vrt 0.13.7 → 0.13.8

Files changed (28) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.18.1/deprecated-node-mapping.json +341 -0
  3. data/lib/data/1.18.1/mappings/cvss_v3/cvss_v3.json +1602 -0
  4. data/lib/data/1.18.1/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.18.1/mappings/cvss_v4/cvss_v4.json +2521 -0
  6. data/lib/data/1.18.1/mappings/cvss_v4/cvss_v4.schema.json +62 -0
  7. data/lib/data/1.18.1/mappings/cwe/cwe.json +1363 -0
  8. data/lib/data/1.18.1/mappings/cwe/cwe.schema.json +63 -0
  9. data/lib/data/1.18.1/mappings/remediation_advice/remediation_advice.json +2300 -0
  10. data/lib/data/1.18.1/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  11. data/lib/data/1.18.1/scw_links.json +583 -0
  12. data/lib/data/1.18.1/third-party-mappings/remediation_training/secure-code-warrior-links.json +583 -0
  13. data/lib/data/1.18.1/vrt.schema.json +63 -0
  14. data/lib/data/1.18.1/vulnerability-rating-taxonomy.json +3638 -0
  15. data/lib/data/1.19/deprecated-node-mapping.json +341 -0
  16. data/lib/data/1.19/mappings/cvss_v3/cvss_v3.json +1602 -0
  17. data/lib/data/1.19/mappings/cvss_v3/cvss_v3.schema.json +59 -0
  18. data/lib/data/1.19/mappings/cvss_v4/cvss_v4.json +2521 -0
  19. data/lib/data/1.19/mappings/cvss_v4/cvss_v4.schema.json +62 -0
  20. data/lib/data/1.19/mappings/cwe/cwe.json +1363 -0
  21. data/lib/data/1.19/mappings/cwe/cwe.schema.json +63 -0
  22. data/lib/data/1.19/mappings/remediation_advice/remediation_advice.json +2300 -0
  23. data/lib/data/1.19/mappings/remediation_advice/remediation_advice.schema.json +75 -0
  24. data/lib/data/1.19/third-party-mappings/remediation_training/secure-code-warrior-links.json +583 -0
  25. data/lib/data/1.19/vrt.schema.json +63 -0
  26. data/lib/data/1.19/vulnerability-rating-taxonomy.json +3638 -0
  27. data/lib/vrt/version.rb +1 -1
  28. metadata +28 -3
@@ -0,0 +1,3638 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2026-04-20T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "ai_application_security",
8
+ "name": "AI Application Security",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "adversarial_example_injection",
13
+ "name": "Adversarial Example Injection",
14
+ "type": "subcategory",
15
+ "children": [
16
+ {
17
+ "id": "ai_misclassification_attacks",
18
+ "name": "AI Misclassification Attacks",
19
+ "type": "variant",
20
+ "priority": 4
21
+ }
22
+ ]
23
+ },
24
+ {
25
+ "id": "ai_safety",
26
+ "name": "AI Safety",
27
+ "type": "subcategory",
28
+ "children": [
29
+ {
30
+ "id": "misinformation_wrong_factual_data",
31
+ "name": "Misinformation / Wrong Factual Data",
32
+ "type": "variant",
33
+ "priority": 4
34
+ }
35
+ ]
36
+ },
37
+ {
38
+ "id": "denial_of_service_dos",
39
+ "name": "Denial-of-Service (DoS)",
40
+ "type": "subcategory",
41
+ "children": [
42
+ {
43
+ "id": "application_wide",
44
+ "name": "Application-Wide",
45
+ "type": "variant",
46
+ "priority": 2
47
+ },
48
+ {
49
+ "id": "tenant_scoped",
50
+ "name": "Tenant-Scoped",
51
+ "type": "variant",
52
+ "priority": 4
53
+ }
54
+ ]
55
+ },
56
+ {
57
+ "id": "improper_input_handling",
58
+ "name": "Improper Input Handling",
59
+ "type": "subcategory",
60
+ "children": [
61
+ {
62
+ "id": "ansi_escape_codes",
63
+ "name": "ANSI Escape Codes",
64
+ "type": "variant",
65
+ "priority": 5
66
+ },
67
+ {
68
+ "id": "rtl_overrides",
69
+ "name": "RTL Overrides",
70
+ "type": "variant",
71
+ "priority": 5
72
+ },
73
+ {
74
+ "id": "unicode_confusables",
75
+ "name": "Unicode Confusables",
76
+ "type": "variant",
77
+ "priority": 5
78
+ }
79
+ ]
80
+ },
81
+ {
82
+ "id": "improper_output_handling",
83
+ "name": "Improper Output Handling",
84
+ "type": "subcategory",
85
+ "children": [
86
+ {
87
+ "id": "cross_site_scripting_xss",
88
+ "name": "Cross-Site Scripting (XSS)",
89
+ "type": "variant",
90
+ "priority": 3
91
+ },
92
+ {
93
+ "id": "markdown_html_injection",
94
+ "name": "Markdown/HTML Injection",
95
+ "type": "variant",
96
+ "priority": 4
97
+ }
98
+ ]
99
+ },
100
+ {
101
+ "id": "insufficient_rate_limiting",
102
+ "name": "Insufficient Rate Limiting",
103
+ "type": "subcategory",
104
+ "children": [
105
+ {
106
+ "id": "query_flooding_api_token_abuse",
107
+ "name": "Query Flooding / API Token Abuse",
108
+ "type": "variant",
109
+ "priority": 4
110
+ }
111
+ ]
112
+ },
113
+ {
114
+ "id": "model_extraction",
115
+ "name": "Model Extraction",
116
+ "type": "subcategory",
117
+ "children": [
118
+ {
119
+ "id": "api_query_based_model_reconstruction",
120
+ "name": "API Query-Based Model Reconstruction",
121
+ "type": "variant",
122
+ "priority": 1
123
+ }
124
+ ]
125
+ },
126
+ {
127
+ "id": "prompt_injection",
128
+ "name": "Prompt Injection",
129
+ "type": "subcategory",
130
+ "children": [
131
+ {
132
+ "id": "system_prompt_leakage",
133
+ "name": "System Prompt Leakage",
134
+ "type": "variant",
135
+ "priority": 2
136
+ }
137
+ ]
138
+ },
139
+ {
140
+ "id": "remote_code_execution",
141
+ "name": "Remote Code Execution",
142
+ "type": "subcategory",
143
+ "children": [
144
+ {
145
+ "id": "full_system_compromise",
146
+ "name": "Full System Compromise",
147
+ "type": "variant",
148
+ "priority": 1
149
+ },
150
+ {
151
+ "id": "sandboxed_container_code_execution",
152
+ "name": "Sandboxed Container Code Execution",
153
+ "type": "variant",
154
+ "priority": 2
155
+ }
156
+ ]
157
+ },
158
+ {
159
+ "id": "sensitive_information_disclosure",
160
+ "name": "Sensitive Information Disclosure",
161
+ "type": "subcategory",
162
+ "children": [
163
+ {
164
+ "id": "cross_tenant_pii_leakage_exposure",
165
+ "name": "Cross-Tenant PII Leakage/Exposure",
166
+ "type": "variant",
167
+ "priority": 1
168
+ },
169
+ {
170
+ "id": "key_leak",
171
+ "name": "Key Leak",
172
+ "type": "variant",
173
+ "priority": 1
174
+ }
175
+ ]
176
+ },
177
+ {
178
+ "id": "training_data_poisoning",
179
+ "name": "Training Data Poisoning",
180
+ "type": "subcategory",
181
+ "children": [
182
+ {
183
+ "id": "backdoor_injection_bias_manipulation",
184
+ "name": "Backdoor Injection / Bias Manipulation",
185
+ "type": "variant",
186
+ "priority": 1
187
+ }
188
+ ]
189
+ },
190
+ {
191
+ "id": "vector_and_embedding_weaknesses",
192
+ "name": "Vector and Embedding Weaknesses",
193
+ "type": "subcategory",
194
+ "children": [
195
+ {
196
+ "id": "embedding_exfiltration_model_extraction",
197
+ "name": "Embedding Exfiltration / Model Extraction",
198
+ "type": "variant",
199
+ "priority": 2
200
+ },
201
+ {
202
+ "id": "semantic_indexing",
203
+ "name": "Semantic Indexing",
204
+ "type": "variant",
205
+ "priority": 3
206
+ }
207
+ ]
208
+ }
209
+ ]
210
+ },
211
+ {
212
+ "id": "algorithmic_biases",
213
+ "name": "Algorithmic Biases",
214
+ "type": "category",
215
+ "children": [
216
+ {
217
+ "id": "aggregation_bias",
218
+ "name": "Aggregation Bias",
219
+ "type": "subcategory",
220
+ "priority": null
221
+ },
222
+ {
223
+ "id": "processing_bias",
224
+ "name": "Processing Bias",
225
+ "type": "subcategory",
226
+ "priority": null
227
+ }
228
+ ]
229
+ },
230
+ {
231
+ "id": "application_level_denial_of_service_dos",
232
+ "name": "Application-Level Denial-of-Service (DoS)",
233
+ "type": "category",
234
+ "children": [
235
+ {
236
+ "id": "app_crash",
237
+ "name": "App Crash",
238
+ "type": "subcategory",
239
+ "children": [
240
+ {
241
+ "id": "malformed_android_intents",
242
+ "name": "Malformed Android Intents",
243
+ "type": "variant",
244
+ "priority": 5
245
+ },
246
+ {
247
+ "id": "malformed_ios_url_schemes",
248
+ "name": "Malformed iOS URL Schemes",
249
+ "type": "variant",
250
+ "priority": 5
251
+ }
252
+ ]
253
+ },
254
+ {
255
+ "id": "critical_impact_and_or_easy_difficulty",
256
+ "name": "Critical Impact and/or Easy Difficulty",
257
+ "type": "subcategory",
258
+ "priority": 2
259
+ },
260
+ {
261
+ "id": "excessive_resource_consumption",
262
+ "name": "Excessive Resource Consumption",
263
+ "type": "subcategory",
264
+ "children": [
265
+ {
266
+ "id": "injection_prompt",
267
+ "name": "Injection (Prompt)",
268
+ "type": "variant",
269
+ "priority": null
270
+ }
271
+ ]
272
+ },
273
+ {
274
+ "id": "high_impact_and_or_medium_difficulty",
275
+ "name": "High Impact and/or Medium Difficulty",
276
+ "type": "subcategory",
277
+ "priority": 3
278
+ }
279
+ ]
280
+ },
281
+ {
282
+ "id": "automotive_security_misconfiguration",
283
+ "name": "Automotive Security Misconfiguration",
284
+ "type": "category",
285
+ "children": [
286
+ {
287
+ "id": "abs",
288
+ "name": "Automatic Braking System (ABS)",
289
+ "type": "subcategory",
290
+ "children": [
291
+ {
292
+ "id": "unintended_acceleration_brake",
293
+ "name": "Unintended Acceleration / Brake",
294
+ "type": "variant",
295
+ "priority": 3
296
+ }
297
+ ]
298
+ },
299
+ {
300
+ "id": "battery_management_system",
301
+ "name": "Battery Management System",
302
+ "type": "subcategory",
303
+ "children": [
304
+ {
305
+ "id": "firmware_dump",
306
+ "name": "Firmware Dump",
307
+ "type": "variant",
308
+ "priority": 3
309
+ },
310
+ {
311
+ "id": "fraudulent_interface",
312
+ "name": "Fraudulent Interface",
313
+ "type": "variant",
314
+ "priority": 4
315
+ }
316
+ ]
317
+ },
318
+ {
319
+ "id": "can",
320
+ "name": "CAN",
321
+ "type": "subcategory",
322
+ "children": [
323
+ {
324
+ "id": "injection_basic_safety_message",
325
+ "name": "Injection (Basic Safety Message)",
326
+ "type": "variant",
327
+ "priority": 3
328
+ },
329
+ {
330
+ "id": "injection_battery_management_system",
331
+ "name": "Injection (Battery Management System)",
332
+ "type": "variant",
333
+ "priority": 3
334
+ },
335
+ {
336
+ "id": "injection_disallowed_messages",
337
+ "name": "Injection (Disallowed Messages)",
338
+ "type": "variant",
339
+ "priority": 4
340
+ },
341
+ {
342
+ "id": "injection_dos",
343
+ "name": "Injection (DoS)",
344
+ "type": "variant",
345
+ "priority": 4
346
+ },
347
+ {
348
+ "id": "injection_headlights",
349
+ "name": "Injection (Headlights)",
350
+ "type": "variant",
351
+ "priority": 3
352
+ },
353
+ {
354
+ "id": "injection_powertrain",
355
+ "name": "Injection (Powertrain)",
356
+ "type": "variant",
357
+ "priority": 3
358
+ },
359
+ {
360
+ "id": "injection_pyrotechnical_device_deployment_tool",
361
+ "name": "Injection (Pyrotechnical Device Deployment Tool)",
362
+ "type": "variant",
363
+ "priority": 3
364
+ },
365
+ {
366
+ "id": "injection_sensors",
367
+ "name": "Injection (Sensors)",
368
+ "type": "variant",
369
+ "priority": 3
370
+ },
371
+ {
372
+ "id": "injection_steering_control",
373
+ "name": "Injection (Steering Control)",
374
+ "type": "variant",
375
+ "priority": 3
376
+ },
377
+ {
378
+ "id": "injection_vehicle_anti_theft_systems",
379
+ "name": "Injection (Vehicle Anti-theft Systems)",
380
+ "type": "variant",
381
+ "priority": 3
382
+ }
383
+ ]
384
+ },
385
+ {
386
+ "id": "gnss_gps",
387
+ "name": "GNSS / GPS",
388
+ "type": "subcategory",
389
+ "children": [
390
+ {
391
+ "id": "spoofing",
392
+ "name": "Spoofing",
393
+ "type": "variant",
394
+ "priority": 4
395
+ }
396
+ ]
397
+ },
398
+ {
399
+ "id": "immobilizer",
400
+ "name": "Immobilizer",
401
+ "type": "subcategory",
402
+ "children": [
403
+ {
404
+ "id": "engine_start",
405
+ "name": "Engine Start",
406
+ "type": "variant",
407
+ "priority": 3
408
+ }
409
+ ]
410
+ },
411
+ {
412
+ "id": "infotainment_radio_head_unit",
413
+ "name": "Infotainment, Radio Head Unit",
414
