vrt 0.13.3 → 0.13.4

@@ -0,0 +1,3058 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2025-03-11T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "ai_application_security",
8
+ "name": "AI Application Security",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "llm_security",
13
+ "name": "Large Language Model (LLM) Security",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "excessive_agency_permission_manipulation",
18
+ "name": "Excessive Agency/Permission Manipulation",
19
+ "type": "variant",
20
+ "priority": 2
21
+ },
22
+ {
23
+ "id": "llm_output_handling",
24
+ "name": "LLM Output Handling",
25
+ "type": "variant",
26
+ "priority": 1
27
+ },
28
+ {
29
+ "id": "prompt_injection",
30
+ "name": "Prompt Injection",
31
+ "type": "variant",
32
+ "priority": 1
33
+ },
34
+ {
35
+ "id": "training_data_poisoning",
36
+ "name": "Training Data Poisoning",
37
+ "type": "variant",
38
+ "priority": 1
39
+ }
40
+ ]
41
+ }
42
+ ]
43
+ },
44
+ {
45
+ "id": "algorithmic_biases",
46
+ "name": "Algorithmic Biases",
47
+ "type": "category",
48
+ "children": [
49
+ {
50
+ "id": "aggregation_bias",
51
+ "name": "Aggregation Bias",
52
+ "type": "subcategory",
53
+ "priority": null
54
+ },
55
+ {
56
+ "id": "processing_bias",
57
+ "name": "Processing Bias",
58
+ "type": "subcategory",
59
+ "priority": null
60
+ }
61
+ ]
62
+ },
63
+ {
64
+ "id": "application_level_denial_of_service_dos",
65
+ "name": "Application-Level Denial-of-Service (DoS)",
66
+ "type": "category",
67
+ "children": [
68
+ {
69
+ "id": "app_crash",
70
+ "name": "App Crash",
71
+ "type": "subcategory",
72
+ "children": [
73
+ {
74
+ "id": "malformed_android_intents",
75
+ "name": "Malformed Android Intents",
76
+ "type": "variant",
77
+ "priority": 5
78
+ },
79
+ {
80
+ "id": "malformed_ios_url_schemes",
81
+ "name": "Malformed iOS URL Schemes",
82
+ "type": "variant",
83
+ "priority": 5
84
+ }
85
+ ]
86
+ },
87
+ {
88
+ "id": "critical_impact_and_or_easy_difficulty",
89
+ "name": "Critical Impact and/or Easy Difficulty",
90
+ "type": "subcategory",
91
+ "priority": 2
92
+ },
93
+ {
94
+ "id": "excessive_resource_consumption",
95
+ "name": "Excessive Resource Consumption",
96
+ "type": "subcategory",
97
+ "children": [
98
+ {
99
+ "id": "injection_prompt",
100
+ "name": "Injection (Prompt)",
101
+ "type": "variant",
102
+ "priority": null
103
+ }
104
+ ]
105
+ },
106
+ {
107
+ "id": "high_impact_and_or_medium_difficulty",
108
+ "name": "High Impact and/or Medium Difficulty",
109
+ "type": "subcategory",
110
+ "priority": 3
111
+ }
112
+ ]
113
+ },
114
+ {
115
+ "id": "automotive_security_misconfiguration",
116
+ "name": "Automotive Security Misconfiguration",
117
+ "type": "category",
118
+ "children": [
119
+ {
120
+ "id": "abs",
121
+ "name": "Automatic Braking System (ABS)",
122
+ "type": "subcategory",
123
+ "children": [
124
+ {
125
+ "id": "unintended_acceleration_brake",
126
+ "name": "Unintended Acceleration / Brake",
127
+ "type": "variant",
128
+ "priority": 3
129
+ }
130
+ ]
131
+ },
132
+ {
133
+ "id": "battery_management_system",
134
+ "name": "Battery Management System",
135
+ "type": "subcategory",
136
+ "children": [
137
+ {
138
+ "id": "firmware_dump",
139
+ "name": "Firmware Dump",
140
+ "type": "variant",
141
+ "priority": 3
142
+ },
143
+ {
144
+ "id": "fraudulent_interface",
145
+ "name": "Fraudulent Interface",
146
+ "type": "variant",
147
+ "priority": 4
148
+ }
149
+ ]
150
+ },
151
+ {
152
+ "id": "can",
153
+ "name": "CAN",
154
+ "type": "subcategory",
155
+ "children": [
156
+ {
157
+ "id": "injection_basic_safety_message",
158
+ "name": "Injection (Basic Safety Message)",
159
+ "type": "variant",
160
+ "priority": 3
161
+ },
162
+ {
163
+ "id": "injection_battery_management_system",
164
+ "name": "Injection (Battery Management System)",
165
+ "type": "variant",
166
+ "priority": 3
167
+ },
168
+ {
169
+ "id": "injection_disallowed_messages",
170
+ "name": "Injection (Disallowed Messages)",
171
+ "type": "variant",
172
+ "priority": 4
173
+ },
174
+ {
175
+ "id": "injection_dos",
176
+ "name": "Injection (DoS)",
177
+ "type": "variant",
178
+ "priority": 4
179
+ },
180
+ {
181
+ "id": "injection_headlights",
182
+ "name": "Injection (Headlights)",
183
+ "type": "variant",
184
+ "priority": 3
185
+ },
186
+ {
187
+ "id": "injection_powertrain",
188
+ "name": "Injection (Powertrain)",
189
+ "type": "variant",
190
+ "priority": 3
191
+ },
192
+ {
193
+ "id": "injection_pyrotechnical_device_deployment_tool",
194
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
195
+ "type": "variant",
196
+ "priority": 3
197
+ },
198
+ {
199
+ "id": "injection_sensors",
200
+ "name": "Injection (Sensors)",
201
+ "type": "variant",
202
+ "priority": 3
203
+ },
204
+ {
205
+ "id": "injection_steering_control",
206
+ "name": "Injection (Steering Control)",
207
+ "type": "variant",
208
+ "priority": 3
209
+ },
210
+ {
211
+ "id": "injection_vehicle_anti_theft_systems",
212
+ "name": "Injection (Vehicle Anti-theft Systems)",
213
+ "type": "variant",
214
+ "priority": 3
215
+ }
216
+ ]
217
+ },
218
+ {
219
+ "id": "gnss_gps",
220
+ "name": "GNSS / GPS",
221
+ "type": "subcategory",
222
+ "children": [
223
+ {
224
+ "id": "spoofing",
225
+ "name": "Spoofing",
226
+ "type": "variant",
227
+ "priority": 4
228
+ }
229
+ ]
230
+ },
231
+ {
232
+ "id": "immobilizer",
233
+ "name": "Immobilizer",
234
+ "type": "subcategory",
235
+ "children": [
236
+ {
237
+ "id": "engine_start",
238
+ "name": "Engine Start",
239
+ "type": "variant",
240
+ "priority": 3
241
+ }
242
+ ]
243
+ },
244
+ {
245
+ "id": "infotainment_radio_head_unit",
246
+ "name": "Infotainment, Radio Head Unit",
247
+ "type": "subcategory",
248
+ "children": [
249
+ {
250
+ "id": "code_execution_can_bus_pivot",
251
+ "name": "Code Execution (CAN Bus Pivot)",
252
+ "type": "variant",
253
+ "priority": 2
254
+ },
255
+ {
256
+ "id": "code_execution_no_can_bus_pivot",
257
+ "name": "Code Execution (No CAN Bus Pivot)",
258
+ "type": "variant",
259
+ "priority": 3
260
+ },
261
+ {
262
+ "id": "default_credentials",
263
+ "name": "Default Credentials",
264
+ "type": "variant",
265
+ "priority": 4
266
+ },
267
+ {
268
+ "id": "dos_brick",
269
+ "name": "Denial of Service (DoS / Brick)",
270
+ "type": "variant",
271
+ "priority": 4
272
+ },
273
+ {
274
+ "id": "ota_firmware_manipulation",
275
+ "name": "OTA Firmware Manipulation",
276
+ "type": "variant",
277
+ "priority": 2
278
+ },
279
+ {
280
+ "id": "sensitive_data_leakage_exposure",
281
+ "name": "Sensitive data Leakage/Exposure",
282
+ "type": "variant",
283
+ "priority": 1
284
+ },
285
+ {
286
+ "id": "source_code_dump",
287
+ "name": "Source Code Dump",
288
+ "type": "variant",
289
+ "priority": 4
290
+ },
291
+ {
292
+ "id": "unauthorized_access_to_services",
293
+ "name": "Unauthorized Access to Services (API / Endpoints)",
294
+ "type": "variant",
295
+ "priority": 3
296
+ }
297
+ ]
298
+ },
299
+ {
300
+ "id": "rf_hub",
301
+ "name": "RF Hub",
302
+ "type": "subcategory",
303
+ "children": [
304
+ {
305
+ "id": "can_injection_interaction",
306
+ "name": "CAN Injection / Interaction",
307
+ "type": "variant",
308
+ "priority": 2
309
+ },
310
+ {
311
+ "id": "data_leakage_pull_encryption_mechanism",
312
+ "name": "Data Leakage / Pull Encryption Mechanism",
313
+ "type": "variant",
314
+ "priority": 3
315
+ },
316
+ {
317
+ "id": "key_fob_cloning",
318
+ "name": "Key Fob Cloning",
319
+ "type": "variant",
320
+ "priority": 1
321
+ },
322
+ {
323
+ "id": "relay",
324
+ "name": "Relay",
325
+ "type": "variant",
326
+ "priority": 5
327
+ },
328
+ {
329
+ "id": "replay",
330
+ "name": "Replay",
331
+ "type": "variant",
332
+ "priority": 5
333
+ },
334
+ {
335
+ "id": "roll_jam",
336
+ "name": "Roll Jam",
337
+ "type": "variant",
338
+ "priority": 5
339
+ },
340
+ {
341
+ "id": "unauthorized_access_turn_on",
342
+ "name": "Unauthorized Access / Turn On",
343
+ "type": "variant",
344
+ "priority": 4
345
+ }
346
+ ]
347
+ },
348
+ {
349
+ "id": "rsu",
350
+ "name": "Roadside Unit (RSU)",
351
+ "type": "subcategory",
352
+ "children": [
353
+ {
354
+ "id": "sybil_attack",
355
+ "name": "Sybil Attack",
356
+ "type": "variant",
357
+ "priority": 4
358
+ }
359
+ ]
360
+ }
361
+ ]
362
+ },
363
+ {
364
+ "id": "blockchain_infrastructure_misconfiguration",
365
+ "name": "Blockchain Infrastructure Misconfiguration",
366
+ "type": "category",
367
+ "children": [
368
+ {
369
+ "id": "improper_bridge_validation_and_verification_logic",
370
+ "name": "Improper Bridge Validation and Verification Logic",
371
+ "type": "subcategory",
372
+ "priority": null
373
+ }
374
+ ]
375
+ },
376
+ {
377
+ "id": "broken_access_control",
378
+ "name": "Broken Access Control (BAC)",
379
+ "type": "category",
380
+ "children": [
381
+ {
382
+ "id": "exposed_sensitive_android_intent",
383
+ "name": "Exposed Sensitive Android Intent",
384
+ "type": "subcategory",
385
+ "priority": null
386
+ },
387
+ {
388
+ "id": "exposed_sensitive_ios_url_scheme",
389
+ "name": "Exposed Sensitive iOS URL Scheme",
390
+ "type": "subcategory",
391
+ "priority": null
392
+ },
393
+ {
394
+ "id": "idor",
395
+ "name": "Insecure Direct Object References (IDOR)",
396
+ "type": "subcategory",
397
+ "children": [
398
+ {
399
+ "id": "modify_sensitive_information_iterable_object_identifiers",
