vrt 0.13.1 → 0.13.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.14.2/deprecated-node-mapping.json +242 -0
  3. data/lib/data/1.14.2/mappings/cvss_v3/cvss_v3.json +1437 -0
  4. data/lib/data/1.14.2/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.14.2/mappings/cwe/cwe.json +818 -0
  6. data/lib/data/1.14.2/mappings/cwe/cwe.schema.json +63 -0
  7. data/lib/data/1.14.2/mappings/remediation_advice/remediation_advice.json +2073 -0
  8. data/lib/data/1.14.2/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.14.2/third-party-mappings/remediation_training/secure-code-warrior-links.json +437 -0
  10. data/lib/data/1.14.2/vrt.schema.json +63 -0
  11. data/lib/data/1.14.2/vulnerability-rating-taxonomy.json +2724 -0
  12. data/lib/vrt/version.rb +1 -1
  13. metadata +12 -2
data/lib/data/1.14.2/vulnerability-rating-taxonomy.json ADDED
@@ -0,0 +1,2724 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2024-10-25T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "server_side_request_forgery_ssrf",
13
+ "name": "Server-Side Request Forgery (SSRF)",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "internal_high_impact",
18
+ "name": "Internal High Impact",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "internal_scan_and_or_medium_impact",
24
+ "name": "Internal Scan and/or Medium Impact",
25
+ "type": "variant",
26
+ "priority": 3
27
+ },
28
+ {
29
+ "id": "external_low_impact",
30
+ "name": "External - Low impact",
31
+ "type": "variant",
32
+ "priority": 5
33
+ },
34
+ {
35
+ "id": "external_dns_query_only",
36
+ "name": "External - DNS Query Only",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "unsafe_cross_origin_resource_sharing",
44
+ "name": "Unsafe Cross-Origin Resource Sharing",
45
+ "type": "subcategory",
46
+ "priority": null
47
+ },
48
+ {
49
+ "id": "request_smuggling",
50
+ "name": "HTTP Request Smuggling",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "path_traversal",
56
+ "name": "Path Traversal",
57
+ "type": "subcategory",
58
+ "priority": null
59
+ },
60
+ {
61
+ "id": "directory_listing_enabled",
62
+ "name": "Directory Listing Enabled",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "sensitive_data_exposure",
67
+ "name": "Sensitive Data Exposure",
68
+ "type": "variant",
69
+ "priority": null
70
+ },
71
+ {
72
+ "id": "non_sensitive_data_exposure",
73
+ "name": "Non-Sensitive Data Exposure",
74
+ "type": "variant",
75
+ "priority": 5
76
+ }
77
+ ]
78
+ },
79
+ {
80
+ "id": "same_site_scripting",
81
+ "name": "Same-Site Scripting",
82
+ "type": "subcategory",
83
+ "priority": 5
84
+ },
85
+ {
86
+ "id": "ssl_attack_breach_poodle_etc",
87
+ "name": "SSL Attack (BREACH, POODLE etc.)",
88
+ "type": "subcategory",
89
+ "priority": null
90
+ },
91
+ {
92
+ "id": "using_default_credentials",
93
+ "name": "Using Default Credentials",
94
+ "type": "subcategory",
95
+ "priority": 1
96
+ },
97
+ {
98
+ "id": "misconfigured_dns",
99
+ "name": "Misconfigured DNS",
100
+ "type": "subcategory",
101
+ "children": [
102
+ {
103
+ "id": "subdomain_takeover",
104
+ "name": "Subdomain Takeover",
105
+ "type": "variant",
106
+ "priority": 3
107
+ },
108
+ {
109
+ "id": "zone_transfer",
110
+ "name": "Zone Transfer",
111
+ "type": "variant",
112
+ "priority": 4
113
+ },
114
+ {
115
+ "id": "missing_caa_record",
116
+ "name": "Missing Certification Authority Authorization (CAA) Record",
117
+ "type": "variant",
118
+ "priority": 5
119
+ }
120
+ ]
121
+ },
122
+ {
123
+ "id": "mail_server_misconfiguration",
124
+ "name": "Mail Server Misconfiguration",
125
+ "type": "subcategory",
126
+ "children": [
127
+ {
128
+ "id": "no_spoofing_protection_on_email_domain",
129
+ "name": "No Spoofing Protection on Email Domain",
130
+ "type": "variant",
131
+ "priority": 3
132
+ },
133
+ {
134
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
135
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
136
+ "type": "variant",
137
+ "priority": 4
138
+ },
139
+ {
140
+ "id": "email_spoofing_to_spam_folder",
141
+ "name": "Email Spoofing to Spam Folder",
142
+ "type": "variant",
143
+ "priority": 5
144
+ },
145
+ {
146
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
147
+ "name": "Missing or Misconfigured SPF and/or DKIM",
148
+ "type": "variant",
149
+ "priority": 5
150
+ },
151
+ {
152
+ "id": "email_spoofing_on_non_email_domain",
153
+ "name": "Email Spoofing on Non-Email Domain",
154
+ "type": "variant",
155
+ "priority": 5
156
+ }
157
+ ]
158
+ },
159
+ {
160
+ "id": "dbms_misconfiguration",
161
+ "name": "Database Management System (DBMS) Misconfiguration",
162
+ "type": "subcategory",
163
+ "children": [
164
+ {
165
+ "id": "excessively_privileged_user_dba",
166
+ "name": "Excessively Privileged User / DBA",
167
+ "type": "variant",
168
+ "priority": 4
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "lack_of_password_confirmation",
174
+ "name": "Lack of Password Confirmation",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "change_email_address",
179
+ "name": "Change Email Address",
180
+ "type": "variant",
181
+ "priority": 5
182
+ },
183
+ {
184
+ "id": "change_password",
185
+ "name": "Change Password",
186
+ "type": "variant",
187
+ "priority": 5
188
+ },
189
+ {
190
+ "id": "delete_account",
191
+ "name": "Delete Account",
192
+ "type": "variant",
193
+ "priority": 4
194
+ },
195
+ {
196
+ "id": "manage_two_fa",
197
+ "name": "Manage 2FA",
198
+ "type": "variant",
199
+ "priority": 5
200
+ }
201
+ ]
202
+ },
203
+ {
204
+ "id": "no_rate_limiting_on_form",
205
+ "name": "No Rate Limiting on Form",
206
+ "type": "subcategory",
207
+ "children": [
208
+ {
209
+ "id": "registration",
210
+ "name": "Registration",
211
+ "type": "variant",
212
+ "priority": 4
213
+ },
214
+ {
215
+ "id": "login",
216
+ "name": "Login",
217
+ "type": "variant",
218
+ "priority": 4
219
+ },
220
+ {
221
+ "id": "email_triggering",
222
+ "name": "Email-Triggering",
223
+ "type": "variant",
224
+ "priority": 4
225
+ },
226
+ {
227
+ "id": "sms_triggering",
228
+ "name": "SMS-Triggering",
229
+ "type": "variant",
230
+ "priority": 4
231
+ },
232
+ {
233
+ "id": "change_password",
234
+ "name": "Change Password",
235
+ "type": "variant",
236
+ "priority": 5
237
+ }
238
+ ]
239
+ },
240
+ {
241
+ "id": "unsafe_file_upload",
242
+ "name": "Unsafe File Upload",
243
+ "type": "subcategory",
244
+ "children": [
245
+ {
246
+ "id": "no_antivirus",
247
+ "name": "No Antivirus",
248
+ "type": "variant",
249
+ "priority": 5
250
+ },
251
+ {
252
+ "id": "no_size_limit",
253
+ "name": "No Size Limit",
254
+ "type": "variant",
255
+ "priority": 5
256
+ },
257
+ {
258
+ "id": "file_extension_filter_bypass",
259
+ "name": "File Extension Filter Bypass",
260
+ "type": "variant",
261
+ "priority": 5
262
+ }
263
+ ]
264
+ },
265
+ {
266
+ "id": "cookie_scoped_to_parent_domain",
267
+ "name": "Cookie Scoped to Parent Domain",
268
+ "type": "subcategory",
269
+ "priority": 5
270
+ },
271
+ {
272
+ "id": "missing_secure_or_httponly_cookie_flag",
273
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
274
+ "type": "subcategory",
275
+ "children": [
276
+ {
277
+ "id": "session_token",
278
+ "name": "Session Token",
279
+ "type": "variant",
280
+ "priority": 4
281
+ },
282
+ {
283
+ "id": "non_session_cookie",
284
+ "name": "Non-Session Cookie",
285
+ "type": "variant",
286
+ "priority": 5
287
+ }
288
+ ]
289
+ },
290
+ {
291
+ "id": "clickjacking",
292
+ "name": "Clickjacking",
293
+ "type": "subcategory",
294
+ "children": [
295
+ {
296
+ "id": "sensitive_action",
297
+ "name": "Sensitive Click-Based Action",
298
+ "type": "variant",
299
+ "priority": 4
300
+ },
301
+ {
302
+ "id": "form_input",
303
+ "name": "Form Input",
304
+ "type": "variant",
305
+ "priority": 5
306
+ },
307
+ {
308
+ "id": "non_sensitive_action",
309
+ "name": "Non-Sensitive Action",
310
+ "type": "variant",
311
+ "priority": 5
312
+ }
313
+ ]
314
+ },
315
+ {
316
+ "id": "oauth_misconfiguration",
317
+ "name": "OAuth Misconfiguration",
318
+ "type": "subcategory",
319
+ "children": [
320
+ {
321
+ "id": "account_takeover",
322
+ "name": "Account Takeover",
323
+ "type": "variant",
324
+ "priority": 2
325
+ },
326
+ {
327
+ "id": "account_squatting",
328
+ "name": "Account Squatting",
329
+ "type": "variant",