+ "type": "subcategory",
415
+ "children": [
416
+ {
417
+ "id": "code_execution_can_bus_pivot",
418
+ "name": "Code Execution (CAN Bus Pivot)",
419
+ "type": "variant",
420
+ "priority": 2
421
+ },
422
+ {
423
+ "id": "code_execution_no_can_bus_pivot",
424
+ "name": "Code Execution (No CAN Bus Pivot)",
425
+ "type": "variant",
426
+ "priority": 3
427
+ },
428
+ {
429
+ "id": "default_credentials",
430
+ "name": "Default Credentials",
431
+ "type": "variant",
432
+ "priority": 4
433
+ },
434
+ {
435
+ "id": "dos_brick",
436
+ "name": "Denial of Service (DoS / Brick)",
437
+ "type": "variant",
438
+ "priority": 4
439
+ },
440
+ {
441
+ "id": "ota_firmware_manipulation",
442
+ "name": "OTA Firmware Manipulation",
443
+ "type": "variant",
444
+ "priority": 2
445
+ },
446
+ {
447
+ "id": "sensitive_data_leakage_exposure",
448
+ "name": "Sensitive data Leakage/Exposure",
449
+ "type": "variant",
450
+ "priority": 1
451
+ },
452
+ {
453
+ "id": "source_code_dump",
454
+ "name": "Source Code Dump",
455
+ "type": "variant",
456
+ "priority": 4
457
+ },
458
+ {
459
+ "id": "unauthorized_access_to_services",
460
+ "name": "Unauthorized Access to Services (API / Endpoints)",
461
+ "type": "variant",
462
+ "priority": 3
463
+ }
464
+ ]
465
+ },
466
+ {
467
+ "id": "rf_hub",
468
+ "name": "RF Hub",
469
+ "type": "subcategory",
470
+ "children": [
471
+ {
472
+ "id": "can_injection_interaction",
473
+ "name": "CAN Injection / Interaction",
474
+ "type": "variant",
475
+ "priority": 2
476
+ },
477
+ {
478
+ "id": "data_leakage_pull_encryption_mechanism",
479
+ "name": "Data Leakage / Pull Encryption Mechanism",
480
+ "type": "variant",
481
+ "priority": 3
482
+ },
483
+ {
484
+ "id": "key_fob_cloning",
485
+ "name": "Key Fob Cloning",
486
+ "type": "variant",
487
+ "priority": 1
488
+ },
489
+ {
490
+ "id": "relay",
491
+ "name": "Relay",
492
+ "type": "variant",
493
+ "priority": 5
494
+ },
495
+ {
496
+ "id": "replay",
497
+ "name": "Replay",
498
+ "type": "variant",
499
+ "priority": 5
500
+ },
501
+ {
502
+ "id": "roll_jam",
503
+ "name": "Roll Jam",
504
+ "type": "variant",
505
+ "priority": 5
506
+ },
507
+ {
508
+ "id": "unauthorized_access_turn_on",
509
+ "name": "Unauthorized Access / Turn On",
510
+ "type": "variant",
511
+ "priority": 4
512
+ }
513
+ ]
514
+ },
515
+ {
516
+ "id": "rsu",
517
+ "name": "Roadside Unit (RSU)",
518
+ "type": "subcategory",
519
+ "children": [
520
+ {
521
+ "id": "sybil_attack",
522
+ "name": "Sybil Attack",
523
+ "type": "variant",
524
+ "priority": 4
525
+ }
526
+ ]
527
+ }
528
+ ]
529
+ },
530
+ {
531
+ "id": "blockchain_infrastructure_misconfiguration",
532
+ "name": "Blockchain Infrastructure Misconfiguration",
533
+ "type": "category",
534
+ "children": [
535
+ {
536
+ "id": "improper_bridge_validation_and_verification_logic",
537
+ "name": "Improper Bridge Validation and Verification Logic",
538
+ "type": "subcategory",
539
+ "priority": null
540
+ }
541
+ ]
542
+ },
543
+ {
544
+ "id": "broken_access_control",
545
+ "name": "Broken Access Control (BAC)",
546
+ "type": "category",
547
+ "children": [
548
+ {
549
+ "id": "bypass_of_password_confirmation",
550
+ "name": "Bypass of Password Confirmation",
551
+ "type": "subcategory",
552
+ "children": [
553
+ {
554
+ "id": "change_password",
555
+ "name": "Change Password",
556
+ "type": "variant",
557
+ "priority": 4
558
+ }
559
+ ]
560
+ },
561
+ {
562
+ "id": "exposed_sensitive_android_intent",
563
+ "name": "Exposed Sensitive Android Intent",
564
+ "type": "subcategory",
565
+ "priority": null
566
+ },
567
+ {
568
+ "id": "exposed_sensitive_ios_url_scheme",
569
+ "name": "Exposed Sensitive iOS URL Scheme",
570
+ "type": "subcategory",
571
+ "priority": null
572
+ },
573
+ {
574
+ "id": "idor",
575
+ "name": "Insecure Direct Object References (IDOR)",
576
+ "type": "subcategory",
577
+ "children": [
578
+ {
579
+ "id": "modify_sensitive_information_iterable_object_identifiers",
580
+ "name": "Modify Sensitive Information(Iterable Object Identifiers)",
581
+ "type": "variant",
582
+ "priority": 2
583
+ },
584
+ {
585
+ "id": "modify_view_sensitive_information_guid",
586
+ "name": "Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID)",
587
+ "type": "variant",
588
+ "priority": 4
589
+ },
590
+ {
591
+ "id": "modify_view_sensitive_information_iterable_object_identifiers",
592
+ "name": "Modify/View Sensitive Information(Iterable Object Identifiers)",
593
+ "type": "variant",
594
+ "priority": 1
595
+ },
596
+ {
597
+ "id": "view_non_sensitive_information",
598
+ "name": "View Non-Sensitive Information",
599
+ "type": "variant",
600
+ "priority": 5
601
+ },
602
+ {
603
+ "id": "view_sensitive_information_iterable_object_identifiers",
604
+ "name": "View Sensitive Information(Iterable Object Identifiers)",
605
+ "type": "variant",
606
+ "priority": 3
607
+ }
608
+ ]
609
+ },
610
+ {
611
+ "id": "privilege_escalation",
612
+ "name": "Privilege Escalation",
613
+ "type": "subcategory",
614
+ "priority": null
615
+ },
616
+ {
617
+ "id": "username_enumeration",
618
+ "name": "Username/Email Enumeration",
619
+ "type": "subcategory",
620
+ "children": [
621
+ {
622
+ "id": "non_brute_force",
623
+ "name": "Non-Brute Force",
624
+ "type": "variant",
625
+ "priority": 4
626
+ }
627
+ ]
628
+ }
629
+ ]
630
+ },
631
+ {
632
+ "id": "broken_authentication_and_session_management",
633
+ "name": "Broken Authentication and Session Management",
634
+ "type": "category",
635
+ "children": [
636
+ {
637
+ "id": "authentication_bypass",
638
+ "name": "Authentication Bypass",
639
+ "type": "subcategory",
640
+ "priority": 1
641
+ },
642
+ {
643
+ "id": "cleartext_transmission_of_session_token",
644
+ "name": "Cleartext Transmission of Session Token",
645
+ "type": "subcategory",
646
+ "priority": 4
647
+ },
648
+ {
649
+ "id": "concurrent_logins",
650
+ "name": "Concurrent Logins",
651
+ "type": "subcategory",
652
+ "priority": 5
653
+ },
654
+ {
655
+ "id": "failure_to_invalidate_session",
656
+ "name": "Failure to Invalidate Session",
657
+ "type": "subcategory",
658
+ "children": [
659
+ {
660
+ "id": "all_sessions",
661
+ "name": "Concurrent Sessions On Logout",
662
+ "type": "variant",
663
+ "priority": 5
664
+ },
665
+ {
666
+ "id": "long_timeout",
667
+ "name": "Long Timeout",
668
+ "type": "variant",
669
+ "priority": 5
670
+ },
671
+ {
672
+ "id": "on_email_change",
673
+ "name": "On Email Change",
674
+ "type": "variant",
675
+ "priority": 5
676
+ },
677
+ {
678
+ "id": "on_logout",
679
+ "name": "On Logout (Client and Server-Side)",
680
+ "type": "variant",
681
+ "priority": 4
682
+ },
683
+ {
684
+ "id": "on_logout_server_side_only",
685
+ "name": "On Logout (Server-Side Only)",
686
+ "type": "variant",
687
+ "priority": 5
688
+ },
689
+ {
690
+ "id": "on_password_change",
691
+ "name": "On Password Reset and/or Change",
692
+ "type": "variant",
693
+ "priority": 4
694
+ },
695
+ {
696
+ "id": "on_two_fa_activation_change",
697
+ "name": "On 2FA Activation/Change",
698
+ "type": "variant",
699
+ "priority": 5
700
+ },
701
+ {
702
+ "id": "permission_change",
703
+ "name": "On Permission Change",
704
+ "type": "variant",
705
+ "priority": null
706
+ }
707
+ ]
708
+ },
709
+ {
710
+ "id": "saml_replay",
711
+ "name": "SAML Replay",
712
+ "type": "subcategory",
713
+ "priority": 5
714
+ },
715
+ {
716
+ "id": "session_fixation",
717
+ "name": "Session Fixation",
718
+ "type": "subcategory",
719
+ "children": [
720
+ {
721
+ "id": "local_attack_vector",
722
+ "name": "Local Attack Vector",
723
+ "type": "variant",
724
+ "priority": 5
725
+ },
726
+ {
727
+ "id": "remote_attack_vector",
728
+ "name": "Remote Attack Vector",
729
+ "type": "variant",
730
+ "priority": 3
731
+ }
732
+ ]
733
+ },
734
+ {
735
+ "id": "two_fa_bypass",
736
+ "name": "Second Factor Authentication (2FA) Bypass",
737
+ "type": "subcategory",
738
+ "priority": 3
739
+ },
740
+ {
741
+ "id": "weak_login_function",
742
+ "name": "Weak Login Function",
743
+ "type": "subcategory",
744
+ "children": [
745
+ {
746
+ "id": "not_operational",
747
+ "name": "Not Operational or Intended Public Access",
748
+ "type": "variant",
749
+ "priority": 5
750
+ },
751
+ {
752
+ "id": "other_plaintext_protocol_no_secure_alternative",
753
+ "name": "Other Plaintext Protocol with no Secure Alternative",
754
+ "type": "variant",
755
+ "priority": 4
756
+ },
757
+ {
758
+ "id": "over_http",
759
+ "name": "Over HTTP",
760
+ "type": "variant",
761
+ "priority": 4
762
+ }
763
+ ]
764
+ },
765
+ {
766
+ "id": "weak_registration_implementation",
767
+ "name": "Weak Registration Implementation",
768
+ "type": "subcategory",
769
+ "children": [
770
+ {
771
+ "id": "over_http",
772
+ "name": "Over HTTP",
773
+ "type": "variant",
774
+ "priority": 4
775
+ }
776
+ ]
777
+ },
778
+ {
779
+ "id": "excessive_jwt_lifetime",
780
+ "name": "Excessive JSON Web Token (JWT) Lifetime",
781
+ "type": "subcategory",
782
+ "priority": 5
783
+ },
784
+ {
785
+ "id": "secret_questions_account_verification",
786
+ "name": "Secret Questions Used for Account Verification",
787
+ "type": "subcategory",
788
+ "priority": 5
789
+ }
790
+ ]
791
+ },
792
+ {
793
+ "id": "client_side_injection",
794
+ "name": "Client-Side Injection",
795
+ "type": "category",
796
+ "children": [
797
+ {
798
+ "id": "binary_planting",
799
+ "name": "Binary Planting",
800
+ "type": "subcategory",
801
+ "children": [
802
+ {
803
+ "id": "no_privilege_escalation",
804
+ "name": "No Privilege Escalation",
805
+ "type": "variant",
806
+ "priority": 5
807
+ },
808
+ {
809
+ "id": "non_default_folder_privilege_escalation",
810
+ "name": "Non-Default Folder Privilege Escalation",
811
+ "type": "variant",
812
+ "priority": 5
813
+ },
814
+ {
815
+ "id": "privilege_escalation",
816
+ "name": "Default Folder Privilege Escalation",
817
+ "type": "variant",
818
+ "priority": 3
819
+ }
820
+ ]
821
+ }
822
+ ]
823
+ },
824
+ {
825
+ "id": "cloud_security",
826
+ "name": "Cloud Security",
827
+ "type": "category",
828
+ "children": [
829
+ {
830
+ "id": "identity_and_access_management_iam_misconfigurations",
831
+ "name": "Identity and Access Management (IAM) Misconfigurations",
832
+ "type": "subcategory",
833
+ "children": [
834
+ {
835
+ "id": "overly_permissive_iam_roles",
836
+ "name": "Overly Permissive IAM Roles",
837
+ "type": "variant",
838
+ "priority": 2
839
+ },
840
+ {
841
+ "id": "publicly_accessible_iam_credentials",
842
+ "name": "Publicly Accessible IAM Credentials",
843
+ "type": "variant",
844
+ "priority": 1
845
+ }
846
+ ]
847
+ },
848
+ {
849
+ "id": "logging_and_monitoring_issues",
850
+ "name": "Logging and Monitoring Issues",
851
+ "type": "subcategory",
852
+ "children": [
853
+ {
854
+ "id": "disabled_or_insufficient_logging",
855
+ "name": "Disabled or Insufficient Logging",
856
+ "type": "variant",
857
+ "priority": 5
858
+ }
859
+ ]
860
+ },
861
+ {
862
+ "id": "misconfigured_services_and_apis",
863
+ "name": "Misconfigured Services and APIs",
864
+ "type": "subcategory",
865
+ "children": [
866
+ {
867
+ "id": "exposed_debug_or_admin_interfaces",
868
+ "name": "Exposed Debug or Admin Interfaces",
869
+ "type": "variant",
870
+ "priority": null
871
+ },
872
+ {
873
+ "id": "insecure_api_endpoints",
874
+ "name": "Insecure API Endpoints",
875
+ "type": "variant",
876
+ "priority": 4
877
+ }
878
+ ]
879
+ },
880
+ {
881
+ "id": "network_configuration_issues",
882