400
+ "name": "Modify Sensitive Information(Iterable Object Identifiers)",
401
+ "type": "variant",
402
+ "priority": 2
403
+ },
404
+ {
405
+ "id": "modify_view_sensitive_information_guid",
406
+ "name": "Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID)",
407
+ "type": "variant",
408
+ "priority": 4
409
+ },
410
+ {
411
+ "id": "modify_view_sensitive_information_iterable_object_identifiers",
412
+ "name": "Modify/View Sensitive Information(Iterable Object Identifiers)",
413
+ "type": "variant",
414
+ "priority": 1
415
+ },
416
+ {
417
+ "id": "view_non_sensitive_information",
418
+ "name": "View Non-Sensitive Information",
419
+ "type": "variant",
420
+ "priority": 5
421
+ },
422
+ {
423
+ "id": "view_sensitive_information_iterable_object_identifiers",
424
+ "name": "View Sensitive Information(Iterable Object Identifiers)",
425
+ "type": "variant",
426
+ "priority": 3
427
+ }
428
+ ]
429
+ },
430
+ {
431
+ "id": "privilege_escalation",
432
+ "name": "Privilege Escalation",
433
+ "type": "subcategory",
434
+ "priority": null
435
+ },
436
+ {
437
+ "id": "username_enumeration",
438
+ "name": "Username/Email Enumeration",
439
+ "type": "subcategory",
440
+ "children": [
441
+ {
442
+ "id": "non_brute_force",
443
+ "name": "Non-Brute Force",
444
+ "type": "variant",
445
+ "priority": 4
446
+ }
447
+ ]
448
+ }
449
+ ]
450
+ },
451
+ {
452
+ "id": "broken_authentication_and_session_management",
453
+ "name": "Broken Authentication and Session Management",
454
+ "type": "category",
455
+ "children": [
456
+ {
457
+ "id": "authentication_bypass",
458
+ "name": "Authentication Bypass",
459
+ "type": "subcategory",
460
+ "priority": 1
461
+ },
462
+ {
463
+ "id": "cleartext_transmission_of_session_token",
464
+ "name": "Cleartext Transmission of Session Token",
465
+ "type": "subcategory",
466
+ "priority": 4
467
+ },
468
+ {
469
+ "id": "concurrent_logins",
470
+ "name": "Concurrent Logins",
471
+ "type": "subcategory",
472
+ "priority": 5
473
+ },
474
+ {
475
+ "id": "failure_to_invalidate_session",
476
+ "name": "Failure to Invalidate Session",
477
+ "type": "subcategory",
478
+ "children": [
479
+ {
480
+ "id": "all_sessions",
481
+ "name": "Concurrent Sessions On Logout",
482
+ "type": "variant",
483
+ "priority": 5
484
+ },
485
+ {
486
+ "id": "long_timeout",
487
+ "name": "Long Timeout",
488
+ "type": "variant",
489
+ "priority": 5
490
+ },
491
+ {
492
+ "id": "on_email_change",
493
+ "name": "On Email Change",
494
+ "type": "variant",
495
+ "priority": 5
496
+ },
497
+ {
498
+ "id": "on_logout",
499
+ "name": "On Logout (Client and Server-Side)",
500
+ "type": "variant",
501
+ "priority": 4
502
+ },
503
+ {
504
+ "id": "on_logout_server_side_only",
505
+ "name": "On Logout (Server-Side Only)",
506
+ "type": "variant",
507
+ "priority": 5
508
+ },
509
+ {
510
+ "id": "on_password_change",
511
+ "name": "On Password Reset and/or Change",
512
+ "type": "variant",
513
+ "priority": 4
514
+ },
515
+ {
516
+ "id": "on_two_fa_activation_change",
517
+ "name": "On 2FA Activation/Change",
518
+ "type": "variant",
519
+ "priority": 5
520
+ },
521
+ {
522
+ "id": "permission_change",
523
+ "name": "On Permission Change",
524
+ "type": "variant",
525
+ "priority": null
526
+ }
527
+ ]
528
+ },
529
+ {
530
+ "id": "saml_replay",
531
+ "name": "SAML Replay",
532
+ "type": "subcategory",
533
+ "priority": 5
534
+ },
535
+ {
536
+ "id": "session_fixation",
537
+ "name": "Session Fixation",
538
+ "type": "subcategory",
539
+ "children": [
540
+ {
541
+ "id": "local_attack_vector",
542
+ "name": "Local Attack Vector",
543
+ "type": "variant",
544
+ "priority": 5
545
+ },
546
+ {
547
+ "id": "remote_attack_vector",
548
+ "name": "Remote Attack Vector",
549
+ "type": "variant",
550
+ "priority": 3
551
+ }
552
+ ]
553
+ },
554
+ {
555
+ "id": "two_fa_bypass",
556
+ "name": "Second Factor Authentication (2FA) Bypass",
557
+ "type": "subcategory",
558
+ "priority": 3
559
+ },
560
+ {
561
+ "id": "weak_login_function",
562
+ "name": "Weak Login Function",
563
+ "type": "subcategory",
564
+ "children": [
565
+ {
566
+ "id": "not_operational",
567
+ "name": "Not Operational or Intended Public Access",
568
+ "type": "variant",
569
+ "priority": 5
570
+ },
571
+ {
572
+ "id": "other_plaintext_protocol_no_secure_alternative",
573
+ "name": "Other Plaintext Protocol with no Secure Alternative",
574
+ "type": "variant",
575
+ "priority": 4
576
+ },
577
+ {
578
+ "id": "over_http",
579
+ "name": "Over HTTP",
580
+ "type": "variant",
581
+ "priority": 4
582
+ }
583
+ ]
584
+ },
585
+ {
586
+ "id": "weak_registration_implementation",
587
+ "name": "Weak Registration Implementation",
588
+ "type": "subcategory",
589
+ "children": [
590
+ {
591
+ "id": "over_http",
592
+ "name": "Over HTTP",
593
+ "type": "variant",
594
+ "priority": 4
595
+ }
596
+ ]
597
+ }
598
+ ]
599
+ },
600
+ {
601
+ "id": "client_side_injection",
602
+ "name": "Client-Side Injection",
603
+ "type": "category",
604
+ "children": [
605
+ {
606
+ "id": "binary_planting",
607
+ "name": "Binary Planting",
608
+ "type": "subcategory",
609
+ "children": [
610
+ {
611
+ "id": "no_privilege_escalation",
612
+ "name": "No Privilege Escalation",
613
+ "type": "variant",
614
+ "priority": 5
615
+ },
616
+ {
617
+ "id": "non_default_folder_privilege_escalation",
618
+ "name": "Non-Default Folder Privilege Escalation",
619
+ "type": "variant",
620
+ "priority": 5
621
+ },
622
+ {
623
+ "id": "privilege_escalation",
624
+ "name": "Default Folder Privilege Escalation",
625
+ "type": "variant",
626
+ "priority": 3
627
+ }
628
+ ]
629
+ }
630
+ ]
631
+ },
632
+ {
633
+ "id": "cross_site_request_forgery_csrf",
634
+ "name": "Cross-Site Request Forgery (CSRF)",
635
+ "type": "category",
636
+ "children": [
637
+ {
638
+ "id": "action_specific",
639
+ "name": "Action-Specific",
640
+ "type": "subcategory",
641
+ "children": [
642
+ {
643
+ "id": "authenticated_action",
644
+ "name": "Authenticated Action",
645
+ "type": "variant",
646
+ "priority": null
647
+ },
648
+ {
649
+ "id": "logout",
650
+ "name": "Logout",
651
+ "type": "variant",
652
+ "priority": 5
653
+ },
654
+ {
655
+ "id": "unauthenticated_action",
656
+ "name": "Unauthenticated Action",
657
+ "type": "variant",
658
+ "priority": null
659
+ }
660
+ ]
661
+ },
662
+ {
663
+ "id": "application_wide",
664
+ "name": "Application-Wide",
665
+ "type": "subcategory",
666
+ "priority": 2
667
+ },
668
+ {
669
+ "id": "csrf_token_not_unique_per_request",
670
+ "name": "CSRF Token Not Unique Per Request",
671
+ "type": "subcategory",
672
+ "priority": 5
673
+ },
674
+ {
675
+ "id": "flash_based",
676
+ "name": "Flash-Based",
677
+ "type": "subcategory",
678
+ "priority": 5
679
+ }
680
+ ]
681
+ },
682
+ {
683
+ "id": "cross_site_scripting_xss",
684
+ "name": "Cross-Site Scripting (XSS)",
685
+ "type": "category",
686
+ "children": [
687
+ {
688
+ "id": "cookie_based",
689
+ "name": "Cookie-Based",
690
+ "type": "subcategory",
691
+ "priority": 5
692
+ },
693
+ {
694
+ "id": "flash_based",
695
+ "name": "Flash-Based",
696
+ "type": "subcategory",
697
+ "priority": 5
698
+ },
699
+ {
700
+ "id": "ie_only",
701
+ "name": "IE-Only",
702
+ "type": "subcategory",
703
+ "priority": 5
704
+ },
705
+ {
706
+ "id": "off_domain",
707
+ "name": "Off-Domain",
708
+ "type": "subcategory",
709
+ "children": [
710
+ {
711
+ "id": "data_uri",
712
+ "name": "Data URI",
713
+ "type": "variant",
714
+ "priority": 4
715
+ }
716
+ ]
717
+ },
718
+ {
719
+ "id": "referer",
720
+ "name": "Referer",
721
+ "type": "subcategory",
722
+ "priority": 4
723
+ },
724
+ {
725
+ "id": "reflected",
726
+ "name": "Reflected",
727
+ "type": "subcategory",
728
+ "children": [
729
+ {
730
+ "id": "non_self",
731
+ "name": "Non-Self",
732
+ "type": "variant",
733
+ "priority": 3
734
+ },
735
+ {
736
+ "id": "self",
737
+ "name": "Self",
738
+ "type": "variant",
739
+ "priority": 5
740
+ }
741
+ ]
742
+ },
743
+ {
744
+ "id": "stored",
745
+ "name": "Stored",
746
+ "type": "subcategory",
747
+ "children": [
748
+ {
749
+ "id": "non_admin_to_anyone",
750
+ "name": "Non-Privileged User to Anyone",
751
+ "type": "variant",
752
+ "priority": 2
753
+ },
754
+ {
755
+ "id": "privileged_user_to_no_privilege_elevation",
756
+ "name": "Privileged User to No Privilege Elevation",
757
+ "type": "variant",
758
+ "priority": 4
759
+ },
760
+ {
761
+ "id": "privileged_user_to_privilege_elevation",
762
+ "name": "Privileged User to Privilege Elevation",
763
+ "type": "variant",
764
+ "priority": 3
765
+ },
766
+ {
767
+ "id": "self",
768
+ "name": "Self",
769
+ "type": "variant",
770
+ "priority": 5
771
+ },
772
+ {
773
+ "id": "url_based",
774
+ "name": "CSRF/URL-Based",
775
+ "type": "variant",
776
+ "priority": 3
777
+ }
778
+ ]
779
+ },
780
+ {
781
+ "id": "trace_method",
782
+ "name": "TRACE Method",
783
+ "type": "subcategory",
784
+ "priority": 5
785
+ },
786
+ {
787
+ "id": "universal_uxss",
788
+ "name": "Universal (UXSS)",
789
+ "type": "subcategory",
790
+ "priority": 4
791
+ }
792
+ ]
793
+ },
794
+ {
795
+ "id": "cryptographic_weakness",
796
+ "name": "Cryptographic Weakness",
797
+ "type": "category",
798
+ "children": [
799
+ {
800
+ "id": "broken_cryptography",
801
+ "name": "Broken Cryptography",
802
+ "type": "subcategory",
