vrt 0.13.1 → 0.13.2

@@ -0,0 +1,2724 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2024-10-25T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "server_side_request_forgery_ssrf",
13
+ "name": "Server-Side Request Forgery (SSRF)",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "internal_high_impact",
18
+ "name": "Internal High Impact",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "internal_scan_and_or_medium_impact",
24
+ "name": "Internal Scan and/or Medium Impact",
25
+ "type": "variant",
26
+ "priority": 3
27
+ },
28
+ {
29
+ "id": "external_low_impact",
30
+ "name": "External - Low impact",
31
+ "type": "variant",
32
+ "priority": 5
33
+ },
34
+ {
35
+ "id": "external_dns_query_only",
36
+ "name": "External - DNS Query Only",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "unsafe_cross_origin_resource_sharing",
44
+ "name": "Unsafe Cross-Origin Resource Sharing",
45
+ "type": "subcategory",
46
+ "priority": null
47
+ },
48
+ {
49
+ "id": "request_smuggling",
50
+ "name": "HTTP Request Smuggling",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "path_traversal",
56
+ "name": "Path Traversal",
57
+ "type": "subcategory",
58
+ "priority": null
59
+ },
60
+ {
61
+ "id": "directory_listing_enabled",
62
+ "name": "Directory Listing Enabled",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "sensitive_data_exposure",
67
+ "name": "Sensitive Data Exposure",
68
+ "type": "variant",
69
+ "priority": null
70
+ },
71
+ {
72
+ "id": "non_sensitive_data_exposure",
73
+ "name": "Non-Sensitive Data Exposure",
74
+ "type": "variant",
75
+ "priority": 5
76
+ }
77
+ ]
78
+ },
79
+ {
80
+ "id": "same_site_scripting",
81
+ "name": "Same-Site Scripting",
82
+ "type": "subcategory",
83
+ "priority": 5
84
+ },
85
+ {
86
+ "id": "ssl_attack_breach_poodle_etc",
87
+ "name": "SSL Attack (BREACH, POODLE etc.)",
88
+ "type": "subcategory",
89
+ "priority": null
90
+ },
91
+ {
92
+ "id": "using_default_credentials",
93
+ "name": "Using Default Credentials",
94
+ "type": "subcategory",
95
+ "priority": 1
96
+ },
97
+ {
98
+ "id": "misconfigured_dns",
99
+ "name": "Misconfigured DNS",
100
+ "type": "subcategory",
101
+ "children": [
102
+ {
103
+ "id": "subdomain_takeover",
104
+ "name": "Subdomain Takeover",
105
+ "type": "variant",
106
+ "priority": 3
107
+ },
108
+ {
109
+ "id": "zone_transfer",
110
+ "name": "Zone Transfer",
111
+ "type": "variant",
112
+ "priority": 4
113
+ },
114
+ {
115
+ "id": "missing_caa_record",
116
+ "name": "Missing Certification Authority Authorization (CAA) Record",
117
+ "type": "variant",
118
+ "priority": 5
119
+ }
120
+ ]
121
+ },
122
+ {
123
+ "id": "mail_server_misconfiguration",
124
+ "name": "Mail Server Misconfiguration",
125
+ "type": "subcategory",
126
+ "children": [
127
+ {
128
+ "id": "no_spoofing_protection_on_email_domain",
129
+ "name": "No Spoofing Protection on Email Domain",
130
+ "type": "variant",
131
+ "priority": 3
132
+ },
133
+ {
134
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
135
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
136
+ "type": "variant",
137
+ "priority": 4
138
+ },
139
+ {
140
+ "id": "email_spoofing_to_spam_folder",
141
+ "name": "Email Spoofing to Spam Folder",
142
+ "type": "variant",
143
+ "priority": 5
144
+ },
145
+ {
146
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
147
+ "name": "Missing or Misconfigured SPF and/or DKIM",
148
+ "type": "variant",
149
+ "priority": 5
150
+ },
151
+ {
152
+ "id": "email_spoofing_on_non_email_domain",
153
+ "name": "Email Spoofing on Non-Email Domain",
154
+ "type": "variant",
155
+ "priority": 5
156
+ }
157
+ ]
158
+ },
159
+ {
160
+ "id": "dbms_misconfiguration",
161
+ "name": "Database Management System (DBMS) Misconfiguration",
162
+ "type": "subcategory",
163
+ "children": [
164
+ {
165
+ "id": "excessively_privileged_user_dba",
166
+ "name": "Excessively Privileged User / DBA",
167
+ "type": "variant",
168
+ "priority": 4
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "lack_of_password_confirmation",
174
+ "name": "Lack of Password Confirmation",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "change_email_address",
179
+ "name": "Change Email Address",
180
+ "type": "variant",
181
+ "priority": 5
182
+ },
183
+ {
184
+ "id": "change_password",
185
+ "name": "Change Password",
186
+ "type": "variant",
187
+ "priority": 5
188
+ },
189
+ {
190
+ "id": "delete_account",
191
+ "name": "Delete Account",
192
+ "type": "variant",
193
+ "priority": 4
194
+ },
195
+ {
196
+ "id": "manage_two_fa",
197
+ "name": "Manage 2FA",
198
+ "type": "variant",
199
+ "priority": 5
200
+ }
201
+ ]
202
+ },
203
+ {
204
+ "id": "no_rate_limiting_on_form",
205
+ "name": "No Rate Limiting on Form",
206
+ "type": "subcategory",
207
+ "children": [
208
+ {
209
+ "id": "registration",
210
+ "name": "Registration",
211
+ "type": "variant",
212
+ "priority": 4
213
+ },
214
+ {
215
+ "id": "login",
216
+ "name": "Login",
217
+ "type": "variant",
218
+ "priority": 4
219
+ },
220
+ {
221
+ "id": "email_triggering",
222
+ "name": "Email-Triggering",
223
+ "type": "variant",
224
+ "priority": 4
225
+ },
226
+ {
227
+ "id": "sms_triggering",
228
+ "name": "SMS-Triggering",
229
+ "type": "variant",
230
+ "priority": 4
231
+ },
232
+ {
233
+ "id": "change_password",
234
+ "name": "Change Password",
235
+ "type": "variant",
236
+ "priority": 5
237
+ }
238
+ ]
239
+ },
240
+ {
241
+ "id": "unsafe_file_upload",
242
+ "name": "Unsafe File Upload",
243
+ "type": "subcategory",
244
+ "children": [
245
+ {
246
+ "id": "no_antivirus",
247
+ "name": "No Antivirus",
248
+ "type": "variant",
249
+ "priority": 5
250
+ },
251
+ {
252
+ "id": "no_size_limit",
253
+ "name": "No Size Limit",
254
+ "type": "variant",
255
+ "priority": 5
256
+ },
257
+ {
258
+ "id": "file_extension_filter_bypass",
259
+ "name": "File Extension Filter Bypass",
260
+ "type": "variant",
261
+ "priority": 5
262
+ }
263
+ ]
264
+ },
265
+ {
266
+ "id": "cookie_scoped_to_parent_domain",
267
+ "name": "Cookie Scoped to Parent Domain",
268
+ "type": "subcategory",
269
+ "priority": 5
270
+ },
271
+ {
272
+ "id": "missing_secure_or_httponly_cookie_flag",
273
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
274
+ "type": "subcategory",
275
+ "children": [
276
+ {
277
+ "id": "session_token",
278
+ "name": "Session Token",
279
+ "type": "variant",
280
+ "priority": 4
281
+ },
282
+ {
283
+ "id": "non_session_cookie",
284
+ "name": "Non-Session Cookie",
285
+ "type": "variant",
286
+ "priority": 5
287
+ }
288
+ ]
289
+ },
290
+ {
291
+ "id": "clickjacking",
292
+ "name": "Clickjacking",
293
+ "type": "subcategory",
294
+ "children": [
295
+ {
296
+ "id": "sensitive_action",
297
+ "name": "Sensitive Click-Based Action",
298
+ "type": "variant",
299
+ "priority": 4
300
+ },
301
+ {
302
+ "id": "form_input",
303
+ "name": "Form Input",
304
+ "type": "variant",
305
+ "priority": 5
306
+ },
307
+ {
308
+ "id": "non_sensitive_action",
309
+ "name": "Non-Sensitive Action",
310
+ "type": "variant",
311
+ "priority": 5
312
+ }
313
+ ]
314
+ },
315
+ {
316
+ "id": "oauth_misconfiguration",
317
+ "name": "OAuth Misconfiguration",
318
+ "type": "subcategory",
319
+ "children": [
320
+ {
321
+ "id": "account_takeover",
322
+ "name": "Account Takeover",
323
+ "type": "variant",
324
+ "priority": 2
325
+ },
326
+ {
327
+ "id": "account_squatting",
328
+ "name": "Account Squatting",
329
+ "type": "variant",
330
+ "priority": 4
331
+ },
332
+ {
333
+ "id": "missing_state_parameter",
334
+ "name": "Missing/Broken State Parameter",
335
+ "type": "variant",
336
+ "priority": null
337
+ },
338
+ {
339
+ "id": "insecure_redirect_uri",
340
+ "name": "Insecure Redirect URI",
341
+ "type": "variant",
342
+ "priority": null
343
+ }
344
+ ]
345
+ },
346
+ {
347
+ "id": "captcha",
348
+ "name": "CAPTCHA",
349
+ "type": "subcategory",
350
+ "children": [
351
+ {
352
+ "id": "implementation_vulnerability",
353
+ "name": "Implementation Vulnerability",
354
+ "type": "variant",
355
+ "priority": 4
356
+ },
357
+ {
358
+ "id": "brute_force",
359
+ "name": "Brute Force",
360
+ "type": "variant",
361
+ "priority": 5
362
+ },
363
+ {