+ "name": "Network Configuration Issues",
883
+ "type": "subcategory",
884
+ "children": [
885
+ {
886
+ "id": "lack_of_network_segmentation",
887
+ "name": "Lack of Network Segmentation",
888
+ "type": "variant",
889
+ "priority": 3
890
+ },
891
+ {
892
+ "id": "open_management_ports_to_the_internet",
893
+ "name": "Open Management Ports to the Internet",
894
+ "type": "variant",
895
+ "priority": 3
896
+ }
897
+ ]
898
+ },
899
+ {
900
+ "id": "storage_misconfigurations",
901
+ "name": "Storage Misconfigurations",
902
+ "type": "subcategory",
903
+ "children": [
904
+ {
905
+ "id": "publicly_accessible_cloud_storage",
906
+ "name": "Publicly Accessible Cloud Storage",
907
+ "type": "variant",
908
+ "priority": null
909
+ },
910
+ {
911
+ "id": "unencrypted_sensitive_data_at_rest",
912
+ "name": "Unencrypted Sensitive Data at Rest",
913
+ "type": "variant",
914
+ "priority": 2
915
+ }
916
+ ]
917
+ }
918
+ ]
919
+ },
920
+ {
921
+ "id": "cross_site_request_forgery_csrf",
922
+ "name": "Cross-Site Request Forgery (CSRF)",
923
+ "type": "category",
924
+ "children": [
925
+ {
926
+ "id": "action_specific",
927
+ "name": "Action-Specific",
928
+ "type": "subcategory",
929
+ "children": [
930
+ {
931
+ "id": "authenticated_action",
932
+ "name": "Authenticated Action",
933
+ "type": "variant",
934
+ "priority": null
935
+ },
936
+ {
937
+ "id": "logout",
938
+ "name": "Logout",
939
+ "type": "variant",
940
+ "priority": 5
941
+ },
942
+ {
943
+ "id": "unauthenticated_action",
944
+ "name": "Unauthenticated Action",
945
+ "type": "variant",
946
+ "priority": null
947
+ }
948
+ ]
949
+ },
950
+ {
951
+ "id": "application_wide",
952
+ "name": "Application-Wide",
953
+ "type": "subcategory",
954
+ "priority": 2
955
+ },
956
+ {
957
+ "id": "csrf_token_not_unique_per_request",
958
+ "name": "CSRF Token Not Unique Per Request",
959
+ "type": "subcategory",
960
+ "priority": 5
961
+ },
962
+ {
963
+ "id": "flash_based",
964
+ "name": "Flash-Based",
965
+ "type": "subcategory",
966
+ "priority": 5
967
+ }
968
+ ]
969
+ },
970
+ {
971
+ "id": "cross_site_scripting_xss",
972
+ "name": "Cross-Site Scripting (XSS)",
973
+ "type": "category",
974
+ "children": [
975
+ {
976
+ "id": "cookie_based",
977
+ "name": "Cookie-Based",
978
+ "type": "subcategory",
979
+ "priority": 5
980
+ },
981
+ {
982
+ "id": "flash_based",
983
+ "name": "Flash-Based",
984
+ "type": "subcategory",
985
+ "priority": 5
986
+ },
987
+ {
988
+ "id": "ie_only",
989
+ "name": "IE-Only",
990
+ "type": "subcategory",
991
+ "priority": 5
992
+ },
993
+ {
994
+ "id": "off_domain",
995
+ "name": "Off-Domain",
996
+ "type": "subcategory",
997
+ "children": [
998
+ {
999
+ "id": "data_uri",
1000
+ "name": "Data URI",
1001
+ "type": "variant",
1002
+ "priority": 4
1003
+ }
1004
+ ]
1005
+ },
1006
+ {
1007
+ "id": "referer",
1008
+ "name": "Referer",
1009
+ "type": "subcategory",
1010
+ "priority": 4
1011
+ },
1012
+ {
1013
+ "id": "reflected",
1014
+ "name": "Reflected",
1015
+ "type": "subcategory",
1016
+ "children": [
1017
+ {
1018
+ "id": "non_self",
1019
+ "name": "Non-Self",
1020
+ "type": "variant",
1021
+ "priority": 3
1022
+ },
1023
+ {
1024
+ "id": "self",
1025
+ "name": "Self",
1026
+ "type": "variant",
1027
+ "priority": 5
1028
+ }
1029
+ ]
1030
+ },
1031
+ {
1032
+ "id": "stored",
1033
+ "name": "Stored",
1034
+ "type": "subcategory",
1035
+ "children": [
1036
+ {
1037
+ "id": "non_admin_to_anyone",
1038
+ "name": "Non-Privileged User to Anyone",
1039
+ "type": "variant",
1040
+ "priority": 2
1041
+ },
1042
+ {
1043
+ "id": "privileged_user_to_no_privilege_elevation",
1044
+ "name": "Privileged User to No Privilege Elevation",
1045
+ "type": "variant",
1046
+ "priority": 4
1047
+ },
1048
+ {
1049
+ "id": "privileged_user_to_privilege_elevation",
1050
+ "name": "Privileged User to Privilege Elevation",
1051
+ "type": "variant",
1052
+ "priority": 3
1053
+ },
1054
+ {
1055
+ "id": "self",
1056
+ "name": "Self",
1057
+ "type": "variant",
1058
+ "priority": 5
1059
+ },
1060
+ {
1061
+ "id": "url_based",
1062
+ "name": "CSRF/URL-Based",
1063
+ "type": "variant",
1064
+ "priority": 3
1065
+ }
1066
+ ]
1067
+ },
1068
+ {
1069
+ "id": "trace_method",
1070
+ "name": "TRACE Method",
1071
+ "type": "subcategory",
1072
+ "priority": 5
1073
+ },
1074
+ {
1075
+ "id": "universal_uxss",
1076
+ "name": "Universal (UXSS)",
1077
+ "type": "subcategory",
1078
+ "priority": 4
1079
+ }
1080
+ ]
1081
+ },
1082
+ {
1083
+ "id": "cryptographic_weakness",
1084
+ "name": "Cryptographic Weakness",
1085
+ "type": "category",
1086
+ "children": [
1087
+ {
1088
+ "id": "broken_cryptography",
1089
+ "name": "Broken Cryptography",
1090
+ "type": "subcategory",
1091
+ "children": [
1092
+ {
1093
+ "id": "use_of_broken_cryptographic_primitive",
1094
+ "name": "Use of Broken Cryptographic Primitive",
1095
+ "type": "variant",
1096
+ "priority": 3
1097
+ },
1098
+ {
1099
+ "id": "use_of_vulnerable_cryptographic_library",
1100
+ "name": "Use of Vulnerable Cryptographic Library",
1101
+ "type": "variant",
1102
+ "priority": 4
1103
+ }
1104
+ ]
1105
+ },
1106
+ {
1107
+ "id": "incomplete_cleanup_of_keying_material",
1108
+ "name": "Incomplete Cleanup of Keying Material",
1109
+ "type": "subcategory",
1110
+ "priority": 5
1111
+ },
1112
+ {
1113
+ "id": "insecure_implementation",
1114
+ "name": "Insecure Implementation",
1115
+ "type": "subcategory",
1116
+ "children": [
1117
+ {
1118
+ "id": "improper_following_of_specification",
1119
+ "name": "Improper Following of Specification (Other)",
1120
+ "type": "variant",
1121
+ "priority": null
1122
+ },
1123
+ {
1124
+ "id": "missing_cryptographic_step",
1125
+ "name": "Missing Cryptographic Step",
1126
+ "type": "variant",
1127
+ "priority": null
1128
+ }
1129
+ ]
1130
+ },
1131
+ {
1132
+ "id": "insecure_key_generation",
1133
+ "name": "Insecure Key Generation",
1134
+ "type": "subcategory",
1135
+ "children": [
1136
+ {
1137
+ "id": "improper_asymmetric_exponent_selection",
1138
+ "name": "Improper Asymmetric Exponent Selection",
1139
+ "type": "variant",
1140
+ "priority": null
1141
+ },
1142
+ {
1143
+ "id": "improper_asymmetric_prime_selection",
1144
+ "name": "Improper Asymmetric Prime Selection",
1145
+ "type": "variant",
1146
+ "priority": null
1147
+ },
1148
+ {
1149
+ "id": "insufficient_key_space",
1150
+ "name": "Insufficient Key Space",
1151
+ "type": "variant",
1152
+ "priority": 3
1153
+ },
1154
+ {
1155
+ "id": "insufficient_key_stretching",
1156
+ "name": "Insufficient Key Stretching",
1157
+ "type": "variant",
1158
+ "priority": null
1159
+ },
1160
+ {
1161
+ "id": "key_exchange_without_entity_authentication",
1162
+ "name": "Key Exchage Without Entity Authentication",
1163
+ "type": "variant",
1164
+ "priority": 4
1165
+ }
1166
+ ]
1167
+ },
1168
+ {
1169
+ "id": "insufficient_entropy",
1170
+ "name": "Insufficient Entropy",
1171
+ "type": "subcategory",
1172
+ "children": [
1173
+ {
1174
+ "id": "initialization_vector_reuse",
1175
+ "name": "Initialization Vector (IV) Reuse",
1176
+ "type": "variant",
1177
+ "priority": 5
1178
+ },
1179
+ {
1180
+ "id": "limited_rng_entropy_source",
1181
+ "name": "Limited Random Number Generator (RNG) Entropy Source",
1182
+ "type": "variant",
1183
+ "priority": 4
1184
+ },
1185
+ {
1186
+ "id": "predictable_initialization_vector",
1187
+ "name": "Predictable Initialization Vector (IV)",
1188
+ "type": "variant",
1189
+ "priority": 4
1190
+ },
1191
+ {
1192
+ "id": "predictable_prng_seed",
1193
+ "name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
1194
+ "type": "variant",
1195
+ "priority": 4
1196
+ },
1197
+ {
1198
+ "id": "prng_seed_reuse",
1199
+ "name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
1200
+ "type": "variant",
1201
+ "priority": 5
1202
+ },
1203
+ {
1204
+ "id": "small_seed_space_in_prng",
1205
+ "name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
1206
+ "type": "variant",
1207
+ "priority": 4
1208
+ },
1209
+ {
1210
+ "id": "use_of_trng_for_nonsecurity_purpose",
1211
+ "name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
1212
+ "type": "variant",
1213
+ "priority": 5
1214
+ }
1215
+ ]
1216
+ },
1217
+ {
1218
+ "id": "insufficient_verification_of_data_authenticity",
1219
+ "name": "Insufficient Verification of Data Authenticity",
1220
+ "type": "subcategory",
1221
+ "children": [
1222
+ {
1223
+ "id": "cryptographic_signature",
1224
+ "name": "Cryptographic Signature",
1225
+ "type": "variant",
1226
+ "priority": null
1227
+ },
1228
+ {
1229
+ "id": "identity_check_value",
1230
+ "name": "Integrity Check Value (ICV)",
1231
+ "type": "variant",
1232
+ "priority": 4
1233
+ }
1234
+ ]
1235
+ },
1236
+ {
1237
+ "id": "key_reuse",
1238
+ "name": "Key Reuse",
1239
+ "type": "subcategory",
1240
+ "children": [
1241
+ {
1242
+ "id": "inter_environment",
1243
+ "name": "Inter-Environment",
1244
+ "type": "variant",
1245
+ "priority": 2
1246
+ },
1247
+ {
1248
+ "id": "intra_environment",
1249
+ "name": "Intra-Environment",
1250
+ "type": "variant",
1251
+ "priority": 5
1252
+ },
1253
+ {
1254
+ "id": "lack_of_perfect_forward_secrecy",
1255
+ "name": "Lack of Perfect Forward Secrecy",
1256
+ "type": "variant",
1257
+ "priority": 4
1258
+ }
1259
+ ]
1260
+ },
1261
+ {
1262
+ "id": "side_channel_attack",
1263
+ "name": "Side-Channel Attack",
1264
+ "type": "subcategory",
1265
+ "children": [
1266
+ {
1267
+ "id": "differential_fault_analysis",
1268
+ "name": "Differential Fault Analysis",
1269
+ "type": "variant",
1270
+ "priority": null
1271
+ },
1272
+ {
1273
+ "id": "emanations_attack",
1274
+ "name": "Emanations Attack",
1275
+ "type": "variant",
1276
+ "priority": 5
1277
+ },
1278
+ {
1279
+ "id": "padding_oracle_attack",
1280
+ "name": "Padding Oracle Attack",
1281
+ "type": "variant",
1282
+ "priority": 4
1283
+ },
1284
+ {
1285
+ "id": "power_analysis_attack",
1286
+ "name": "Power Analysis Attack",
1287
+ "type": "variant",
1288
+ "priority": 5
1289
+ },
1290
+ {
1291
+ "id": "timing_attack",
1292
+ "name": "Timing Attack",
1293
+ "type": "variant",
1294
+ "priority": 4
1295
+ }
1296
+ ]
1297
+ },
1298
+ {
1299
+ "id": "use_of_expired_cryptographic_key_or_cert",
1300
+ "name": "Use of Expired Cryptographic Key (or Certificate)",
1301
+ "type": "subcategory",
1302
+ "priority": 4
1303
+ },
1304
+ {
1305
+ "id": "weak_hash",
1306
+ "name": "Weak Hash",
1307
+ "type": "subcategory",
1308
+ "children": [
1309
+ {
1310
+ "id": "lack_of_salt",
1311
+ "name": "Lack of Salt",
1312
+ "type": "variant",
1313
+ "priority": null
1314
+ },
1315
+ {
1316
+ "id": "predictable_hash_collision",
1317
+ "name": "Predictable Hash Collision",
1318
+ "type": "variant",
1319
+ "priority": null
1320
+ },
1321
+ {
1322
+ "id": "use_of_predictable_salt",
1323
+ "name": "Use of Predictable Salt",
1324
+ "type": "variant",
1325
+ "priority": 5
1326
+ }
1327
+ ]
1328
+ }
1329
+ ]
1330
+ },
1331
+ {
1332
+ "id": "data_biases",
1333
+ "name": "Data Biases",
1334
+ "type": "category",
1335
+ "children": [
1336
+ {
1337
+ "id": "pre_existing_bias",
1338
+ "name": "Pre-existing Bias",
1339
+ "type": "subcategory",
1340
+ "priority": null
1341
+ },
1342
+ {
1343
+ "id": "representation_bias",
1344
+ "name": "Representation Bias",
1345
+ "type": "subcategory",
1346
+ "priority": null
1347
+ }
1348
+ ]
1349
+ },
1350
+ {
1351
+ "id": "decentralized_application_misconfiguration",
1352
+ "name": "Decentralized Application Misconfiguration",