803
+ "children": [
804
+ {
805
+ "id": "use_of_broken_cryptographic_primitive",
806
+ "name": "Use of Broken Cryptographic Primitive",
807
+ "type": "variant",
808
+ "priority": 3
809
+ },
810
+ {
811
+ "id": "use_of_vulnerable_cryptographic_library",
812
+ "name": "Use of Vulnerable Cryptographic Library",
813
+ "type": "variant",
814
+ "priority": 4
815
+ }
816
+ ]
817
+ },
818
+ {
819
+ "id": "incomplete_cleanup_of_keying_material",
820
+ "name": "Incomplete Cleanup of Keying Material",
821
+ "type": "subcategory",
822
+ "priority": 5
823
+ },
824
+ {
825
+ "id": "insecure_implementation",
826
+ "name": "Insecure Implementation",
827
+ "type": "subcategory",
828
+ "children": [
829
+ {
830
+ "id": "improper_following_of_specification",
831
+ "name": "Improper Following of Specification (Other)",
832
+ "type": "variant",
833
+ "priority": null
834
+ },
835
+ {
836
+ "id": "missing_cryptographic_step",
837
+ "name": "Missing Cryptographic Step",
838
+ "type": "variant",
839
+ "priority": null
840
+ }
841
+ ]
842
+ },
843
+ {
844
+ "id": "insecure_key_generation",
845
+ "name": "Insecure Key Generation",
846
+ "type": "subcategory",
847
+ "children": [
848
+ {
849
+ "id": "improper_asymmetric_exponent_selection",
850
+ "name": "Improper Asymmetric Exponent Selection",
851
+ "type": "variant",
852
+ "priority": null
853
+ },
854
+ {
855
+ "id": "improper_asymmetric_prime_selection",
856
+ "name": "Improper Asymmetric Prime Selection",
857
+ "type": "variant",
858
+ "priority": null
859
+ },
860
+ {
861
+ "id": "insufficient_key_space",
862
+ "name": "Insufficient Key Space",
863
+ "type": "variant",
864
+ "priority": 3
865
+ },
866
+ {
867
+ "id": "insufficient_key_stretching",
868
+ "name": "Insufficient Key Stretching",
869
+ "type": "variant",
870
+ "priority": null
871
+ },
872
+ {
873
+ "id": "key_exchange_without_entity_authentication",
874
+ "name": "Key Exchage Without Entity Authentication",
875
+ "type": "variant",
876
+ "priority": 4
877
+ }
878
+ ]
879
+ },
880
+ {
881
+ "id": "insufficient_entropy",
882
+ "name": "Insufficient Entropy",
883
+ "type": "subcategory",
884
+ "children": [
885
+ {
886
+ "id": "initialization_vector_reuse",
887
+ "name": "Initialization Vector (IV) Reuse",
888
+ "type": "variant",
889
+ "priority": 5
890
+ },
891
+ {
892
+ "id": "limited_rng_entropy_source",
893
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
894
+ "type": "variant",
895
+ "priority": 4
896
+ },
897
+ {
898
+ "id": "predictable_initialization_vector",
899
+ "name": "Predictable Initialization Vector (IV)",
900
+ "type": "variant",
901
+ "priority": 4
902
+ },
903
+ {
904
+ "id": "predictable_prng_seed",
905
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
906
+ "type": "variant",
907
+ "priority": 4
908
+ },
909
+ {
910
+ "id": "prng_seed_reuse",
911
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
912
+ "type": "variant",
913
+ "priority": 5
914
+ },
915
+ {
916
+ "id": "small_seed_space_in_prng",
917
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
918
+ "type": "variant",
919
+ "priority": 4
920
+ },
921
+ {
922
+ "id": "use_of_trng_for_nonsecurity_purpose",
923
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
924
+ "type": "variant",
925
+ "priority": 5
926
+ }
927
+ ]
928
+ },
929
+ {
930
+ "id": "insufficient_verification_of_data_authenticity",
931
+ "name": "Insufficient Verification of Data Authenticity",
932
+ "type": "subcategory",
933
+ "children": [
934
+ {
935
+ "id": "cryptographic_signature",
936
+ "name": "Cryptographic Signature",
937
+ "type": "variant",
938
+ "priority": null
939
+ },
940
+ {
941
+ "id": "identity_check_value",
942
+ "name": "Integrity Check Value (ICV)",
943
+ "type": "variant",
944
+ "priority": 4
945
+ }
946
+ ]
947
+ },
948
+ {
949
+ "id": "key_reuse",
950
+ "name": "Key Reuse",
951
+ "type": "subcategory",
952
+ "children": [
953
+ {
954
+ "id": "inter_environment",
955
+ "name": "Inter-Environment",
956
+ "type": "variant",
957
+ "priority": 2
958
+ },
959
+ {
960
+ "id": "intra_environment",
961
+ "name": "Intra-Environment",
962
+ "type": "variant",
963
+ "priority": 5
964
+ },
965
+ {
966
+ "id": "lack_of_perfect_forward_secrecy",
967
+ "name": "Lack of Perfect Forward Secrecy",
968
+ "type": "variant",
969
+ "priority": 4
970
+ }
971
+ ]
972
+ },
973
+ {
974
+ "id": "side_channel_attack",
975
+ "name": "Side-Channel Attack",
976
+ "type": "subcategory",
977
+ "children": [
978
+ {
979
+ "id": "differential_fault_analysis",
980
+ "name": "Differential Fault Analysis",
981
+ "type": "variant",
982
+ "priority": null
983
+ },
984
+ {
985
+ "id": "emanations_attack",
986
+ "name": "Emanations Attack",
987
+ "type": "variant",
988
+ "priority": 5
989
+ },
990
+ {
991
+ "id": "padding_oracle_attack",
992
+ "name": "Padding Oracle Attack",
993
+ "type": "variant",
994
+ "priority": 4
995
+ },
996
+ {
997
+ "id": "power_analysis_attack",
998
+ "name": "Power Analysis Attack",
999
+ "type": "variant",
1000
+ "priority": 5
1001
+ },
1002
+ {
1003
+ "id": "timing_attack",
1004
+ "name": "Timing Attack",
1005
+ "type": "variant",
1006
+ "priority": 4
1007
+ }
1008
+ ]
1009
+ },
1010
+ {
1011
+ "id": "use_of_expired_cryptographic_key_or_cert",
1012
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
1013
+ "type": "subcategory",
1014
+ "priority": 4
1015
+ },
1016
+ {
1017
+ "id": "weak_hash",
1018
+ "name": "Weak Hash",
1019
+ "type": "subcategory",
1020
+ "children": [
1021
+ {
1022
+ "id": "lack_of_salt",
1023
+ "name": "Lack of Salt",
1024
+ "type": "variant",
1025
+ "priority": null
1026
+ },
1027
+ {
1028
+ "id": "predictable_hash_collision",
1029
+ "name": "Predictable Hash Collision",
1030
+ "type": "variant",
1031
+ "priority": null
1032
+ },
1033
+ {
1034
+ "id": "use_of_predictable_salt",
1035
+ "name": "Use of Predictable Salt",
1036
+ "type": "variant",
1037
+ "priority": 5
1038
+ }
1039
+ ]
1040
+ }
1041
+ ]
1042
+ },
1043
+ {
1044
+ "id": "data_biases",
1045
+ "name": "Data Biases",
1046
+ "type": "category",
1047
+ "children": [
1048
+ {
1049
+ "id": "pre_existing_bias",
1050
+ "name": "Pre-existing Bias",
1051
+ "type": "subcategory",
1052
+ "priority": null
1053
+ },
1054
+ {
1055
+ "id": "representation_bias",
1056
+ "name": "Representation Bias",
1057
+ "type": "subcategory",
1058
+ "priority": null
1059
+ }
1060
+ ]
1061
+ },
1062
+ {
1063
+ "id": "decentralized_application_misconfiguration",
1064
+ "name": "Decentralized Application Misconfiguration",
1065
+ "type": "category",
1066
+ "children": [
1067
+ {
1068
+ "id": "defi_security",
1069
+ "name": "DeFi Security",
1070
+ "type": "subcategory",
1071
+ "children": [
1072
+ {
1073
+ "id": "flash_loan_attack",
1074
+ "name": "Flash Loan Attack",
1075
+ "type": "variant",
1076
+ "priority": null
1077
+ },
1078
+ {
1079
+ "id": "function_level_accounting_error",
1080
+ "name": "Function-Level Accounting Error",
1081
+ "type": "variant",
1082
+ "priority": null
1083
+ },
1084
+ {
1085
+ "id": "improper_implementation_of_governance",
1086
+ "name": "Improper Implementation of Governance",
1087
+ "type": "variant",
1088
+ "priority": null
1089
+ },
1090
+ {
1091
+ "id": "pricing_oracle_manipulation",
1092
+ "name": "Pricing Oracle Manipulation",
1093
+ "type": "variant",
1094
+ "priority": null
1095
+ }
1096
+ ]
1097
+ },
1098
+ {
1099
+ "id": "improper_authorization",
1100
+ "name": "Improper Authorization",
1101
+ "type": "subcategory",
1102
+ "children": [
1103
+ {
1104
+ "id": "insufficient_signature_validation",
1105
+ "name": "Insufficient Signature Validation",
1106
+ "type": "variant",
1107
+ "priority": null
1108
+ }
1109
+ ]
1110
+ },
1111
+ {
1112
+ "id": "insecure_data_storage",
1113
+ "name": "Insecure Data Storage",
1114
+ "type": "subcategory",
1115
+ "children": [
1116
+ {
1117
+ "id": "plaintext_private_key",
1118
+ "name": "Plaintext Private Key",
1119
+ "type": "variant",
1120
+ "priority": 1
1121
+ },
1122
+ {
1123
+ "id": "sensitive_information_exposure",
1124
+ "name": "Sensitive Information Exposure",
1125
+ "type": "variant",
1126
+ "priority": null
1127
+ }
1128
+ ]
1129
+ },
1130
+ {
1131
+ "id": "marketplace_security",
1132
+ "name": "Marketplace Security",
1133
+ "type": "subcategory",
1134
+ "children": [
1135
+ {
1136
+ "id": "denial_of_service",
1137
+ "name": "Denial of Service",
1138
+ "type": "variant",
1139
+ "priority": null
1140
+ },
1141
+ {
1142
+ "id": "improper_validation_and_checks_for_deposits_and_withdrawals",
1143
+ "name": "Improper Validation and Checks For Deposits and Withdrawals",
1144
+ "type": "variant",
1145
+ "priority": null
1146
+ },
1147
+ {
1148
+ "id": "malicious_order_offer",
1149
+ "name": "Malicious Order Offer",
1150
+ "type": "variant",
1151
+ "priority": 2
1152
+ },
1153
+ {
1154
+ "id": "miscalculated_accounting_logic",
1155
+ "name": "Miscalculated Accounting Logic",
1156
+ "type": "variant",
1157
+ "priority": null
1158
+ },
1159
+ {
1160
+ "id": "ofac_bypass",
1161
+ "name": "OFAC Bypass",
1162
+ "type": "variant",
1163
+ "priority": 3
1164
+ },
1165
+ {
1166
+ "id": "orderbook_manipulation",
1167
+ "name": "Orderbook Manipulation",
1168
+ "type": "variant",
1169
+ "priority": 1
1170
+ },
1171
+ {
1172
+ "id": "price_or_fee_manipulation",
1173
+ "name": "Price or Fee Manipulation",