364
+ "id": "missing",
365
+ "name": "Missing",
366
+ "type": "variant",
367
+ "priority": 5
368
+ }
369
+ ]
370
+ },
371
+ {
372
+ "id": "exposed_admin_portal",
373
+ "name": "Exposed Admin Portal",
374
+ "type": "subcategory",
375
+ "children": [
376
+ {
377
+ "id": "to_internet",
378
+ "name": "To Internet",
379
+ "type": "variant",
380
+ "priority": 5
381
+ }
382
+ ]
383
+ },
384
+ {
385
+ "id": "missing_dnssec",
386
+ "name": "Missing DNSSEC",
387
+ "type": "subcategory",
388
+ "priority": 5
389
+ },
390
+ {
391
+ "id": "fingerprinting_banner_disclosure",
392
+ "name": "Fingerprinting/Banner Disclosure",
393
+ "type": "subcategory",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "username_enumeration",
398
+ "name": "Username/Email Enumeration",
399
+ "type": "subcategory",
400
+ "children": [
401
+ {
402
+ "id": "brute_force",
403
+ "name": "Brute Force",
404
+ "type": "variant",
405
+ "priority": 5
406
+ }
407
+ ]
408
+ },
409
+ {
410
+ "id": "potentially_unsafe_http_method_enabled",
411
+ "name": "Potentially Unsafe HTTP Method Enabled",
412
+ "type": "subcategory",
413
+ "children": [
414
+ {
415
+ "id": "options",
416
+ "name": "OPTIONS",
417
+ "type": "variant",
418
+ "priority": 5
419
+ },
420
+ {
421
+ "id": "trace",
422
+ "name": "TRACE",
423
+ "type": "variant",
424
+ "priority": 5
425
+ }
426
+ ]
427
+ },
428
+ {
429
+ "id": "insecure_ssl",
430
+ "name": "Insecure SSL",
431
+ "type": "subcategory",
432
+ "children": [
433
+ {
434
+ "id": "lack_of_forward_secrecy",
435
+ "name": "Lack of Forward Secrecy",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "insecure_cipher_suite",
441
+ "name": "Insecure Cipher Suite",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "certificate_error",
447
+ "name": "Certificate Error",
448
+ "type": "variant",
449
+ "priority": 5
450
+ }
451
+ ]
452
+ },
453
+ {
454
+ "id": "rfd",
455
+ "name": "Reflected File Download (RFD)",
456
+ "type": "subcategory",
457
+ "priority": 5
458
+ },
459
+ {
460
+ "id": "lack_of_security_headers",
461
+ "name": "Lack of Security Headers",
462
+ "type": "subcategory",
463
+ "children": [
464
+ {
465
+ "id": "x_frame_options",
466
+ "name": "X-Frame-Options",
467
+ "type": "variant",
468
+ "priority": 5
469
+ },
470
+ {
471
+ "id": "cache_control_for_a_non_sensitive_page",
472
+ "name": "Cache-Control for a Non-Sensitive Page",
473
+ "type": "variant",
474
+ "priority": 5
475
+ },
476
+ {
477
+ "id": "x_xss_protection",
478
+ "name": "X-XSS-Protection",
479
+ "type": "variant",
480
+ "priority": 5
481
+ },
482
+ {
483
+ "id": "strict_transport_security",
484
+ "name": "Strict-Transport-Security",
485
+ "type": "variant",
486
+ "priority": 5
487
+ },
488
+ {
489
+ "id": "x_content_type_options",
490
+ "name": "X-Content-Type-Options",
491
+ "type": "variant",
492
+ "priority": 5
493
+ },
494
+ {
495
+ "id": "content_security_policy",
496
+ "name": "Content-Security-Policy",
497
+ "type": "variant",
498
+ "priority": 5
499
+ },
500
+ {
501
+ "id": "public_key_pins",
502
+ "name": "Public-Key-Pins",
503
+ "type": "variant",
504
+ "priority": 5
505
+ },
506
+ {
507
+ "id": "x_content_security_policy",
508
+ "name": "X-Content-Security-Policy",
509
+ "type": "variant",
510
+ "priority": 5
511
+ },
512
+ {
513
+ "id": "x_webkit_csp",
514
+ "name": "X-Webkit-CSP",
515
+ "type": "variant",
516
+ "priority": 5
517
+ },
518
+ {
519
+ "id": "content_security_policy_report_only",
520
+ "name": "Content-Security-Policy-Report-Only",
521
+ "type": "variant",
522
+ "priority": 5
523
+ },
524
+ {
525
+ "id": "cache_control_for_a_sensitive_page",
526
+ "name": "Cache-Control for a Sensitive Page",
527
+ "type": "variant",
528
+ "priority": 4
529
+ }
530
+ ]
531
+ },
532
+ {
533
+ "id": "waf_bypass",
534
+ "name": "Web Application Firewall (WAF) Bypass",
535
+ "type": "subcategory",
536
+ "children": [
537
+ {
538
+ "id": "direct_server_access",
539
+ "name": "Direct Server Access",
540
+ "type": "variant",
541
+ "priority": 4
542
+ }
543
+ ]
544
+ },
545
+ {
546
+ "id": "race_condition",
547
+ "name": "Race Condition",
548
+ "type": "subcategory",
549
+ "priority": null
550
+ },
551
+ {
552
+ "id": "email_verification_bypass",
553
+ "name": "Email Verification Bypass",
554
+ "type": "subcategory",
555
+ "priority": 5
556
+ },
557
+ {
558
+ "id": "missing_subresource_integrity",
559
+ "name": "Missing Subresource Integrity",
560
+ "type": "subcategory",
561
+ "priority": 5
562
+ },
563
+ {
564
+ "id": "software_package_takeover",
565
+ "name": "Software Package Takeover",
566
+ "type": "subcategory",
567
+ "priority": null
568
+ },
569
+ {
570
+ "id": "cache_poisoning",
571
+ "name": "Cache Poisoning",
572
+ "type": "subcategory",
573
+ "priority": null
574
+ },
575
+ {
576
+ "id": "bitsquatting",
577
+ "name": "Bitsquatting",
578
+ "type": "subcategory",
579
+ "priority": 5
580
+ }
581
+ ]
582
+ },
583
+ {
584
+ "id": "server_side_injection",
585
+ "name": "Server-Side Injection",
586
+ "type": "category",
587
+ "children": [
588
+ {
589
+ "id": "file_inclusion",
590
+ "name": "File Inclusion",
591
+ "type": "subcategory",
592
+ "children": [
593
+ {
594
+ "id": "local",
595
+ "name": "Local",
596
+ "type": "variant",
597
+ "priority": 1
598
+ }
599
+ ]
600
+ },
601
+ {
602
+ "id": "parameter_pollution",
603
+ "name": "Parameter Pollution",
604
+ "type": "subcategory",
605
+ "children": [
606
+ {
607
+ "id": "social_media_sharing_buttons",
608
+ "name": "Social Media Sharing Buttons",
609
+ "type": "variant",
610
+ "priority": 5
611
+ }
612
+ ]
613
+ },
614
+ {
615
+ "id": "remote_code_execution_rce",
616
+ "name": "Remote Code Execution (RCE)",
617
+ "type": "subcategory",
618
+ "priority": 1
619
+ },
620
+ {
621
+ "id": "ldap_injection",
622
+ "name": "LDAP Injection",
623
+ "type": "subcategory",
624
+ "priority": null
625
+ },
626
+ {
627
+ "id": "sql_injection",
628
+ "name": "SQL Injection",
629
+ "type": "subcategory",
630
+ "priority": 1
631
+ },
632
+ {
633
+ "id": "xml_external_entity_injection_xxe",
634
+ "name": "XML External Entity Injection (XXE)",
635
+ "type": "subcategory",
636
+ "priority": 1
637
+ },
638
+ {
639
+ "id": "http_response_manipulation",
640
+ "name": "HTTP Response Manipulation",
641
+ "type": "subcategory",
642
+ "children": [
643
+ {
644
+ "id": "response_splitting_crlf",
645
+ "name": "Response Splitting (CRLF)",
646
+ "type": "variant",
647
+ "priority": 3
648
+ }
649
+ ]
650
+ },
651
+ {
652
+ "id": "content_spoofing",
653
+ "name": "Content Spoofing",
654
+ "type": "subcategory",
655
+ "children": [
656
+ {
657
+ "id": "iframe_injection",
658
+ "name": "iframe Injection",
659
+ "type": "variant",
660
+ "priority": 3
661
+ },
662
+ {
663
+ "id": "impersonation_via_broken_link_hijacking",
664
+ "name": "Impersonation via Broken Link Hijacking",
665
+ "type": "variant",
666
+ "priority": 4
667
+ },
668
+ {
669
+ "id": "external_authentication_injection",
670
+ "name": "External Authentication Injection",
671
+ "type": "variant",
672
+ "priority": 4
673
+ },
674
+ {
675
+ "id": "flash_based_external_authentication_injection",
676
+ "name": "Flash Based External Authentication Injection",
677
+ "type": "variant",
678
+ "priority": 5
679
+ },
680
+ {
681
+ "id": "html_content_injection",
682
+ "name": "HTML Content Injection",
683
+ "type": "variant",
684
+ "priority": 5
685
+ },
686
+ {
687
+ "id": "email_html_injection",
688
+ "name": "Email HTML Injection",
689
+ "type": "variant",
690
+ "priority": 4
691
+ },
692
+ {
693
+ "id": "email_hyperlink_injection_based_on_email_provider",
694
+ "name": "Email Hyperlink Injection Based on Email Provider",
695
+ "type": "variant",
696
+ "priority": 5
697
+ },
698
+ {
699
+ "id": "text_injection",
700
+ "name": "Text Injection",
701
+ "type": "variant",
702
+ "priority": 5
703
+ },
704
+ {
705
+ "id": "homograph_idn_based",
706
+ "name": "Homograph/IDN-Based",
707
+ "type": "variant",
708
+ "priority": 5
709
+ },
710
+ {
711
+ "id": "rtlo",
712
+ "name": "Right-to-Left Override (RTLO)",
713
+ "type": "variant",
714
+ "priority": 5
715
+ }
716
+ ]
717
+ },
718
+ {
719
+ "id": "ssti",
720
+ "name": "Server-Side Template Injection (SSTI)",
