vrt 0.13.2 → 0.13.3

@@ -0,0 +1,3052 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2025-02-12T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "ai_application_security",
8
+ "name": "AI Application Security",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "llm_security",
13
+ "name": "Large Language Model (LLM) Security",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "excessive_agency_permission_manipulation",
18
+ "name": "Excessive Agency/Permission Manipulation",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "llm_output_handling",
24
+ "name": "LLM Output Handling",
25
+ "type": "variant",
26
+ "priority": 1
27
+ },
28
+ {
29
+ "id": "prompt_injection",
30
+ "name": "Prompt Injection",
31
+ "type": "variant",
32
+ "priority": 1
33
+ },
34
+ {
35
+ "id": "training_data_poisoning",
36
+ "name": "Training Data Poisoning",
37
+ "type": "variant",
38
+ "priority": 1
39
+ }
40
+ ]
41
+ }
42
+ ]
43
+ },
44
+ {
45
+ "id": "algorithmic_biases",
46
+ "name": "Algorithmic Biases",
47
+ "type": "category",
48
+ "children": [
49
+ {
50
+ "id": "aggregation_bias",
51
+ "name": "Aggregation Bias",
52
+ "type": "subcategory",
53
+ "priority": null
54
+ },
55
+ {
56
+ "id": "processing_bias",
57
+ "name": "Processing Bias",
58
+ "type": "subcategory",
59
+ "priority": null
60
+ }
61
+ ]
62
+ },
63
+ {
64
+ "id": "application_level_denial_of_service_dos",
65
+ "name": "Application-Level Denial-of-Service (DoS)",
66
+ "type": "category",
67
+ "children": [
68
+ {
69
+ "id": "app_crash",
70
+ "name": "App Crash",
71
+ "type": "subcategory",
72
+ "children": [
73
+ {
74
+ "id": "malformed_android_intents",
75
+ "name": "Malformed Android Intents",
76
+ "type": "variant",
77
+ "priority": 5
78
+ },
79
+ {
80
+ "id": "malformed_ios_url_schemes",
81
+ "name": "Malformed iOS URL Schemes",
82
+ "type": "variant",
83
+ "priority": 5
84
+ }
85
+ ]
86
+ },
87
+ {
88
+ "id": "critical_impact_and_or_easy_difficulty",
89
+ "name": "Critical Impact and/or Easy Difficulty",
90
+ "type": "subcategory",
91
+ "priority": 2
92
+ },
93
+ {
94
+ "id": "excessive_resource_consumption",
95
+ "name": "Excessive Resource Consumption",
96
+ "type": "subcategory",
97
+ "children": [
98
+ {
99
+ "id": "injection_prompt",
100
+ "name": "Injection (Prompt)",
101
+ "type": "variant",
102
+ "priority": null
103
+ }
104
+ ]
105
+ },
106
+ {
107
+ "id": "high_impact_and_or_medium_difficulty",
108
+ "name": "High Impact and/or Medium Difficulty",
109
+ "type": "subcategory",
110
+ "priority": 3
111
+ }
112
+ ]
113
+ },
114
+ {
115
+ "id": "automotive_security_misconfiguration",
116
+ "name": "Automotive Security Misconfiguration",
117
+ "type": "category",
118
+ "children": [
119
+ {
120
+ "id": "abs",
121
+ "name": "Automatic Braking System (ABS)",
122
+ "type": "subcategory",
123
+ "children": [
124
+ {
125
+ "id": "unintended_acceleration_brake",
126
+ "name": "Unintended Acceleration / Brake",
127
+ "type": "variant",
128
+ "priority": 3
129
+ }
130
+ ]
131
+ },
132
+ {
133
+ "id": "battery_management_system",
134
+ "name": "Battery Management System",
135
+ "type": "subcategory",
136
+ "children": [
137
+ {
138
+ "id": "firmware_dump",
139
+ "name": "Firmware Dump",
140
+ "type": "variant",
141
+ "priority": 3
142
+ },
143
+ {
144
+ "id": "fraudulent_interface",
145
+ "name": "Fraudulent Interface",
146
+ "type": "variant",
147
+ "priority": 4
148
+ }
149
+ ]
150
+ },
151
+ {
152
+ "id": "can",
153
+ "name": "CAN",
154
+ "type": "subcategory",
155
+ "children": [
156
+ {
157
+ "id": "injection_basic_safety_message",
158
+ "name": "Injection (Basic Safety Message)",
159
+ "type": "variant",
160
+ "priority": 3
161
+ },
162
+ {
163
+ "id": "injection_battery_management_system",
164
+ "name": "Injection (Battery Management System)",
165
+ "type": "variant",
166
+ "priority": 3
167
+ },
168
+ {
169
+ "id": "injection_disallowed_messages",
170
+ "name": "Injection (Disallowed Messages)",
171
+ "type": "variant",
172
+ "priority": 4
173
+ },
174
+ {
175
+ "id": "injection_dos",
176
+ "name": "Injection (DoS)",
177
+ "type": "variant",
178
+ "priority": 4
179
+ },
180
+ {
181
+ "id": "injection_headlights",
182
+ "name": "Injection (Headlights)",
183
+ "type": "variant",
184
+ "priority": 3
185
+ },
186
+ {
187
+ "id": "injection_powertrain",
188
+ "name": "Injection (Powertrain)",
189
+ "type": "variant",
190
+ "priority": 3
191
+ },
192
+ {
193
+ "id": "injection_pyrotechnical_device_deployment_tool",
194
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
195
+ "type": "variant",
196
+ "priority": 3
197
+ },
198
+ {
199
+ "id": "injection_sensors",
200
+ "name": "Injection (Sensors)",
201
+ "type": "variant",
202
+ "priority": 3
203
+ },
204
+ {
205
+ "id": "injection_steering_control",
206
+ "name": "Injection (Steering Control)",
207
+ "type": "variant",
208
+ "priority": 3
209
+ },
210
+ {
211
+ "id": "injection_vehicle_anti_theft_systems",
212
+ "name": "Injection (Vehicle Anti-theft Systems)",
213
+ "type": "variant",
214
+ "priority": 3
215
+ }
216
+ ]
217
+ },
218
+ {
219
+ "id": "gnss_gps",
220
+ "name": "GNSS / GPS",
221
+ "type": "subcategory",
222
+ "children": [
223
+ {
224
+ "id": "spoofing",
225
+ "name": "Spoofing",
226
+ "type": "variant",
227
+ "priority": 4
228
+ }
229
+ ]
230
+ },
231
+ {
232
+ "id": "immobilizer",
233
+ "name": "Immobilizer",
234
+ "type": "subcategory",
235
+ "children": [
236
+ {
237
+ "id": "engine_start",
238
+ "name": "Engine Start",
239
+ "type": "variant",
240
+ "priority": 3
241
+ }
242
+ ]
243
+ },
244
+ {
245
+ "id": "infotainment_radio_head_unit",
246
+ "name": "Infotainment, Radio Head Unit",
247
+ "type": "subcategory",
248
+ "children": [
249
+ {
250
+ "id": "code_execution_can_bus_pivot",
251
+ "name": "Code Execution (CAN Bus Pivot)",
252
+ "type": "variant",
253
+ "priority": 2
254
+ },
255
+ {
256
+ "id": "code_execution_no_can_bus_pivot",
257
+ "name": "Code Execution (No CAN Bus Pivot)",
258
+ "type": "variant",
259
+ "priority": 3
260
+ },
261
+ {
262
+ "id": "default_credentials",
263
+ "name": "Default Credentials",
264
+ "type": "variant",
265
+ "priority": 4
266
+ },
267
+ {
268
+ "id": "dos_brick",
269
+ "name": "Denial of Service (DoS / Brick)",
270
+ "type": "variant",
271
+ "priority": 4
272
+ },
273
+ {
274
+ "id": "ota_firmware_manipulation",
275
+ "name": "OTA Firmware Manipulation",
276
+ "type": "variant",
277
+ "priority": 2
278
+ },
279
+ {
280
+ "id": "sensitive_data_leakage_exposure",
281
+ "name": "Sensitive data Leakage/Exposure",
282
+ "type": "variant",
283
+ "priority": 1
284
+ },
285
+ {
286
+ "id": "source_code_dump",
287
+ "name": "Source Code Dump",
288
+ "type": "variant",
289
+ "priority": 4
290
+ },
291
+ {
292
+ "id": "unauthorized_access_to_services",
293
+ "name": "Unauthorized Access to Services (API / Endpoints)",
294
+ "type": "variant",
295
+ "priority": 3
296
+ }
297
+ ]
298
+ },
299
+ {
300
+ "id": "rf_hub",
301
+ "name": "RF Hub",
302
+ "type": "subcategory",
303
+ "children": [
304
+ {
305
+ "id": "can_injection_interaction",
306
+ "name": "CAN Injection / Interaction",
307
+ "type": "variant",
308
+ "priority": 2
309
+ },
310
+ {
311
+ "id": "data_leakage_pull_encryption_mechanism",
312
+ "name": "Data Leakage / Pull Encryption Mechanism",
313
+ "type": "variant",
314
+ "priority": 3
315
+ },
316
+ {
317
+ "id": "key_fob_cloning",
318
+ "name": "Key Fob Cloning",
319
+ "type": "variant",
320
+ "priority": 1
321
+ },
322
+ {
323
+ "id": "relay",
324
+ "name": "Relay",
325
+ "type": "variant",
326
+ "priority": 5
327
+ },
328
+ {
329
+ "id": "replay",
330
+ "name": "Replay",
331
+ "type": "variant",
332
+ "priority": 5
333
+ },
334
+ {
335
+ "id": "roll_jam",
336
+ "name": "Roll Jam",
337
+ "type": "variant",
338
+ "priority": 5
339
+ },
340
+ {
341
+ "id": "unauthorized_access_turn_on",
342
+ "name": "Unauthorized Access / Turn On",
343
+ "type": "variant",
344
+ "priority": 4
345
+ }
346
+ ]
347
+ },
348
+ {
349
+ "id": "rsu",
350
+ "name": "Roadside Unit (RSU)",
351
+ "type": "subcategory",
352
+ "children": [
353
+ {
354
+ "id": "sybil_attack",
355
+ "name": "Sybil Attack",
356
+ "type": "variant",
357
+ "priority": 4
358
+ }
359
+ ]
360
+ }
361
+ ]
362
+ },
363
+ {
364
+ "id": "blockchain_infrastructure_misconfiguration",
365
+ "name": "Blockchain Infrastructure Misconfiguration",
366
+ "type": "category",
367
+ "children": [
368
+ {
369
+ "id": "improper_bridge_validation_and_verification_logic",
370
+ "name": "Improper Bridge Validation and Verification Logic",
371
+ "type": "subcategory",
372
+ "priority": null
373
+ }
374
+ ]
375
+ },
376
+ {
377
+ "id": "broken_access_control",
378
+ "name": "Broken Access Control (BAC)",
379
+ "type": "category",
380
+ "children": [
381
+ {
382
+ "id": "exposed_sensitive_android_intent",
383
+ "name": "Exposed Sensitive Android Intent",
384
+ "type": "subcategory",
385
+ "priority": null
386
+ },
387
+ {
388
+ "id": "exposed_sensitive_ios_url_scheme",
389
+ "name": "Exposed Sensitive iOS URL Scheme",
390
+ "type": "subcategory",
391
+ "priority": null
392
+ },
393
+ {
394
+ "id": "idor",
395
+ "name": "Insecure Direct Object References (IDOR)",
396
+ "type": "subcategory",
397
+ "children": [
398
+ {
399
+ "id": "modify_sensitive_information_iterable_object_identifiers",
