vrt 0.13.4 → 0.13.5

@@ -0,0 +1,3244 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2025-06-23T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "ai_application_security",
8
+ "name": "AI Application Security",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "adversarial_example_injection",
13
+ "name": "Adversarial Example Injection",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "ai_misclassification_attacks",
18
+ "name": "AI Misclassification Attacks",
19
+ "type": "variant",
20
+ "priority": 4
21
+ }
22
+ ]
23
+ },
24
+ {
25
+ "id": "ai_safety",
26
+ "name": "AI Safety",
27
+ "type": "subcategory",
28
+ "children": [
29
+ {
30
+ "id": "misinformation_wrong_factual_data",
31
+ "name": "Misinformation / Wrong Factual Data",
32
+ "type": "variant",
33
+ "priority": 4
34
+ }
35
+ ]
36
+ },
37
+ {
38
+ "id": "denial_of_service_dos",
39
+ "name": "Denial-of-Service (DoS)",
40
+ "type": "subcategory",
41
+ "children": [
42
+ {
43
+ "id": "application_wide",
44
+ "name": "Application-Wide",
45
+ "type": "variant",
46
+ "priority": 2
47
+ },
48
+ {
49
+ "id": "tenant_scoped",
50
+ "name": "Tenant-Scoped",
51
+ "type": "variant",
52
+ "priority": 4
53
+ }
54
+ ]
55
+ },
56
+ {
57
+ "id": "improper_input_handling",
58
+ "name": "Improper Input Handling",
59
+ "type": "subcategory",
60
+ "children": [
61
+ {
62
+ "id": "ansi_escape_codes",
63
+ "name": "ANSI Escape Codes",
64
+ "type": "variant",
65
+ "priority": 5
66
+ },
67
+ {
68
+ "id": "rtl_overrides",
69
+ "name": "RTL Overrides",
70
+ "type": "variant",
71
+ "priority": 5
72
+ },
73
+ {
74
+ "id": "unicode_confusables",
75
+ "name": "Unicode Confusables",
76
+ "type": "variant",
77
+ "priority": 5
78
+ }
79
+ ]
80
+ },
81
+ {
82
+ "id": "improper_output_handling",
83
+ "name": "Improper Output Handling",
84
+ "type": "subcategory",
85
+ "children": [
86
+ {
87
+ "id": "cross_site_scripting_xss",
88
+ "name": "Cross-Site Scripting (XSS)",
89
+ "type": "variant",
90
+ "priority": 3
91
+ },
92
+ {
93
+ "id": "markdown_html_injection",
94
+ "name": "Markdown/HTML Injection",
95
+ "type": "variant",
96
+ "priority": 4
97
+ }
98
+ ]
99
+ },
100
+ {
101
+ "id": "insufficient_rate_limiting",
102
+ "name": "Insufficient Rate Limiting",
103
+ "type": "subcategory",
104
+ "children": [
105
+ {
106
+ "id": "query_flooding_api_token_abuse",
107
+ "name": "Query Flooding / API Token Abuse",
108
+ "type": "variant",
109
+ "priority": 4
110
+ }
111
+ ]
112
+ },
113
+ {
114
+ "id": "model_extraction",
115
+ "name": "Model Extraction",
116
+ "type": "subcategory",
117
+ "children": [
118
+ {
119
+ "id": "api_query_based_model_reconstruction",
120
+ "name": "API Query-Based Model Reconstruction",
121
+ "type": "variant",
122
+ "priority": 1
123
+ }
124
+ ]
125
+ },
126
+ {
127
+ "id": "prompt_injection",
128
+ "name": "Prompt Injection",
129
+ "type": "subcategory",
130
+ "children": [
131
+ {
132
+ "id": "system_prompt_leakage",
133
+ "name": "System Prompt Leakage",
134
+ "type": "variant",
135
+ "priority": 2
136
+ }
137
+ ]
138
+ },
139
+ {
140
+ "id": "remote_code_execution",
141
+ "name": "Remote Code Execution",
142
+ "type": "subcategory",
143
+ "children": [
144
+ {
145
+ "id": "full_system_compromise",
146
+ "name": "Full System Compromise",
147
+ "type": "variant",
148
+ "priority": 1
149
+ },
150
+ {
151
+ "id": "sandboxed_container_code_execution",
152
+ "name": "Sandboxed Container Code Execution",
153
+ "type": "variant",
154
+ "priority": 2
155
+ }
156
+ ]
157
+ },
158
+ {
159
+ "id": "sensitive_information_disclosure",
160
+ "name": "Sensitive Information Disclosure",
161
+ "type": "subcategory",
162
+ "children": [
163
+ {
164
+ "id": "cross_tenant_pii_leakage_exposure",
165
+ "name": "Cross-Tenant PII Leakage/Exposure",
166
+ "type": "variant",
167
+ "priority": 1
168
+ },
169
+ {
170
+ "id": "key_leak",
171
+ "name": "Key Leak",
172
+ "type": "variant",
173
+ "priority": 1
174
+ }
175
+ ]
176
+ },
177
+ {
178
+ "id": "training_data_poisoning",
179
+ "name": "Training Data Poisoning",
180
+ "type": "subcategory",
181
+ "children": [
182
+ {
183
+ "id": "backdoor_injection_bias_manipulation",
184
+ "name": "Backdoor Injection / Bias Manipulation",
185
+ "type": "variant",
186
+ "priority": 1
187
+ }
188
+ ]
189
+ },
190
+ {
191
+ "id": "vector_and_embedding_weaknesses",
192
+ "name": "Vector and Embedding Weaknesses",
193
+ "type": "subcategory",
194
+ "children": [
195
+ {
196
+ "id": "embedding_exfiltration_model_extraction",
197
+ "name": "Embedding Exfiltration / Model Extraction",
198
+ "type": "variant",
199
+ "priority": 2
200
+ },
201
+ {
202
+ "id": "semantic_indexing",
203
+ "name": "Semantic Indexing",
204
+ "type": "variant",
205
+ "priority": 3
206
+ }
207
+ ]
208
+ }
209
+ ]
210
+ },
211
+ {
212
+ "id": "algorithmic_biases",
213
+ "name": "Algorithmic Biases",
214
+ "type": "category",
215
+ "children": [
216
+ {
217
+ "id": "aggregation_bias",
218
+ "name": "Aggregation Bias",
219
+ "type": "subcategory",
220
+ "priority": null
221
+ },
222
+ {
223
+ "id": "processing_bias",
224
+ "name": "Processing Bias",
225
+ "type": "subcategory",
226
+ "priority": null
227
+ }
228
+ ]
229
+ },
230
+ {
231
+ "id": "application_level_denial_of_service_dos",
232
+ "name": "Application-Level Denial-of-Service (DoS)",
233
+ "type": "category",
234
+ "children": [
235
+ {
236
+ "id": "app_crash",
237
+ "name": "App Crash",
238
+ "type": "subcategory",
239
+ "children": [
240
+ {
241
+ "id": "malformed_android_intents",
242
+ "name": "Malformed Android Intents",
243
+ "type": "variant",
244
+ "priority": 5
245
+ },
246
+ {
247
+ "id": "malformed_ios_url_schemes",
248
+ "name": "Malformed iOS URL Schemes",
249
+ "type": "variant",
250
+ "priority": 5
251
+ }
252
+ ]
253
+ },
254
+ {
255
+ "id": "critical_impact_and_or_easy_difficulty",
256
+ "name": "Critical Impact and/or Easy Difficulty",
257
+ "type": "subcategory",
258
+ "priority": 2
259
+ },
260
+ {
261
+ "id": "excessive_resource_consumption",
262
+ "name": "Excessive Resource Consumption",
263
+ "type": "subcategory",
264
+ "children": [
265
+ {
266
+ "id": "injection_prompt",
267
+ "name": "Injection (Prompt)",
268
+ "type": "variant",
269
+ "priority": null
270
+ }
271
+ ]
272
+ },
273
+ {
274
+ "id": "high_impact_and_or_medium_difficulty",
275
+ "name": "High Impact and/or Medium Difficulty",
276
+ "type": "subcategory",
277
+ "priority": 3
278
+ }
279
+ ]
280
+ },
281
+ {
282
+ "id": "automotive_security_misconfiguration",
283
+ "name": "Automotive Security Misconfiguration",
284
+ "type": "category",
285
+ "children": [
286
+ {
287
+ "id": "abs",
288
+ "name": "Automatic Braking System (ABS)",
289
+ "type": "subcategory",
290
+ "children": [
291
+ {
292
+ "id": "unintended_acceleration_brake",
293
+ "name": "Unintended Acceleration / Brake",
294
+ "type": "variant",
295
+ "priority": 3
296
+ }
297
+ ]
298
+ },
299
+ {
300
+ "id": "battery_management_system",
301
+ "name": "Battery Management System",
302
+ "type": "subcategory",
303
+ "children": [
304
+ {
305
+ "id": "firmware_dump",
306
+ "name": "Firmware Dump",
307
+ "type": "variant",
308
+ "priority": 3
309
+ },
310
+ {
311
+ "id": "fraudulent_interface",
312
+ "name": "Fraudulent Interface",
313
+ "type": "variant",
314
+ "priority": 4
315
+ }
316
+ ]
317
+ },
318
+ {
319
+ "id": "can",
320
+ "name": "CAN",
321
+ "type": "subcategory",
322
+ "children": [
323
+ {
324
+ "id": "injection_basic_safety_message",
325
+ "name": "Injection (Basic Safety Message)",
326
+ "type": "variant",
327
+ "priority": 3
328
+ },
329
+ {
330
+ "id": "injection_battery_management_system",
331
+ "name": "Injection (Battery Management System)",
332
+ "type": "variant",
333
+ "priority": 3
334
+ },
335
+ {
336
+ "id": "injection_disallowed_messages",
337
+ "name": "Injection (Disallowed Messages)",
338
+ "type": "variant",
339
+ "priority": 4
340
+ },
341
+ {
342
+ "id": "injection_dos",
343
+ "name": "Injection (DoS)",
344
+ "type": "variant",
345
+ "priority": 4
346
+ },
347
+ {
348
+ "id": "injection_headlights",
349
+ "name": "Injection (Headlights)",
350
+ "type": "variant",
351
+ "priority": 3
352
+ },
353
+ {
354
+ "id": "injection_powertrain",
355
+ "name": "Injection (Powertrain)",
356
+ "type": "variant",
357
+ "priority": 3
358
+ },
359
+ {
360
+ "id": "injection_pyrotechnical_device_deployment_tool",
361
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
362
+ "type": "variant",
363
+ "priority": 3
364
+ },
365
+ {
366
+ "id": "injection_sensors",
367
+ "name": "Injection (Sensors)",
368
+ "type": "variant",
369
+ "priority": 3
370
+ },
371
+ {
372
+ "id": "injection_steering_control",
373
+ "name": "Injection (Steering Control)",
374
+ "type": "variant",
375
+ "priority": 3
376
+ },
377
+ {
378
+ "id": "injection_vehicle_anti_theft_systems",
379
+ "name": "Injection (Vehicle Anti-theft Systems)",
380
+ "type": "variant",
381
+ "priority": 3
382
+ }
383
+ ]
384
+ },
385
+ {
386
+ "id": "gnss_gps",
387
+ "name": "GNSS / GPS",
388
+ "type": "subcategory",
389
+ "children": [
390
+ {
391
+ "id": "spoofing",
392
+ "name": "Spoofing",
393
+ "type": "variant",
394
+ "priority": 4
395
+ }
396
+ ]
397
+ },
398
+ {
399
+ "id": "immobilizer",
400
+ "name": "Immobilizer",
401
+ "type": "subcategory",
402
+ "children": [
403
+ {
404
+ "id": "engine_start",
405
+ "name": "Engine Start",
406
+ "type": "variant",
407
+ "priority": 3
408
+ }
409
+ ]
410
+ },
411
+ {
412
+ "id": "infotainment_radio_head_unit",
413
+ "name": "Infotainment, Radio Head Unit",
414
+ "type": "subcategory",
415
+ "children": [
416
+ {
417
+ "id": "code_execution_can_bus_pivot",
418
+ "name": "Code Execution (CAN Bus Pivot)",
419
+ "type": "variant",
420
+ "priority": 2
421
+ },
422
+ {
423
+ "id": "code_execution_no_can_bus_pivot",
424
+ "name": "Code Execution (No CAN Bus Pivot)",
425
+ "type": "variant",