721
+ "type": "subcategory",
722
+ "children": [
723
+ {
724
+ "id": "basic",
725
+ "name": "Basic",
726
+ "type": "variant",
727
+ "priority": 4
728
+ },
729
+ {
730
+ "id": "custom",
731
+ "name": "Custom",
732
+ "type": "variant",
733
+ "priority": null
734
+ }
735
+ ]
736
+ }
737
+ ]
738
+ },
739
+ {
740
+ "id": "broken_authentication_and_session_management",
741
+ "name": "Broken Authentication and Session Management",
742
+ "type": "category",
743
+ "children": [
744
+ {
745
+ "id": "authentication_bypass",
746
+ "name": "Authentication Bypass",
747
+ "type": "subcategory",
748
+ "priority": 1
749
+ },
750
+ {
751
+ "id": "two_fa_bypass",
752
+ "name": "Second Factor Authentication (2FA) Bypass",
753
+ "type": "subcategory",
754
+ "priority": 3
755
+ },
756
+ {
757
+ "id": "cleartext_transmission_of_session_token",
758
+ "name": "Cleartext Transmission of Session Token",
759
+ "type": "subcategory",
760
+ "priority": 4
761
+ },
762
+ {
763
+ "id": "weak_login_function",
764
+ "name": "Weak Login Function",
765
+ "type": "subcategory",
766
+ "children": [
767
+ {
768
+ "id": "not_operational",
769
+ "name": "Not Operational or Intended Public Access",
770
+ "type": "variant",
771
+ "priority": 5
772
+ },
773
+ {
774
+ "id": "other_plaintext_protocol_no_secure_alternative",
775
+ "name": "Other Plaintext Protocol with no Secure Alternative",
776
+ "type": "variant",
777
+ "priority": 4
778
+ },
779
+ {
780
+ "id": "over_http",
781
+ "name": "Over HTTP",
782
+ "type": "variant",
783
+ "priority": 4
784
+ }
785
+ ]
786
+ },
787
+ {
788
+ "id": "session_fixation",
789
+ "name": "Session Fixation",
790
+ "type": "subcategory",
791
+ "children": [
792
+ {
793
+ "id": "remote_attack_vector",
794
+ "name": "Remote Attack Vector",
795
+ "type": "variant",
796
+ "priority": 3
797
+ },
798
+ {
799
+ "id": "local_attack_vector",
800
+ "name": "Local Attack Vector",
801
+ "type": "variant",
802
+ "priority": 5
803
+ }
804
+ ]
805
+ },
806
+ {
807
+ "id": "failure_to_invalidate_session",
808
+ "name": "Failure to Invalidate Session",
809
+ "type": "subcategory",
810
+ "children": [
811
+ {
812
+ "id": "on_logout",
813
+ "name": "On Logout (Client and Server-Side)",
814
+ "type": "variant",
815
+ "priority": 4
816
+ },
817
+ {
818
+ "id": "permission_change",
819
+ "name": "On Permission Change",
820
+ "type": "variant",
821
+ "priority": null
822
+ },
823
+ {
824
+ "id": "on_logout_server_side_only",
825
+ "name": "On Logout (Server-Side Only)",
826
+ "type": "variant",
827
+ "priority": 5
828
+ },
829
+ {
830
+ "id": "on_password_change",
831
+ "name": "On Password Reset and/or Change",
832
+ "type": "variant",
833
+ "priority": 4
834
+ },
835
+ {
836
+ "id": "all_sessions",
837
+ "name": "Concurrent Sessions On Logout",
838
+ "type": "variant",
839
+ "priority": 5
840
+ },
841
+ {
842
+ "id": "on_email_change",
843
+ "name": "On Email Change",
844
+ "type": "variant",
845
+ "priority": 5
846
+ },
847
+ {
848
+ "id": "on_two_fa_activation_change",
849
+ "name": "On 2FA Activation/Change",
850
+ "type": "variant",
851
+ "priority": 5
852
+ },
853
+ {
854
+ "id": "long_timeout",
855
+ "name": "Long Timeout",
856
+ "type": "variant",
857
+ "priority": 5
858
+ }
859
+ ]
860
+ },
861
+ {
862
+ "id": "concurrent_logins",
863
+ "name": "Concurrent Logins",
864
+ "type": "subcategory",
865
+ "priority": 5
866
+ },
867
+ {
868
+ "id": "weak_registration_implementation",
869
+ "name": "Weak Registration Implementation",
870
+ "type": "subcategory",
871
+ "children": [
872
+ {
873
+ "id": "over_http",
874
+ "name": "Over HTTP",
875
+ "type": "variant",
876
+ "priority": 4
877
+ }
878
+ ]
879
+ }
880
+ ]
881
+ },
882
+ {
883
+ "id": "sensitive_data_exposure",
884
+ "name": "Sensitive Data Exposure",
885
+ "type": "category",
886
+ "children": [
887
+ {
888
+ "id": "disclosure_of_secrets",
889
+ "name": "Disclosure of Secrets",
890
+ "type": "subcategory",
891
+ "children": [
892
+ {
893
+ "id": "for_publicly_accessible_asset",
894
+ "name": "For Publicly Accessible Asset",
895
+ "type": "variant",
896
+ "priority": 1
897
+ },
898
+ {
899
+ "id": "pii_leakage_exposure",
900
+ "name": "PII Leakage/Exposure",
901
+ "type": "variant",
902
+ "priority": null
903
+ },
904
+ {
905
+ "id": "for_internal_asset",
906
+ "name": "For Internal Asset",
907
+ "type": "variant",
908
+ "priority": 3
909
+ },
910
+ {
911
+ "id": "pay_per_use_abuse",
912
+ "name": "Pay-Per-Use Abuse",
913
+ "type": "variant",
914
+ "priority": 4
915
+ },
916
+ {
917
+ "id": "intentionally_public_sample_or_invalid",
918
+ "name": "Intentionally Public, Sample or Invalid",
919
+ "type": "variant",
920
+ "priority": 5
921
+ },
922
+ {
923
+ "id": "data_traffic_spam",
924
+ "name": "Data/Traffic Spam",
925
+ "type": "variant",
926
+ "priority": 5
927
+ },
928
+ {
929
+ "id": "non_corporate_user",
930
+ "name": "Non-Corporate User",
931
+ "type": "variant",
932
+ "priority": 5
933
+ }
934
+ ]
935
+ },
936
+ {
937
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
938
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
939
+ "type": "subcategory",
940
+ "children": [
941
+ {
942
+ "id": "automatic_user_enumeration",
943
+ "name": "Automatic User Enumeration",
944
+ "type": "variant",
945
+ "priority": 3
946
+ },
947
+ {
948
+ "id": "manual_user_enumeration",
949
+ "name": "Manual User Enumeration",
950
+ "type": "variant",
951
+ "priority": 4
952
+ }
953
+ ]
954
+ },
955
+ {
956
+ "id": "visible_detailed_error_page",
957
+ "name": "Visible Detailed Error/Debug Page",
958
+ "type": "subcategory",
959
+ "children": [
960
+ {
961
+ "id": "detailed_server_configuration",
962
+ "name": "Detailed Server Configuration",
963
+ "type": "variant",
964
+ "priority": 4
965
+ },
966
+ {
967
+ "id": "full_path_disclosure",
968
+ "name": "Full Path Disclosure",
969
+ "type": "variant",
970
+ "priority": 5
971
+ },
972
+ {
973
+ "id": "descriptive_stack_trace",
974
+ "name": "Descriptive Stack Trace",
975
+ "type": "variant",
976
+ "priority": 5
977
+ }
978
+ ]
979
+ },
980
+ {
981
+ "id": "disclosure_of_known_public_information",
982
+ "name": "Disclosure of Known Public Information",
983
+ "type": "subcategory",
984
+ "priority": 5
985
+ },
986
+ {
987
+ "id": "token_leakage_via_referer",
988
+ "name": "Token Leakage via Referer",
989
+ "type": "subcategory",
990
+ "children": [
991
+ {
992
+ "id": "trusted_third_party",
993
+ "name": "Trusted 3rd Party",
994
+ "type": "variant",
995
+ "priority": 5
996
+ },
997
+ {
998
+ "id": "untrusted_third_party",
999
+ "name": "Untrusted 3rd Party",
1000
+ "type": "variant",
1001
+ "priority": 4
1002
+ },
1003
+ {
1004
+ "id": "over_http",
1005
+ "name": "Over HTTP",
1006
+ "type": "variant",
1007
+ "priority": 4
1008
+ },
1009
+ {
1010
+ "id": "password_reset_token",
1011
+ "name": "Password Reset Token",
1012
+ "type": "variant",
1013
+ "priority": 5
1014
+ }
1015
+ ]
1016
+ },
1017
+ {
1018
+ "id": "sensitive_token_in_url",
1019
+ "name": "Sensitive Token in URL",
1020
+ "type": "subcategory",
1021
+ "children": [
1022
+ {
1023
+ "id": "user_facing",
1024
+ "name": "User Facing",
1025
+ "type": "variant",
1026
+ "priority": 4
1027
+ },
1028
+ {
1029
+ "id": "in_the_background",
1030
+ "name": "In the Background",
1031
+ "type": "variant",
1032
+ "priority": 5
1033
+ },
1034
+ {
1035
+ "id": "on_password_reset",
1036
+ "name": "On Password Reset",
1037
+ "type": "variant",
1038
+ "priority": 5
1039
+ }
1040
+ ]
1041
+ },
1042
+ {
1043
+ "id": "non_sensitive_token_in_url",
1044
+ "name": "Non-Sensitive Token in URL",
1045
+ "type": "subcategory",
1046
+ "priority": 5
1047
+ },
1048
+ {
1049
+ "id": "weak_password_reset_implementation",
1050
+ "name": "Weak Password Reset Implementation",
1051
+ "type": "subcategory",
1052
+ "children": [
1053
+ {
1054
+ "id": "password_reset_token_sent_over_http",
1055
+ "name": "Password Reset Token Sent Over HTTP",
1056
+ "type": "variant",
1057
+ "priority": 4
1058
+ },
1059
+ {
1060
+ "id": "token_leakage_via_host_header_poisoning",
1061
+ "name": "Token Leakage via Host Header Poisoning",
1062
+ "type": "variant",
1063
+ "priority": 2
1064
+ }
1065
+ ]
1066
+ },
