vrt 0.2.1 → 0.3.0

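--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 8af6c283ebd158bea27d53b2f6273c618ab2b76c
- data.tar.gz: 5dab5e002891429a95c80fd6498982a0514ee5e4
+ metadata.gz: 86dd7c9bb2fb4b86609c3ff36d2d036916864d51
+ data.tar.gz: ebc292d316d584970d988ca899fca49356e2dcb7
  SHA512:
- metadata.gz: c3aa6b19106511df05a77382daa7ec896dc2d13d74a6f1a6a38c4cc47d1244b71b9eff14c8bbbda6aff1fa40fa5bcb376c7fce03fd1a04e3b9c5f4b51bd6bfbf
- data.tar.gz: a53a266739b11005b1e1c045cddf0135f12e976c8f397b0ef6ba451c7c5c1073252c27541e344ff00b85374215a02ca75787115d291b1536f4b0cd5341dfa595
+ metadata.gz: 2a399701130cf540472607676579f16a05d45f75a6f6293617292c9a5015c3c9439b401f7fcec3ae124879aba45d77db4077686ab2a6a736b0e07c00a5e13928
+ data.tar.gz: da8920e1a22943010aa1460b95f5224030d59df61c34126d0073c5b88d357b94db04c8e9fdb19ecaeaa03b5efd3f85afada44bf1e45808c6c743d92826929f08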
@@ -0,0 +1,77 @@
1
+ {
2
+ "poor_physical_security": {
3
+ "1.1": "other"
4
+ },
5
+ "social_engineering": {
6
+ "1.1": "other"
7
+ },
8
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
9
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
10
+ },
11
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
12
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
13
+ },
14
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
15
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
16
+ },
17
+ "broken_authentication_and_session_management.session_token_in_url.over_https": {
18
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
19
+ },
20
+ "broken_authentication_and_session_management.session_token_in_url.over_http": {
21
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
22
+ },
23
+ "broken_authentication_and_session_management.session_token_in_url": {
24
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
25
+ },
26
+ "insecure_data_transport": {
27
+ "1.2": "mobile_security_misconfiguration"
28
+ },
29
+ "insecure_data_transport.ssl_certificate_pinning": {
30
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
31
+ },
32
+ "insecure_data_transport.ssl_certificate_pinning.absent": {
33
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
34
+ },
35
+ "insecure_data_transport.ssl_certificate_pinning.defeatable": {
36
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
37
+ },
38
+ "insecure_data_storage.credentials_stored_unencrypted": {
39
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
40
+ },
41
+ "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
42
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
43
+ },
44
+ "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
45
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
46
+ },
47
+ "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
48
+ "1.2": "insufficient_security_configurability.weak_password_policy.no_password_policy"
49
+ },
50
+ "missing_function_level_access_control": {
51
+ "1.3": "broken_access_control"
52
+ },
53
+ "missing_function_level_access_control.server_side_request_forgery_ssrf": {
54
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf"
55
+ },
56
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
57
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
58
+ },
59
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
60
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
61
+ },
62
+ "missing_function_level_access_control.username_enumeration": {
63
+ "1.3": "broken_access_control.username_enumeration"
64
+ },
65
+ "missing_function_level_access_control.username_enumeration.data_leak": {
66
+ "1.3": "broken_access_control.username_enumeration.data_leak"
67
+ },
68
+ "missing_function_level_access_control.exposed_sensitive_android_intent": {
69
+ "1.3": "broken_access_control.exposed_sensitive_android_intent"
70
+ },
71
+ "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
72
+ "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
73
+ },
74
+ "insecure_direct_object_references_idor": {
75
+ "1.3": "broken_access_control.idor"
76
+ }
77
+ }
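Review bot: Several mapping targets in this file have no corresponding node in the cvss_v3 tree added in the same release — `broken_access_control.idor`, `broken_access_control.exposed_sensitive_android_intent`, `broken_access_control.exposed_sensitive_ios_url_scheme`, `broken_access_control.username_enumeration.data_leak`, `insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage`, `insufficient_security_configurability.weak_password_policy.no_password_policy` (the cvss file has `no_password_policy` directly under `insufficient_security_configurability`), and every `mobile_security_misconfiguration.ssl_certificate_pinning.*` target (that node has no children there). If the consumer resolves a deprecated id by exact match, these fall through to whatever default it applies — presumably `metadata.default`, an all-None vector scoring 0.0 — so a finding filed under an old id would be silently under-rated rather than rejected. Whether a parent-walk fallback is intended is not visible here; either way a spec that asserts every `"<version>": "<target>"` value resolves to a node in that version's taxonomy (or is `other`) would catch drift between the two files, and since strict JSON has no comment syntax the resolution rule belongs in the gem's README.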
@@ -0,0 +1,722 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "unsafe_cross_origin_resource_sharing",
11
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
12
+ },
13
+ {
14
+ "id": "path_traversal",
15
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
16
+ },
17
+ {
18
+ "id": "directory_listing_enabled",
19
+ "children": [
20
+ {
21
+ "id": "sensitive_data_exposure",
22
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
23
+ },
24
+ {
25
+ "id": "non_sensitive_data_exposure",
26
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "same_site_scripting",
32
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "ssl_attack_breach_poodle_etc",
36
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
37
+ },
38
+ {
39
+ "id": "using_default_credentials",
40
+ "children": [
41
+ {
42
+ "id": "production_server",
43
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
44
+ },
45
+ {
46
+ "id": "staging_development_server",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
48
+ }
49
+ ]
50
+ },
51
+ {
52
+ "id": "misconfigured_dns",
53
+ "children": [
54
+ {
55
+ "id": "subdomain_takeover",
56
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
57
+ },
58
+ {
59
+ "id": "zone_transfer",
60
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
61
+ },
62
+ {
63
+ "id": "missing_caa_record",
64
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
65
+ }
66
+ ]
67
+ },
68
+ {
69
+ "id": "mail_server_misconfiguration",
70
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
71
+ "children": [
72
+ {
73
+ "id": "missing_spf_on_email_domain",
74
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
75
+ },
76
+ {
77
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
78
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
79
+ }
80
+ ]
81
+ },
82
+ {
83
+ "id": "lack_of_password_confirmation",
84
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
85
+ "children": [
86
+ {
87
+ "id": "manage_two_fa",
88
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
89
+ }
90
+ ]
91
+ },
92
+ {
93
+ "id": "no_rate_limiting_on_form",
94
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
95
+ "children": [
96
+ {
97
+ "id": "login",
98
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
99
+ }
100
+ ]
101
+ },
102
+ {
103
+ "id": "unsafe_file_upload",
104
+ "children": [
105
+ {
106
+ "id": "no_antivirus",
107
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"
108
+ },
109
+ {
110
+ "id": "no_size_limit",
111
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
112
+ },
113
+ {
114
+ "id": "file_extension_filter_bypass",
115
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
116
+ }
117
+ ]
118
+ },
119
+ {
120
+ "id": "cookie_scoped_to_parent_domain",
121
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
122
+ },
123
+ {
124
+ "id": "missing_secure_or_httponly_cookie_flag",
125
+ "children": [
126
+ {
127
+ "id": "session_token",
128
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
129
+ },
130
+ {
131
+ "id": "non_session_cookie",
132
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
133
+ }
134
+ ]
135
+ },
136
+ {
137
+ "id": "clickjacking",
138
+ "children": [
139
+ {
140
+ "id": "sensitive_action",
141
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
142
+ },
143
+ {
144
+ "id": "non_sensitive_action",
145
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
146
+ }
147
+ ]
148
+ },
149
+ {
150
+ "id": "oauth_misconfiguration",
151
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
152
+ },
153
+ {
154
+ "id": "captcha_bypass",
155
+ "children": [
156
+ {
157
+ "id": "implementation_vulnerability",
158
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
159
+ },
160
+ {
161
+ "id": "brute_force",
162
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
163
+ }
164
+ ]
165
+ },
166
+ {
167
+ "id": "exposed_admin_portal",
168
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
169
+ },
170
+ {
171
+ "id": "missing_dnssec",
172
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
173
+ },
174
+ {
175
+ "id": "fingerprinting_banner_disclosure",
176
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
177
+ },
178
+ {
179
+ "id": "username_enumeration",
180
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
181
+ },
182
+ {
183
+ "id": "potentially_unsafe_http_method_enabled",
184
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
185
+ },
186
+ {
187
+ "id": "insecure_ssl",
188
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
189
+ },
190
+ {
191
+ "id": "rfd",
192
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
193
+ },
194
+ {
195
+ "id": "lack_of_security_headers",
196
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
197
+ "children": [
198
+ {
199
+ "id": "cache_control_for_a_sensitive_page",
200
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
201
+ }
202
+ ]
203
+ },
204
+ {
205
+ "id": "bitsquatting",
206
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
207
+ }
208
+ ]
209
+ },
210
+ {
211
+ "id": "server_side_injection",
212
+ "children": [
213
+ {
214
+ "id": "file_inclusion",
215
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
216
+ },
217
+ {
218
+ "id": "parameter_pollution",
219
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
220
+ },
221
+ {
222
+ "id": "remote_code_execution_rce",
223
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
224
+ },
225
+ {
226
+ "id": "sql_injection",
227
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
228
+ },
229
+ {
230
+ "id": "xml_external_entity_injection_xxe",
231
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
232
+ },
233
+ {
234
+ "id": "http_response_manipulation",
235
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
236
+ },
237
+ {
238
+ "id": "content_spoofing",
239
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
240
+ "children": [
241
+ {
242
+ "id": "iframe_injection",
243
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
244
+ },
245
+ {
246
+ "id": "external_authentication_injection",
247
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
248
+ },
249
+ {
250
+ "id": "email_html_injection",
251
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
252
+ }
253
+ ]
254
+ }
255
+ ]
256
+ },
257
+ {
258
+ "id": "broken_authentication_and_session_management",
259
+ "children": [
260
+ {
261
+ "id": "authentication_bypass",
262
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
263
+ },
264
+ {
265
+ "id": "privilege_escalation",
266
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
267
+ },
268
+ {
269
+ "id": "weak_login_function",
270
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
271
+ },
272
+ {
273
+ "id": "session_fixation",
274
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
275
+ },
276
+ {
277
+ "id": "failure_to_invalidate_session",
278
+ "children": [
279
+ {
280
+ "id": "on_logout",
281
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
282
+ },
283
+ {
284
+ "id": "on_password_reset",
285
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
286
+ },
287
+ {
288
+ "id": "on_password_change",
289
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
290
+ },
291
+ {
292
+ "id": "all_sessions",
293
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
294
+ },
295
+ {
296
+ "id": "on_email_change",
297
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
298
+ },
299
+ {
300
+ "id": "long_timeout",
301
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
302
+ }
303
+ ]
304
+ },
305
+ {
306
+ "id": "concurrent_logins",
307
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
308
+ },
309
+ {
310
+ "id": "weak_registration_implementation",
311
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
312
+ }
313
+ ]
314
+ },
315
+ {
316
+ "id": "sensitive_data_exposure",
317
+ "children": [
318
+ {
319
+ "id": "critically_sensitive_data",
320
+ "children": [
321
+ {
322
+ "id": "password_disclosure",
323
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
324
+ },
325
+ {
326
+ "id": "private_api_keys",
327
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
328
+ }
329
+ ]
330
+ },
331
+ {
332
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
333
+ "children": [
334
+ {
335
+ "id": "automatic_user_enumeration",
336
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
337
+ },
338
+ {
339
+ "id": "manual_user_enumeration",
340
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
341
+ }
342
+ ]
343
+ },
344
+ {
345
+ "id": "visible_detailed_error_page",
346
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
347
+ "children": [
348
+ {
349
+ "id": "detailed_server_configuration",
350
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
351
+ }
352
+ ]
353
+ },
354
+ {
355
+ "id": "disclosure_of_known_public_information",
356
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
357
+ },
358
+ {
359
+ "id": "token_leakage_via_referer",
360
+ "children": [
361
+ {
362
+ "id": "trusted_3rd_party",
363
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
364
+ },
365
+ {
366
+ "id": "untrusted_3rd_party",
367
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
368
+ },
369
+ {
370
+ "id": "over_http",
371
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
372
+ }
373
+ ]
374
+ },
375
+ {
376
+ "id": "sensitive_token_in_url",
377
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
378
+ },
379
+ {
380
+ "id": "non_sensitive_token_in_url",
381
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
382
+ },
383
+ {
384
+ "id": "weak_password_reset_implementation",
385
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
386
+ },
387
+ {
388
+ "id": "mixed_content",
389
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
390
+ },
391
+ {
392
+ "id": "sensitive_data_hardcoded",
393
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
394
+ },
395
+ {
396
+ "id": "internal_ip_disclosure",
397
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
398
+ },
399
+ {
400
+ "id": "xssi",
401
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
402
+ },
403
+ {
404
+ "id": "json_hijacking",
405
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
406
+ }
407
+ ]
408
+ },
409
+ {
410
+ "id": "cross_site_scripting_xss",
411
+ "children": [
412
+ {
413
+ "id": "stored",
414
+ "children": [
415
+ {
416
+ "id": "non_admin_to_anyone",
417
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
418
+ },
419
+ {
420
+ "id": "admin_to_anyone",
421
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
422
+ },
423
+ {
424
+ "id": "self",
425
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
426
+ }
427
+ ]
428
+ },
429
+ {
430
+ "id": "reflected",
431
+ "children": [
432
+ {
433
+ "id": "non_self",
434
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
435
+ },
436
+ {
437
+ "id": "self",
438
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
439
+ }
440
+ ]
441
+ },
442
+ {
443
+ "id": "cookie_based",
444
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
445
+ },
446
+ {
447
+ "id": "ie_only",
448
+ "children": [
449
+ {
450
+ "id": "older_version_ie_10_11",
451
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
452
+ },
453
+ {
454
+ "id": "xss_filter_disabled",
455
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
456
+ },
457
+ {
458
+ "id": "older_version_ie10",
459
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
460
+ }
461
+ ]
462
+ },
463
+ {
464
+ "id": "referer",
465
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
466
+ },
467
+ {
468
+ "id": "trace_method",
469
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
470
+ },
471
+ {
472
+ "id": "universal_uxss",
473
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
474
+ },
475
+ {
476
+ "id": "off_domain",
477
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
478
+ }
479
+ ]
480
+ },
481
+ {
482
+ "id": "broken_access_control",
483
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
484
+ "children": [
485
+ {
486
+ "id": "server_side_request_forgery_ssrf",
487
+ "children": [
488
+ {
489
+ "id": "internal",
490
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
491
+ },
492
+ {
493
+ "id": "external",
494
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
495
+ }
496
+ ]
497
+ },
498
+ {
499
+ "id": "username_enumeration",
500
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
501
+ }
502
+ ]
503
+ },
504
+ {
505
+ "id": "cross_site_request_forgery_csrf",
506
+ "children": [
507
+ {
508
+ "id": "application_wide",
509
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
510
+ },
511
+ {
512
+ "id": "action_specific",
513
+ "children": [
514
+ {
515
+ "id": "authenticated_action",
516
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
517
+ },
518
+ {
519
+ "id": "unauthenticated_action",
520
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
521
+ },
522
+ {
523
+ "id": "logout",
524
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
525
+ }
526
+ ]
527
+ }
528
+ ]
529
+ },
530
+ {
531
+ "id": "application_level_denial_of_service_dos",
532
+ "children": [
533
+ {
534
+ "id": "critical_impact_and_or_easy_difficulty",
535
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
536
+ },
537
+ {
538
+ "id": "high_impact_and_or_medium_difficulty",
539
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
540
+ },
541
+ {
542
+ "id": "app_crash",
543
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
544
+ }
545
+ ]
546
+ },
547
+ {
548
+ "id": "unvalidated_redirects_and_forwards",
549
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
550
+ "children": [
551
+ {
552
+ "id": "open_redirect",
553
+ "children": [
554
+ {
555
+ "id": "get_based",
556
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
557
+ }
558
+ ]
559
+ }
560
+ ]
561
+ },
562
+ {
563
+ "id": "external_behavior",
564
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
565
+ },
566
+ {
567
+ "id": "insufficient_security_configurability",
568
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
569
+ "children": [
570
+ {
571
+ "id": "no_password_policy",
572
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
573
+ },
574
+ {
575
+ "id": "weak_password_reset_implementation",
576
+ "children": [
577
+ {
578
+ "id": "token_is_not_invalidated_after_use",
579
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
580
+ }
581
+ ]
582
+ }
583
+ ]
584
+ },
585
+ {
586
+ "id": "using_components_with_known_vulnerabilities",
587
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
588
+ "children": [
589
+ {
590
+ "id": "rosetta_flash",
591
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
592
+ }
593
+ ]
594
+ },
595
+ {
596
+ "id": "insecure_data_storage",
597
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
598
+ "children": [
599
+ {
600
+ "id": "sensitive_application_data_stored_unencrypted",
601
+ "children": [
602
+ {
603
+ "id": "on_external_storage",
604
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
605
+ }
606
+ ]
607
+ },
608
+ {
609
+ "id": "server_side_credentials_storage",
610
+ "children": [
611
+ {
612
+ "id": "plaintext",
613
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
614
+ }
615
+ ]
616
+ }
617
+ ]
618
+ },
619
+ {
620
+ "id": "lack_of_binary_hardening",
621
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
622
+ },
623
+ {
624
+ "id": "insecure_data_transport",
625
+ "children": [
626
+ {
627
+ "id": "cleartext_transmission_of_sensitive_data",
628
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
629
+ },
630
+ {
631
+ "id": "executable_download",
632
+ "children": [
633
+ {
634
+ "id": "no_secure_integrity_check",
635
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
636
+ },
637
+ {
638
+ "id": "secure_integrity_check",
639
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
640
+ }
641
+ ]
642
+ }
643
+ ]
644
+ },
645
+ {
646
+ "id": "insecure_os_firmware",
647
+ "children": [
648
+ {
649
+ "id": "command_injection",
650
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
651
+ },
652
+ {
653
+ "id": "hardcoded_password",
654
+ "children": [
655
+ {
656
+ "id": "privileged_user",
657
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
658
+ },
659
+ {
660
+ "id": "non_privileged_user",
661
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
662
+ }
663
+ ]
664
+ }
665
+ ]
666
+ },
667
+ {
668
+ "id": "broken_cryptography",
669
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
670
+ },
671
+ {
672
+ "id": "privacy_concerns",
673
+ "children": [
674
+ {
675
+ "id": "unnecessary_data_collection",
676
+ "children": [
677
+ {
678
+ "id": "wifi_ssid_password",
679
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
680
+ }
681
+ ]
682
+ }
683
+ ]
684
+ },
685
+ {
686
+ "id": "network_security_misconfiguration",
687
+ "children": [
688
+ {
689
+ "id": "telnet_enabled",
690
+ "children": [
691
+ {
692
+ "id": "credentials_required",
693
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
694
+ }
695
+ ]
696
+ }
697
+ ]
698
+ },
699
+ {
700
+ "id": "mobile_security_misconfiguration",
701
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
702
+ },
703
+ {
704
+ "id": "client_side_injection",
705
+ "children": [
706
+ {
707
+ "id": "binary_planting",
708
+ "children": [
709
+ {
710
+ "id": "privilege_escalation",
711
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
712
+ },
713
+ {
714
+ "id": "no_privilege_escalation",
715
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
716
+ }
717
+ ]
718
+ }
719
+ ]
720
+ }
721
+ ]
722
+ }
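Review bot: The stored XSS vectors `cross_site_scripting_xss.stored.non_admin_to_anyone` (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`, 9.1 Critical) and `stored.admin_to_anyone` use `UI:N/S:U`, while the sibling `reflected.non_self` vector uses `UI:R/S:C`; a stored payload still requires a victim to render the page and the impacted component is the victim's browser, so FIRST's XSS scoring guidance would put both branches at `UI:R/S:C`, e.g. `"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"` (9.3) for the stored case. If the divergence is a deliberate taxonomy decision it should be recorded in the gem's documentation, because any CVSS calculator fed these strings will report the stored finding as needing no user interaction. Separately, the vectors carry no `CVSS:3.0/` prefix and `metadata` has no version field, so a consumer cannot tell v3.0 from v3.1 (whose Roundup change alters some scores); a `"cvss_version": "3.0"` entry in `metadata`, or the standard prefix on each string, would pin it. Many parent nodes such as `server_security_misconfiguration` and `unsafe_file_upload` carry no `cvss_v3` and `metadata.default` is an all-None vector, so the inheritance rule the consumer is expected to apply (presumably nearest ancestor, then default) is also worth stating in the README, as the file itself has nowhere to say it.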