400
+ "name": "Modify Sensitive Information(Iterable Object Identifiers)",
401
+ "type": "variant",
402
+ "priority": 2
403
+ },
404
+ {
405
+ "id": "modify_view_sensitive_information_guid",
406
+ "name": "Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID)",
407
+ "type": "variant",
408
+ "priority": 4
409
+ },
410
+ {
411
+ "id": "modify_view_sensitive_information_iterable_object_identifiers",
412
+ "name": "Modify/View Sensitive Information(Iterable Object Identifiers)",
413
+ "type": "variant",
414
+ "priority": 1
415
+ },
416
+ {
417
+ "id": "view_non_sensitive_information",
418
+ "name": "View Non-Sensitive Information",
419
+ "type": "variant",
420
+ "priority": 5
421
+ },
422
+ {
423
+ "id": "view_sensitive_information_iterable_object_identifiers",
424
+ "name": "View Sensitive Information(Iterable Object Identifiers)",
425
+ "type": "variant",
426
+ "priority": 3
427
+ }
428
+ ]
429
+ },
430
+ {
431
+ "id": "privilege_escalation",
432
+ "name": "Privilege Escalation",
433
+ "type": "subcategory",
434
+ "priority": null
435
+ },
436
+ {
437
+ "id": "username_enumeration",
438
+ "name": "Username/Email Enumeration",
439
+ "type": "subcategory",
440
+ "children": [
441
+ {
442
+ "id": "non_brute_force",
443
+ "name": "Non-Brute Force",
444
+ "type": "variant",
445
+ "priority": 4
446
+ }
447
+ ]
448
+ }
449
+ ]
450
+ },
451
+ {
452
+ "id": "broken_authentication_and_session_management",
453
+ "name": "Broken Authentication and Session Management",
454
+ "type": "category",
455
+ "children": [
456
+ {
457
+ "id": "authentication_bypass",
458
+ "name": "Authentication Bypass",
459
+ "type": "subcategory",
460
+ "priority": 1
461
+ },
462
+ {
463
+ "id": "cleartext_transmission_of_session_token",
464
+ "name": "Cleartext Transmission of Session Token",
465
+ "type": "subcategory",
466
+ "priority": 4
467
+ },
468
+ {
469
+ "id": "concurrent_logins",
470
+ "name": "Concurrent Logins",
471
+ "type": "subcategory",
472
+ "priority": 5
473
+ },
474
+ {
475
+ "id": "failure_to_invalidate_session",
476
+ "name": "Failure to Invalidate Session",
477
+ "type": "subcategory",
478
+ "children": [
479
+ {
480
+ "id": "all_sessions",
481
+ "name": "Concurrent Sessions On Logout",
482
+ "type": "variant",
483
+ "priority": 5
484
+ },
485
+ {
486
+ "id": "long_timeout",
487
+ "name": "Long Timeout",
488
+ "type": "variant",
489
+ "priority": 5
490
+ },
491
+ {
492
+ "id": "on_email_change",
493
+ "name": "On Email Change",
494
+ "type": "variant",
495
+ "priority": 5
496
+ },
497
+ {
498
+ "id": "on_logout",
499
+ "name": "On Logout (Client and Server-Side)",
500
+ "type": "variant",
501
+ "priority": 4
502
+ },
503
+ {
504
+ "id": "on_logout_server_side_only",
505
+ "name": "On Logout (Server-Side Only)",
506
+ "type": "variant",
507
+ "priority": 5
508
+ },
509
+ {
510
+ "id": "on_password_change",
511
+ "name": "On Password Reset and/or Change",
512
+ "type": "variant",
513
+ "priority": 4
514
+ },
515
+ {
516
+ "id": "on_two_fa_activation_change",
517
+ "name": "On 2FA Activation/Change",
518
+ "type": "variant",
519
+ "priority": 5
520
+ },
521
+ {
522
+ "id": "permission_change",
523
+ "name": "On Permission Change",
524
+ "type": "variant",
525
+ "priority": null
526
+ }
527
+ ]
528
+ },
529
+ {
530
+ "id": "saml_replay",
531
+ "name": "SAML Replay",
532
+ "type": "subcategory",
533
+ "priority": 5
534
+ },
535
+ {
536
+ "id": "session_fixation",
537
+ "name": "Session Fixation",
538
+ "type": "subcategory",
539
+ "children": [
540
+ {
541
+ "id": "local_attack_vector",
542
+ "name": "Local Attack Vector",
543
+ "type": "variant",
544
+ "priority": 5
545
+ },
546
+ {
547
+ "id": "remote_attack_vector",
548
+ "name": "Remote Attack Vector",
549
+ "type": "variant",
550
+ "priority": 3
551
+ }
552
+ ]
553
+ },
554
+ {
555
+ "id": "two_fa_bypass",
556
+ "name": "Second Factor Authentication (2FA) Bypass",
557
+ "type": "subcategory",
558
+ "priority": 3
559
+ },
560
+ {
561
+ "id": "weak_login_function",
562
+ "name": "Weak Login Function",
563
+ "type": "subcategory",
564
+ "children": [
565
+ {
566
+ "id": "not_operational",
567
+ "name": "Not Operational or Intended Public Access",
568
+ "type": "variant",
569
+ "priority": 5
570
+ },
571
+ {
572
+ "id": "other_plaintext_protocol_no_secure_alternative",
573
+ "name": "Other Plaintext Protocol with no Secure Alternative",
574
+ "type": "variant",
575
+ "priority": 4
576
+ },
577
+ {
578
+ "id": "over_http",
579
+ "name": "Over HTTP",
580
+ "type": "variant",
581
+ "priority": 4
582
+ }
583
+ ]
584
+ },
585
+ {
586
+ "id": "weak_registration_implementation",
587
+ "name": "Weak Registration Implementation",
588
+ "type": "subcategory",
589
+ "children": [
590
+ {
591
+ "id": "over_http",
592
+ "name": "Over HTTP",
593
+ "type": "variant",
594
+ "priority": 4
595
+ }
596
+ ]
597
+ }
598
+ ]
599
+ },
600
+ {
601
+ "id": "client_side_injection",
602
+ "name": "Client-Side Injection",
603
+ "type": "category",
604
+ "children": [
605
+ {
606
+ "id": "binary_planting",
607
+ "name": "Binary Planting",
608
+ "type": "subcategory",
609
+ "children": [
610
+ {
611
+ "id": "no_privilege_escalation",
612
+ "name": "No Privilege Escalation",
613
+ "type": "variant",
614
+ "priority": 5
615
+ },
616
+ {
617
+ "id": "non_default_folder_privilege_escalation",
618
+ "name": "Non-Default Folder Privilege Escalation",
619
+ "type": "variant",
620
+ "priority": 5
621
+ },
622
+ {
623
+ "id": "privilege_escalation",
624
+ "name": "Default Folder Privilege Escalation",
625
+ "type": "variant",
626
+ "priority": 3
627
+ }
628
+ ]
629
+ }
630
+ ]
631
+ },
632
+ {
633
+ "id": "cross_site_request_forgery_csrf",
634
+ "name": "Cross-Site Request Forgery (CSRF)",
635
+ "type": "category",
636
+ "children": [
637
+ {
638
+ "id": "action_specific",
639
+ "name": "Action-Specific",
640
+ "type": "subcategory",
641
+ "children": [
642
+ {
643
+ "id": "authenticated_action",
644
+ "name": "Authenticated Action",
645
+ "type": "variant",
646
+ "priority": null
647
+ },
648
+ {
649
+ "id": "logout",
650
+ "name": "Logout",
651
+ "type": "variant",
652
+ "priority": 5
653
+ },
654
+ {
655
+ "id": "unauthenticated_action",
656
+ "name": "Unauthenticated Action",
657
+ "type": "variant",
658
+ "priority": null
659
+ }
660
+ ]
661
+ },
662
+ {
663
+ "id": "application_wide",
664
+ "name": "Application-Wide",
665
+ "type": "subcategory",
666
+ "priority": 2
667
+ },
668
+ {
669
+ "id": "csrf_token_not_unique_per_request",
670
+ "name": "CSRF Token Not Unique Per Request",
671
+ "type": "subcategory",
672
+ "priority": 5
673
+ },
674
+ {
675
+ "id": "flash_based",
676
+ "name": "Flash-Based",
677
+ "type": "subcategory",
678
+ "priority": 5
679
+ }
680
+ ]
681
+ },
682
+ {
683
+ "id": "cross_site_scripting_xss",
684
+ "name": "Cross-Site Scripting (XSS)",
685
+ "type": "category",
686
+ "children": [
687
+ {
688
+ "id": "cookie_based",
689
+ "name": "Cookie-Based",
690
+ "type": "subcategory",
691
+ "priority": 5
692
+ },
693
+ {
694
+ "id": "flash_based",
695
+ "name": "Flash-Based",
696
+ "type": "subcategory",
697
+ "priority": 5
698
+ },
699
+ {
700
+ "id": "ie_only",
701
+ "name": "IE-Only",
702
+ "type": "subcategory",
703
+ "priority": 5
704
+ },
705
+ {
706
+ "id": "off_domain",
707
+ "name": "Off-Domain",
708
+ "type": "subcategory",
709
+ "children": [
710
+ {
711
+ "id": "data_uri",
712
+ "name": "Data URI",
713
+ "type": "variant",
714
+ "priority": 4
715
+ }
716
+ ]
717
+ },
718
+ {
719
+ "id": "referer",
720
+ "name": "Referer",
721
+ "type": "subcategory",
722
+ "priority": 4
723
+ },
724
+ {
725
+ "id": "reflected",
726
+ "name": "Reflected",
727
+ "type": "subcategory",
728
+ "children": [
729
+ {
730
+ "id": "non_self",
731
+ "name": "Non-Self",
732
+ "type": "variant",
733
+ "priority": 3
734
+ },
735
+ {
736
+ "id": "self",
737
+ "name": "Self",
738
+ "type": "variant",
739
+ "priority": 5
740
+ }
741
+ ]
742
+ },
743
+ {
744
+ "id": "stored",
745
+ "name": "Stored",
746
+ "type": "subcategory",
747
+ "children": [
748
+ {
749
+ "id": "non_admin_to_anyone",
750
+ "name": "Non-Privileged User to Anyone",
751
+ "type": "variant",
752
+ "priority": 2
753
+ },
754
+ {
755
+ "id": "privileged_user_to_no_privilege_elevation",
756
+ "name": "Privileged User to No Privilege Elevation",
757
+ "type": "variant",
758
+ "priority": 4
759
+ },
760
+ {
761
+ "id": "privileged_user_to_privilege_elevation",
762
+ "name": "Privileged User to Privilege Elevation",
763
+ "type": "variant",
764
+ "priority": 3
765
+ },
766
+ {
767
+ "id": "self",
768
+ "name": "Self",
769
+ "type": "variant",
770
+ "priority": 5
771
+ },
772
+ {
773
+ "id": "url_based",
774
+ "name": "CSRF/URL-Based",
775
+ "type": "variant",
776
+ "priority": 3
777
+ }
778
+ ]
779
+ },
780
+ {
781
+ "id": "trace_method",
782
+ "name": "TRACE Method",
783
+ "type": "subcategory",
784
+ "priority": 5
785
+ },
786
+ {
787
+ "id": "universal_uxss",
788
+ "name": "Universal (UXSS)",
789
+ "type": "subcategory",
790
+ "priority": 4
791
+ }
792
+ ]
793
+ },
794
+ {
795
+ "id": "cryptographic_weakness",
796
+ "name": "Cryptographic Weakness",
797
+ "type": "category",
798
+ "children": [
799
+ {
800
+ "id": "broken_cryptography",
801
+ "name": "Broken Cryptography",