1067
+ {
1068
+ "id": "mixed_content",
1069
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1070
+ "type": "subcategory",
1071
+ "priority": 5
1072
+ },
1073
+ {
1074
+ "id": "sensitive_data_hardcoded",
1075
+ "name": "Sensitive Data Hardcoded",
1076
+ "type": "subcategory",
1077
+ "children": [
1078
+ {
1079
+ "id": "oauth_secret",
1080
+ "name": "OAuth Secret",
1081
+ "type": "variant",
1082
+ "priority": 5
1083
+ },
1084
+ {
1085
+ "id": "file_paths",
1086
+ "name": "File Paths",
1087
+ "type": "variant",
1088
+ "priority": 5
1089
+ }
1090
+ ]
1091
+ },
1092
+ {
1093
+ "id": "internal_ip_disclosure",
1094
+ "name": "Internal IP Disclosure",
1095
+ "type": "subcategory",
1096
+ "priority": 5
1097
+ },
1098
+ {
1099
+ "id": "xssi",
1100
+ "name": "Cross Site Script Inclusion (XSSI)",
1101
+ "type": "subcategory",
1102
+ "priority": null
1103
+ },
1104
+ {
1105
+ "id": "json_hijacking",
1106
+ "name": "JSON Hijacking",
1107
+ "type": "subcategory",
1108
+ "priority": 5
1109
+ },
1110
+ {
1111
+ "id": "via_localstorage_sessionstorage",
1112
+ "name": "Via localStorage/sessionStorage",
1113
+ "type": "subcategory",
1114
+ "children": [
1115
+ {
1116
+ "id": "sensitive_token",
1117
+ "name": "Sensitive Token",
1118
+ "type": "variant",
1119
+ "priority": 4
1120
+ },
1121
+ {
1122
+ "id": "non_sensitive_token",
1123
+ "name": "Non-Sensitive Token",
1124
+ "type": "variant",
1125
+ "priority": 5
1126
+ }
1127
+ ]
1128
+ }
1129
+ ]
1130
+ },
1131
+ {
1132
+ "id": "cross_site_scripting_xss",
1133
+ "name": "Cross-Site Scripting (XSS)",
1134
+ "type": "category",
1135
+ "children": [
1136
+ {
1137
+ "id": "stored",
1138
+ "name": "Stored",
1139
+ "type": "subcategory",
1140
+ "children": [
1141
+ {
1142
+ "id": "non_admin_to_anyone",
1143
+ "name": "Non-Privileged User to Anyone",
1144
+ "type": "variant",
1145
+ "priority": 2
1146
+ },
1147
+ {
1148
+ "id": "privileged_user_to_privilege_elevation",
1149
+ "name": "Privileged User to Privilege Elevation",
1150
+ "type": "variant",
1151
+ "priority": 3
1152
+ },
1153
+ {
1154
+ "id": "privileged_user_to_no_privilege_elevation",
1155
+ "name": "Privileged User to No Privilege Elevation",
1156
+ "type": "variant",
1157
+ "priority": 4
1158
+ },
1159
+ {
1160
+ "id": "url_based",
1161
+ "name": "CSRF/URL-Based",
1162
+ "type": "variant",
1163
+ "priority": 3
1164
+ },
1165
+ {
1166
+ "id": "self",
1167
+ "name": "Self",
1168
+ "type": "variant",
1169
+ "priority": 5
1170
+ }
1171
+ ]
1172
+ },
1173
+ {
1174
+ "id": "reflected",
1175
+ "name": "Reflected",
1176
+ "type": "subcategory",
1177
+ "children": [
1178
+ {
1179
+ "id": "non_self",
1180
+ "name": "Non-Self",
1181
+ "type": "variant",
1182
+ "priority": 3
1183
+ },
1184
+ {
1185
+ "id": "self",
1186
+ "name": "Self",
1187
+ "type": "variant",
1188
+ "priority": 5
1189
+ }
1190
+ ]
1191
+ },
1192
+ {
1193
+ "id": "flash_based",
1194
+ "name": "Flash-Based",
1195
+ "type": "subcategory",
1196
+ "priority": 5
1197
+ },
1198
+ {
1199
+ "id": "cookie_based",
1200
+ "name": "Cookie-Based",
1201
+ "type": "subcategory",
1202
+ "priority": 5
1203
+ },
1204
+ {
1205
+ "id": "ie_only",
1206
+ "name": "IE-Only",
1207
+ "type": "subcategory",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "referer",
1212
+ "name": "Referer",
1213
+ "type": "subcategory",
1214
+ "priority": 4
1215
+ },
1216
+ {
1217
+ "id": "trace_method",
1218
+ "name": "TRACE Method",
1219
+ "type": "subcategory",
1220
+ "priority": 5
1221
+ },
1222
+ {
1223
+ "id": "universal_uxss",
1224
+ "name": "Universal (UXSS)",
1225
+ "type": "subcategory",
1226
+ "priority": 4
1227
+ },
1228
+ {
1229
+ "id": "off_domain",
1230
+ "name": "Off-Domain",
1231
+ "type": "subcategory",
1232
+ "children": [
1233
+ {
1234
+ "id": "data_uri",
1235
+ "name": "Data URI",
1236
+ "type": "variant",
1237
+ "priority": 4
1238
+ }
1239
+ ]
1240
+ }
1241
+ ]
1242
+ },
1243
+ {
1244
+ "id": "broken_access_control",
1245
+ "name": "Broken Access Control (BAC)",
1246
+ "type": "category",
1247
+ "children": [
1248
+ {
1249
+ "id": "idor",
1250
+ "name": "Insecure Direct Object References (IDOR)",
1251
+ "type": "subcategory",
1252
+ "children": [
1253
+ {
1254
+ "id": "read_edit_delete_non_sensitive_information",
1255
+ "name": "Read/Edit/Delete Non-Sensitive Information",
1256
+ "type": "variant",
1257
+ "priority": 5
1258
+ },
1259
+ {
1260
+ "id": "read_edit_delete_sensitive_information_guid",
1261
+ "name": "Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID)",
1262
+ "type": "variant",
1263
+ "priority": 4
1264
+ },
1265
+ {
1266
+ "id": "read_sensitive_information_iterable_object_identifiers",
1267
+ "name": "Read Sensitive Information/Iterable Object Identifiers",
1268
+ "type": "variant",
1269
+ "priority": 3
1270
+ },
1271
+ {
1272
+ "id": "edit_delete_sensitive_information_iterable_object_identifiers",
1273
+ "name": "Edit/Delete Sensitive Information/Iterable Object Identifiers",
1274
+ "type": "variant",
1275
+ "priority": 2
1276
+ },
1277
+ {
1278
+ "id": "read_edit_delete_sensitive_information_iterable_object_identifiers",
1279
+ "name": "Read/Edit/Delete Sensitive Information/Iterable Object Identifiers",
1280
+ "type": "variant",
1281
+ "priority": 1
1282
+ }
1283
+ ]
1284
+ },
1285
+ {
1286
+ "id": "username_enumeration",
1287
+ "name": "Username/Email Enumeration",
1288
+ "type": "subcategory",
1289
+ "children": [
1290
+ {
1291
+ "id": "non_brute_force",
1292
+ "name": "Non-Brute Force",
1293
+ "type": "variant",
1294
+ "priority": 4
1295
+ }
1296
+ ]
1297
+ },
1298
+ {
1299
+ "id": "exposed_sensitive_android_intent",
1300
+ "name": "Exposed Sensitive Android Intent",
1301
+ "type": "subcategory",
1302
+ "priority": null
1303
+ },
1304
+ {
1305
+ "id": "privilege_escalation",
1306
+ "name": "Privilege Escalation",
1307
+ "type": "subcategory",
1308
+ "priority": null
1309
+ },
1310
+ {
1311
+ "id": "exposed_sensitive_ios_url_scheme",
1312
+ "name": "Exposed Sensitive iOS URL Scheme",
1313
+ "type": "subcategory",
1314
+ "priority": null
1315
+ }
1316
+ ]
1317
+ },
1318
+ {
1319
+ "id": "cross_site_request_forgery_csrf",
1320
+ "name": "Cross-Site Request Forgery (CSRF)",
1321
+ "type": "category",
1322
+ "children": [
1323
+ {
1324
+ "id": "application_wide",
1325
+ "name": "Application-Wide",
1326
+ "type": "subcategory",
1327
+ "priority": 2
1328
+ },
1329
+ {
1330
+ "id": "action_specific",
1331
+ "name": "Action-Specific",
1332
+ "type": "subcategory",
1333
+ "children": [
1334
+ {
1335
+ "id": "authenticated_action",
1336
+ "name": "Authenticated Action",
1337
+ "type": "variant",
1338
+ "priority": null
1339
+ },
1340
+ {
1341
+ "id": "unauthenticated_action",
1342
+ "name": "Unauthenticated Action",
1343
+ "type": "variant",
1344
+ "priority": null
1345
+ },
1346
+ {
1347
+ "id": "logout",
1348
+ "name": "Logout",
1349
+ "type": "variant",
1350
+ "priority": 5
1351
+ }
1352
+ ]
1353
+ },
1354
+ {
1355
+ "id": "csrf_token_not_unique_per_request",
1356
+ "name": "CSRF Token Not Unique Per Request",
1357
+ "type": "subcategory",
1358
+ "priority": 5
1359
+ },
1360
+ {
1361
+ "id": "flash_based",
1362
+ "name": "Flash-Based",
1363
+ "type": "subcategory",
1364
+ "priority": 5
1365
+ }
1366
+ ]
1367
+ },
1368
+ {
1369
+ "id": "application_level_denial_of_service_dos",
1370
+ "name": "Application-Level Denial-of-Service (DoS)",
1371
+ "type": "category",
1372
+ "children": [
1373
+ {
1374
+ "id": "excessive_resource_consumption",
1375
+ "name": "Excessive Resource Consumption",
1376
+ "type": "subcategory",
1377
+ "children": [
1378
+ {
1379
+ "id": "injection_prompt",
1380
+ "name": "Injection (Prompt)",
1381
+ "type": "variant",
1382
+ "priority": null
1383
+ }
1384
+ ]
1385
+ },
1386
+ {
1387
+ "id": "critical_impact_and_or_easy_difficulty",
1388
+ "name": "Critical Impact and/or Easy Difficulty",
1389
+ "type": "subcategory",
1390
+ "priority": 2
1391
+ },
1392
+ {
1393
+ "id": "high_impact_and_or_medium_difficulty",
1394
+ "name": "High Impact and/or Medium Difficulty",
1395
+ "type": "subcategory",
1396
+ "priority": 3
1397
+ },
1398
+ {
1399
+ "id": "app_crash",
1400
+ "name": "App Crash",
1401
+ "type": "subcategory",