426
+ "priority": 3
427
+ },
428
+ {
429
+ "id": "default_credentials",
430
+ "name": "Default Credentials",
431
+ "type": "variant",
432
+ "priority": 4
433
+ },
434
+ {
435
+ "id": "dos_brick",
436
+ "name": "Denial of Service (DoS / Brick)",
437
+ "type": "variant",
438
+ "priority": 4
439
+ },
440
+ {
441
+ "id": "ota_firmware_manipulation",
442
+ "name": "OTA Firmware Manipulation",
443
+ "type": "variant",
444
+ "priority": 2
445
+ },
446
+ {
447
+ "id": "sensitive_data_leakage_exposure",
448
+ "name": "Sensitive data Leakage/Exposure",
449
+ "type": "variant",
450
+ "priority": 1
451
+ },
452
+ {
453
+ "id": "source_code_dump",
454
+ "name": "Source Code Dump",
455
+ "type": "variant",
456
+ "priority": 4
457
+ },
458
+ {
459
+ "id": "unauthorized_access_to_services",
460
+ "name": "Unauthorized Access to Services (API / Endpoints)",
461
+ "type": "variant",
462
+ "priority": 3
463
+ }
464
+ ]
465
+ },
466
+ {
467
+ "id": "rf_hub",
468
+ "name": "RF Hub",
469
+ "type": "subcategory",
470
+ "children": [
471
+ {
472
+ "id": "can_injection_interaction",
473
+ "name": "CAN Injection / Interaction",
474
+ "type": "variant",
475
+ "priority": 2
476
+ },
477
+ {
478
+ "id": "data_leakage_pull_encryption_mechanism",
479
+ "name": "Data Leakage / Pull Encryption Mechanism",
480
+ "type": "variant",
481
+ "priority": 3
482
+ },
483
+ {
484
+ "id": "key_fob_cloning",
485
+ "name": "Key Fob Cloning",
486
+ "type": "variant",
487
+ "priority": 1
488
+ },
489
+ {
490
+ "id": "relay",
491
+ "name": "Relay",
492
+ "type": "variant",
493
+ "priority": 5
494
+ },
495
+ {
496
+ "id": "replay",
497
+ "name": "Replay",
498
+ "type": "variant",
499
+ "priority": 5
500
+ },
501
+ {
502
+ "id": "roll_jam",
503
+ "name": "Roll Jam",
504
+ "type": "variant",
505
+ "priority": 5
506
+ },
507
+ {
508
+ "id": "unauthorized_access_turn_on",
509
+ "name": "Unauthorized Access / Turn On",
510
+ "type": "variant",
511
+ "priority": 4
512
+ }
513
+ ]
514
+ },
515
+ {
516
+ "id": "rsu",
517
+ "name": "Roadside Unit (RSU)",
518
+ "type": "subcategory",
519
+ "children": [
520
+ {
521
+ "id": "sybil_attack",
522
+ "name": "Sybil Attack",
523
+ "type": "variant",
524
+ "priority": 4
525
+ }
526
+ ]
527
+ }
528
+ ]
529
+ },
530
+ {
531
+ "id": "blockchain_infrastructure_misconfiguration",
532
+ "name": "Blockchain Infrastructure Misconfiguration",
533
+ "type": "category",
534
+ "children": [
535
+ {
536
+ "id": "improper_bridge_validation_and_verification_logic",
537
+ "name": "Improper Bridge Validation and Verification Logic",
538
+ "type": "subcategory",
539
+ "priority": null
540
+ }
541
+ ]
542
+ },
543
+ {
544
+ "id": "broken_access_control",
545
+ "name": "Broken Access Control (BAC)",
546
+ "type": "category",
547
+ "children": [
548
+ {
549
+ "id": "bypass_of_password_confirmation",
550
+ "name": "Bypass of Password Confirmation",
551
+ "type": "subcategory",
552
+ "children": [
553
+ {
554
+ "id": "change_password",
555
+ "name": "Change Password",
556
+ "type": "variant",
557
+ "priority": 4
558
+ }
559
+ ]
560
+ },
561
+ {
562
+ "id": "exposed_sensitive_android_intent",
563
+ "name": "Exposed Sensitive Android Intent",
564
+ "type": "subcategory",
565
+ "priority": null
566
+ },
567
+ {
568
+ "id": "exposed_sensitive_ios_url_scheme",
569
+ "name": "Exposed Sensitive iOS URL Scheme",
570
+ "type": "subcategory",
571
+ "priority": null
572
+ },
573
+ {
574
+ "id": "idor",
575
+ "name": "Insecure Direct Object References (IDOR)",
576
+ "type": "subcategory",
577
+ "children": [
578
+ {
579
+ "id": "modify_sensitive_information_iterable_object_identifiers",
580
+ "name": "Modify Sensitive Information(Iterable Object Identifiers)",
581
+ "type": "variant",
582
+ "priority": 2
583
+ },
584
+ {
585
+ "id": "modify_view_sensitive_information_guid",
586
+ "name": "Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID)",
587
+ "type": "variant",
588
+ "priority": 4
589
+ },
590
+ {
591
+ "id": "modify_view_sensitive_information_iterable_object_identifiers",
592
+ "name": "Modify/View Sensitive Information(Iterable Object Identifiers)",
593
+ "type": "variant",
594
+ "priority": 1
595
+ },
596
+ {
597
+ "id": "view_non_sensitive_information",
598
+ "name": "View Non-Sensitive Information",
599
+ "type": "variant",
600
+ "priority": 5
601
+ },
602
+ {
603
+ "id": "view_sensitive_information_iterable_object_identifiers",
604
+ "name": "View Sensitive Information(Iterable Object Identifiers)",
605
+ "type": "variant",
606
+ "priority": 3
607
+ }
608
+ ]
609
+ },
610
+ {
611
+ "id": "privilege_escalation",
612
+ "name": "Privilege Escalation",
613
+ "type": "subcategory",
614
+ "priority": null
615
+ },
616
+ {
617
+ "id": "username_enumeration",
618
+ "name": "Username/Email Enumeration",
619
+ "type": "subcategory",
620
+ "children": [
621
+ {
622
+ "id": "non_brute_force",
623
+ "name": "Non-Brute Force",
624
+ "type": "variant",
625
+ "priority": 4
626
+ }
627
+ ]
628
+ }
629
+ ]
630
+ },
631
+ {
632
+ "id": "broken_authentication_and_session_management",
633
+ "name": "Broken Authentication and Session Management",
634
+ "type": "category",
635
+ "children": [
636
+ {
637
+ "id": "authentication_bypass",
638
+ "name": "Authentication Bypass",
639
+ "type": "subcategory",
640
+ "priority": 1
641
+ },
642
+ {
643
+ "id": "cleartext_transmission_of_session_token",
644
+ "name": "Cleartext Transmission of Session Token",
645
+ "type": "subcategory",
646
+ "priority": 4
647
+ },
648
+ {
649
+ "id": "concurrent_logins",
650
+ "name": "Concurrent Logins",
651
+ "type": "subcategory",
652
+ "priority": 5
653
+ },
654
+ {
655
+ "id": "failure_to_invalidate_session",
656
+ "name": "Failure to Invalidate Session",
657
+ "type": "subcategory",
658
+ "children": [
659
+ {
660
+ "id": "all_sessions",
661
+ "name": "Concurrent Sessions On Logout",
662
+ "type": "variant",
663
+ "priority": 5
664
+ },
665
+ {
666
+ "id": "long_timeout",
667
+ "name": "Long Timeout",
668
+ "type": "variant",
669
+ "priority": 5
670
+ },
671
+ {
672
+ "id": "on_email_change",
673
+ "name": "On Email Change",
674
+ "type": "variant",
675
+ "priority": 5
676
+ },
677
+ {
678
+ "id": "on_logout",
679
+ "name": "On Logout (Client and Server-Side)",
680
+ "type": "variant",
681
+ "priority": 4
682
+ },
683
+ {
684
+ "id": "on_logout_server_side_only",
685
+ "name": "On Logout (Server-Side Only)",
686
+ "type": "variant",
687
+ "priority": 5
688
+ },
689
+ {
690
+ "id": "on_password_change",
691
+ "name": "On Password Reset and/or Change",
692
+ "type": "variant",
693
+ "priority": 4
694
+ },
695
+ {
696
+ "id": "on_two_fa_activation_change",
697
+ "name": "On 2FA Activation/Change",
698
+ "type": "variant",
699
+ "priority": 5
700
+ },
701
+ {
702
+ "id": "permission_change",
703
+ "name": "On Permission Change",
704
+ "type": "variant",
705
+ "priority": null
706
+ }
707
+ ]
708
+ },
709
+ {
710
+ "id": "saml_replay",
711
+ "name": "SAML Replay",
712
+ "type": "subcategory",
713
+ "priority": 5
714
+ },
715
+ {
716
+ "id": "session_fixation",
717
+ "name": "Session Fixation",
718
+ "type": "subcategory",
719
+ "children": [
720
+ {
721
+ "id": "local_attack_vector",
722
+ "name": "Local Attack Vector",
723
+ "type": "variant",
724
+ "priority": 5
725
+ },
726
+ {
727
+ "id": "remote_attack_vector",
728
+ "name": "Remote Attack Vector",
729
+ "type": "variant",
730
+ "priority": 3
731
+ }
732
+ ]
733
+ },
734
+ {
735
+ "id": "two_fa_bypass",
736
+ "name": "Second Factor Authentication (2FA) Bypass",
737
+ "type": "subcategory",
738
+ "priority": 3
739
+ },
740
+ {
741
+ "id": "weak_login_function",
742
+ "name": "Weak Login Function",
743
+ "type": "subcategory",
744
+ "children": [
745
+ {
746
+ "id": "not_operational",
747
+ "name": "Not Operational or Intended Public Access",
748
+ "type": "variant",
749
+ "priority": 5
750
+ },
751
+ {
752
+ "id": "other_plaintext_protocol_no_secure_alternative",
753
+ "name": "Other Plaintext Protocol with no Secure Alternative",
754
+ "type": "variant",
755
+ "priority": 4
756
+ },
757
+ {
758
+ "id": "over_http",
759
+ "name": "Over HTTP",
760
+ "type": "variant",
761
+ "priority": 4
762
+ }
763
+ ]
764
+ },
765
+ {
766
+ "id": "weak_registration_implementation",
767
+ "name": "Weak Registration Implementation",
768
+ "type": "subcategory",
769
+ "children": [
770
+ {
771
+ "id": "over_http",
772
+ "name": "Over HTTP",
773
+ "type": "variant",
774
+ "priority": 4
775
+ }
776
+ ]
777
+ }
778
+ ]
779
+ },
780
+ {
781
+ "id": "client_side_injection",
782
+ "name": "Client-Side Injection",
783
+ "type": "category",
784
+ "children": [
785
+ {
786
+ "id": "binary_planting",
787
+ "name": "Binary Planting",
788
+ "type": "subcategory",
789
+ "children": [
790
+ {
791
+ "id": "no_privilege_escalation",
792
+ "name": "No Privilege Escalation",
793
+ "type": "variant",
794
+ "priority": 5
795
+ },
796
+ {
797
+ "id": "non_default_folder_privilege_escalation",
798
+ "name": "Non-Default Folder Privilege Escalation",
799
+ "type": "variant",
800
+ "priority": 5
801
+ },
802
+ {
803
+ "id": "privilege_escalation",
804
+ "name": "Default Folder Privilege Escalation",
805
+ "type": "variant",
806
+ "priority": 3
807
+ }
808
+ ]
809
+ }
810
+ ]
811
+ },
812
+ {
813
+ "id": "cross_site_request_forgery_csrf",
814
+ "name": "Cross-Site Request Forgery (CSRF)",
815
+ "type": "category",
816
+ "children": [
817
+ {
818
+ "id": "action_specific",
819
+ "name": "Action-Specific",
820
+ "type": "subcategory",
821
+ "children": [
822
+ {
823
+ "id": "authenticated_action",
824
+ "name": "Authenticated Action",
825
+ "type": "variant",
826
+ "priority": null
827
+ },
828
+ {
829
+ "id": "logout",
830
+ "name": "Logout",
831
+ "type": "variant",
832
+ "priority": 5
833
+ },
834
+ {
835
+ "id": "unauthenticated_action",
836
+ "name": "Unauthenticated Action",
837
+ "type": "variant",