802
+ "type": "subcategory",
803
+ "children": [
804
+ {
805
+ "id": "use_of_broken_cryptographic_primitive",
806
+ "name": "Use of Broken Cryptographic Primitive",
807
+ "type": "variant",
808
+ "priority": 3
809
+ },
810
+ {
811
+ "id": "use_of_vulnerable_cryptographic_library",
812
+ "name": "Use of Vulnerable Cryptographic Library",
813
+ "type": "variant",
814
+ "priority": 4
815
+ }
816
+ ]
817
+ },
818
+ {
819
+ "id": "incomplete_cleanup_of_keying_material",
820
+ "name": "Incomplete Cleanup of Keying Material",
821
+ "type": "subcategory",
822
+ "priority": 5
823
+ },
824
+ {
825
+ "id": "insecure_implementation",
826
+ "name": "Insecure Implementation",
827
+ "type": "subcategory",
828
+ "children": [
829
+ {
830
+ "id": "improper_following_of_specification",
831
+ "name": "Improper Following of Specification (Other)",
832
+ "type": "variant",
833
+ "priority": null
834
+ },
835
+ {
836
+ "id": "missing_cryptographic_step",
837
+ "name": "Missing Cryptographic Step",
838
+ "type": "variant",
839
+ "priority": null
840
+ }
841
+ ]
842
+ },
843
+ {
844
+ "id": "insecure_key_generation",
845
+ "name": "Insecure Key Generation",
846
+ "type": "subcategory",
847
+ "children": [
848
+ {
849
+ "id": "improper_asymmetric_exponent_selection",
850
+ "name": "Improper Asymmetric Exponent Selection",
851
+ "type": "variant",
852
+ "priority": null
853
+ },
854
+ {
855
+ "id": "improper_asymmetric_prime_selection",
856
+ "name": "Improper Asymmetric Prime Selection",
857
+ "type": "variant",
858
+ "priority": null
859
+ },
860
+ {
861
+ "id": "insufficient_key_space",
862
+ "name": "Insufficient Key Space",
863
+ "type": "variant",
864
+ "priority": 3
865
+ },
866
+ {
867
+ "id": "insufficient_key_stretching",
868
+ "name": "Insufficient Key Stretching",
869
+ "type": "variant",
870
+ "priority": null
871
+ },
872
+ {
873
+ "id": "key_exchange_without_entity_authentication",
874
+ "name": "Key Exchage Without Entity Authentication",
875
+ "type": "variant",
876
+ "priority": 4
877
+ }
878
+ ]
879
+ },
880
+ {
881
+ "id": "insufficient_entropy",
882
+ "name": "Insufficient Entropy",
883
+ "type": "subcategory",
884
+ "children": [
885
+ {
886
+ "id": "initialization_vector_reuse",
887
+ "name": "Initialization Vector (IV) Reuse",
888
+ "type": "variant",
889
+ "priority": 5
890
+ },
891
+ {
892
+ "id": "limited_rng_entropy_source",
893
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
894
+ "type": "variant",
895
+ "priority": 4
896
+ },
897
+ {
898
+ "id": "predictable_initialization_vector",
899
+ "name": "Predictable Initialization Vector (IV)",
900
+ "type": "variant",
901
+ "priority": 4
902
+ },
903
+ {
904
+ "id": "predictable_prng_seed",
905
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
906
+ "type": "variant",
907
+ "priority": 4
908
+ },
909
+ {
910
+ "id": "prng_seed_reuse",
911
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
912
+ "type": "variant",
913
+ "priority": 5
914
+ },
915
+ {
916
+ "id": "small_seed_space_in_prng",
917
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
918
+ "type": "variant",
919
+ "priority": 4
920
+ },
921
+ {
922
+ "id": "use_of_trng_for_nonsecurity_purpose",
923
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
924
+ "type": "variant",
925
+ "priority": 5
926
+ }
927
+ ]
928
+ },
929
+ {
930
+ "id": "insufficient_verification_of_data_authenticity",
931
+ "name": "Insufficient Verification of Data Authenticity",
932
+ "type": "subcategory",
933
+ "children": [
934
+ {
935
+ "id": "cryptographic_signature",
936
+ "name": "Cryptographic Signature",
937
+ "type": "variant",
938
+ "priority": null
939
+ },
940
+ {
941
+ "id": "identity_check_value",
942
+ "name": "Integrity Check Value (ICV)",
943
+ "type": "variant",
944
+ "priority": 4
945
+ }
946
+ ]
947
+ },
948
+ {
949
+ "id": "key_reuse",
950
+ "name": "Key Reuse",
951
+ "type": "subcategory",
952
+ "children": [
953
+ {
954
+ "id": "inter_environment",
955
+ "name": "Inter-Environment",
956
+ "type": "variant",
957
+ "priority": 2
958
+ },
959
+ {
960
+ "id": "intra_environment",
961
+ "name": "Intra-Environment",
962
+ "type": "variant",
963
+ "priority": 5
964
+ },
965
+ {
966
+ "id": "lack_of_perfect_forward_secrecy",
967
+ "name": "Lack of Perfect Forward Secrecy",
968
+ "type": "variant",
969
+ "priority": 4
970
+ }
971
+ ]
972
+ },
973
+ {
974
+ "id": "side_channel_attack",
975
+ "name": "Side-Channel Attack",
976
+ "type": "subcategory",
977
+ "children": [
978
+ {
979
+ "id": "differential_fault_analysis",
980
+ "name": "Differential Fault Analysis",
981
+ "type": "variant",
982
+ "priority": null
983
+ },
984
+ {
985
+ "id": "emanations_attack",
986
+ "name": "Emanations Attack",
987
+ "type": "variant",
988
+ "priority": 5
989
+ },
990
+ {
991
+ "id": "padding_oracle_attack",
992
+ "name": "Padding Oracle Attack",
993
+ "type": "variant",
994
+ "priority": 4
995
+ },
996
+ {
997
+ "id": "power_analysis_attack",
998
+ "name": "Power Analysis Attack",
999
+ "type": "variant",
1000
+ "priority": 5
1001
+ },
1002
+ {
1003
+ "id": "timing_attack",
1004
+ "name": "Timing Attack",
1005
+ "type": "variant",
1006
+ "priority": 4
1007
+ }
1008
+ ]
1009
+ },
1010
+ {
1011
+ "id": "use_of_expired_cryptographic_key_or_cert",
1012
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
1013
+ "type": "subcategory",
1014
+ "priority": 4
1015
+ },
1016
+ {
1017
+ "id": "weak_hash",
1018
+ "name": "Weak Hash",
1019
+ "type": "subcategory",
1020
+ "children": [
1021
+ {
1022
+ "id": "lack_of_salt",
1023
+ "name": "Lack of Salt",
1024
+ "type": "variant",
1025
+ "priority": null
1026
+ },
1027
+ {
1028
+ "id": "predictable_hash_collision",
1029
+ "name": "Predictable Hash Collision",
1030
+ "type": "variant",
1031
+ "priority": null
1032
+ },
1033
+ {
1034
+ "id": "use_of_predictable_salt",
1035
+ "name": "Use of Predictable Salt",
1036
+ "type": "variant",
1037
+ "priority": 5
1038
+ }
1039
+ ]
1040
+ }
1041
+ ]
1042
+ },
1043
+ {
1044
+ "id": "data_biases",
1045
+ "name": "Data Biases",
1046
+ "type": "category",
1047
+ "children": [
1048
+ {
1049
+ "id": "pre_existing_bias",
1050
+ "name": "Pre-existing Bias",
1051
+ "type": "subcategory",
1052
+ "priority": null
1053
+ },
1054
+ {
1055
+ "id": "representation_bias",
1056
+ "name": "Representation Bias",
1057
+ "type": "subcategory",
1058
+ "priority": null
1059
+ }
1060
+ ]
1061
+ },
1062
+ {
1063
+ "id": "decentralized_application_misconfiguration",
1064
+ "name": "Decentralized Application Misconfiguration",
1065
+ "type": "category",
1066
+ "children": [
1067
+ {
1068
+ "id": "defi_security",
1069
+ "name": "DeFi Security",
1070
+ "type": "subcategory",
1071
+ "children": [
1072
+ {
1073
+ "id": "flash_loan_attack",
1074
+ "name": "Flash Loan Attack",
1075
+ "type": "variant",
1076
+ "priority": null
1077
+ },
1078
+ {
1079
+ "id": "function_level_accounting_error",
1080
+ "name": "Function-Level Accounting Error",
1081
+ "type": "variant",
1082
+ "priority": null
1083
+ },
1084
+ {
1085
+ "id": "improper_implementation_of_governance",
1086
+ "name": "Improper Implementation of Governance",
1087
+ "type": "variant",
1088
+ "priority": null
1089
+ },
1090
+ {
1091
+ "id": "pricing_oracle_manipulation",
1092
+ "name": "Pricing Oracle Manipulation",
1093
+ "type": "variant",
1094
+ "priority": null
1095
+ }
1096
+ ]
1097
+ },
1098
+ {
1099
+ "id": "improper_authorization",
1100
+ "name": "Improper Authorization",
1101
+ "type": "subcategory",
1102
+ "children": [
1103
+ {
1104
+ "id": "insufficient_signature_validation",
1105
+ "name": "Insufficient Signature Validation",
1106
+ "type": "variant",
1107
+ "priority": null
1108
+ }
1109
+ ]
1110
+ },
1111
+ {
1112
+ "id": "insecure_data_storage",
1113
+ "name": "Insecure Data Storage",
1114
+ "type": "subcategory",
1115
+ "children": [
1116
+ {
1117
+ "id": "plaintext_private_key",
1118
+ "name": "Plaintext Private Key",
1119
+ "type": "variant",
1120
+ "priority": 1
1121
+ },
1122
+ {
1123
+ "id": "sensitive_information_exposure",
1124
+ "name": "Sensitive Information Exposure",
1125
+ "type": "variant",
1126
+ "priority": null
1127
+ }
1128
+ ]
1129
+ },
1130
+ {
1131
+ "id": "marketplace_security",
1132
+ "name": "Marketplace Security",
1133
+ "type": "subcategory",
1134
+ "children": [
1135
+ {
1136
+ "id": "denial_of_service",
1137
+ "name": "Denial of Service",
1138
+ "type": "variant",
1139
+ "priority": null
1140
+ },
1141
+ {
1142
+ "id": "improper_validation_and_checks_for_deposits_and_withdrawals",
1143
+ "name": "Improper Validation and Checks For Deposits and Withdrawals",
1144
+ "type": "variant",
1145
+ "priority": null
1146
+ },
1147
+ {
1148
+ "id": "malicious_order_offer",
1149
+ "name": "Malicious Order Offer",
1150
+ "type": "variant",
1151
+ "priority": 2
1152
+ },
1153
+ {
1154
+ "id": "miscalculated_accounting_logic",
1155
+ "name": "Miscalculated Accounting Logic",
1156
+ "type": "variant",
1157
+ "priority": null
1158
+ },
1159
+ {
1160
+ "id": "ofac_bypass",
1161
+ "name": "OFAC Bypass",
1162
+ "type": "variant",
1163
+ "priority": 3
1164
+ },
1165
+ {
1166
+ "id": "orderbook_manipulation",
1167
+ "name": "Orderbook Manipulation",
1168
+ "type": "variant",
1169
+ "priority": 1
1170
+ },
1171
+ {
1172
+ "id": "price_or_fee_manipulation",