1402
+ "children": [
1403
+ {
1404
+ "id": "malformed_android_intents",
1405
+ "name": "Malformed Android Intents",
1406
+ "type": "variant",
1407
+ "priority": 5
1408
+ },
1409
+ {
1410
+ "id": "malformed_ios_url_schemes",
1411
+ "name": "Malformed iOS URL Schemes",
1412
+ "type": "variant",
1413
+ "priority": 5
1414
+ }
1415
+ ]
1416
+ }
1417
+ ]
1418
+ },
1419
+ {
1420
+ "id": "unvalidated_redirects_and_forwards",
1421
+ "name": "Unvalidated Redirects and Forwards",
1422
+ "type": "category",
1423
+ "children": [
1424
+ {
1425
+ "id": "open_redirect",
1426
+ "name": "Open Redirect",
1427
+ "type": "subcategory",
1428
+ "children": [
1429
+ {
1430
+ "id": "get_based",
1431
+ "name": "GET-Based",
1432
+ "type": "variant",
1433
+ "priority": 4
1434
+ },
1435
+ {
1436
+ "id": "post_based",
1437
+ "name": "POST-Based",
1438
+ "type": "variant",
1439
+ "priority": 5
1440
+ },
1441
+ {
1442
+ "id": "header_based",
1443
+ "name": "Header-Based",
1444
+ "type": "variant",
1445
+ "priority": 5
1446
+ },
1447
+ {
1448
+ "id": "flash_based",
1449
+ "name": "Flash-Based",
1450
+ "type": "variant",
1451
+ "priority": 5
1452
+ }
1453
+ ]
1454
+ },
1455
+ {
1456
+ "id": "tabnabbing",
1457
+ "name": "Tabnabbing",
1458
+ "type": "subcategory",
1459
+ "priority": 5
1460
+ },
1461
+ {
1462
+ "id": "lack_of_security_speed_bump_page",
1463
+ "name": "Lack of Security Speed Bump Page",
1464
+ "type": "subcategory",
1465
+ "priority": 5
1466
+ }
1467
+ ]
1468
+ },
1469
+ {
1470
+ "id": "external_behavior",
1471
+ "name": "External Behavior",
1472
+ "type": "category",
1473
+ "children": [
1474
+ {
1475
+ "id": "browser_feature",
1476
+ "name": "Browser Feature",
1477
+ "type": "subcategory",
1478
+ "children": [
1479
+ {
1480
+ "id": "plaintext_password_field",
1481
+ "name": "Plaintext Password Field",
1482
+ "type": "variant",
1483
+ "priority": 5
1484
+ },
1485
+ {
1486
+ "id": "save_password",
1487
+ "name": "Save Password",
1488
+ "type": "variant",
1489
+ "priority": 5
1490
+ },
1491
+ {
1492
+ "id": "autocomplete_enabled",
1493
+ "name": "Autocomplete Enabled",
1494
+ "type": "variant",
1495
+ "priority": 5
1496
+ },
1497
+ {
1498
+ "id": "autocorrect_enabled",
1499
+ "name": "Autocorrect Enabled",
1500
+ "type": "variant",
1501
+ "priority": 5
1502
+ },
1503
+ {
1504
+ "id": "aggressive_offline_caching",
1505
+ "name": "Aggressive Offline Caching",
1506
+ "type": "variant",
1507
+ "priority": 5
1508
+ }
1509
+ ]
1510
+ },
1511
+ {
1512
+ "id": "csv_injection",
1513
+ "name": "CSV Injection",
1514
+ "type": "subcategory",
1515
+ "priority": 5
1516
+ },
1517
+ {
1518
+ "id": "captcha_bypass",
1519
+ "name": "Captcha Bypass",
1520
+ "type": "subcategory",
1521
+ "children": [
1522
+ {
1523
+ "id": "crowdsourcing",
1524
+ "name": "Crowdsourcing",
1525
+ "type": "variant",
1526
+ "priority": 5
1527
+ }
1528
+ ]
1529
+ },
1530
+ {
1531
+ "id": "system_clipboard_leak",
1532
+ "name": "System Clipboard Leak",
1533
+ "type": "subcategory",
1534
+ "children": [
1535
+ {
1536
+ "id": "shared_links",
1537
+ "name": "Shared Links",
1538
+ "type": "variant",
1539
+ "priority": 5
1540
+ }
1541
+ ]
1542
+ },
1543
+ {
1544
+ "id": "user_password_persisted_in_memory",
1545
+ "name": "User Password Persisted in Memory",
1546
+ "type": "subcategory",
1547
+ "priority": 5
1548
+ }
1549
+ ]
1550
+ },
1551
+ {
1552
+ "id": "insufficient_security_configurability",
1553
+ "name": "Insufficient Security Configurability",
1554
+ "type": "category",
1555
+ "children": [
1556
+ {
1557
+ "id": "weak_password_policy",
1558
+ "name": "Weak Password Policy",
1559
+ "type": "subcategory",
1560
+ "priority": 5
1561
+ },
1562
+ {
1563
+ "id": "no_password_policy",
1564
+ "name": "No Password Policy",
1565
+ "type": "subcategory",
1566
+ "priority": 4
1567
+ },
1568
+ {
1569
+ "id": "password_policy_bypass",
1570
+ "name": "Password Policy Bypass",
1571
+ "type": "subcategory",
1572
+ "priority": 5
1573
+ },
1574
+ {
1575
+ "id": "weak_password_reset_implementation",
1576
+ "name": "Weak Password Reset Implementation",
1577
+ "type": "subcategory",
1578
+ "children": [
1579
+ {
1580
+ "id": "token_is_not_invalidated_after_use",
1581
+ "name": "Token is Not Invalidated After Use",
1582
+ "type": "variant",
1583
+ "priority": 4
1584
+ },
1585
+ {
1586
+ "id": "token_is_not_invalidated_after_email_change",
1587
+ "name": "Token is Not Invalidated After Email Change",
1588
+ "type": "variant",
1589
+ "priority": 5
1590
+ },
1591
+ {
1592
+ "id": "token_is_not_invalidated_after_password_change",
1593
+ "name": "Token is Not Invalidated After Password Change",
1594
+ "type": "variant",
1595
+ "priority": 5
1596
+ },
1597
+ {
1598
+ "id": "token_has_long_timed_expiry",
1599
+ "name": "Token Has Long Timed Expiry",
1600
+ "type": "variant",
1601
+ "priority": 5
1602
+ },
1603
+ {
1604
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1605
+ "name": "Token is Not Invalidated After New Token is Requested",
1606
+ "type": "variant",
1607
+ "priority": 5
1608
+ },
1609
+ {
1610
+ "id": "token_is_not_invalidated_after_login",
1611
+ "name": "Token is Not Invalidated After Login",
1612
+ "type": "variant",
1613
+ "priority": 5
1614
+ }
1615
+ ]
1616
+ },
1617
+ {
1618
+ "id": "verification_of_contact_method_not_required",
1619
+ "name": "Verification of Contact Method not Required",
1620
+ "type": "subcategory",
1621
+ "priority": 5
1622
+ },
1623
+ {
1624
+ "id": "lack_of_notification_email",
1625
+ "name": "Lack of Notification Email",
1626
+ "type": "subcategory",
1627
+ "priority": 5
1628
+ },
1629
+ {
1630
+ "id": "weak_registration_implementation",
1631
+ "name": "Weak Registration Implementation",
1632
+ "type": "subcategory",
1633
+ "children": [
1634
+ {
1635
+ "id": "allows_disposable_email_addresses",
1636
+ "name": "Allows Disposable Email Addresses",
1637
+ "type": "variant",
1638
+ "priority": 5
1639
+ }
1640
+ ]
1641
+ },
1642
+ {
1643
+ "id": "weak_two_fa_implementation",
1644
+ "name": "Weak 2FA Implementation",
1645
+ "type": "subcategory",
1646
+ "children": [
1647
+ {
1648
+ "id": "two_fa_secret_cannot_be_rotated",
1649
+ "name": "2FA Secret Cannot be Rotated",
1650
+ "type": "variant",
1651
+ "priority": 4
1652
+ },
1653
+ {
1654
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1655
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1656
+ "type": "variant",
1657
+ "priority": 4
1658
+ },
1659
+ {
1660
+ "id": "missing_failsafe",
1661
+ "name": "Missing Failsafe",
1662
+ "type": "variant",
1663
+ "priority": 5
1664
+ },
1665
+ {
1666
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1667
+ "name": "2FA Code is Not Updated After New Code is Requested",
1668
+ "type": "variant",
1669
+ "priority": 5
1670
+ },
1671
+ {
1672
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1673
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1674
+ "type": "variant",
1675
+ "priority": 5
1676
+ }
1677
+ ]
1678
+ }
1679
+ ]
1680
+ },
1681
+ {
1682
+ "id": "using_components_with_known_vulnerabilities",
1683
+ "name": "Using Components with Known Vulnerabilities",
1684
+ "type": "category",
1685
+ "children": [
1686
+ {
1687
+ "id": "rosetta_flash",
1688
+ "name": "Rosetta Flash",
1689
+ "type": "subcategory",
1690
+ "priority": 5
1691
+ },
1692
+ {
1693
+ "id": "outdated_software_version",
1694
+ "name": "Outdated Software Version",
1695
+ "type": "subcategory",
1696
+ "priority": 5
1697
+ },
1698
+ {
1699
+ "id": "captcha_bypass",
1700
+ "name": "Captcha Bypass",
1701
+ "type": "subcategory",
1702
+ "children": [
1703
+ {
1704
+ "id": "ocr_optical_character_recognition",
1705
+ "name": "OCR (Optical Character Recognition)",
1706
+ "type": "variant",
1707
+ "priority": 5
1708
+ }
1709
+ ]
1710
+ }
1711
+ ]
1712
+ },
1713
+ {
1714
+ "id": "insecure_data_storage",
1715
+ "name": "Insecure Data Storage",
1716
+ "type": "category",
1717
+ "children": [
1718
+ {
1719
+ "id": "sensitive_application_data_stored_unencrypted",
1720
+ "name": "Sensitive Application Data Stored Unencrypted",
1721
+ "type": "subcategory",
1722
+ "children": [
1723
+ {
1724
+ "id": "on_external_storage",
1725
+ "name": "On External Storage",
1726
