Software Package Takeover",
572
+ "type": "subcategory",
573
+ "priority": null
574
+ },
575
+ {
576
+ "id": "cache_poisoning",
577
+ "name": "Cache Poisoning",
578
+ "type": "subcategory",
579
+ "priority": null
580
+ },
581
+ {
582
+ "id": "bitsquatting",
583
+ "name": "Bitsquatting",
584
+ "type": "subcategory",
585
+ "priority": 5
586
+ }
587
+ ]
588
+ },
589
+ {
590
+ "id": "server_side_injection",
591
+ "name": "Server-Side Injection",
592
+ "type": "category",
593
+ "children": [
594
+ {
595
+ "id": "file_inclusion",
596
+ "name": "File Inclusion",
597
+ "type": "subcategory",
598
+ "children": [
599
+ {
600
+ "id": "local",
601
+ "name": "Local",
602
+ "type": "variant",
603
+ "priority": 1
604
+ }
605
+ ]
606
+ },
607
+ {
608
+ "id": "parameter_pollution",
609
+ "name": "Parameter Pollution",
610
+ "type": "subcategory",
611
+ "children": [
612
+ {
613
+ "id": "social_media_sharing_buttons",
614
+ "name": "Social Media Sharing Buttons",
615
+ "type": "variant",
616
+ "priority": 5
617
+ }
618
+ ]
619
+ },
620
+ {
621
+ "id": "remote_code_execution_rce",
622
+ "name": "Remote Code Execution (RCE)",
623
+ "type": "subcategory",
624
+ "priority": 1
625
+ },
626
+ {
627
+ "id": "ldap_injection",
628
+ "name": "LDAP Injection",
629
+ "type": "subcategory",
630
+ "priority": null
631
+ },
632
+ {
633
+ "id": "sql_injection",
634
+ "name": "SQL Injection",
635
+ "type": "subcategory",
636
+ "priority": 1
637
+ },
638
+ {
639
+ "id": "xml_external_entity_injection_xxe",
640
+ "name": "XML External Entity Injection (XXE)",
641
+ "type": "subcategory",
642
+ "priority": 1
643
+ },
644
+ {
645
+ "id": "http_response_manipulation",
646
+ "name": "HTTP Response Manipulation",
647
+ "type": "subcategory",
648
+ "children": [
649
+ {
650
+ "id": "response_splitting_crlf",
651
+ "name": "Response Splitting (CRLF)",
652
+ "type": "variant",
653
+ "priority": 3
654
+ }
655
+ ]
656
+ },
657
+ {
658
+ "id": "content_spoofing",
659
+ "name": "Content Spoofing",
660
+ "type": "subcategory",
661
+ "children": [
662
+ {
663
+ "id": "iframe_injection",
664
+ "name": "iframe Injection",
665
+ "type": "variant",
666
+ "priority": 3
667
+ },
668
+ {
669
+ "id": "impersonation_via_broken_link_hijacking",
670
+ "name": "Impersonation via Broken Link Hijacking",
671
+ "type": "variant",
672
+ "priority": 4
673
+ },
674
+ {
675
+ "id": "external_authentication_injection",
676
+ "name": "External Authentication Injection",
677
+ "type": "variant",
678
+ "priority": 4
679
+ },
680
+ {
681
+ "id": "flash_based_external_authentication_injection",
682
+ "name": "Flash Based External Authentication Injection",
683
+ "type": "variant",
684
+ "priority": 5
685
+ },
686
+ {
687
+ "id": "html_content_injection",
688
+ "name": "HTML Content Injection",
689
+ "type": "variant",
690
+ "priority": 5
691
+ },
692
+ {
693
+ "id": "email_html_injection",
694
+ "name": "Email HTML Injection",
695
+ "type": "variant",
696
+ "priority": 4
697
+ },
698
+ {
699
+ "id": "email_hyperlink_injection_based_on_email_provider",
700
+ "name": "Email Hyperlink Injection Based on Email Provider",
701
+ "type": "variant",
702
+ "priority": 5
703
+ },
704
+ {
705
+ "id": "text_injection",
706
+ "name": "Text Injection",
707
+ "type": "variant",
708
+ "priority": 5
709
+ },
710
+ {
711
+ "id": "homograph_idn_based",
712
+ "name": "Homograph/IDN-Based",
713
+ "type": "variant",
714
+ "priority": 5
715
+ },
716
+ {
717
+ "id": "rtlo",
718
+ "name": "Right-to-Left Override (RTLO)",
719
+ "type": "variant",
720
+ "priority": 5
721
+ }
722
+ ]
723
+ },
724
+ {
725
+ "id": "ssti",
726
+ "name": "Server-Side Template Injection (SSTI)",
727
+ "type": "subcategory",
728
+ "children": [
729
+ {
730
+ "id": "basic",
731
+ "name": "Basic",
732
+ "type": "variant",
733
+ "priority": 4
734
+ },
735
+ {
736
+ "id": "custom",
737
+ "name": "Custom",
738
+ "type": "variant",
739
+ "priority": null
740
+ }
741
+ ]
742
+ }
743
+ ]
744
+ },
745
+ {
746
+ "id": "broken_authentication_and_session_management",
747
+ "name": "Broken Authentication and Session Management",
748
+ "type": "category",
749
+ "children": [
750
+ {
751
+ "id": "authentication_bypass",
752
+ "name": "Authentication Bypass",
753
+ "type": "subcategory",
754
+ "priority": 1
755
+ },
756
+ {
757
+ "id": "two_fa_bypass",
758
+ "name": "Second Factor Authentication (2FA) Bypass",
759
+ "type": "subcategory",
760
+ "priority": 3
761
+ },
762
+ {
763
+ "id": "cleartext_transmission_of_session_token",
764
+ "name": "Cleartext Transmission of Session Token",
765
+ "type": "subcategory",
766
+ "priority": 4
767
+ },
768
+ {
769
+ "id": "weak_login_function",
770
+ "name": "Weak Login Function",
771
+ "type": "subcategory",
772
+ "children": [
773
+ {
774
+ "id": "not_operational",
775
+ "name": "Not Operational or Intended Public Access",
776
+ "type": "variant",
777
+ "priority": 5
778
+ },
779
+ {
780
+ "id": "other_plaintext_protocol_no_secure_alternative",
781
+ "name": "Other Plaintext Protocol with no Secure Alternative",
782
+ "type": "variant",
783
+ "priority": 4
784
+ },
785
+ {
786
+ "id": "over_http",
787
+ "name": "Over HTTP",
788
+ "type": "variant",
789
+ "priority": 4
790
+ }
791
+ ]
792
+ },
793
+ {
794
+ "id": "session_fixation",
795
+ "name": "Session Fixation",
796
+ "type": "subcategory",
797
+ "children": [
798
+ {
799
+ "id": "remote_attack_vector",
800
+ "name": "Remote Attack Vector",
801
+ "type": "variant",
802
+ "priority": 3
803
+ },
804
+ {
805
+ "id": "local_attack_vector",
806
+ "name": "Local Attack Vector",
807
+ "type": "variant",
808
+ "priority": 5
809
+ }
810
+ ]
811
+ },
812
+ {
813
+ "id": "failure_to_invalidate_session",
814
+ "name": "Failure to Invalidate Session",
815
+ "type": "subcategory",
816
+ "children": [
817
+ {
818
+ "id": "on_logout",
819
+ "name": "On Logout (Client and Server-Side)",
820
+ "type": "variant",
821
+ "priority": 4
822
+ },
823
+ {
824
+ "id": "permission_change",
825
+ "name": "On Permission Change",
826
+ "type": "variant",
827
+ "priority": null
828
+ },
829
+ {
830
+ "id": "on_logout_server_side_only",
831
+ "name": "On Logout (Server-Side Only)",
832
+ "type": "variant",
833
+ "priority": 5
834
+ },
835
+ {
836
+ "id": "on_password_change",
837
+ "name": "On Password Reset and/or Change",
838
+ "type": "variant",
839
+ "priority": 4
840
+ },
841
+ {
842
+ "id": "all_sessions",
843
+ "name": "Concurrent Sessions On Logout",
844
+ "type": "variant",
845
+ "priority": 5
846
+ },
847
+ {
848
+ "id": "on_email_change",
849
+ "name": "On Email Change",
850
+ "type": "variant",