1174
+ "type": "variant",
1175
+ "priority": 2
1176
+ },
1177
+ {
1178
+ "id": "signer_account_takeover",
1179
+ "name": "Signer Account Takeover",
1180
+ "type": "variant",
1181
+ "priority": 1
1182
+ },
1183
+ {
1184
+ "id": "unauthorized_asset_transfer",
1185
+ "name": "Unauthorized Asset Transfer",
1186
+ "type": "variant",
1187
+ "priority": 1
1188
+ }
1189
+ ]
1190
+ },
1191
+ {
1192
+ "id": "protocol_security_misconfiguration",
1193
+ "name": "Protocol Security Misconfiguration",
1194
+ "type": "subcategory",
1195
+ "children": [
1196
+ {
1197
+ "id": "node_level_denial_of_service",
1198
+ "name": "Node-level Denial of Service",
1199
+ "type": "variant",
1200
+ "priority": 1
1201
+ }
1202
+ ]
1203
+ }
1204
+ ]
1205
+ },
1206
+ {
1207
+ "id": "developer_biases",
1208
+ "name": "Developer Biases",
1209
+ "type": "category",
1210
+ "children": [
1211
+ {
1212
+ "id": "implicit_bias",
1213
+ "name": "Implicit Bias",
1214
+ "type": "subcategory",
1215
+ "priority": null
1216
+ }
1217
+ ]
1218
+ },
1219
+ {
1220
+ "id": "external_behavior",
1221
+ "name": "External Behavior",
1222
+ "type": "category",
1223
+ "children": [
1224
+ {
1225
+ "id": "browser_feature",
1226
+ "name": "Browser Feature",
1227
+ "type": "subcategory",
1228
+ "children": [
1229
+ {
1230
+ "id": "aggressive_offline_caching",
1231
+ "name": "Aggressive Offline Caching",
1232
+ "type": "variant",
1233
+ "priority": 5
1234
+ },
1235
+ {
1236
+ "id": "autocomplete_enabled",
1237
+ "name": "Autocomplete Enabled",
1238
+ "type": "variant",
1239
+ "priority": 5
1240
+ },
1241
+ {
1242
+ "id": "autocorrect_enabled",
1243
+ "name": "Autocorrect Enabled",
1244
+ "type": "variant",
1245
+ "priority": 5
1246
+ },
1247
+ {
1248
+ "id": "plaintext_password_field",
1249
+ "name": "Plaintext Password Field",
1250
+ "type": "variant",
1251
+ "priority": 5
1252
+ },
1253
+ {
1254
+ "id": "save_password",
1255
+ "name": "Save Password",
1256
+ "type": "variant",
1257
+ "priority": 5
1258
+ }
1259
+ ]
1260
+ },
1261
+ {
1262
+ "id": "captcha_bypass",
1263
+ "name": "Captcha Bypass",
1264
+ "type": "subcategory",
1265
+ "children": [
1266
+ {
1267
+ "id": "crowdsourcing",
1268
+ "name": "Crowdsourcing",
1269
+ "type": "variant",
1270
+ "priority": 5
1271
+ }
1272
+ ]
1273
+ },
1274
+ {
1275
+ "id": "csv_injection",
1276
+ "name": "CSV Injection",
1277
+ "type": "subcategory",
1278
+ "priority": 5
1279
+ },
1280
+ {
1281
+ "id": "system_clipboard_leak",
1282
+ "name": "System Clipboard Leak",
1283
+ "type": "subcategory",
1284
+ "children": [
1285
+ {
1286
+ "id": "shared_links",
1287
+ "name": "Shared Links",
1288
+ "type": "variant",
1289
+ "priority": 5
1290
+ }
1291
+ ]
1292
+ },
1293
+ {
1294
+ "id": "user_password_persisted_in_memory",
1295
+ "name": "User Password Persisted in Memory",
1296
+ "type": "subcategory",
1297
+ "priority": 5
1298
+ }
1299
+ ]
1300
+ },
1301
+ {
1302
+ "id": "indicators_of_compromise",
1303
+ "name": "Indicators of Compromise",
1304
+ "type": "category",
1305
+ "priority": null
1306
+ },
1307
+ {
1308
+ "id": "insecure_data_storage",
1309
+ "name": "Insecure Data Storage",
1310
+ "type": "category",
1311
+ "children": [
1312
+ {
1313
+ "id": "non_sensitive_application_data_stored_unencrypted",
1314
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1315
+ "type": "subcategory",
1316
+ "priority": 5
1317
+ },
1318
+ {
1319
+ "id": "screen_caching_enabled",
1320
+ "name": "Screen Caching Enabled",
1321
+ "type": "subcategory",
1322
+ "priority": 5
1323
+ },
1324
+ {
1325
+ "id": "sensitive_application_data_stored_unencrypted",
1326
+ "name": "Sensitive Application Data Stored Unencrypted",
1327
+ "type": "subcategory",
1328
+ "children": [
1329
+ {
1330
+ "id": "on_external_storage",
1331
+ "name": "On External Storage",
1332
+ "type": "variant",
1333
+ "priority": 4
1334
+ },
1335
+ {
1336
+ "id": "on_internal_storage",
1337
+ "name": "On Internal Storage",
1338
+ "type": "variant",
1339
+ "priority": 5
1340
+ }
1341
+ ]
1342
+ },
1343
+ {
1344
+ "id": "server_side_credentials_storage",
1345
+ "name": "Server-Side Credentials Storage",
1346
+ "type": "subcategory",
1347
+ "children": [
1348
+ {
1349
+ "id": "plaintext",
1350
+ "name": "Plaintext",
1351
+ "type": "variant",
1352
+ "priority": 4
1353
+ }
1354
+ ]
1355
+ }
1356
+ ]
1357
+ },
1358
+ {
1359
+ "id": "insecure_data_transport",
1360
+ "name": "Insecure Data Transport",
1361
+ "type": "category",
1362
+ "children": [
1363
+ {
1364
+ "id": "cleartext_transmission_of_sensitive_data",
1365
+ "name": "Cleartext Transmission of Sensitive Data",
1366
+ "type": "subcategory",
1367
+ "priority": null
1368
+ },
1369
+ {
1370
+ "id": "executable_download",
1371
+ "name": "Executable Download",
1372
+ "type": "subcategory",
1373
+ "children": [
1374
+ {
1375
+ "id": "no_secure_integrity_check",
1376
+ "name": "No Secure Integrity Check",
1377
+ "type": "variant",
1378
+ "priority": 4
1379
+ },
1380
+ {
1381
+ "id": "secure_integrity_check",
1382
+ "name": "Secure Integrity Check",
1383
+ "type": "variant",
1384
+ "priority": 5
1385
+ }
1386
+ ]
1387
+ }
1388
+ ]
1389
+ },
1390
+ {
1391
+ "id": "insecure_os_firmware",
1392
+ "name": "Insecure OS/Firmware",
1393
+ "type": "category",
1394
+ "children": [
1395
+ {
1396
+ "id": "command_injection",
1397
+ "name": "Command Injection",
1398
+ "type": "subcategory",
1399
+ "priority": 1
1400
+ },
1401
+ {
1402
+ "id": "data_not_encrypted_at_rest",
1403
+ "name": "Data not encrypted at rest",
1404
+ "type": "subcategory",
1405
+ "children": [
1406
+ {
1407
+ "id": "non_sensitive",
1408
+ "name": "Non sensitive",
1409
+ "type": "variant",
1410
+ "priority": 5
1411
+ },
1412
+ {
1413
+ "id": "sensitive",
1414
+ "name": "Sensitive",
1415
+ "type": "variant",
1416
+ "priority": null
1417
+ }
1418
+ ]
1419
+ },
1420
+ {
1421
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
1422
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
1423
+ "type": "subcategory",
1424
+ "priority": null
1425
+ },
1426
+ {
1427
+ "id": "hardcoded_password",
1428
+ "name": "Hardcoded Password",
1429
+ "type": "subcategory",
1430
+ "children": [
1431
+ {
1432
+ "id": "non_privileged_user",
1433
+ "name": "Non-Privileged User",
1434
+ "type": "variant",
1435
+ "priority": 2
1436
+ },
1437
+ {
1438
+ "id": "privileged_user",
1439
+ "name": "Privileged User",
1440
+ "type": "variant",
1441
+ "priority": 1
1442
+ }
1443
+ ]
1444
+ },
1445
+ {
1446
+ "id": "kiosk_escape_or_breakout",
1447
+ "name": "Kiosk Escape or Breakout",
1448
+ "type": "subcategory",
1449
+ "priority": null
1450
+ },
1451
+ {
1452
+ "id": "local_administrator_on_default_environment",
1453
+ "name": "Local Administrator on default environment",
1454
+ "type": "subcategory",
1455
+ "priority": 2
1456
+ },
1457
+ {
1458
+ "id": "over_permissioned_credentials_on_storage",
1459
+ "name": "Over-Permissioned Credentials on Storage",
1460
+ "type": "subcategory",
1461
+ "priority": 2
1462
+ },
1463
+ {
1464
+ "id": "poorly_configured_disk_encryption",
1465
+ "name": "Poorly Configured Disk Encryption",
1466
+ "type": "subcategory",
1467
+ "priority": null
1468
+ },
1469
+ {
1470
+ "id": "poorly_configured_operating_system_security",
1471
+ "name": "Poorly Configured Operating System Security",
1472
+ "type": "subcategory",
1473
+ "priority": null
1474
+ },
1475
+ {
1476
+ "id": "recovery_of_disk_contains_sensitive_material",
1477
+ "name": "Recovery of Disk Contains Sensitive Material",
1478
+ "type": "subcategory",
1479
+ "priority": null
1480
+ },
1481
+ {
1482
+ "id": "shared_credentials_on_storage",
1483
+ "name": "Shared Credentials on Storage",
1484
+ "type": "subcategory",
1485
+ "priority": 3
1486
+ },
1487
+ {
1488
+ "id": "weakness_in_firmware_updates",
1489
+ "name": "Weakness in Firmware Updates",
1490
+ "type": "subcategory",
1491
+ "children": [
1492
+ {
1493
+ "id": "firmware_cannot_be_updated",
1494
+ "name": "Firmware cannot be updated",
1495
+ "type": "variant",
1496
+ "priority": null
1497
+ },
1498
+ {
1499
+ "id": "firmware_does_not_validate_update_integrity",
1500
+ "name": "Firmware does not validate update integrity",
1501
+ "type": "variant",
1502
+ "priority": 3
1503
+ },
1504
+ {
1505
+ "id": "firmware_is_not_encrypted",
1506
+ "name": "Firmware is not encrypted",
1507
+ "type": "variant",
1508
+ "priority": 5
1509
+ }
1510
+ ]
1511
+ }
1512
+ ]
1513
+ },
1514
+ {
1515
+ "id": "insufficient_security_configurability",
1516
+ "name": "Insufficient Security Configurability",
1517
+ "type": "category",
1518
+ "children": [
1519
+ {
1520
+ "id": "lack_of_notification_email",
1521
+ "name": "Lack of Notification Email",
1522
+ "type": "subcategory",
1523
+ "priority": 5
1524
+ },
1525
+ {
1526
+ "id": "no_password_policy",
1527
+ "name": "No Password Policy",
1528
+ "type": "subcategory",
1529
+ "priority": 4
1530
+ },
1531
+ {
1532
+ "id": "password_policy_bypass",
1533
+ "name": "Password Policy Bypass",
1534
+ "type": "subcategory",
1535
+ "priority": 5
1536
+ },
1537
+ {
1538
+ "id": "verification_of_contact_method_not_required",
1539
+ "name": "Verification of Contact Method not Required",
1540
+ "type": "subcategory",
1541
+ "priority": 5
1542
+ },
1543
+ {
1544
+ "id": "weak_password_policy",
1545
+ "name": "Weak Password Policy",
1546