+ "type": "variant",
1727
+ "priority": 4
1728
+ },
1729
+ {
1730
+ "id": "on_internal_storage",
1731
+ "name": "On Internal Storage",
1732
+ "type": "variant",
1733
+ "priority": 5
1734
+ }
1735
+ ]
1736
+ },
1737
+ {
1738
+ "id": "server_side_credentials_storage",
1739
+ "name": "Server-Side Credentials Storage",
1740
+ "type": "subcategory",
1741
+ "children": [
1742
+ {
1743
+ "id": "plaintext",
1744
+ "name": "Plaintext",
1745
+ "type": "variant",
1746
+ "priority": 4
1747
+ }
1748
+ ]
1749
+ },
1750
+ {
1751
+ "id": "non_sensitive_application_data_stored_unencrypted",
1752
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1753
+ "type": "subcategory",
1754
+ "priority": 5
1755
+ },
1756
+ {
1757
+ "id": "screen_caching_enabled",
1758
+ "name": "Screen Caching Enabled",
1759
+ "type": "subcategory",
1760
+ "priority": 5
1761
+ }
1762
+ ]
1763
+ },
1764
+ {
1765
+ "id": "lack_of_binary_hardening",
1766
+ "name": "Lack of Binary Hardening",
1767
+ "type": "category",
1768
+ "children": [
1769
+ {
1770
+ "id": "lack_of_exploit_mitigations",
1771
+ "name": "Lack of Exploit Mitigations",
1772
+ "type": "subcategory",
1773
+ "priority": 5
1774
+ },
1775
+ {
1776
+ "id": "lack_of_jailbreak_detection",
1777
+ "name": "Lack of Jailbreak Detection",
1778
+ "type": "subcategory",
1779
+ "priority": 5
1780
+ },
1781
+ {
1782
+ "id": "lack_of_obfuscation",
1783
+ "name": "Lack of Obfuscation",
1784
+ "type": "subcategory",
1785
+ "priority": 5
1786
+ },
1787
+ {
1788
+ "id": "runtime_instrumentation_based",
1789
+ "name": "Runtime Instrumentation-Based",
1790
+ "type": "subcategory",
1791
+ "priority": 5
1792
+ }
1793
+ ]
1794
+ },
1795
+ {
1796
+ "id": "insecure_data_transport",
1797
+ "name": "Insecure Data Transport",
1798
+ "type": "category",
1799
+ "children": [
1800
+ {
1801
+ "id": "cleartext_transmission_of_sensitive_data",
1802
+ "name": "Cleartext Transmission of Sensitive Data",
1803
+ "type": "subcategory",
1804
+ "priority": null
1805
+ },
1806
+ {
1807
+ "id": "executable_download",
1808
+ "name": "Executable Download",
1809
+ "type": "subcategory",
1810
+ "children": [
1811
+ {
1812
+ "id": "no_secure_integrity_check",
1813
+ "name": "No Secure Integrity Check",
1814
+ "type": "variant",
1815
+ "priority": 4
1816
+ },
1817
+ {
1818
+ "id": "secure_integrity_check",
1819
+ "name": "Secure Integrity Check",
1820
+ "type": "variant",
1821
+ "priority": 5
1822
+ }
1823
+ ]
1824
+ }
1825
+ ]
1826
+ },
1827
+ {
1828
+ "id": "data_biases",
1829
+ "name": "Data Biases",
1830
+ "type": "category",
1831
+ "children": [
1832
+ {
1833
+ "id": "representation_bias",
1834
+ "name": "Representation Bias",
1835
+ "type": "subcategory",
1836
+ "priority": null
1837
+ },
1838
+ {
1839
+ "id": "pre_existing_bias",
1840
+ "name": "Pre-existing Bias",
1841
+ "type": "subcategory",
1842
+ "priority": null
1843
+ }
1844
+ ]
1845
+ },
1846
+ {
1847
+ "id": "algorithmic_biases",
1848
+ "name": "Algorithmic Biases",
1849
+ "type": "category",
1850
+ "children": [
1851
+ {
1852
+ "id": "processing_bias",
1853
+ "name": "Processing Bias",
1854
+ "type": "subcategory",
1855
+ "priority": null
1856
+ },
1857
+ {
1858
+ "id": "aggregation_bias",
1859
+ "name": "Aggregation Bias",
1860
+ "type": "subcategory",
1861
+ "priority": null
1862
+ }
1863
+ ]
1864
+ },
1865
+ {
1866
+ "id": "societal_biases",
1867
+ "name": "Societal Biases",
1868
+ "type": "category",
1869
+ "children": [
1870
+ {
1871
+ "id": "confirmation_bias",
1872
+ "name": "Confirmation Bias",
1873
+ "type": "subcategory",
1874
+ "priority": null
1875
+ },
1876
+ {
1877
+ "id": "systemic_bias",
1878
+ "name": "Systemic Bias",
1879
+ "type": "subcategory",
1880
+ "priority": null
1881
+ }
1882
+ ]
1883
+ },
1884
+ {
1885
+ "id": "misinterpretation_biases",
1886
+ "name": "Misinterpretation Biases",
1887
+ "type": "category",
1888
+ "children": [
1889
+ {
1890
+ "id": "context_ignorance",
1891
+ "name": "Context Ignorance",
1892
+ "type": "subcategory",
1893
+ "priority": null
1894
+ }
1895
+ ]
1896
+ },
1897
+ {
1898
+ "id": "developer_biases",
1899
+ "name": "Developer Biases",
1900
+ "type": "category",
1901
+ "children": [
1902
+ {
1903
+ "id": "implicit_bias",
1904
+ "name": "Implicit Bias",
1905
+ "type": "subcategory",
1906
+ "priority": null
1907
+ }
1908
+ ]
1909
+ },
1910
+ {
1911
+ "id": "physical_security_issues",
1912
+ "name": "Physical Security Issues",
1913
+ "type": "category",
1914
+ "children": [
1915
+ {
1916
+ "id": "bypass_of_physical_access_control",
1917
+ "name": "Bypass of physical access control",
1918
+ "type": "subcategory",
1919
+ "priority": null
1920
+ },
1921
+ {
1922
+ "id": "weakness_in_physical_access_control",
1923
+ "name": "Weakness in physical access control",
1924
+ "type": "subcategory",
1925
+ "children": [
1926
+ {
1927
+ "id": "cloneable_key",
1928
+ "name": "Cloneable Key",
1929
+ "type": "variant",
1930
+ "priority": null
1931
+ },
1932
+ {
1933
+ "id": "master_key_identification",
1934
+ "name": "Master Key Identification",
1935
+ "type": "variant",
1936
+ "priority": null
1937
+ },
1938
+ {
1939
+ "id": "commonly_keyed_system",
1940
+ "name": "Commonly Keyed System",
1941
+ "type": "variant",
1942
+ "priority": 2
1943
+ }
1944
+ ]
1945
+ }
1946
+ ]
1947
+ },
1948
+ {
1949
+ "id": "insecure_os_firmware",
1950
+ "name": "Insecure OS/Firmware",
1951
+ "type": "category",
1952
+ "children": [
1953
+ {
1954
+ "id": "command_injection",
1955
+ "name": "Command Injection",
1956
+ "type": "subcategory",
1957
+ "priority": 1
1958
+ },
1959
+ {
1960
+ "id": "hardcoded_password",
1961
+ "name": "Hardcoded Password",
1962
+ "type": "subcategory",
1963
+ "children": [
1964
+ {
1965
+ "id": "privileged_user",
1966
+ "name": "Privileged User",
1967
+ "type": "variant",
1968
+ "priority": 1
1969
+ },
1970
+ {
1971
+ "id": "non_privileged_user",
1972
+ "name": "Non-Privileged User",
1973
+ "type": "variant",
1974
+ "priority": 2
1975
+ }
1976
+ ]
1977
+ },
1978
+ {
1979
+ "id": "weakness_in_firmware_updates",
1980
+ "name": "Weakness in Firmware Updates",
1981
+ "type": "subcategory",
1982
+ "children": [
1983
+ {
1984
+ "id": "firmware_cannot_be_updated",
1985
+ "name": "Firmware cannot be updated",
1986
+ "type": "variant",
1987
+ "priority": null
1988
+ },
1989
+ {
1990
+ "id": "firmware_does_not_validate_update_integrity",
1991
+ "name": "Firmware does not validate update integrity",
1992
+ "type": "variant",
1993
+ "priority": 3
1994
+ },
1995
+ {
1996
+ "id": "firmware_is_not_encrypted",
1997
+ "name": "Firmware is not encrypted",
1998
+ "type": "variant",
1999
+ "priority": 5
2000
+ }
2001
+ ]
2002
+ },
2003
+ {
2004
+ "id": "kiosk_escape_or_breakout",
2005
+ "name": "Kiosk Escape or Breakout",
2006
+ "type": "subcategory",
2007
+ "priority": null
2008
+ },
2009
+ {
2010
+ "id": "poorly_configured_disk_encryption",
2011
+ "name": "Poorly Configured Disk Encryption",
2012
+ "type": "subcategory",
2013
+ "priority": null
2014
+ },
2015
+ {
2016
+ "id": "shared_credentials_on_storage",
2017
+ "name": "Shared Credentials on Storage",
2018
+ "type": "subcategory",
2019
+ "priority": 3
2020
+ },
2021
+ {
2022
+ "id": "over_permissioned_credentials_on_storage",
2023
+ "name": "Over-Permissioned Credentials on Storage",
2024
+ "type": "subcategory",
2025
+ "priority": 2
2026
+ },
2027
+ {
2028
+ "id": "local_administrator_on_default_environment",
2029
+ "name": "Local Administrator on default environment",
2030
+ "type": "subcategory",
2031
+ "priority": 2
2032
+ },
2033
+ {
2034
+ "id": "poorly_configured_operating_system_security",
2035
+ "name": "Poorly Configured Operating System Security",
2036
+ "type": "subcategory",
2037
+ "priority": null
2038
+ },
2039
+ {
2040
+ "id": "recovery_of_disk_contains_sensitive_material",
2041
+ "name": "Recovery of Disk Contains Sensitive Material",
2042
+ "type": "subcategory",
2043
+ "priority": null
2044
+ },
2045
+ {
2046
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
2047
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
2048
+ "type": "subcategory",
2049
+ "priority": null
2050
+ },
2051
+ {
2052
+ "id": "data_not_encrypted_at_rest",
2053
