vrt 0.3.1.pre.rc1 → 0.3.1.pre.rc2

@@ -0,0 +1,1607 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2017-09-22T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "children": [
59
+ {
60
+ "id": "production_server",
61
+ "name": "Production Server",
62
+ "type": "variant",
63
+ "priority": 1
64
+ },
65
+ {
66
+ "id": "staging_development_server",
67
+ "name": "Staging/Development Server",
68
+ "type": "variant",
69
+ "priority": 2
70
+ }
71
+ ]
72
+ },
73
+ {
74
+ "id": "misconfigured_dns",
75
+ "name": "Misconfigured DNS",
76
+ "type": "subcategory",
77
+ "children": [
78
+ {
79
+ "id": "subdomain_takeover",
80
+ "name": "Subdomain Takeover",
81
+ "type": "variant",
82
+ "priority": 2
83
+ },
84
+ {
85
+ "id": "zone_transfer",
86
+ "name": "Zone Transfer",
87
+ "type": "variant",
88
+ "priority": 4
89
+ },
90
+ {
91
+ "id": "missing_caa_record",
92
+ "name": "Missing Certification Authority Authorization (CAA) Record",
93
+ "type": "variant",
94
+ "priority": 5
95
+ }
96
+ ]
97
+ },
98
+ {
99
+ "id": "mail_server_misconfiguration",
100
+ "name": "Mail Server Misconfiguration",
101
+ "type": "subcategory",
102
+ "children": [
103
+ {
104
+ "id": "missing_spf_on_email_domain",
105
+ "name": "Missing SPF on Email Domain",
106
+ "type": "variant",
107
+ "priority": 3
108
+ },
109
+ {
110
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
111
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
112
+ "type": "variant",
113
+ "priority": 3
114
+ },
115
+ {
116
+ "id": "missing_spf_on_non_email_domain",
117
+ "name": "Missing SPF on Non-Email Domain",
118
+ "type": "variant",
119
+ "priority": 5
120
+ },
121
+ {
122
+ "id": "spf_uses_a_soft_fail",
123
+ "name": "SPF Uses a Soft Fail",
124
+ "type": "variant",
125
+ "priority": 5
126
+ },
127
+ {
128
+ "id": "spf_includes_10_lookups",
129
+ "name": "SPF Includes More Than 10 Lookups",
130
+ "type": "variant",
131
+ "priority": 5
132
+ },
133
+ {
134
+ "id": "missing_dmarc",
135
+ "name": "Missing DKIM/DMARC",
136
+ "type": "variant",
137
+ "priority": 5
138
+ }
139
+ ]
140
+ },
141
+ {
142
+ "id": "lack_of_password_confirmation",
143
+ "name": "Lack of Password Confirmation",
144
+ "type": "subcategory",
145
+ "children": [
146
+ {
147
+ "id": "change_email_address",
148
+ "name": "Change Email Address",
149
+ "type": "variant",
150
+ "priority": 4
151
+ },
152
+ {
153
+ "id": "change_password",
154
+ "name": "Change Password",
155
+ "type": "variant",
156
+ "priority": 4
157
+ },
158
+ {
159
+ "id": "delete_account",
160
+ "name": "Delete Account",
161
+ "type": "variant",
162
+ "priority": 4
163
+ },
164
+ {
165
+ "id": "manage_two_fa",
166
+ "name": "Manage 2FA",
167
+ "type": "variant",
168
+ "priority": 5
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "no_rate_limiting_on_form",
174
+ "name": "No Rate Limiting on Form",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "registration",
179
+ "name": "Registration",
180
+ "type": "variant",
181
+ "priority": 4
182
+ },
183
+ {
184
+ "id": "login",
185
+ "name": "Login",
186
+ "type": "variant",
187
+ "priority": 3
188
+ },
189
+ {
190
+ "id": "email_triggering",
191
+ "name": "Email-Triggering",