851
+ "priority": 5
852
+ },
853
+ {
854
+ "id": "on_two_fa_activation_change",
855
+ "name": "On 2FA Activation/Change",
856
+ "type": "variant",
857
+ "priority": 5
858
+ },
859
+ {
860
+ "id": "long_timeout",
861
+ "name": "Long Timeout",
862
+ "type": "variant",
863
+ "priority": 5
864
+ }
865
+ ]
866
+ },
867
+ {
868
+ "id": "concurrent_logins",
869
+ "name": "Concurrent Logins",
870
+ "type": "subcategory",
871
+ "priority": 5
872
+ },
873
+ {
874
+ "id": "weak_registration_implementation",
875
+ "name": "Weak Registration Implementation",
876
+ "type": "subcategory",
877
+ "children": [
878
+ {
879
+ "id": "over_http",
880
+ "name": "Over HTTP",
881
+ "type": "variant",
882
+ "priority": 4
883
+ }
884
+ ]
885
+ }
886
+ ]
887
+ },
888
+ {
889
+ "id": "sensitive_data_exposure",
890
+ "name": "Sensitive Data Exposure",
891
+ "type": "category",
892
+ "children": [
893
+ {
894
+ "id": "disclosure_of_secrets",
895
+ "name": "Disclosure of Secrets",
896
+ "type": "subcategory",
897
+ "children": [
898
+ {
899
+ "id": "for_publicly_accessible_asset",
900
+ "name": "For Publicly Accessible Asset",
901
+ "type": "variant",
902
+ "priority": 1
903
+ },
904
+ {
905
+ "id": "pii_leakage_exposure",
906
+ "name": "PII Leakage/Exposure",
907
+ "type": "variant",
908
+ "priority": null
909
+ },
910
+ {
911
+ "id": "for_internal_asset",
912
+ "name": "For Internal Asset",
913
+ "type": "variant",
914
+ "priority": 3
915
+ },
916
+ {
917
+ "id": "pay_per_use_abuse",
918
+ "name": "Pay-Per-Use Abuse",
919
+ "type": "variant",
920
+ "priority": 4
921
+ },
922
+ {
923
+ "id": "intentionally_public_sample_or_invalid",
924
+ "name": "Intentionally Public, Sample or Invalid",
925
+ "type": "variant",
926
+ "priority": 5
927
+ },
928
+ {
929
+ "id": "data_traffic_spam",
930
+ "name": "Data/Traffic Spam",
931
+ "type": "variant",
932
+ "priority": 5
933
+ },
934
+ {
935
+ "id": "non_corporate_user",
936
+ "name": "Non-Corporate User",
937
+ "type": "variant",
938
+ "priority": 5
939
+ }
940
+ ]
941
+ },
942
+ {
943
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
944
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
945
+ "type": "subcategory",
946
+ "children": [
947
+ {
948
+ "id": "automatic_user_enumeration",
949
+ "name": "Automatic User Enumeration",
950
+ "type": "variant",
951
+ "priority": 3
952
+ },
953
+ {
954
+ "id": "manual_user_enumeration",
955
+ "name": "Manual User Enumeration",
956
+ "type": "variant",
957
+ "priority": 4
958
+ }
959
+ ]
960
+ },
961
+ {
962
+ "id": "visible_detailed_error_page",
963
+ "name": "Visible Detailed Error/Debug Page",
964
+ "type": "subcategory",
965
+ "children": [
966
+ {
967
+ "id": "detailed_server_configuration",
968
+ "name": "Detailed Server Configuration",
969
+ "type": "variant",
970
+ "priority": 4
971
+ },
972
+ {
973
+ "id": "full_path_disclosure",
974
+ "name": "Full Path Disclosure",
975
+ "type": "variant",
976
+ "priority": 5
977
+ },
978
+ {
979
+ "id": "descriptive_stack_trace",
980
+ "name": "Descriptive Stack Trace",
981
+ "type": "variant",
982
+ "priority": 5
983
+ }
984
+ ]
985
+ },
986
+ {
987
+ "id": "disclosure_of_known_public_information",
988
+ "name": "Disclosure of Known Public Information",
989
+ "type": "subcategory",
990
+ "priority": 5
991
+ },
992
+ {
993
+ "id": "token_leakage_via_referer",
994
+ "name": "Token Leakage via Referer",
995
+ "type": "subcategory",
996
+ "children": [
997
+ {
998
+ "id": "trusted_third_party",
999
+ "name": "Trusted 3rd Party",
1000
+ "type": "variant",
1001
+ "priority": 5
1002
+ },
1003
+ {
1004
+ "id": "untrusted_third_party",
1005
+ "name": "Untrusted 3rd Party",
1006
+ "type": "variant",
1007
+ "priority": 4
1008
+ },
1009
+ {
1010
+ "id": "over_http",
1011
+ "name": "Over HTTP",
1012
+ "type": "variant",
1013
+ "priority": 4
1014
+ },
1015
+ {
1016
+ "id": "password_reset_token",
1017
+ "name": "Password Reset Token",
1018
+ "type": "subcategory",
1019
+ "priority": 5
1020
+ }
1021
+ ]
1022
+ },
1023
+ {
1024
+ "id": "sensitive_token_in_url",
1025
+ "name": "Sensitive Token in URL",
1026
+ "type": "subcategory",
1027
+ "children": [
1028
+ {
1029
+ "id": "user_facing",
1030
+ "name": "User Facing",
1031
+ "type": "variant",
1032
+ "priority": 4
1033
+ },
1034
+ {
1035
+ "id": "in_the_background",
1036
+ "name": "In the Background",
1037
+ "type": "variant",
1038
+ "priority": 5
1039
+ },
1040
+ {
1041
+ "id": "on_password_reset",
1042
+ "name": "On Password Reset",
1043
+ "type": "variant",
1044
+ "priority": 5
1045
+ }
1046
+ ]
1047
+ },
1048
+ {
1049
+ "id": "non_sensitive_token_in_url",
1050
+ "name": "Non-Sensitive Token in URL",
1051
+ "type": "subcategory",
1052
+ "priority": 5
1053
+ },
1054
+ {
1055
+ "id": "weak_password_reset_implementation",
1056
+ "name": "Weak Password Reset Implementation",
1057
+ "type": "subcategory",
1058
+ "children": [
1059
+ {
1060
+ "id": "password_reset_token_sent_over_http",
1061
+ "name": "Password Reset Token Sent Over HTTP",
1062
+ "type": "variant",
1063
+ "priority": 4
1064
+ },
1065
+ {
1066
+ "id": "token_leakage_via_host_header_poisoning",
1067
+ "name": "Token Leakage via Host Header Poisoning",
1068
+ "type": "variant",
1069
+ "priority": 2
1070
+ }
1071
+ ]
1072
+ },
1073
+ {
1074
+ "id": "mixed_content",
1075
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1076
+ "type": "subcategory",
1077
+ "priority": 5
1078
+ },
1079
+ {
1080
+ "id": "sensitive_data_hardcoded",
1081
+ "name": "Sensitive Data Hardcoded",
1082
+ "type": "subcategory",
1083
+ "children": [
1084
+ {
1085
+ "id": "oauth_secret",
1086
+ "name": "OAuth Secret",
1087
+ "type": "variant",
1088
+ "priority": 5
1089
+ },
1090
+ {
1091
+ "id": "file_paths",
1092
+ "name": "File Paths",
1093
+ "type": "variant",
1094
+ "priority": 5
1095
+ }
1096
+ ]
1097
+ },
1098
+ {
1099
+ "id": "internal_ip_disclosure",
1100
+ "name": "Internal IP Disclosure",
1101
+ "type": "subcategory",
1102
+ "priority": 5
1103
+ },
1104
+ {
1105
+ "id": "xssi",
1106
+ "name": "Cross Site Script Inclusion (XSSI)",
1107
+ "type": "subcategory",
1108
+ "priority": null
1109
+ },
1110
+ {
1111
+ "id": "json_hijacking",
1112
+ "name": "JSON Hijacking",
1113
+ "type": "subcategory",
1114
+ "priority": 5
1115
+ },
1116
+ {
1117
+ "id": "via_localstorage_sessionstorage",
1118
+ "name": "Via localStorage/sessionStorage",
1119
+ "type": "subcategory",
1120
+ "children": [
1121
+ {
1122
+ "id": "sensitive_token",
1123
+ "name": "Sensitive Token",
1124
+ "type": "variant",
1125
+ "priority": 4
1126
+ },
1127
+ {
1128
+ "id": "non_sensitive_token",