+ "type": "subcategory",
1547
+ "priority": 5
1548
+ },
1549
+ {
1550
+ "id": "weak_password_reset_implementation",
1551
+ "name": "Weak Password Reset Implementation",
1552
+ "type": "subcategory",
1553
+ "children": [
1554
+ {
1555
+ "id": "token_has_long_timed_expiry",
1556
+ "name": "Token Has Long Timed Expiry",
1557
+ "type": "variant",
1558
+ "priority": 5
1559
+ },
1560
+ {
1561
+ "id": "token_is_not_invalidated_after_email_change",
1562
+ "name": "Token is Not Invalidated After Email Change",
1563
+ "type": "variant",
1564
+ "priority": 5
1565
+ },
1566
+ {
1567
+ "id": "token_is_not_invalidated_after_login",
1568
+ "name": "Token is Not Invalidated After Login",
1569
+ "type": "variant",
1570
+ "priority": 5
1571
+ },
1572
+ {
1573
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1574
+ "name": "Token is Not Invalidated After New Token is Requested",
1575
+ "type": "variant",
1576
+ "priority": 5
1577
+ },
1578
+ {
1579
+ "id": "token_is_not_invalidated_after_password_change",
1580
+ "name": "Token is Not Invalidated After Password Change",
1581
+ "type": "variant",
1582
+ "priority": 5
1583
+ },
1584
+ {
1585
+ "id": "token_is_not_invalidated_after_use",
1586
+ "name": "Token is Not Invalidated After Use",
1587
+ "type": "variant",
1588
+ "priority": 4
1589
+ }
1590
+ ]
1591
+ },
1592
+ {
1593
+ "id": "weak_registration_implementation",
1594
+ "name": "Weak Registration Implementation",
1595
+ "type": "subcategory",
1596
+ "children": [
1597
+ {
1598
+ "id": "allows_disposable_email_addresses",
1599
+ "name": "Allows Disposable Email Addresses",
1600
+ "type": "variant",
1601
+ "priority": 5
1602
+ }
1603
+ ]
1604
+ },
1605
+ {
1606
+ "id": "weak_two_fa_implementation",
1607
+ "name": "Weak 2FA Implementation",
1608
+ "type": "subcategory",
1609
+ "children": [
1610
+ {
1611
+ "id": "missing_failsafe",
1612
+ "name": "Missing Failsafe",
1613
+ "type": "variant",
1614
+ "priority": 5
1615
+ },
1616
+ {
1617
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1618
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1619
+ "type": "variant",
1620
+ "priority": 5
1621
+ },
1622
+ {
1623
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1624
+ "name": "2FA Code is Not Updated After New Code is Requested",
1625
+ "type": "variant",
1626
+ "priority": 5
1627
+ },
1628
+ {
1629
+ "id": "two_fa_secret_cannot_be_rotated",
1630
+ "name": "2FA Secret Cannot be Rotated",
1631
+ "type": "variant",
1632
+ "priority": 4
1633
+ },
1634
+ {
1635
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1636
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1637
+ "type": "variant",
1638
+ "priority": 4
1639
+ }
1640
+ ]
1641
+ }
1642
+ ]
1643
+ },
1644
+ {
1645
+ "id": "lack_of_binary_hardening",
1646
+ "name": "Lack of Binary Hardening",
1647
+ "type": "category",
1648
+ "children": [
1649
+ {
1650
+ "id": "lack_of_exploit_mitigations",
1651
+ "name": "Lack of Exploit Mitigations",
1652
+ "type": "subcategory",
1653
+ "priority": 5
1654
+ },
1655
+ {
1656
+ "id": "lack_of_jailbreak_detection",
1657
+ "name": "Lack of Jailbreak Detection",
1658
+ "type": "subcategory",
1659
+ "priority": 5
1660
+ },
1661
+ {
1662
+ "id": "lack_of_obfuscation",
1663
+ "name": "Lack of Obfuscation",
1664
+ "type": "subcategory",
1665
+ "priority": 5
1666
+ },
1667
+ {
1668
+ "id": "runtime_instrumentation_based",
1669
+ "name": "Runtime Instrumentation-Based",
1670
+ "type": "subcategory",
1671
+ "priority": 5
1672
+ }
1673
+ ]
1674
+ },
1675
+ {
1676
+ "id": "misinterpretation_biases",
1677
+ "name": "Misinterpretation Biases",
1678
+ "type": "category",
1679
+ "children": [
1680
+ {
1681
+ "id": "context_ignorance",
1682
+ "name": "Context Ignorance",
1683
+ "type": "subcategory",
1684
+ "priority": null
1685
+ }
1686
+ ]
1687
+ },
1688
+ {
1689
+ "id": "mobile_security_misconfiguration",
1690
+ "name": "Mobile Security Misconfiguration",
1691
+ "type": "category",
1692
+ "children": [
1693
+ {
1694
+ "id": "auto_backup_allowed_by_default",
1695
+ "name": "Auto Backup Allowed by Default",
1696
+ "type": "subcategory",
1697
+ "priority": 5
1698
+ },
1699
+ {
1700
+ "id": "clipboard_enabled",
1701
+ "name": "Clipboard Enabled",
1702
+ "type": "subcategory",
1703
+ "priority": 5
1704
+ },
1705
+ {
1706
+ "id": "ssl_certificate_pinning",
1707
+ "name": "SSL Certificate Pinning",
1708
+ "type": "subcategory",
1709
+ "children": [
1710
+ {
1711
+ "id": "absent",
1712
+ "name": "Absent",
1713
+ "type": "variant",
1714
+ "priority": 5
1715
+ },
1716
+ {
1717
+ "id": "defeatable",
1718
+ "name": "Defeatable",
1719
+ "type": "variant",
1720
+ "priority": 5
1721
+ }
1722
+ ]
1723
+ },
1724
+ {
1725
+ "id": "tapjacking",
1726
+ "name": "Tapjacking",
1727
+ "type": "subcategory",
1728
+ "priority": 5
1729
+ }
1730
+ ]
1731
+ },
1732
+ {
1733
+ "id": "network_security_misconfiguration",
1734
+ "name": "Network Security Misconfiguration",
1735
+ "type": "category",
1736
+ "children": [
1737
+ {
1738
+ "id": "telnet_enabled",
1739
+ "name": "Telnet Enabled",
1740
+ "type": "subcategory",
1741
+ "priority": 5
1742
+ }
1743
+ ]
1744
+ },
1745
+ {
1746
+ "id": "physical_security_issues",
1747
+ "name": "Physical Security Issues",
1748
+ "type": "category",
1749
+ "children": [
1750
+ {
1751
+ "id": "bypass_of_physical_access_control",
1752
+ "name": "Bypass of physical access control",
1753
+ "type": "subcategory",
1754
+ "priority": null
1755
+ },
1756
+ {
1757
+ "id": "weakness_in_physical_access_control",
1758
+ "name": "Weakness in physical access control",
1759
+ "type": "subcategory",
1760
+ "children": [
1761
+ {
1762
+ "id": "cloneable_key",
1763
+ "name": "Cloneable Key",
1764
+ "type": "variant",
1765
+ "priority": null
1766
+ },
1767
+ {
1768
+ "id": "commonly_keyed_system",
1769
+ "name": "Commonly Keyed System",
1770
+ "type": "variant",
1771
+ "priority": 2
1772
+ },
1773
+ {
1774
+ "id": "master_key_identification",
1775
+ "name": "Master Key Identification",
1776
+ "type": "variant",
1777
+ "priority": null
1778
+ }
1779
+ ]
1780
+ }
1781
+ ]
1782
+ },
1783
+ {
1784
+ "id": "privacy_concerns",
1785
+ "name": "Privacy Concerns",
1786
+ "type": "category",
1787
+ "children": [
1788
+ {
1789
+ "id": "unnecessary_data_collection",
1790
+ "name": "Unnecessary Data Collection",
1791
+ "type": "subcategory",
1792
+ "children": [
1793
+ {
1794
+ "id": "wifi_ssid_password",
1795
+ "name": "WiFi SSID+Password",
1796
+ "type": "variant",
1797
+ "priority": 4
1798
+ }
1799
+ ]
1800
+ }
1801
+ ]
1802
+ },
1803
+ {
1804
+ "id": "protocol_specific_misconfiguration",
1805
+ "name": "Protocol Specific Misconfiguration",
1806
+ "type": "category",
1807
+ "children": [
1808
+ {
1809
+ "id": "frontrunning_enabled_attack",
1810
+ "name": "Frontrunning-Enabled Attack",
1811
+ "type": "subcategory",
1812
+ "priority": 2
1813
+ },
1814
+ {
1815
+ "id": "improper_validation_and_finalization_logic",
1816
+ "name": "Improper Validation and Finalization Logic",
1817
+ "type": "subcategory",
1818
+ "priority": null
1819
+ },
1820
+ {
1821
+ "id": "misconfigured_staking_logic",
1822
+ "name": "Misconfigured Staking Logic",
1823
+ "type": "subcategory",
1824
+ "priority": null
1825
+ },
1826
+ {
1827
+ "id": "sandwich_enabled_attack",
1828
+ "name": "Sandwich-Enabled Attack",
1829
+ "type": "subcategory",
1830
+ "priority": 2
1831
+ }
1832
+ ]
1833
+ },
1834
+ {
1835
+ "id": "sensitive_data_exposure",
1836
+ "name": "Sensitive Data Exposure",
1837
+ "type": "category",
1838
+ "children": [
1839
+ {
1840
+ "id": "disclosure_of_known_public_information",
1841
+ "name": "Disclosure of Known Public Information",
1842
+ "type": "subcategory",
1843
+ "priority": 5
1844
+ },
1845
+ {
1846
+ "id": "disclosure_of_secrets",
1847
+ "name": "Disclosure of Secrets",
1848
+ "type": "subcategory",
1849
+ "children": [
1850
+ {
1851
+ "id": "data_traffic_spam",
1852
+ "name": "Data/Traffic Spam",
1853
+ "type": "variant",
1854
+ "priority": 5
1855
+ },
1856
+ {
1857
+ "id": "for_internal_asset",
1858
+ "name": "For Internal Asset",
1859
+ "type": "variant",
1860
+ "priority": 3
1861
+ },
1862
+ {
1863
+ "id": "for_publicly_accessible_asset",
1864
+ "name": "For Publicly Accessible Asset",
1865
+ "type": "variant",
1866
+ "priority": 1
1867
+ },
1868
+ {
1869
+ "id": "intentionally_public_sample_or_invalid",
1870
+ "name": "Intentionally Public, Sample or Invalid",
1871
+ "type": "variant",
1872
+ "priority": 5
1873
+ },
1874
+ {
1875
+ "id": "non_corporate_user",
1876
+ "name": "Non-Corporate User",
1877
+ "type": "variant",
1878
+ "priority": 5
1879
+ },
1880
+ {
1881
+ "id": "pay_per_use_abuse",
1882
+ "name": "Pay-Per-Use Abuse",
1883
+ "type": "variant",
1884
+ "priority": 4
1885
+ },
1886
+ {
1887
+ "id": "pii_leakage_exposure",
1888
+ "name": "PII Leakage/Exposure",
1889
+ "type": "variant",
1890
+ "priority": null
1891
+ }
1892
+ ]
1893
+ },
1894
+ {
1895
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
1896
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
1897
+ "type": "subcategory",
1898
+ "children": [
1899
+ {
1900
+ "id": "automatic_user_enumeration",
1901
+ "name": "Automatic User Enumeration",
1902
+ "type": "variant",
1903
+ "priority": 3
1904
+ },
1905
+ {
1906
+ "id": "manual_user_enumeration",
1907
+ "name": "Manual User Enumeration",