330
+ "priority": 4
331
+ },
332
+ {
333
+ "id": "missing_state_parameter",
334
+ "name": "Missing/Broken State Parameter",
335
+ "type": "variant",
336
+ "priority": null
337
+ },
338
+ {
339
+ "id": "insecure_redirect_uri",
340
+ "name": "Insecure Redirect URI",
341
+ "type": "variant",
342
+ "priority": null
343
+ }
344
+ ]
345
+ },
346
+ {
347
+ "id": "captcha",
348
+ "name": "CAPTCHA",
349
+ "type": "subcategory",
350
+ "children": [
351
+ {
352
+ "id": "implementation_vulnerability",
353
+ "name": "Implementation Vulnerability",
354
+ "type": "variant",
355
+ "priority": 4
356
+ },
357
+ {
358
+ "id": "brute_force",
359
+ "name": "Brute Force",
360
+ "type": "variant",
361
+ "priority": 5
362
+ },
363
+ {
364
+ "id": "missing",
365
+ "name": "Missing",
366
+ "type": "variant",
367
+ "priority": 5
368
+ }
369
+ ]
370
+ },
371
+ {
372
+ "id": "exposed_admin_portal",
373
+ "name": "Exposed Admin Portal",
374
+ "type": "subcategory",
375
+ "children": [
376
+ {
377
+ "id": "to_internet",
378
+ "name": "To Internet",
379
+ "type": "variant",
380
+ "priority": 5
381
+ }
382
+ ]
383
+ },
384
+ {
385
+ "id": "missing_dnssec",
386
+ "name": "Missing DNSSEC",
387
+ "type": "subcategory",
388
+ "priority": 5
389
+ },
390
+ {
391
+ "id": "fingerprinting_banner_disclosure",
392
+ "name": "Fingerprinting/Banner Disclosure",
393
+ "type": "subcategory",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "username_enumeration",
398
+ "name": "Username/Email Enumeration",
399
+ "type": "subcategory",
400
+ "children": [
401
+ {
402
+ "id": "brute_force",
403
+ "name": "Brute Force",
404
+ "type": "variant",
405
+ "priority": 5
406
+ }
407
+ ]
408
+ },
409
+ {
410
+ "id": "potentially_unsafe_http_method_enabled",
411
+ "name": "Potentially Unsafe HTTP Method Enabled",
412
+ "type": "subcategory",
413
+ "children": [
414
+ {
415
+ "id": "options",
416
+ "name": "OPTIONS",
417
+ "type": "variant",
418
+ "priority": 5
419
+ },
420
+ {
421
+ "id": "trace",
422
+ "name": "TRACE",
423
+ "type": "variant",
424
+ "priority": 5
425
+ }
426
+ ]
427
+ },
428
+ {
429
+ "id": "insecure_ssl",
430
+ "name": "Insecure SSL",
431
+ "type": "subcategory",
432
+ "children": [
433
+ {
434
+ "id": "lack_of_forward_secrecy",
435
+ "name": "Lack of Forward Secrecy",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "insecure_cipher_suite",
441
+ "name": "Insecure Cipher Suite",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "certificate_error",
447
+ "name": "Certificate Error",
448
+ "type": "variant",
449
+ "priority": 5
450
+ }
451
+ ]
452
+ },
453
+ {
454
+ "id": "rfd",
455
+ "name": "Reflected File Download (RFD)",
456
+ "type": "subcategory",
457
+ "priority": 5
458
+ },
459
+ {
460
+ "id": "lack_of_security_headers",
461
+ "name": "Lack of Security Headers",
462
+ "type": "subcategory",
463
+ "children": [
464
+ {
465
+ "id": "x_frame_options",
466
+ "name": "X-Frame-Options",
467
+ "type": "variant",
468
+ "priority": 5
469
+ },
470
+ {
471
+ "id": "cache_control_for_a_non_sensitive_page",
472
+ "name": "Cache-Control for a Non-Sensitive Page",
473
+ "type": "variant",
474
+ "priority": 5
475
+ },
476
+ {
477
+ "id": "x_xss_protection",
478
+ "name": "X-XSS-Protection",
479
+ "type": "variant",
480
+ "priority": 5
481
+ },
482
+ {
483
+ "id": "strict_transport_security",
484
+ "name": "Strict-Transport-Security",
485
+ "type": "variant",
486
+ "priority": 5
487
+ },
488
+ {
489
+ "id": "x_content_type_options",
490
+ "name": "X-Content-Type-Options",
491
+ "type": "variant",
492
+ "priority": 5
493
+ },
494
+ {
495
+ "id": "content_security_policy",
496
+ "name": "Content-Security-Policy",
497
+ "type": "variant",
498
+ "priority": 5
499
+ },
500
+ {
501
+ "id": "public_key_pins",
502
+ "name": "Public-Key-Pins",
503
+ "type": "variant",
504
+ "priority": 5
505
+ },
506
+ {
507
+ "id": "x_content_security_policy",
508
+ "name": "X-Content-Security-Policy",
509
+ "type": "variant",
510
+ "priority": 5
511
+ },
512
+ {
513
+ "id": "x_webkit_csp",
514
+ "name": "X-Webkit-CSP",
515
+ "type": "variant",
516
+ "priority": 5
517
+ },
518
+ {
519
+ "id": "content_security_policy_report_only",
520
+ "name": "Content-Security-Policy-Report-Only",
521
+ "type": "variant",
522
+ "priority": 5
523
+ },
524
+ {
525
+ "id": "cache_control_for_a_sensitive_page",
526
+ "name": "Cache-Control for a Sensitive Page",
527
+ "type": "variant",
528
+ "priority": 4
529
+ }
530
+ ]
531
+ },
532
+ {
533
+ "id": "waf_bypass",
534
+ "name": "Web Application Firewall (WAF) Bypass",
535
+ "type": "subcategory",
536
+ "children": [
537
+ {
538
+ "id": "direct_server_access",
539
+ "name": "Direct Server Access",
540
+ "type": "variant",
541
+ "priority": 4
542
+ }
543
+ ]
544
+ },
545
+ {
546
+ "id": "race_condition",
547
+ "name": "Race Condition",
548
+ "type": "subcategory",
549
+ "priority": null
550
+ },
551
+ {
552
+ "id": "email_verification_bypass",
553
+ "name": "Email Verification Bypass",
554
+ "type": "subcategory",
555
+ "priority": 5
556
+ },
557
+ {
558
+ "id": "missing_subresource_integrity",
559
+ "name": "Missing Subresource Integrity",
560
+ "type": "subcategory",
561
+ "priority": 5
562
+ },
563
+ {
564
+ "id": "software_package_takeover",
565
+ "name": "Software Package Takeover",
566
+ "type": "subcategory",
567
+ "priority": null
568
+ },
569
+ {
570
+ "id": "cache_poisoning",
571
+ "name": "Cache Poisoning",
572
+ "type": "subcategory",
573
+ "priority": null
574
+ },
575
+ {
576
+ "id": "bitsquatting",
577
+ "name": "Bitsquatting",
578
+ "type": "subcategory",
579
+ "priority": 5
580
+ }
581
+ ]
582
+ },
583
+ {
584
+ "id": "server_side_injection",
585
+ "name": "Server-Side Injection",
586
+ "type": "category",
587
+ "children": [
588
+ {
589
+ "id": "file_inclusion",
590
+ "name": "File Inclusion",
591
+ "type": "subcategory",
592
+ "children": [
593
+ {
594
+ "id": "local",
595
+ "name": "Local",
596
+ "type": "variant",
597
+ "priority": 1
598
+ }
599
+ ]
600
+ },
601
+ {
602
+ "id": "parameter_pollution",
603
+ "name": "Parameter Pollution",
604
+ "type": "subcategory",
605
+ "children": [
606
+ {
607
+ "id": "social_media_sharing_buttons",
608
+ "name": "Social Media Sharing Buttons",
609
+ "type": "variant",
610
+ "priority": 5
611
+ }
612
+ ]
613
+ },
614
+ {
615
+ "id": "remote_code_execution_rce",
616
+ "name": "Remote Code Execution (RCE)",
617
+ "type": "subcategory",
618
+ "priority": 1
619
+ },
620
+ {
621
+ "id": "ldap_injection",
622
+ "name": "LDAP Injection",
623
+ "type": "subcategory",
624
+ "priority": null
625
+ },
626
+ {
627
+ "id": "sql_injection",
628
+ "name": "SQL Injection",
629
+ "type": "subcategory",
630
+ "priority": 1
631
+ },
632
+ {
633
+ "id": "xml_external_entity_injection_xxe",
634
+ "name": "XML External Entity Injection (XXE)",
635
+ "type": "subcategory",
636
+ "priority": 1
637
+ },
638
+ {
639
+ "id": "http_response_manipulation",
640
+ "name": "HTTP Response Manipulation",
641
+ "type": "subcategory",
642
+ "children": [
643
+ {
644
+ "id": "response_splitting_crlf",
645
+ "name": "Response Splitting (CRLF)",
646
+ "type": "variant",
647
+ "priority": 3
648
+ }
649
+ ]
650
+ },
651
+ {
652
+ "id": "content_spoofing",
653
+ "name": "Content Spoofing",
654
+ "type": "subcategory",
655
+ "children": [
656
+ {
657
+ "id": "iframe_injection",
658
+ "name": "iframe Injection",
659
+ "type": "variant",
660
+ "priority": 3
661
+ },
662
+ {
663
+ "id": "impersonation_via_broken_link_hijacking",
664
+ "name": "Impersonation via Broken Link Hijacking",
665
+ "type": "variant",
666
+ "priority": 4
667
+ },
668
+ {
669
+ "id": "external_authentication_injection",
670
+ "name": "External Authentication Injection",
671
+ "type": "variant",
672
+ "priority": 4
673
+ },
674
+ {
675
+ "id": "flash_based_external_authentication_injection",
676
+ "name": "Flash Based External Authentication Injection",
677
+ "type": "variant",
678
+ "priority": 5
679
+ },
680
+ {
681
+ "id": "html_content_injection",
682
+ "name": "HTML Content Injection",
683
+ "type": "variant",
684
+ "priority": 5
685
+ },
686
+ {
687
+ "id": "email_html_injection",
688
+ "name": "Email HTML Injection",
689
+ "type": "variant",
690
+ "priority": 4
691
+ },
692
+ {
693
+ "id": "email_hyperlink_injection_based_on_email_provider",