1129
+ "name": "Non-Sensitive Token",
1130
+ "type": "variant",
1131
+ "priority": 5
1132
+ }
1133
+ ]
1134
+ }
1135
+ ]
1136
+ },
1137
+ {
1138
+ "id": "cross_site_scripting_xss",
1139
+ "name": "Cross-Site Scripting (XSS)",
1140
+ "type": "category",
1141
+ "children": [
1142
+ {
1143
+ "id": "stored",
1144
+ "name": "Stored",
1145
+ "type": "subcategory",
1146
+ "children": [
1147
+ {
1148
+ "id": "non_admin_to_anyone",
1149
+ "name": "Non-Privileged User to Anyone",
1150
+ "type": "variant",
1151
+ "priority": 2
1152
+ },
1153
+ {
1154
+ "id": "privileged_user_to_privilege_elevation",
1155
+ "name": "Privileged User to Privilege Elevation",
1156
+ "type": "variant",
1157
+ "priority": 3
1158
+ },
1159
+ {
1160
+ "id": "privileged_user_to_no_privilege_elevation",
1161
+ "name": "Privileged User to No Privilege Elevation",
1162
+ "type": "variant",
1163
+ "priority": 4
1164
+ },
1165
+ {
1166
+ "id": "url_based",
1167
+ "name": "CSRF/URL-Based",
1168
+ "type": "variant",
1169
+ "priority": 3
1170
+ },
1171
+ {
1172
+ "id": "self",
1173
+ "name": "Self",
1174
+ "type": "variant",
1175
+ "priority": 5
1176
+ }
1177
+ ]
1178
+ },
1179
+ {
1180
+ "id": "reflected",
1181
+ "name": "Reflected",
1182
+ "type": "subcategory",
1183
+ "children": [
1184
+ {
1185
+ "id": "non_self",
1186
+ "name": "Non-Self",
1187
+ "type": "variant",
1188
+ "priority": 3
1189
+ },
1190
+ {
1191
+ "id": "self",
1192
+ "name": "Self",
1193
+ "type": "variant",
1194
+ "priority": 5
1195
+ }
1196
+ ]
1197
+ },
1198
+ {
1199
+ "id": "flash_based",
1200
+ "name": "Flash-Based",
1201
+ "type": "subcategory",
1202
+ "priority": 5
1203
+ },
1204
+ {
1205
+ "id": "cookie_based",
1206
+ "name": "Cookie-Based",
1207
+ "type": "subcategory",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "ie_only",
1212
+ "name": "IE-Only",
1213
+ "type": "subcategory",
1214
+ "priority": 5
1215
+ },
1216
+ {
1217
+ "id": "referer",
1218
+ "name": "Referer",
1219
+ "type": "subcategory",
1220
+ "priority": 4
1221
+ },
1222
+ {
1223
+ "id": "trace_method",
1224
+ "name": "TRACE Method",
1225
+ "type": "subcategory",
1226
+ "priority": 5
1227
+ },
1228
+ {
1229
+ "id": "universal_uxss",
1230
+ "name": "Universal (UXSS)",
1231
+ "type": "subcategory",
1232
+ "priority": 4
1233
+ },
1234
+ {
1235
+ "id": "off_domain",
1236
+ "name": "Off-Domain",
1237
+ "type": "subcategory",
1238
+ "children": [
1239
+ {
1240
+ "id": "data_uri",
1241
+ "name": "Data URI",
1242
+ "type": "variant",
1243
+ "priority": 4
1244
+ }
1245
+ ]
1246
+ }
1247
+ ]
1248
+ },
1249
+ {
1250
+ "id": "broken_access_control",
1251
+ "name": "Broken Access Control (BAC)",
1252
+ "type": "category",
1253
+ "children": [
1254
+ {
1255
+ "id": "idor",
1256
+ "name": "Insecure Direct Object References (IDOR)",
1257
+ "type": "subcategory",
1258
+ "children": [
1259
+ {
1260
+ "id": "read_edit_delete_non_sensitive_information",
1261
+ "name": "Read/Edit/Delete Non-Sensitive Information",
1262
+ "type": "variant",
1263
+ "priority": 5
1264
+ },
1265
+ {
1266
+ "id": "read_edit_delete_sensitive_information_guid",
1267
+ "name": "Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID)",
1268
+ "type": "variant",
1269
+ "priority": 4
1270
+ },
1271
+ {
1272
+ "id": "read_sensitive_information_iterable_object_identifiers",
1273
+ "name": "Read Sensitive Information/Iterable Object Identifiers",
1274
+ "type": "variant",
1275
+ "priority": 3
1276
+ },
1277
+ {
1278
+ "id": "edit_delete_sensitive_information_iterable_object_identifiers",
1279
+ "name": "Edit/Delete Sensitive Information/Iterable Object Identifiers",
1280
+ "type": "variant",
1281
+ "priority": 2
1282
+ },
1283
+ {
1284
+ "id": "read_edit_delete_sensitive_information_iterable_object_identifiers",
1285
+ "name": "Read/Edit/Delete Sensitive Information/Iterable Object Identifiers",
1286
+ "type": "variant",
1287
+ "priority": 1
1288
+ }
1289
+ ]
1290
+ },
1291
+ {
1292
+ "id": "username_enumeration",
1293
+ "name": "Username/Email Enumeration",
1294
+ "type": "subcategory",
1295
+ "children": [
1296
+ {
1297
+ "id": "non_brute_force",
1298
+ "name": "Non-Brute Force",
1299
+ "type": "variant",
1300
+ "priority": 4
1301
+ }
1302
+ ]
1303
+ },
1304
+ {
1305
+ "id": "exposed_sensitive_android_intent",
1306
+ "name": "Exposed Sensitive Android Intent",
1307
+ "type": "subcategory",
1308
+ "priority": null
1309
+ },
1310
+ {
1311
+ "id": "privilege_escalation",
1312
+ "name": "Privilege Escalation",
1313
+ "type": "subcategory",
1314
+ "priority": null
1315
+ },
1316
+ {
1317
+ "id": "exposed_sensitive_ios_url_scheme",
1318
+ "name": "Exposed Sensitive iOS URL Scheme",
1319
+ "type": "subcategory",
1320
+ "priority": null
1321
+ }
1322
+ ]
1323
+ },
1324
+ {
1325
+ "id": "cross_site_request_forgery_csrf",
1326
+ "name": "Cross-Site Request Forgery (CSRF)",
1327
+ "type": "category",
1328
+ "children": [
1329
+ {
1330
+ "id": "application_wide",
1331
+ "name": "Application-Wide",
1332
+ "type": "subcategory",
1333
+ "priority": 2
1334
+ },
1335
+ {
1336
+ "id": "action_specific",
1337
+ "name": "Action-Specific",
1338
+ "type": "subcategory",
1339
+ "children": [
1340
+ {
1341
+ "id": "authenticated_action",
1342
+ "name": "Authenticated Action",
1343
+ "type": "variant",
1344
+ "priority": null
1345
+ },
1346
+ {
1347
+ "id": "unauthenticated_action",
1348
+ "name": "Unauthenticated Action",
1349
+ "type": "variant",
1350
+ "priority": null
1351
+ },
1352
+ {
1353
+ "id": "logout",
1354
+ "name": "Logout",
1355
+ "type": "variant",
1356
+ "priority": 5
1357
+ }
1358
+ ]
1359
+ },
1360
+ {
1361
+ "id": "csrf_token_not_unique_per_request",
1362
+ "name": "CSRF Token Not Unique Per Request",
1363
+ "type": "subcategory",
1364
+ "priority": 5
1365
+ },
1366
+ {
1367
+ "id": "flash_based",
1368
+ "name": "Flash-Based",
1369
+ "type": "subcategory",
1370
+ "priority": 5
1371
+ }
1372
+ ]
1373
+ },
1374
+ {
1375
+ "id": "application_level_denial_of_service_dos",
1376
+ "name": "Application-Level Denial-of-Service (DoS)",
1377
+ "type": "category",
1378
+ "children": [
1379
+ {
1380
+ "id": "excessive_resource_consumption",
1381
+ "name": "Excessive Resource Consumption",
1382
+ "type": "subcategory",
1383
+ "children": [
1384
+ {
1385
+ "id": "injection_prompt",
1386
+ "name": "Injection (Prompt)",
1387
+ "type": "variant",
1388
+ "priority": null
1389
+ }
1390
+ ]
1391
+ },
1392
+ {
1393
+ "id": "critical_impact_and_or_easy_difficulty",
1394
+ "name": "Critical Impact and/or Easy Difficulty",
1395
+ "type": "subcategory",
1396
+ "priority": 2
1397
+ },
1398
+ {
1399