1908
+ "type": "variant",
1909
+ "priority": 4
1910
+ }
1911
+ ]
1912
+ },
1913
+ {
1914
+ "id": "internal_ip_disclosure",
1915
+ "name": "Internal IP Disclosure",
1916
+ "type": "subcategory",
1917
+ "priority": 5
1918
+ },
1919
+ {
1920
+ "id": "json_hijacking",
1921
+ "name": "JSON Hijacking",
1922
+ "type": "subcategory",
1923
+ "priority": 5
1924
+ },
1925
+ {
1926
+ "id": "mixed_content",
1927
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
1928
+ "type": "subcategory",
1929
+ "priority": 5
1930
+ },
1931
+ {
1932
+ "id": "non_sensitive_token_in_url",
1933
+ "name": "Non-Sensitive Token in URL",
1934
+ "type": "subcategory",
1935
+ "priority": 5
1936
+ },
1937
+ {
1938
+ "id": "sensitive_data_hardcoded",
1939
+ "name": "Sensitive Data Hardcoded",
1940
+ "type": "subcategory",
1941
+ "children": [
1942
+ {
1943
+ "id": "file_paths",
1944
+ "name": "File Paths",
1945
+ "type": "variant",
1946
+ "priority": 5
1947
+ },
1948
+ {
1949
+ "id": "oauth_secret",
1950
+ "name": "OAuth Secret",
1951
+ "type": "variant",
1952
+ "priority": 5
1953
+ }
1954
+ ]
1955
+ },
1956
+ {
1957
+ "id": "sensitive_token_in_url",
1958
+ "name": "Sensitive Token in URL",
1959
+ "type": "subcategory",
1960
+ "children": [
1961
+ {
1962
+ "id": "in_the_background",
1963
+ "name": "In the Background",
1964
+ "type": "variant",
1965
+ "priority": 5
1966
+ },
1967
+ {
1968
+ "id": "on_password_reset",
1969
+ "name": "On Password Reset",
1970
+ "type": "variant",
1971
+ "priority": 5
1972
+ },
1973
+ {
1974
+ "id": "user_facing",
1975
+ "name": "User Facing",
1976
+ "type": "variant",
1977
+ "priority": 4
1978
+ }
1979
+ ]
1980
+ },
1981
+ {
1982
+ "id": "token_leakage_via_referer",
1983
+ "name": "Token Leakage via Referer",
1984
+ "type": "subcategory",
1985
+ "children": [
1986
+ {
1987
+ "id": "over_http",
1988
+ "name": "Over HTTP",
1989
+ "type": "variant",
1990
+ "priority": 4
1991
+ },
1992
+ {
1993
+ "id": "password_reset_token",
1994
+ "name": "Password Reset Token",
1995
+ "type": "variant",
1996
+ "priority": 5
1997
+ },
1998
+ {
1999
+ "id": "trusted_third_party",
2000
+ "name": "Trusted 3rd Party",
2001
+ "type": "variant",
2002
+ "priority": 5
2003
+ },
2004
+ {
2005
+ "id": "untrusted_third_party",
2006
+ "name": "Untrusted 3rd Party",
2007
+ "type": "variant",
2008
+ "priority": 4
2009
+ }
2010
+ ]
2011
+ },
2012
+ {
2013
+ "id": "via_localstorage_sessionstorage",
2014
+ "name": "Via localStorage/sessionStorage",
2015
+ "type": "subcategory",
2016
+ "children": [
2017
+ {
2018
+ "id": "non_sensitive_token",
2019
+ "name": "Non-Sensitive Token",
2020
+ "type": "variant",
2021
+ "priority": 5
2022
+ },
2023
+ {
2024
+ "id": "sensitive_token",
2025
+ "name": "Sensitive Token",
2026
+ "type": "variant",
2027
+ "priority": 4
2028
+ }
2029
+ ]
2030
+ },
2031
+ {
2032
+ "id": "visible_detailed_error_page",
2033
+ "name": "Visible Detailed Error/Debug Page",
2034
+ "type": "subcategory",
2035
+ "children": [
2036
+ {
2037
+ "id": "descriptive_stack_trace",
2038
+ "name": "Descriptive Stack Trace",
2039
+ "type": "variant",
2040
+ "priority": 5
2041
+ },
2042
+ {
2043
+ "id": "detailed_server_configuration",
2044
+ "name": "Detailed Server Configuration",
2045
+ "type": "variant",
2046
+ "priority": 4
2047
+ },
2048
+ {
2049
+ "id": "full_path_disclosure",
2050
+ "name": "Full Path Disclosure",
2051
+ "type": "variant",
2052
+ "priority": 5
2053
+ }
2054
+ ]
2055
+ },
2056
+ {
2057
+ "id": "weak_password_reset_implementation",
2058
+ "name": "Weak Password Reset Implementation",
2059
+ "type": "subcategory",
2060
+ "children": [
2061
+ {
2062
+ "id": "password_reset_token_sent_over_http",
2063
+ "name": "Password Reset Token Sent Over HTTP",
2064
+ "type": "variant",
2065
+ "priority": 4
2066
+ },
2067
+ {
2068
+ "id": "token_leakage_via_host_header_poisoning",
2069
+ "name": "Token Leakage via Host Header Poisoning",
2070
+ "type": "variant",
2071
+ "priority": 2
2072
+ }
2073
+ ]
2074
+ },
2075
+ {
2076
+ "id": "xssi",
2077
+ "name": "Cross Site Script Inclusion (XSSI)",
2078
+ "type": "subcategory",
2079
+ "priority": null
2080
+ }
2081
+ ]
2082
+ },
2083
+ {
2084
+ "id": "server_security_misconfiguration",
2085
+ "name": "Server Security Misconfiguration",
2086
+ "type": "category",
2087
+ "children": [
2088
+ {
2089
+ "id": "bitsquatting",
2090
+ "name": "Bitsquatting",
2091
+ "type": "subcategory",
2092
+ "priority": 5
2093
+ },
2094
+ {
2095
+ "id": "cache_poisoning",
2096
+ "name": "Cache Poisoning",
2097
+ "type": "subcategory",
2098
+ "priority": null
2099
+ },
2100
+ {
2101
+ "id": "cache_deception",
2102
+ "name": "Cache Deception",
2103
+ "type": "subcategory",
2104
+ "priority": null
2105
+ },
2106
+ {
2107
+ "id": "captcha",
2108
+ "name": "CAPTCHA",
2109
+ "type": "subcategory",
2110
+ "children": [
2111
+ {
2112
+ "id": "brute_force",
2113
+ "name": "Brute Force",
2114
+ "type": "variant",
2115
+ "priority": 5
2116
+ },
2117
+ {
2118
+ "id": "implementation_vulnerability",
2119
+ "name": "Implementation Vulnerability",
2120
+ "type": "variant",
2121
+ "priority": 4
2122
+ },
2123
+ {
2124
+ "id": "missing",
2125
+ "name": "Missing",
2126
+ "type": "variant",
2127
+ "priority": 5
2128
+ }
2129
+ ]
2130
+ },
2131
+ {
2132
+ "id": "clickjacking",
2133
+ "name": "Clickjacking",
2134
+ "type": "subcategory",
2135
+ "children": [
2136
+ {
2137
+ "id": "form_input",
2138
+ "name": "Form Input",
2139
+ "type": "variant",
2140
+ "priority": 5
2141
+ },
2142
+ {
2143
+ "id": "non_sensitive_action",
2144
+ "name": "Non-Sensitive Action",
2145
+ "type": "variant",
2146
+ "priority": 5
2147
+ },
2148
+ {
2149
+ "id": "sensitive_action",
2150
+ "name": "Sensitive Click-Based Action",
2151
+ "type": "variant",
2152
+ "priority": 4
2153
+ }
2154
+ ]
2155
+ },
2156
+ {
2157
+ "id": "cookie_scoped_to_parent_domain",
2158
+ "name": "Cookie Scoped to Parent Domain",
2159
+ "type": "subcategory",
2160
+ "priority": 5
2161
+ },
2162
+ {
2163
+ "id": "dbms_misconfiguration",
2164
+ "name": "Database Management System (DBMS) Misconfiguration",
2165
+ "type": "subcategory",
2166
+ "children": [
2167
+ {
2168
+ "id": "excessively_privileged_user_dba",
2169
+ "name": "Excessively Privileged User / DBA",
2170
+ "type": "variant",
2171
+ "priority": 4
2172
+ }
2173
+ ]
2174
+ },
2175
+ {
2176
+ "id": "directory_listing_enabled",
2177
+ "name": "Directory Listing Enabled",
2178
+ "type": "subcategory",
2179
+ "children": [
2180
+ {
2181
+ "id": "non_sensitive_data_exposure",
2182
+ "name": "Non-Sensitive Data Exposure",
2183
+ "type": "variant",
2184
+ "priority": 5
2185
+ },
2186
+ {
2187
+ "id": "sensitive_data_exposure",
2188
+ "name": "Sensitive Data Exposure",
2189
+ "type": "variant",
2190
+ "priority": null
2191
+ }
2192
+ ]
2193
+ },
2194
+ {
2195
+ "id": "email_verification_bypass",
2196
+ "name": "Email Verification Bypass",
2197
+ "type": "subcategory",
2198
+ "priority": 5
2199
+ },
2200
+ {
2201
+ "id": "exposed_admin_portal",
2202
+ "name": "Exposed Admin Portal",
2203
+ "type": "subcategory",
2204
+ "children": [
2205
+ {
2206
+ "id": "to_internet",
2207
+ "name": "To Internet",
2208
+ "type": "variant",
2209
+ "priority": 5
2210
+ }
2211
+ ]
2212
+ },
2213
+ {
2214
+ "id": "fingerprinting_banner_disclosure",
2215
+ "name": "Fingerprinting/Banner Disclosure",
2216
+ "type": "subcategory",
2217
+ "priority": 5
2218
+ },
2219
+ {
2220
+ "id": "insecure_ssl",
2221
+ "name": "Insecure SSL",
2222
+ "type": "subcategory",
2223
+ "children": [
2224
+ {
2225
+ "id": "certificate_error",
2226
+ "name": "Certificate Error",
2227
+ "type": "variant",
2228
+ "priority": 5
2229
+ },
2230
+ {
2231
+ "id": "insecure_cipher_suite",
2232
+ "name": "Insecure Cipher Suite",
2233
+ "type": "variant",
2234
+ "priority": 5
2235
+ },
2236
+ {
2237
+ "id": "lack_of_forward_secrecy",
2238
+ "name": "Lack of Forward Secrecy",
2239
+ "type": "variant",
2240
+ "priority": 5
2241
+ }
2242
+ ]
2243
+ },
2244
+ {
2245
+ "id": "lack_of_password_confirmation",
2246
+ "name": "Lack of Password Confirmation",
2247
+ "type": "subcategory",
2248
+ "children": [
2249
+ {
2250
+ "id": "change_email_address",
2251
+ "name": "Change Email Address",
2252
+ "type": "variant",
2253
+ "priority": 5
2254
+ },
2255
+ {
2256
+ "id": "change_password",
2257
+ "name": "Change Password",
2258
+ "type": "variant",
2259
+ "priority": 5
2260
+ },
2261
+ {
2262
+ "id": "delete_account",
2263
+ "name": "Delete Account",
2264
+ "type": "variant",
2265
+ "priority": 4
2266
+ },
2267
+ {
2268
+ "id": "manage_two_fa",
2269
+ "name": "Manage 2FA",
2270
+ "type": "variant",
2271
+ "priority": 5
2272
+ }
2273
+ ]
2274
+ },
2275
+ {
2276
+ "id": "lack_of_security_headers",
2277
+ "name": "Lack of Security Headers",
2278
+ "type": "subcategory",
2279
+ "children": [
2280
+ {
2281
+ "id": "cache_control_for_a_non_sensitive_page",
2282
+ "name": "Cache-Control for a Non-Sensitive Page",
2283
+ "type": "variant",
2284
+ "priority": 5
2285
+ },
2286
+ {
2287
+ "id": "cache_control_for_a_sensitive_page",
2288
+ "name": "Cache-Control for a Sensitive Page",
2289
+ "type": "variant",
2290
+ "priority": 4
2291
+ },
2292
+ {
2293
+ "id": "content_security_policy",
2294
+ "name": "Content-Security-Policy",
2295
+ "type": "variant",
2296
+ "priority": 5