694
+ "name": "Email Hyperlink Injection Based on Email Provider",
695
+ "type": "variant",
696
+ "priority": 5
697
+ },
698
+ {
699
+ "id": "text_injection",
700
+ "name": "Text Injection",
701
+ "type": "variant",
702
+ "priority": 5
703
+ },
704
+ {
705
+ "id": "homograph_idn_based",
706
+ "name": "Homograph/IDN-Based",
707
+ "type": "variant",
708
+ "priority": 5
709
+ },
710
+ {
711
+ "id": "rtlo",
712
+ "name": "Right-to-Left Override (RTLO)",
713
+ "type": "variant",
714
+ "priority": 5
715
+ }
716
+ ]
717
+ },
718
+ {
719
+ "id": "ssti",
720
+ "name": "Server-Side Template Injection (SSTI)",
721
+ "type": "subcategory",
722
+ "children": [
723
+ {
724
+ "id": "basic",
725
+ "name": "Basic",
726
+ "type": "variant",
727
+ "priority": 4
728
+ },
729
+ {
730
+ "id": "custom",
731
+ "name": "Custom",
732
+ "type": "variant",
733
+ "priority": null
734
+ }
735
+ ]
736
+ }
737
+ ]
738
+ },
739
+ {
740
+ "id": "broken_authentication_and_session_management",
741
+ "name": "Broken Authentication and Session Management",
742
+ "type": "category",
743
+ "children": [
744
+ {
745
+ "id": "authentication_bypass",
746
+ "name": "Authentication Bypass",
747
+ "type": "subcategory",
748
+ "priority": 1
749
+ },
750
+ {
751
+ "id": "two_fa_bypass",
752
+ "name": "Second Factor Authentication (2FA) Bypass",
753
+ "type": "subcategory",
754
+ "priority": 3
755
+ },
756
+ {
757
+ "id": "cleartext_transmission_of_session_token",
758
+ "name": "Cleartext Transmission of Session Token",
759
+ "type": "subcategory",
760
+ "priority": 4
761
+ },
762
+ {
763
+ "id": "weak_login_function",
764
+ "name": "Weak Login Function",
765
+ "type": "subcategory",
766
+ "children": [
767
+ {
768
+ "id": "not_operational",
769
+ "name": "Not Operational or Intended Public Access",
770
+ "type": "variant",
771
+ "priority": 5
772
+ },
773
+ {
774
+ "id": "other_plaintext_protocol_no_secure_alternative",
775
+ "name": "Other Plaintext Protocol with no Secure Alternative",
776
+ "type": "variant",
777
+ "priority": 4
778
+ },
779
+ {
780
+ "id": "over_http",
781
+ "name": "Over HTTP",
782
+ "type": "variant",
783
+ "priority": 4
784
+ }
785
+ ]
786
+ },
787
+ {
788
+ "id": "session_fixation",
789
+ "name": "Session Fixation",
790
+ "type": "subcategory",
791
+ "children": [
792
+ {
793
+ "id": "remote_attack_vector",
794
+ "name": "Remote Attack Vector",
795
+ "type": "variant",
796
+ "priority": 3
797
+ },
798
+ {
799
+ "id": "local_attack_vector",
800
+ "name": "Local Attack Vector",
801
+ "type": "variant",
802
+ "priority": 5
803
+ }
804
+ ]
805
+ },
806
+ {
807
+ "id": "failure_to_invalidate_session",
808
+ "name": "Failure to Invalidate Session",
809
+ "type": "subcategory",
810
+ "children": [
811
+ {
812
+ "id": "on_logout",
813
+ "name": "On Logout (Client and Server-Side)",
814
+ "type": "variant",
815
+ "priority": 4
816
+ },
817
+ {
818
+ "id": "permission_change",
819
+ "name": "On Permission Change",
820
+ "type": "variant",
821
+ "priority": null
822
+ },
823
+ {
824
+ "id": "on_logout_server_side_only",
825
+ "name": "On Logout (Server-Side Only)",
826
+ "type": "variant",
827
+ "priority": 5
828
+ },
829
+ {
830
+ "id": "on_password_change",
831
+ "name": "On Password Reset and/or Change",
832
+ "type": "variant",
833
+ "priority": 4
834
+ },
835
+ {
836
+ "id": "all_sessions",
837
+ "name": "Concurrent Sessions On Logout",
838
+ "type": "variant",
839
+ "priority": 5
840
+ },
841
+ {
842
+ "id": "on_email_change",
843
+ "name": "On Email Change",
844
+ "type": "variant",
845
+ "priority": 5
846
+ },
847
+ {
848
+ "id": "on_two_fa_activation_change",
849
+ "name": "On 2FA Activation/Change",
850
+ "type": "variant",
851
+ "priority": 5
852
+ },
853
+ {
854
+ "id": "long_timeout",
855
+ "name": "Long Timeout",
856
+ "type": "variant",
857
+ "priority": 5
858
+ }
859
+ ]
860
+ },
861
+ {
862
+ "id": "concurrent_logins",
863
+ "name": "Concurrent Logins",
864
+ "type": "subcategory",
865
+ "priority": 5
866
+ },
867
+ {
868
+ "id": "weak_registration_implementation",
869
+ "name": "Weak Registration Implementation",
870
+ "type": "subcategory",
871
+ "children": [
872
+ {
873
+ "id": "over_http",
874
+ "name": "Over HTTP",
875
+ "type": "variant",
876
+ "priority": 4
877
+ }
878
+ ]
879
+ }
880
+ ]
881
+ },
882
+ {
883
+ "id": "sensitive_data_exposure",
884
+ "name": "Sensitive Data Exposure",
885
+ "type": "category",
886
+ "children": [
887
+ {
888
+ "id": "disclosure_of_secrets",
889
+ "name": "Disclosure of Secrets",
890
+ "type": "subcategory",
891
+ "children": [
892
+ {
893
+ "id": "for_publicly_accessible_asset",
894
+ "name": "For Publicly Accessible Asset",
895
+ "type": "variant",
896
+ "priority": 1
897
+ },
898
+ {
899
+ "id": "pii_leakage_exposure",
900
+ "name": "PII Leakage/Exposure",
901
+ "type": "variant",
902
+ "priority": null
903
+ },
904
+ {
905
+ "id": "for_internal_asset",
906
+ "name": "For Internal Asset",
907
+ "type": "variant",
908
+ "priority": 3
909
+ },
910
+ {
911
+ "id": "pay_per_use_abuse",
912
+ "name": "Pay-Per-Use Abuse",
913
+ "type": "variant",
914
+ "priority": 4
915
+ },
916
+ {
917
+ "id": "intentionally_public_sample_or_invalid",
918
+ "name": "Intentionally Public, Sample or Invalid",
919
+ "type": "variant",
920
+ "priority": 5
921
+ },
922
+ {
923
+ "id": "data_traffic_spam",
924
+ "name": "Data/Traffic Spam",
925
+ "type": "variant",
926
+ "priority": 5
927
+ },
928
+ {
929
+ "id": "non_corporate_user",
930
+ "name": "Non-Corporate User",
931
+ "type": "variant",
932
+ "priority": 5
933
+ }
934
+ ]
935
+ },
936
+ {
937
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
938
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
939
+ "type": "subcategory",
940
+ "children": [
941
+ {
942
+ "id": "automatic_user_enumeration",
943
+ "name": "Automatic User Enumeration",
944
+ "type": "variant",
945
+ "priority": 3
946
+ },
947
+ {
948
+ "id": "manual_user_enumeration",
949
+ "name": "Manual User Enumeration",
950
+ "type": "variant",
951
+ "priority": 4
952
+ }
953
+ ]
954
+ },
955
+ {
956
+ "id": "visible_detailed_error_page",
957
+ "name": "Visible Detailed Error/Debug Page",
958
+ "type": "subcategory",
959
+ "children": [
960
+ {
961
+ "id": "detailed_server_configuration",
962
+ "name": "Detailed Server Configuration",
963
+ "type": "variant",
964
+ "priority": 4
965
+ },
966
+ {
967
+ "id": "full_path_disclosure",
968
+ "name": "Full Path Disclosure",
969
+ "type": "variant",
970
+ "priority": 5
971
+ },
972
+ {
973
+ "id": "descriptive_stack_trace",
974
+ "name": "Descriptive Stack Trace",
975
+ "type": "variant",
976
+ "priority": 5
977
+ }
978
+ ]
979
+ },
980
+ {
981
+ "id": "disclosure_of_known_public_information",
982
+ "name": "Disclosure of Known Public Information",
983
+ "type": "subcategory",
984
+ "priority": 5
985
+ },
986
+ {
987
+ "id": "token_leakage_via_referer",
988
+ "name": "Token Leakage via Referer",
989
+ "type": "subcategory",
990
+ "children": [
991
+ {
992
+ "id": "trusted_third_party",
993
+ "name": "Trusted 3rd Party",
994
+ "type": "variant",
995
+ "priority": 5
996
+ },
997
+ {
998
+ "id": "untrusted_third_party",
999
+ "name": "Untrusted 3rd Party",
1000
+ "type": "variant",
1001
+ "priority": 4
1002
+ },
1003
+ {
1004
+ "id": "over_http",
1005
+ "name": "Over HTTP",
1006
+ "type": "variant",
1007
+ "priority": 4
1008
+ },
1009
+ {
1010
+ "id": "password_reset_token",
1011
+ "name": "Password Reset Token",
1012
+ "type": "variant",
1013
+ "priority": 5
1014
+ }
1015
+ ]
1016
+ },
1017
+ {
1018
+ "id": "sensitive_token_in_url",
1019
+ "name": "Sensitive Token in URL",
1020
+ "type": "subcategory",
1021
+ "children": [
1022
+ {
1023
+ "id": "user_facing",
1024
+ "name": "User Facing",
1025
+ "type": "variant",
1026
+ "priority": 4
1027
+ },
1028
+ {
1029
+ "id": "in_the_background",
1030
+ "name": "In the Background",
1031
+ "type": "variant",
1032
+ "priority": 5
1033
+ },
1034
+ {
1035
+ "id": "on_password_reset",
1036
+ "name": "On Password Reset",
1037
+ "type": "variant",
1038
+ "priority": 5
1039
+ }
1040
+ ]
1041
+ },
1042
+ {
1043
+ "id": "non_sensitive_token_in_url",
1044
+ "name": "Non-Sensitive Token in URL",
1045
+ "type": "subcategory",
1046
+ "priority": 5
1047
+ },
1048
+ {
1049