838
+ "priority": null
839
+ }
840
+ ]
841
+ },
842
+ {
843
+ "id": "application_wide",
844
+ "name": "Application-Wide",
845
+ "type": "subcategory",
846
+ "priority": 2
847
+ },
848
+ {
849
+ "id": "csrf_token_not_unique_per_request",
850
+ "name": "CSRF Token Not Unique Per Request",
851
+ "type": "subcategory",
852
+ "priority": 5
853
+ },
854
+ {
855
+ "id": "flash_based",
856
+ "name": "Flash-Based",
857
+ "type": "subcategory",
858
+ "priority": 5
859
+ }
860
+ ]
861
+ },
862
+ {
863
+ "id": "cross_site_scripting_xss",
864
+ "name": "Cross-Site Scripting (XSS)",
865
+ "type": "category",
866
+ "children": [
867
+ {
868
+ "id": "cookie_based",
869
+ "name": "Cookie-Based",
870
+ "type": "subcategory",
871
+ "priority": 5
872
+ },
873
+ {
874
+ "id": "flash_based",
875
+ "name": "Flash-Based",
876
+ "type": "subcategory",
877
+ "priority": 5
878
+ },
879
+ {
880
+ "id": "ie_only",
881
+ "name": "IE-Only",
882
+ "type": "subcategory",
883
+ "priority": 5
884
+ },
885
+ {
886
+ "id": "off_domain",
887
+ "name": "Off-Domain",
888
+ "type": "subcategory",
889
+ "children": [
890
+ {
891
+ "id": "data_uri",
892
+ "name": "Data URI",
893
+ "type": "variant",
894
+ "priority": 4
895
+ }
896
+ ]
897
+ },
898
+ {
899
+ "id": "referer",
900
+ "name": "Referer",
901
+ "type": "subcategory",
902
+ "priority": 4
903
+ },
904
+ {
905
+ "id": "reflected",
906
+ "name": "Reflected",
907
+ "type": "subcategory",
908
+ "children": [
909
+ {
910
+ "id": "non_self",
911
+ "name": "Non-Self",
912
+ "type": "variant",
913
+ "priority": 3
914
+ },
915
+ {
916
+ "id": "self",
917
+ "name": "Self",
918
+ "type": "variant",
919
+ "priority": 5
920
+ }
921
+ ]
922
+ },
923
+ {
924
+ "id": "stored",
925
+ "name": "Stored",
926
+ "type": "subcategory",
927
+ "children": [
928
+ {
929
+ "id": "non_admin_to_anyone",
930
+ "name": "Non-Privileged User to Anyone",
931
+ "type": "variant",
932
+ "priority": 2
933
+ },
934
+ {
935
+ "id": "privileged_user_to_no_privilege_elevation",
936
+ "name": "Privileged User to No Privilege Elevation",
937
+ "type": "variant",
938
+ "priority": 4
939
+ },
940
+ {
941
+ "id": "privileged_user_to_privilege_elevation",
942
+ "name": "Privileged User to Privilege Elevation",
943
+ "type": "variant",
944
+ "priority": 3
945
+ },
946
+ {
947
+ "id": "self",
948
+ "name": "Self",
949
+ "type": "variant",
950
+ "priority": 5
951
+ },
952
+ {
953
+ "id": "url_based",
954
+ "name": "CSRF/URL-Based",
955
+ "type": "variant",
956
+ "priority": 3
957
+ }
958
+ ]
959
+ },
960
+ {
961
+ "id": "trace_method",
962
+ "name": "TRACE Method",
963
+ "type": "subcategory",
964
+ "priority": 5
965
+ },
966
+ {
967
+ "id": "universal_uxss",
968
+ "name": "Universal (UXSS)",
969
+ "type": "subcategory",
970
+ "priority": 4
971
+ }
972
+ ]
973
+ },
974
+ {
975
+ "id": "cryptographic_weakness",
976
+ "name": "Cryptographic Weakness",
977
+ "type": "category",
978
+ "children": [
979
+ {
980
+ "id": "broken_cryptography",
981
+ "name": "Broken Cryptography",
982
+ "type": "subcategory",
983
+ "children": [
984
+ {
985
+ "id": "use_of_broken_cryptographic_primitive",
986
+ "name": "Use of Broken Cryptographic Primitive",
987
+ "type": "variant",
988
+ "priority": 3
989
+ },
990
+ {
991
+ "id": "use_of_vulnerable_cryptographic_library",
992
+ "name": "Use of Vulnerable Cryptographic Library",
993
+ "type": "variant",
994
+ "priority": 4
995
+ }
996
+ ]
997
+ },
998
+ {
999
+ "id": "incomplete_cleanup_of_keying_material",
1000
+ "name": "Incomplete Cleanup of Keying Material",
1001
+ "type": "subcategory",
1002
+ "priority": 5
1003
+ },
1004
+ {
1005
+ "id": "insecure_implementation",
1006
+ "name": "Insecure Implementation",
1007
+ "type": "subcategory",
1008
+ "children": [
1009
+ {
1010
+ "id": "improper_following_of_specification",
1011
+ "name": "Improper Following of Specification (Other)",
1012
+ "type": "variant",
1013
+ "priority": null
1014
+ },
1015
+ {
1016
+ "id": "missing_cryptographic_step",
1017
+ "name": "Missing Cryptographic Step",
1018
+ "type": "variant",
1019
+ "priority": null
1020
+ }
1021
+ ]
1022
+ },
1023
+ {
1024
+ "id": "insecure_key_generation",
1025
+ "name": "Insecure Key Generation",
1026
+ "type": "subcategory",
1027
+ "children": [
1028
+ {
1029
+ "id": "improper_asymmetric_exponent_selection",
1030
+ "name": "Improper Asymmetric Exponent Selection",
1031
+ "type": "variant",
1032
+ "priority": null
1033
+ },
1034
+ {
1035
+ "id": "improper_asymmetric_prime_selection",
1036
+ "name": "Improper Asymmetric Prime Selection",
1037
+ "type": "variant",
1038
+ "priority": null
1039
+ },
1040
+ {
1041
+ "id": "insufficient_key_space",
1042
+ "name": "Insufficient Key Space",
1043
+ "type": "variant",
1044
+ "priority": 3
1045
+ },
1046
+ {
1047
+ "id": "insufficient_key_stretching",
1048
+ "name": "Insufficient Key Stretching",
1049
+ "type": "variant",
1050
+ "priority": null
1051
+ },
1052
+ {
1053
+ "id": "key_exchange_without_entity_authentication",
1054
+ "name": "Key Exchage Without Entity Authentication",
1055
+ "type": "variant",
1056
+ "priority": 4
1057
+ }
1058
+ ]
1059
+ },
1060
+ {
1061
+ "id": "insufficient_entropy",
1062
+ "name": "Insufficient Entropy",
1063
+ "type": "subcategory",
1064
+ "children": [
1065
+ {
1066
+ "id": "initialization_vector_reuse",
1067
+ "name": "Initialization Vector (IV) Reuse",
1068
+ "type": "variant",
1069
+ "priority": 5
1070
+ },
1071
+ {
1072
+ "id": "limited_rng_entropy_source",
1073
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
1074
+ "type": "variant",
1075
+ "priority": 4
1076
+ },
1077
+ {
1078
+ "id": "predictable_initialization_vector",
1079
+ "name": "Predictable Initialization Vector (IV)",
1080
+ "type": "variant",
1081
+ "priority": 4
1082
+ },
1083
+ {
1084
+ "id": "predictable_prng_seed",
1085
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
1086
+ "type": "variant",
1087
+ "priority": 4
1088
+ },
1089
+ {
1090
+ "id": "prng_seed_reuse",
1091
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
1092
+ "type": "variant",
1093
+ "priority": 5
1094
+ },
1095
+ {
1096
+ "id": "small_seed_space_in_prng",
1097
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
1098
+ "type": "variant",
1099
+ "priority": 4
1100
+ },
1101
+ {
1102
+ "id": "use_of_trng_for_nonsecurity_purpose",
1103
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
1104
+ "type": "variant",
1105
+ "priority": 5
1106
+ }
1107
+ ]
1108
+ },
1109
+ {
1110
+ "id": "insufficient_verification_of_data_authenticity",
1111
+ "name": "Insufficient Verification of Data Authenticity",
1112
+ "type": "subcategory",
1113
+ "children": [
1114
+ {
1115
+ "id": "cryptographic_signature",
1116
+ "name": "Cryptographic Signature",
1117
+ "type": "variant",
1118
+ "priority": null
1119
+ },
1120
+ {
1121
+ "id": "identity_check_value",
1122
+ "name": "Integrity Check Value (ICV)",
1123
+ "type": "variant",
1124
+ "priority": 4
1125
+ }
1126
+ ]
1127
+ },
1128
+ {
1129
+ "id": "key_reuse",
1130
+ "name": "Key Reuse",
1131
+ "type": "subcategory",
1132
+ "children": [
1133
+ {
1134
+ "id": "inter_environment",
1135
+ "name": "Inter-Environment",
1136
+ "type": "variant",
1137
+ "priority": 2
1138
+ },
1139
+ {
1140
+ "id": "intra_environment",
1141
+ "name": "Intra-Environment",
1142
+ "type": "variant",
1143
+ "priority": 5
1144
+ },
1145
+ {
1146
+ "id": "lack_of_perfect_forward_secrecy",
1147
+ "name": "Lack of Perfect Forward Secrecy",
1148
+ "type": "variant",
1149
+ "priority": 4
1150
+ }
1151
+ ]
1152
+ },
1153
+ {
1154
+ "id": "side_channel_attack",
1155
+ "name": "Side-Channel Attack",
1156
+ "type": "subcategory",
1157
+ "children": [
1158
+ {
1159
+ "id": "differential_fault_analysis",
1160
+ "name": "Differential Fault Analysis",
1161
+ "type": "variant",
1162
+ "priority": null
1163
+ },
1164
+ {
1165
+ "id": "emanations_attack",
1166
+ "name": "Emanations Attack",
1167
+ "type": "variant",
1168
+ "priority": 5
1169
+ },
1170
+ {
1171
+ "id": "padding_oracle_attack",
1172
+ "name": "Padding Oracle Attack",
1173
+ "type": "variant",
1174
+ "priority": 4
1175
+ },
1176
+ {
1177
+ "id": "power_analysis_attack",
1178
+ "name": "Power Analysis Attack",
1179
+ "type": "variant",
1180
+ "priority": 5
1181
+ },
1182
+ {
1183
+ "id": "timing_attack",
1184
+ "name": "Timing Attack",
1185
+ "type": "variant",
1186
+ "priority": 4
1187
+ }
1188
+ ]
1189
+ },
1190
+ {
1191
+ "id": "use_of_expired_cryptographic_key_or_cert",
1192
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
1193
+ "type": "subcategory",
1194
+ "priority": 4
1195
+ },
1196
+ {
1197
+ "id": "weak_hash",
1198
+ "name": "Weak Hash",
1199
+ "type": "subcategory",
1200
+ "children": [
1201
+ {
1202
+ "id": "lack_of_salt",
1203
+ "name": "Lack of Salt",
1204
+ "type": "variant",
1205
+ "priority": null
1206
+ },
1207
+ {
1208
+ "id": "predictable_hash_collision",
1209
+ "name": "Predictable Hash Collision",
1210
+ "type": "variant",
1211
+ "priority": null
1212
+ },
1213
+ {
1214
+ "id": "use_of_predictable_salt",
1215
+ "name": "Use of Predictable Salt",
1216
+ "type": "variant",
1217
+ "priority": 5
1218
+ }
1219
+ ]
1220
+ }
1221
+ ]
1222
+ },
1223
+ {
1224
+ "id": "data_biases",
1225
+ "name": "Data Biases",
1226
+ "type": "category",
1227
+ "children": [
1228
+ {
1229
+ "id": "pre_existing_bias",
1230
+ "name": "Pre-existing Bias",
1231
+ "type": "subcategory",
1232
+ "priority": null
1233
+ },
1234
+ {
1235
+ "id": "representation_bias",
1236
+ "name": "Representation Bias",
1237
+ "type": "subcategory",
1238
+ "priority": null
1239
+ }
1240
+ ]
1241
+ },
1242
+ {
1243
+ "id": "decentralized_application_misconfiguration",
1244
+ "name": "Decentralized Application Misconfiguration",
1245
+ "type": "category",
1246
+ "children": [
1247
+ {
1248
+ "id": "defi_security",
1249
+ "name": "DeFi Security",
1250
+ "type": "subcategory",