+ "id": "high_impact_and_or_medium_difficulty",
1400
+ "name": "High Impact and/or Medium Difficulty",
1401
+ "type": "subcategory",
1402
+ "priority": 3
1403
+ },
1404
+ {
1405
+ "id": "app_crash",
1406
+ "name": "App Crash",
1407
+ "type": "subcategory",
1408
+ "children": [
1409
+ {
1410
+ "id": "malformed_android_intents",
1411
+ "name": "Malformed Android Intents",
1412
+ "type": "variant",
1413
+ "priority": 5
1414
+ },
1415
+ {
1416
+ "id": "malformed_ios_url_schemes",
1417
+ "name": "Malformed iOS URL Schemes",
1418
+ "type": "variant",
1419
+ "priority": 5
1420
+ }
1421
+ ]
1422
+ }
1423
+ ]
1424
+ },
1425
+ {
1426
+ "id": "unvalidated_redirects_and_forwards",
1427
+ "name": "Unvalidated Redirects and Forwards",
1428
+ "type": "category",
1429
+ "children": [
1430
+ {
1431
+ "id": "open_redirect",
1432
+ "name": "Open Redirect",
1433
+ "type": "subcategory",
1434
+ "children": [
1435
+ {
1436
+ "id": "get_based",
1437
+ "name": "GET-Based",
1438
+ "type": "variant",
1439
+ "priority": 4
1440
+ },
1441
+ {
1442
+ "id": "post_based",
1443
+ "name": "POST-Based",
1444
+ "type": "variant",
1445
+ "priority": 5
1446
+ },
1447
+ {
1448
+ "id": "header_based",
1449
+ "name": "Header-Based",
1450
+ "type": "variant",
1451
+ "priority": 5
1452
+ },
1453
+ {
1454
+ "id": "flash_based",
1455
+ "name": "Flash-Based",
1456
+ "type": "variant",
1457
+ "priority": 5
1458
+ }
1459
+ ]
1460
+ },
1461
+ {
1462
+ "id": "tabnabbing",
1463
+ "name": "Tabnabbing",
1464
+ "type": "subcategory",
1465
+ "priority": 5
1466
+ },
1467
+ {
1468
+ "id": "lack_of_security_speed_bump_page",
1469
+ "name": "Lack of Security Speed Bump Page",
1470
+ "type": "subcategory",
1471
+ "priority": 5
1472
+ }
1473
+ ]
1474
+ },
1475
+ {
1476
+ "id": "external_behavior",
1477
+ "name": "External Behavior",
1478
+ "type": "category",
1479
+ "children": [
1480
+ {
1481
+ "id": "browser_feature",
1482
+ "name": "Browser Feature",
1483
+ "type": "subcategory",
1484
+ "children": [
1485
+ {
1486
+ "id": "plaintext_password_field",
1487
+ "name": "Plaintext Password Field",
1488
+ "type": "variant",
1489
+ "priority": 5
1490
+ },
1491
+ {
1492
+ "id": "save_password",
1493
+ "name": "Save Password",
1494
+ "type": "variant",
1495
+ "priority": 5
1496
+ },
1497
+ {
1498
+ "id": "autocomplete_enabled",
1499
+ "name": "Autocomplete Enabled",
1500
+ "type": "variant",
1501
+ "priority": 5
1502
+ },
1503
+ {
1504
+ "id": "autocorrect_enabled",
1505
+ "name": "Autocorrect Enabled",
1506
+ "type": "variant",
1507
+ "priority": 5
1508
+ },
1509
+ {
1510
+ "id": "aggressive_offline_caching",
1511
+ "name": "Aggressive Offline Caching",
1512
+ "type": "variant",
1513
+ "priority": 5
1514
+ }
1515
+ ]
1516
+ },
1517
+ {
1518
+ "id": "csv_injection",
1519
+ "name": "CSV Injection",
1520
+ "type": "subcategory",
1521
+ "priority": 5
1522
+ },
1523
+ {
1524
+ "id": "captcha_bypass",
1525
+ "name": "Captcha Bypass",
1526
+ "type": "subcategory",
1527
+ "children": [
1528
+ {
1529
+ "id": "crowdsourcing",
1530
+ "name": "Crowdsourcing",
1531
+ "type": "variant",
1532
+ "priority": 5
1533
+ }
1534
+ ]
1535
+ },
1536
+ {
1537
+ "id": "system_clipboard_leak",
1538
+ "name": "System Clipboard Leak",
1539
+ "type": "subcategory",
1540
+ "children": [
1541
+ {
1542
+ "id": "shared_links",
1543
+ "name": "Shared Links",
1544
+ "type": "variant",
1545
+ "priority": 5
1546
+ }
1547
+ ]
1548
+ },
1549
+ {
1550
+ "id": "user_password_persisted_in_memory",
1551
+ "name": "User Password Persisted in Memory",
1552
+ "type": "subcategory",
1553
+ "priority": 5
1554
+ }
1555
+ ]
1556
+ },
1557
+ {
1558
+ "id": "insufficient_security_configurability",
1559
+ "name": "Insufficient Security Configurability",
1560
+ "type": "category",
1561
+ "children": [
1562
+ {
1563
+ "id": "weak_password_policy",
1564
+ "name": "Weak Password Policy",
1565
+ "type": "subcategory",
1566
+ "priority": 5
1567
+ },
1568
+ {
1569
+ "id": "no_password_policy",
1570
+ "name": "No Password Policy",
1571
+ "type": "subcategory",
1572
+ "priority": 4
1573
+ },
1574
+ {
1575
+ "id": "password_policy_bypass",
1576
+ "name": "Password Policy Bypass",
1577
+ "type": "subcategory",
1578
+ "priority": 5
1579
+ },
1580
+ {
1581
+ "id": "weak_password_reset_implementation",
1582
+ "name": "Weak Password Reset Implementation",
1583
+ "type": "subcategory",
1584
+ "children": [
1585
+ {
1586
+ "id": "token_is_not_invalidated_after_use",
1587
+ "name": "Token is Not Invalidated After Use",
1588
+ "type": "variant",
1589
+ "priority": 4
1590
+ },
1591
+ {
1592
+ "id": "token_is_not_invalidated_after_email_change",
1593
+ "name": "Token is Not Invalidated After Email Change",
1594
+ "type": "variant",
1595
+ "priority": 5
1596
+ },
1597
+ {
1598
+ "id": "token_is_not_invalidated_after_password_change",
1599
+ "name": "Token is Not Invalidated After Password Change",
1600
+ "type": "variant",
1601
+ "priority": 5
1602
+ },
1603
+ {
1604
+ "id": "token_has_long_timed_expiry",
1605
+ "name": "Token Has Long Timed Expiry",
1606
+ "type": "variant",
1607
+ "priority": 5
1608
+ },
1609
+ {
1610
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1611
+ "name": "Token is Not Invalidated After New Token is Requested",
1612
+ "type": "variant",
1613
+ "priority": 5
1614
+ },
1615
+ {
1616
+ "id": "token_is_not_invalidated_after_login",
1617
+ "name": "Token is Not Invalidated After Login",
1618
+ "type": "variant",
1619
+ "priority": 5
1620
+ }
1621
+ ]
1622
+ },
1623
+ {
1624
+ "id": "verification_of_contact_method_not_required",
1625
+ "name": "Verification of Contact Method not Required",
1626
+ "type": "subcategory",
1627
+ "priority": 5
1628
+ },
1629
+ {
1630
+ "id": "lack_of_notification_email",
1631
+ "name": "Lack of Notification Email",
1632
+ "type": "subcategory",
1633
+ "priority": 5
1634
+ },
1635
+ {
1636
+ "id": "weak_registration_implementation",
1637
+ "name": "Weak Registration Implementation",
1638
+ "type": "subcategory",
1639
+ "children": [
1640
+ {
1641
+ "id": "allows_disposable_email_addresses",
1642
+ "name": "Allows Disposable Email Addresses",
1643
+ "type": "variant",
1644
+ "priority": 5
1645
+ }
1646
+ ]
1647
+ },
1648
+ {
1649
+ "id": "weak_two_fa_implementation",
1650
+ "name": "Weak 2FA Implementation",
1651
+ "type": "subcategory",
1652
+ "children": [
1653
+ {
1654
+ "id": "two_fa_secret_cannot_be_rotated",
1655
+ "name": "2FA Secret Cannot be Rotated",
1656
+ "type": "variant",
1657
+ "priority": 4
1658
+ },
1659
+ {
1660
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1661
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1662