+ "id": "weak_password_reset_implementation",
1050
+ "name": "Weak Password Reset Implementation",
1051
+ "type": "subcategory",
1052
+ "children": [
1053
+ {
1054
+ "id": "password_reset_token_sent_over_http",
1055
+ "name": "Password Reset Token Sent Over HTTP",
1056
+ "type": "variant",
1057
+ "priority": 4
1058
+ },
1059
+ {
1060
+ "id": "token_leakage_via_host_header_poisoning",
1061
+ "name": "Token Leakage via Host Header Poisoning",
1062
+ "type": "variant",
1063
+ "priority": 2
1064
+ }
1065
+ ]
1066
+ },
1067
+ {
1068
+ "id": "mixed_content",
1069
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1070
+ "type": "subcategory",
1071
+ "priority": 5
1072
+ },
1073
+ {
1074
+ "id": "sensitive_data_hardcoded",
1075
+ "name": "Sensitive Data Hardcoded",
1076
+ "type": "subcategory",
1077
+ "children": [
1078
+ {
1079
+ "id": "oauth_secret",
1080
+ "name": "OAuth Secret",
1081
+ "type": "variant",
1082
+ "priority": 5
1083
+ },
1084
+ {
1085
+ "id": "file_paths",
1086
+ "name": "File Paths",
1087
+ "type": "variant",
1088
+ "priority": 5
1089
+ }
1090
+ ]
1091
+ },
1092
+ {
1093
+ "id": "internal_ip_disclosure",
1094
+ "name": "Internal IP Disclosure",
1095
+ "type": "subcategory",
1096
+ "priority": 5
1097
+ },
1098
+ {
1099
+ "id": "xssi",
1100
+ "name": "Cross Site Script Inclusion (XSSI)",
1101
+ "type": "subcategory",
1102
+ "priority": null
1103
+ },
1104
+ {
1105
+ "id": "json_hijacking",
1106
+ "name": "JSON Hijacking",
1107
+ "type": "subcategory",
1108
+ "priority": 5
1109
+ },
1110
+ {
1111
+ "id": "via_localstorage_sessionstorage",
1112
+ "name": "Via localStorage/sessionStorage",
1113
+ "type": "subcategory",
1114
+ "children": [
1115
+ {
1116
+ "id": "sensitive_token",
1117
+ "name": "Sensitive Token",
1118
+ "type": "variant",
1119
+ "priority": 4
1120
+ },
1121
+ {
1122
+ "id": "non_sensitive_token",
1123
+ "name": "Non-Sensitive Token",
1124
+ "type": "variant",
1125
+ "priority": 5
1126
+ }
1127
+ ]
1128
+ }
1129
+ ]
1130
+ },
1131
+ {
1132
+ "id": "cross_site_scripting_xss",
1133
+ "name": "Cross-Site Scripting (XSS)",
1134
+ "type": "category",
1135
+ "children": [
1136
+ {
1137
+ "id": "stored",
1138
+ "name": "Stored",
1139
+ "type": "subcategory",
1140
+ "children": [
1141
+ {
1142
+ "id": "non_admin_to_anyone",
1143
+ "name": "Non-Privileged User to Anyone",
1144
+ "type": "variant",
1145
+ "priority": 2
1146
+ },
1147
+ {
1148
+ "id": "privileged_user_to_privilege_elevation",
1149
+ "name": "Privileged User to Privilege Elevation",
1150
+ "type": "variant",
1151
+ "priority": 3
1152
+ },
1153
+ {
1154
+ "id": "privileged_user_to_no_privilege_elevation",
1155
+ "name": "Privileged User to No Privilege Elevation",
1156
+ "type": "variant",
1157
+ "priority": 4
1158
+ },
1159
+ {
1160
+ "id": "url_based",
1161
+ "name": "CSRF/URL-Based",
1162
+ "type": "variant",
1163
+ "priority": 3
1164
+ },
1165
+ {
1166
+ "id": "self",
1167
+ "name": "Self",
1168
+ "type": "variant",
1169
+ "priority": 5
1170
+ }
1171
+ ]
1172
+ },
1173
+ {
1174
+ "id": "reflected",
1175
+ "name": "Reflected",
1176
+ "type": "subcategory",
1177
+ "children": [
1178
+ {
1179
+ "id": "non_self",
1180
+ "name": "Non-Self",
1181
+ "type": "variant",
1182
+ "priority": 3
1183
+ },
1184
+ {
1185
+ "id": "self",
1186
+ "name": "Self",
1187
+ "type": "variant",
1188
+ "priority": 5
1189
+ }
1190
+ ]
1191
+ },
1192
+ {
1193
+ "id": "flash_based",
1194
+ "name": "Flash-Based",
1195
+ "type": "subcategory",
1196
+ "priority": 5
1197
+ },
1198
+ {
1199
+ "id": "cookie_based",
1200
+ "name": "Cookie-Based",
1201
+ "type": "subcategory",
1202
+ "priority": 5
1203
+ },
1204
+ {
1205
+ "id": "ie_only",
1206
+ "name": "IE-Only",
1207
+ "type": "subcategory",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "referer",
1212
+ "name": "Referer",
1213
+ "type": "subcategory",
1214
+ "priority": 4
1215
+ },
1216
+ {
1217
+ "id": "trace_method",
1218
+ "name": "TRACE Method",
1219
+ "type": "subcategory",
1220
+ "priority": 5
1221
+ },
1222
+ {
1223
+ "id": "universal_uxss",
1224
+ "name": "Universal (UXSS)",
1225
+ "type": "subcategory",
1226
+ "priority": 4
1227
+ },
1228
+ {
1229
+ "id": "off_domain",
1230
+ "name": "Off-Domain",
1231
+ "type": "subcategory",
1232
+ "children": [
1233
+ {
1234
+ "id": "data_uri",
1235
+ "name": "Data URI",
1236
+ "type": "variant",
1237
+ "priority": 4
1238
+ }
1239
+ ]
1240
+ }
1241
+ ]
1242
+ },
1243
+ {
1244
+ "id": "broken_access_control",
1245
+ "name": "Broken Access Control (BAC)",
1246
+ "type": "category",
1247
+ "children": [
1248
+ {
1249
+ "id": "idor",
1250
+ "name": "Insecure Direct Object References (IDOR)",
1251
+ "type": "subcategory",
1252
+ "children": [
1253
+ {
1254
+ "id": "read_edit_delete_non_sensitive_information",
1255
+ "name": "Read/Edit/Delete Non-Sensitive Information",
1256
+ "type": "variant",
1257
+ "priority": 5
1258
+ },
1259
+ {
1260
+ "id": "read_edit_delete_sensitive_information_guid",
1261
+ "name": "Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID)",
1262
+ "type": "variant",
1263
+ "priority": 4
1264
+ },
1265
+ {
1266
+ "id": "read_sensitive_information_iterable_object_identifiers",
1267
+ "name": "Read Sensitive Information/Iterable Object Identifiers",
1268
+ "type": "variant",
1269
+ "priority": 3
1270
+ },
1271
+ {
1272
+ "id": "edit_delete_sensitive_information_iterable_object_identifiers",
1273
+ "name": "Edit/Delete Sensitive Information/Iterable Object Identifiers",
1274
+ "type": "variant",
1275
+ "priority": 2
1276
+ },
1277
+ {
1278
+ "id": "read_edit_delete_sensitive_information_iterable_object_identifiers",
1279
+ "name": "Read/Edit/Delete Sensitive Information/Iterable Object Identifiers",
1280
+ "type": "variant",
1281
+ "priority": 1
1282
+ }
1283
+ ]
1284
+ },
1285
+ {
1286
+ "id": "username_enumeration",
1287
+ "name": "Username/Email Enumeration",
1288
+ "type": "subcategory",
1289
+ "children": [
1290
+ {
1291
+ "id": "non_brute_force",
1292
+ "name": "Non-Brute Force",
1293
+ "type": "variant",
1294
+ "priority": 4
1295
+ }
1296
+ ]
1297
+ },
1298
+ {
1299
+ "id": "exposed_sensitive_android_intent",
1300
+ "name": "Exposed Sensitive Android Intent",
1301
+ "type": "subcategory",
1302
+ "priority": null
1303
+ },
1304
+ {
1305
+ "id": "privilege_escalation",
1306
+ "name": "Privilege Escalation",
1307
+ "type": "subcategory",
1308
+ "priority": null
1309
+ },
1310
+ {
1311
+ "id": "exposed_sensitive_ios_url_scheme",
1312
+ "name": "Exposed Sensitive iOS URL Scheme",
1313
+ "type": "subcategory",
1314
+ "priority": null
1315
+ }
1316
+ ]
1317
+ },
1318
+ {
1319
+ "id": "cross_site_request_forgery_csrf",
1320
+ "name": "Cross-Site Request Forgery (CSRF)",
1321
+ "type": "category",
1322
+ "children": [
1323
+ {
1324
+ "id": "application_wide",
1325
+ "name": "Application-Wide",
1326
+ "type": "subcategory",
1327
+ "priority": 2
1328
+ },
1329
+ {
1330
+ "id": "action_specific",
1331
+ "name": "Action-Specific",
1332
+ "type": "subcategory",
1333
+ "children": [
1334
+ {
1335
+ "id": "authenticated_action",
1336
+ "name": "Authenticated Action",
1337
+ "type": "variant",
1338
+ "priority": null
1339
+ },
1340
+ {
1341
+ "id": "unauthenticated_action",
1342
+ "name": "Unauthenticated Action",
1343
+ "type": "variant",
1344
+ "priority": null
1345
+ },
1346
+ {
1347
+ "id": "logout",
1348
+ "name": "Logout",
1349
+ "type": "variant",
1350
+ "priority": 5
1351
+ }
1352
+ ]
1353
+ },
1354
+ {
1355
+ "id": "csrf_token_not_unique_per_request",
1356
+ "name": "CSRF Token Not Unique Per Request",
1357
+ "type": "subcategory",
1358
+ "priority": 5
1359
+ },
1360
+ {
1361
+ "id": "flash_based",
1362
+ "name": "Flash-Based",
1363
+ "type": "subcategory",
1364
+ "priority": 5
1365
+ }
1366
+ ]
1367
+ },
1368
+ {
1369
+ "id": "application_level_denial_of_service_dos",
1370
+ "name": "Application-Level Denial-of-Service (DoS)",
1371
+ "type": "category",
1372
+ "children": [
1373
+ {
1374
+ "id": "excessive_resource_consumption",
1375
+ "name": "Excessive Resource Consumption",
1376
+ "type": "subcategory",
1377
+ "children": [
1378
+ {
1379
+ "id": "injection_prompt",
1380
+ "name": "Injection (Prompt)",
1381
+ "type": "variant",
1382
+ "priority": null
1383
+ }
1384
+ ]
1385
+ },
1386
+ {
1387