192
+ "type": "variant",
193
+ "priority": 4
194
+ }
195
+ ]
196
+ },
197
+ {
198
+ "id": "unsafe_file_upload",
199
+ "name": "Unsafe File Upload",
200
+ "type": "subcategory",
201
+ "children": [
202
+ {
203
+ "id": "no_antivirus",
204
+ "name": "No Antivirus",
205
+ "type": "variant",
206
+ "priority": 4
207
+ },
208
+ {
209
+ "id": "no_size_limit",
210
+ "name": "No Size Limit",
211
+ "type": "variant",
212
+ "priority": 4
213
+ },
214
+ {
215
+ "id": "file_extension_filter_bypass",
216
+ "name": "File Extension Filter Bypass",
217
+ "type": "variant",
218
+ "priority": 5
219
+ }
220
+ ]
221
+ },
222
+ {
223
+ "id": "cookie_scoped_to_parent_domain",
224
+ "name": "Cookie Scoped to Parent Domain",
225
+ "type": "subcategory",
226
+ "priority": 5
227
+ },
228
+ {
229
+ "id": "missing_secure_or_httponly_cookie_flag",
230
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
231
+ "type": "subcategory",
232
+ "children": [
233
+ {
234
+ "id": "session_token",
235
+ "name": "Session Token",
236
+ "type": "variant",
237
+ "priority": 4
238
+ },
239
+ {
240
+ "id": "non_session_cookie",
241
+ "name": "Non-Session Cookie",
242
+ "type": "variant",
243
+ "priority": 5
244
+ }
245
+ ]
246
+ },
247
+ {
248
+ "id": "clickjacking",
249
+ "name": "Clickjacking",
250
+ "type": "subcategory",
251
+ "children": [
252
+ {
253
+ "id": "sensitive_action",
254
+ "name": "Sensitive Action",
255
+ "type": "variant",
256
+ "priority": 4
257
+ },
258
+ {
259
+ "id": "non_sensitive_action",
260
+ "name": "Non-Sensitive Action",
261
+ "type": "variant",
262
+ "priority": 5
263
+ }
264
+ ]
265
+ },
266
+ {
267
+ "id": "oauth_misconfiguration",
268
+ "name": "OAuth Misconfiguration",
269
+ "type": "subcategory",
270
+ "children": [
271
+ {
272
+ "id": "missing_state_parameter",
273
+ "name": "Missing State Parameter",
274
+ "type": "variant",
275
+ "priority": 4
276
+ }
277
+ ]
278
+ },
279
+ {
280
+ "id": "captcha_bypass",
281
+ "name": "Captcha Bypass",
282
+ "type": "subcategory",
283
+ "children": [
284
+ {
285
+ "id": "implementation_vulnerability",
286
+ "name": "Implementation Vulnerability",
287
+ "type": "variant",
288
+ "priority": 4
289
+ },
290
+ {
291
+ "id": "brute_force",
292
+ "name": "Brute Force",
293
+ "type": "variant",
294
+ "priority": 5
295
+ }
296
+ ]
297
+ },
298
+ {
299
+ "id": "exposed_admin_portal",
300
+ "name": "Exposed Admin Portal",
301
+ "type": "subcategory",
302
+ "children": [
303
+ {
304
+ "id": "to_internet",
305
+ "name": "To Internet",
306
+ "type": "variant",
307
+ "priority": 5
308
+ }
309
+ ]
310
+ },
311
+ {
312
+ "id": "missing_dnssec",
313
+ "name": "Missing DNSSEC",
314
+ "type": "subcategory",
315
+ "priority": 5
316
+ },
317
+ {
318
+ "id": "fingerprinting_banner_disclosure",
319
+ "name": "Fingerprinting/Banner Disclosure",
320
+ "type": "subcategory",
321
+ "priority": 5
322
+ },
323
+ {
324
+ "id": "username_enumeration",
325
+ "name": "Username Enumeration",
326
+ "type": "subcategory",
327
+ "children": [
328
+ {
329
+ "id": "brute_force",
330
+ "name": "Brute Force",
331
+ "type": "variant",
332
+ "priority": 5
333
+ }
334
+ ]
335
+ },
336
+ {
337