1173
+ "name": "Price or Fee Manipulation",
1174
+ "type": "variant",
1175
+ "priority": 2
1176
+ },
1177
+ {
1178
+ "id": "signer_account_takeover",
1179
+ "name": "Signer Account Takeover",
1180
+ "type": "variant",
1181
+ "priority": 1
1182
+ },
1183
+ {
1184
+ "id": "unauthorized_asset_transfer",
1185
+ "name": "Unauthorized Asset Transfer",
1186
+ "type": "variant",
1187
+ "priority": 1
1188
+ }
1189
+ ]
1190
+ },
1191
+ {
1192
+ "id": "protocol_security_misconfiguration",
1193
+ "name": "Protocol Security Misconfiguration",
1194
+ "type": "subcategory",
1195
+ "children": [
1196
+ {
1197
+ "id": "node_level_denial_of_service",
1198
+ "name": "Node-level Denial of Service",
1199
+ "type": "variant",
1200
+ "priority": 1
1201
+ }
1202
+ ]
1203
+ }
1204
+ ]
1205
+ },
1206
+ {
1207
+ "id": "developer_biases",
1208
+ "name": "Developer Biases",
1209
+ "type": "category",
1210
+ "children": [
1211
+ {
1212
+ "id": "implicit_bias",
1213
+ "name": "Implicit Bias",
1214
+ "type": "subcategory",
1215
+ "priority": null
1216
+ }
1217
+ ]
1218
+ },
1219
+ {
1220
+ "id": "external_behavior",
1221
+ "name": "External Behavior",
1222
+ "type": "category",
1223
+ "children": [
1224
+ {
1225
+ "id": "browser_feature",
1226
+ "name": "Browser Feature",
1227
+ "type": "subcategory",
1228
+ "children": [
1229
+ {
1230
+ "id": "aggressive_offline_caching",
1231
+ "name": "Aggressive Offline Caching",
1232
+ "type": "variant",
1233
+ "priority": 5
1234
+ },
1235
+ {
1236
+ "id": "autocomplete_enabled",
1237
+ "name": "Autocomplete Enabled",
1238
+ "type": "variant",
1239
+ "priority": 5
1240
+ },
1241
+ {
1242
+ "id": "autocorrect_enabled",
1243
+ "name": "Autocorrect Enabled",
1244
+ "type": "variant",
1245
+ "priority": 5
1246
+ },
1247
+ {
1248
+ "id": "plaintext_password_field",
1249
+ "name": "Plaintext Password Field",
1250
+ "type": "variant",
1251
+ "priority": 5
1252
+ },
1253
+ {
1254
+ "id": "save_password",
1255
+ "name": "Save Password",
1256
+ "type": "variant",
1257
+ "priority": 5
1258
+ }
1259
+ ]
1260
+ },
1261
+ {
1262
+ "id": "captcha_bypass",
1263
+ "name": "Captcha Bypass",
1264
+ "type": "subcategory",
1265
+ "children": [
1266
+ {
1267
+ "id": "crowdsourcing",
1268
+ "name": "Crowdsourcing",
1269
+ "type": "variant",
1270
+ "priority": 5
1271
+ }
1272
+ ]
1273
+ },
1274
+ {
1275
+ "id": "csv_injection",
1276
+ "name": "CSV Injection",
1277
+ "type": "subcategory",
1278
+ "priority": 5
1279
+ },
1280
+ {
1281
+ "id": "system_clipboard_leak",
1282
+ "name": "System Clipboard Leak",
1283
+ "type": "subcategory",
1284
+ "children": [
1285
+ {
1286
+ "id": "shared_links",
1287
+ "name": "Shared Links",
1288
+ "type": "variant",
1289
+ "priority": 5
1290
+ }
1291
+ ]
1292
+ },
1293
+ {
1294
+ "id": "user_password_persisted_in_memory",
1295
+ "name": "User Password Persisted in Memory",
1296
+ "type": "subcategory",
1297
+ "priority": 5
1298
+ }
1299
+ ]
1300
+ },
1301
+ {
1302
+ "id": "indicators_of_compromise",
1303
+ "name": "Indicators of Compromise",
1304
+ "type": "category",
1305
+ "priority": null
1306
+ },
1307
+ {
1308
+ "id": "insecure_data_storage",
1309
+ "name": "Insecure Data Storage",
1310
+ "type": "category",
1311
+ "children": [
1312
+ {
1313
+ "id": "non_sensitive_application_data_stored_unencrypted",
1314
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1315
+ "type": "subcategory",
1316
+ "priority": 5
1317
+ },
1318
+ {
1319
+ "id": "screen_caching_enabled",
1320
+ "name": "Screen Caching Enabled",
1321
+ "type": "subcategory",
1322
+ "priority": 5
1323
+ },
1324
+ {
1325
+ "id": "sensitive_application_data_stored_unencrypted",
1326
+ "name": "Sensitive Application Data Stored Unencrypted",
1327
+ "type": "subcategory",
1328
+ "children": [
1329
+ {
1330
+ "id": "on_external_storage",
1331
+ "name": "On External Storage",
1332
+ "type": "variant",
1333
+ "priority": 4
1334
+ },
1335
+ {
1336
+ "id": "on_internal_storage",
1337
+ "name": "On Internal Storage",
1338
+ "type": "variant",
1339
+ "priority": 5
1340
+ }
1341
+ ]
1342
+ },
1343
+ {
1344
+ "id": "server_side_credentials_storage",
1345
+ "name": "Server-Side Credentials Storage",
1346
+ "type": "subcategory",
1347
+ "children": [
1348
+ {
1349
+ "id": "plaintext",
1350
+ "name": "Plaintext",
1351
+ "type": "variant",
1352
+ "priority": 4
1353
+ }
1354
+ ]
1355
+ }
1356
+ ]
1357
+ },
1358
+ {
1359
+ "id": "insecure_data_transport",
1360
+ "name": "Insecure Data Transport",
1361
+ "type": "category",
1362
+ "children": [
1363
+ {
1364
+ "id": "cleartext_transmission_of_sensitive_data",
1365
+ "name": "Cleartext Transmission of Sensitive Data",
1366
+ "type": "subcategory",
1367
+ "priority": null
1368
+ },
1369
+ {
1370
+ "id": "executable_download",
1371
+ "name": "Executable Download",
1372
+ "type": "subcategory",
1373
+ "children": [
1374
+ {
1375
+ "id": "no_secure_integrity_check",
1376
+ "name": "No Secure Integrity Check",
1377
+ "type": "variant",
1378
+ "priority": 4
1379
+ },
1380
+ {
1381
+ "id": "secure_integrity_check",
1382
+ "name": "Secure Integrity Check",
1383
+ "type": "variant",
1384
+ "priority": 5
1385
+ }
1386
+ ]
1387
+ }
1388
+ ]
1389
+ },
1390
+ {
1391
+ "id": "insecure_os_firmware",
1392
+ "name": "Insecure OS/Firmware",
1393
+ "type": "category",
1394
+ "children": [
1395
+ {
1396
+ "id": "command_injection",
1397
+ "name": "Command Injection",
1398
+ "type": "subcategory",
1399
+ "priority": 1
1400
+ },
1401
+ {
1402
+ "id": "data_not_encrypted_at_rest",
1403
+ "name": "Data not encrypted at rest",
1404
+ "type": "subcategory",
1405
+ "children": [
1406
+ {
1407
+ "id": "non_sensitive",
1408
+ "name": "Non sensitive",
1409
+ "type": "variant",
1410
+ "priority": 5
1411
+ },
1412
+ {
1413
+ "id": "sensitive",
1414
+ "name": "Sensitive",
1415
+ "type": "variant",
1416
+ "priority": null
1417
+ }
1418
+ ]
1419
+ },
1420
+ {
1421
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
1422
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
1423
+ "type": "subcategory",
1424
+ "priority": null
1425
+ },
1426
+ {
1427
+ "id": "hardcoded_password",
1428
+ "name": "Hardcoded Password",
1429
+ "type": "subcategory",
1430
+ "children": [
1431
+ {
1432
+ "id": "non_privileged_user",
1433
+ "name": "Non-Privileged User",
1434
+ "type": "variant",
1435
+ "priority": 2
1436
+ },
1437
+ {
1438
+ "id": "privileged_user",
1439
+ "name": "Privileged User",
1440
+ "type": "variant",
1441
+ "priority": 1
1442
+ }
1443
+ ]
1444
+ },
1445
+ {
1446
+ "id": "kiosk_escape_or_breakout",
1447
+ "name": "Kiosk Escape or Breakout",
1448
+ "type": "subcategory",
1449
+ "priority": null
1450
+ },
1451
+ {
1452
+ "id": "local_administrator_on_default_environment",
1453
+ "name": "Local Administrator on default environment",
1454
+ "type": "subcategory",
1455
+ "priority": 2
1456
+ },
1457
+ {
1458
+ "id": "over_permissioned_credentials_on_storage",
1459
+ "name": "Over-Permissioned Credentials on Storage",
1460
+ "type": "subcategory",
1461
+ "priority": 2
1462
+ },
1463
+ {
1464
+ "id": "poorly_configured_disk_encryption",
1465
+ "name": "Poorly Configured Disk Encryption",
1466
+ "type": "subcategory",
1467
+ "priority": null
1468
+ },
1469
+ {
1470
+ "id": "poorly_configured_operating_system_security",
1471
+ "name": "Poorly Configured Operating System Security",
1472
+ "type": "subcategory",
1473
+ "priority": null
1474
+ },
1475
+ {
1476
+ "id": "recovery_of_disk_contains_sensitive_material",
1477
+ "name": "Recovery of Disk Contains Sensitive Material",
1478
+ "type": "subcategory",
1479
+ "priority": null
1480
+ },
1481
+ {
1482
+ "id": "shared_credentials_on_storage",
1483
+ "name": "Shared Credentials on Storage",
1484
+ "type": "subcategory",
1485
+ "priority": 3
1486
+ },
1487
+ {
1488
+ "id": "weakness_in_firmware_updates",
1489
+ "name": "Weakness in Firmware Updates",
1490
+ "type": "subcategory",
1491
+ "children": [
1492
+ {
1493
+ "id": "firmware_cannot_be_updated",
1494
+ "name": "Firmware cannot be updated",
1495
+ "type": "variant",
1496
+ "priority": null
1497
+ },
1498
+ {
1499
+ "id": "firmware_does_not_validate_update_integrity",
1500
+ "name": "Firmware does not validate update integrity",
1501
+ "type": "variant",
1502
+ "priority": 3
1503
+ },
1504
+ {
1505
+ "id": "firmware_is_not_encrypted",
1506
+ "name": "Firmware is not encrypted",
1507
+ "type": "variant",
1508
+ "priority": 5
1509
+ }
1510
+ ]
1511
+ }
1512
+ ]
1513
+ },
1514
+ {
1515
+ "id": "insufficient_security_configurability",
1516
+ "name": "Insufficient Security Configurability",
1517
+ "type": "category",
1518
+ "children": [
1519
+ {
1520
+ "id": "lack_of_notification_email",
1521
+ "name": "Lack of Notification Email",
1522
+ "type": "subcategory",
1523
+ "priority": 5
1524
+ },
1525
+ {
1526
+ "id": "no_password_policy",
1527
+ "name": "No Password Policy",
1528
+ "type": "subcategory",
1529
+ "priority": 4
1530
+ },
1531
+ {
1532
+ "id": "password_policy_bypass",
1533
+ "name": "Password Policy Bypass",
1534
+ "type": "subcategory",
1535
+ "priority": 5
1536
+ },
1537
+ {
1538
+ "id": "verification_of_contact_method_not_required",
1539
+ "name": "Verification of Contact Method not Required",
1540
+ "type": "subcategory",
1541
+ "priority": 5
1542
+ },
1543
+ {
1544