+ "id": "critical_impact_and_or_easy_difficulty",
1388
+ "name": "Critical Impact and/or Easy Difficulty",
1389
+ "type": "subcategory",
1390
+ "priority": 2
1391
+ },
1392
+ {
1393
+ "id": "high_impact_and_or_medium_difficulty",
1394
+ "name": "High Impact and/or Medium Difficulty",
1395
+ "type": "subcategory",
1396
+ "priority": 3
1397
+ },
1398
+ {
1399
+ "id": "app_crash",
1400
+ "name": "App Crash",
1401
+ "type": "subcategory",
1402
+ "children": [
1403
+ {
1404
+ "id": "malformed_android_intents",
1405
+ "name": "Malformed Android Intents",
1406
+ "type": "variant",
1407
+ "priority": 5
1408
+ },
1409
+ {
1410
+ "id": "malformed_ios_url_schemes",
1411
+ "name": "Malformed iOS URL Schemes",
1412
+ "type": "variant",
1413
+ "priority": 5
1414
+ }
1415
+ ]
1416
+ }
1417
+ ]
1418
+ },
1419
+ {
1420
+ "id": "unvalidated_redirects_and_forwards",
1421
+ "name": "Unvalidated Redirects and Forwards",
1422
+ "type": "category",
1423
+ "children": [
1424
+ {
1425
+ "id": "open_redirect",
1426
+ "name": "Open Redirect",
1427
+ "type": "subcategory",
1428
+ "children": [
1429
+ {
1430
+ "id": "get_based",
1431
+ "name": "GET-Based",
1432
+ "type": "variant",
1433
+ "priority": 4
1434
+ },
1435
+ {
1436
+ "id": "post_based",
1437
+ "name": "POST-Based",
1438
+ "type": "variant",
1439
+ "priority": 5
1440
+ },
1441
+ {
1442
+ "id": "header_based",
1443
+ "name": "Header-Based",
1444
+ "type": "variant",
1445
+ "priority": 5
1446
+ },
1447
+ {
1448
+ "id": "flash_based",
1449
+ "name": "Flash-Based",
1450
+ "type": "variant",
1451
+ "priority": 5
1452
+ }
1453
+ ]
1454
+ },
1455
+ {
1456
+ "id": "tabnabbing",
1457
+ "name": "Tabnabbing",
1458
+ "type": "subcategory",
1459
+ "priority": 5
1460
+ },
1461
+ {
1462
+ "id": "lack_of_security_speed_bump_page",
1463
+ "name": "Lack of Security Speed Bump Page",
1464
+ "type": "subcategory",
1465
+ "priority": 5
1466
+ }
1467
+ ]
1468
+ },
1469
+ {
1470
+ "id": "external_behavior",
1471
+ "name": "External Behavior",
1472
+ "type": "category",
1473
+ "children": [
1474
+ {
1475
+ "id": "browser_feature",
1476
+ "name": "Browser Feature",
1477
+ "type": "subcategory",
1478
+ "children": [
1479
+ {
1480
+ "id": "plaintext_password_field",
1481
+ "name": "Plaintext Password Field",
1482
+ "type": "variant",
1483
+ "priority": 5
1484
+ },
1485
+ {
1486
+ "id": "save_password",
1487
+ "name": "Save Password",
1488
+ "type": "variant",
1489
+ "priority": 5
1490
+ },
1491
+ {
1492
+ "id": "autocomplete_enabled",
1493
+ "name": "Autocomplete Enabled",
1494
+ "type": "variant",
1495
+ "priority": 5
1496
+ },
1497
+ {
1498
+ "id": "autocorrect_enabled",
1499
+ "name": "Autocorrect Enabled",
1500
+ "type": "variant",
1501
+ "priority": 5
1502
+ },
1503
+ {
1504
+ "id": "aggressive_offline_caching",
1505
+ "name": "Aggressive Offline Caching",
1506
+ "type": "variant",
1507
+ "priority": 5
1508
+ }
1509
+ ]
1510
+ },
1511
+ {
1512
+ "id": "csv_injection",
1513
+ "name": "CSV Injection",
1514
+ "type": "subcategory",
1515
+ "priority": 5
1516
+ },
1517
+ {
1518
+ "id": "captcha_bypass",
1519
+ "name": "Captcha Bypass",
1520
+ "type": "subcategory",
1521
+ "children": [
1522
+ {
1523
+ "id": "crowdsourcing",
1524
+ "name": "Crowdsourcing",
1525
+ "type": "variant",
1526
+ "priority": 5
1527
+ }
1528
+ ]
1529
+ },
1530
+ {
1531
+ "id": "system_clipboard_leak",
1532
+ "name": "System Clipboard Leak",
1533
+ "type": "subcategory",
1534
+ "children": [
1535
+ {
1536
+ "id": "shared_links",
1537
+ "name": "Shared Links",
1538
+ "type": "variant",
1539
+ "priority": 5
1540
+ }
1541
+ ]
1542
+ },
1543
+ {
1544
+ "id": "user_password_persisted_in_memory",
1545
+ "name": "User Password Persisted in Memory",
1546
+ "type": "subcategory",
1547
+ "priority": 5
1548
+ }
1549
+ ]
1550
+ },
1551
+ {
1552
+ "id": "insufficient_security_configurability",
1553
+ "name": "Insufficient Security Configurability",
1554
+ "type": "category",
1555
+ "children": [
1556
+ {
1557
+ "id": "weak_password_policy",
1558
+ "name": "Weak Password Policy",
1559
+ "type": "subcategory",
1560
+ "priority": 5
1561
+ },
1562
+ {
1563
+ "id": "no_password_policy",
1564
+ "name": "No Password Policy",
1565
+ "type": "subcategory",
1566
+ "priority": 4
1567
+ },
1568
+ {
1569
+ "id": "password_policy_bypass",
1570
+ "name": "Password Policy Bypass",
1571
+ "type": "subcategory",
1572
+ "priority": 5
1573
+ },
1574
+ {
1575
+ "id": "weak_password_reset_implementation",
1576
+ "name": "Weak Password Reset Implementation",
1577
+ "type": "subcategory",
1578
+ "children": [
1579
+ {
1580
+ "id": "token_is_not_invalidated_after_use",
1581
+ "name": "Token is Not Invalidated After Use",
1582
+ "type": "variant",
1583
+ "priority": 4
1584
+ },
1585
+ {
1586
+ "id": "token_is_not_invalidated_after_email_change",
1587
+ "name": "Token is Not Invalidated After Email Change",
1588
+ "type": "variant",
1589
+ "priority": 5
1590
+ },
1591
+ {
1592
+ "id": "token_is_not_invalidated_after_password_change",
1593
+ "name": "Token is Not Invalidated After Password Change",
1594
+ "type": "variant",
1595
+ "priority": 5
1596
+ },
1597
+ {
1598
+ "id": "token_has_long_timed_expiry",
1599
+ "name": "Token Has Long Timed Expiry",
1600
+ "type": "variant",
1601
+ "priority": 5
1602
+ },
1603
+ {
1604
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1605
+ "name": "Token is Not Invalidated After New Token is Requested",
1606
+ "type": "variant",
1607
+ "priority": 5
1608
+ },
1609
+ {
1610
+ "id": "token_is_not_invalidated_after_login",
1611
+ "name": "Token is Not Invalidated After Login",
1612
+ "type": "variant",
1613
+ "priority": 5
1614
+ }
1615
+ ]
1616
+ },
1617
+ {
1618
+ "id": "verification_of_contact_method_not_required",
1619
+ "name": "Verification of Contact Method not Required",
1620
+ "type": "subcategory",
1621
+ "priority": 5
1622
+ },
1623
+ {
1624
+ "id": "lack_of_notification_email",
1625
+ "name": "Lack of Notification Email",
1626
+ "type": "subcategory",
1627
+ "priority": 5
1628
+ },
1629
+ {
1630
+ "id": "weak_registration_implementation",
1631
+ "name": "Weak Registration Implementation",
1632
+ "type": "subcategory",
1633
+ "children": [
1634
+ {
1635
+ "id": "allows_disposable_email_addresses",
1636
+ "name": "Allows Disposable Email Addresses",
1637
+ "type": "variant",
1638
+ "priority": 5
1639
+ }
1640
+ ]
1641
+ },
1642
+ {
1643
+ "id": "weak_two_fa_implementation",
1644
+ "name": "Weak 2FA Implementation",
1645
+ "type": "subcategory",
1646
+ "children": [
1647
+ {
1648
+ "id": "two_fa_secret_cannot_be_rotated",
1649
+ "name": "2FA Secret Cannot be Rotated",
1650
+ "type": "variant",
1651
+ "priority": 4
1652
+ },
1653
+ {
1654
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1655
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1656
+ "type": "variant",
1657
+ "priority": 4
1658
+ },
1659
+ {
1660
+ "id": "missing_failsafe",
1661
+ "name": "Missing Failsafe",
1662
+ "type": "variant",
1663
+ "priority": 5
1664
+ },
1665
+ {
1666
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1667
+ "name": "2FA Code is Not Updated After New Code is Requested",
1668
+ "type": "variant",
1669
+ "priority": 5
1670
+ },
1671
+ {
1672
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1673
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1674
+ "type": "variant",
1675
+ "priority": 5
1676
+ }
1677
+ ]
1678
+ }
1679
+ ]
1680
+ },
1681
+ {
1682
+ "id": "using_components_with_known_vulnerabilities",
1683
+ "name": "Using Components with Known Vulnerabilities",
1684
+ "type": "category",
1685
+ "children": [
1686
+ {
1687
+ "id": "rosetta_flash",
1688
+ "name": "Rosetta Flash",
1689
+ "type": "subcategory",
1690
+ "priority": 5
1691
+ },
1692
+ {
1693
+ "id": "outdated_software_version",
1694
+ "name": "Outdated Software Version",
1695
+ "type": "subcategory",
1696
+ "priority": 5
1697
+ },
1698
+ {
1699
+ "id": "captcha_bypass",
1700
+ "name": "Captcha Bypass",
1701
+ "type": "subcategory",
1702
+ "children": [
1703
+ {
1704
+ "id": "ocr_optical_character_recognition",
1705
+ "name": "OCR (Optical Character Recognition)",
1706
+ "type": "variant",
1707
+ "priority": 5
1708
+ }
1709
+ ]
1710
+ }
1711
+ ]
1712
+ },
1713
+ {
1714
+ "id": "insecure_data_storage",
1715
+ "name": "Insecure Data Storage",
1716