+ "type": "variant",
1663
+ "priority": 4
1664
+ },
1665
+ {
1666
+ "id": "missing_failsafe",
1667
+ "name": "Missing Failsafe",
1668
+ "type": "variant",
1669
+ "priority": 5
1670
+ },
1671
+ {
1672
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1673
+ "name": "2FA Code is Not Updated After New Code is Requested",
1674
+ "type": "variant",
1675
+ "priority": 5
1676
+ },
1677
+ {
1678
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1679
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1680
+ "type": "variant",
1681
+ "priority": 5
1682
+ }
1683
+ ]
1684
+ }
1685
+ ]
1686
+ },
1687
+ {
1688
+ "id": "using_components_with_known_vulnerabilities",
1689
+ "name": "Using Components with Known Vulnerabilities",
1690
+ "type": "category",
1691
+ "children": [
1692
+ {
1693
+ "id": "rosetta_flash",
1694
+ "name": "Rosetta Flash",
1695
+ "type": "subcategory",
1696
+ "priority": 5
1697
+ },
1698
+ {
1699
+ "id": "outdated_software_version",
1700
+ "name": "Outdated Software Version",
1701
+ "type": "subcategory",
1702
+ "priority": 5
1703
+ },
1704
+ {
1705
+ "id": "captcha_bypass",
1706
+ "name": "Captcha Bypass",
1707
+ "type": "subcategory",
1708
+ "children": [
1709
+ {
1710
+ "id": "ocr_optical_character_recognition",
1711
+ "name": "OCR (Optical Character Recognition)",
1712
+ "type": "variant",
1713
+ "priority": 5
1714
+ }
1715
+ ]
1716
+ }
1717
+ ]
1718
+ },
1719
+ {
1720
+ "id": "insecure_data_storage",
1721
+ "name": "Insecure Data Storage",
1722
+ "type": "category",
1723
+ "children": [
1724
+ {
1725
+ "id": "sensitive_application_data_stored_unencrypted",
1726
+ "name": "Sensitive Application Data Stored Unencrypted",
1727
+ "type": "subcategory",
1728
+ "children": [
1729
+ {
1730
+ "id": "on_external_storage",
1731
+ "name": "On External Storage",
1732
+ "type": "variant",
1733
+ "priority": 4
1734
+ },
1735
+ {
1736
+ "id": "on_internal_storage",
1737
+ "name": "On Internal Storage",
1738
+ "type": "variant",
1739
+ "priority": 5
1740
+ }
1741
+ ]
1742
+ },
1743
+ {
1744
+ "id": "server_side_credentials_storage",
1745
+ "name": "Server-Side Credentials Storage",
1746
+ "type": "subcategory",
1747
+ "children": [
1748
+ {
1749
+ "id": "plaintext",
1750
+ "name": "Plaintext",
1751
+ "type": "variant",
1752
+ "priority": 4
1753
+ }
1754
+ ]
1755
+ },
1756
+ {
1757
+ "id": "non_sensitive_application_data_stored_unencrypted",
1758
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1759
+ "type": "subcategory",
1760
+ "priority": 5
1761
+ },
1762
+ {
1763
+ "id": "screen_caching_enabled",
1764
+ "name": "Screen Caching Enabled",
1765
+ "type": "subcategory",
1766
+ "priority": 5
1767
+ }
1768
+ ]
1769
+ },
1770
+ {
1771
+ "id": "lack_of_binary_hardening",
1772
+ "name": "Lack of Binary Hardening",
1773
+ "type": "category",
1774
+ "children": [
1775
+ {
1776
+ "id": "lack_of_exploit_mitigations",
1777
+ "name": "Lack of Exploit Mitigations",
1778
+ "type": "subcategory",
1779
+ "priority": 5
1780
+ },
1781
+ {
1782
+ "id": "lack_of_jailbreak_detection",
1783
+ "name": "Lack of Jailbreak Detection",
1784
+ "type": "subcategory",
1785
+ "priority": 5
1786
+ },
1787
+ {
1788
+ "id": "lack_of_obfuscation",
1789
+ "name": "Lack of Obfuscation",
1790
+ "type": "subcategory",
1791
+ "priority": 5
1792
+ },
1793
+ {
1794
+ "id": "runtime_instrumentation_based",
1795
+ "name": "Runtime Instrumentation-Based",
1796
+ "type": "subcategory",
1797
+ "priority": 5
1798
+ }
1799
+ ]
1800
+ },
1801
+ {
1802
+ "id": "insecure_data_transport",
1803
+ "name": "Insecure Data Transport",
1804
+ "type": "category",
1805
+ "children": [
1806
+ {
1807
+ "id": "cleartext_transmission_of_sensitive_data",
1808
+ "name": "Cleartext Transmission of Sensitive Data",
1809
+ "type": "subcategory",
1810
+ "priority": null
1811
+ },
1812
+ {
1813
+ "id": "executable_download",
1814
+ "name": "Executable Download",
1815
+ "type": "subcategory",
1816
+ "children": [
1817
+ {
1818
+ "id": "no_secure_integrity_check",
1819
+ "name": "No Secure Integrity Check",
1820
+ "type": "variant",
1821
+ "priority": 4
1822
+ },
1823
+ {
1824
+ "id": "secure_integrity_check",
1825
+ "name": "Secure Integrity Check",
1826
+ "type": "variant",
1827
+ "priority": 5
1828
+ }
1829
+ ]
1830
+ }
1831
+ ]
1832
+ },
1833
+ {
1834
+ "id": "data_biases",
1835
+ "name": "Data Biases",
1836
+ "type": "category",
1837
+ "children": [
1838
+ {
1839
+ "id": "representation_bias",
1840
+ "name": "Representation Bias",
1841
+ "type": "subcategory",
1842
+ "priority": null
1843
+ },
1844
+ {
1845
+ "id": "pre_existing_bias",
1846
+ "name": "Pre-existing Bias",
1847
+ "type": "subcategory",
1848
+ "priority": null
1849
+ }
1850
+ ]
1851
+ },
1852
+ {
1853
+ "id": "algorithmic_biases",
1854
+ "name": "Algorithmic Biases",
1855
+ "type": "category",
1856
+ "children": [
1857
+ {
1858
+ "id": "processing_bias",
1859
+ "name": "Processing Bias",
1860
+ "type": "subcategory",
1861
+ "priority": null
1862
+ },
1863
+ {
1864
+ "id": "aggregation_bias",
1865
+ "name": "Aggregation Bias",
1866
+ "type": "subcategory",
1867
+ "priority": null
1868
+ }
1869
+ ]
1870
+ },
1871
+ {
1872
+ "id": "societal_biases",
1873
+ "name": "Societal Biases",
1874
+ "type": "category",
1875
+ "children": [
1876
+ {
1877
+ "id": "confirmation_bias",
1878
+ "name": "Confirmation Bias",
1879
+ "type": "subcategory",
1880
+ "priority": null
1881
+ },
1882
+ {
1883
+ "id": "systemic_bias",
1884
+ "name": "Systemic Bias",
1885
+ "type": "subcategory",
1886
+ "priority": null
1887
+ }
1888
+ ]
1889
+ },
1890
+ {
1891
+ "id": "misinterpretation_biases",
1892
+ "name": "Misinterpretation Biases",
1893
+ "type": "category",
1894
+ "children": [
1895
+ {
1896
+ "id": "context_ignorance",
1897
+ "name": "Context Ignorance",
1898
+ "type": "subcategory",
1899
+ "priority": null
1900
+ }
1901
+ ]
1902
+ },
1903
+ {
1904
+ "id": "developer_biases",
1905
+ "name": "Developer Biases",
1906
+ "type": "category",
1907
+ "children": [
1908
+ {
1909
+ "id": "implicit_bias",
1910
+ "name": "Implicit Bias",
1911
+ "type": "subcategory",
1912
+ "priority": null
1913
+ }
1914
+ ]
1915
+ },
1916
+ {
1917
+ "id": "physical_security_issues",
1918
+ "name": "Physical Security Issues",
1919
+ "type": "category",
1920
+ "children": [
1921
+ {
1922
+ "id": "bypass_of_physical_access_control",
1923
+ "name": "Bypass of physical access control",
1924
+ "type": "subcategory",
1925
+ "priority": null
1926
+ },
1927
+ {
1928
+ "id": "weakness_in_physical_access_control",
1929
+ "name": "Weakness in physical access control",