1353
+ "type": "category",
1354
+ "children": [
1355
+ {
1356
+ "id": "defi_security",
1357
+ "name": "DeFi Security",
1358
+ "type": "subcategory",
1359
+ "children": [
1360
+ {
1361
+ "id": "flash_loan_attack",
1362
+ "name": "Flash Loan Attack",
1363
+ "type": "variant",
1364
+ "priority": null
1365
+ },
1366
+ {
1367
+ "id": "function_level_accounting_error",
1368
+ "name": "Function-Level Accounting Error",
1369
+ "type": "variant",
1370
+ "priority": null
1371
+ },
1372
+ {
1373
+ "id": "improper_implementation_of_governance",
1374
+ "name": "Improper Implementation of Governance",
1375
+ "type": "variant",
1376
+ "priority": null
1377
+ },
1378
+ {
1379
+ "id": "pricing_oracle_manipulation",
1380
+ "name": "Pricing Oracle Manipulation",
1381
+ "type": "variant",
1382
+ "priority": null
1383
+ }
1384
+ ]
1385
+ },
1386
+ {
1387
+ "id": "improper_authorization",
1388
+ "name": "Improper Authorization",
1389
+ "type": "subcategory",
1390
+ "children": [
1391
+ {
1392
+ "id": "insufficient_signature_validation",
1393
+ "name": "Insufficient Signature Validation",
1394
+ "type": "variant",
1395
+ "priority": null
1396
+ }
1397
+ ]
1398
+ },
1399
+ {
1400
+ "id": "insecure_data_storage",
1401
+ "name": "Insecure Data Storage",
1402
+ "type": "subcategory",
1403
+ "children": [
1404
+ {
1405
+ "id": "plaintext_private_key",
1406
+ "name": "Plaintext Private Key",
1407
+ "type": "variant",
1408
+ "priority": 1
1409
+ },
1410
+ {
1411
+ "id": "sensitive_information_exposure",
1412
+ "name": "Sensitive Information Exposure",
1413
+ "type": "variant",
1414
+ "priority": null
1415
+ }
1416
+ ]
1417
+ },
1418
+ {
1419
+ "id": "marketplace_security",
1420
+ "name": "Marketplace Security",
1421
+ "type": "subcategory",
1422
+ "children": [
1423
+ {
1424
+ "id": "denial_of_service",
1425
+ "name": "Denial of Service",
1426
+ "type": "variant",
1427
+ "priority": null
1428
+ },
1429
+ {
1430
+ "id": "improper_validation_and_checks_for_deposits_and_withdrawals",
1431
+ "name": "Improper Validation and Checks For Deposits and Withdrawals",
1432
+ "type": "variant",
1433
+ "priority": null
1434
+ },
1435
+ {
1436
+ "id": "malicious_order_offer",
1437
+ "name": "Malicious Order Offer",
1438
+ "type": "variant",
1439
+ "priority": 2
1440
+ },
1441
+ {
1442
+ "id": "miscalculated_accounting_logic",
1443
+ "name": "Miscalculated Accounting Logic",
1444
+ "type": "variant",
1445
+ "priority": null
1446
+ },
1447
+ {
1448
+ "id": "ofac_bypass",
1449
+ "name": "OFAC Bypass",
1450
+ "type": "variant",
1451
+ "priority": 3
1452
+ },
1453
+ {
1454
+ "id": "orderbook_manipulation",
1455
+ "name": "Orderbook Manipulation",
1456
+ "type": "variant",
1457
+ "priority": 1
1458
+ },
1459
+ {
1460
+ "id": "price_or_fee_manipulation",
1461
+ "name": "Price or Fee Manipulation",
1462
+ "type": "variant",
1463
+ "priority": 2
1464
+ },
1465
+ {
1466
+ "id": "signer_account_takeover",
1467
+ "name": "Signer Account Takeover",
1468
+ "type": "variant",
1469
+ "priority": 1
1470
+ },
1471
+ {
1472
+ "id": "unauthorized_asset_transfer",
1473
+ "name": "Unauthorized Asset Transfer",
1474
+ "type": "variant",
1475
+ "priority": 1
1476
+ }
1477
+ ]
1478
+ },
1479
+ {
1480
+ "id": "protocol_security_misconfiguration",
1481
+ "name": "Protocol Security Misconfiguration",
1482
+ "type": "subcategory",
1483
+ "children": [
1484
+ {
1485
+ "id": "node_level_denial_of_service",
1486
+ "name": "Node-level Denial of Service",
1487
+ "type": "variant",
1488
+ "priority": 1
1489
+ }
1490
+ ]
1491
+ }
1492
+ ]
1493
+ },
1494
+ {
1495
+ "id": "developer_biases",
1496
+ "name": "Developer Biases",
1497
+ "type": "category",
1498
+ "children": [
1499
+ {
1500
+ "id": "implicit_bias",
1501
+ "name": "Implicit Bias",
1502
+ "type": "subcategory",
1503
+ "priority": null
1504
+ }
1505
+ ]
1506
+ },
1507
+ {
1508
+ "id": "external_behavior",
1509
+ "name": "External Behavior",
1510
+ "type": "category",
1511
+ "children": [
1512
+ {
1513
+ "id": "browser_feature",
1514
+ "name": "Browser Feature",
1515
+ "type": "subcategory",
1516
+ "children": [
1517
+ {
1518
+ "id": "aggressive_offline_caching",
1519
+ "name": "Aggressive Offline Caching",
1520
+ "type": "variant",
1521
+ "priority": 5
1522
+ },
1523
+ {
1524
+ "id": "autocomplete_enabled",
1525
+ "name": "Autocomplete Enabled",
1526
+ "type": "variant",
1527
+ "priority": 5
1528
+ },
1529
+ {
1530
+ "id": "autocorrect_enabled",
1531
+ "name": "Autocorrect Enabled",
1532
+ "type": "variant",
1533
+ "priority": 5
1534
+ },
1535
+ {
1536
+ "id": "plaintext_password_field",
1537
+ "name": "Plaintext Password Field",
1538
+ "type": "variant",
1539
+ "priority": 5
1540
+ },
1541
+ {
1542
+ "id": "save_password",
1543
+ "name": "Save Password",
1544
+ "type": "variant",
1545
+ "priority": 5
1546
+ }
1547
+ ]
1548
+ },
1549
+ {
1550
+ "id": "captcha_bypass",
1551
+ "name": "Captcha Bypass",
1552
+ "type": "subcategory",
1553
+ "children": [
1554
+ {
1555
+ "id": "crowdsourcing",
1556
+ "name": "Crowdsourcing",
1557
+ "type": "variant",
1558
+ "priority": 5
1559
+ }
1560
+ ]
1561
+ },
1562
+ {
1563
+ "id": "csv_injection",
1564
+ "name": "CSV Injection",
1565
+ "type": "subcategory",
1566
+ "priority": 5
1567
+ },
1568
+ {
1569
+ "id": "system_clipboard_leak",
1570
+ "name": "System Clipboard Leak",
1571
+ "type": "subcategory",
1572
+ "children": [
1573
+ {
1574
+ "id": "shared_links",
1575
+ "name": "Shared Links",
1576
+ "type": "variant",
1577
+ "priority": 5
1578
+ }
1579
+ ]
1580
+ },
1581
+ {
1582
+ "id": "user_password_persisted_in_memory",
1583
+ "name": "User Password Persisted in Memory",
1584
+ "type": "subcategory",
1585
+ "priority": 5
1586
+ }
1587
+ ]
1588
+ },
1589
+ {
1590
+ "id": "indicators_of_compromise",
1591
+ "name": "Indicators of Compromise",
1592
+ "type": "category",
1593
+ "priority": null
1594
+ },
1595
+ {
1596
+ "id": "insecure_data_storage",
1597
+ "name": "Insecure Data Storage",
1598
+ "type": "category",
1599
+ "children": [
1600
+ {
1601
+ "id": "non_sensitive_application_data_stored_unencrypted",
1602
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1603
+ "type": "subcategory",
1604
+ "priority": 5
1605
+ },
1606
+ {
1607
+ "id": "screen_caching_enabled",
1608
+ "name": "Screen Caching Enabled",
1609
+ "type": "subcategory",
1610
+ "priority": 5
1611
+ },
1612
+ {
1613
+ "id": "sensitive_application_data_stored_unencrypted",
1614
+ "name": "Sensitive Application Data Stored Unencrypted",
1615
+ "type": "subcategory",
1616
+ "children": [
1617
+ {
1618
+ "id": "on_external_storage",
1619
+ "name": "On External Storage",
1620
+ "type": "variant",
1621
+ "priority": 4
1622
+ },
1623
+ {
1624
+ "id": "on_internal_storage",
1625
+ "name": "On Internal Storage",
1626
+ "type": "variant",
1627
+ "priority": 5
1628
+ }
1629
+ ]
1630
+ },
1631
+ {
1632
+ "id": "server_side_credentials_storage",
1633
+ "name": "Server-Side Credentials Storage",
1634
+ "type": "subcategory",
1635
+ "children": [
1636
+ {
1637
+ "id": "plaintext",
1638
+ "name": "Plaintext",
1639
+ "type": "variant",
1640
+ "priority": 4
1641
+ }
1642
+ ]
1643
+ }
1644
+ ]
1645
+ },
1646
+ {
1647
+ "id": "insecure_data_transport",
1648
+ "name": "Insecure Data Transport",
1649
+ "type": "category",
1650
+ "children": [
1651
+ {
1652
+ "id": "cleartext_transmission_of_sensitive_data",
1653
+ "name": "Cleartext Transmission of Sensitive Data",
1654
+ "type": "subcategory",
1655
+ "priority": null
1656
+ },
1657
+ {
1658
+ "id": "executable_download",
1659
+ "name": "Executable Download",
1660
+ "type": "subcategory",
1661
+ "children": [
1662
+ {
1663
+ "id": "no_secure_integrity_check",
1664
+ "name": "No Secure Integrity Check",
1665
+ "type": "variant",
1666
+ "priority": 4
1667
+ },
1668
+ {
1669
+ "id": "secure_integrity_check",
1670
+ "name": "Secure Integrity Check",
1671
+ "type": "variant",
1672
+ "priority": 5
1673
+ }
1674
+ ]
1675
+ }
1676
+ ]
1677
+ },
1678
+ {
1679
+ "id": "insecure_os_firmware",
1680
+ "name": "Insecure OS/Firmware",
1681
+ "type": "category",
1682
+ "children": [
1683
+ {
1684
+ "id": "command_injection",
1685
+ "name": "Command Injection",
1686
+ "type": "subcategory",
1687
+ "priority": 1
1688
+ },
1689
+ {
1690
+ "id": "data_not_encrypted_at_rest",
1691
+ "name": "Data not encrypted at rest",
1692
+ "type": "subcategory",
1693
+ "children": [
1694
+ {
1695
+ "id": "non_sensitive",
1696
+ "name": "Non sensitive",
1697
+ "type": "variant",
1698
+ "priority": 5
1699
+ },
1700
+ {
1701
+ "id": "sensitive",
1702
+ "name": "Sensitive",
1703
+ "type": "variant",
1704
+ "priority": null
1705
+ }
1706
+ ]
1707
+ },
1708
+ {
1709
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
1710
+ "name": "Failure to Remove Sensitive Artifacts from Disk",
1711
+ "type": "subcategory",
1712
+ "priority": null
1713
+ },
1714
+ {
1715
+ "id": "hardcoded_password",
1716
+ "name": "Hardcoded Password",
1717
+ "type": "subcategory",
1718
+ "children": [
1719
+ {
1720
+ "id": "non_privileged_user",
1721
+ "name": "Non-Privileged User",
1722
+ "type": "variant",
1723
+ "priority": 2
1724
+ },
1725
+ {
1726
+ "id": "privileged_user",
1727
+ "name": "Privileged User",
1728
+ "type": "variant",
1729
+ "priority": 1
1730
+ }
1731
+ ]
1732
+ },
1733
+ {
1734
+ "id": "kiosk_escape_or_breakout",
1735
+ "name": "Kiosk Escape or Breakout",
1736
+ "type": "subcategory",
1737
+ "priority": null
1738
+ },
1739
+ {
1740
+ "id": "local_administrator_on_default_environment",
1741
+ "name": "Local Administrator on default environment",
1742
+ "type": "subcategory",
1743
+ "priority": 2
1744
+ },
1745
+ {
1746
+ "id": "over_permissioned_credentials_on_storage",
1747
+ "name": "Over-Permissioned Credentials on Storage",
1748
+ "type": "subcategory",
1749
+ "priority": 2
1750
+ },
1751
+ {
1752
+ "id": "poorly_configured_disk_encryption",
1753
+ "name": "Poorly Configured Disk Encryption",
1754
+ "type": "subcategory",
1755
+ "priority": null
1756
+ },
1757
+ {
1758
+ "id": "poorly_configured_operating_system_security",
1759
+ "name": "Poorly Configured Operating System Security",
1760
+ "type": "subcategory",
1761
+ "priority": null
1762
+ },
1763
+ {
1764
+ "id": "recovery_of_disk_contains_sensitive_material",
1765
+ "name": "Recovery of Disk Contains Sensitive Material",
1766
+ "type": "subcategory",
1767
+ "priority": null
1768
+ },
1769
+ {
1770
+ "id": "shared_credentials_on_storage",
1771
+ "name": "Shared Credentials on Storage",
1772
+ "type": "subcategory",
1773
+ "priority": 3
1774
+ },
1775
+ {
1776
+ "id": "weakness_in_firmware_updates",
1777
+ "name": "Weakness in Firmware Updates",
1778
+ "type": "subcategory",
1779
+ "children": [
1780
+ {
1781
+ "id": "firmware_cannot_be_updated",
1782
+ "name": "Firmware cannot be updated",
1783
+ "type": "variant",
1784
+ "priority": null
1785
+ },
1786
+ {
1787
+ "id": "firmware_does_not_validate_update_integrity",
1788
+ "name": "Firmware does not validate update integrity",
1789
+ "type": "variant",
1790
+ "priority": 3
1791
+ },
1792
+ {
1793
+ "id": "firmware_is_not_encrypted",
1794
+ "name": "Firmware is not encrypted",
1795
+ "type": "variant",
1796
+ "priority": 5
1797
+ }
1798
+ ]
1799
+ }
1800
+ ]
1801
+ },
1802
+ {
1803
+ "id": "insufficient_security_configurability",
1804
+ "name": "Insufficient Security Configurability",
1805
+ "type": "category",
1806
+ "children": [
1807
+ {
1808
+ "id": "lack_of_notification_email",