+ "name": "Data not encrypted at rest",
2054
+ "type": "subcategory",
2055
+ "children": [
2056
+ {
2057
+ "id": "sensitive",
2058
+ "name": "Sensitive",
2059
+ "type": "variant",
2060
+ "priority": null
2061
+ },
2062
+ {
2063
+ "id": "non_sensitive",
2064
+ "name": "Non sensitive",
2065
+ "type": "variant",
2066
+ "priority": 5
2067
+ }
2068
+ ]
2069
+ }
2070
+ ]
2071
+ },
2072
+ {
2073
+ "id": "cryptographic_weakness",
2074
+ "name": "Cryptographic Weakness",
2075
+ "type": "category",
2076
+ "children": [
2077
+ {
2078
+ "id": "insufficient_entropy",
2079
+ "name": "Insufficient Entropy",
2080
+ "type": "subcategory",
2081
+ "children": [
2082
+ {
2083
+ "id": "limited_rng_entropy_source",
2084
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
2085
+ "type": "variant",
2086
+ "priority": 4
2087
+ },
2088
+ {
2089
+ "id": "use_of_trng_for_nonsecurity_purpose",
2090
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
2091
+ "type": "variant",
2092
+ "priority": 5
2093
+ },
2094
+ {
2095
+ "id": "prng_seed_reuse",
2096
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
2097
+ "type": "variant",
2098
+ "priority": 5
2099
+ },
2100
+ {
2101
+ "id": "predictable_prng_seed",
2102
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
2103
+ "type": "variant",
2104
+ "priority": 4
2105
+ },
2106
+ {
2107
+ "id": "small_seed_space_in_prng",
2108
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
2109
+ "type": "variant",
2110
+ "priority": 4
2111
+ },
2112
+ {
2113
+ "id": "initialization_vector_reuse",
2114
+ "name": "Initialization Vector (IV) Reuse",
2115
+ "type": "variant",
2116
+ "priority": 5
2117
+ },
2118
+ {
2119
+ "id": "predictable_initialization_vector",
2120
+ "name": "Predictable Initialization Vector (IV)",
2121
+ "type": "variant",
2122
+ "priority": 4
2123
+ }
2124
+ ]
2125
+ },
2126
+ {
2127
+ "id": "insecure_implementation",
2128
+ "name": "Insecure Implementation",
2129
+ "type": "subcategory",
2130
+ "children": [
2131
+ {
2132
+ "id": "missing_cryptographic_step",
2133
+ "name": "Missing Cryptographic Step",
2134
+ "type": "variant",
2135
+ "priority": null
2136
+ },
2137
+ {
2138
+ "id": "improper_following_of_specification",
2139
+ "name": "Improper Following of Specification (Other)",
2140
+ "type": "variant",
2141
+ "priority": null
2142
+ }
2143
+ ]
2144
+ },
2145
+ {
2146
+ "id": "weak_hash",
2147
+ "name": "Weak Hash",
2148
+ "type": "subcategory",
2149
+ "children": [
2150
+ {
2151
+ "id": "lack_of_salt",
2152
+ "name": "Lack of Salt",
2153
+ "type": "variant",
2154
+ "priority": null
2155
+ },
2156
+ {
2157
+ "id": "use_of_predictable_salt",
2158
+ "name": "Use of Predictable Salt",
2159
+ "type": "variant",
2160
+ "priority": 5
2161
+ },
2162
+ {
2163
+ "id": "predictable_hash_collision",
2164
+ "name": "Predictable Hash Collision",
2165
+ "type": "variant",
2166
+ "priority": null
2167
+ }
2168
+ ]
2169
+ },
2170
+ {
2171
+ "id": "insufficient_verification_of_data_authenticity",
2172
+ "name": "Insufficient Verification of Data Authenticity",
2173
+ "type": "subcategory",
2174
+ "children": [
2175
+ {
2176
+ "id": "identity_check_value",
2177
+ "name": "Integrity Check Value (ICV)",
2178
+ "type": "variant",
2179
+ "priority": 4
2180
+ },
2181
+ {
2182
+ "id": "cryptographic_signature",
2183
+ "name": "Cryptographic Signature",
2184
+ "type": "variant",
2185
+ "priority": null
2186
+ }
2187
+ ]
2188
+ },
2189
+ {
2190
+ "id": "insecure_key_generation",
2191
+ "name": "Insecure Key Generation",
2192
+ "type": "subcategory",
2193
+ "children": [
2194
+ {
2195
+ "id": "improper_asymmetric_prime_selection",
2196
+ "name": "Improper Asymmetric Prime Selection",
2197
+ "type": "variant",
2198
+ "priority": null
2199
+ },
2200
+ {
2201
+ "id": "improper_asymmetric_exponent_selection",
2202
+ "name": "Improper Asymmetric Exponent Selection",
2203
+ "type": "variant",
2204
+ "priority": null
2205
+ },
2206
+ {
2207
+ "id": "insufficient_key_stretching",
2208
+ "name": "Insufficient Key Stretching",
2209
+ "type": "variant",
2210
+ "priority": null
2211
+ },
2212
+ {
2213
+ "id": "insufficient_key_space",
2214
+ "name": "Insufficient Key Space",
2215
+ "type": "variant",
2216
+ "priority": 3
2217
+ },
2218
+ {
2219
+ "id": "key_exchange_without_entity_authentication",
2220
+ "name": "Key Exchage Without Entity Authentication",
2221
+ "type": "variant",
2222
+ "priority": 4
2223
+ }
2224
+ ]
2225
+ },
2226
+ {
2227
+ "id": "key_reuse",
2228
+ "name": "Key Reuse",
2229
+ "type": "subcategory",
2230
+ "children": [
2231
+ {
2232
+ "id": "lack_of_perfect_forward_secrecy",
2233
+ "name": "Lack of Perfect Forward Secrecy",
2234
+ "type": "variant",
2235
+ "priority": 4
2236
+ },
2237
+ {
2238
+ "id": "intra_environment",
2239
+ "name": "Intra-Environment",
2240
+ "type": "variant",
2241
+ "priority": 5
2242
+ },
2243
+ {
2244
+ "id": "inter_environment",
2245
+ "name": "Inter-Environment",
2246
+ "type": "variant",
2247
+ "priority": 2
2248
+ }
2249
+ ]
2250
+ },
2251
+ {
2252
+ "id": "broken_cryptography",
2253
+ "name": "Broken Cryptography",
2254
+ "type": "subcategory",
2255
+ "children": [
2256
+ {
2257
+ "id": "use_of_broken_cryptographic_primitive",
2258
+ "name": "Use of Broken Cryptographic Primitive",
2259
+ "type": "variant",
2260
+ "priority": 3
2261
+ },
2262
+ {
2263
+ "id": "use_of_vulnerable_cryptographic_library",
2264
+ "name": "Use of Vulnerable Cryptographic Library",
2265
+ "type": "variant",
2266
+ "priority": 4
2267
+ }
2268
+ ]
2269
+ },
2270
+ {
2271
+ "id": "side_channel_attack",
2272
+ "name": "Side-Channel Attack",
2273
+ "type": "subcategory",
2274
+ "children": [
2275
+ {
2276
+ "id": "padding_oracle_attack",
2277
+ "name": "Padding Oracle Attack",
2278
+ "type": "variant",
2279
+ "priority": 4
2280
+ },
2281
+ {
2282
+ "id": "timing_attack",
2283
+ "name": "Timing Attack",
2284
+ "type": "variant",
2285
+ "priority": 4
2286
+ },
2287
+ {
2288
+ "id": "power_analysis_attack",
2289
+ "name": "Power Analysis Attack",
2290
+ "type": "variant",
2291
+ "priority": 5
2292
+ },
2293
+ {
2294
+ "id": "emanations_attack",
2295
+ "name": "Emanations Attack",
2296
+ "type": "variant",
2297
+ "priority": 5
2298
+ },
2299
+ {
2300
+ "id": "differential_fault_analysis",
2301
+ "name": "Differential Fault Analysis",
2302
+ "type": "variant",
2303
+ "priority": null
2304
+ }
2305
+ ]
2306
+ },
2307
+ {
2308
+ "id": "use_of_expired_cryptographic_key_or_cert",
2309
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
2310
+ "type": "subcategory",
2311
+ "priority": 4
2312
+ },
2313
+ {
2314
+ "id": "incomplete_cleanup_of_keying_material",
2315
+ "name": "Incomplete Cleanup of Keying Material",
2316
+ "type": "subcategory",
2317
+ "priority": 5
2318
+ }
2319
+ ]
2320
+ },
2321
+ {
2322
+ "id": "privacy_concerns",
2323
+ "name": "Privacy Concerns",
2324
+ "type": "category",
2325
+ "children": [
2326
+ {
2327
+ "id": "unnecessary_data_collection",
2328
+ "name": "Unnecessary Data Collection",
2329
+ "type": "subcategory",
2330
+ "children": [
2331
+ {
2332
+ "id": "wifi_ssid_password",
2333
+ "name": "WiFi SSID+Password",
2334
+ "type": "variant",
2335
+ "priority": 4
2336
+ }
2337
+ ]
2338
+ }
2339
+ ]
2340
+ },
2341
+ {
2342
+ "id": "network_security_misconfiguration",
2343
+ "name": "Network Security Misconfiguration",
2344
+ "type": "category",
2345
+ "children": [
2346
+ {
2347
+ "id": "telnet_enabled",
2348
+ "name": "Telnet Enabled",
2349
+ "type": "subcategory",
2350
+ "priority": 5
2351
+ }
2352
+ ]
2353
+ },
2354
+ {
2355
+ "id": "mobile_security_misconfiguration",
2356
+ "name": "Mobile Security Misconfiguration",
2357
+ "type": "category",
2358
+ "children": [
2359
+ {
2360
+ "id": "ssl_certificate_pinning",
2361
+ "name": "SSL Certificate Pinning",
2362
+ "type": "subcategory",
2363
+ "children": [
2364
+ {
2365
+ "id": "absent",
2366
+ "name": "Absent",
2367
+ "type": "variant",
2368
+ "priority": 5
2369
+ },
2370
+ {
2371
+ "id": "defeatable",
2372
+ "name": "Defeatable",
2373
+ "type": "variant",
2374
+ "priority": 5
2375
+ }
2376
+ ]
2377
+ },
2378
+ {
2379
+ "id": "tapjacking",
2380
+ "name": "Tapjacking",
2381
+ "type": "subcategory",