1930
+ "type": "subcategory",
1931
+ "children": [
1932
+ {
1933
+ "id": "cloneable_key",
1934
+ "name": "Cloneable Key",
1935
+ "type": "variant",
1936
+ "priority": null
1937
+ },
1938
+ {
1939
+ "id": "master_key_identification",
1940
+ "name": "Master Key Identification",
1941
+ "type": "variant",
1942
+ "priority": null
1943
+ },
1944
+ {
1945
+ "id": "commonly_keyed_system",
1946
+ "name": "Commonly Keyed System",
1947
+ "type": "variant",
1948
+ "priority": 2
1949
+ }
1950
+ ]
1951
+ }
1952
+ ]
1953
+ },
1954
+ {
1955
+ "id": "insecure_os_firmware",
1956
+ "name": "Insecure OS/Firmware",
1957
+ "type": "category",
1958
+ "children": [
1959
+ {
1960
+ "id": "command_injection",
1961
+ "name": "Command Injection",
1962
+ "type": "subcategory",
1963
+ "priority": 1
1964
+ },
1965
+ {
1966
+ "id": "hardcoded_password",
1967
+ "name": "Hardcoded Password",
1968
+ "type": "subcategory",
1969
+ "children": [
1970
+ {
1971
+ "id": "privileged_user",
1972
+ "name": "Privileged User",
1973
+ "type": "variant",
1974
+ "priority": 1
1975
+ },
1976
+ {
1977
+ "id": "non_privileged_user",
1978
+ "name": "Non-Privileged User",
1979
+ "type": "variant",
1980
+ "priority": 2
1981
+ }
1982
+ ]
1983
+ },
1984
+ {
1985
+ "id": "weakness_in_firmware_updates",
1986
+ "name": "Weakness in Firmware Updates",
1987
+ "type": "subcategory",
1988
+ "children": [
1989
+ {
1990
+ "id": "firmware_cannot_be_updated",
1991
+ "name": "Firmware cannot be updated",
1992
+ "type": "variant",
1993
+ "priority": null
1994
+ },
1995
+ {
1996
+ "id": "firmware_does_not_validate_update_integrity",
1997
+ "name": "Firmware does not validate update integrity",
1998
+ "type": "variant",
1999
+ "priority": 3
2000
+ },
2001
+ {
2002
+ "id": "firmware_is_not_encrypted",
2003
+ "name": "Firmware is not encrypted",
2004
+ "type": "variant",
2005
+ "priority": 5
2006
+ }
2007
+ ]
2008
+ },
2009
+ {
2010
+ "id": "kiosk_escape_or_breakout",
2011
+ "name": "Kiosk Escape or Breakout",
2012
+ "type": "subcategory",
2013
+ "priority": null
2014
+ },
2015
+ {
2016
+ "id": "poorly_configured_disk_encryption",
2017
+ "name": "Poorly Configured Disk Encryption",
2018
+ "type": "subcategory",
2019
+ "priority": null
2020
+ },
2021
+ {
2022
+ "id": "shared_credentials_on_storage",
2023
+ "name": "Shared Credentials on Storage",
2024
+ "type": "subcategory",
2025
+ "priority": 3
2026
+ },
2027
+ {
2028
+ "id": "over_permissioned_credentials_on_storage",
2029
+ "name": "Over-Permissioned Credentials on Storage",
2030
+ "type": "subcategory",
2031
+ "priority": 2
2032
+ },
2033
+ {
2034
+ "id": "local_administrator_on_default_environment",
2035
+ "name": "Local Administrator on default environment",
2036
+ "type": "subcategory",
2037
+ "priority": 2
2038
+ },
2039
+ {
2040
+ "id": "poorly_configured_operating_system_security",
2041
+ "name": "Poorly Configured Operating System Security",
2042
+ "type": "subcategory",
2043
+ "priority": null
2044
+ },
2045
+ {
2046
+ "id": "recovery_of_disk_contains_sensitive_material",
2047
+ "name": "Recovery of Disk Contains Sensitive Material",
2048
+ "type": "subcategory",
2049
+ "priority": null
2050
+ },
2051
+ {
2052
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
2053
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
2054
+ "type": "subcategory",
2055
+ "priority": null
2056
+ },
2057
+ {
2058
+ "id": "data_not_encrypted_at_rest",
2059
+ "name": "Data not encrypted at rest",
2060
+ "type": "subcategory",
2061
+ "children": [
2062
+ {
2063
+ "id": "sensitive",
2064
+ "name": "Sensitive",
2065
+ "type": "variant",
2066
+ "priority": null
2067
+ },
2068
+ {
2069
+ "id": "non_sensitive",
2070
+ "name": "Non sensitive",
2071
+ "type": "variant",
2072
+ "priority": 5
2073
+ }
2074
+ ]
2075
+ }
2076
+ ]
2077
+ },
2078
+ {
2079
+ "id": "cryptographic_weakness",
2080
+ "name": "Cryptographic Weakness",
2081
+ "type": "category",
2082
+ "children": [
2083
+ {
2084
+ "id": "insufficient_entropy",
2085
+ "name": "Insufficient Entropy",
2086
+ "type": "subcategory",
2087
+ "children": [
2088
+ {
2089
+ "id": "limited_rng_entropy_source",
2090
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
2091
+ "type": "variant",
2092
+ "priority": 4
2093
+ },
2094
+ {
2095
+ "id": "use_of_trng_for_nonsecurity_purpose",
2096
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
2097
+ "type": "variant",
2098
+ "priority": 5
2099
+ },
2100
+ {
2101
+ "id": "prng_seed_reuse",
2102
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
2103
+ "type": "variant",
2104
+ "priority": 5
2105
+ },
2106
+ {
2107
+ "id": "predictable_prng_seed",
2108
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
2109
+ "type": "variant",
2110
+ "priority": 4
2111
+ },
2112
+ {
2113
+ "id": "small_seed_space_in_prng",
2114
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
2115
+ "type": "variant",
2116
+ "priority": 4
2117
+ },
2118
+ {
2119
+ "id": "initialization_vector_reuse",
2120
+ "name": "Initialization Vector (IV) Reuse",
2121
+ "type": "variant",
2122
+ "priority": 5
2123
+ },
2124
+ {
2125
+ "id": "predictable_initialization_vector",
2126
+ "name": "Predictable Initialization Vector (IV)",
2127
+ "type": "variant",
2128
+ "priority": 4
2129
+ }
2130
+ ]
2131
+ },
2132
+ {
2133
+ "id": "insecure_implementation",
2134
+ "name": "Insecure Implementation",
2135
+ "type": "subcategory",
2136
+ "children": [
2137
+ {
2138
+ "id": "missing_cryptographic_step",
2139
+ "name": "Missing Cryptographic Step",
2140
+ "type": "variant",
2141
+ "priority": null
2142
+ },
2143
+ {
2144
+ "id": "improper_following_of_specification",
2145
+ "name": "Improper Following of Specification (Other)",
2146
+ "type": "variant",
2147
+ "priority": null
2148
+ }
2149
+ ]
2150
+ },
2151
+ {
2152
+ "id": "weak_hash",
2153
+ "name": "Weak Hash",
2154
+ "type": "subcategory",
2155
+ "children": [
2156
+ {
2157
+ "id": "lack_of_salt",
2158
+ "name": "Lack of Salt",
2159
+ "type": "variant",
2160
+ "priority": null
2161
+ },
2162
+ {
2163
+ "id": "use_of_predictable_salt",
2164
+ "name": "Use of Predictable Salt",
2165
+ "type": "variant",
2166
+ "priority": 5
2167
+ },
2168
+ {
2169
+ "id": "predictable_hash_collision",
2170
+ "name": "Predictable Hash Collision",
2171
+ "type": "variant",
2172
+ "priority": null
2173
+ }
2174
+ ]
2175
+ },
2176
+ {
2177
+ "id": "insufficient_verification_of_data_authenticity",
2178
+ "name": "Insufficient Verification of Data Authenticity",
2179
+ "type": "subcategory",
2180
+ "children": [
2181
+ {
2182
+ "id": "identity_check_value",
2183
+ "name": "Integrity Check Value (ICV)",