+ "id": "weak_password_policy",
1545
+ "name": "Weak Password Policy",
1546
+ "type": "subcategory",
1547
+ "priority": 5
1548
+ },
1549
+ {
1550
+ "id": "weak_password_reset_implementation",
1551
+ "name": "Weak Password Reset Implementation",
1552
+ "type": "subcategory",
1553
+ "children": [
1554
+ {
1555
+ "id": "token_has_long_timed_expiry",
1556
+ "name": "Token Has Long Timed Expiry",
1557
+ "type": "variant",
1558
+ "priority": 5
1559
+ },
1560
+ {
1561
+ "id": "token_is_not_invalidated_after_email_change",
1562
+ "name": "Token is Not Invalidated After Email Change",
1563
+ "type": "variant",
1564
+ "priority": 5
1565
+ },
1566
+ {
1567
+ "id": "token_is_not_invalidated_after_login",
1568
+ "name": "Token is Not Invalidated After Login",
1569
+ "type": "variant",
1570
+ "priority": 5
1571
+ },
1572
+ {
1573
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1574
+ "name": "Token is Not Invalidated After New Token is Requested",
1575
+ "type": "variant",
1576
+ "priority": 5
1577
+ },
1578
+ {
1579
+ "id": "token_is_not_invalidated_after_password_change",
1580
+ "name": "Token is Not Invalidated After Password Change",
1581
+ "type": "variant",
1582
+ "priority": 5
1583
+ },
1584
+ {
1585
+ "id": "token_is_not_invalidated_after_use",
1586
+ "name": "Token is Not Invalidated After Use",
1587
+ "type": "variant",
1588
+ "priority": 4
1589
+ }
1590
+ ]
1591
+ },
1592
+ {
1593
+ "id": "weak_registration_implementation",
1594
+ "name": "Weak Registration Implementation",
1595
+ "type": "subcategory",
1596
+ "children": [
1597
+ {
1598
+ "id": "allows_disposable_email_addresses",
1599
+ "name": "Allows Disposable Email Addresses",
1600
+ "type": "variant",
1601
+ "priority": 5
1602
+ }
1603
+ ]
1604
+ },
1605
+ {
1606
+ "id": "weak_two_fa_implementation",
1607
+ "name": "Weak 2FA Implementation",
1608
+ "type": "subcategory",
1609
+ "children": [
1610
+ {
1611
+ "id": "missing_failsafe",
1612
+ "name": "Missing Failsafe",
1613
+ "type": "variant",
1614
+ "priority": 5
1615
+ },
1616
+ {
1617
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1618
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1619
+ "type": "variant",
1620
+ "priority": 5
1621
+ },
1622
+ {
1623
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1624
+ "name": "2FA Code is Not Updated After New Code is Requested",
1625
+ "type": "variant",
1626
+ "priority": 5
1627
+ },
1628
+ {
1629
+ "id": "two_fa_secret_cannot_be_rotated",
1630
+ "name": "2FA Secret Cannot be Rotated",
1631
+ "type": "variant",
1632
+ "priority": 4
1633
+ },
1634
+ {
1635
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1636
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1637
+ "type": "variant",
1638
+ "priority": 4
1639
+ }
1640
+ ]
1641
+ }
1642
+ ]
1643
+ },
1644
+ {
1645
+ "id": "lack_of_binary_hardening",
1646
+ "name": "Lack of Binary Hardening",
1647
+ "type": "category",
1648
+ "children": [
1649
+ {
1650
+ "id": "lack_of_exploit_mitigations",
1651
+ "name": "Lack of Exploit Mitigations",
1652
+ "type": "subcategory",
1653
+ "priority": 5
1654
+ },
1655
+ {
1656
+ "id": "lack_of_jailbreak_detection",
1657
+ "name": "Lack of Jailbreak Detection",
1658
+ "type": "subcategory",
1659
+ "priority": 5
1660
+ },
1661
+ {
1662
+ "id": "lack_of_obfuscation",
1663
+ "name": "Lack of Obfuscation",
1664
+ "type": "subcategory",
1665
+ "priority": 5
1666
+ },
1667
+ {
1668
+ "id": "runtime_instrumentation_based",
1669
+ "name": "Runtime Instrumentation-Based",
1670
+ "type": "subcategory",
1671
+ "priority": 5
1672
+ }
1673
+ ]
1674
+ },
1675
+ {
1676
+ "id": "misinterpretation_biases",
1677
+ "name": "Misinterpretation Biases",
1678
+ "type": "category",
1679
+ "children": [
1680
+ {
1681
+ "id": "context_ignorance",
1682
+ "name": "Context Ignorance",
1683
+ "type": "subcategory",
1684
+ "priority": null
1685
+ }
1686
+ ]
1687
+ },
1688
+ {
1689
+ "id": "mobile_security_misconfiguration",
1690
+ "name": "Mobile Security Misconfiguration",
1691
+ "type": "category",
1692
+ "children": [
1693
+ {
1694
+ "id": "auto_backup_allowed_by_default",
1695
+ "name": "Auto Backup Allowed by Default",
1696
+ "type": "subcategory",
1697
+ "priority": 5
1698
+ },
1699
+ {
1700
+ "id": "clipboard_enabled",
1701
+ "name": "Clipboard Enabled",
1702
+ "type": "subcategory",
1703
+ "priority": 5
1704
+ },
1705
+ {
1706
+ "id": "ssl_certificate_pinning",
1707
+ "name": "SSL Certificate Pinning",
1708
+ "type": "subcategory",
1709
+ "children": [
1710
+ {
1711
+ "id": "absent",
1712
+ "name": "Absent",
1713
+ "type": "variant",
1714
+ "priority": 5
1715
+ },
1716
+ {
1717
+ "id": "defeatable",
1718
+ "name": "Defeatable",
1719
+ "type": "variant",
1720
+ "priority": 5
1721
+ }
1722
+ ]
1723
+ },
1724
+ {
1725
+ "id": "tapjacking",
1726
+ "name": "Tapjacking",
1727
+ "type": "subcategory",
1728
+ "priority": 5
1729
+ }
1730
+ ]
1731
+ },
1732
+ {
1733
+ "id": "network_security_misconfiguration",
1734
+ "name": "Network Security Misconfiguration",
1735
+ "type": "category",
1736
+ "children": [
1737
+ {
1738
+ "id": "telnet_enabled",
1739
+ "name": "Telnet Enabled",
1740
+ "type": "subcategory",
1741
+ "priority": 5
1742
+ }
1743
+ ]
1744
+ },
1745
+ {
1746
+ "id": "physical_security_issues",
1747
+ "name": "Physical Security Issues",
1748
+ "type": "category",
1749
+ "children": [
1750
+ {
1751
+ "id": "bypass_of_physical_access_control",
1752
+ "name": "Bypass of physical access control",
1753
+ "type": "subcategory",
1754
+ "priority": null
1755
+ },
1756
+ {
1757
+ "id": "weakness_in_physical_access_control",
1758
+ "name": "Weakness in physical access control",
1759
+ "type": "subcategory",
1760
+ "children": [
1761
+ {
1762
+ "id": "cloneable_key",
1763
+ "name": "Cloneable Key",
1764
+ "type": "variant",
1765
+ "priority": null
1766
+ },
1767
+ {
1768
+ "id": "commonly_keyed_system",
1769
+ "name": "Commonly Keyed System",
1770
+ "type": "variant",
1771
+ "priority": 2
1772
+ },
1773
+ {
1774
+ "id": "master_key_identification",
1775
+ "name": "Master Key Identification",
1776
+ "type": "variant",
1777
+ "priority": null
1778
+ }
1779
+ ]
1780
+ }
1781
+ ]
1782
+ },
1783
+ {
1784
+ "id": "privacy_concerns",
1785
+ "name": "Privacy Concerns",
1786
+ "type": "category",
1787
+ "children": [
1788
+ {
1789
+ "id": "unnecessary_data_collection",
1790
+ "name": "Unnecessary Data Collection",
1791
+ "type": "subcategory",
1792
+ "children": [
1793
+ {
1794
+ "id": "wifi_ssid_password",
1795
+ "name": "WiFi SSID+Password",
1796
+ "type": "variant",
1797
+ "priority": 4
1798
+ }
1799
+ ]
1800
+ }
1801
+ ]
1802
+ },
1803
+ {
1804
+ "id": "protocol_specific_misconfiguration",
1805
+ "name": "Protocol Specific Misconfiguration",
1806
+ "type": "category",
1807
+ "children": [
1808
+ {
1809
+ "id": "frontrunning_enabled_attack",
1810
+ "name": "Frontrunning-Enabled Attack",
1811
+ "type": "subcategory",
1812
+ "priority": 2
1813
+ },
1814
+ {
1815
+ "id": "improper_validation_and_finalization_logic",
1816
+ "name": "Improper Validation and Finalization Logic",
1817
+ "type": "subcategory",
1818
+ "priority": null
1819
+ },
1820
+ {
1821
+ "id": "misconfigured_staking_logic",
1822
+ "name": "Misconfigured Staking Logic",
1823
+ "type": "subcategory",
1824
+ "priority": null
1825
+ },
1826
+ {
1827
+ "id": "sandwich_enabled_attack",
1828
+ "name": "Sandwich-Enabled Attack",
1829
+ "type": "subcategory",
1830
+ "priority": 2
1831
+ }
1832
+ ]
1833
+ },
1834
+ {
1835
+ "id": "sensitive_data_exposure",
1836
+ "name": "Sensitive Data Exposure",
1837
+ "type": "category",
1838
+ "children": [
1839
+ {
1840
+ "id": "disclosure_of_known_public_information",
1841
+ "name": "Disclosure of Known Public Information",
1842
+ "type": "subcategory",
1843
+ "priority": 5
1844
+ },
1845
+ {
1846
+ "id": "disclosure_of_secrets",
1847
+ "name": "Disclosure of Secrets",
1848
+ "type": "subcategory",
1849
+ "children": [
1850
+ {
1851
+ "id": "data_traffic_spam",
1852
+ "name": "Data/Traffic Spam",
1853
+ "type": "variant",
1854
+ "priority": 5
1855
+ },
1856
+ {
1857
+ "id": "for_internal_asset",
1858
+ "name": "For Internal Asset",
1859
+ "type": "variant",
1860
+ "priority": 3
1861
+ },
1862
+ {
1863
+ "id": "for_publicly_accessible_asset",
1864
+ "name": "For Publicly Accessible Asset",
1865
+ "type": "variant",
1866
+ "priority": 1
1867
+ },
1868
+ {
1869
+ "id": "intentionally_public_sample_or_invalid",
1870
+ "name": "Intentionally Public, Sample or Invalid",
1871
+ "type": "variant",
1872
+ "priority": 5
1873
+ },
1874
+ {
1875
+ "id": "non_corporate_user",
1876
+ "name": "Non-Corporate User",
1877
+ "type": "variant",
1878
+ "priority": 5
1879
+ },
1880
+ {
1881
+ "id": "pay_per_use_abuse",
1882
+ "name": "Pay-Per-Use Abuse",
1883
+ "type": "variant",
1884
+ "priority": 4
1885
+ },
1886
+ {
1887
+ "id": "pii_leakage_exposure",
1888
+ "name": "PII Leakage/Exposure",
1889
+ "type": "variant",
1890
+ "priority": null
1891
+ }
1892
+ ]
1893
+ },
1894
+ {
1895
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
1896
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
1897
+ "type": "subcategory",
1898
+ "children": [
1899
+ {
1900
+ "id": "automatic_user_enumeration",
1901
+ "name": "Automatic User Enumeration",
1902
+ "type": "variant",
1903
+ "priority": 3
1904