1251
+ "children": [
1252
+ {
1253
+ "id": "flash_loan_attack",
1254
+ "name": "Flash Loan Attack",
1255
+ "type": "variant",
1256
+ "priority": null
1257
+ },
1258
+ {
1259
+ "id": "function_level_accounting_error",
1260
+ "name": "Function-Level Accounting Error",
1261
+ "type": "variant",
1262
+ "priority": null
1263
+ },
1264
+ {
1265
+ "id": "improper_implementation_of_governance",
1266
+ "name": "Improper Implementation of Governance",
1267
+ "type": "variant",
1268
+ "priority": null
1269
+ },
1270
+ {
1271
+ "id": "pricing_oracle_manipulation",
1272
+ "name": "Pricing Oracle Manipulation",
1273
+ "type": "variant",
1274
+ "priority": null
1275
+ }
1276
+ ]
1277
+ },
1278
+ {
1279
+ "id": "improper_authorization",
1280
+ "name": "Improper Authorization",
1281
+ "type": "subcategory",
1282
+ "children": [
1283
+ {
1284
+ "id": "insufficient_signature_validation",
1285
+ "name": "Insufficient Signature Validation",
1286
+ "type": "variant",
1287
+ "priority": null
1288
+ }
1289
+ ]
1290
+ },
1291
+ {
1292
+ "id": "insecure_data_storage",
1293
+ "name": "Insecure Data Storage",
1294
+ "type": "subcategory",
1295
+ "children": [
1296
+ {
1297
+ "id": "plaintext_private_key",
1298
+ "name": "Plaintext Private Key",
1299
+ "type": "variant",
1300
+ "priority": 1
1301
+ },
1302
+ {
1303
+ "id": "sensitive_information_exposure",
1304
+ "name": "Sensitive Information Exposure",
1305
+ "type": "variant",
1306
+ "priority": null
1307
+ }
1308
+ ]
1309
+ },
1310
+ {
1311
+ "id": "marketplace_security",
1312
+ "name": "Marketplace Security",
1313
+ "type": "subcategory",
1314
+ "children": [
1315
+ {
1316
+ "id": "denial_of_service",
1317
+ "name": "Denial of Service",
1318
+ "type": "variant",
1319
+ "priority": null
1320
+ },
1321
+ {
1322
+ "id": "improper_validation_and_checks_for_deposits_and_withdrawals",
1323
+ "name": "Improper Validation and Checks For Deposits and Withdrawals",
1324
+ "type": "variant",
1325
+ "priority": null
1326
+ },
1327
+ {
1328
+ "id": "malicious_order_offer",
1329
+ "name": "Malicious Order Offer",
1330
+ "type": "variant",
1331
+ "priority": 2
1332
+ },
1333
+ {
1334
+ "id": "miscalculated_accounting_logic",
1335
+ "name": "Miscalculated Accounting Logic",
1336
+ "type": "variant",
1337
+ "priority": null
1338
+ },
1339
+ {
1340
+ "id": "ofac_bypass",
1341
+ "name": "OFAC Bypass",
1342
+ "type": "variant",
1343
+ "priority": 3
1344
+ },
1345
+ {
1346
+ "id": "orderbook_manipulation",
1347
+ "name": "Orderbook Manipulation",
1348
+ "type": "variant",
1349
+ "priority": 1
1350
+ },
1351
+ {
1352
+ "id": "price_or_fee_manipulation",
1353
+ "name": "Price or Fee Manipulation",
1354
+ "type": "variant",
1355
+ "priority": 2
1356
+ },
1357
+ {
1358
+ "id": "signer_account_takeover",
1359
+ "name": "Signer Account Takeover",
1360
+ "type": "variant",
1361
+ "priority": 1
1362
+ },
1363
+ {
1364
+ "id": "unauthorized_asset_transfer",
1365
+ "name": "Unauthorized Asset Transfer",
1366
+ "type": "variant",
1367
+ "priority": 1
1368
+ }
1369
+ ]
1370
+ },
1371
+ {
1372
+ "id": "protocol_security_misconfiguration",
1373
+ "name": "Protocol Security Misconfiguration",
1374
+ "type": "subcategory",
1375
+ "children": [
1376
+ {
1377
+ "id": "node_level_denial_of_service",
1378
+ "name": "Node-level Denial of Service",
1379
+ "type": "variant",
1380
+ "priority": 1
1381
+ }
1382
+ ]
1383
+ }
1384
+ ]
1385
+ },
1386
+ {
1387
+ "id": "developer_biases",
1388
+ "name": "Developer Biases",
1389
+ "type": "category",
1390
+ "children": [
1391
+ {
1392
+ "id": "implicit_bias",
1393
+ "name": "Implicit Bias",
1394
+ "type": "subcategory",
1395
+ "priority": null
1396
+ }
1397
+ ]
1398
+ },
1399
+ {
1400
+ "id": "external_behavior",
1401
+ "name": "External Behavior",
1402
+ "type": "category",
1403
+ "children": [
1404
+ {
1405
+ "id": "browser_feature",
1406
+ "name": "Browser Feature",
1407
+ "type": "subcategory",
1408
+ "children": [
1409
+ {
1410
+ "id": "aggressive_offline_caching",
1411
+ "name": "Aggressive Offline Caching",
1412
+ "type": "variant",
1413
+ "priority": 5
1414
+ },
1415
+ {
1416
+ "id": "autocomplete_enabled",
1417
+ "name": "Autocomplete Enabled",
1418
+ "type": "variant",
1419
+ "priority": 5
1420
+ },
1421
+ {
1422
+ "id": "autocorrect_enabled",
1423
+ "name": "Autocorrect Enabled",
1424
+ "type": "variant",
1425
+ "priority": 5
1426
+ },
1427
+ {
1428
+ "id": "plaintext_password_field",
1429
+ "name": "Plaintext Password Field",
1430
+ "type": "variant",
1431
+ "priority": 5
1432
+ },
1433
+ {
1434
+ "id": "save_password",
1435
+ "name": "Save Password",
1436
+ "type": "variant",
1437
+ "priority": 5
1438
+ }
1439
+ ]
1440
+ },
1441
+ {
1442
+ "id": "captcha_bypass",
1443
+ "name": "Captcha Bypass",
1444
+ "type": "subcategory",
1445
+ "children": [
1446
+ {
1447
+ "id": "crowdsourcing",
1448
+ "name": "Crowdsourcing",
1449
+ "type": "variant",
1450
+ "priority": 5
1451
+ }
1452
+ ]
1453
+ },
1454
+ {
1455
+ "id": "csv_injection",
1456
+ "name": "CSV Injection",
1457
+ "type": "subcategory",
1458
+ "priority": 5
1459
+ },
1460
+ {
1461
+ "id": "system_clipboard_leak",
1462
+ "name": "System Clipboard Leak",
1463
+ "type": "subcategory",
1464
+ "children": [
1465
+ {
1466
+ "id": "shared_links",
1467
+ "name": "Shared Links",
1468
+ "type": "variant",
1469
+ "priority": 5
1470
+ }
1471
+ ]
1472
+ },
1473
+ {
1474
+ "id": "user_password_persisted_in_memory",
1475
+ "name": "User Password Persisted in Memory",
1476
+ "type": "subcategory",
1477
+ "priority": 5
1478
+ }
1479
+ ]
1480
+ },
1481
+ {
1482
+ "id": "indicators_of_compromise",
1483
+ "name": "Indicators of Compromise",
1484
+ "type": "category",
1485
+ "priority": null
1486
+ },
1487
+ {
1488
+ "id": "insecure_data_storage",
1489
+ "name": "Insecure Data Storage",
1490
+ "type": "category",
1491
+ "children": [
1492
+ {
1493
+ "id": "non_sensitive_application_data_stored_unencrypted",
1494
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1495
+ "type": "subcategory",
1496
+ "priority": 5
1497
+ },
1498
+ {
1499
+ "id": "screen_caching_enabled",
1500
+ "name": "Screen Caching Enabled",
1501
+ "type": "subcategory",
1502
+ "priority": 5
1503
+ },
1504
+ {
1505
+ "id": "sensitive_application_data_stored_unencrypted",
1506
+ "name": "Sensitive Application Data Stored Unencrypted",
1507
+ "type": "subcategory",
1508
+ "children": [
1509
+ {
1510
+ "id": "on_external_storage",
1511
+ "name": "On External Storage",
1512
+ "type": "variant",
1513
+ "priority": 4
1514
+ },
1515
+ {
1516
+ "id": "on_internal_storage",
1517
+ "name": "On Internal Storage",
1518
+ "type": "variant",
1519
+ "priority": 5
1520
+ }
1521
+ ]
1522
+ },
1523
+ {
1524
+ "id": "server_side_credentials_storage",
1525
+ "name": "Server-Side Credentials Storage",
1526
+ "type": "subcategory",
1527
+ "children": [
1528
+ {
1529
+ "id": "plaintext",
1530
+ "name": "Plaintext",
1531
+ "type": "variant",
1532
+ "priority": 4
1533
+ }
1534
+ ]
1535
+ }
1536
+ ]
1537
+ },
1538
+ {
1539
+ "id": "insecure_data_transport",
1540
+ "name": "Insecure Data Transport",
1541
+ "type": "category",
1542
+ "children": [
1543
+ {
1544
+ "id": "cleartext_transmission_of_sensitive_data",
1545
+ "name": "Cleartext Transmission of Sensitive Data",
1546
+ "type": "subcategory",
1547
+ "priority": null
1548
+ },
1549
+ {
1550
+ "id": "executable_download",
1551
+ "name": "Executable Download",
1552
+ "type": "subcategory",
1553
+ "children": [
1554
+ {
1555
+ "id": "no_secure_integrity_check",
1556
+ "name": "No Secure Integrity Check",
1557
+ "type": "variant",
1558
+ "priority": 4
1559
+ },
1560
+ {
1561
+ "id": "secure_integrity_check",
1562
+ "name": "Secure Integrity Check",
1563
+ "type": "variant",
1564
+ "priority": 5
1565
+ }
1566
+ ]
1567
+ }
1568
+ ]
1569
+ },
1570
+ {
1571
+ "id": "insecure_os_firmware",
1572
+ "name": "Insecure OS/Firmware",
1573
+ "type": "category",
1574
+ "children": [
1575
+ {
1576
+ "id": "command_injection",
1577
+ "name": "Command Injection",
1578
+ "type": "subcategory",
1579
+ "priority": 1
1580
+ },
1581
+ {
1582
+ "id": "data_not_encrypted_at_rest",
1583
+ "name": "Data not encrypted at rest",
1584
+ "type": "subcategory",
1585
+ "children": [
1586
+ {
1587
+ "id": "non_sensitive",
1588
+ "name": "Non sensitive",
1589
+ "type": "variant",
1590
+ "priority": 5
1591
+ },
1592
+ {
1593
+ "id": "sensitive",
1594
+ "name": "Sensitive",
1595
+ "type": "variant",
1596
+ "priority": null
1597
+ }
1598
+ ]
1599
+ },
1600
+ {
1601
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
1602
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
1603
+ "type": "subcategory",
1604
+ "priority": null
1605
+ },
1606
+ {
1607
+ "id": "hardcoded_password",
1608
+ "name": "Hardcoded Password",
1609
+ "type": "subcategory",
1610
+ "children": [
1611
+ {
1612
+ "id": "non_privileged_user",
1613
+ "name": "Non-Privileged User",
1614
+ "type": "variant",
1615
+ "priority": 2
1616
+ },
1617
+ {
1618
+ "id": "privileged_user",
1619
+ "name": "Privileged User",
1620
+ "type": "variant",
1621
+ "priority": 1
1622
+ }
1623
+ ]
1624
+ },
1625
+ {
1626
+ "id": "kiosk_escape_or_breakout",
1627
+ "name": "Kiosk Escape or Breakout",
1628
+ "type": "subcategory",
1629
+ "priority": null
1630
+ },
1631
+ {
1632
+ "id": "local_administrator_on_default_environment",
1633
+ "name": "Local Administrator on default environment",
1634
+ "type": "subcategory",
1635
+ "priority": 2
1636
+ },
1637
+ {
1638
+ "id": "over_permissioned_credentials_on_storage",
1639
+ "name": "Over-Permissioned Credentials on Storage",
1640
+ "type": "subcategory",
1641
+ "priority": 2
1642
+ },
1643
+ {
1644
+ "id": "poorly_configured_disk_encryption",
1645
+ "name": "Poorly Configured Disk Encryption",
1646
+ "type": "subcategory",
1647
+ "priority": null
1648
+ },
1649
+ {
1650
+ "id": "poorly_configured_operating_system_security",