2184
+ "type": "variant",
2185
+ "priority": 4
2186
+ },
2187
+ {
2188
+ "id": "cryptographic_signature",
2189
+ "name": "Cryptographic Signature",
2190
+ "type": "variant",
2191
+ "priority": null
2192
+ }
2193
+ ]
2194
+ },
2195
+ {
2196
+ "id": "insecure_key_generation",
2197
+ "name": "Insecure Key Generation",
2198
+ "type": "subcategory",
2199
+ "children": [
2200
+ {
2201
+ "id": "improper_asymmetric_prime_selection",
2202
+ "name": "Improper Asymmetric Prime Selection",
2203
+ "type": "variant",
2204
+ "priority": null
2205
+ },
2206
+ {
2207
+ "id": "improper_asymmetric_exponent_selection",
2208
+ "name": "Improper Asymmetric Exponent Selection",
2209
+ "type": "variant",
2210
+ "priority": null
2211
+ },
2212
+ {
2213
+ "id": "insufficient_key_stretching",
2214
+ "name": "Insufficient Key Stretching",
2215
+ "type": "variant",
2216
+ "priority": null
2217
+ },
2218
+ {
2219
+ "id": "insufficient_key_space",
2220
+ "name": "Insufficient Key Space",
2221
+ "type": "variant",
2222
+ "priority": 3
2223
+ },
2224
+ {
2225
+ "id": "key_exchange_without_entity_authentication",
2226
+ "name": "Key Exchage Without Entity Authentication",
2227
+ "type": "variant",
2228
+ "priority": 4
2229
+ }
2230
+ ]
2231
+ },
2232
+ {
2233
+ "id": "key_reuse",
2234
+ "name": "Key Reuse",
2235
+ "type": "subcategory",
2236
+ "children": [
2237
+ {
2238
+ "id": "lack_of_perfect_forward_secrecy",
2239
+ "name": "Lack of Perfect Forward Secrecy",
2240
+ "type": "variant",
2241
+ "priority": 4
2242
+ },
2243
+ {
2244
+ "id": "intra_environment",
2245
+ "name": "Intra-Environment",
2246
+ "type": "variant",
2247
+ "priority": 5
2248
+ },
2249
+ {
2250
+ "id": "inter_environment",
2251
+ "name": "Inter-Environment",
2252
+ "type": "variant",
2253
+ "priority": 2
2254
+ }
2255
+ ]
2256
+ },
2257
+ {
2258
+ "id": "broken_cryptography",
2259
+ "name": "Broken Cryptography",
2260
+ "type": "subcategory",
2261
+ "children": [
2262
+ {
2263
+ "id": "use_of_broken_cryptographic_primitive",
2264
+ "name": "Use of Broken Cryptographic Primitive",
2265
+ "type": "variant",
2266
+ "priority": 3
2267
+ },
2268
+ {
2269
+ "id": "use_of_vulnerable_cryptographic_library",
2270
+ "name": "Use of Vulnerable Cryptographic Library",
2271
+ "type": "variant",
2272
+ "priority": 4
2273
+ }
2274
+ ]
2275
+ },
2276
+ {
2277
+ "id": "side_channel_attack",
2278
+ "name": "Side-Channel Attack",
2279
+ "type": "subcategory",
2280
+ "children": [
2281
+ {
2282
+ "id": "padding_oracle_attack",
2283
+ "name": "Padding Oracle Attack",
2284
+ "type": "variant",
2285
+ "priority": 4
2286
+ },
2287
+ {
2288
+ "id": "timing_attack",
2289
+ "name": "Timing Attack",
2290
+ "type": "variant",
2291
+ "priority": 4
2292
+ },
2293
+ {
2294
+ "id": "power_analysis_attack",
2295
+ "name": "Power Analysis Attack",
2296
+ "type": "variant",
2297
+ "priority": 5
2298
+ },
2299
+ {
2300
+ "id": "emanations_attack",
2301
+ "name": "Emanations Attack",
2302
+ "type": "variant",
2303
+ "priority": 5
2304
+ },
2305
+ {
2306
+ "id": "differential_fault_analysis",
2307
+ "name": "Differential Fault Analysis",
2308
+ "type": "variant",
2309
+ "priority": null
2310
+ }
2311
+ ]
2312
+ },
2313
+ {
2314
+ "id": "use_of_expired_cryptographic_key_or_cert",
2315
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
2316
+ "type": "subcategory",
2317
+ "priority": 4
2318
+ },
2319
+ {
2320
+ "id": "incomplete_cleanup_of_keying_material",
2321
+ "name": "Incomplete Cleanup of Keying Material",
2322
+ "type": "subcategory",
2323
+ "priority": 5
2324
+ }
2325
+ ]
2326
+ },
2327
+ {
2328
+ "id": "privacy_concerns",
2329
+ "name": "Privacy Concerns",
2330
+ "type": "category",
2331
+ "children": [
2332
+ {
2333
+ "id": "unnecessary_data_collection",
2334
+ "name": "Unnecessary Data Collection",
2335
+ "type": "subcategory",
2336
+ "children": [
2337
+ {
2338
+ "id": "wifi_ssid_password",
2339
+ "name": "WiFi SSID+Password",
2340
+ "type": "variant",
2341
+ "priority": 4
2342
+ }
2343
+ ]
2344
+ }
2345
+ ]
2346
+ },
2347
+ {
2348
+ "id": "network_security_misconfiguration",
2349
+ "name": "Network Security Misconfiguration",
2350
+ "type": "category",
2351
+ "children": [
2352
+ {
2353
+ "id": "telnet_enabled",
2354
+ "name": "Telnet Enabled",
2355
+ "type": "subcategory",
2356
+ "priority": 5
2357
+ }
2358
+ ]
2359
+ },
2360
+ {
2361
+ "id": "mobile_security_misconfiguration",
2362
+ "name": "Mobile Security Misconfiguration",
2363
+ "type": "category",
2364
+ "children": [
2365
+ {
2366
+ "id": "ssl_certificate_pinning",
2367
+ "name": "SSL Certificate Pinning",
2368
+ "type": "subcategory",
2369
+ "children": [
2370
+ {
2371
+ "id": "absent",
2372
+ "name": "Absent",
2373
+ "type": "variant",
2374
+ "priority": 5
2375
+ },
2376
+ {
2377
+ "id": "defeatable",
2378
+ "name": "Defeatable",
2379
+ "type": "variant",
2380
+ "priority": 5
2381
+ }
2382
+ ]
2383
+ },
2384
+ {
2385
+ "id": "tapjacking",
2386
+ "name": "Tapjacking",
2387
+ "type": "subcategory",
2388
+ "priority": 5
2389
+ },
2390
+ {
2391
+ "id": "clipboard_enabled",
2392
+ "name": "Clipboard Enabled",
2393
+ "type": "subcategory",
2394
+ "priority": 5
2395
+ },
2396
+ {
2397
+ "id": "auto_backup_allowed_by_default",
2398
+ "name": "Auto Backup Allowed by Default",
2399
+ "type": "subcategory",
2400
+ "priority": 5
2401
+ }
2402
+ ]
2403
+ },
2404
+ {
2405
+ "id": "client_side_injection",
2406
+ "name": "Client-Side Injection",
2407
+ "type": "category",
2408
+ "children": [
2409
+ {
2410
+ "id": "binary_planting",
2411
+ "name": "Binary Planting",
2412
+ "type": "subcategory",
2413
+ "children": [
2414
+ {
2415
+ "id": "privilege_escalation",
2416
+ "name": "Default Folder Privilege Escalation",
2417
+ "type": "variant",
2418
+ "priority": 3
2419
+ },
2420
+ {
2421
+ "id": "non_default_folder_privilege_escalation",
2422
+ "name": "Non-Default Folder Privilege Escalation",
2423
+ "type": "variant",
2424
+ "priority": 5
2425
+ },
2426
+ {
2427
+ "id": "no_privilege_escalation",
2428
+ "name": "No Privilege Escalation",
2429
+ "type": "variant",
2430
+ "priority": 5
2431
+ }
2432
+ ]
2433
+ }
2434
+ ]
2435
+ },
2436
+ {
2437
+ "id": "automotive_security_misconfiguration",
2438
+ "name": "Automotive Security Misconfiguration",
2439
+ "type": "category",
2440
+ "children": [
2441
+ {
2442
+ "id": "infotainment_radio_head_unit",
2443
+ "name": "Infotainment, Radio Head Unit",
2444
+ "type": "subcategory",
2445
+ "children": [
2446
+ {
2447
+ "id": "sensitive_data_leakage_exposure",
2448
+ "name": "Sensitive data Leakage/Exposure",
2449