1809
+ "name": "Lack of Notification Email",
1810
+ "type": "subcategory",
1811
+ "priority": 5
1812
+ },
1813
+ {
1814
+ "id": "no_password_policy",
1815
+ "name": "No Password Policy",
1816
+ "type": "subcategory",
1817
+ "priority": 4
1818
+ },
1819
+ {
1820
+ "id": "password_policy_bypass",
1821
+ "name": "Password Policy Bypass",
1822
+ "type": "subcategory",
1823
+ "priority": 5
1824
+ },
1825
+ {
1826
+ "id": "verification_of_contact_method_not_required",
1827
+ "name": "Verification of Contact Method not Required",
1828
+ "type": "subcategory",
1829
+ "priority": 5
1830
+ },
1831
+ {
1832
+ "id": "weak_password_policy",
1833
+ "name": "Weak Password Policy",
1834
+ "type": "subcategory",
1835
+ "priority": 5
1836
+ },
1837
+ {
1838
+ "id": "weak_password_reset_implementation",
1839
+ "name": "Weak Password Reset Implementation",
1840
+ "type": "subcategory",
1841
+ "children": [
1842
+ {
1843
+ "id": "token_has_long_timed_expiry",
1844
+ "name": "Token Has Long Timed Expiry",
1845
+ "type": "variant",
1846
+ "priority": 5
1847
+ },
1848
+ {
1849
+ "id": "token_is_not_invalidated_after_email_change",
1850
+ "name": "Token is Not Invalidated After Email Change",
1851
+ "type": "variant",
1852
+ "priority": 5
1853
+ },
1854
+ {
1855
+ "id": "token_is_not_invalidated_after_login",
1856
+ "name": "Token is Not Invalidated After Login",
1857
+ "type": "variant",
1858
+ "priority": 5
1859
+ },
1860
+ {
1861
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1862
+ "name": "Token is Not Invalidated After New Token is Requested",
1863
+ "type": "variant",
1864
+ "priority": 5
1865
+ },
1866
+ {
1867
+ "id": "token_is_not_invalidated_after_password_change",
1868
+ "name": "Token is Not Invalidated After Password Change",
1869
+ "type": "variant",
1870
+ "priority": 5
1871
+ },
1872
+ {
1873
+ "id": "token_is_not_invalidated_after_use",
1874
+ "name": "Token is Not Invalidated After Use",
1875
+ "type": "variant",
1876
+ "priority": 4
1877
+ }
1878
+ ]
1879
+ },
1880
+ {
1881
+ "id": "weak_registration_implementation",
1882
+ "name": "Weak Registration Implementation",
1883
+ "type": "subcategory",
1884
+ "children": [
1885
+ {
1886
+ "id": "allows_disposable_email_addresses",
1887
+ "name": "Allows Disposable Email Addresses",
1888
+ "type": "variant",
1889
+ "priority": 5
1890
+ }
1891
+ ]
1892
+ },
1893
+ {
1894
+ "id": "weak_two_fa_implementation",
1895
+ "name": "Weak 2FA Implementation",
1896
+ "type": "subcategory",
1897
+ "children": [
1898
+ {
1899
+ "id": "missing_failsafe",
1900
+ "name": "Missing Failsafe",
1901
+ "type": "variant",
1902
+ "priority": 5
1903
+ },
1904
+ {
1905
+ "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
1906
+ "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
1907
+ "type": "variant",
1908
+ "priority": 5
1909
+ },
1910
+ {
1911
+ "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
1912
+ "name": "2FA Code is Not Updated After New Code is Requested",
1913
+ "type": "variant",
1914
+ "priority": 5
1915
+ },
1916
+ {
1917
+ "id": "two_fa_secret_cannot_be_rotated",
1918
+ "name": "2FA Secret Cannot be Rotated",
1919
+ "type": "variant",
1920
+ "priority": 4
1921
+ },
1922
+ {
1923
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
1924
+ "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
1925
+ "type": "variant",
1926
+ "priority": 4
1927
+ }
1928
+ ]
1929
+ },
1930
+ {
1931
+ "id": "no_two_fa_implementation",
1932
+ "name": "No 2FA Implementation",
1933
+ "type": "subcategory",
1934
+ "priority": 5
1935
+ },
1936
+ {
1937
+ "id": "no_account_lockout",
1938
+ "name": "No Account Lockout",
1939
+ "type": "subcategory",
1940
+ "priority": 5
1941
+ },
1942
+ {
1943
+ "id": "weak_jwt_hashing_algorithm",
1944
+ "name": "Weak JSON Web Token (JWT) Hashing Algorithm",
1945
+ "type": "subcategory",
1946
+ "priority": 5
1947
+ }
1948
+ ]
1949
+ },
1950
+ {
1951
+ "id": "lack_of_binary_hardening",
1952
+ "name": "Lack of Binary Hardening",
1953
+ "type": "category",
1954
+ "children": [
1955
+ {
1956
+ "id": "lack_of_exploit_mitigations",
1957
+ "name": "Lack of Exploit Mitigations",
1958
+ "type": "subcategory",
1959
+ "priority": 5
1960
+ },
1961
+ {
1962
+ "id": "lack_of_jailbreak_detection",
1963
+ "name": "Lack of Jailbreak Detection",
1964
+ "type": "subcategory",
1965
+ "priority": 5
1966
+ },
1967
+ {
1968
+ "id": "lack_of_obfuscation",
1969
+ "name": "Lack of Obfuscation",
1970
+ "type": "subcategory",
1971
+ "priority": 5
1972
+ },
1973
+ {
1974
+ "id": "runtime_instrumentation_based",
1975
+ "name": "Runtime Instrumentation-Based",
1976
+ "type": "subcategory",
1977
+ "priority": 5
1978
+ }
1979
+ ]
1980
+ },
1981
+ {
1982
+ "id": "misinterpretation_biases",
1983
+ "name": "Misinterpretation Biases",
1984
+ "type": "category",
1985
+ "children": [
1986
+ {
1987
+ "id": "context_ignorance",
1988
+ "name": "Context Ignorance",
1989
+ "type": "subcategory",
1990
+ "priority": null
1991
+ }
1992
+ ]
1993
+ },
1994
+ {
1995
+ "id": "mobile_security_misconfiguration",
1996
+ "name": "Mobile Security Misconfiguration",
1997
+ "type": "category",
1998
+ "children": [
1999
+ {
2000
+ "id": "auto_backup_allowed_by_default",
2001
+ "name": "Auto Backup Allowed by Default",
2002
+ "type": "subcategory",
2003
+ "priority": 5
2004
+ },
2005
+ {
2006
+ "id": "clipboard_enabled",
2007
+ "name": "Clipboard Enabled",
2008
+ "type": "subcategory",
2009
+ "priority": 5
2010
+ },
2011
+ {
2012
+ "id": "ssl_certificate_pinning",
2013
+ "name": "SSL Certificate Pinning",
2014
+ "type": "subcategory",
2015
+ "children": [
2016
+ {
2017
+ "id": "absent",
2018
+ "name": "Absent",
2019
+ "type": "variant",
2020
+ "priority": 5
2021
+ },
2022
+ {
2023
+ "id": "defeatable",
2024
+ "name": "Defeatable",
2025
+ "type": "variant",
2026
+ "priority": 5
2027
+ }
2028
+ ]
2029
+ },
2030
+ {
2031
+ "id": "tapjacking",
2032
+ "name": "Tapjacking",
2033
+ "type": "subcategory",
2034
+ "priority": 5
2035
+ }
2036
+ ]
2037
+ },
2038
+ {
2039
+ "id": "network_security_misconfiguration",
2040
+ "name": "Network Security Misconfiguration",
2041
+ "type": "category",
2042
+ "children": [
2043
+ {
2044
+ "id": "telnet_enabled",
2045
+ "name": "Telnet Enabled",
2046
+ "type": "subcategory",
2047
+ "priority": 5
2048
+ }
2049
+ ]
2050
+ },
2051
+ {
2052
+ "id": "physical_security_issues",
2053
+ "name": "Physical Security Issues",
2054
+ "type": "category",
2055
+ "children": [
2056
+ {
2057
+ "id": "bypass_of_physical_access_control",
2058
+ "name": "Bypass of physical access control",
2059
+ "type": "subcategory",
2060
+ "priority": null
2061
+ },
2062
+ {
2063
+ "id": "weakness_in_physical_access_control",
2064
+ "name": "Weakness in physical access control",
2065
+ "type": "subcategory",
2066
+ "children": [
2067
+ {
2068
+ "id": "cloneable_key",
2069
+ "name": "Cloneable Key",
2070
+ "type": "variant",
2071
+ "priority": null
2072
+ },
2073
+ {
2074
+ "id": "commonly_keyed_system",
2075
+ "name": "Commonly Keyed System",
2076
+ "type": "variant",
2077
+ "priority": 2
2078
+ },
2079
+ {
2080
+ "id": "master_key_identification",
2081
+ "name": "Master Key Identification",
2082
+ "type": "variant",
2083
+ "priority": null
2084
+ }
2085
+ ]
2086
+ }
2087
+ ]
2088
+ },
2089
+ {
2090
+ "id": "privacy_concerns",
2091
+ "name": "Privacy Concerns",
2092
+ "type": "category",
2093
+ "children": [
2094
+ {
2095
+ "id": "unnecessary_data_collection",
2096
+ "name": "Unnecessary Data Collection",
2097
+ "type": "subcategory",
2098
+ "children": [
2099
+ {
2100
+ "id": "wifi_ssid_password",
2101
+ "name": "WiFi SSID+Password",
2102
+ "type": "variant",
2103
+ "priority": 4
2104
+ }
2105
+ ]
2106
+ }
2107
+ ]
2108
+ },
2109
+ {
2110
+ "id": "protocol_specific_misconfiguration",
2111
+ "name": "Protocol Specific Misconfiguration",
2112
+ "type": "category",
2113
+ "children": [
2114
+ {
2115
+ "id": "frontrunning_enabled_attack",
2116
+ "name": "Frontrunning-Enabled Attack",
2117
+ "type": "subcategory",
2118
+ "priority": 2
2119
+ },
2120
+ {
2121
+ "id": "improper_validation_and_finalization_logic",
2122
+ "name": "Improper Validation and Finalization Logic",
2123
+ "type": "subcategory",
2124
+ "priority": null
2125
+ },
2126
+ {
2127
+ "id": "misconfigured_staking_logic",
2128
+ "name": "Misconfigured Staking Logic",
2129
+ "type": "subcategory",
2130
+ "priority": null
2131
+ },
2132
+ {
2133
+ "id": "sandwich_enabled_attack",
2134
+ "name": "Sandwich-Enabled Attack",
2135
+ "type": "subcategory",
2136
+ "priority": 2
2137
+ }
2138
+ ]
2139
+ },
2140
+ {
2141
+ "id": "sensitive_data_exposure",
2142
+ "name": "Sensitive Data Exposure",
2143
+ "type": "category",
2144
+ "children": [
2145
+ {
2146
+ "id": "disclosure_of_known_public_information",
2147
+ "name": "Disclosure of Known Public Information",
2148
+ "type": "subcategory",
2149
+ "priority": 5
2150
+ },
2151
+ {
2152
+ "id": "disclosure_of_secrets",
2153
+ "name": "Disclosure of Secrets",
2154
+ "type": "subcategory",
2155
+ "children": [
2156
+ {
2157
+ "id": "data_traffic_spam",
2158
+ "name": "Data/Traffic Spam",
2159
+ "type": "variant",
2160
+ "priority": 5
2161
+ },
2162
+ {
2163
+ "id": "for_internal_asset",
2164
+ "name": "For Internal Asset",
2165
+ "type": "variant",
2166
+ "priority": 3
2167
+ },
2168
+ {
2169
+ "id": "for_publicly_accessible_asset",
2170
+ "name": "For Publicly Accessible Asset",
2171
+ "type": "variant",
2172
+ "priority": 1
2173
+ },
2174
+ {
2175
+ "id": "intentionally_public_sample_or_invalid",
2176
+ "name": "Intentionally Public, Sample or Invalid",
2177
+ "type": "variant",
2178
+ "priority": 5
2179
+ },
2180
+ {
2181
+ "id": "non_corporate_user",
2182
+ "name": "Non-Corporate User",
2183
+ "type": "variant",
2184
+ "priority": 5
2185
+ },
2186
+ {
2187
+ "id": "pay_per_use_abuse",
2188
+ "name": "Pay-Per-Use Abuse",
2189
+ "type": "variant",
2190
+ "priority": 4
2191
+ },
2192
+ {
2193
+ "id": "pii_leakage_exposure",
2194
+ "name": "PII Leakage/Exposure",
2195
+ "type": "variant",
2196
+ "priority": null
2197
+ },
2198
+ {
2199
+ "id": "sensitive_information_disclosed_jwt",
2200
+ "name": "Sensitive Information Disclosed in JSON Web Token (JWT)",
2201
+ "type": "variant",
2202
+ "priority": 5
2203
+ },
2204
+ {
2205
+ "id": "publicly_accessible_robots",
2206
+ "name": "Publicly accessible Robots.txt",
2207
+ "type": "variant",
2208
+ "priority": 5
2209
+ }
2210
+ ]
2211
+ },
2212
+ {
2213
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
2214
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
2215
+ "type": "subcategory",
2216
+ "children": [
2217
+ {
2218
+ "id": "automatic_user_enumeration",
2219
+ "name": "Automatic User Enumeration",
2220
+ "type": "variant",
2221
+ "priority": 3
2222
+ },
2223
+ {
2224
+ "id": "manual_user_enumeration",
2225
+ "name": "Manual User Enumeration",
2226
+ "type": "variant",
2227
+ "priority": 4
2228
+ }
2229
+ ]
2230
+ },
2231
+ {
2232
+ "id": "graphql_introspection_enabled",
2233
+ "name": "GraphQL Introspection Enabled",
2234
+ "type": "subcategory",
2235
+ "priority": 5
2236
+ },
2237
+ {
2238
+ "id": "internal_ip_disclosure",
2239
+ "name": "Internal IP Disclosure",
2240
+ "type": "subcategory",
2241
+ "priority": 5
2242
+ },
2243
+ {
2244
+ "id": "json_hijacking",
2245
+ "name": "JSON Hijacking",
2246
+ "type": "subcategory",
2247
+ "priority": 5
2248
+ },
2249
+ {
2250
+ "id": "mixed_content",
2251