2297
+ },
2298
+ {
2299
+ "id": "content_security_policy_report_only",
2300
+ "name": "Content-Security-Policy-Report-Only",
2301
+ "type": "variant",
2302
+ "priority": 5
2303
+ },
2304
+ {
2305
+ "id": "public_key_pins",
2306
+ "name": "Public-Key-Pins",
2307
+ "type": "variant",
2308
+ "priority": 5
2309
+ },
2310
+ {
2311
+ "id": "strict_transport_security",
2312
+ "name": "Strict-Transport-Security",
2313
+ "type": "variant",
2314
+ "priority": 5
2315
+ },
2316
+ {
2317
+ "id": "x_content_security_policy",
2318
+ "name": "X-Content-Security-Policy",
2319
+ "type": "variant",
2320
+ "priority": 5
2321
+ },
2322
+ {
2323
+ "id": "x_content_type_options",
2324
+ "name": "X-Content-Type-Options",
2325
+ "type": "variant",
2326
+ "priority": 5
2327
+ },
2328
+ {
2329
+ "id": "x_frame_options",
2330
+ "name": "X-Frame-Options",
2331
+ "type": "variant",
2332
+ "priority": 5
2333
+ },
2334
+ {
2335
+ "id": "x_webkit_csp",
2336
+ "name": "X-Webkit-CSP",
2337
+ "type": "variant",
2338
+ "priority": 5
2339
+ },
2340
+ {
2341
+ "id": "x_xss_protection",
2342
+ "name": "X-XSS-Protection",
2343
+ "type": "variant",
2344
+ "priority": 5
2345
+ }
2346
+ ]
2347
+ },
2348
+ {
2349
+ "id": "mail_server_misconfiguration",
2350
+ "name": "Mail Server Misconfiguration",
2351
+ "type": "subcategory",
2352
+ "children": [
2353
+ {
2354
+ "id": "email_spoofing_on_non_email_domain",
2355
+ "name": "Email Spoofing on Non-Email Domain",
2356
+ "type": "variant",
2357
+ "priority": 5
2358
+ },
2359
+ {
2360
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
2361
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
2362
+ "type": "variant",
2363
+ "priority": 4
2364
+ },
2365
+ {
2366
+ "id": "email_spoofing_to_spam_folder",
2367
+ "name": "Email Spoofing to Spam Folder",
2368
+ "type": "variant",
2369
+ "priority": 5
2370
+ },
2371
+ {
2372
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
2373
+ "name": "Missing or Misconfigured SPF and/or DKIM",
2374
+ "type": "variant",
2375
+ "priority": 5
2376
+ },
2377
+ {
2378
+ "id": "no_spoofing_protection_on_email_domain",
2379
+ "name": "No Spoofing Protection on Email Domain",
2380
+ "type": "variant",
2381
+ "priority": 3
2382
+ }
2383
+ ]
2384
+ },
2385
+ {
2386
+ "id": "misconfigured_dns",
2387
+ "name": "Misconfigured DNS",
2388
+ "type": "subcategory",
2389
+ "children": [
2390
+ {
2391
+ "id": "missing_caa_record",
2392
+ "name": "Missing Certification Authority Authorization (CAA) Record",
2393
+ "type": "variant",
2394
+ "priority": 5
2395
+ },
2396
+ {
2397
+ "id": "subdomain_takeover",
2398
+ "name": "Subdomain Takeover",
2399
+ "type": "variant",
2400
+ "priority": 3
2401
+ },
2402
+ {
2403
+ "id": "zone_transfer",
2404
+ "name": "Zone Transfer",
2405
+ "type": "variant",
2406
+ "priority": 4
2407
+ }
2408
+ ]
2409
+ },
2410
+ {
2411
+ "id": "missing_dnssec",
2412
+ "name": "Missing DNSSEC",
2413
+ "type": "subcategory",
2414
+ "priority": 5
2415
+ },
2416
+ {
2417
+ "id": "missing_secure_or_httponly_cookie_flag",
2418
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
2419
+ "type": "subcategory",
2420
+ "children": [
2421
+ {
2422
+ "id": "non_session_cookie",
2423
+ "name": "Non-Session Cookie",
2424
+ "type": "variant",
2425
+ "priority": 5
2426
+ },
2427
+ {
2428
+ "id": "session_token",
2429
+ "name": "Session Token",
2430
+ "type": "variant",
2431
+ "priority": 4
2432
+ }
2433
+ ]
2434
+ },
2435
+ {
2436
+ "id": "missing_subresource_integrity",
2437
+ "name": "Missing Subresource Integrity",
2438
+ "type": "subcategory",
2439
+ "priority": 5
2440
+ },
2441
+ {
2442
+ "id": "no_rate_limiting_on_form",
2443
+ "name": "No Rate Limiting on Form",
2444
+ "type": "subcategory",
2445
+ "children": [
2446
+ {
2447
+ "id": "change_password",
2448
+ "name": "Change Password",
2449
+ "type": "variant",
2450
+ "priority": 5
2451
+ },
2452
+ {
2453
+ "id": "email_triggering",
2454
+ "name": "Email-Triggering",
2455
+ "type": "variant",
2456
+ "priority": 4
2457
+ },
2458
+ {
2459
+ "id": "login",
2460
+ "name": "Login",
2461
+ "type": "variant",
2462
+ "priority": 4
2463
+ },
2464
+ {
2465
+ "id": "registration",
2466
+ "name": "Registration",
2467
+ "type": "variant",
2468
+ "priority": 4
2469
+ },
2470
+ {
2471
+ "id": "sms_triggering",
2472
+ "name": "SMS-Triggering",
2473
+ "type": "variant",
2474
+ "priority": 4
2475
+ }
2476
+ ]
2477
+ },
2478
+ {
2479
+ "id": "oauth_misconfiguration",
2480
+ "name": "OAuth Misconfiguration",
2481
+ "type": "subcategory",
2482
+ "children": [
2483
+ {
2484
+ "id": "account_squatting",
2485
+ "name": "Account Squatting",
2486
+ "type": "variant",
2487
+ "priority": 4
2488
+ },
2489
+ {
2490
+ "id": "account_takeover",
2491
+ "name": "Account Takeover",
2492
+ "type": "variant",
2493
+ "priority": 2
2494
+ },
2495
+ {
2496
+ "id": "insecure_redirect_uri",
2497
+ "name": "Insecure Redirect URI",
2498
+ "type": "variant",
2499
+ "priority": null
2500
+ },
2501
+ {
2502
+ "id": "missing_state_parameter",
2503
+ "name": "Missing/Broken State Parameter",
2504
+ "type": "variant",
2505
+ "priority": null
2506
+ }
2507
+ ]
2508
+ },
2509
+ {
2510
+ "id": "path_traversal",
2511
+ "name": "Path Traversal",
2512
+ "type": "subcategory",
2513
+ "priority": null
2514
+ },
2515
+ {
2516
+ "id": "potentially_unsafe_http_method_enabled",
2517
+ "name": "Potentially Unsafe HTTP Method Enabled",
2518
+ "type": "subcategory",
2519
+ "children": [
2520
+ {
2521
+ "id": "options",
2522
+ "name": "OPTIONS",
2523
+ "type": "variant",
2524
+ "priority": 5
2525
+ },
2526
+ {
2527
+ "id": "trace",
2528
+ "name": "TRACE",
2529
+ "type": "variant",
2530
+ "priority": 5
2531
+ }
2532
+ ]
2533
+ },
2534
+ {
2535
+ "id": "race_condition",
2536
+ "name": "Race Condition",
2537
+ "type": "subcategory",
2538
+ "priority": null
2539
+ },
2540
+ {
2541
+ "id": "request_smuggling",
2542
+ "name": "HTTP Request Smuggling",
2543
+ "type": "subcategory",
2544
+ "priority": null
2545
+ },
2546
+ {
2547
+ "id": "rfd",
2548
+ "name": "Reflected File Download (RFD)",
2549
+ "type": "subcategory",
2550
+ "priority": 5
2551
+ },
2552
+ {
2553
+ "id": "same_site_scripting",
2554
+ "name": "Same-Site Scripting",
2555
+ "type": "subcategory",
2556
+ "priority": 5
2557
+ },
2558
+ {
2559
+ "id": "server_side_request_forgery_ssrf",
2560
+ "name": "Server-Side Request Forgery (SSRF)",
2561
+ "type": "subcategory",
2562
+ "children": [
2563
+ {
2564
+ "id": "external_dns_query_only",
2565
+ "name": "External - DNS Query Only",
2566
+ "type": "variant",
2567
+ "priority": 5
2568
+ },
2569
+ {
2570
+ "id": "external_low_impact",
2571
+ "name": "External - Low impact",
2572
+ "type": "variant",
2573
+ "priority": 5
2574
+ },
2575
+ {
2576
+ "id": "internal_high_impact",
2577
+ "name": "Internal High Impact",
2578
+ "type": "variant",
2579
+ "priority": 2
2580
+ },
2581
+ {
2582
+ "id": "internal_scan_and_or_medium_impact",
2583
+ "name": "Internal Scan and/or Medium Impact",
2584
+ "type": "variant",
2585
+ "priority": 3
2586
+ }
2587
+ ]
2588
+ },
2589
+ {
2590
+ "id": "software_package_takeover",
2591
+ "name": "Software Package Takeover",
2592
+ "type": "subcategory",
2593
+ "priority": null
2594
+ },
2595
+ {
2596
+ "id": "ssl_attack_breach_poodle_etc",
2597
+ "name": "SSL Attack (BREACH, POODLE etc.)",
2598
+ "type": "subcategory",
2599
+ "priority": null
2600
+ },
2601
+ {
2602
+ "id": "unsafe_cross_origin_resource_sharing",
2603
+ "name": "Unsafe Cross-Origin Resource Sharing",
2604
+ "type": "subcategory",
2605
+ "priority": null
2606
+ },
2607
+ {
2608
+ "id": "unsafe_file_upload",
2609
+ "name": "Unsafe File Upload",
2610
+ "type": "subcategory",
2611
+ "children": [
2612
+ {
2613
+ "id": "file_extension_filter_bypass",
2614
+ "name": "File Extension Filter Bypass",
2615
+ "type": "variant",
2616
+ "priority": 5
2617
+ },
2618
+ {
2619
+ "id": "no_antivirus",
2620
+ "name": "No Antivirus",
2621
+ "type": "variant",
2622
+ "priority": 5
2623
+ },
2624
+ {
2625
+ "id": "no_size_limit",
2626
+ "name": "No Size Limit",
2627
+ "type": "variant",
2628
+ "priority": 5
2629
+ }
2630
+ ]
2631
+ },
2632
+ {
2633
+ "id": "username_enumeration",
2634
+ "name": "Username/Email Enumeration",
2635
+ "type": "subcategory",
2636
+ "children": [
2637
+ {
2638
+ "id": "brute_force",
2639
+ "name": "Brute Force",
2640
+ "type": "variant",
2641
+ "priority": 5
2642
+ }
2643
+ ]
2644
+ },
2645
+ {
2646
+ "id": "using_default_credentials",
2647
+ "name": "Using Default Credentials",
2648
+ "type": "subcategory",
2649
+ "priority": 1
2650
+ },
2651
+ {
2652
+ "id": "waf_bypass",
2653
+ "name": "Web Application Firewall (WAF) Bypass",
2654
+ "type": "subcategory",
2655
+ "children": [
2656
+ {
2657
+ "id": "direct_server_access",
2658
+ "name": "Direct Server Access",
2659
+ "type": "variant",
2660
+ "priority": 4
2661
+ }
2662
+ ]
2663
+ }
2664
+ ]
2665
+ },
2666
+ {
2667
+ "id": "server_side_injection",
2668
+ "name": "Server-Side Injection",
2669
+ "type": "category",
2670
+ "children": [
2671
+ {
2672
+ "id": "content_spoofing",
2673
+ "name": "Content Spoofing",
2674
+ "type": "subcategory",
2675
+ "children": [
2676
+ {
2677
+ "id": "email_html_injection",
2678
+ "name": "Email HTML Injection",
2679
+ "type": "variant",
2680
+ "priority": 4
2681
+ },
2682
+ {
2683