1651
+ "name": "Poorly Configured Operating System Security",
1652
+ "type": "subcategory",
1653
+ "priority": null
1654
+ },
1655
+ {
1656
+ "id": "recovery_of_disk_contains_sensitive_material",
1657
+ "name": "Recovery of Disk Contains Sensitive Material",
1658
+ "type": "subcategory",
1659
+ "priority": null
1660
+ },
1661
+ {
1662
+ "id": "shared_credentials_on_storage",
1663
+ "name": "Shared Credentials on Storage",
1664
+ "type": "subcategory",
1665
+ "priority": 3
1666
+ },
1667
+ {
1668
+ "id": "weakness_in_firmware_updates",
1669
+ "name": "Weakness in Firmware Updates",
1670
+ "type": "subcategory",
1671
+ "children": [
1672
+ {
1673
+ "id": "firmware_cannot_be_updated",
1674
+ "name": "Firmware cannot be updated",
1675
+ "type": "variant",
1676
+ "priority": null
1677
+ },
1678
+ {
1679
+ "id": "firmware_does_not_validate_update_integrity",
1680
+ "name": "Firmware does not validate update integrity",
1681
+ "type": "variant",
1682
+ "priority": 3
1683
+ },
1684
+ {
1685
+ "id": "firmware_is_not_encrypted",
1686
+ "name": "Firmware is not encrypted",
1687
+ "type": "variant",
1688
+ "priority": 5
1689
+ }
1690
+ ]
1691
+ }
1692
+ ]
1693
+ },
1694
+ {
1695
+ "id": "insufficient_security_configurability",
1696
+ "name": "Insufficient Security Configurability",
1697
+ "type": "category",
1698
+ "children": [
1699
+ {
1700
+ "id": "lack_of_notification_email",
1701
+ "name": "Lack of Notification Email",
1702
+ "type": "subcategory",
1703
+ "priority": 5
1704
+ },
1705
+ {
1706
+ "id": "no_password_policy",
1707
+ "name": "No Password Policy",
1708
+ "type": "subcategory",
1709
+ "priority": 4
1710
+ },
1711
+ {
1712
+ "id": "password_policy_bypass",
1713
+ "name": "Password Policy Bypass",
1714
+ "type": "subcategory",
1715
+ "priority": 5
1716
+ },
1717
+ {
1718
+ "id": "verification_of_contact_method_not_required",
1719
+ "name": "Verification of Contact Method not Required",
1720
+ "type": "subcategory",
1721
+ "priority": 5
1722
+ },
1723
+ {
1724
+ "id": "weak_password_policy",
1725
+ "name": "Weak Password Policy",
1726
+ "type": "subcategory",
1727
+ "priority": 5
1728
+ },
1729
+ {
1730
+ "id": "weak_password_reset_implementation",
1731
+ "name": "Weak Password Reset Implementation",
1732
+ "type": "subcategory",
1733
+ "children": [
1734
+ {
1735
+ "id": "token_has_long_timed_expiry",
1736
+ "name": "Token Has Long Timed Expiry",
1737
+ "type": "variant",
1738
+ "priority": 5
1739
+ },
1740
+ {
1741
+ "id": "token_is_not_invalidated_after_email_change",
1742
+ "name": "Token is Not Invalidated After Email Change",
1743
+ "type": "variant",
1744
+ "priority": 5
1745
+ },
1746
+ {
1747
+ "id": "token_is_not_invalidated_after_login",
1748
+ "name": "Token is Not Invalidated After Login",
1749
+ "type": "variant",
1750
+ "priority": 5
1751
+ },
1752
+ {
1753
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1754
+ "name": "Token is Not Invalidated After New Token is Requested",
1755
+ "type": "variant",
1756
+ "priority": 5
1757
+ },
1758
+ {
1759
+ "id": "token_is_not_invalidated_after_password_change",
1760
+ "name": "Token is Not Invalidated After Password Change",
1761
+ "type": "variant",
1762
+ "priority": 5
1763
+ },
1764
+ {
1765
+ "id": "token_is_not_invalidated_after_use",
1766
+ "name": "Token is Not Invalidated After Use",
1767
+ "type": "variant",
1768
+ "priority": 4
1769
+ }
1770
+ ]
1771
+ },
1772
+ {
1773
+ "id": "weak_registration_implementation",
1774
+ "name": "Weak Registration Implementation",
1775
+ "type": "subcategory",
1776
+ "children": [
1777
+ {
1778
+ "id": "allows_disposable_email_addresses",
1779
+ "name": "Allows Disposable Email Addresses",
1780
+ "type": "variant",
1781
+ "priority": 5
1782
+ }
1783
+ ]
1784
+ },
1785
+ {
1786
+ "id": "weak_two_fa_implementation",
1787
+ "name": "Weak 2FA Implementation",
1788
+ "type": "subcategory",
1789
+ "children": [
1790
+ {
1791
+ "id": "missing_failsafe",
1792
+ "name": "Missing Failsafe",
1793
+ "type": "variant",
1794
+ "priority": 5
1795
+ },
1796
+ {
1797
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1798
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1799
+ "type": "variant",
1800
+ "priority": 5
1801
+ },
1802
+ {
1803
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1804
+ "name": "2FA Code is Not Updated After New Code is Requested",
1805
+ "type": "variant",
1806
+ "priority": 5
1807
+ },
1808
+ {
1809
+ "id": "two_fa_secret_cannot_be_rotated",
1810
+ "name": "2FA Secret Cannot be Rotated",
1811
+ "type": "variant",
1812
+ "priority": 4
1813
+ },
1814
+ {
1815
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1816
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1817
+ "type": "variant",
1818
+ "priority": 4
1819
+ }
1820
+ ]
1821
+ }
1822
+ ]
1823
+ },
1824
+ {
1825
+ "id": "lack_of_binary_hardening",
1826
+ "name": "Lack of Binary Hardening",
1827
+ "type": "category",
1828
+ "children": [
1829
+ {
1830
+ "id": "lack_of_exploit_mitigations",
1831
+ "name": "Lack of Exploit Mitigations",
1832
+ "type": "subcategory",
1833
+ "priority": 5
1834
+ },
1835
+ {
1836
+ "id": "lack_of_jailbreak_detection",
1837
+ "name": "Lack of Jailbreak Detection",
1838
+ "type": "subcategory",
1839
+ "priority": 5
1840
+ },
1841
+ {
1842
+ "id": "lack_of_obfuscation",
1843
+ "name": "Lack of Obfuscation",
1844
+ "type": "subcategory",
1845
+ "priority": 5
1846
+ },
1847
+ {
1848
+ "id": "runtime_instrumentation_based",
1849
+ "name": "Runtime Instrumentation-Based",
1850
+ "type": "subcategory",
1851
+ "priority": 5
1852
+ }
1853
+ ]
1854
+ },
1855
+ {
1856
+ "id": "misinterpretation_biases",
1857
+ "name": "Misinterpretation Biases",
1858
+ "type": "category",
1859
+ "children": [
1860
+ {
1861
+ "id": "context_ignorance",
1862
+ "name": "Context Ignorance",
1863
+ "type": "subcategory",
1864
+ "priority": null
1865
+ }
1866
+ ]
1867
+ },
1868
+ {
1869
+ "id": "mobile_security_misconfiguration",
1870
+ "name": "Mobile Security Misconfiguration",
1871
+ "type": "category",
1872
+ "children": [
1873
+ {
1874
+ "id": "auto_backup_allowed_by_default",
1875
+ "name": "Auto Backup Allowed by Default",
1876
+ "type": "subcategory",
1877
+ "priority": 5
1878
+ },
1879
+ {
1880
+ "id": "clipboard_enabled",
1881
+ "name": "Clipboard Enabled",
1882
+ "type": "subcategory",
1883
+ "priority": 5
1884
+ },
1885
+ {
1886
+ "id": "ssl_certificate_pinning",
1887
+ "name": "SSL Certificate Pinning",
1888
+ "type": "subcategory",
1889
+ "children": [
1890
+ {
1891
+ "id": "absent",
1892
+ "name": "Absent",
1893
+ "type": "variant",
1894
+ "priority": 5
1895
+ },
1896
+ {
1897
+ "id": "defeatable",
1898
+ "name": "Defeatable",
1899
+ "type": "variant",
1900
+ "priority": 5
1901
+ }
1902
+ ]
1903
+ },
1904
+ {
1905
+ "id": "tapjacking",
1906
+ "name": "Tapjacking",
1907
+ "type": "subcategory",
1908
+ "priority": 5
1909
+ }
1910
+ ]
1911
+ },
1912
+ {
1913
+ "id": "network_security_misconfiguration",
1914
+ "name": "Network Security Misconfiguration",
1915
+ "type": "category",
1916
+ "children": [
1917
+ {
1918
+ "id": "telnet_enabled",
1919
+ "name": "Telnet Enabled",
1920
+ "type": "subcategory",
1921
+ "priority": 5
1922
+ }
1923
+ ]
1924
+ },
1925
+ {
1926
+ "id": "physical_security_issues",
1927
+ "name": "Physical Security Issues",
1928
+ "type": "category",
1929
+ "children": [
1930
+ {
1931
+ "id": "bypass_of_physical_access_control",
1932
+ "name": "Bypass of physical access control",
1933
+ "type": "subcategory",
1934
+ "priority": null
1935
+ },
1936
+ {
1937
+ "id": "weakness_in_physical_access_control",
1938
+ "name": "Weakness in physical access control",
1939
+ "type": "subcategory",
1940
+ "children": [
1941
+ {
1942
+ "id": "cloneable_key",
1943
+ "name": "Cloneable Key",
1944
+ "type": "variant",
1945
+ "priority": null
1946
+ },
1947
+ {
1948
+ "id": "commonly_keyed_system",
1949
+ "name": "Commonly Keyed System",
1950
+ "type": "variant",
1951
+ "priority": 2
1952
+ },
1953
+ {
1954
+ "id": "master_key_identification",
1955
+ "name": "Master Key Identification",
1956
+ "type": "variant",
1957
+ "priority": null
1958
+ }
1959
+ ]
1960
+ }
1961
+ ]
1962
+ },
1963
+ {
1964
+ "id": "privacy_concerns",
1965
+ "name": "Privacy Concerns",
1966
+ "type": "category",
1967
+ "children": [
1968
+ {
1969
+ "id": "unnecessary_data_collection",
1970
+ "name": "Unnecessary Data Collection",
1971
+ "type": "subcategory",
1972
+ "children": [
1973
+ {
1974
+ "id": "wifi_ssid_password",
1975
+ "name": "WiFi SSID+Password",
1976
+ "type": "variant",
1977
+ "priority": 4
1978
+ }
1979
+ ]
1980
+ }
1981
+ ]
1982
+ },
1983
+ {
1984
+ "id": "protocol_specific_misconfiguration",
1985
+ "name": "Protocol Specific Misconfiguration",
1986
+ "type": "category",
1987
+ "children": [
1988
+ {
1989
+ "id": "frontrunning_enabled_attack",
1990
+ "name": "Frontrunning-Enabled Attack",
1991
+ "type": "subcategory",
1992
+ "priority": 2
1993
+ },
1994
+ {
1995
+ "id": "improper_validation_and_finalization_logic",
1996
+ "name": "Improper Validation and Finalization Logic",
1997
+ "type": "subcategory",
1998
+ "priority": null
1999
+ },
2000
+ {
2001
+ "id": "misconfigured_staking_logic",
2002
+ "name": "Misconfigured Staking Logic",
2003
+ "type": "subcategory",
2004
+ "priority": null
2005
+ },
2006
+ {
2007
+ "id": "sandwich_enabled_attack",
2008
+ "name": "Sandwich-Enabled Attack",
2009
+ "type": "subcategory",
2010
+ "priority": 2
2011
+ }
2012
+ ]
2013
+ },
2014
+ {
2015
+ "id": "sensitive_data_exposure",
2016
+ "name": "Sensitive Data Exposure",
2017
+ "type": "category",
2018
+ "children": [
2019
+ {
2020
+ "id": "disclosure_of_known_public_information",
2021
+ "name": "Disclosure of Known Public Information",
2022
+ "type": "subcategory",
2023
+ "priority": 5
2024
+ },
2025
+ {
2026
+ "id": "disclosure_of_secrets",
2027
+ "name": "Disclosure of Secrets",