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
2252
+ "type": "subcategory",
2253
+ "priority": 5
2254
+ },
2255
+ {
2256
+ "id": "non_sensitive_token_in_url",
2257
+ "name": "Non-Sensitive Token in URL",
2258
+ "type": "subcategory",
2259
+ "priority": 5
2260
+ },
2261
+ {
2262
+ "id": "sensitive_data_hardcoded",
2263
+ "name": "Sensitive Data Hardcoded",
2264
+ "type": "subcategory",
2265
+ "children": [
2266
+ {
2267
+ "id": "file_paths",
2268
+ "name": "File Paths",
2269
+ "type": "variant",
2270
+ "priority": 5
2271
+ },
2272
+ {
2273
+ "id": "oauth_secret",
2274
+ "name": "OAuth Secret",
2275
+ "type": "variant",
2276
+ "priority": 5
2277
+ }
2278
+ ]
2279
+ },
2280
+ {
2281
+ "id": "sensitive_token_in_url",
2282
+ "name": "Sensitive Token in URL",
2283
+ "type": "subcategory",
2284
+ "children": [
2285
+ {
2286
+ "id": "in_the_background",
2287
+ "name": "In the Background",
2288
+ "type": "variant",
2289
+ "priority": 5
2290
+ },
2291
+ {
2292
+ "id": "on_password_reset",
2293
+ "name": "On Password Reset",
2294
+ "type": "variant",
2295
+ "priority": 5
2296
+ },
2297
+ {
2298
+ "id": "user_facing",
2299
+ "name": "User Facing",
2300
+ "type": "variant",
2301
+ "priority": 4
2302
+ }
2303
+ ]
2304
+ },
2305
+ {
2306
+ "id": "token_leakage_via_referer",
2307
+ "name": "Token Leakage via Referer",
2308
+ "type": "subcategory",
2309
+ "children": [
2310
+ {
2311
+ "id": "over_http",
2312
+ "name": "Over HTTP",
2313
+ "type": "variant",
2314
+ "priority": 4
2315
+ },
2316
+ {
2317
+ "id": "password_reset_token",
2318
+ "name": "Password Reset Token",
2319
+ "type": "variant",
2320
+ "priority": 5
2321
+ },
2322
+ {
2323
+ "id": "trusted_third_party",
2324
+ "name": "Trusted 3rd Party",
2325
+ "type": "variant",
2326
+ "priority": 5
2327
+ },
2328
+ {
2329
+ "id": "untrusted_third_party",
2330
+ "name": "Untrusted 3rd Party",
2331
+ "type": "variant",
2332
+ "priority": 4
2333
+ }
2334
+ ]
2335
+ },
2336
+ {
2337
+ "id": "via_localstorage_sessionstorage",
2338
+ "name": "Via localStorage/sessionStorage",
2339
+ "type": "subcategory",
2340
+ "children": [
2341
+ {
2342
+ "id": "non_sensitive_token",
2343
+ "name": "Non-Sensitive Token",
2344
+ "type": "variant",
2345
+ "priority": 5
2346
+ },
2347
+ {
2348
+ "id": "sensitive_token",
2349
+ "name": "Sensitive Token",
2350
+ "type": "variant",
2351
+ "priority": 4
2352
+ }
2353
+ ]
2354
+ },
2355
+ {
2356
+ "id": "visible_detailed_error_page",
2357
+ "name": "Visible Detailed Error/Debug Page",
2358
+ "type": "subcategory",
2359
+ "children": [
2360
+ {
2361
+ "id": "descriptive_stack_trace",
2362
+ "name": "Descriptive Stack Trace",
2363
+ "type": "variant",
2364
+ "priority": 5
2365
+ },
2366
+ {
2367
+ "id": "detailed_server_configuration",
2368
+ "name": "Detailed Server Configuration",
2369
+ "type": "variant",
2370
+ "priority": 4
2371
+ },
2372
+ {
2373
+ "id": "full_path_disclosure",
2374
+ "name": "Full Path Disclosure",
2375
+ "type": "variant",
2376
+ "priority": 5
2377
+ }
2378
+ ]
2379
+ },
2380
+ {
2381
+ "id": "weak_password_reset_implementation",
2382
+ "name": "Weak Password Reset Implementation",
2383
+ "type": "subcategory",
2384
+ "children": [
2385
+ {
2386
+ "id": "password_reset_token_sent_over_http",
2387
+ "name": "Password Reset Token Sent Over HTTP",
2388
+ "type": "variant",
2389
+ "priority": 4
2390
+ },
2391
+ {
2392
+ "id": "token_leakage_via_host_header_poisoning",
2393
+ "name": "Token Leakage via Host Header Poisoning",
2394
+ "type": "variant",
2395
+ "priority": 2
2396
+ }
2397
+ ]
2398
+ },
2399
+ {
2400
+ "id": "xssi",
2401
+ "name": "Cross Site Script Inclusion (XSSI)",
2402
+ "type": "subcategory",
2403
+ "priority": null
2404
+ }
2405
+ ]
2406
+ },
2407
+ {
2408
+ "id": "server_security_misconfiguration",
2409
+ "name": "Server Security Misconfiguration",
2410
+ "type": "category",
2411
+ "children": [
2412
+ {
2413
+ "id": "bitsquatting",
2414
+ "name": "Bitsquatting",
2415
+ "type": "subcategory",
2416
+ "priority": 5
2417
+ },
2418
+ {
2419
+ "id": "cache_deception",
2420
+ "name": "Cache Deception",
2421
+ "type": "subcategory",
2422
+ "priority": null
2423
+ },
2424
+ {
2425
+ "id": "cache_poisoning",
2426
+ "name": "Cache Poisoning",
2427
+ "type": "subcategory",
2428
+ "priority": null
2429
+ },
2430
+ {
2431
+ "id": "captcha",
2432
+ "name": "CAPTCHA",
2433
+ "type": "subcategory",
2434
+ "children": [
2435
+ {
2436
+ "id": "brute_force",
2437
+ "name": "Brute Force",
2438
+ "type": "variant",
2439
+ "priority": 5
2440
+ },
2441
+ {
2442
+ "id": "implementation_vulnerability",
2443
+ "name": "Implementation Vulnerability",
2444
+ "type": "variant",
2445
+ "priority": 4
2446
+ },
2447
+ {
2448
+ "id": "missing",
2449
+ "name": "Missing",
2450
+ "type": "variant",
2451
+ "priority": 5
2452
+ }
2453
+ ]
2454
+ },
2455
+ {
2456
+ "id": "clickjacking",
2457
+ "name": "Clickjacking",
2458
+ "type": "subcategory",
2459
+ "children": [
2460
+ {
2461
+ "id": "form_input",
2462
+ "name": "Form Input",
2463
+ "type": "variant",
2464
+ "priority": 5
2465
+ },
2466
+ {
2467
+ "id": "non_sensitive_action",
2468
+ "name": "Non-Sensitive Action",
2469
+ "type": "variant",
2470
+ "priority": 5
2471
+ },
2472
+ {
2473
+ "id": "sensitive_action",
2474
+ "name": "Sensitive Click-Based Action",
2475
+ "type": "variant",
2476
+ "priority": 4
2477
+ }
2478
+ ]
2479
+ },
2480
+ {
2481
+ "id": "cookie_scoped_to_parent_domain",
2482
+ "name": "Cookie Scoped to Parent Domain",
2483
+ "type": "subcategory",
2484
+ "priority": 5
2485
+ },
2486
+ {
2487
+ "id": "dbms_misconfiguration",
2488
+ "name": "Database Management System (DBMS) Misconfiguration",
2489
+ "type": "subcategory",
2490
+ "children": [
2491
+ {
2492
+ "id": "excessively_privileged_user_dba",
2493
+ "name": "Excessively Privileged User / DBA",
2494
+ "type": "variant",
2495
+ "priority": 4
2496
+ }
2497
+ ]
2498
+ },
2499
+ {
2500
+ "id": "directory_listing_enabled",
2501
+ "name": "Directory Listing Enabled",
2502
+ "type": "subcategory",
2503
+ "children": [
2504
+ {
2505
+ "id": "non_sensitive_data_exposure",
2506
+ "name": "Non-Sensitive Data Exposure",
2507
+ "type": "variant",
2508
+ "priority": 5
2509
+ },
2510
+ {
2511
+ "id": "sensitive_data_exposure",
2512
+ "name": "Sensitive Data Exposure",
2513
+ "type": "variant",
2514
+ "priority": null
2515
+ }
2516
+ ]
2517
+ },
2518
+ {
2519
+ "id": "email_verification_bypass",
2520
+ "name": "Email Verification Bypass",
2521
+ "type": "subcategory",
2522
+ "priority": 5
2523
+ },
2524
+ {
2525
+ "id": "exposed_portal",
2526
+ "name": "Exposed Portal",
2527
+ "type": "subcategory",
2528
+ "children": [
2529
+ {
2530
+ "id": "admin_portal",
2531
+ "name": "Admin Portal",
2532
+ "type": "variant",
2533
+ "priority": 1
2534
+ },
2535
+ {
2536
+ "id": "non_admin_portal",
2537
+ "name": "Non-Admin Portal",
2538
+ "type": "variant",
2539
+ "priority": 3
2540
+ },
2541
+ {
2542
+ "id": "protected",
2543
+ "name": "Protected",
2544
+ "type": "variant",
2545
+ "priority": 5
2546
+ }
2547
+ ]
2548
+ },
2549
+ {
2550
+ "id": "fingerprinting_banner_disclosure",
2551
+ "name": "Fingerprinting/Banner Disclosure",
2552
+ "type": "subcategory",
2553
+ "priority": 5,
2554
+ "children": [
2555
+ {
2556
+ "id": "software_version_in_response_headers",
2557
+ "name": "Software Versions Disclosed in Response Headers",
2558
+ "type": "variant",
2559
+ "priority": 5
2560
+ }
2561
+ ]
2562
+ },
2563
+ {
2564
+ "id": "insecure_ssl",
2565
+ "name": "Insecure SSL",
2566
+ "type": "subcategory",
2567
+ "children": [
2568
+ {
2569
+ "id": "certificate_error",
2570
+ "name": "Certificate Error",
2571
+ "type": "variant",
2572
+ "priority": 5
2573
+ },
2574
+ {
2575
+ "id": "insecure_cipher_suite",
2576
+ "name": "Insecure Cipher Suite",
2577
+ "type": "variant",
2578
+ "priority": 5
2579
+ },
2580
+ {
2581
+ "id": "lack_of_forward_secrecy",
2582
+ "name": "Lack of Forward Secrecy",
2583
+ "type": "variant",
2584
+ "priority": 5
2585
+ }
2586
+ ]
2587
+ },
2588
+ {
2589
+ "id": "lack_of_password_confirmation",
2590
+ "name": "Lack of Password Confirmation",
2591
+ "type": "subcategory",
2592
+ "children": [
2593
+ {
2594
+ "id": "change_email_address",
2595
+ "name": "Change Email Address",
2596
+ "type": "variant",
2597
+ "priority": 5
2598
+ },
2599
+ {
2600
+ "id": "change_password",
2601
+ "name": "Change Password",
2602
+ "type": "variant",
2603
+ "priority": 5
2604
+ },
2605
+ {
2606
+ "id": "delete_account",
2607
+ "name": "Delete Account",
2608
+ "type": "variant",
2609
+ "priority": 4
2610
+ },
2611
+ {
2612
+ "id": "manage_two_fa",
2613
+ "name": "Manage 2FA",
2614
+ "type": "variant",
2615
+ "priority": 5
2616
+ }
2617
+ ]
2618
+ },
2619
+ {
2620
+ "id": "lack_of_security_headers",
2621
+ "name": "Lack of Security Headers",
2622
+ "type": "subcategory",
2623
+ "children": [
2624
+ {
2625
+ "id": "cache_control_for_a_non_sensitive_page",
2626
+ "name": "Cache-Control for a Non-Sensitive Page",
2627
+ "type": "variant",
2628
+ "priority": 5
2629
+ },
2630
+ {
2631
+ "id": "cache_control_for_a_sensitive_page",
2632
+ "name": "Cache-Control for a Sensitive Page",
2633
+ "type": "variant",
2634
+ "priority": 4
2635
+ },
2636
+ {
2637
+ "id": "content_security_policy",
2638
+ "name": "Content-Security-Policy",
2639
+ "type": "variant",
2640
+ "priority": 5
2641
+ },
2642
+ {
2643
+ "id": "content_security_policy_report_only",
2644
+ "name": "Content-Security-Policy-Report-Only",
2645
+ "type": "variant",
2646
+ "priority": 5
2647
+ },
2648
+ {
2649
+ "id": "public_key_pins",
2650
+ "name": "Public-Key-Pins",
2651
+ "type": "variant",
2652
+ "priority": 5
2653
+ },
2654
+ {
2655
+ "id": "strict_transport_security",
2656
+ "name": "Strict-Transport-Security",
2657
+ "type": "variant",
2658
+ "priority": 5
2659
+ },
2660
+ {
2661
+ "id": "x_content_security_policy",
2662
+ "name": "X-Content-Security-Policy",
2663
+ "type": "variant",
2664
+ "priority": 5
2665
+ },
2666
+ {
2667
+ "id": "x_content_type_options",
2668
+ "name": "X-Content-Type-Options",
2669
+ "type": "variant",
2670
+ "priority": 5
2671
+ },
2672
+ {
2673
+ "id": "x_frame_options",
2674
+ "name": "X-Frame-Options",
2675
+ "type": "variant",
2676
+ "priority": 5
2677
+ },
2678
+ {
2679
+ "id": "x_webkit_csp",
2680
+ "name": "X-Webkit-CSP",
2681
+ "type": "variant",
2682
+ "priority": 5
2683
+ },
2684
+ {
2685
+ "id": "x_xss_protection",
2686
+ "name": "X-XSS-Protection",
2687
+ "type": "variant",
2688
+ "priority": 5
2689
+ }
2690
+ ]
2691
+ },
2692
+ {
2693
+ "id": "mail_server_misconfiguration",
2694
+ "name": "Mail Server Misconfiguration",
2695
+ "type": "subcategory",
2696
+ "children": [
2697
+ {
2698
+ "id": "email_spoofing_on_non_email_domain",
2699
+ "name": "Email Spoofing on Non-Email Domain",
2700
+ "type": "variant",
2701
+ "priority": 5
2702
+ },
2703
+ {
2704
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
2705
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
2706
+ "type": "variant",
2707
+ "priority": 4
2708
+ },
2709
+ {
2710
+ "id": "email_spoofing_to_spam_folder",
2711
+ "name": "Email Spoofing to Spam Folder",
2712
+ "type": "variant",
2713
+ "priority": 5
2714
+ },
2715
+ {
2716
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
2717
+ "name": "Missing or Misconfigured SPF and/or DKIM",
2718
+ "type": "variant",
2719
+ "priority": 5
2720
+ },
2721
+ {
2722
+ "id": "no_spoofing_protection_on_email_domain",