+ "id": "email_hyperlink_injection_based_on_email_provider",
2684
+ "name": "Email Hyperlink Injection Based on Email Provider",
2685
+ "type": "variant",
2686
+ "priority": 5
2687
+ },
2688
+ {
2689
+ "id": "external_authentication_injection",
2690
+ "name": "External Authentication Injection",
2691
+ "type": "variant",
2692
+ "priority": 4
2693
+ },
2694
+ {
2695
+ "id": "flash_based_external_authentication_injection",
2696
+ "name": "Flash Based External Authentication Injection",
2697
+ "type": "variant",
2698
+ "priority": 5
2699
+ },
2700
+ {
2701
+ "id": "homograph_idn_based",
2702
+ "name": "Homograph/IDN-Based",
2703
+ "type": "variant",
2704
+ "priority": 5
2705
+ },
2706
+ {
2707
+ "id": "html_content_injection",
2708
+ "name": "HTML Content Injection",
2709
+ "type": "variant",
2710
+ "priority": 5
2711
+ },
2712
+ {
2713
+ "id": "iframe_injection",
2714
+ "name": "iframe Injection",
2715
+ "type": "variant",
2716
+ "priority": 3
2717
+ },
2718
+ {
2719
+ "id": "impersonation_via_broken_link_hijacking",
2720
+ "name": "Impersonation via Broken Link Hijacking",
2721
+ "type": "variant",
2722
+ "priority": 4
2723
+ },
2724
+ {
2725
+ "id": "rtlo",
2726
+ "name": "Right-to-Left Override (RTLO)",
2727
+ "type": "variant",
2728
+ "priority": 5
2729
+ },
2730
+ {
2731
+ "id": "text_injection",
2732
+ "name": "Text Injection",
2733
+ "type": "variant",
2734
+ "priority": 5
2735
+ }
2736
+ ]
2737
+ },
2738
+ {
2739
+ "id": "file_inclusion",
2740
+ "name": "File Inclusion",
2741
+ "type": "subcategory",
2742
+ "children": [
2743
+ {
2744
+ "id": "local",
2745
+ "name": "Local",
2746
+ "type": "variant",
2747
+ "priority": 1
2748
+ }
2749
+ ]
2750
+ },
2751
+ {
2752
+ "id": "http_response_manipulation",
2753
+ "name": "HTTP Response Manipulation",
2754
+ "type": "subcategory",
2755
+ "children": [
2756
+ {
2757
+ "id": "response_splitting_crlf",
2758
+ "name": "Response Splitting (CRLF)",
2759
+ "type": "variant",
2760
+ "priority": 3
2761
+ }
2762
+ ]
2763
+ },
2764
+ {
2765
+ "id": "ldap_injection",
2766
+ "name": "LDAP Injection",
2767
+ "type": "subcategory",
2768
+ "priority": null
2769
+ },
2770
+ {
2771
+ "id": "parameter_pollution",
2772
+ "name": "Parameter Pollution",
2773
+ "type": "subcategory",
2774
+ "children": [
2775
+ {
2776
+ "id": "social_media_sharing_buttons",
2777
+ "name": "Social Media Sharing Buttons",
2778
+ "type": "variant",
2779
+ "priority": 5
2780
+ }
2781
+ ]
2782
+ },
2783
+ {
2784
+ "id": "remote_code_execution_rce",
2785
+ "name": "Remote Code Execution (RCE)",
2786
+ "type": "subcategory",
2787
+ "priority": 1
2788
+ },
2789
+ {
2790
+ "id": "sql_injection",
2791
+ "name": "SQL Injection",
2792
+ "type": "subcategory",
2793
+ "priority": 1
2794
+ },
2795
+ {
2796
+ "id": "ssti",
2797
+ "name": "Server-Side Template Injection (SSTI)",
2798
+ "type": "subcategory",
2799
+ "children": [
2800
+ {
2801
+ "id": "basic",
2802
+ "name": "Basic",
2803
+ "type": "variant",
2804
+ "priority": 4
2805
+ },
2806
+ {
2807
+ "id": "custom",
2808
+ "name": "Custom",
2809
+ "type": "variant",
2810
+ "priority": null
2811
+ }
2812
+ ]
2813
+ },
2814
+ {
2815
+ "id": "xml_external_entity_injection_xxe",
2816
+ "name": "XML External Entity Injection (XXE)",
2817
+ "type": "subcategory",
2818
+ "priority": 1
2819
+ }
2820
+ ]
2821
+ },
2822
+ {
2823
+ "id": "smart_contract_misconfiguration",
2824
+ "name": "Smart Contract Misconfiguration",
2825
+ "type": "category",
2826
+ "children": [
2827
+ {
2828
+ "id": "bypass_of_function_modifiers_and_checks",
2829
+ "name": "Bypass of Function Modifiers and Checks",
2830
+ "type": "subcategory",
2831
+ "priority": null
2832
+ },
2833
+ {
2834
+ "id": "function_level_denial_of_service",
2835
+ "name": "Function-level Denial of Service",
2836
+ "type": "subcategory",
2837
+ "priority": 3
2838
+ },
2839
+ {
2840
+ "id": "improper_decimals_implementation",
2841
+ "name": "Improper Decimals Implementation",
2842
+ "type": "subcategory",
2843
+ "priority": 4
2844
+ },
2845
+ {
2846
+ "id": "improper_fee_implementation",
2847
+ "name": "Improper Fee Implementation",
2848
+ "type": "subcategory",
2849
+ "priority": 3
2850
+ },
2851
+ {
2852
+ "id": "improper_use_of_modifier",
2853
+ "name": "Improper Use of Modifier",
2854
+ "type": "subcategory",
2855
+ "priority": 4
2856
+ },
2857
+ {
2858
+ "id": "inaccurate_rounding_calculation",
2859
+ "name": "Inaccurate Rounding Calculation",
2860
+ "type": "subcategory",
2861
+ "priority": null
2862
+ },
2863
+ {
2864
+ "id": "integer_overflow_underflow",
2865
+ "name": "Integer Overflow / Underflow",
2866
+ "type": "subcategory",
2867
+ "priority": 2
2868
+ },
2869
+ {
2870
+ "id": "irreversible_function_call",
2871
+ "name": "Irreversible Function Call",
2872
+ "type": "subcategory",
2873
+ "priority": 3
2874
+ },
2875
+ {
2876
+ "id": "malicious_superuser_risk",
2877
+ "name": "Malicious Superuser Risk",
2878
+ "type": "subcategory",
2879
+ "priority": 3
2880
+ },
2881
+ {
2882
+ "id": "reentrancy_attack",
2883
+ "name": "Reentrancy Attack",
2884
+ "type": "subcategory",
2885
+ "priority": 1
2886
+ },
2887
+ {
2888
+ "id": "smart_contract_owner_takeover",
2889
+ "name": "Smart Contract Owner Takeover",
2890
+ "type": "subcategory",
2891
+ "priority": 1
2892
+ },
2893
+ {
2894
+ "id": "unauthorized_smart_contract_approval",
2895
+ "name": "Unauthorized Smart Contract Approval",
2896
+ "type": "subcategory",
2897
+ "priority": 2
2898
+ },
2899
+ {
2900
+ "id": "unauthorized_transfer_of_funds",
2901
+ "name": "Unauthorized Transfer of Funds",
2902
+ "type": "subcategory",
2903
+ "priority": 1
2904
+ },
2905
+ {
2906
+ "id": "uninitialized_variables",
2907
+ "name": "Uninitialized Variables",
2908
+ "type": "subcategory",
2909
+ "priority": 1
2910
+ }
2911
+ ]
2912
+ },
2913
+ {
2914
+ "id": "societal_biases",
2915
+ "name": "Societal Biases",
2916
+ "type": "category",
2917
+ "children": [
2918
+ {
2919
+ "id": "confirmation_bias",
2920
+ "name": "Confirmation Bias",
2921
+ "type": "subcategory",
2922
+ "priority": null
2923
+ },
2924
+ {
2925
+ "id": "systemic_bias",
2926
+ "name": "Systemic Bias",
2927
+ "type": "subcategory",
2928
+ "priority": null
2929
+ }
2930
+ ]
2931
+ },
2932
+ {
2933
+ "id": "unvalidated_redirects_and_forwards",
2934
+ "name": "Unvalidated Redirects and Forwards",
2935
+ "type": "category",
2936
+ "children": [
2937
+ {
2938
+ "id": "lack_of_security_speed_bump_page",
2939
+ "name": "Lack of Security Speed Bump Page",
2940
+ "type": "subcategory",
2941
+ "priority": 5
2942
+ },
2943
+ {
2944
+ "id": "open_redirect",
2945
+ "name": "Open Redirect",
2946
+ "type": "subcategory",
2947
+ "children": [
2948
+ {
2949
+ "id": "flash_based",
2950
+ "name": "Flash-Based",
2951
+ "type": "variant",
2952
+ "priority": 5
2953
+ },
2954
+ {
2955
+ "id": "get_based",
2956
+ "name": "GET-Based",
2957
+ "type": "variant",
2958
+ "priority": 4
2959
+ },
2960
+ {
2961
+ "id": "header_based",
2962
+ "name": "Header-Based",
2963
+ "type": "variant",
2964
+ "priority": 5
2965
+ },
2966
+ {
2967
+ "id": "post_based",
2968
+ "name": "POST-Based",
2969
+ "type": "variant",
2970
+ "priority": 5
2971
+ }
2972
+ ]
2973
+ },
2974
+ {
2975
+ "id": "tabnabbing",
2976
+ "name": "Tabnabbing",
2977
+ "type": "subcategory",
2978
+ "priority": 5
2979
+ }
2980
+ ]
2981
+ },
2982
+ {
2983
+ "id": "using_components_with_known_vulnerabilities",
2984
+ "name": "Using Components with Known Vulnerabilities",
2985
+ "type": "category",
2986
+ "children": [
2987
+ {
2988
+ "id": "captcha_bypass",
2989
+ "name": "Captcha Bypass",
2990
+ "type": "subcategory",
2991
+ "children": [
2992
+ {
2993
+ "id": "ocr_optical_character_recognition",
2994
+ "name": "OCR (Optical Character Recognition)",
2995
+ "type": "variant",
2996
+ "priority": 5
2997
+ }
2998
+ ]
2999
+ },
3000
+ {
3001
+ "id": "outdated_software_version",
3002
+ "name": "Outdated Software Version",
3003
+ "type": "subcategory",
3004
+ "priority": 5
3005
+ },
3006
+ {
3007
+ "id": "rosetta_flash",
3008
+ "name": "Rosetta Flash",
3009
+ "type": "subcategory",
3010
+ "priority": 5
3011
+ }
3012
+ ]
3013
+ },
3014
+ {
3015
+ "id": "zero_knowledge_security_misconfiguration",
3016
+ "name": "Zero Knowledge Security Misconfiguration",
3017
+ "type": "category",
3018
+ "children": [
3019
+ {
3020
+ "id": "deanonymization_of_data",
3021
+ "name": "Deanonymization of Data",
3022
+ "type": "subcategory",
3023
+ "priority": 1
3024
+ },
3025
+ {
3026
+ "id": "improper_proof_validation_and_finalization_logic",
3027
+ "name": "Improper Proof Validation and Finalization Logic",
3028
+ "type": "subcategory",
3029
+ "priority": 1
3030
+ },
3031
+ {
3032
+ "id": "misconfigured_trusted_setup",
3033
+ "name": "Misconfigured Trusted Setup",
3034
+ "type": "subcategory",
3035
+ "priority": null
3036
+ },
3037
+ {
3038
+ "id": "mismatching_bit_lengths",
3039
+ "name": "Mismatching Bit Lengths",
3040
+ "type": "subcategory",
3041
+ "priority": null
3042
+ },
3043
+ {
3044
+ "id": "missing_constraint",
3045
+ "name": "Missing Constraint",
3046
+ "type": "subcategory",
3047
+ "priority": null
3048
+ },
3049
+ {
3050
+ "id": "missing_range_check",
3051
+ "name": "Missing Range Check",
3052
+ "type": "subcategory",
3053
+ "priority": null
3054
+ }
3055
+ ]
3056
+ }
3057
+ ]
3058
+ }