+ "type": "category",
1717
+ "children": [
1718
+ {
1719
+ "id": "sensitive_application_data_stored_unencrypted",
1720
+ "name": "Sensitive Application Data Stored Unencrypted",
1721
+ "type": "subcategory",
1722
+ "children": [
1723
+ {
1724
+ "id": "on_external_storage",
1725
+ "name": "On External Storage",
1726
+ "type": "variant",
1727
+ "priority": 4
1728
+ },
1729
+ {
1730
+ "id": "on_internal_storage",
1731
+ "name": "On Internal Storage",
1732
+ "type": "variant",
1733
+ "priority": 5
1734
+ }
1735
+ ]
1736
+ },
1737
+ {
1738
+ "id": "server_side_credentials_storage",
1739
+ "name": "Server-Side Credentials Storage",
1740
+ "type": "subcategory",
1741
+ "children": [
1742
+ {
1743
+ "id": "plaintext",
1744
+ "name": "Plaintext",
1745
+ "type": "variant",
1746
+ "priority": 4
1747
+ }
1748
+ ]
1749
+ },
1750
+ {
1751
+ "id": "non_sensitive_application_data_stored_unencrypted",
1752
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1753
+ "type": "subcategory",
1754
+ "priority": 5
1755
+ },
1756
+ {
1757
+ "id": "screen_caching_enabled",
1758
+ "name": "Screen Caching Enabled",
1759
+ "type": "subcategory",
1760
+ "priority": 5
1761
+ }
1762
+ ]
1763
+ },
1764
+ {
1765
+ "id": "lack_of_binary_hardening",
1766
+ "name": "Lack of Binary Hardening",
1767
+ "type": "category",
1768
+ "children": [
1769
+ {
1770
+ "id": "lack_of_exploit_mitigations",
1771
+ "name": "Lack of Exploit Mitigations",
1772
+ "type": "subcategory",
1773
+ "priority": 5
1774
+ },
1775
+ {
1776
+ "id": "lack_of_jailbreak_detection",
1777
+ "name": "Lack of Jailbreak Detection",
1778
+ "type": "subcategory",
1779
+ "priority": 5
1780
+ },
1781
+ {
1782
+ "id": "lack_of_obfuscation",
1783
+ "name": "Lack of Obfuscation",
1784
+ "type": "subcategory",
1785
+ "priority": 5
1786
+ },
1787
+ {
1788
+ "id": "runtime_instrumentation_based",
1789
+ "name": "Runtime Instrumentation-Based",
1790
+ "type": "subcategory",
1791
+ "priority": 5
1792
+ }
1793
+ ]
1794
+ },
1795
+ {
1796
+ "id": "insecure_data_transport",
1797
+ "name": "Insecure Data Transport",
1798
+ "type": "category",
1799
+ "children": [
1800
+ {
1801
+ "id": "cleartext_transmission_of_sensitive_data",
1802
+ "name": "Cleartext Transmission of Sensitive Data",
1803
+ "type": "subcategory",
1804
+ "priority": null
1805
+ },
1806
+ {
1807
+ "id": "executable_download",
1808
+ "name": "Executable Download",
1809
+ "type": "subcategory",
1810
+ "children": [
1811
+ {
1812
+ "id": "no_secure_integrity_check",
1813
+ "name": "No Secure Integrity Check",
1814
+ "type": "variant",
1815
+ "priority": 4
1816
+ },
1817
+ {
1818
+ "id": "secure_integrity_check",
1819
+ "name": "Secure Integrity Check",
1820
+ "type": "variant",
1821
+ "priority": 5
1822
+ }
1823
+ ]
1824
+ }
1825
+ ]
1826
+ },
1827
+ {
1828
+ "id": "data_biases",
1829
+ "name": "Data Biases",
1830
+ "type": "category",
1831
+ "children": [
1832
+ {
1833
+ "id": "representation_bias",
1834
+ "name": "Representation Bias",
1835
+ "type": "subcategory",
1836
+ "priority": null
1837
+ },
1838
+ {
1839
+ "id": "pre_existing_bias",
1840
+ "name": "Pre-existing Bias",
1841
+ "type": "subcategory",
1842
+ "priority": null
1843
+ }
1844
+ ]
1845
+ },
1846
+ {
1847
+ "id": "algorithmic_biases",
1848
+ "name": "Algorithmic Biases",
1849
+ "type": "category",
1850
+ "children": [
1851
+ {
1852
+ "id": "processing_bias",
1853
+ "name": "Processing Bias",
1854
+ "type": "subcategory",
1855
+ "priority": null
1856
+ },
1857
+ {
1858
+ "id": "aggregation_bias",
1859
+ "name": "Aggregation Bias",
1860
+ "type": "subcategory",
1861
+ "priority": null
1862
+ }
1863
+ ]
1864
+ },
1865
+ {
1866
+ "id": "societal_biases",
1867
+ "name": "Societal Biases",
1868
+ "type": "category",
1869
+ "children": [
1870
+ {
1871
+ "id": "confirmation_bias",
1872
+ "name": "Confirmation Bias",
1873
+ "type": "subcategory",
1874
+ "priority": null
1875
+ },
1876
+ {
1877
+ "id": "systemic_bias",
1878
+ "name": "Systemic Bias",
1879
+ "type": "subcategory",
1880
+ "priority": null
1881
+ }
1882
+ ]
1883
+ },
1884
+ {
1885
+ "id": "misinterpretation_biases",
1886
+ "name": "Misinterpretation Biases",
1887
+ "type": "category",
1888
+ "children": [
1889
+ {
1890
+ "id": "context_ignorance",
1891
+ "name": "Context Ignorance",
1892
+ "type": "subcategory",
1893
+ "priority": null
1894
+ }
1895
+ ]
1896
+ },
1897
+ {
1898
+ "id": "developer_biases",
1899
+ "name": "Developer Biases",
1900
+ "type": "category",
1901
+ "children": [
1902
+ {
1903
+ "id": "implicit_bias",
1904
+ "name": "Implicit Bias",
1905
+ "type": "subcategory",
1906
+ "priority": null
1907
+ }
1908
+ ]
1909
+ },
1910
+ {
1911
+ "id": "physical_security_issues",
1912
+ "name": "Physical Security Issues",
1913
+ "type": "category",
1914
+ "children": [
1915
+ {
1916
+ "id": "bypass_of_physical_access_control",
1917
+ "name": "Bypass of physical access control",
1918
+ "type": "subcategory",
1919
+ "priority": null
1920
+ },
1921
+ {
1922
+ "id": "weakness_in_physical_access_control",
1923
+ "name": "Weakness in physical access control",
1924
+ "type": "subcategory",
1925
+ "children": [
1926
+ {
1927
+ "id": "cloneable_key",
1928
+ "name": "Cloneable Key",
1929
+ "type": "variant",
1930
+ "priority": null
1931
+ },
1932
+ {
1933
+ "id": "master_key_identification",
1934
+ "name": "Master Key Identification",
1935
+ "type": "variant",
1936
+ "priority": null
1937
+ },
1938
+ {
1939
+ "id": "commonly_keyed_system",
1940
+ "name": "Commonly Keyed System",
1941
+ "type": "variant",
1942
+ "priority": 2
1943
+ }
1944
+ ]
1945
+ }
1946
+ ]
1947
+ },
1948
+ {
1949
+ "id": "insecure_os_firmware",
1950
+ "name": "Insecure OS/Firmware",
1951
+ "type": "category",
1952
+ "children": [
1953
+ {
1954
+ "id": "command_injection",
1955
+ "name": "Command Injection",
1956
+ "type": "subcategory",
1957
+ "priority": 1
1958
+ },
1959
+ {
1960
+ "id": "hardcoded_password",
1961
+ "name": "Hardcoded Password",
1962
+ "type": "subcategory",
1963
+ "children": [
1964
+ {
1965
+ "id": "privileged_user",
1966
+ "name": "Privileged User",
1967
+ "type": "variant",
1968
+ "priority": 1
1969
+ },
1970
+ {
1971
+ "id": "non_privileged_user",
1972
+ "name": "Non-Privileged User",
1973
+ "type": "variant",
1974
+ "priority": 2
1975
+ }
1976
+ ]
1977
+ },
1978
+ {
1979
+ "id": "weakness_in_firmware_updates",
1980
+ "name": "Weakness in Firmware Updates",
1981
+ "type": "subcategory",
1982
+ "children": [
1983
+ {
1984
+ "id": "firmware_cannot_be_updated",
1985
+ "name": "Firmware cannot be updated",
1986
+ "type": "variant",
1987
+ "priority": null
1988
+ },
1989
+ {
1990
+ "id": "firmware_does_not_validate_update_integrity",
1991
+ "name": "Firmware does not validate update integrity",
1992
+ "type": "variant",
1993
+ "priority": 3
1994
+ },
1995
+ {
1996
+ "id": "firmware_is_not_encrypted",
1997
+ "name": "Firmware is not encrypted",
1998
+ "type": "variant",
1999
+ "priority": 5
2000
+ }
2001
+ ]
2002
+ },
2003
+ {
2004
+ "id": "kiosk_escape_or_breakout",
2005
+ "name": "Kiosk Escape or Breakout",
2006
+ "type": "subcategory",
2007
+ "priority": null
2008
+ },
2009
+ {
2010
+ "id": "poorly_configured_disk_encryption",
2011
+ "name": "Poorly Configured Disk Encryption",
2012
+ "type": "subcategory",
2013
+ "priority": null
2014
+ },
2015
+ {
2016
+ "id": "shared_credentials_on_storage",
2017
+ "name": "Shared Credentials on Storage",
2018
+ "type": "subcategory",
2019
+ "priority": 3
2020
+ },
2021
+ {
2022
+ "id": "over_permissioned_credentials_on_storage",
2023
+ "name": "Over-Permissioned Credentials on Storage",
2024
+ "type": "subcategory",
2025
+ "priority": 2
2026
+ },
2027
+ {
2028
+ "id": "local_administrator_on_default_environment",
2029
+ "name": "Local Administrator on default environment",
2030
+ "type": "subcategory",
2031
+ "priority": 2
2032
+ },
2033
+ {
2034
+ "id": "poorly_configured_operating_system_security",
2035
+ "name": "Poorly Configured Operating System Security",
2036
+ "type": "subcategory",
2037
+ "priority": null
2038
+ },
2039
+ {
2040
+ "id": "recovery_of_disk_contains_sensitive_material",
2041
+ "name": "Recovery of Disk Contains Sensitive Material",
2042
+ "type": "subcategory",
2043
+ "priority": null
2044
+ },
2045
+ {
2046
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