2028
+ "type": "subcategory",
2029
+ "children": [
2030
+ {
2031
+ "id": "data_traffic_spam",
2032
+ "name": "Data/Traffic Spam",
2033
+ "type": "variant",
2034
+ "priority": 5
2035
+ },
2036
+ {
2037
+ "id": "for_internal_asset",
2038
+ "name": "For Internal Asset",
2039
+ "type": "variant",
2040
+ "priority": 3
2041
+ },
2042
+ {
2043
+ "id": "for_publicly_accessible_asset",
2044
+ "name": "For Publicly Accessible Asset",
2045
+ "type": "variant",
2046
+ "priority": 1
2047
+ },
2048
+ {
2049
+ "id": "intentionally_public_sample_or_invalid",
2050
+ "name": "Intentionally Public, Sample or Invalid",
2051
+ "type": "variant",
2052
+ "priority": 5
2053
+ },
2054
+ {
2055
+ "id": "non_corporate_user",
2056
+ "name": "Non-Corporate User",
2057
+ "type": "variant",
2058
+ "priority": 5
2059
+ },
2060
+ {
2061
+ "id": "pay_per_use_abuse",
2062
+ "name": "Pay-Per-Use Abuse",
2063
+ "type": "variant",
2064
+ "priority": 4
2065
+ },
2066
+ {
2067
+ "id": "pii_leakage_exposure",
2068
+ "name": "PII Leakage/Exposure",
2069
+ "type": "variant",
2070
+ "priority": null
2071
+ }
2072
+ ]
2073
+ },
2074
+ {
2075
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
2076
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
2077
+ "type": "subcategory",
2078
+ "children": [
2079
+ {
2080
+ "id": "automatic_user_enumeration",
2081
+ "name": "Automatic User Enumeration",
2082
+ "type": "variant",
2083
+ "priority": 3
2084
+ },
2085
+ {
2086
+ "id": "manual_user_enumeration",
2087
+ "name": "Manual User Enumeration",
2088
+ "type": "variant",
2089
+ "priority": 4
2090
+ }
2091
+ ]
2092
+ },
2093
+ {
2094
+ "id": "graphql_introspection_enabled",
2095
+ "name": "GraphQL Introspection Enabled",
2096
+ "type": "subcategory",
2097
+ "priority": 5
2098
+ },
2099
+ {
2100
+ "id": "internal_ip_disclosure",
2101
+ "name": "Internal IP Disclosure",
2102
+ "type": "subcategory",
2103
+ "priority": 5
2104
+ },
2105
+ {
2106
+ "id": "json_hijacking",
2107
+ "name": "JSON Hijacking",
2108
+ "type": "subcategory",
2109
+ "priority": 5
2110
+ },
2111
+ {
2112
+ "id": "mixed_content",
2113
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
2114
+ "type": "subcategory",
2115
+ "priority": 5
2116
+ },
2117
+ {
2118
+ "id": "non_sensitive_token_in_url",
2119
+ "name": "Non-Sensitive Token in URL",
2120
+ "type": "subcategory",
2121
+ "priority": 5
2122
+ },
2123
+ {
2124
+ "id": "sensitive_data_hardcoded",
2125
+ "name": "Sensitive Data Hardcoded",
2126
+ "type": "subcategory",
2127
+ "children": [
2128
+ {
2129
+ "id": "file_paths",
2130
+ "name": "File Paths",
2131
+ "type": "variant",
2132
+ "priority": 5
2133
+ },
2134
+ {
2135
+ "id": "oauth_secret",
2136
+ "name": "OAuth Secret",
2137
+ "type": "variant",
2138
+ "priority": 5
2139
+ }
2140
+ ]
2141
+ },
2142
+ {
2143
+ "id": "sensitive_token_in_url",
2144
+ "name": "Sensitive Token in URL",
2145
+ "type": "subcategory",
2146
+ "children": [
2147
+ {
2148
+ "id": "in_the_background",
2149
+ "name": "In the Background",
2150
+ "type": "variant",
2151
+ "priority": 5
2152
+ },
2153
+ {
2154
+ "id": "on_password_reset",
2155
+ "name": "On Password Reset",
2156
+ "type": "variant",
2157
+ "priority": 5
2158
+ },
2159
+ {
2160
+ "id": "user_facing",
2161
+ "name": "User Facing",
2162
+ "type": "variant",
2163
+ "priority": 4
2164
+ }
2165
+ ]
2166
+ },
2167
+ {
2168
+ "id": "token_leakage_via_referer",
2169
+ "name": "Token Leakage via Referer",
2170
+ "type": "subcategory",
2171
+ "children": [
2172
+ {
2173
+ "id": "over_http",
2174
+ "name": "Over HTTP",
2175
+ "type": "variant",
2176
+ "priority": 4
2177
+ },
2178
+ {
2179
+ "id": "password_reset_token",
2180
+ "name": "Password Reset Token",
2181
+ "type": "variant",
2182
+ "priority": 5
2183
+ },
2184
+ {
2185
+ "id": "trusted_third_party",
2186
+ "name": "Trusted 3rd Party",
2187
+ "type": "variant",
2188
+ "priority": 5
2189
+ },
2190
+ {
2191
+ "id": "untrusted_third_party",
2192
+ "name": "Untrusted 3rd Party",
2193
+ "type": "variant",
2194
+ "priority": 4
2195
+ }
2196
+ ]
2197
+ },
2198
+ {
2199
+ "id": "via_localstorage_sessionstorage",
2200
+ "name": "Via localStorage/sessionStorage",
2201
+ "type": "subcategory",
2202
+ "children": [
2203
+ {
2204
+ "id": "non_sensitive_token",
2205
+ "name": "Non-Sensitive Token",
2206
+ "type": "variant",
2207
+ "priority": 5
2208
+ },
2209
+ {
2210
+ "id": "sensitive_token",
2211
+ "name": "Sensitive Token",
2212
+ "type": "variant",
2213
+ "priority": 4
2214
+ }
2215
+ ]
2216
+ },
2217
+ {
2218
+ "id": "visible_detailed_error_page",
2219
+ "name": "Visible Detailed Error/Debug Page",
2220
+ "type": "subcategory",
2221
+ "children": [
2222
+ {
2223
+ "id": "descriptive_stack_trace",
2224
+ "name": "Descriptive Stack Trace",
2225
+ "type": "variant",
2226
+ "priority": 5
2227
+ },
2228
+ {
2229
+ "id": "detailed_server_configuration",
2230
+ "name": "Detailed Server Configuration",
2231
+ "type": "variant",
2232
+ "priority": 4
2233
+ },
2234
+ {
2235
+ "id": "full_path_disclosure",
2236
+ "name": "Full Path Disclosure",
2237
+ "type": "variant",
2238
+ "priority": 5
2239
+ }
2240
+ ]
2241
+ },
2242
+ {
2243
+ "id": "weak_password_reset_implementation",
2244
+ "name": "Weak Password Reset Implementation",
2245
+ "type": "subcategory",
2246
+ "children": [
2247
+ {
2248
+ "id": "password_reset_token_sent_over_http",
2249
+ "name": "Password Reset Token Sent Over HTTP",
2250
+ "type": "variant",
2251
+ "priority": 4
2252
+ },
2253
+ {
2254
+ "id": "token_leakage_via_host_header_poisoning",
2255
+ "name": "Token Leakage via Host Header Poisoning",
2256
+ "type": "variant",
2257
+ "priority": 2
2258
+ }
2259
+ ]
2260
+ },
2261
+ {
2262
+ "id": "xssi",
2263
+ "name": "Cross Site Script Inclusion (XSSI)",
2264
+ "type": "subcategory",
2265
+ "priority": null
2266
+ }
2267
+ ]
2268
+ },
2269
+ {
2270
+ "id": "server_security_misconfiguration",
2271
+ "name": "Server Security Misconfiguration",
2272
+ "type": "category",
2273
+ "children": [
2274
+ {
2275
+ "id": "bitsquatting",
2276
+ "name": "Bitsquatting",
2277
+ "type": "subcategory",
2278
+ "priority": 5
2279
+ },
2280
+ {
2281
+ "id": "cache_deception",
2282
+ "name": "Cache Deception",
2283
+ "type": "subcategory",
2284
+ "priority": null
2285
+ },
2286
+ {
2287
+ "id": "cache_poisoning",
2288
+ "name": "Cache Poisoning",
2289
+ "type": "subcategory",
2290
+ "priority": null
2291
+ },
2292
+ {
2293
+ "id": "captcha",
2294
+ "name": "CAPTCHA",
2295
+ "type": "subcategory",
2296
+ "children": [
2297
+ {
2298
+ "id": "brute_force",
2299
+ "name": "Brute Force",
2300
+ "type": "variant",
2301
+ "priority": 5
2302
+ },
2303
+ {
2304
+ "id": "implementation_vulnerability",
2305
+ "name": "Implementation Vulnerability",
2306
+ "type": "variant",
2307
+ "priority": 4
2308
+ },
2309
+ {
2310
+ "id": "missing",
2311
+ "name": "Missing",
2312
+ "type": "variant",
2313
+ "priority": 5
2314
+ }
2315
+ ]
2316
+ },
2317
+ {
2318
+ "id": "clickjacking",
2319
+ "name": "Clickjacking",
2320
+ "type": "subcategory",
2321
+ "children": [
2322
+ {
2323
+ "id": "form_input",
2324
+ "name": "Form Input",
2325
+ "type": "variant",
2326
+ "priority": 5
2327
+ },
2328
+ {
2329
+ "id": "non_sensitive_action",
2330
+ "name": "Non-Sensitive Action",
2331
+ "type": "variant",
2332
+ "priority": 5
2333
+ },
2334
+ {
2335
+ "id": "sensitive_action",
2336
+ "name": "Sensitive Click-Based Action",
2337
+ "type": "variant",
2338
+ "priority": 4
2339
+ }
2340
+ ]
2341
+ },
2342
+ {
2343
+ "id": "cookie_scoped_to_parent_domain",
2344
+ "name": "Cookie Scoped to Parent Domain",
2345
+ "type": "subcategory",
2346
+ "priority": 5
2347
+ },
2348
+ {
2349
+ "id": "dbms_misconfiguration",
2350
+ "name": "Database Management System (DBMS) Misconfiguration",
2351
+ "type": "subcategory",
2352
+ "children": [
2353
+ {
2354
+ "id": "excessively_privileged_user_dba",
2355
+ "name": "Excessively Privileged User / DBA",
2356
+ "type": "variant",
2357
+ "priority": 4
2358
+ }
2359
+ ]
2360
+ },
2361
+ {
2362
+ "id": "directory_listing_enabled",
2363
+ "name": "Directory Listing Enabled",
2364
+ "type": "subcategory",
2365
+ "children": [
2366
+ {
2367
+ "id": "non_sensitive_data_exposure",
2368
+ "name": "Non-Sensitive Data Exposure",
2369
+ "type": "variant",
2370
+ "priority": 5
2371
+ },
2372
+ {
2373
+ "id": "sensitive_data_exposure",
2374
+ "name": "Sensitive Data Exposure",
2375
+ "type": "variant",
2376
+ "priority": null
2377
+ }
2378
+ ]
2379
+ },
2380
+ {
2381
+ "id": "email_verification_bypass",
2382
+ "name": "Email Verification Bypass",
2383
+ "type": "subcategory",
2384
+ "priority": 5
2385
+ },
2386
+ {
2387
+ "id": "exposed_admin_portal",
2388
+ "name": "Exposed Admin Portal",
2389
+ "type": "subcategory",
2390
+ "children": [
2391
+ {
2392
+ "id": "to_internet",
2393
+ "name": "To Internet",
2394
+ "type": "variant",
2395
+ "priority": 5
2396
+ }
2397
+ ]
2398
+ },
2399
+ {
2400
+ "id": "fingerprinting_banner_disclosure",
2401
+ "name": "Fingerprinting/Banner Disclosure",
2402
+ "type": "subcategory",
2403
+ "priority": 5
2404
+ },
2405
+ {
2406
+ "id": "insecure_ssl",
2407
+ "name": "Insecure SSL",
2408
+ "type": "subcategory",
2409
+ "children": [
2410
+ {
2411
+ "id": "certificate_error",
2412
+ "name": "Certificate Error",
2413
+ "type": "variant",
2414
+ "priority": 5
2415
+ },
2416
+ {
2417
+ "id": "insecure_cipher_suite",
2418
+ "name": "Insecure Cipher Suite",
2419
+ "type": "variant",
2420
+ "priority": 5
2421
+ },
2422
+ {
2423
+ "id": "lack_of_forward_secrecy",
2424
+ "name": "Lack of Forward Secrecy",
2425
+ "type": "variant",
2426
+ "priority": 5
2427
+ }
2428
+ ]
2429
+ },
2430
+ {
2431
+ "id": "lack_of_password_confirmation",
2432
+ "name": "Lack of Password Confirmation",
2433
+ "type": "subcategory",
2434
+ "children": [
2435
+ {
2436
+ "id": "change_email_address",
2437