2382
+ "priority": 5
2383
+ },
2384
+ {
2385
+ "id": "clipboard_enabled",
2386
+ "name": "Clipboard Enabled",
2387
+ "type": "subcategory",
2388
+ "priority": 5
2389
+ },
2390
+ {
2391
+ "id": "auto_backup_allowed_by_default",
2392
+ "name": "Auto Backup Allowed by Default",
2393
+ "type": "subcategory",
2394
+ "priority": 5
2395
+ }
2396
+ ]
2397
+ },
2398
+ {
2399
+ "id": "client_side_injection",
2400
+ "name": "Client-Side Injection",
2401
+ "type": "category",
2402
+ "children": [
2403
+ {
2404
+ "id": "binary_planting",
2405
+ "name": "Binary Planting",
2406
+ "type": "subcategory",
2407
+ "children": [
2408
+ {
2409
+ "id": "privilege_escalation",
2410
+ "name": "Default Folder Privilege Escalation",
2411
+ "type": "variant",
2412
+ "priority": 3
2413
+ },
2414
+ {
2415
+ "id": "non_default_folder_privilege_escalation",
2416
+ "name": "Non-Default Folder Privilege Escalation",
2417
+ "type": "variant",
2418
+ "priority": 5
2419
+ },
2420
+ {
2421
+ "id": "no_privilege_escalation",
2422
+ "name": "No Privilege Escalation",
2423
+ "type": "variant",
2424
+ "priority": 5
2425
+ }
2426
+ ]
2427
+ }
2428
+ ]
2429
+ },
2430
+ {
2431
+ "id": "automotive_security_misconfiguration",
2432
+ "name": "Automotive Security Misconfiguration",
2433
+ "type": "category",
2434
+ "children": [
2435
+ {
2436
+ "id": "infotainment_radio_head_unit",
2437
+ "name": "Infotainment, Radio Head Unit",
2438
+ "type": "subcategory",
2439
+ "children": [
2440
+ {
2441
+ "id": "sensitive_data_leakage_exposure",
2442
+ "name": "Sensitive data Leakage/Exposure",
2443
+ "type": "variant",
2444
+ "priority": 1
2445
+ },
2446
+ {
2447
+ "id": "ota_firmware_manipulation",
2448
+ "name": "OTA Firmware Manipulation",
2449
+ "type": "variant",
2450
+ "priority": 2
2451
+ },
2452
+ {
2453
+ "id": "code_execution_can_bus_pivot",
2454
+ "name": "Code Execution (CAN Bus Pivot)",
2455
+ "type": "variant",
2456
+ "priority": 2
2457
+ },
2458
+ {
2459
+ "id": "code_execution_no_can_bus_pivot",
2460
+ "name": "Code Execution (No CAN Bus Pivot)",
2461
+ "type": "variant",
2462
+ "priority": 3
2463
+ },
2464
+ {
2465
+ "id": "unauthorized_access_to_services",
2466
+ "name": "Unauthorized Access to Services (API / Endpoints)",
2467
+ "type": "variant",
2468
+ "priority": 3
2469
+ },
2470
+ {
2471
+ "id": "source_code_dump",
2472
+ "name": "Source Code Dump",
2473
+ "type": "variant",
2474
+ "priority": 4
2475
+ },
2476
+ {
2477
+ "id": "dos_brick",
2478
+ "name": "Denial of Service (DoS / Brick)",
2479
+ "type": "variant",
2480
+ "priority": 4
2481
+ },
2482
+ {
2483
+ "id": "default_credentials",
2484
+ "name": "Default Credentials",
2485
+ "type": "variant",
2486
+ "priority": 4
2487
+ }
2488
+ ]
2489
+ },
2490
+ {
2491
+ "id": "rf_hub",
2492
+ "name": "RF Hub",
2493
+ "type": "subcategory",
2494
+ "children": [
2495
+ {
2496
+ "id": "key_fob_cloning",
2497
+ "name": "Key Fob Cloning",
2498
+ "type": "variant",
2499
+ "priority": 1
2500
+ },
2501
+ {
2502
+ "id": "can_injection_interaction",
2503
+ "name": "CAN Injection / Interaction",
2504
+ "type": "variant",
2505
+ "priority": 2
2506
+ },
2507
+ {
2508
+ "id": "data_leakage_pull_encryption_mechanism",
2509
+ "name": "Data Leakage / Pull Encryption Mechanism",
2510
+ "type": "variant",
2511
+ "priority": 3
2512
+ },
2513
+ {
2514
+ "id": "unauthorized_access_turn_on",
2515
+ "name": "Unauthorized Access / Turn On",
2516
+ "type": "variant",
2517
+ "priority": 4
2518
+ },
2519
+ {
2520
+ "id": "roll_jam",
2521
+ "name": "Roll Jam",
2522
+ "type": "variant",
2523
+ "priority": 5
2524
+ },
2525
+ {
2526
+ "id": "replay",
2527
+ "name": "Replay",
2528
+ "type": "variant",
2529
+ "priority": 5
2530
+ },
2531
+ {
2532
+ "id": "relay",
2533
+ "name": "Relay",
2534
+ "type": "variant",
2535
+ "priority": 5
2536
+ }
2537
+ ]
2538
+ },
2539
+ {
2540
+ "id": "can",
2541
+ "name": "CAN",
2542
+ "type": "subcategory",
2543
+ "children": [
2544
+ {
2545
+ "id": "injection_battery_management_system",
2546
+ "name": "Injection (Battery Management System)",
2547
+ "type": "variant",
2548
+ "priority": 3
2549
+ },
2550
+ {
2551
+ "id": "injection_steering_control",
2552
+ "name": "Injection (Steering Control)",
2553
+ "type": "variant",
2554
+ "priority": 3
2555
+ },
2556
+ {
2557
+ "id": "injection_pyrotechnical_device_deployment_tool",
2558
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
2559
+ "type": "variant",
2560
+ "priority": 3
2561
+ },
2562
+ {
2563
+ "id": "injection_headlights",
2564
+ "name": "Injection (Headlights)",
2565
+ "type": "variant",
2566
+ "priority": 3
2567
+ },
2568
+ {
2569
+ "id": "injection_sensors",
2570
+ "name": "Injection (Sensors)",
2571
+ "type": "variant",
2572
+ "priority": 3
2573
+ },
2574
+ {
2575
+ "id": "injection_vehicle_anti_theft_systems",
2576
+ "name": "Injection (Vehicle Anti-theft Systems)",
2577
+ "type": "variant",
2578
+ "priority": 3
2579
+ },
2580
+ {
2581
+ "id": "injection_powertrain",
2582
+ "name": "Injection (Powertrain)",
2583
+ "type": "variant",
2584
+ "priority": 3
2585
+ },
2586
+ {
2587
+ "id": "injection_basic_safety_message",
2588
+ "name": "Injection (Basic Safety Message)",
2589
+ "type": "variant",
2590
+ "priority": 3
2591
+ },
2592
+ {
2593
+ "id": "injection_disallowed_messages",
2594
+ "name": "Injection (Disallowed Messages)",
2595
+ "type": "variant",
2596
+ "priority": 4
2597
+ },
2598
+ {
2599
+ "id": "injection_dos",
2600
+ "name": "Injection (DoS)",
2601
+ "type": "variant",
2602
+ "priority": 4
2603
+ }
2604
+ ]
2605
+ },
2606
+ {
2607
+ "id": "battery_management_system",
2608
+ "name": "Battery Management System",
2609
+ "type": "subcategory",
2610
+ "children": [
2611
+ {
2612
+ "id": "firmware_dump",
2613
+ "name": "Firmware Dump",
2614
+ "type": "variant",
2615
+ "priority": 3
2616
+ },
2617
+ {
2618
+ "id": "fraudulent_interface",
2619
+ "name": "Fraudulent Interface",
2620
+ "type": "variant",
2621
+ "priority": 4
2622
+ }
2623
+ ]
2624
+ },
2625
+ {
2626
+ "id": "gnss_gps",
2627
+ "name": "GNSS / GPS",
2628
+ "type": "subcategory",
2629
+ "children": [
2630
+ {
2631
+ "id": "spoofing",
2632
+ "name": "Spoofing",
2633
+ "type": "variant",
2634
+ "priority": 4
2635
+ }
2636
+ ]
2637
+ },
2638
+ {
2639
+ "id": "immobilizer",
2640
+ "name": "Immobilizer",
2641
+ "type": "subcategory",
2642
+ "children": [
2643
+ {
2644
+ "id": "engine_start",
2645
+ "name": "Engine Start",
2646
+ "type": "variant",
2647
+ "priority": 3
2648
+ }
2649
+ ]
2650
+ },
2651
+ {
2652
+ "id": "abs",
2653
+ "name": "Automatic Braking System (ABS)",
2654
+ "type": "subcategory",
2655
+ "children": [
2656
+ {
2657
+ "id": "unintended_acceleration_brake",
2658
+ "name": "Unintended Acceleration / Brake",
2659
+ "type": "variant",
2660
+ "priority": 3
2661
+ }
2662
+ ]
2663
+ },
2664
+ {
2665
+ "id": "rsu",
2666
+ "name": "Roadside Unit (RSU)",
2667
+ "type": "subcategory",
2668
+ "children": [
2669
+ {
2670
+ "id": "sybil_attack",
2671
+ "name": "Sybil Attack",
2672
+ "type": "variant",
2673
+ "priority": 4
2674
+ }
2675
+ ]
2676
+ }
2677
+ ]
2678
+ },
2679
+ {
2680
+ "id": "ai_application_security",
2681
+ "name": "AI Application Security",
2682
+ "type": "category",
2683
+ "children": [
2684
+ {
2685
+ "id": "llm_security",
2686
+ "name": "Large Language Model (LLM) Security",
2687
+ "type": "subcategory",
2688
+ "children": [
2689
+ {
2690
+ "id": "prompt_injection",
2691
+ "name": "Prompt Injection",
2692
+ "type": "variant",
2693
+ "priority": 1
2694
+ },
2695
+ {
2696
+ "id": "llm_output_handling",
2697
+ "name": "LLM Output Handling",
2698
+ "type": "variant",
2699
+ "priority": 1
2700
+ },
2701
+ {
2702
+ "id": "training_data_poisoning",
2703
+ "name": "Training Data Poisoning",
2704
+ "type": "variant",
2705
+ "priority": 1
2706
+ },
2707
+ {
2708
+ "id": "excessive_agency_permission_manipulation",
2709
+ "name": "Excessive Agency/Permission Manipulation",
2710
+ "type": "variant",
2711
+ "priority": 2
2712
+ }
2713
+ ]
2714
+ }
2715
+ ]
2716
+ },
2717
+ {
2718
+ "id": "indicators_of_compromise",
2719
+ "name": "Indicators of Compromise",
2720
+ "type": "category",
2721
+ "priority": null
2722
+ }
2723
+ ]
2724
+ }