2047
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
2048
+ "type": "subcategory",
2049
+ "priority": null
2050
+ },
2051
+ {
2052
+ "id": "data_not_encrypted_at_rest",
2053
+ "name": "Data not encrypted at rest",
2054
+ "type": "subcategory",
2055
+ "children": [
2056
+ {
2057
+ "id": "sensitive",
2058
+ "name": "Sensitive",
2059
+ "type": "variant",
2060
+ "priority": null
2061
+ },
2062
+ {
2063
+ "id": "non_sensitive",
2064
+ "name": "Non sensitive",
2065
+ "type": "variant",
2066
+ "priority": 5
2067
+ }
2068
+ ]
2069
+ }
2070
+ ]
2071
+ },
2072
+ {
2073
+ "id": "cryptographic_weakness",
2074
+ "name": "Cryptographic Weakness",
2075
+ "type": "category",
2076
+ "children": [
2077
+ {
2078
+ "id": "insufficient_entropy",
2079
+ "name": "Insufficient Entropy",
2080
+ "type": "subcategory",
2081
+ "children": [
2082
+ {
2083
+ "id": "limited_rng_entropy_source",
2084
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
2085
+ "type": "variant",
2086
+ "priority": 4
2087
+ },
2088
+ {
2089
+ "id": "use_of_trng_for_nonsecurity_purpose",
2090
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
2091
+ "type": "variant",
2092
+ "priority": 5
2093
+ },
2094
+ {
2095
+ "id": "prng_seed_reuse",
2096
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
2097
+ "type": "variant",
2098
+ "priority": 5
2099
+ },
2100
+ {
2101
+ "id": "predictable_prng_seed",
2102
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
2103
+ "type": "variant",
2104
+ "priority": 4
2105
+ },
2106
+ {
2107
+ "id": "small_seed_space_in_prng",
2108
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
2109
+ "type": "variant",
2110
+ "priority": 4
2111
+ },
2112
+ {
2113
+ "id": "initialization_vector_reuse",
2114
+ "name": "Initialization Vector (IV) Reuse",
2115
+ "type": "variant",
2116
+ "priority": 5
2117
+ },
2118
+ {
2119
+ "id": "predictable_initialization_vector",
2120
+ "name": "Predictable Initialization Vector (IV)",
2121
+ "type": "variant",
2122
+ "priority": 4
2123
+ }
2124
+ ]
2125
+ },
2126
+ {
2127
+ "id": "insecure_implementation",
2128
+ "name": "Insecure Implementation",
2129
+ "type": "subcategory",
2130
+ "children": [
2131
+ {
2132
+ "id": "missing_cryptographic_step",
2133
+ "name": "Missing Cryptographic Step",
2134
+ "type": "variant",
2135
+ "priority": null
2136
+ },
2137
+ {
2138
+ "id": "improper_following_of_specification",
2139
+ "name": "Improper Following of Specification (Other)",
2140
+ "type": "variant",
2141
+ "priority": null
2142
+ }
2143
+ ]
2144
+ },
2145
+ {
2146
+ "id": "weak_hash",
2147
+ "name": "Weak Hash",
2148
+ "type": "subcategory",
2149
+ "children": [
2150
+ {
2151
+ "id": "lack_of_salt",
2152
+ "name": "Lack of Salt",
2153
+ "type": "variant",
2154
+ "priority": null
2155
+ },
2156
+ {
2157
+ "id": "use_of_predictable_salt",
2158
+ "name": "Use of Predictable Salt",
2159
+ "type": "variant",
2160
+ "priority": 5
2161
+ },
2162
+ {
2163
+ "id": "predictable_hash_collision",
2164
+ "name": "Predictable Hash Collision",
2165
+ "type": "variant",
2166
+ "priority": null
2167
+ }
2168
+ ]
2169
+ },
2170
+ {
2171
+ "id": "insufficient_verification_of_data_authenticity",
2172
+ "name": "Insufficient Verification of Data Authenticity",
2173
+ "type": "subcategory",
2174
+ "children": [
2175
+ {
2176
+ "id": "identity_check_value",
2177
+ "name": "Integrity Check Value (ICV)",
2178
+ "type": "variant",
2179
+ "priority": 4
2180
+ },
2181
+ {
2182
+ "id": "cryptographic_signature",
2183
+ "name": "Cryptographic Signature",
2184
+ "type": "variant",
2185
+ "priority": null
2186
+ }
2187
+ ]
2188
+ },
2189
+ {
2190
+ "id": "insecure_key_generation",
2191
+ "name": "Insecure Key Generation",
2192
+ "type": "subcategory",
2193
+ "children": [
2194
+ {
2195
+ "id": "improper_asymmetric_prime_selection",
2196
+ "name": "Improper Asymmetric Prime Selection",
2197
+ "type": "variant",
2198
+ "priority": null
2199
+ },
2200
+ {
2201
+ "id": "improper_asymmetric_exponent_selection",
2202
+ "name": "Improper Asymmetric Exponent Selection",
2203
+ "type": "variant",
2204
+ "priority": null
2205
+ },
2206
+ {
2207
+ "id": "insufficient_key_stretching",
2208
+ "name": "Insufficient Key Stretching",
2209
+ "type": "variant",
2210
+ "priority": null
2211
+ },
2212
+ {
2213
+ "id": "insufficient_key_space",
2214
+ "name": "Insufficient Key Space",
2215
+ "type": "variant",
2216
+ "priority": 3
2217
+ },
2218
+ {
2219
+ "id": "key_exchange_without_entity_authentication",
2220
+ "name": "Key Exchage Without Entity Authentication",
2221
+ "type": "variant",
2222
+ "priority": 4
2223
+ }
2224
+ ]
2225
+ },
2226
+ {
2227
+ "id": "key_reuse",
2228
+ "name": "Key Reuse",
2229
+ "type": "subcategory",
2230
+ "children": [
2231
+ {
2232
+ "id": "lack_of_perfect_forward_secrecy",
2233
+ "name": "Lack of Perfect Forward Secrecy",
2234
+ "type": "variant",
2235
+ "priority": 4
2236
+ },
2237
+ {
2238
+ "id": "intra_environment",
2239
+ "name": "Intra-Environment",
2240
+ "type": "variant",
2241
+ "priority": 5
2242
+ },
2243
+ {
2244
+ "id": "inter_environment",
2245
+ "name": "Inter-Environment",
2246
+ "type": "variant",
2247
+ "priority": 2
2248
+ }
2249
+ ]
2250
+ },
2251
+ {
2252
+ "id": "broken_cryptography",
2253
+ "name": "Broken Cryptography",
2254
+ "type": "subcategory",
2255
+ "children": [
2256
+ {
2257
+ "id": "use_of_broken_cryptographic_primitive",
2258
+ "name": "Use of Broken Cryptographic Primitive",
2259
+ "type": "variant",
2260
+ "priority": 3
2261
+ },
2262
+ {
2263
+ "id": "use_of_vulnerable_cryptographic_library",
2264
+ "name": "Use of Vulnerable Cryptographic Library",
2265
+ "type": "variant",
2266
+ "priority": 4
2267
+ }
2268
+ ]
2269
+ },
2270
+ {
2271
+ "id": "side_channel_attack",
2272
+ "name": "Side-Channel Attack",
2273
+ "type": "subcategory",
2274
+ "children": [
2275
+ {
2276
+ "id": "padding_oracle_attack",
2277
+ "name": "Padding Oracle Attack",
2278
+ "type": "variant",
2279
+ "priority": 4
2280
+ },
2281
+ {
2282
+ "id": "timing_attack",
2283
+ "name": "Timing Attack",
2284
+ "type": "variant",
2285
+ "priority": 4
2286
+ },
2287
+ {
2288
+ "id": "power_analysis_attack",
2289
+ "name": "Power Analysis Attack",
2290
+ "type": "variant",
2291
+ "priority": 5
2292
+ },
2293
+ {
2294
+ "id": "emanations_attack",
2295
+ "name": "Emanations Attack",
2296
+ "type": "variant",
2297
+ "priority": 5
2298
+ },
2299
+ {
2300
+ "id": "differential_fault_analysis",
2301
+ "name": "Differential Fault Analysis",
2302
+ "type": "variant",
2303
+ "priority": null
2304
+ }
2305
+ ]
2306
+ },
2307
+ {
2308
+ "id": "use_of_expired_cryptographic_key_or_cert",
2309
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
2310
+ "type": "subcategory",
2311
+ "priority": 4
2312
+ },
2313
+ {
2314
+ "id": "incomplete_cleanup_of_keying_material",
2315
+ "name": "Incomplete Cleanup of Keying Material",
2316
+ "type": "subcategory",
2317
+ "priority": 5
2318
+ }
2319
+ ]
2320
+ },
2321
+ {
2322
+ "id": "privacy_concerns",
2323
+ "name": "Privacy Concerns",
2324
+ "type": "category",
2325
+ "children": [
2326
+ {
2327
+ "id": "unnecessary_data_collection",
2328
+ "name": "Unnecessary Data Collection",
2329
+ "type": "subcategory",
2330
+ "children": [
2331
+ {
2332
+ "id": "wifi_ssid_password",
2333
+ "name": "WiFi SSID+Password",
2334
+ "type": "variant",
2335
+ "priority": 4
2336
+ }
2337
+ ]
2338
+ }
2339
+ ]
2340
+ },
2341
+ {
2342
+ "id": "network_security_misconfiguration",
2343
+ "name": "Network Security Misconfiguration",
2344
+ "type": "category",
2345
+ "children": [
2346
+ {
2347
+ "id": "telnet_enabled",
2348
+ "name": "Telnet Enabled",
2349
+ "type": "subcategory",
2350
+ "priority": 5
2351
+ }
2352
+ ]
2353
+ },
2354
+ {
2355
+ "id": "mobile_security_misconfiguration",
2356
+ "name": "Mobile Security Misconfiguration",
2357
+ "type": "category",
2358
+ "children": [
2359
+ {
2360
+ "id": "ssl_certificate_pinning",
2361
+ "name": "SSL Certificate Pinning",
2362
+ "type": "subcategory",
2363
+ "children": [
2364
+ {
2365
+ "id": "absent",
2366
+ "name": "Absent",
2367
+ "type": "variant",
2368
+ "priority": 5
2369
+ },
2370
+ {
2371
+ "id": "defeatable",
2372
+ "name": "Defeatable",
2373
+ "type": "variant",
2374
+ "priority": 5
2375
+ }
2376
+ ]
