vrt 0.3.0 → 0.3.1.pre.rc1

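--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 86dd7c9bb2fb4b86609c3ff36d2d036916864d51
-data.tar.gz: ebc292d316d584970d988ca899fca49356e2dcb7
+metadata.gz: 5de47f9404fc1c6810a0cbda0644ddbb06f4e825
+data.tar.gz: 38ccf5c4aa45c48403e685acd1a2180e5575ca44
 SHA512:
-metadata.gz: 2a399701130cf540472607676579f16a05d45f75a6f6293617292c9a5015c3c9439b401f7fcec3ae124879aba45d77db4077686ab2a6a736b0e07c00a5e13928
-data.tar.gz: da8920e1a22943010aa1460b95f5224030d59df61c34126d0073c5b88d357b94db04c8e9fdb19ecaeaa03b5efd3f85afada44bf1e45808c6c743d92826929f08
+metadata.gz: e7653b23573229ae4c1712756ed43481cf7eaf401e6e8a801676faafeb3c5ff1b2c9e5f4d706d821102da60db9448c3ecb1bd633686368ba97eeb966bc5f112a
+data.tar.gz: 546bc52974fd5bc2f5312088a9ebd2f1eaca24abd072c0db8be2b24b1a56f45979742369d058f97c8471ecfd0838e1aa28ff12fe054247cd92bb643bec50c170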
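--- a/data/lib/vrt.rb
+++ b/data/lib/vrt.rb
@@ -4,6 +4,7 @@
 
 require 'vrt/map'
 require 'vrt/node'
+require 'vrt/mapping'
 require 'vrt/cross_version_mapping'
 
 require 'date'
@@ -16,6 +17,7 @@ module VRT
 'name' => 'Other',
 'priority' => nil,
 'type' => 'category' }.freeze
+MAPPINGS = { cvss_v3: VRT::Mapping::CVSSv3 }.freeze
 
 @version_json = {}
 @last_update = {}
@@ -105,6 +107,10 @@ module VRT
 JSON.parse(json_pathname(version).read)['content']
 end
 
+def mappings
+@mappings ||= Hash[MAPPINGS.map { |name, klass| [name, klass.new] }]
+end
+
 # Cache the VRT contents in-memory, so we're not hitting File I/O multiple times per
 # request that needs it.
 def reload!
@@ -112,6 +118,7 @@ module VRT
 versions
 get_json
 last_updated
+mappings
 end
 
 # We separate unload! out, as we need to call it in test environments.
@@ -119,5 +126,6 @@ module VRT
 @versions = nil
 @version_json = {}
 @last_update = {}
+@mappings = nil
 end
 end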
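Review bot: `mappings` is a new public entry point with no comment, and its `||=` memoisation means the `mappings` call added to `reload!` only re-reads the mapping JSON if `@mappings` was cleared first; `unload!` now does that, but `reload!`'s body starts before the hunk, so whether it calls `unload!` first is not visible here. Suggested comment above `def mappings`: `# Scheme name (e.g. :cvss_v3) => VRT::Mapping instance. Built lazily on first use and reset by unload!; each Mapping reads its JSON files from disk when instantiated, so a malformed mapping file makes reload! raise.` Since `reload!` now does that file I/O eagerly, callers that previously tolerated a missing or broken mapping file will see the failure at reload time rather than at the first `Node#cvss_v3` call, which is probably intended but worth stating in the changelog.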
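--- /dev/null
+++ b/data/lib/vrt/mapping.rb
@@ -0,0 +1,69 @@
+module VRT
+class Mapping
+def initialize(scheme)
+@scheme = scheme
+load_mappings
+end
+
+# returns the most specific value provided in the mapping file for the given vrt id
+#
+# if no mapping file exists for the given version, the mapping file for the earliest version available will be used
+def get(id_list, version)
+# update the vrt id to the first version we have a mapping file for
+unless @mappings.key?(version)
+id_list = VRT.find_node(vrt_id: id_list.join('.'), preferred_version: @min_version).id_list
+version = @min_version
+end
+
+# iterate through the id components, keeping track of where we are in the mapping file
+# and the most specific mapped value found so far
+mapping = @mappings[version]['content']
+best_guess = @mappings[version]['metadata']['default']
+id_list.each do |id|
+entry = mapping[id]
+break unless entry # mapping file doesn't go this deep, return previous value
+best_guess = entry[@scheme] if entry[@scheme]
+# use the children mapping for the next iteration
+mapping = entry['children'] || {}
+end
+best_guess
+end
+
+private
+
+def load_mappings
+@mappings = {}
+VRT.versions.each do |version|
+filename = VRT::DIR.join(version, 'mappings', "#{@scheme}.json")
+next unless File.file?(filename)
+mapping = JSON.parse(File.read(filename))
+mapping['content'] = key_by_id(mapping['content'])
+@mappings[version] = mapping
+# VRT.versions is sorted in reverse semver order
+# so this will end up as the earliest version with a mapping file
+@min_version = version
+end
+end
+
+# Converts arrays to hashes keyed by the id attribute (as a symbol) for easier lookup. So
+# [{'id': 'one', 'foo': 'bar'}, {'id': 'two', 'foo': 'baz'}]
+# becomes
+# {one: {'id': 'one', 'foo': 'bar'}, two: {'id': 'two', 'foo': 'baz'}}
+def key_by_id(mapping)
+case mapping
+when Array
+mapping.each_with_object({}) { |entry, acc| acc[entry['id'].to_sym] = key_by_id(entry) }
+when Hash
+mapping.each_with_object({}) { |(key, value), acc| acc[key] = key_by_id(value) }
+else
+mapping
+end
+end
+
+class CVSSv3 < Mapping
+def initialize
+super('cvss_v3')
+end
+end
+end
+end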
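Review bot: `get` assumes at least one mapping file was loaded, but `load_mappings` leaves `@mappings` empty and `@min_version` nil when no `mappings/<scheme>.json` exists for any version — and the `metadata` section of this same diff removes every `lib/data/1.3/mappings/*` file from the gem. In that state the first `get` call reaches `VRT.find_node(..., preferred_version: nil)` and then `@mappings[nil]['content']`, failing with a NoMethodError on nil instead of a message naming the missing scheme; a guard at the top of `get` makes it explicit: `raise ArgumentError, "no #{@scheme} mapping files loaded" if @mappings.empty?`. `VRT.find_node` is defined outside this file; if it can return nil for an id absent from `@min_version`, the `.id_list` call on line 14 fails the same way and deserves the same check. Callers also cannot tell a mapped vector from the `metadata.default` fallback, which matters if the returned CVSS vector feeds severity scoring — worth adding to the method comment: `# returns metadata.default when no entry matches; callers cannot distinguish the two`.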
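--- a/data/lib/vrt/node.rb
+++ b/data/lib/vrt/node.rb
@@ -20,7 +20,15 @@ module VRT
 end
 
 def construct_vrt_id
-parent ? "#{parent.qualified_vrt_id}.#{id}" : id.to_s
+id_list.join('.')
+end
+
+def cvss_v3
+VRT.mappings[:cvss_v3].get(id_list, @version)
+end
+
+def id_list
+parent ? parent.id_list << id : [id]
 end
 
 # Since this object contains references to parent and children,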
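Review bot: `cvss_v3` hands `id_list` to a lookup whose keys are symbols (`Mapping#key_by_id` uses `entry['id'].to_sym`), so if `Node#id` holds a String — `initialize` is outside this hunk, so that cannot be confirmed here — every lookup misses and the mapping's default vector is returned silently. If ids are not guaranteed to be symbols, normalise at the call site: `VRT.mappings[:cvss_v3].get(id_list.map(&:to_sym), @version)`. `id_list` is worth a one-line comment, since the `<<` reads like shared mutation but is not: `# parent.id_list builds a fresh array on each call, so appending here cannot mutate the parent's state`. `@version` is read but not assigned anywhere in the hunk; presumably set in `initialize`.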
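--- a/data/lib/vrt/version.rb
+++ b/data/lib/vrt/version.rb
@@ -1,3 +1,3 @@
 module Vrt
-VERSION = '0.3.0'.freeze
+VERSION = '0.3.1-rc1'.freeze
 end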
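--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vrt
 version: !ruby/object:Gem::Version
-version: 0.3.0
+version: 0.3.1.pre.rc1
 platform: ruby
 authors:
 - Barnett Klane
@@ -85,16 +85,12 @@ files:
 - lib/data/1.2/deprecated-node-mapping.json
 - lib/data/1.2/vrt.schema.json
 - lib/data/1.2/vulnerability-rating-taxonomy.json
-- lib/data/1.3/deprecated-node-mapping.json
-- lib/data/1.3/mappings/cvss_v3.json
-- lib/data/1.3/mappings/cvss_v3.schema.json
-- lib/data/1.3/vrt.schema.json
-- lib/data/1.3/vulnerability-rating-taxonomy.json
 - lib/generators/vrt.rb
 - lib/generators/vrt/install_generator.rb
 - lib/vrt.rb
 - lib/vrt/cross_version_mapping.rb
 - lib/vrt/map.rb
+- lib/vrt/mapping.rb
 - lib/vrt/node.rb
 - lib/vrt/version.rb
 homepage: https://github.com/bugcrowd/vrt-ruby
@@ -112,9 +108,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
-- - ">="
+- - ">"
 - !ruby/object:Gem::Version
-version: '0'
+version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.5.2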
@@ -1,77 +0,0 @@
1
- {
2
- "poor_physical_security": {
3
- "1.1": "other"
4
- },
5
- "social_engineering": {
6
- "1.1": "other"
7
- },
8
- "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
9
- "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
10
- },
11
- "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
12
- "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
13
- },
14
- "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
15
- "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
16
- },
17
- "broken_authentication_and_session_management.session_token_in_url.over_https": {
18
- "1.2": "sensitive_data_exposure.sensitive_token_in_url"
19
- },
20
- "broken_authentication_and_session_management.session_token_in_url.over_http": {
21
- "1.2": "sensitive_data_exposure.sensitive_token_in_url"
22
- },
23
- "broken_authentication_and_session_management.session_token_in_url": {
24
- "1.2": "sensitive_data_exposure.sensitive_token_in_url"
25
- },
26
- "insecure_data_transport": {
27
- "1.2": "mobile_security_misconfiguration"
28
- },
29
- "insecure_data_transport.ssl_certificate_pinning": {
30
- "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
31
- },
32
- "insecure_data_transport.ssl_certificate_pinning.absent": {
33
- "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
34
- },
35
- "insecure_data_transport.ssl_certificate_pinning.defeatable": {
36
- "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
37
- },
38
- "insecure_data_storage.credentials_stored_unencrypted": {
39
- "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
40
- },
41
- "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
42
- "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
43
- },
44
- "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
45
- "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
46
- },
47
- "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
48
- "1.2": "insufficient_security_configurability.weak_password_policy.no_password_policy"
49
- },
50
- "missing_function_level_access_control": {
51
- "1.3": "broken_access_control"
52
- },
53
- "missing_function_level_access_control.server_side_request_forgery_ssrf": {
54
- "1.3": "broken_access_control.server_side_request_forgery_ssrf"
55
- },
56
- "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
57
- "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
58
- },
59
- "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
60
- "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
61
- },
62
- "missing_function_level_access_control.username_enumeration": {
63
- "1.3": "broken_access_control.username_enumeration"
64
- },
65
- "missing_function_level_access_control.username_enumeration.data_leak": {
66
- "1.3": "broken_access_control.username_enumeration.data_leak"
67
- },
68
- "missing_function_level_access_control.exposed_sensitive_android_intent": {
69
- "1.3": "broken_access_control.exposed_sensitive_android_intent"
70
- },
71
- "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
72
- "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
73
- },
74
- "insecure_direct_object_references_idor": {
75
- "1.3": "broken_access_control.idor"
76
- }
77
- }
@@ -1,722 +0,0 @@
1
- {
2
- "metadata": {
3
- "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
- },
5
- "content": [
6
- {
7
- "id": "server_security_misconfiguration",
8
- "children": [
9
- {
10
- "id": "unsafe_cross_origin_resource_sharing",
11
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
12
- },
13
- {
14
- "id": "path_traversal",
15
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
16
- },
17
- {
18
- "id": "directory_listing_enabled",
19
- "children": [
20
- {
21
- "id": "sensitive_data_exposure",
22
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
23
- },
24
- {
25
- "id": "non_sensitive_data_exposure",
26
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
27
- }
28
- ]
29
- },
30
- {
31
- "id": "same_site_scripting",
32
- "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
33
- },
34
- {
35
- "id": "ssl_attack_breach_poodle_etc",
36
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
37
- },
38
- {
39
- "id": "using_default_credentials",
40
- "children": [
41
- {
42
- "id": "production_server",
43
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
44
- },
45
- {
46
- "id": "staging_development_server",
47
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
48
- }
49
- ]
50
- },
51
- {
52
- "id": "misconfigured_dns",
53
- "children": [
54
- {
55
- "id": "subdomain_takeover",
56
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
57
- },
58
- {
59
- "id": "zone_transfer",
60
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
61
- },
62
- {
63
- "id": "missing_caa_record",
64
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
65
- }
66
- ]
67
- },
68
- {
69
- "id": "mail_server_misconfiguration",
70
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
71
- "children": [
72
- {
73
- "id": "missing_spf_on_email_domain",
74
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
75
- },
76
- {
77
- "id": "email_spoofable_via_third_party_api_misconfiguration",
78
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
79
- }
80
- ]
81
- },
82
- {
83
- "id": "lack_of_password_confirmation",
84
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
85
- "children": [
86
- {
87
- "id": "manage_two_fa",
88
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
89
- }
90
- ]
91
- },
92
- {
93
- "id": "no_rate_limiting_on_form",
94
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
95
- "children": [
96
- {
97
- "id": "login",
98
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
99
- }
100
- ]
101
- },
102
- {
103
- "id": "unsafe_file_upload",
104
- "children": [
105
- {
106
- "id": "no_antivirus",
107
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"
108
- },
109
- {
110
- "id": "no_size_limit",
111
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
112
- },
113
- {
114
- "id": "file_extension_filter_bypass",
115
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
116
- }
117
- ]
118
- },
119
- {
120
- "id": "cookie_scoped_to_parent_domain",
121
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
122
- },
123
- {
124
- "id": "missing_secure_or_httponly_cookie_flag",
125
- "children": [
126
- {
127
- "id": "session_token",
128
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
129
- },
130
- {
131
- "id": "non_session_cookie",
132
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
133
- }
134
- ]
135
- },
136
- {
137
- "id": "clickjacking",
138
- "children": [
139
- {
140
- "id": "sensitive_action",
141
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
142
- },
143
- {
144
- "id": "non_sensitive_action",
145
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
146
- }
147
- ]
148
- },
149
- {
150
- "id": "oauth_misconfiguration",
151
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
152
- },
153
- {
154
- "id": "captcha_bypass",
155
- "children": [
156
- {
157
- "id": "implementation_vulnerability",
158
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
159
- },
160
- {
161
- "id": "brute_force",
162
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
163
- }
164
- ]
165
- },
166
- {
167
- "id": "exposed_admin_portal",
168
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
169
- },
170
- {
171
- "id": "missing_dnssec",
172
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
173
- },
174
- {
175
- "id": "fingerprinting_banner_disclosure",
176
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
177
- },
178
- {
179
- "id": "username_enumeration",
180
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
181
- },
182
- {
183
- "id": "potentially_unsafe_http_method_enabled",
184
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
185
- },
186
- {
187
- "id": "insecure_ssl",
188
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
189
- },
190
- {
191
- "id": "rfd",
192
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
193
- },
194
- {
195
- "id": "lack_of_security_headers",
196
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
197
- "children": [
198
- {
199
- "id": "cache_control_for_a_sensitive_page",
200
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
201
- }
202
- ]
203
- },
204
- {
205
- "id": "bitsquatting",
206
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
207
- }
208
- ]
209
- },
210
- {
211
- "id": "server_side_injection",
212
- "children": [
213
- {
214
- "id": "file_inclusion",
215
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
216
- },
217
- {
218
- "id": "parameter_pollution",
219
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
220
- },
221
- {
222
- "id": "remote_code_execution_rce",
223
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
224
- },
225
- {
226
- "id": "sql_injection",
227
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
228
- },
229
- {
230
- "id": "xml_external_entity_injection_xxe",
231
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
232
- },
233
- {
234
- "id": "http_response_manipulation",
235
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
236
- },
237
- {
238
- "id": "content_spoofing",
239
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
240
- "children": [
241
- {
242
- "id": "iframe_injection",
243
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
244
- },
245
- {
246
- "id": "external_authentication_injection",
247
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
248
- },
249
- {
250
- "id": "email_html_injection",
251
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
252
- }
253
- ]
254
- }
255
- ]
256
- },
257
- {
258
- "id": "broken_authentication_and_session_management",
259
- "children": [
260
- {
261
- "id": "authentication_bypass",
262
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
263
- },
264
- {
265
- "id": "privilege_escalation",
266
- "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
267
- },
268
- {
269
- "id": "weak_login_function",
270
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
271
- },
272
- {
273
- "id": "session_fixation",
274
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
275
- },
276
- {
277
- "id": "failure_to_invalidate_session",
278
- "children": [
279
- {
280
- "id": "on_logout",
281
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
282
- },
283
- {
284
- "id": "on_password_reset",
285
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
286
- },
287
- {
288
- "id": "on_password_change",
289
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
290
- },
291
- {
292
- "id": "all_sessions",
293
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
294
- },
295
- {
296
- "id": "on_email_change",
297
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
298
- },
299
- {
300
- "id": "long_timeout",
301
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
302
- }
303
- ]
304
- },
305
- {
306
- "id": "concurrent_logins",
307
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
308
- },
309
- {
310
- "id": "weak_registration_implementation",
311
- "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
312
- }
313
- ]
314
- },
315
- {
316
- "id": "sensitive_data_exposure",
317
- "children": [
318
- {
319
- "id": "critically_sensitive_data",
320
- "children": [
321
- {
322
- "id": "password_disclosure",
323
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
324
- },
325
- {
326
- "id": "private_api_keys",
327
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
328
- }
329
- ]
330
- },
331
- {
332
- "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
333
- "children": [
334
- {
335
- "id": "automatic_user_enumeration",
336
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
337
- },
338
- {
339
- "id": "manual_user_enumeration",
340
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
341
- }
342
- ]
343
- },
344
- {
345
- "id": "visible_detailed_error_page",
346
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
347
- "children": [
348
- {
349
- "id": "detailed_server_configuration",
350
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
351
- }
352
- ]
353
- },
354
- {
355
- "id": "disclosure_of_known_public_information",
356
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
357
- },
358
- {
359
- "id": "token_leakage_via_referer",
360
- "children": [
361
- {
362
- "id": "trusted_3rd_party",
363
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
364
- },
365
- {
366
- "id": "untrusted_3rd_party",
367
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
368
- },
369
- {
370
- "id": "over_http",
371
- "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
372
- }
373
- ]
374
- },
375
- {
376
- "id": "sensitive_token_in_url",
377
- "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
378
- },
379
- {
380
- "id": "non_sensitive_token_in_url",
381
- "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
382
- },
383
- {
384
- "id": "weak_password_reset_implementation",
385
- "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
386
- },
387
- {
388
- "id": "mixed_content",
389
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
390
- },
391
- {
392
- "id": "sensitive_data_hardcoded",
393
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
394
- },
395
- {
396
- "id": "internal_ip_disclosure",
397
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
398
- },
399
- {
400
- "id": "xssi",
401
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
402
- },
403
- {
404
- "id": "json_hijacking",
405
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
406
- }
407
- ]
408
- },
409
- {
410
- "id": "cross_site_scripting_xss",
411
- "children": [
412
- {
413
- "id": "stored",
414
- "children": [
415
- {
416
- "id": "non_admin_to_anyone",
417
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
418
- },
419
- {
420
- "id": "admin_to_anyone",
421
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
422
- },
423
- {
424
- "id": "self",
425
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
426
- }
427
- ]
428
- },
429
- {
430
- "id": "reflected",
431
- "children": [
432
- {
433
- "id": "non_self",
434
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
435
- },
436
- {
437
- "id": "self",
438
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
439
- }
440
- ]
441
- },
442
- {
443
- "id": "cookie_based",
444
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
445
- },
446
- {
447
- "id": "ie_only",
448
- "children": [
449
- {
450
- "id": "older_version_ie_10_11",
451
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
452
- },
453
- {
454
- "id": "xss_filter_disabled",
455
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
456
- },
457
- {
458
- "id": "older_version_ie10",
459
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
460
- }
461
- ]
462
- },
463
- {
464
- "id": "referer",
465
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
466
- },
467
- {
468
- "id": "trace_method",
469
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
470
- },
471
- {
472
- "id": "universal_uxss",
473
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
474
- },
475
- {
476
- "id": "off_domain",
477
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
478
- }
479
- ]
480
- },
481
- {
482
- "id": "broken_access_control",
483
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
484
- "children": [
485
- {
486
- "id": "server_side_request_forgery_ssrf",
487
- "children": [
488
- {
489
- "id": "internal",
490
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
491
- },
492
- {
493
- "id": "external",
494
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
495
- }
496
- ]
497
- },
498
- {
499
- "id": "username_enumeration",
500
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
501
- }
502
- ]
503
- },
504
- {
505
- "id": "cross_site_request_forgery_csrf",
506
- "children": [
507
- {
508
- "id": "application_wide",
509
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
510
- },
511
- {
512
- "id": "action_specific",
513
- "children": [
514
- {
515
- "id": "authenticated_action",
516
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
517
- },
518
- {
519
- "id": "unauthenticated_action",
520
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
521
- },
522
- {
523
- "id": "logout",
524
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
525
- }
526
- ]
527
- }
528
- ]
529
- },
530
- {
531
- "id": "application_level_denial_of_service_dos",
532
- "children": [
533
- {
534
- "id": "critical_impact_and_or_easy_difficulty",
535
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
536
- },
537
- {
538
- "id": "high_impact_and_or_medium_difficulty",
539
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
540
- },
541
- {
542
- "id": "app_crash",
543
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
544
- }
545
- ]
546
- },
547
- {
548
- "id": "unvalidated_redirects_and_forwards",
549
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
550
- "children": [
551
- {
552
- "id": "open_redirect",
553
- "children": [
554
- {
555
- "id": "get_based",
556
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
557
- }
558
- ]
559
- }
560
- ]
561
- },
562
- {
563
- "id": "external_behavior",
564
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
565
- },
566
- {
567
- "id": "insufficient_security_configurability",
568
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
569
- "children": [
570
- {
571
- "id": "no_password_policy",
572
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
573
- },
574
- {
575
- "id": "weak_password_reset_implementation",
576
- "children": [
577
- {
578
- "id": "token_is_not_invalidated_after_use",
579
- "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
580
- }
581
- ]
582
- }
583
- ]
584
- },
585
- {
586
- "id": "using_components_with_known_vulnerabilities",
587
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
588
- "children": [
589
- {
590
- "id": "rosetta_flash",
591
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
592
- }
593
- ]
594
- },
595
- {
596
- "id": "insecure_data_storage",
597
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
598
- "children": [
599
- {
600
- "id": "sensitive_application_data_stored_unencrypted",
601
- "children": [
602
- {
603
- "id": "on_external_storage",
604
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
605
- }
606
- ]
607
- },
608
- {
609
- "id": "server_side_credentials_storage",
610
- "children": [
611
- {
612
- "id": "plaintext",
613
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
614
- }
615
- ]
616
- }
617
- ]
618
- },
619
- {
620
- "id": "lack_of_binary_hardening",
621
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
622
- },
623
- {
624
- "id": "insecure_data_transport",
625
- "children": [
626
- {
627
- "id": "cleartext_transmission_of_sensitive_data",
628
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
629
- },
630
- {
631
- "id": "executable_download",
632
- "children": [
633
- {
634
- "id": "no_secure_integrity_check",
635
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
636
- },
637
- {
638
- "id": "secure_integrity_check",
639
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
640
- }
641
- ]
642
- }
643
- ]
644
- },
645
- {
646
- "id": "insecure_os_firmware",
647
- "children": [
648
- {
649
- "id": "command_injection",
650
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
651
- },
652
- {
653
- "id": "hardcoded_password",
654
- "children": [
655
- {
656
- "id": "privileged_user",
657
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
658
- },
659
- {
660
- "id": "non_privileged_user",
661
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
662
- }
663
- ]
664
- }
665
- ]
666
- },
667
- {
668
- "id": "broken_cryptography",
669
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
670
- },
671
- {
672
- "id": "privacy_concerns",
673
- "children": [
674
- {
675
- "id": "unnecessary_data_collection",
676
- "children": [
677
- {
678
- "id": "wifi_ssid_password",
679
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
680
- }
681
- ]
682
- }
683
- ]
684
- },
685
- {
686
- "id": "network_security_misconfiguration",
687
- "children": [
688
- {
689
- "id": "telnet_enabled",
690
- "children": [
691
- {
692
- "id": "credentials_required",
693
- "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
694
- }
695
- ]
696
- }
697
- ]
698
- },
699
- {
700
- "id": "mobile_security_misconfiguration",
701
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
702
- },
703
- {
704
- "id": "client_side_injection",
705
- "children": [
706
- {
707
- "id": "binary_planting",
708
- "children": [
709
- {
710
- "id": "privilege_escalation",
711
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
712
- },
713
- {
714
- "id": "no_privilege_escalation",
715
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
716
- }
717
- ]
718
- }
719
- ]
720
- }
721
- ]
722
- }