+ },
1905
+ {
1906
+ "id": "manual_user_enumeration",
1907
+ "name": "Manual User Enumeration",
1908
+ "type": "variant",
1909
+ "priority": 4
1910
+ }
1911
+ ]
1912
+ },
1913
+ {
1914
+ "id": "internal_ip_disclosure",
1915
+ "name": "Internal IP Disclosure",
1916
+ "type": "subcategory",
1917
+ "priority": 5
1918
+ },
1919
+ {
1920
+ "id": "json_hijacking",
1921
+ "name": "JSON Hijacking",
1922
+ "type": "subcategory",
1923
+ "priority": 5
1924
+ },
1925
+ {
1926
+ "id": "mixed_content",
1927
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1928
+ "type": "subcategory",
1929
+ "priority": 5
1930
+ },
1931
+ {
1932
+ "id": "non_sensitive_token_in_url",
1933
+ "name": "Non-Sensitive Token in URL",
1934
+ "type": "subcategory",
1935
+ "priority": 5
1936
+ },
1937
+ {
1938
+ "id": "sensitive_data_hardcoded",
1939
+ "name": "Sensitive Data Hardcoded",
1940
+ "type": "subcategory",
1941
+ "children": [
1942
+ {
1943
+ "id": "file_paths",
1944
+ "name": "File Paths",
1945
+ "type": "variant",
1946
+ "priority": 5
1947
+ },
1948
+ {
1949
+ "id": "oauth_secret",
1950
+ "name": "OAuth Secret",
1951
+ "type": "variant",
1952
+ "priority": 5
1953
+ }
1954
+ ]
1955
+ },
1956
+ {
1957
+ "id": "sensitive_token_in_url",
1958
+ "name": "Sensitive Token in URL",
1959
+ "type": "subcategory",
1960
+ "children": [
1961
+ {
1962
+ "id": "in_the_background",
1963
+ "name": "In the Background",
1964
+ "type": "variant",
1965
+ "priority": 5
1966
+ },
1967
+ {
1968
+ "id": "on_password_reset",
1969
+ "name": "On Password Reset",
1970
+ "type": "variant",
1971
+ "priority": 5
1972
+ },
1973
+ {
1974
+ "id": "user_facing",
1975
+ "name": "User Facing",
1976
+ "type": "variant",
1977
+ "priority": 4
1978
+ }
1979
+ ]
1980
+ },
1981
+ {
1982
+ "id": "token_leakage_via_referer",
1983
+ "name": "Token Leakage via Referer",
1984
+ "type": "subcategory",
1985
+ "children": [
1986
+ {
1987
+ "id": "over_http",
1988
+ "name": "Over HTTP",
1989
+ "type": "variant",
1990
+ "priority": 4
1991
+ },
1992
+ {
1993
+ "id": "password_reset_token",
1994
+ "name": "Password Reset Token",
1995
+ "type": "variant",
1996
+ "priority": 5
1997
+ },
1998
+ {
1999
+ "id": "trusted_third_party",
2000
+ "name": "Trusted 3rd Party",
2001
+ "type": "variant",
2002
+ "priority": 5
2003
+ },
2004
+ {
2005
+ "id": "untrusted_third_party",
2006
+ "name": "Untrusted 3rd Party",
2007
+ "type": "variant",
2008
+ "priority": 4
2009
+ }
2010
+ ]
2011
+ },
2012
+ {
2013
+ "id": "via_localstorage_sessionstorage",
2014
+ "name": "Via localStorage/sessionStorage",
2015
+ "type": "subcategory",
2016
+ "children": [
2017
+ {
2018
+ "id": "non_sensitive_token",
2019
+ "name": "Non-Sensitive Token",
2020
+ "type": "variant",
2021
+ "priority": 5
2022
+ },
2023
+ {
2024
+ "id": "sensitive_token",
2025
+ "name": "Sensitive Token",
2026
+ "type": "variant",
2027
+ "priority": 4
2028
+ }
2029
+ ]
2030
+ },
2031
+ {
2032
+ "id": "visible_detailed_error_page",
2033
+ "name": "Visible Detailed Error/Debug Page",
2034
+ "type": "subcategory",
2035
+ "children": [
2036
+ {
2037
+ "id": "descriptive_stack_trace",
2038
+ "name": "Descriptive Stack Trace",
2039
+ "type": "variant",
2040
+ "priority": 5
2041
+ },
2042
+ {
2043
+ "id": "detailed_server_configuration",
2044
+ "name": "Detailed Server Configuration",
2045
+ "type": "variant",
2046
+ "priority": 4
2047
+ },
2048
+ {
2049
+ "id": "full_path_disclosure",
2050
+ "name": "Full Path Disclosure",
2051
+ "type": "variant",
2052
+ "priority": 5
2053
+ }
2054
+ ]
2055
+ },
2056
+ {
2057
+ "id": "weak_password_reset_implementation",
2058
+ "name": "Weak Password Reset Implementation",
2059
+ "type": "subcategory",
2060
+ "children": [
2061
+ {
2062
+ "id": "password_reset_token_sent_over_http",
2063
+ "name": "Password Reset Token Sent Over HTTP",
2064
+ "type": "variant",
2065
+ "priority": 4
2066
+ },
2067
+ {
2068
+ "id": "token_leakage_via_host_header_poisoning",
2069
+ "name": "Token Leakage via Host Header Poisoning",
2070
+ "type": "variant",
2071
+ "priority": 2
2072
+ }
2073
+ ]
2074
+ },
2075
+ {
2076
+ "id": "xssi",
2077
+ "name": "Cross Site Script Inclusion (XSSI)",
2078
+ "type": "subcategory",
2079
+ "priority": null
2080
+ }
2081
+ ]
2082
+ },
2083
+ {
2084
+ "id": "server_security_misconfiguration",
2085
+ "name": "Server Security Misconfiguration",
2086
+ "type": "category",
2087
+ "children": [
2088
+ {
2089
+ "id": "bitsquatting",
2090
+ "name": "Bitsquatting",
2091
+ "type": "subcategory",
2092
+ "priority": 5
2093
+ },
2094
+ {
2095
+ "id": "cache_poisoning",
2096
+ "name": "Cache Poisoning",
2097
+ "type": "subcategory",
2098
+ "priority": null
2099
+ },
2100
+ {
2101
+ "id": "captcha",
2102
+ "name": "CAPTCHA",
2103
+ "type": "subcategory",
2104
+ "children": [
2105
+ {
2106
+ "id": "brute_force",
2107
+ "name": "Brute Force",
2108
+ "type": "variant",
2109
+ "priority": 5
2110
+ },
2111
+ {
2112
+ "id": "implementation_vulnerability",
2113
+ "name": "Implementation Vulnerability",
2114
+ "type": "variant",
2115
+ "priority": 4
2116
+ },
2117
+ {
2118
+ "id": "missing",
2119
+ "name": "Missing",
2120
+ "type": "variant",
2121
+ "priority": 5
2122
+ }
2123
+ ]
2124
+ },
2125
+ {
2126
+ "id": "clickjacking",
2127
+ "name": "Clickjacking",
2128
+ "type": "subcategory",
2129
+ "children": [
2130
+ {
2131
+ "id": "form_input",
2132
+ "name": "Form Input",
2133
+ "type": "variant",
2134
+ "priority": 5
2135
+ },
2136
+ {
2137
+ "id": "non_sensitive_action",
2138
+ "name": "Non-Sensitive Action",
2139
+ "type": "variant",
2140
+ "priority": 5
2141
+ },
2142
+ {
2143
+ "id": "sensitive_action",
2144
+ "name": "Sensitive Click-Based Action",
2145
+ "type": "variant",
2146
+ "priority": 4
2147
+ }
2148
+ ]
2149
+ },
2150
+ {
2151
+ "id": "cookie_scoped_to_parent_domain",
2152
+ "name": "Cookie Scoped to Parent Domain",
2153
+ "type": "subcategory",
2154
+ "priority": 5
2155
+ },
2156
+ {
2157
+ "id": "dbms_misconfiguration",
2158
+ "name": "Database Management System (DBMS) Misconfiguration",
2159
+ "type": "subcategory",
2160
+ "children": [
2161
+ {
2162
+ "id": "excessively_privileged_user_dba",
2163
+ "name": "Excessively Privileged User / DBA",
2164
+ "type": "variant",
2165
+ "priority": 4
2166
+ }
2167
+ ]
2168
+ },
2169
+ {
2170
+ "id": "directory_listing_enabled",
2171
+ "name": "Directory Listing Enabled",
2172
+ "type": "subcategory",
2173
+ "children": [
2174
+ {
2175
+ "id": "non_sensitive_data_exposure",
2176
+ "name": "Non-Sensitive Data Exposure",
2177
+ "type": "variant",
2178
+ "priority": 5
2179
+ },
2180
+ {
2181
+ "id": "sensitive_data_exposure",
2182
+ "name": "Sensitive Data Exposure",
2183
+ "type": "variant",
2184
+ "priority": null
2185
+ }
2186
+ ]
2187
+ },
2188
+ {
2189
+ "id": "email_verification_bypass",
2190
+ "name": "Email Verification Bypass",
2191
+ "type": "subcategory",
2192
+ "priority": 5
2193
+ },
2194
+ {
2195
+ "id": "exposed_admin_portal",
2196
+ "name": "Exposed Admin Portal",
2197
+ "type": "subcategory",
2198
+ "children": [
2199
+ {
2200
+ "id": "to_internet",
2201
+ "name": "To Internet",
2202
+ "type": "variant",
2203
+ "priority": 5
2204
+ }
2205
+ ]
2206
+ },
2207
+ {
2208
+ "id": "fingerprinting_banner_disclosure",
2209
+ "name": "Fingerprinting/Banner Disclosure",
2210
+ "type": "subcategory",
2211
+ "priority": 5
2212
+ },
2213
+ {
2214
+ "id": "insecure_ssl",
2215
+ "name": "Insecure SSL",
2216
+ "type": "subcategory",
2217
+ "children": [
2218
+ {
2219
+ "id": "certificate_error",
2220
+ "name": "Certificate Error",
2221
+ "type": "variant",
2222
+ "priority": 5
2223
+ },
2224
+ {
2225
+ "id": "insecure_cipher_suite",
2226
+ "name": "Insecure Cipher Suite",
2227
+ "type": "variant",
2228
+ "priority": 5
2229
+ },
2230
+ {
2231
+ "id": "lack_of_forward_secrecy",
2232
+ "name": "Lack of Forward Secrecy",
2233
+ "type": "variant",
2234
+ "priority": 5
2235
+ }
2236
+ ]
2237
+ },
2238
+ {
2239
+ "id": "lack_of_password_confirmation",
2240
+ "name": "Lack of Password Confirmation",
2241
+ "type": "subcategory",
2242
+ "children": [
2243
+ {
2244
+ "id": "change_email_address",
2245
+ "name": "Change Email Address",
2246
+ "type": "variant",
2247
+ "priority": 5
2248
+ },
2249
+ {
2250
+ "id": "change_password",
2251
+ "name": "Change Password",
2252
+ "type": "variant",
2253
+ "priority": 5
2254
+ },
2255
+ {
2256
+ "id": "delete_account",
2257
+ "name": "Delete Account",
2258
+ "type": "variant",
2259
+ "priority": 4
2260
+ },
2261
+ {
2262
+ "id": "manage_two_fa",
2263
+ "name": "Manage 2FA",
2264
+ "type": "variant",
2265
+ "priority": 5
2266
+ }
2267
+ ]
2268
+ },
2269
+ {
2270
+ "id": "lack_of_security_headers",
2271
+ "name": "Lack of Security Headers",
2272
+ "type": "subcategory",
2273
+ "children": [
2274
+ {
2275
+ "id": "cache_control_for_a_non_sensitive_page",
2276
+ "name": "Cache-Control for a Non-Sensitive Page",
2277
+ "type": "variant",
2278
+ "priority": 5
2279
+ },
2280
+ {
2281
+ "id": "cache_control_for_a_sensitive_page",
2282
+ "name": "Cache-Control for a Sensitive Page",
2283
+ "type": "variant",
2284
+ "priority": 4
2285
+ },
2286
+ {
2287
+ "id": "content_security_policy",
2288
+ "name": "Content-Security-Policy",
2289
+ "type": "variant",
2290
+ "priority": 5
2291
+ },
2292
+ {
2293