2377
+ },
2378
+ {
2379
+ "id": "tapjacking",
2380
+ "name": "Tapjacking",
2381
+ "type": "subcategory",
2382
+ "priority": 5
2383
+ },
2384
+ {
2385
+ "id": "clipboard_enabled",
2386
+ "name": "Clipboard Enabled",
2387
+ "type": "subcategory",
2388
+ "priority": 5
2389
+ },
2390
+ {
2391
+ "id": "auto_backup_allowed_by_default",
2392
+ "name": "Auto Backup Allowed by Default",
2393
+ "type": "subcategory",
2394
+ "priority": 5
2395
+ }
2396
+ ]
2397
+ },
2398
+ {
2399
+ "id": "client_side_injection",
2400
+ "name": "Client-Side Injection",
2401
+ "type": "category",
2402
+ "children": [
2403
+ {
2404
+ "id": "binary_planting",
2405
+ "name": "Binary Planting",
2406
+ "type": "subcategory",
2407
+ "children": [
2408
+ {
2409
+ "id": "privilege_escalation",
2410
+ "name": "Default Folder Privilege Escalation",
2411
+ "type": "variant",
2412
+ "priority": 3
2413
+ },
2414
+ {
2415
+ "id": "non_default_folder_privilege_escalation",
2416
+ "name": "Non-Default Folder Privilege Escalation",
2417
+ "type": "variant",
2418
+ "priority": 5
2419
+ },
2420
+ {
2421
+ "id": "no_privilege_escalation",
2422
+ "name": "No Privilege Escalation",
2423
+ "type": "variant",
2424
+ "priority": 5
2425
+ }
2426
+ ]
2427
+ }
2428
+ ]
2429
+ },
2430
+ {
2431
+ "id": "automotive_security_misconfiguration",
2432
+ "name": "Automotive Security Misconfiguration",
2433
+ "type": "category",
2434
+ "children": [
2435
+ {
2436
+ "id": "infotainment_radio_head_unit",
2437
+ "name": "Infotainment, Radio Head Unit",
2438
+ "type": "subcategory",
2439
+ "children": [
2440
+ {
2441
+ "id": "sensitive_data_leakage_exposure",
2442
+ "name": "Sensitive data Leakage/Exposure",
2443
+ "type": "variant",
2444
+ "priority": 1
2445
+ },
2446
+ {
2447
+ "id": "ota_firmware_manipulation",
2448
+ "name": "OTA Firmware Manipulation",
2449
+ "type": "variant",
2450
+ "priority": 2
2451
+ },
2452
+ {
2453
+ "id": "code_execution_can_bus_pivot",
2454
+ "name": "Code Execution (CAN Bus Pivot)",
2455
+ "type": "variant",
2456
+ "priority": 2
2457
+ },
2458
+ {
2459
+ "id": "code_execution_no_can_bus_pivot",
2460
+ "name": "Code Execution (No CAN Bus Pivot)",
2461
+ "type": "variant",
2462
+ "priority": 3
2463
+ },
2464
+ {
2465
+ "id": "unauthorized_access_to_services",
2466
+ "name": "Unauthorized Access to Services (API / Endpoints)",
2467
+ "type": "variant",
2468
+ "priority": 3
2469
+ },
2470
+ {
2471
+ "id": "source_code_dump",
2472
+ "name": "Source Code Dump",
2473
+ "type": "variant",
2474
+ "priority": 4
2475
+ },
2476
+ {
2477
+ "id": "dos_brick",
2478
+ "name": "Denial of Service (DoS / Brick)",
2479
+ "type": "variant",
2480
+ "priority": 4
2481
+ },
2482
+ {
2483
+ "id": "default_credentials",
2484
+ "name": "Default Credentials",
2485
+ "type": "variant",
2486
+ "priority": 4
2487
+ }
2488
+ ]
2489
+ },
2490
+ {
2491
+ "id": "rf_hub",
2492
+ "name": "RF Hub",
2493
+ "type": "subcategory",
2494
+ "children": [
2495
+ {
2496
+ "id": "key_fob_cloning",
2497
+ "name": "Key Fob Cloning",
2498
+ "type": "variant",
2499
+ "priority": 1
2500
+ },
2501
+ {
2502
+ "id": "can_injection_interaction",
2503
+ "name": "CAN Injection / Interaction",
2504
+ "type": "variant",
2505
+ "priority": 2
2506
+ },
2507
+ {
2508
+ "id": "data_leakage_pull_encryption_mechanism",
2509
+ "name": "Data Leakage / Pull Encryption Mechanism",
2510
+ "type": "variant",
2511
+ "priority": 3
2512
+ },
2513
+ {
2514
+ "id": "unauthorized_access_turn_on",
2515
+ "name": "Unauthorized Access / Turn On",
2516
+ "type": "variant",
2517
+ "priority": 4
2518
+ },
2519
+ {
2520
+ "id": "roll_jam",
2521
+ "name": "Roll Jam",
2522
+ "type": "variant",
2523
+ "priority": 5
2524
+ },
2525
+ {
2526
+ "id": "replay",
2527
+ "name": "Replay",
2528
+ "type": "variant",
2529
+ "priority": 5
2530
+ },
2531
+ {
2532
+ "id": "relay",
2533
+ "name": "Relay",
2534
+ "type": "variant",
2535
+ "priority": 5
2536
+ }
2537
+ ]
2538
+ },
2539
+ {
2540
+ "id": "can",
2541
+ "name": "CAN",
2542
+ "type": "subcategory",
2543
+ "children": [
2544
+ {
2545
+ "id": "injection_battery_management_system",
2546
+ "name": "Injection (Battery Management System)",
2547
+ "type": "variant",
2548
+ "priority": 3
2549
+ },
2550
+ {
2551
+ "id": "injection_steering_control",
2552
+ "name": "Injection (Steering Control)",
2553
+ "type": "variant",
2554
+ "priority": 3
2555
+ },
2556
+ {
2557
+ "id": "injection_pyrotechnical_device_deployment_tool",
2558
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
2559
+ "type": "variant",
2560
+ "priority": 3
2561
+ },
2562
+ {
2563
+ "id": "injection_headlights",
2564
+ "name": "Injection (Headlights)",
2565
+ "type": "variant",
2566
+ "priority": 3
2567
+ },
2568
+ {
2569
+ "id": "injection_sensors",
2570
+ "name": "Injection (Sensors)",
2571
+ "type": "variant",
2572
+ "priority": 3
2573
+ },
2574
+ {
2575
+ "id": "injection_vehicle_anti_theft_systems",
2576
+ "name": "Injection (Vehicle Anti-theft Systems)",
2577
+ "type": "variant",
2578
+ "priority": 3
2579
+ },
2580
+ {
2581
+ "id": "injection_powertrain",
2582
+ "name": "Injection (Powertrain)",
2583
+ "type": "variant",
2584
+ "priority": 3
2585
+ },
2586
+ {
2587
+ "id": "injection_basic_safety_message",
2588
+ "name": "Injection (Basic Safety Message)",
2589
+ "type": "variant",
2590
+ "priority": 3
2591
+ },
2592
+ {
2593
+ "id": "injection_disallowed_messages",
2594
+ "name": "Injection (Disallowed Messages)",
2595
+ "type": "variant",
2596
+ "priority": 4
2597
+ },
2598
+ {
2599
+ "id": "injection_dos",
2600
+ "name": "Injection (DoS)",
2601
+ "type": "variant",
2602
+ "priority": 4
2603
+ }
2604
+ ]
2605
+ },
2606
+ {
2607
+ "id": "battery_management_system",
2608
+ "name": "Battery Management System",
2609
+ "type": "subcategory",
2610
+ "children": [
2611
+ {
2612
+ "id": "firmware_dump",
2613
+ "name": "Firmware Dump",
2614
+ "type": "variant",
2615
+ "priority": 3
2616
+ },
2617
+ {
2618
+ "id": "fraudulent_interface",
2619
+ "name": "Fraudulent Interface",
2620
+ "type": "variant",
2621
+ "priority": 4
2622
+ }
2623
+ ]
2624
+ },
2625
+ {
2626
+ "id": "gnss_gps",
2627
+ "name": "GNSS / GPS",
2628
+ "type": "subcategory",
2629
+ "children": [
2630
+ {
2631
+ "id": "spoofing",
2632
+ "name": "Spoofing",
2633
+ "type": "variant",
2634
+ "priority": 4
2635
+ }
2636
+ ]
2637
+ },
2638
+ {
2639
+ "id": "immobilizer",
2640
+ "name": "Immobilizer",
2641
+ "type": "subcategory",
2642
+ "children": [
2643
+ {
2644
+ "id": "engine_start",
2645
+ "name": "Engine Start",
2646
+ "type": "variant",
2647
+ "priority": 3
2648
+ }
2649
+ ]
2650
+ },
2651
+ {
2652
+ "id": "abs",
2653
+ "name": "Automatic Braking System (ABS)",
2654
+ "type": "subcategory",
2655
+ "children": [
2656
+ {
2657
+ "id": "unintended_acceleration_brake",
2658
+ "name": "Unintended Acceleration / Brake",
2659
+ "type": "variant",
2660
+ "priority": 3
2661
+ }
2662
+ ]
2663
+ },
2664
+ {
2665
+ "id": "rsu",
2666
+ "name": "Roadside Unit (RSU)",
2667
+ "type": "subcategory",
2668
+ "children": [
2669
+ {
2670
+ "id": "sybil_attack",
2671
+ "name": "Sybil Attack",
2672
+ "type": "variant",
2673
+ "priority": 4
2674
+ }
2675
+ ]
2676
+ }
2677
+ ]
2678
+ },
2679
+ {
2680
+ "id": "ai_application_security",
2681
+ "name": "AI Application Security",
2682
+ "type": "category",
2683
+ "children": [
2684
+ {
2685
+ "id": "llm_security",
2686
+ "name": "Large Language Model (LLM) Security",
2687
+ "type": "subcategory",
2688
+ "children": [
2689
+ {
2690
+ "id": "prompt_injection",
2691
+ "name": "Prompt Injection",
2692
+ "type": "variant",
2693
+ "priority": 1
2694
+ },
2695
+ {
2696
+ "id": "llm_output_handling",
2697
+ "name": "LLM Output Handling",
2698
+ "type": "variant",
2699
+ "priority": 1
2700
+ },
2701
+ {
2702
+ "id": "training_data_poisoning",
2703
+ "name": "Training Data Poisoning",
2704
+ "type": "variant",
2705
+ "priority": 1
2706
+ },
2707
+ {
2708
+ "id": "excessive_agency_permission_manipulation",
2709
+ "name": "Excessive Agency/Permission Manipulation",
2710
+ "type": "variant",
2711
+ "priority": 2
2712
+ }
2713
+ ]
2714
+ }
2715
+ ]
2716
+ },
2717
+ {
2718
+ "id": "indicators_of_compromise",
2719
+ "name": "Indicators of Compromise",
2720
+ "type": "category",
2721
+ "priority": null
2722
+ }
2723
+ ]
2724
+ }