2723
+ "name": "No Spoofing Protection on Email Domain",
2724
+ "type": "variant",
2725
+ "priority": 3
2726
+ }
2727
+ ]
2728
+ },
2729
+ {
2730
+ "id": "misconfigured_dns",
2731
+ "name": "Misconfigured DNS",
2732
+ "type": "subcategory",
2733
+ "children": [
2734
+ {
2735
+ "id": "missing_caa_record",
2736
+ "name": "Missing Certification Authority Authorization (CAA) Record",
2737
+ "type": "variant",
2738
+ "priority": 5
2739
+ },
2740
+ {
2741
+ "id": "subdomain_takeover",
2742
+ "name": "Subdomain Takeover",
2743
+ "type": "variant",
2744
+ "priority": 3
2745
+ },
2746
+ {
2747
+ "id": "zone_transfer",
2748
+ "name": "Zone Transfer",
2749
+ "type": "variant",
2750
+ "priority": 4
2751
+ }
2752
+ ]
2753
+ },
2754
+ {
2755
+ "id": "missing_dnssec",
2756
+ "name": "Missing DNSSEC",
2757
+ "type": "subcategory",
2758
+ "priority": 5
2759
+ },
2760
+ {
2761
+ "id": "missing_secure_or_httponly_cookie_flag",
2762
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
2763
+ "type": "subcategory",
2764
+ "children": [
2765
+ {
2766
+ "id": "non_session_cookie",
2767
+ "name": "Non-Session Cookie",
2768
+ "type": "variant",
2769
+ "priority": 5
2770
+ },
2771
+ {
2772
+ "id": "session_token",
2773
+ "name": "Session Token",
2774
+ "type": "variant",
2775
+ "priority": 4
2776
+ }
2777
+ ]
2778
+ },
2779
+ {
2780
+ "id": "missing_subresource_integrity",
2781
+ "name": "Missing Subresource Integrity",
2782
+ "type": "subcategory",
2783
+ "priority": 5
2784
+ },
2785
+ {
2786
+ "id": "no_rate_limiting_on_form",
2787
+ "name": "No Rate Limiting on Form",
2788
+ "type": "subcategory",
2789
+ "children": [
2790
+ {
2791
+ "id": "change_password",
2792
+ "name": "Change Password",
2793
+ "type": "variant",
2794
+ "priority": 5
2795
+ },
2796
+ {
2797
+ "id": "email_triggering",
2798
+ "name": "Email-Triggering",
2799
+ "type": "variant",
2800
+ "priority": 4
2801
+ },
2802
+ {
2803
+ "id": "login",
2804
+ "name": "Login",
2805
+ "type": "variant",
2806
+ "priority": 4
2807
+ },
2808
+ {
2809
+ "id": "registration",
2810
+ "name": "Registration",
2811
+ "type": "variant",
2812
+ "priority": 4
2813
+ },
2814
+ {
2815
+ "id": "sms_triggering",
2816
+ "name": "SMS-Triggering",
2817
+ "type": "variant",
2818
+ "priority": 4
2819
+ }
2820
+ ]
2821
+ },
2822
+ {
2823
+ "id": "oauth_misconfiguration",
2824
+ "name": "OAuth Misconfiguration",
2825
+ "type": "subcategory",
2826
+ "children": [
2827
+ {
2828
+ "id": "account_squatting",
2829
+ "name": "Account Squatting",
2830
+ "type": "variant",
2831
+ "priority": 4
2832
+ },
2833
+ {
2834
+ "id": "account_takeover",
2835
+ "name": "Account Takeover",
2836
+ "type": "variant",
2837
+ "priority": 2
2838
+ },
2839
+ {
2840
+ "id": "insecure_redirect_uri",
2841
+ "name": "Insecure Redirect URI",
2842
+ "type": "variant",
2843
+ "priority": null
2844
+ },
2845
+ {
2846
+ "id": "missing_state_parameter",
2847
+ "name": "Missing/Broken State Parameter",
2848
+ "type": "variant",
2849
+ "priority": null
2850
+ }
2851
+ ]
2852
+ },
2853
+ {
2854
+ "id": "path_traversal",
2855
+ "name": "Path Traversal",
2856
+ "type": "subcategory",
2857
+ "priority": null
2858
+ },
2859
+ {
2860
+ "id": "potentially_unsafe_http_method_enabled",
2861
+ "name": "Potentially Unsafe HTTP Method Enabled",
2862
+ "type": "subcategory",
2863
+ "children": [
2864
+ {
2865
+ "id": "options",
2866
+ "name": "OPTIONS",
2867
+ "type": "variant",
2868
+ "priority": 5
2869
+ },
2870
+ {
2871
+ "id": "trace",
2872
+ "name": "TRACE",
2873
+ "type": "variant",
2874
+ "priority": 5
2875
+ }
2876
+ ]
2877
+ },
2878
+ {
2879
+ "id": "race_condition",
2880
+ "name": "Race Condition",
2881
+ "type": "subcategory",
2882
+ "priority": null
2883
+ },
2884
+ {
2885
+ "id": "request_smuggling",
2886
+ "name": "HTTP Request Smuggling",
2887
+ "type": "subcategory",
2888
+ "priority": null
2889
+ },
2890
+ {
2891
+ "id": "rfd",
2892
+ "name": "Reflected File Download (RFD)",
2893
+ "type": "subcategory",
2894
+ "priority": 5
2895
+ },
2896
+ {
2897
+ "id": "same_site_scripting",
2898
+ "name": "Same-Site Scripting",
2899
+ "type": "subcategory",
2900
+ "priority": 5
2901
+ },
2902
+ {
2903
+ "id": "server_side_request_forgery_ssrf",
2904
+ "name": "Server-Side Request Forgery (SSRF)",
2905
+ "type": "subcategory",
2906
+ "children": [
2907
+ {
2908
+ "id": "external_dns_query_only",
2909
+ "name": "External - DNS Query Only",
2910
+ "type": "variant",
2911
+ "priority": 5
2912
+ },
2913
+ {
2914
+ "id": "external_low_impact",
2915
+ "name": "External - Low impact",
2916
+ "type": "variant",
2917
+ "priority": 5
2918
+ },
2919
+ {
2920
+ "id": "internal_secrets_exposure",
2921
+ "name": "Internal Secrets Exposure",
2922
+ "type": "variant",
2923
+ "priority": 2
2924
+ },
2925
+ {
2926
+ "id": "internal_data_exposure",
2927
+ "name": "Internal Data Exposure",
2928
+ "type": "variant",
2929
+ "priority": 3
2930
+ },
2931
+ {
2932
+ "id": "internal_port_service_scan",
2933
+ "name": "Internal Port Service Scan",
2934
+ "type": "variant",
2935
+ "priority": 3
2936
+ },
2937
+ {
2938
+ "id": "internal_exposure_presence_data_secrets",
2939
+ "name": "Internal Exposure of the Presence of Data/Secrets",
2940
+ "type": "variant",
2941
+ "priority": 4
2942
+ },
2943
+ {
2944
+ "id": "internal_port_scan_only",
2945
+ "name": "Internal Port Scan Only",
2946
+ "type": "variant",
2947
+ "priority": 4
2948
+ }
2949
+ ]
2950
+ },
2951
+ {
2952
+ "id": "software_package_takeover",
2953
+ "name": "Software Package Takeover",
2954
+ "type": "subcategory",
2955
+ "priority": null
2956
+ },
2957
+ {
2958
+ "id": "ssl_attack_breach_poodle_etc",
2959
+ "name": "SSL Attack (BREACH, POODLE etc.)",
2960
+ "type": "subcategory",
2961
+ "priority": null
2962
+ },
2963
+ {
2964
+ "id": "unsafe_cross_origin_resource_sharing",
2965
+ "name": "Unsafe Cross-Origin Resource Sharing",
2966
+ "type": "subcategory",
2967
+ "priority": null
2968
+ },
2969
+ {
2970
+ "id": "unsafe_file_upload",
2971
+ "name": "Unsafe File Upload",
2972
+ "type": "subcategory",
2973
+ "children": [
2974
+ {
2975
+ "id": "file_extension_filter_bypass",
2976
+ "name": "File Extension Filter Bypass",
2977
+ "type": "variant",
2978
+ "priority": 5
2979
+ },
2980
+ {
2981
+ "id": "no_antivirus",
2982
+ "name": "No Antivirus",
2983
+ "type": "variant",
2984
+ "priority": 5
2985
+ },
2986
+ {
2987
+ "id": "no_size_limit",
2988
+ "name": "No Size Limit",
2989
+ "type": "variant",
2990
+ "priority": 5
2991
+ }
2992
+ ]
2993
+ },
2994
+ {
2995
+ "id": "username_enumeration",
2996
+ "name": "Username/Email Enumeration",
2997
+ "type": "subcategory",
2998
+ "children": [
2999
+ {
3000
+ "id": "brute_force",
3001
+ "name": "Brute Force",
3002
+ "type": "variant",
3003
+ "priority": 5
3004
+ }
3005
+ ]
3006
+ },
3007
+ {
3008
+ "id": "using_default_credentials",
3009
+ "name": "Using Default Credentials",
3010
+ "type": "subcategory",
3011
+ "priority": 1
3012
+ },
3013
+ {
3014
+ "id": "waf_bypass",
3015
+ "name": "Web Application Firewall (WAF) Bypass",
3016
+ "type": "subcategory",
3017
+ "children": [
3018
+ {
3019
+ "id": "direct_server_access",
3020
+ "name": "Direct Server Access",
3021
+ "type": "variant",
3022
+ "priority": 4
3023
+ }
3024
+ ]
3025
+ },
3026
+ {
3027
+ "id": "misconfigured_file_share",
3028
+ "name": "Misconfigured File Share",
3029
+ "type": "subcategory",
3030
+ "children": [
3031
+ {
3032
+ "id": "anonymous_ftp_enabled",
3033
+ "name": "Anonymous FTP Enabled",
3034
+ "type": "variant",
3035
+ "priority": null
3036
+ },
3037
+ {
3038
+ "id": "anonymous_smb_enabled",
3039
+ "name": "Anonymous SMB Enabled",
3040
+ "type": "variant",
3041
+ "priority": null
3042
+ },
3043
+ {
3044
+ "id": "non_sensitive_data_exposure_ftp_smb",
3045
+ "name": "Non-Sensitive Data Exposure via Anonymous FTP/SMB Enabled",
3046
+ "type": "variant",
3047
+ "priority": 5
3048
+ }
3049
+ ]
3050
+ },
3051
+ {
3052
+ "id": "misconfigured_security_headers",
3053
+ "name": "Misconfigured Security Headers ",
3054
+ "type": "subcategory",
3055
+ "children": [
3056
+ {
3057
+ "id": "insecure_csp",
3058
+ "name": "Insecure Content-Security-Policy",
3059
+ "type": "variant",
3060
+ "priority": 5
3061
+ }
3062
+ ]
3063
+ }
3064
+ ]
3065
+ },
3066
+ {
3067
+ "id": "server_side_injection",
3068
+ "name": "Server-Side Injection",
3069
+ "type": "category",
3070
+ "children": [
3071
+ {
3072
+ "id": "content_spoofing",
3073
+ "name": "Content Spoofing",
3074
+ "type": "subcategory",
3075
+ "children": [
3076
+ {
3077
+ "id": "email_html_injection",
3078
+ "name": "Email HTML Injection",
3079
+ "type": "variant",
3080
+ "priority": 4
3081
+ },
3082
+ {
3083
+ "id": "email_hyperlink_injection_based_on_email_provider",
3084
+ "name": "Email Hyperlink Injection Based on Email Provider",
3085
+ "type": "variant",
3086
+ "priority": 5
3087
+ },
3088
+ {
3089
+ "id": "external_authentication_injection",
3090
+ "name": "External Authentication Injection",
3091
+ "type": "variant",
3092
+ "priority": 4
3093
+ },
3094
+ {
3095
+ "id": "flash_based_external_authentication_injection",
3096
+ "name": "Flash Based External Authentication Injection",
3097
+ "type": "variant",
3098
+ "priority": 5
3099
+ },
3100
+ {
3101
+ "id": "homograph_idn_based",
3102
+ "name": "Homograph/IDN-Based",
3103
+ "type": "variant",
3104
+ "priority": 5
3105
+ },
3106
+ {
3107
+ "id": "html_content_injection",
3108
+ "name": "HTML Content Injection",
3109
+ "type": "variant",
3110
+ "priority": 5
3111
+ },
3112
+ {
3113
+ "id": "iframe_injection",
3114
+ "name": "iframe Injection",
3115
+ "type": "variant",
3116
+ "priority": 3
3117
+ },
3118
+ {
3119
+ "id": "impersonation_via_broken_link_hijacking",
3120
+ "name": "Impersonation via Broken Link Hijacking",
3121
+ "type": "variant",
3122
+ "priority": 4
3123
+ },
3124
+ {
3125
+ "id": "rtlo",
3126
+ "name": "Right-to-Left Override (RTLO)",
3127
+ "type": "variant",
3128
+ "priority": 5
3129
+ },
3130
+ {
3131
+ "id": "text_injection",
3132
+ "name": "Text Injection",
3133
+ "type": "variant",
3134
+ "priority": 5
3135
+ },
3136
+ {
3137
+ "id": "self_email_html_injection",
3138
+ "name": "Self Email HTML Injection",
3139
+ "type": "variant",
3140
+ "priority": 5
3141
+ }
3142
+ ]
3143
+ },
3144
+ {
3145
+ "id": "exposed_data",
3146
+ "name": "Exposed Data",
3147
+ "type": "subcategory",
3148
+ "children": [
3149
+ {
3150
+ "id": "non_sensitive_data",
3151
+ "name": "Non Sensitive Data",
3152
+ "type": "variant",
3153
+ "priority": 5
3154
+ },
3155
+ {
3156
+ "id": "sensitive_data",
3157
+ "name": "Sensitive Data",
3158
+ "type": "variant",
3159
+ "priority": null
3160
+ }
3161
+ ]
3162
+ },
3163
+ {
3164
+ "id": "file_inclusion",
3165
+ "name": "File Inclusion",
3166
+ "type": "subcategory",
3167
+ "children": [
3168
+ {
3169
+ "id": "local",
3170
+ "name": "Local",
3171
+ "type": "variant",
3172
+ "priority": 1
3173
+ }
3174
+ ]
3175
+ },
3176
+ {
3177
+ "id": "http_response_manipulation",
3178
+ "name": "HTTP Response Manipulation",
3179
+ "type": "subcategory",
3180
+ "children": [
3181
+ {
3182
+ "id": "response_splitting_crlf",
3183
+ "name": "Response Splitting (CRLF)",
3184
+ "type": "variant",
3185
+ "priority": 3
3186
+ }
3187
+ ]
3188
+ },
3189
+ {
3190
+ "id": "ldap_injection",
3191
+ "name": "LDAP Injection",
3192
+ "type": "subcategory",
3193
+ "priority": null
3194
+ },
3195
+ {
3196
+ "id": "parameter_pollution",