+ "name": "Change Email Address",
2438
+ "type": "variant",
2439
+ "priority": 5
2440
+ },
2441
+ {
2442
+ "id": "change_password",
2443
+ "name": "Change Password",
2444
+ "type": "variant",
2445
+ "priority": 5
2446
+ },
2447
+ {
2448
+ "id": "delete_account",
2449
+ "name": "Delete Account",
2450
+ "type": "variant",
2451
+ "priority": 4
2452
+ },
2453
+ {
2454
+ "id": "manage_two_fa",
2455
+ "name": "Manage 2FA",
2456
+ "type": "variant",
2457
+ "priority": 5
2458
+ }
2459
+ ]
2460
+ },
2461
+ {
2462
+ "id": "lack_of_security_headers",
2463
+ "name": "Lack of Security Headers",
2464
+ "type": "subcategory",
2465
+ "children": [
2466
+ {
2467
+ "id": "cache_control_for_a_non_sensitive_page",
2468
+ "name": "Cache-Control for a Non-Sensitive Page",
2469
+ "type": "variant",
2470
+ "priority": 5
2471
+ },
2472
+ {
2473
+ "id": "cache_control_for_a_sensitive_page",
2474
+ "name": "Cache-Control for a Sensitive Page",
2475
+ "type": "variant",
2476
+ "priority": 4
2477
+ },
2478
+ {
2479
+ "id": "content_security_policy",
2480
+ "name": "Content-Security-Policy",
2481
+ "type": "variant",
2482
+ "priority": 5
2483
+ },
2484
+ {
2485
+ "id": "content_security_policy_report_only",
2486
+ "name": "Content-Security-Policy-Report-Only",
2487
+ "type": "variant",
2488
+ "priority": 5
2489
+ },
2490
+ {
2491
+ "id": "public_key_pins",
2492
+ "name": "Public-Key-Pins",
2493
+ "type": "variant",
2494
+ "priority": 5
2495
+ },
2496
+ {
2497
+ "id": "strict_transport_security",
2498
+ "name": "Strict-Transport-Security",
2499
+ "type": "variant",
2500
+ "priority": 5
2501
+ },
2502
+ {
2503
+ "id": "x_content_security_policy",
2504
+ "name": "X-Content-Security-Policy",
2505
+ "type": "variant",
2506
+ "priority": 5
2507
+ },
2508
+ {
2509
+ "id": "x_content_type_options",
2510
+ "name": "X-Content-Type-Options",
2511
+ "type": "variant",
2512
+ "priority": 5
2513
+ },
2514
+ {
2515
+ "id": "x_frame_options",
2516
+ "name": "X-Frame-Options",
2517
+ "type": "variant",
2518
+ "priority": 5
2519
+ },
2520
+ {
2521
+ "id": "x_webkit_csp",
2522
+ "name": "X-Webkit-CSP",
2523
+ "type": "variant",
2524
+ "priority": 5
2525
+ },
2526
+ {
2527
+ "id": "x_xss_protection",
2528
+ "name": "X-XSS-Protection",
2529
+ "type": "variant",
2530
+ "priority": 5
2531
+ }
2532
+ ]
2533
+ },
2534
+ {
2535
+ "id": "mail_server_misconfiguration",
2536
+ "name": "Mail Server Misconfiguration",
2537
+ "type": "subcategory",
2538
+ "children": [
2539
+ {
2540
+ "id": "email_spoofing_on_non_email_domain",
2541
+ "name": "Email Spoofing on Non-Email Domain",
2542
+ "type": "variant",
2543
+ "priority": 5
2544
+ },
2545
+ {
2546
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
2547
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
2548
+ "type": "variant",
2549
+ "priority": 4
2550
+ },
2551
+ {
2552
+ "id": "email_spoofing_to_spam_folder",
2553
+ "name": "Email Spoofing to Spam Folder",
2554
+ "type": "variant",
2555
+ "priority": 5
2556
+ },
2557
+ {
2558
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
2559
+ "name": "Missing or Misconfigured SPF and/or DKIM",
2560
+ "type": "variant",
2561
+ "priority": 5
2562
+ },
2563
+ {
2564
+ "id": "no_spoofing_protection_on_email_domain",
2565
+ "name": "No Spoofing Protection on Email Domain",
2566
+ "type": "variant",
2567
+ "priority": 3
2568
+ }
2569
+ ]
2570
+ },
2571
+ {
2572
+ "id": "misconfigured_dns",
2573
+ "name": "Misconfigured DNS",
2574
+ "type": "subcategory",
2575
+ "children": [
2576
+ {
2577
+ "id": "missing_caa_record",
2578
+ "name": "Missing Certification Authority Authorization (CAA) Record",
2579
+ "type": "variant",
2580
+ "priority": 5
2581
+ },
2582
+ {
2583
+ "id": "subdomain_takeover",
2584
+ "name": "Subdomain Takeover",
2585
+ "type": "variant",
2586
+ "priority": 3
2587
+ },
2588
+ {
2589
+ "id": "zone_transfer",
2590
+ "name": "Zone Transfer",
2591
+ "type": "variant",
2592
+ "priority": 4
2593
+ }
2594
+ ]
2595
+ },
2596
+ {
2597
+ "id": "missing_dnssec",
2598
+ "name": "Missing DNSSEC",
2599
+ "type": "subcategory",
2600
+ "priority": 5
2601
+ },
2602
+ {
2603
+ "id": "missing_secure_or_httponly_cookie_flag",
2604
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
2605
+ "type": "subcategory",
2606
+ "children": [
2607
+ {
2608
+ "id": "non_session_cookie",
2609
+ "name": "Non-Session Cookie",
2610
+ "type": "variant",
2611
+ "priority": 5
2612
+ },
2613
+ {
2614
+ "id": "session_token",
2615
+ "name": "Session Token",
2616
+ "type": "variant",
2617
+ "priority": 4
2618
+ }
2619
+ ]
2620
+ },
2621
+ {
2622
+ "id": "missing_subresource_integrity",
2623
+ "name": "Missing Subresource Integrity",
2624
+ "type": "subcategory",
2625
+ "priority": 5
2626
+ },
2627
+ {
2628
+ "id": "no_rate_limiting_on_form",
2629
+ "name": "No Rate Limiting on Form",
2630
+ "type": "subcategory",
2631
+ "children": [
2632
+ {
2633
+ "id": "change_password",
2634
+ "name": "Change Password",
2635
+ "type": "variant",
2636
+ "priority": 5
2637
+ },
2638
+ {
2639
+ "id": "email_triggering",
2640
+ "name": "Email-Triggering",
2641
+ "type": "variant",
2642
+ "priority": 4
2643
+ },
2644
+ {
2645
+ "id": "login",
2646
+ "name": "Login",
2647
+ "type": "variant",
2648
+ "priority": 4
2649
+ },
2650
+ {
2651
+ "id": "registration",
2652
+ "name": "Registration",
2653
+ "type": "variant",
2654
+ "priority": 4
2655
+ },
2656
+ {
2657
+ "id": "sms_triggering",
2658
+ "name": "SMS-Triggering",
2659
+ "type": "variant",
2660
+ "priority": 4
2661
+ }
2662
+ ]
2663
+ },
2664
+ {
2665
+ "id": "oauth_misconfiguration",
2666
+ "name": "OAuth Misconfiguration",
2667
+ "type": "subcategory",
2668
+ "children": [
2669
+ {
2670
+ "id": "account_squatting",
2671
+ "name": "Account Squatting",
2672
+ "type": "variant",
2673
+ "priority": 4
2674
+ },
2675
+ {
2676
+ "id": "account_takeover",
2677
+ "name": "Account Takeover",
2678
+ "type": "variant",
2679
+ "priority": 2
2680
+ },
2681
+ {
2682
+ "id": "insecure_redirect_uri",
2683
+ "name": "Insecure Redirect URI",
2684
+ "type": "variant",
2685
+ "priority": null
2686
+ },
2687
+ {
2688
+ "id": "missing_state_parameter",
2689
+ "name": "Missing/Broken State Parameter",
2690
+ "type": "variant",
2691
+ "priority": null
2692
+ }
2693
+ ]
2694
+ },
2695
+ {
2696
+ "id": "path_traversal",
2697
+ "name": "Path Traversal",
2698
+ "type": "subcategory",
2699
+ "priority": null
2700
+ },
2701
+ {
2702
+ "id": "potentially_unsafe_http_method_enabled",
2703
+ "name": "Potentially Unsafe HTTP Method Enabled",
2704
+ "type": "subcategory",
2705
+ "children": [
2706
+ {
2707
+ "id": "options",
2708
+ "name": "OPTIONS",
2709
+ "type": "variant",
2710
+ "priority": 5
2711
+ },
2712
+ {
2713
+ "id": "trace",
2714
+ "name": "TRACE",
2715
+ "type": "variant",
2716
+ "priority": 5
2717
+ }
2718
+ ]
2719
+ },
2720
+ {
2721
+ "id": "race_condition",
2722
+ "name": "Race Condition",
2723
+ "type": "subcategory",
2724
+ "priority": null
2725
+ },
2726
+ {
2727
+ "id": "request_smuggling",
2728
+ "name": "HTTP Request Smuggling",
2729
+ "type": "subcategory",
2730
+ "priority": null
2731
+ },
2732
+ {
2733
+ "id": "rfd",
2734
+ "name": "Reflected File Download (RFD)",
2735
+ "type": "subcategory",
2736
+ "priority": 5
2737
+ },
2738
+ {
2739
+ "id": "same_site_scripting",
2740
+ "name": "Same-Site Scripting",
2741
+ "type": "subcategory",
2742
+ "priority": 5
2743
+ },
2744
+ {
2745
+ "id": "server_side_request_forgery_ssrf",
2746
+ "name": "Server-Side Request Forgery (SSRF)",
2747
+ "type": "subcategory",
2748
+ "children": [
2749
+ {
2750
+ "id": "external_dns_query_only",
2751
+ "name": "External - DNS Query Only",
2752
+ "type": "variant",
2753
+ "priority": 5
2754
+ },
2755
+ {
2756
+ "id": "external_low_impact",
2757
+ "name": "External - Low impact",
2758
+ "type": "variant",
2759
+ "priority": 5
2760
+ },
2761
+ {
2762
+ "id": "internal_high_impact",
2763
+ "name": "Internal High Impact",
2764
+ "type": "variant",
2765
+ "priority": 2
2766
+ },
2767
+ {
2768
+ "id": "internal_scan_and_or_medium_impact",
2769
+ "name": "Internal Scan and/or Medium Impact",
2770
+ "type": "variant",
2771
+ "priority": 3
2772
+ }
2773
+ ]
2774
+ },
2775
+ {
2776
+ "id": "software_package_takeover",
2777
+ "name": "Software Package Takeover",
2778
+ "type": "subcategory",
2779
+ "priority": null
2780
+ },
2781
+ {
2782
+ "id": "ssl_attack_breach_poodle_etc",
2783
+ "name": "SSL Attack (BREACH, POODLE etc.)",
2784
+ "type": "subcategory",
2785
+ "priority": null
2786
+ },
2787
+ {
2788
+ "id": "unsafe_cross_origin_resource_sharing",
2789
+ "name": "Unsafe Cross-Origin Resource Sharing",
2790
+ "type": "subcategory",
2791
+ "priority": null
2792
+ },
2793
+ {
2794
+ "id": "unsafe_file_upload",
2795
+ "name": "Unsafe File Upload",
2796
+ "type": "subcategory",
2797
+ "children": [
2798
+ {
2799
+ "id": "file_extension_filter_bypass",
2800
+ "name": "File Extension Filter Bypass",
2801
+ "type": "variant",
2802
+ "priority": 5
2803
+ },
2804
+ {
2805
+ "id": "no_antivirus",
2806
+ "name": "No Antivirus",
2807
+ "type": "variant",
2808
+ "priority": 5
2809
+ },
2810
+ {
2811
+ "id": "no_size_limit",
2812
+ "name": "No Size Limit",
2813
+ "type": "variant",
2814
+ "priority": 5
2815
+ }
2816
+ ]
2817
+ },
2818
+ {
2819
+ "id": "username_enumeration",
2820
+ "name": "Username/Email Enumeration",
2821
+ "type": "subcategory",
2822
+ "children": [
2823
+ {
2824
+ "id": "brute_force",
2825
+ "name": "Brute Force",
2826
+ "type": "variant",
2827
+ "priority": 5
2828
+ }
2829
+ ]
2830
+ },
2831
+ {
2832
+ "id": "using_default_credentials",
2833
+ "name": "Using Default Credentials",
2834
+ "type": "subcategory",
2835
+ "priority": 1
2836
+ },
2837
+ {
2838
+ "id": "waf_bypass",
2839
+ "name": "Web Application Firewall (WAF) Bypass",
2840
+ "type": "subcategory",
2841
+ "children": [
2842
+ {
2843
+ "id": "direct_server_access",