+ "id": "content_security_policy_report_only",
2294
+ "name": "Content-Security-Policy-Report-Only",
2295
+ "type": "variant",
2296
+ "priority": 5
2297
+ },
2298
+ {
2299
+ "id": "public_key_pins",
2300
+ "name": "Public-Key-Pins",
2301
+ "type": "variant",
2302
+ "priority": 5
2303
+ },
2304
+ {
2305
+ "id": "strict_transport_security",
2306
+ "name": "Strict-Transport-Security",
2307
+ "type": "variant",
2308
+ "priority": 5
2309
+ },
2310
+ {
2311
+ "id": "x_content_security_policy",
2312
+ "name": "X-Content-Security-Policy",
2313
+ "type": "variant",
2314
+ "priority": 5
2315
+ },
2316
+ {
2317
+ "id": "x_content_type_options",
2318
+ "name": "X-Content-Type-Options",
2319
+ "type": "variant",
2320
+ "priority": 5
2321
+ },
2322
+ {
2323
+ "id": "x_frame_options",
2324
+ "name": "X-Frame-Options",
2325
+ "type": "variant",
2326
+ "priority": 5
2327
+ },
2328
+ {
2329
+ "id": "x_webkit_csp",
2330
+ "name": "X-Webkit-CSP",
2331
+ "type": "variant",
2332
+ "priority": 5
2333
+ },
2334
+ {
2335
+ "id": "x_xss_protection",
2336
+ "name": "X-XSS-Protection",
2337
+ "type": "variant",
2338
+ "priority": 5
2339
+ }
2340
+ ]
2341
+ },
2342
+ {
2343
+ "id": "mail_server_misconfiguration",
2344
+ "name": "Mail Server Misconfiguration",
2345
+ "type": "subcategory",
2346
+ "children": [
2347
+ {
2348
+ "id": "email_spoofing_on_non_email_domain",
2349
+ "name": "Email Spoofing on Non-Email Domain",
2350
+ "type": "variant",
2351
+ "priority": 5
2352
+ },
2353
+ {
2354
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
2355
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
2356
+ "type": "variant",
2357
+ "priority": 4
2358
+ },
2359
+ {
2360
+ "id": "email_spoofing_to_spam_folder",
2361
+ "name": "Email Spoofing to Spam Folder",
2362
+ "type": "variant",
2363
+ "priority": 5
2364
+ },
2365
+ {
2366
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
2367
+ "name": "Missing or Misconfigured SPF and/or DKIM",
2368
+ "type": "variant",
2369
+ "priority": 5
2370
+ },
2371
+ {
2372
+ "id": "no_spoofing_protection_on_email_domain",
2373
+ "name": "No Spoofing Protection on Email Domain",
2374
+ "type": "variant",
2375
+ "priority": 3
2376
+ }
2377
+ ]
2378
+ },
2379
+ {
2380
+ "id": "misconfigured_dns",
2381
+ "name": "Misconfigured DNS",
2382
+ "type": "subcategory",
2383
+ "children": [
2384
+ {
2385
+ "id": "missing_caa_record",
2386
+ "name": "Missing Certification Authority Authorization (CAA) Record",
2387
+ "type": "variant",
2388
+ "priority": 5
2389
+ },
2390
+ {
2391
+ "id": "subdomain_takeover",
2392
+ "name": "Subdomain Takeover",
2393
+ "type": "variant",
2394
+ "priority": 3
2395
+ },
2396
+ {
2397
+ "id": "zone_transfer",
2398
+ "name": "Zone Transfer",
2399
+ "type": "variant",
2400
+ "priority": 4
2401
+ }
2402
+ ]
2403
+ },
2404
+ {
2405
+ "id": "missing_dnssec",
2406
+ "name": "Missing DNSSEC",
2407
+ "type": "subcategory",
2408
+ "priority": 5
2409
+ },
2410
+ {
2411
+ "id": "missing_secure_or_httponly_cookie_flag",
2412
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
2413
+ "type": "subcategory",
2414
+ "children": [
2415
+ {
2416
+ "id": "non_session_cookie",
2417
+ "name": "Non-Session Cookie",
2418
+ "type": "variant",
2419
+ "priority": 5
2420
+ },
2421
+ {
2422
+ "id": "session_token",
2423
+ "name": "Session Token",
2424
+ "type": "variant",
2425
+ "priority": 4
2426
+ }
2427
+ ]
2428
+ },
2429
+ {
2430
+ "id": "missing_subresource_integrity",
2431
+ "name": "Missing Subresource Integrity",
2432
+ "type": "subcategory",
2433
+ "priority": 5
2434
+ },
2435
+ {
2436
+ "id": "no_rate_limiting_on_form",
2437
+ "name": "No Rate Limiting on Form",
2438
+ "type": "subcategory",
2439
+ "children": [
2440
+ {
2441
+ "id": "change_password",
2442
+ "name": "Change Password",
2443
+ "type": "variant",
2444
+ "priority": 5
2445
+ },
2446
+ {
2447
+ "id": "email_triggering",
2448
+ "name": "Email-Triggering",
2449
+ "type": "variant",
2450
+ "priority": 4
2451
+ },
2452
+ {
2453
+ "id": "login",
2454
+ "name": "Login",
2455
+ "type": "variant",
2456
+ "priority": 4
2457
+ },
2458
+ {
2459
+ "id": "registration",
2460
+ "name": "Registration",
2461
+ "type": "variant",
2462
+ "priority": 4
2463
+ },
2464
+ {
2465
+ "id": "sms_triggering",
2466
+ "name": "SMS-Triggering",
2467
+ "type": "variant",
2468
+ "priority": 4
2469
+ }
2470
+ ]
2471
+ },
2472
+ {
2473
+ "id": "oauth_misconfiguration",
2474
+ "name": "OAuth Misconfiguration",
2475
+ "type": "subcategory",
2476
+ "children": [
2477
+ {
2478
+ "id": "account_squatting",
2479
+ "name": "Account Squatting",
2480
+ "type": "variant",
2481
+ "priority": 4
2482
+ },
2483
+ {
2484
+ "id": "account_takeover",
2485
+ "name": "Account Takeover",
2486
+ "type": "variant",
2487
+ "priority": 2
2488
+ },
2489
+ {
2490
+ "id": "insecure_redirect_uri",
2491
+ "name": "Insecure Redirect URI",
2492
+ "type": "variant",
2493
+ "priority": null
2494
+ },
2495
+ {
2496
+ "id": "missing_state_parameter",
2497
+ "name": "Missing/Broken State Parameter",
2498
+ "type": "variant",
2499
+ "priority": null
2500
+ }
2501
+ ]
2502
+ },
2503
+ {
2504
+ "id": "path_traversal",
2505
+ "name": "Path Traversal",
2506
+ "type": "subcategory",
2507
+ "priority": null
2508
+ },
2509
+ {
2510
+ "id": "potentially_unsafe_http_method_enabled",
2511
+ "name": "Potentially Unsafe HTTP Method Enabled",
2512
+ "type": "subcategory",
2513
+ "children": [
2514
+ {
2515
+ "id": "options",
2516
+ "name": "OPTIONS",
2517
+ "type": "variant",
2518
+ "priority": 5
2519
+ },
2520
+ {
2521
+ "id": "trace",
2522
+ "name": "TRACE",
2523
+ "type": "variant",
2524
+ "priority": 5
2525
+ }
2526
+ ]
2527
+ },
2528
+ {
2529
+ "id": "race_condition",
2530
+ "name": "Race Condition",
2531
+ "type": "subcategory",
2532
+ "priority": null
2533
+ },
2534
+ {
2535
+ "id": "request_smuggling",
2536
+ "name": "HTTP Request Smuggling",
2537
+ "type": "subcategory",
2538
+ "priority": null
2539
+ },
2540
+ {
2541
+ "id": "rfd",
2542
+ "name": "Reflected File Download (RFD)",
2543
+ "type": "subcategory",
2544
+ "priority": 5
2545
+ },
2546
+ {
2547
+ "id": "same_site_scripting",
2548
+ "name": "Same-Site Scripting",
2549
+ "type": "subcategory",
2550
+ "priority": 5
2551
+ },
2552
+ {
2553
+ "id": "server_side_request_forgery_ssrf",
2554
+ "name": "Server-Side Request Forgery (SSRF)",
2555
+ "type": "subcategory",
2556
+ "children": [
2557
+ {
2558
+ "id": "external_dns_query_only",
2559
+ "name": "External - DNS Query Only",
2560
+ "type": "variant",
2561
+ "priority": 5
2562
+ },
2563
+ {
2564
+ "id": "external_low_impact",
2565
+ "name": "External - Low impact",
2566
+ "type": "variant",
2567
+ "priority": 5
2568
+ },
2569
+ {
2570
+ "id": "internal_high_impact",
2571
+ "name": "Internal High Impact",
2572
+ "type": "variant",
2573
+ "priority": 2
2574
+ },
2575
+ {
2576
+ "id": "internal_scan_and_or_medium_impact",
2577
+ "name": "Internal Scan and/or Medium Impact",
2578
+ "type": "variant",
2579
+ "priority": 3
2580
+ }
2581
+ ]
2582
+ },
2583
+ {
2584
+ "id": "software_package_takeover",
2585
+ "name": "Software Package Takeover",
2586
+ "type": "subcategory",
2587
+ "priority": null
2588
+ },
2589
+ {
2590
+ "id": "ssl_attack_breach_poodle_etc",
2591
+ "name": "SSL Attack (BREACH, POODLE etc.)",
2592
+ "type": "subcategory",
2593
+ "priority": null
2594
+ },
2595
+ {
2596
+ "id": "unsafe_cross_origin_resource_sharing",
2597
+ "name": "Unsafe Cross-Origin Resource Sharing",
2598
+ "type": "subcategory",
2599
+ "priority": null
2600
+ },
2601
+ {
2602
+ "id": "unsafe_file_upload",
2603
+ "name": "Unsafe File Upload",
2604
+ "type": "subcategory",
2605
+ "children": [
2606
+ {
2607
+ "id": "file_extension_filter_bypass",
2608
+ "name": "File Extension Filter Bypass",
2609
+ "type": "variant",
2610
+ "priority": 5
2611
+ },
2612
+ {
2613
+ "id": "no_antivirus",
2614
+ "name": "No Antivirus",
2615
+ "type": "variant",
2616
+ "priority": 5
2617
+ },
2618
+ {
2619
+ "id": "no_size_limit",
2620
+ "name": "No Size Limit",
2621
+ "type": "variant",
2622
+ "priority": 5
2623
+ }
2624
+ ]
2625
+ },
2626
+ {
2627
+ "id": "username_enumeration",
2628
+ "name": "Username/Email Enumeration",
2629
+ "type": "subcategory",
2630
+ "children": [
2631
+ {
2632
+ "id": "brute_force",
2633
+ "name": "Brute Force",
2634
+ "type": "variant",
2635
+ "priority": 5
2636
+ }
2637
+ ]
2638
+ },
2639
+ {
2640
+ "id": "using_default_credentials",
2641
+ "name": "Using Default Credentials",
2642
+ "type": "subcategory",
2643
+ "priority": 1
2644
+ },
2645
+ {
2646
+ "id": "waf_bypass",
2647
+ "name": "Web Application Firewall (WAF) Bypass",
2648
+ "type": "subcategory",
2649
+ "children": [
2650
+ {
2651
+ "id": "direct_server_access",
2652
+ "name": "Direct Server Access",
2653
+ "type": "variant",
2654
+ "priority": 4
2655
+ }
2656
+ ]
2657
+ }
2658
+ ]
2659
+ },
2660
+ {
2661
+ "id": "server_side_injection",
2662
+ "name": "Server-Side Injection",
2663
+ "type": "category",
2664
+ "children": [
2665
+ {
2666
+ "id": "content_spoofing",
2667
+ "name": "Content Spoofing",
2668
+ "type": "subcategory",
2669
+ "children": [
2670
+ {
2671
+ "id": "email_html_injection",
2672
+ "name": "Email HTML Injection",
2673
+ "type": "variant",
2674
+ "priority": 4
2675
+ },
2676
+ {
2677