+ "type": "variant",
2450
+ "priority": 1
2451
+ },
2452
+ {
2453
+ "id": "ota_firmware_manipulation",
2454
+ "name": "OTA Firmware Manipulation",
2455
+ "type": "variant",
2456
+ "priority": 2
2457
+ },
2458
+ {
2459
+ "id": "code_execution_can_bus_pivot",
2460
+ "name": "Code Execution (CAN Bus Pivot)",
2461
+ "type": "variant",
2462
+ "priority": 2
2463
+ },
2464
+ {
2465
+ "id": "code_execution_no_can_bus_pivot",
2466
+ "name": "Code Execution (No CAN Bus Pivot)",
2467
+ "type": "variant",
2468
+ "priority": 3
2469
+ },
2470
+ {
2471
+ "id": "unauthorized_access_to_services",
2472
+ "name": "Unauthorized Access to Services (API / Endpoints)",
2473
+ "type": "variant",
2474
+ "priority": 3
2475
+ },
2476
+ {
2477
+ "id": "source_code_dump",
2478
+ "name": "Source Code Dump",
2479
+ "type": "variant",
2480
+ "priority": 4
2481
+ },
2482
+ {
2483
+ "id": "dos_brick",
2484
+ "name": "Denial of Service (DoS / Brick)",
2485
+ "type": "variant",
2486
+ "priority": 4
2487
+ },
2488
+ {
2489
+ "id": "default_credentials",
2490
+ "name": "Default Credentials",
2491
+ "type": "variant",
2492
+ "priority": 4
2493
+ }
2494
+ ]
2495
+ },
2496
+ {
2497
+ "id": "rf_hub",
2498
+ "name": "RF Hub",
2499
+ "type": "subcategory",
2500
+ "children": [
2501
+ {
2502
+ "id": "key_fob_cloning",
2503
+ "name": "Key Fob Cloning",
2504
+ "type": "variant",
2505
+ "priority": 1
2506
+ },
2507
+ {
2508
+ "id": "can_injection_interaction",
2509
+ "name": "CAN Injection / Interaction",
2510
+ "type": "variant",
2511
+ "priority": 2
2512
+ },
2513
+ {
2514
+ "id": "data_leakage_pull_encryption_mechanism",
2515
+ "name": "Data Leakage / Pull Encryption Mechanism",
2516
+ "type": "variant",
2517
+ "priority": 3
2518
+ },
2519
+ {
2520
+ "id": "unauthorized_access_turn_on",
2521
+ "name": "Unauthorized Access / Turn On",
2522
+ "type": "variant",
2523
+ "priority": 4
2524
+ },
2525
+ {
2526
+ "id": "roll_jam",
2527
+ "name": "Roll Jam",
2528
+ "type": "variant",
2529
+ "priority": 5
2530
+ },
2531
+ {
2532
+ "id": "replay",
2533
+ "name": "Replay",
2534
+ "type": "variant",
2535
+ "priority": 5
2536
+ },
2537
+ {
2538
+ "id": "relay",
2539
+ "name": "Relay",
2540
+ "type": "variant",
2541
+ "priority": 5
2542
+ }
2543
+ ]
2544
+ },
2545
+ {
2546
+ "id": "can",
2547
+ "name": "CAN",
2548
+ "type": "subcategory",
2549
+ "children": [
2550
+ {
2551
+ "id": "injection_battery_management_system",
2552
+ "name": "Injection (Battery Management System)",
2553
+ "type": "variant",
2554
+ "priority": 3
2555
+ },
2556
+ {
2557
+ "id": "injection_steering_control",
2558
+ "name": "Injection (Steering Control)",
2559
+ "type": "variant",
2560
+ "priority": 3
2561
+ },
2562
+ {
2563
+ "id": "injection_pyrotechnical_device_deployment_tool",
2564
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
2565
+ "type": "variant",
2566
+ "priority": 3
2567
+ },
2568
+ {
2569
+ "id": "injection_headlights",
2570
+ "name": "Injection (Headlights)",
2571
+ "type": "variant",
2572
+ "priority": 3
2573
+ },
2574
+ {
2575
+ "id": "injection_sensors",
2576
+ "name": "Injection (Sensors)",
2577
+ "type": "variant",
2578
+ "priority": 3
2579
+ },
2580
+ {
2581
+ "id": "injection_vehicle_anti_theft_systems",
2582
+ "name": "Injection (Vehicle Anti-theft Systems)",
2583
+ "type": "variant",
2584
+ "priority": 3
2585
+ },
2586
+ {
2587
+ "id": "injection_powertrain",
2588
+ "name": "Injection (Powertrain)",
2589
+ "type": "variant",
2590
+ "priority": 3
2591
+ },
2592
+ {
2593
+ "id": "injection_basic_safety_message",
2594
+ "name": "Injection (Basic Safety Message)",
2595
+ "type": "variant",
2596
+ "priority": 3
2597
+ },
2598
+ {
2599
+ "id": "injection_disallowed_messages",
2600
+ "name": "Injection (Disallowed Messages)",
2601
+ "type": "variant",
2602
+ "priority": 4
2603
+ },
2604
+ {
2605
+ "id": "injection_dos",
2606
+ "name": "Injection (DoS)",
2607
+ "type": "variant",
2608
+ "priority": 4
2609
+ }
2610
+ ]
2611
+ },
2612
+ {
2613
+ "id": "battery_management_system",
2614
+ "name": "Battery Management System",
2615
+ "type": "subcategory",
2616
+ "children": [
2617
+ {
2618
+ "id": "firmware_dump",
2619
+ "name": "Firmware Dump",
2620
+ "type": "variant",
2621
+ "priority": 3
2622
+ },
2623
+ {
2624
+ "id": "fraudulent_interface",
2625
+ "name": "Fraudulent Interface",
2626
+ "type": "variant",
2627
+ "priority": 4
2628
+ }
2629
+ ]
2630
+ },
2631
+ {
2632
+ "id": "gnss_gps",
2633
+ "name": "GNSS / GPS",
2634
+ "type": "subcategory",
2635
+ "children": [
2636
+ {
2637
+ "id": "spoofing",
2638
+ "name": "Spoofing",
2639
+ "type": "variant",
2640
+ "priority": 4
2641
+ }
2642
+ ]
2643
+ },
2644
+ {
2645
+ "id": "immobilizer",
2646
+ "name": "Immobilizer",
2647
+ "type": "subcategory",
2648
+ "children": [
2649
+ {
2650
+ "id": "engine_start",
2651
+ "name": "Engine Start",
2652
+ "type": "variant",
2653
+ "priority": 3
2654
+ }
2655
+ ]
2656
+ },
2657
+ {
2658
+ "id": "abs",
2659
+ "name": "Automatic Braking System (ABS)",
2660
+ "type": "subcategory",
2661
+ "children": [
2662
+ {
2663
+ "id": "unintended_acceleration_brake",
2664
+ "name": "Unintended Acceleration / Brake",
2665
+ "type": "variant",
2666
+ "priority": 3
2667
+ }
2668
+ ]
2669
+ },
2670
+ {
2671
+ "id": "rsu",
2672
+ "name": "Roadside Unit (RSU)",
2673
+ "type": "subcategory",
2674
+ "children": [
2675
+ {
2676
+ "id": "sybil_attack",
2677
+ "name": "Sybil Attack",
2678
+ "type": "variant",
2679
+ "priority": 4
2680
+ }
2681
+ ]
2682
+ }
2683
+ ]
2684
+ },
2685
+ {
2686
+ "id": "ai_application_security",
2687
+ "name": "AI Application Security",
2688
+ "type": "category",
2689
+ "children": [
2690
+ {
2691
+ "id": "llm_security",
2692
+ "name": "Large Language Model (LLM) Security",
2693
+ "type": "subcategory",
2694
+ "children": [
2695
+ {
2696
+ "id": "prompt_injection",
2697
+ "name": "Prompt Injection",
2698
+ "type": "variant",
2699
+ "priority": 1
2700
+ },
2701
+ {
2702
+ "id": "llm_output_handling",
2703
+ "name": "LLM Output Handling",
2704
+ "type": "variant",
2705
+ "priority": 1
2706
+ },
2707
+ {
2708
+ "id": "training_data_poisoning",
2709
+ "name": "Training Data Poisoning",
2710
+ "type": "variant",
2711
+ "priority": 1
2712
+ },
2713
+ {
2714
+ "id": "excessive_agency_permission_manipulation",
2715
+ "name": "Excessive Agency/Permission Manipulation",
2716
+ "type": "variant",
2717
+ "priority": 2
2718
+ }
2719
+ ]
2720
+ }
2721
+ ]
2722
+ },
2723
+ {
2724
+ "id": "indicators_of_compromise",
2725
+ "name": "Indicators of Compromise",
2726
+ "type": "category",
2727
+ "priority": null
2728
+ }
2729
+ ]
2730
+ }