2844
+ "name": "Direct Server Access",
2845
+ "type": "variant",
2846
+ "priority": 4
2847
+ }
2848
+ ]
2849
+ }
2850
+ ]
2851
+ },
2852
+ {
2853
+ "id": "server_side_injection",
2854
+ "name": "Server-Side Injection",
2855
+ "type": "category",
2856
+ "children": [
2857
+ {
2858
+ "id": "content_spoofing",
2859
+ "name": "Content Spoofing",
2860
+ "type": "subcategory",
2861
+ "children": [
2862
+ {
2863
+ "id": "email_html_injection",
2864
+ "name": "Email HTML Injection",
2865
+ "type": "variant",
2866
+ "priority": 4
2867
+ },
2868
+ {
2869
+ "id": "email_hyperlink_injection_based_on_email_provider",
2870
+ "name": "Email Hyperlink Injection Based on Email Provider",
2871
+ "type": "variant",
2872
+ "priority": 5
2873
+ },
2874
+ {
2875
+ "id": "external_authentication_injection",
2876
+ "name": "External Authentication Injection",
2877
+ "type": "variant",
2878
+ "priority": 4
2879
+ },
2880
+ {
2881
+ "id": "flash_based_external_authentication_injection",
2882
+ "name": "Flash Based External Authentication Injection",
2883
+ "type": "variant",
2884
+ "priority": 5
2885
+ },
2886
+ {
2887
+ "id": "homograph_idn_based",
2888
+ "name": "Homograph/IDN-Based",
2889
+ "type": "variant",
2890
+ "priority": 5
2891
+ },
2892
+ {
2893
+ "id": "html_content_injection",
2894
+ "name": "HTML Content Injection",
2895
+ "type": "variant",
2896
+ "priority": 5
2897
+ },
2898
+ {
2899
+ "id": "iframe_injection",
2900
+ "name": "iframe Injection",
2901
+ "type": "variant",
2902
+ "priority": 3
2903
+ },
2904
+ {
2905
+ "id": "impersonation_via_broken_link_hijacking",
2906
+ "name": "Impersonation via Broken Link Hijacking",
2907
+ "type": "variant",
2908
+ "priority": 4
2909
+ },
2910
+ {
2911
+ "id": "rtlo",
2912
+ "name": "Right-to-Left Override (RTLO)",
2913
+ "type": "variant",
2914
+ "priority": 5
2915
+ },
2916
+ {
2917
+ "id": "text_injection",
2918
+ "name": "Text Injection",
2919
+ "type": "variant",
2920
+ "priority": 5
2921
+ }
2922
+ ]
2923
+ },
2924
+ {
2925
+ "id": "file_inclusion",
2926
+ "name": "File Inclusion",
2927
+ "type": "subcategory",
2928
+ "children": [
2929
+ {
2930
+ "id": "local",
2931
+ "name": "Local",
2932
+ "type": "variant",
2933
+ "priority": 1
2934
+ }
2935
+ ]
2936
+ },
2937
+ {
2938
+ "id": "http_response_manipulation",
2939
+ "name": "HTTP Response Manipulation",
2940
+ "type": "subcategory",
2941
+ "children": [
2942
+ {
2943
+ "id": "response_splitting_crlf",
2944
+ "name": "Response Splitting (CRLF)",
2945
+ "type": "variant",
2946
+ "priority": 3
2947
+ }
2948
+ ]
2949
+ },
2950
+ {
2951
+ "id": "ldap_injection",
2952
+ "name": "LDAP Injection",
2953
+ "type": "subcategory",
2954
+ "priority": null
2955
+ },
2956
+ {
2957
+ "id": "parameter_pollution",
2958
+ "name": "Parameter Pollution",
2959
+ "type": "subcategory",
2960
+ "children": [
2961
+ {
2962
+ "id": "social_media_sharing_buttons",
2963
+ "name": "Social Media Sharing Buttons",
2964
+ "type": "variant",
2965
+ "priority": 5
2966
+ }
2967
+ ]
2968
+ },
2969
+ {
2970
+ "id": "remote_code_execution_rce",
2971
+ "name": "Remote Code Execution (RCE)",
2972
+ "type": "subcategory",
2973
+ "priority": 1
2974
+ },
2975
+ {
2976
+ "id": "sql_injection",
2977
+ "name": "SQL Injection",
2978
+ "type": "subcategory",
2979
+ "priority": 1
2980
+ },
2981
+ {
2982
+ "id": "ssti",
2983
+ "name": "Server-Side Template Injection (SSTI)",
2984
+ "type": "subcategory",
2985
+ "children": [
2986
+ {
2987
+ "id": "basic",
2988
+ "name": "Basic",
2989
+ "type": "variant",
2990
+ "priority": 4
2991
+ },
2992
+ {
2993
+ "id": "custom",
2994
+ "name": "Custom",
2995
+ "type": "variant",
2996
+ "priority": null
2997
+ }
2998
+ ]
2999
+ },
3000
+ {
3001
+ "id": "xml_external_entity_injection_xxe",
3002
+ "name": "XML External Entity Injection (XXE)",
3003
+ "type": "subcategory",
3004
+ "priority": 1
3005
+ }
3006
+ ]
3007
+ },
3008
+ {
3009
+ "id": "smart_contract_misconfiguration",
3010
+ "name": "Smart Contract Misconfiguration",
3011
+ "type": "category",
3012
+ "children": [
3013
+ {
3014
+ "id": "bypass_of_function_modifiers_and_checks",
3015
+ "name": "Bypass of Function Modifiers and Checks",
3016
+ "type": "subcategory",
3017
+ "priority": null
3018
+ },
3019
+ {
3020
+ "id": "function_level_denial_of_service",
3021
+ "name": "Function-level Denial of Service",
3022
+ "type": "subcategory",
3023
+ "priority": 3
3024
+ },
3025
+ {
3026
+ "id": "improper_decimals_implementation",
3027
+ "name": "Improper Decimals Implementation",
3028
+ "type": "subcategory",
3029
+ "priority": 4
3030
+ },
3031
+ {
3032
+ "id": "improper_fee_implementation",
3033
+ "name": "Improper Fee Implementation",
3034
+ "type": "subcategory",
3035
+ "priority": 3
3036
+ },
3037
+ {
3038
+ "id": "improper_use_of_modifier",
3039
+ "name": "Improper Use of Modifier",
3040
+ "type": "subcategory",
3041
+ "priority": 4
3042
+ },
3043
+ {
3044
+ "id": "inaccurate_rounding_calculation",
3045
+ "name": "Inaccurate Rounding Calculation",
3046
+ "type": "subcategory",
3047
+ "priority": null
3048
+ },
3049
+ {
3050
+ "id": "integer_overflow_underflow",
3051
+ "name": "Integer Overflow / Underflow",
3052
+ "type": "subcategory",
3053
+ "priority": 2
3054
+ },
3055
+ {
3056
+ "id": "irreversible_function_call",
3057
+ "name": "Irreversible Function Call",
3058
+ "type": "subcategory",
3059
+ "priority": 3
3060
+ },
3061
+ {
3062
+ "id": "malicious_superuser_risk",
3063
+ "name": "Malicious Superuser Risk",
3064
+ "type": "subcategory",
3065
+ "priority": 3
3066
+ },
3067
+ {
3068
+ "id": "reentrancy_attack",
3069
+ "name": "Reentrancy Attack",
3070
+ "type": "subcategory",
3071
+ "priority": 1
3072
+ },
3073
+ {
3074
+ "id": "smart_contract_owner_takeover",
3075
+ "name": "Smart Contract Owner Takeover",
3076
+ "type": "subcategory",
3077
+ "priority": 1
3078
+ },
3079
+ {
3080
+ "id": "unauthorized_smart_contract_approval",
3081
+ "name": "Unauthorized Smart Contract Approval",
3082
+ "type": "subcategory",
3083
+ "priority": 2
3084
+ },
3085
+ {
3086
+ "id": "unauthorized_transfer_of_funds",
3087
+ "name": "Unauthorized Transfer of Funds",
3088
+ "type": "subcategory",
3089
+ "priority": 1
3090
+ },
3091
+ {
3092
+ "id": "uninitialized_variables",
3093
+ "name": "Uninitialized Variables",
3094
+ "type": "subcategory",
3095
+ "priority": 1
3096
+ }
3097
+ ]
3098
+ },
3099
+ {
3100
+ "id": "societal_biases",
3101
+ "name": "Societal Biases",
3102
+ "type": "category",
3103
+ "children": [
3104
+ {
3105
+ "id": "confirmation_bias",
3106
+ "name": "Confirmation Bias",
3107
+ "type": "subcategory",
3108
+ "priority": null
3109
+ },
3110
+ {
3111
+ "id": "systemic_bias",
3112
+ "name": "Systemic Bias",
3113
+ "type": "subcategory",
3114
+ "priority": null
3115
+ }
3116
+ ]
3117
+ },
3118
+ {
3119
+ "id": "unvalidated_redirects_and_forwards",
3120
+ "name": "Unvalidated Redirects and Forwards",
3121
+ "type": "category",
3122
+ "children": [
3123
+ {
3124
+ "id": "lack_of_security_speed_bump_page",
3125
+ "name": "Lack of Security Speed Bump Page",
3126
+ "type": "subcategory",
3127
+ "priority": 5
3128
+ },
3129
+ {
3130
+ "id": "open_redirect",
3131
+ "name": "Open Redirect",
3132
+ "type": "subcategory",
3133
+ "children": [
3134
+ {
3135
+ "id": "flash_based",
3136
+ "name": "Flash-Based",
3137
+ "type": "variant",
3138
+ "priority": 5
3139
+ },
3140
+ {
3141
+ "id": "get_based",
3142
+ "name": "GET-Based",
3143
+ "type": "variant",
3144
+ "priority": 4
3145
+ },
3146
+ {
3147
+ "id": "header_based",
3148
+ "name": "Header-Based",
3149
+ "type": "variant",
3150
+ "priority": 5
3151
+ },
3152
+ {
3153
+ "id": "post_based",
3154
+ "name": "POST-Based",
3155
+ "type": "variant",
3156
+ "priority": 5
3157
+ }
3158
+ ]
3159
+ },
3160
+ {
3161
+ "id": "tabnabbing",
3162
+ "name": "Tabnabbing",
3163
+ "type": "subcategory",
3164
+ "priority": 5
3165
+ }
3166
+ ]
3167
+ },
3168
+ {
3169
+ "id": "using_components_with_known_vulnerabilities",
3170
+ "name": "Using Components with Known Vulnerabilities",
3171
+ "type": "category",
3172
+ "children": [
3173
+ {
3174
+ "id": "captcha_bypass",
3175
+ "name": "Captcha Bypass",
3176
+ "type": "subcategory",
3177
+ "children": [
3178
+ {
3179
+ "id": "ocr_optical_character_recognition",
3180
+ "name": "OCR (Optical Character Recognition)",
3181
+ "type": "variant",
3182
+ "priority": 5
3183
+ }
3184
+ ]
3185
+ },
3186
+ {
3187
+ "id": "outdated_software_version",
3188
+ "name": "Outdated Software Version",
3189
+ "type": "subcategory",
3190
+ "priority": 5
3191
+ },
3192
+ {
3193
+ "id": "rosetta_flash",
3194
+ "name": "Rosetta Flash",
3195
+ "type": "subcategory",
3196
+ "priority": 5
3197
+ }
3198
+ ]
3199
+ },
3200
+ {
3201
+ "id": "zero_knowledge_security_misconfiguration",
3202
+ "name": "Zero Knowledge Security Misconfiguration",
3203
+ "type": "category",
3204
+ "children": [
3205
+ {
3206
+ "id": "deanonymization_of_data",
3207
+ "name": "Deanonymization of Data",
3208
+ "type": "subcategory",
3209
+ "priority": 1
3210
+ },
3211
+ {
3212
+ "id": "improper_proof_validation_and_finalization_logic",
3213
+ "name": "Improper Proof Validation and Finalization Logic",
3214
+ "type": "subcategory",
3215
+ "priority": 1
3216
+ },
3217
+ {
3218
+ "id": "misconfigured_trusted_setup",
3219
+ "name": "Misconfigured Trusted Setup",
3220
+ "type": "subcategory",
3221
+ "priority": null
3222
+ },
3223
+ {
3224
+ "id": "mismatching_bit_lengths",
3225
+ "name": "Mismatching Bit Lengths",
3226
+ "type": "subcategory",
3227
+ "priority": null
3228
+ },
3229
+ {
3230
+ "id": "missing_constraint",
3231
+ "name": "Missing Constraint",
3232
+ "type": "subcategory",
3233
+ "priority": null
3234
+ },
3235
+ {
3236
+ "id": "missing_range_check",
3237
+ "name": "Missing Range Check",
3238
+ "type": "subcategory",
3239
+ "priority": null
3240
+ }
3241
+ ]
3242
+ }
3243
+ ]
3244
+ }