+ "id": "email_hyperlink_injection_based_on_email_provider",
2678
+ "name": "Email Hyperlink Injection Based on Email Provider",
2679
+ "type": "variant",
2680
+ "priority": 5
2681
+ },
2682
+ {
2683
+ "id": "external_authentication_injection",
2684
+ "name": "External Authentication Injection",
2685
+ "type": "variant",
2686
+ "priority": 4
2687
+ },
2688
+ {
2689
+ "id": "flash_based_external_authentication_injection",
2690
+ "name": "Flash Based External Authentication Injection",
2691
+ "type": "variant",
2692
+ "priority": 5
2693
+ },
2694
+ {
2695
+ "id": "homograph_idn_based",
2696
+ "name": "Homograph/IDN-Based",
2697
+ "type": "variant",
2698
+ "priority": 5
2699
+ },
2700
+ {
2701
+ "id": "html_content_injection",
2702
+ "name": "HTML Content Injection",
2703
+ "type": "variant",
2704
+ "priority": 5
2705
+ },
2706
+ {
2707
+ "id": "iframe_injection",
2708
+ "name": "iframe Injection",
2709
+ "type": "variant",
2710
+ "priority": 3
2711
+ },
2712
+ {
2713
+ "id": "impersonation_via_broken_link_hijacking",
2714
+ "name": "Impersonation via Broken Link Hijacking",
2715
+ "type": "variant",
2716
+ "priority": 4
2717
+ },
2718
+ {
2719
+ "id": "rtlo",
2720
+ "name": "Right-to-Left Override (RTLO)",
2721
+ "type": "variant",
2722
+ "priority": 5
2723
+ },
2724
+ {
2725
+ "id": "text_injection",
2726
+ "name": "Text Injection",
2727
+ "type": "variant",
2728
+ "priority": 5
2729
+ }
2730
+ ]
2731
+ },
2732
+ {
2733
+ "id": "file_inclusion",
2734
+ "name": "File Inclusion",
2735
+ "type": "subcategory",
2736
+ "children": [
2737
+ {
2738
+ "id": "local",
2739
+ "name": "Local",
2740
+ "type": "variant",
2741
+ "priority": 1
2742
+ }
2743
+ ]
2744
+ },
2745
+ {
2746
+ "id": "http_response_manipulation",
2747
+ "name": "HTTP Response Manipulation",
2748
+ "type": "subcategory",
2749
+ "children": [
2750
+ {
2751
+ "id": "response_splitting_crlf",
2752
+ "name": "Response Splitting (CRLF)",
2753
+ "type": "variant",
2754
+ "priority": 3
2755
+ }
2756
+ ]
2757
+ },
2758
+ {
2759
+ "id": "ldap_injection",
2760
+ "name": "LDAP Injection",
2761
+ "type": "subcategory",
2762
+ "priority": null
2763
+ },
2764
+ {
2765
+ "id": "parameter_pollution",
2766
+ "name": "Parameter Pollution",
2767
+ "type": "subcategory",
2768
+ "children": [
2769
+ {
2770
+ "id": "social_media_sharing_buttons",
2771
+ "name": "Social Media Sharing Buttons",
2772
+ "type": "variant",
2773
+ "priority": 5
2774
+ }
2775
+ ]
2776
+ },
2777
+ {
2778
+ "id": "remote_code_execution_rce",
2779
+ "name": "Remote Code Execution (RCE)",
2780
+ "type": "subcategory",
2781
+ "priority": 1
2782
+ },
2783
+ {
2784
+ "id": "sql_injection",
2785
+ "name": "SQL Injection",
2786
+ "type": "subcategory",
2787
+ "priority": 1
2788
+ },
2789
+ {
2790
+ "id": "ssti",
2791
+ "name": "Server-Side Template Injection (SSTI)",
2792
+ "type": "subcategory",
2793
+ "children": [
2794
+ {
2795
+ "id": "basic",
2796
+ "name": "Basic",
2797
+ "type": "variant",
2798
+ "priority": 4
2799
+ },
2800
+ {
2801
+ "id": "custom",
2802
+ "name": "Custom",
2803
+ "type": "variant",
2804
+ "priority": null
2805
+ }
2806
+ ]
2807
+ },
2808
+ {
2809
+ "id": "xml_external_entity_injection_xxe",
2810
+ "name": "XML External Entity Injection (XXE)",
2811
+ "type": "subcategory",
2812
+ "priority": 1
2813
+ }
2814
+ ]
2815
+ },
2816
+ {
2817
+ "id": "smart_contract_misconfiguration",
2818
+ "name": "Smart Contract Misconfiguration",
2819
+ "type": "category",
2820
+ "children": [
2821
+ {
2822
+ "id": "bypass_of_function_modifiers_and_checks",
2823
+ "name": "Bypass of Function Modifiers and Checks",
2824
+ "type": "subcategory",
2825
+ "priority": null
2826
+ },
2827
+ {
2828
+ "id": "function_level_denial_of_service",
2829
+ "name": "Function-level Denial of Service",
2830
+ "type": "subcategory",
2831
+ "priority": 3
2832
+ },
2833
+ {
2834
+ "id": "improper_decimals_implementation",
2835
+ "name": "Improper Decimals Implementation",
2836
+ "type": "subcategory",
2837
+ "priority": 4
2838
+ },
2839
+ {
2840
+ "id": "improper_fee_implementation",
2841
+ "name": "Improper Fee Implementation",
2842
+ "type": "subcategory",
2843
+ "priority": 3
2844
+ },
2845
+ {
2846
+ "id": "improper_use_of_modifier",
2847
+ "name": "Improper Use of Modifier",
2848
+ "type": "subcategory",
2849
+ "priority": 4
2850
+ },
2851
+ {
2852
+ "id": "inaccurate_rounding_calculation",
2853
+ "name": "Inaccurate Rounding Calculation",
2854
+ "type": "subcategory",
2855
+ "priority": null
2856
+ },
2857
+ {
2858
+ "id": "integer_overflow_underflow",
2859
+ "name": "Integer Overflow / Underflow",
2860
+ "type": "subcategory",
2861
+ "priority": 2
2862
+ },
2863
+ {
2864
+ "id": "irreversible_function_call",
2865
+ "name": "Irreversible Function Call",
2866
+ "type": "subcategory",
2867
+ "priority": 3
2868
+ },
2869
+ {
2870
+ "id": "malicious_superuser_risk",
2871
+ "name": "Malicious Superuser Risk",
2872
+ "type": "subcategory",
2873
+ "priority": 3
2874
+ },
2875
+ {
2876
+ "id": "reentrancy_attack",
2877
+ "name": "Reentrancy Attack",
2878
+ "type": "subcategory",
2879
+ "priority": 1
2880
+ },
2881
+ {
2882
+ "id": "smart_contract_owner_takeover",
2883
+ "name": "Smart Contract Owner Takeover",
2884
+ "type": "subcategory",
2885
+ "priority": 1
2886
+ },
2887
+ {
2888
+ "id": "unauthorized_smart_contract_approval",
2889
+ "name": "Unauthorized Smart Contract Approval",
2890
+ "type": "subcategory",
2891
+ "priority": 2
2892
+ },
2893
+ {
2894
+ "id": "unauthorized_transfer_of_funds",
2895
+ "name": "Unauthorized Transfer of Funds",
2896
+ "type": "subcategory",
2897
+ "priority": 1
2898
+ },
2899
+ {
2900
+ "id": "uninitialized_variables",
2901
+ "name": "Uninitialized Variables",
2902
+ "type": "subcategory",
2903
+ "priority": 1
2904
+ }
2905
+ ]
2906
+ },
2907
+ {
2908
+ "id": "societal_biases",
2909
+ "name": "Societal Biases",
2910
+ "type": "category",
2911
+ "children": [
2912
+ {
2913
+ "id": "confirmation_bias",
2914
+ "name": "Confirmation Bias",
2915
+ "type": "subcategory",
2916
+ "priority": null
2917
+ },
2918
+ {
2919
+ "id": "systemic_bias",
2920
+ "name": "Systemic Bias",
2921
+ "type": "subcategory",
2922
+ "priority": null
2923
+ }
2924
+ ]
2925
+ },
2926
+ {
2927
+ "id": "unvalidated_redirects_and_forwards",
2928
+ "name": "Unvalidated Redirects and Forwards",
2929
+ "type": "category",
2930
+ "children": [
2931
+ {
2932
+ "id": "lack_of_security_speed_bump_page",
2933
+ "name": "Lack of Security Speed Bump Page",
2934
+ "type": "subcategory",
2935
+ "priority": 5
2936
+ },
2937
+ {
2938
+ "id": "open_redirect",
2939
+ "name": "Open Redirect",
2940
+ "type": "subcategory",
2941
+ "children": [
2942
+ {
2943
+ "id": "flash_based",
2944
+ "name": "Flash-Based",
2945
+ "type": "variant",
2946
+ "priority": 5
2947
+ },
2948
+ {
2949
+ "id": "get_based",
2950
+ "name": "GET-Based",
2951
+ "type": "variant",
2952
+ "priority": 4
2953
+ },
2954
+ {
2955
+ "id": "header_based",
2956
+ "name": "Header-Based",
2957
+ "type": "variant",
2958
+ "priority": 5
2959
+ },
2960
+ {
2961
+ "id": "post_based",
2962
+ "name": "POST-Based",
2963
+ "type": "variant",
2964
+ "priority": 5
2965
+ }
2966
+ ]
2967
+ },
2968
+ {
2969
+ "id": "tabnabbing",
2970
+ "name": "Tabnabbing",
2971
+ "type": "subcategory",
2972
+ "priority": 5
2973
+ }
2974
+ ]
2975
+ },
2976
+ {
2977
+ "id": "using_components_with_known_vulnerabilities",
2978
+ "name": "Using Components with Known Vulnerabilities",
2979
+ "type": "category",
2980
+ "children": [
2981
+ {
2982
+ "id": "captcha_bypass",
2983
+ "name": "Captcha Bypass",
2984
+ "type": "subcategory",
2985
+ "children": [
2986
+ {
2987
+ "id": "ocr_optical_character_recognition",
2988
+ "name": "OCR (Optical Character Recognition)",
2989
+ "type": "variant",
2990
+ "priority": 5
2991
+ }
2992
+ ]
2993
+ },
2994
+ {
2995
+ "id": "outdated_software_version",
2996
+ "name": "Outdated Software Version",
2997
+ "type": "subcategory",
2998
+ "priority": 5
2999
+ },
3000
+ {
3001
+ "id": "rosetta_flash",
3002
+ "name": "Rosetta Flash",
3003
+ "type": "subcategory",
3004
+ "priority": 5
3005
+ }
3006
+ ]
3007
+ },
3008
+ {
3009
+ "id": "zero_knowledge_security_misconfiguration",
3010
+ "name": "Zero Knowledge Security Misconfiguration",
3011
+ "type": "category",
3012
+ "children": [
3013
+ {
3014
+ "id": "deanonymization_of_data",
3015
+ "name": "Deanonymization of Data",
3016
+ "type": "subcategory",
3017
+ "priority": 1
3018
+ },
3019
+ {
3020
+ "id": "improper_proof_validation_and_finalization_logic",
3021
+ "name": "Improper Proof Validation and Finalization Logic",
3022
+ "type": "subcategory",
3023
+ "priority": 1
3024
+ },
3025
+ {
3026
+ "id": "misconfigured_trusted_setup",
3027
+ "name": "Misconfigured Trusted Setup",
3028
+ "type": "subcategory",
3029
+ "priority": null
3030
+ },
3031
+ {
3032
+ "id": "mismatching_bit_lengths",
3033
+ "name": "Mismatching Bit Lengths",
3034
+ "type": "subcategory",
3035
+ "priority": null
3036
+ },
3037
+ {
3038
+ "id": "missing_constraint",
3039
+ "name": "Missing Constraint",
3040
+ "type": "subcategory",
3041
+ "priority": null
3042
+ },
3043
+ {
3044
+ "id": "missing_range_check",
3045
+ "name": "Missing Range Check",
3046
+ "type": "subcategory",
3047
+ "priority": null
3048
+ }
3049
+ ]
3050
+ }
3051
+ ]
3052
+ }