3197
+ "name": "Parameter Pollution",
3198
+ "type": "subcategory",
3199
+ "children": [
3200
+ {
3201
+ "id": "social_media_sharing_buttons",
3202
+ "name": "Social Media Sharing Buttons",
3203
+ "type": "variant",
3204
+ "priority": 5
3205
+ }
3206
+ ]
3207
+ },
3208
+ {
3209
+ "id": "remote_code_execution_rce",
3210
+ "name": "Remote Code Execution (RCE)",
3211
+ "type": "subcategory",
3212
+ "priority": 1
3213
+ },
3214
+ {
3215
+ "id": "sql_injection",
3216
+ "name": "SQL Injection",
3217
+ "type": "subcategory",
3218
+ "priority": 1
3219
+ },
3220
+ {
3221
+ "id": "ssti",
3222
+ "name": "Server-Side Template Injection (SSTI)",
3223
+ "type": "subcategory",
3224
+ "children": [
3225
+ {
3226
+ "id": "basic",
3227
+ "name": "Basic",
3228
+ "type": "variant",
3229
+ "priority": 4
3230
+ },
3231
+ {
3232
+ "id": "custom",
3233
+ "name": "Custom",
3234
+ "type": "variant",
3235
+ "priority": null
3236
+ }
3237
+ ]
3238
+ },
3239
+ {
3240
+ "id": "xml_external_entity_injection_xxe",
3241
+ "name": "XML External Entity Injection (XXE)",
3242
+ "type": "subcategory",
3243
+ "priority": 1
3244
+ }
3245
+ ]
3246
+ },
3247
+ {
3248
+ "id": "smart_contract_misconfiguration",
3249
+ "name": "Smart Contract Misconfiguration",
3250
+ "type": "category",
3251
+ "children": [
3252
+ {
3253
+ "id": "bypass_of_function_modifiers_and_checks",
3254
+ "name": "Bypass of Function Modifiers and Checks",
3255
+ "type": "subcategory",
3256
+ "priority": null
3257
+ },
3258
+ {
3259
+ "id": "function_level_denial_of_service",
3260
+ "name": "Function-level Denial of Service",
3261
+ "type": "subcategory",
3262
+ "priority": 3
3263
+ },
3264
+ {
3265
+ "id": "improper_decimals_implementation",
3266
+ "name": "Improper Decimals Implementation",
3267
+ "type": "subcategory",
3268
+ "priority": 4
3269
+ },
3270
+ {
3271
+ "id": "improper_fee_implementation",
3272
+ "name": "Improper Fee Implementation",
3273
+ "type": "subcategory",
3274
+ "priority": 3
3275
+ },
3276
+ {
3277
+ "id": "improper_use_of_modifier",
3278
+ "name": "Improper Use of Modifier",
3279
+ "type": "subcategory",
3280
+ "priority": 4
3281
+ },
3282
+ {
3283
+ "id": "inaccurate_rounding_calculation",
3284
+ "name": "Inaccurate Rounding Calculation",
3285
+ "type": "subcategory",
3286
+ "priority": null
3287
+ },
3288
+ {
3289
+ "id": "integer_overflow_underflow",
3290
+ "name": "Integer Overflow / Underflow",
3291
+ "type": "subcategory",
3292
+ "priority": 2
3293
+ },
3294
+ {
3295
+ "id": "irreversible_function_call",
3296
+ "name": "Irreversible Function Call",
3297
+ "type": "subcategory",
3298
+ "priority": 3
3299
+ },
3300
+ {
3301
+ "id": "malicious_superuser_risk",
3302
+ "name": "Malicious Superuser Risk",
3303
+ "type": "subcategory",
3304
+ "priority": 3
3305
+ },
3306
+ {
3307
+ "id": "reentrancy_attack",
3308
+ "name": "Reentrancy Attack",
3309
+ "type": "subcategory",
3310
+ "priority": 1
3311
+ },
3312
+ {
3313
+ "id": "smart_contract_owner_takeover",
3314
+ "name": "Smart Contract Owner Takeover",
3315
+ "type": "subcategory",
3316
+ "priority": 1
3317
+ },
3318
+ {
3319
+ "id": "unauthorized_smart_contract_approval",
3320
+ "name": "Unauthorized Smart Contract Approval",
3321
+ "type": "subcategory",
3322
+ "priority": 2
3323
+ },
3324
+ {
3325
+ "id": "unauthorized_transfer_of_funds",
3326
+ "name": "Unauthorized Transfer of Funds",
3327
+ "type": "subcategory",
3328
+ "priority": 1
3329
+ },
3330
+ {
3331
+ "id": "uninitialized_variables",
3332
+ "name": "Uninitialized Variables",
3333
+ "type": "subcategory",
3334
+ "priority": 1
3335
+ }
3336
+ ]
3337
+ },
3338
+ {
3339
+ "id": "societal_biases",
3340
+ "name": "Societal Biases",
3341
+ "type": "category",
3342
+ "children": [
3343
+ {
3344
+ "id": "confirmation_bias",
3345
+ "name": "Confirmation Bias",
3346
+ "type": "subcategory",
3347
+ "priority": null
3348
+ },
3349
+ {
3350
+ "id": "systemic_bias",
3351
+ "name": "Systemic Bias",
3352
+ "type": "subcategory",
3353
+ "priority": null
3354
+ }
3355
+ ]
3356
+ },
3357
+ {
3358
+ "id": "unvalidated_redirects_and_forwards",
3359
+ "name": "Unvalidated Redirects and Forwards",
3360
+ "type": "category",
3361
+ "children": [
3362
+ {
3363
+ "id": "lack_of_security_speed_bump_page",
3364
+ "name": "Lack of Security Speed Bump Page",
3365
+ "type": "subcategory",
3366
+ "priority": 5
3367
+ },
3368
+ {
3369
+ "id": "open_redirect",
3370
+ "name": "Open Redirect",
3371
+ "type": "subcategory",
3372
+ "children": [
3373
+ {
3374
+ "id": "flash_based",
3375
+ "name": "Flash-Based",
3376
+ "type": "variant",
3377
+ "priority": 5
3378
+ },
3379
+ {
3380
+ "id": "get_based",
3381
+ "name": "GET-Based",
3382
+ "type": "variant",
3383
+ "priority": 4
3384
+ },
3385
+ {
3386
+ "id": "header_based",
3387
+ "name": "Header-Based",
3388
+ "type": "variant",
3389
+ "priority": 5
3390
+ },
3391
+ {
3392
+ "id": "post_based",
3393
+ "name": "POST-Based",
3394
+ "type": "variant",
3395
+ "priority": 5
3396
+ }
3397
+ ]
3398
+ },
3399
+ {
3400
+ "id": "tabnabbing",
3401
+ "name": "Tabnabbing",
3402
+ "type": "subcategory",
3403
+ "priority": 5
3404
+ }
3405
+ ]
3406
+ },
3407
+ {
3408
+ "id": "using_components_with_known_vulnerabilities",
3409
+ "name": "Using Components with Known Vulnerabilities",
3410
+ "type": "category",
3411
+ "children": [
3412
+ {
3413
+ "id": "captcha_bypass",
3414
+ "name": "Captcha Bypass",
3415
+ "type": "subcategory",
3416
+ "children": [
3417
+ {
3418
+ "id": "ocr_optical_character_recognition",
3419
+ "name": "OCR (Optical Character Recognition)",
3420
+ "type": "variant",
3421
+ "priority": 5
3422
+ }
3423
+ ]
3424
+ },
3425
+ {
3426
+ "id": "outdated_software_version",
3427
+ "name": "Outdated Software Version",
3428
+ "type": "subcategory",
3429
+ "priority": 5
3430
+ },
3431
+ {
3432
+ "id": "rosetta_flash",
3433
+ "name": "Rosetta Flash",
3434
+ "type": "subcategory",
3435
+ "priority": 5
3436
+ },
3437
+ {
3438
+ "id": "unpatched_javascript_libraries",
3439
+ "name": "Unpatched Javascript Libraries",
3440
+ "type": "subcategory",
3441
+ "priority": 5
3442
+ }
3443
+ ]
3444
+ },
3445
+ {
3446
+ "id": "zero_knowledge_security_misconfiguration",
3447
+ "name": "Zero Knowledge Security Misconfiguration",
3448
+ "type": "category",
3449
+ "children": [
3450
+ {
3451
+ "id": "deanonymization_of_data",
3452
+ "name": "Deanonymization of Data",
3453
+ "type": "subcategory",
3454
+ "priority": 1
3455
+ },
3456
+ {
3457
+ "id": "improper_proof_validation_and_finalization_logic",
3458
+ "name": "Improper Proof Validation and Finalization Logic",
3459
+ "type": "subcategory",
3460
+ "priority": 1
3461
+ },
3462
+ {
3463
+ "id": "misconfigured_trusted_setup",
3464
+ "name": "Misconfigured Trusted Setup",
3465
+ "type": "subcategory",
3466
+ "priority": null
3467
+ },
3468
+ {
3469
+ "id": "mismatching_bit_lengths",
3470
+ "name": "Mismatching Bit Lengths",
3471
+ "type": "subcategory",
3472
+ "priority": null
3473
+ },
3474
+ {
3475
+ "id": "missing_constraint",
3476
+ "name": "Missing Constraint",
3477
+ "type": "subcategory",
3478
+ "priority": null
3479
+ },
3480
+ {
3481
+ "id": "missing_range_check",
3482
+ "name": "Missing Range Check",
3483
+ "type": "subcategory",
3484
+ "priority": null
3485
+ }
3486
+ ]
3487
+ },
3488
+ {
3489
+ "id": "active_directory",
3490
+ "name": "Active Directory (AD)",
3491
+ "type": "category",
3492
+ "children": [
3493
+ {
3494
+ "id": "sscm_abuse",
3495
+ "name": "SCCM Abuse",
3496
+ "type": "subcategory",
3497
+ "children": [
3498
+ {
3499
+ "id": "pxe_boot_media_theft",
3500
+ "name": "PXE Boot Media Theft",
3501
+ "type": "variant",
3502
+ "priority": null
3503
+ },
3504
+ {
3505
+ "id": "distribution_point_anonymous_access",
3506
+ "name": "Distribution Point Permits Anonymous Access",
3507
+ "type": "variant",
3508
+ "priority": null
3509
+ },
3510
+ {
3511
+ "id": "automatic_device_approval",
3512
+ "name": "Automatic Device Approval Enabled",
3513
+ "type": "variant",
3514
+ "priority": null
3515
+ },
3516
+ {
3517
+ "id": "ntlm_management_point_site_database",
3518
+ "name": "NTLM Relay From Management Point to Site Database",
3519
+ "type": "variant",
3520
+ "priority": null
3521
+ },
3522
+ {
3523
+ "id": "ntlm_site_server_site_systems",
3524
+ "name": "NTLM Relay From Site Server To Site Systems",
3525
+ "type": "variant",
3526
+ "priority": null
3527
+ },
3528
+ {
3529
+ "id": "ntlm_automatic_push_installation",
3530
+ "name": "NTLM Relay Via Automatic Client Push Installation",
3531
+ "type": "variant",
3532
+ "priority": null
3533
+ },
3534
+ {
3535
+ "id": "privileged_credentials_exposed",
3536
+ "name": "Privileged Credentials Exposed In Task Sequences, Collection Variables or Network Access Account",
3537
+ "type": "variant",
3538
+ "priority": null
3539
+ }
3540
+ ]
3541
+ },
3542
+ {
3543
+ "id": "kerberos_abuse",
3544
+ "name": "Kerberos Abuse",
3545
+ "type": "subcategory",
3546
+ "children": [
3547
+ {
3548
+ "id": "domain_compromise_unconstrained_delegated",
3549
+ "name": "Domain Compromise via Unconstrained Delegated",
3550
+ "type": "variant",
3551
+ "priority": 1
3552
+ },
3553
+ {
3554
+ "id": "insecure_service_account_management",
3555
+ "name": "Insecure Service Account Management (Kerberoasting)",
3556
+ "type": "variant",
3557
+ "priority": 2
3558
+ },
3559
+ {
3560
+ "id": "no_pre_authentication",
3561
+ "name": "User Does Not Require Pre-authentication (ASREPRoasting)",
3562
+ "type": "variant",
3563
+ "priority": 2
3564
+ }
3565
+ ]
3566
+ },
3567
+ {
3568
+ "id": "misconfigured_active_directory_certificate_services",
3569
+ "name": "Misconfigured Active Directory Certificate Services (ADCS)",
3570
+ "type": "subcategory",
3571
+ "priority": null
3572
+ },
3573
+ {
3574
+ "id": "configuration_weaknesses",
3575
+ "name": "Configuration Weaknesses",
3576
+ "type": "subcategory",
3577
+ "children": [
3578
+ {
3579
+ "id": "passwords_found_domain_description",
3580
+ "name": "Passwords Found within Domain User Account Description",
3581
+ "type": "variant",
3582
+ "priority": null
3583
+ },
3584
+ {
3585
+ "id": "weak_domain_password_policy",
3586
+ "name": "Weak Domain Password Policy",
3587
+ "type": "variant",
3588
+ "priority": 2
3589
+ },
3590
+ {
3591
+ "id": "shared_administrator_passwords",
3592
+ "name": "Shared Administrator Passwords",
3593
+ "type": "variant",
3594
+ "priority": 2
3595
+ },
3596
+ {
3597
+ "id": "excessive_domain_admin_membership",
3598
+ "name": "Excessive Domain Admin Membership",
3599
+ "type": "variant",
3600
+ "priority": 3
3601
+ },
3602
+ {
3603
+ "id": "dormant_enabled_user_accounts",
3604
+ "name": "Dormant / Inactive User Accounts Enabled in the Domain",
3605
+ "type": "variant",
3606
+ "priority": 3
3607
+ }
3608
+ ]
3609
+ },
3610
+ {
3611
+ "id": "sensitive_data_exposure",
3612
+ "name": "Sensitive Data Exposure",
3613
+ "type": "subcategory",
3614
+ "children": [
3615
+ {
3616
+ "id": "ldap_anonymous_bind_enabled",
3617
+ "name": "LDAP Anonymous Bind Enabled",
3618
+ "type": "variant",
3619
+ "priority": null
3620
+ },
3621
+ {
3622
+ "id": "sensitive_data_in_open_file_shares",
3623
+ "name": "Sensitive Data in Open File Shares",
3624
+ "type": "variant",
3625
+ "priority": null
3626
+ }
3627
+ ]
3628
+ },
3629
+ {
3630
+ "id": "dacl_abuse",
3631
+ "name": "DACL Abuse",
3632
+ "type": "subcategory",
3633
+ "priority": null
3634
+ }
3635
+ ]
3636
+ }
3637
+ ]
3638
+ }