+ "id": "potentially_unsafe_http_method_enabled",
338
+ "name": "Potentially Unsafe HTTP Method Enabled",
339
+ "type": "subcategory",
340
+ "children": [
341
+ {
342
+ "id": "options",
343
+ "name": "OPTIONS",
344
+ "type": "variant",
345
+ "priority": 5
346
+ },
347
+ {
348
+ "id": "trace",
349
+ "name": "TRACE",
350
+ "type": "variant",
351
+ "priority": 5
352
+ }
353
+ ]
354
+ },
355
+ {
356
+ "id": "insecure_ssl",
357
+ "name": "Insecure SSL",
358
+ "type": "subcategory",
359
+ "children": [
360
+ {
361
+ "id": "lack_of_forward_secrecy",
362
+ "name": "Lack of Forward Secrecy",
363
+ "type": "variant",
364
+ "priority": 5
365
+ },
366
+ {
367
+ "id": "insecure_cipher_suite",
368
+ "name": "Insecure Cipher Suite",
369
+ "type": "variant",
370
+ "priority": 5
371
+ }
372
+ ]
373
+ },
374
+ {
375
+ "id": "rfd",
376
+ "name": "Reflected File Download (RFD)",
377
+ "type": "subcategory",
378
+ "priority": 5
379
+ },
380
+ {
381
+ "id": "lack_of_security_headers",
382
+ "name": "Lack of Security Headers",
383
+ "type": "subcategory",
384
+ "children": [
385
+ {
386
+ "id": "x_frame_options",
387
+ "name": "X-Frame-Options",
388
+ "type": "variant",
389
+ "priority": 5
390
+ },
391
+ {
392
+ "id": "cache_control_for_a_non_sensitive_page",
393
+ "name": "Cache-Control for a Non-Sensitive Page",
394
+ "type": "variant",
395
+ "priority": 5
396
+ },
397
+ {
398
+ "id": "x_xss_protection",
399
+ "name": "X-XSS-Protection",
400
+ "type": "variant",
401
+ "priority": 5
402
+ },
403
+ {
404
+ "id": "strict_transport_security",
405
+ "name": "Strict-Transport-Security",
406
+ "type": "variant",
407
+ "priority": 5
408
+ },
409
+ {
410
+ "id": "x_content_type_options",
411
+ "name": "X-Content-Type-Options",
412
+ "type": "variant",
413
+ "priority": 5
414
+ },
415
+ {
416
+ "id": "content_security_policy",
417
+ "name": "Content-Security-Policy",
418
+ "type": "variant",
419
+ "priority": 5
420
+ },
421
+ {
422
+ "id": "public_key_pins",
423
+ "name": "Public-Key-Pins",
424
+ "type": "variant",
425
+ "priority": 5
426
+ },
427
+ {
428
+ "id": "x_content_security_policy",
429
+ "name": "X-Content-Security-Policy",
430
+ "type": "variant",
431
+ "priority": 5
432
+ },
433
+ {
434
+ "id": "x_webkit_csp",
435
+ "name": "X-Webkit-CSP",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "content_security_policy_report_only",
441
+ "name": "Content-Security-Policy-Report-Only",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "cache_control_for_a_sensitive_page",
447
+ "name": "Cache-Control for a Sensitive Page",
448
+ "type": "variant",
449
+ "priority": 4
450
+ }
451
+ ]
452
+ },
453
+ {
454
+ "id": "bitsquatting",
455
+ "name": "Bitsquatting",
456
+ "type": "subcategory",
457
+ "priority": 5
458
+ }
459
+ ]
460
+ },
461
+ {
462
+ "id": "server_side_injection",
463
+ "name": "Server-Side Injection",
464
+ "type": "category",
465
+ "children": [
466
+ {
467
+ "id": "file_inclusion",
468
+ "name": "File Inclusion",
469
+ "type": "subcategory",
470
+ "children": [
471
+ {
472
+ "id": "local",
473
+ "name": "Local",
474
+ "type": "variant",
475
+ "priority": 1
476
+ }
477
+ ]
478
+ },
479
+ {
480
+ "id": "parameter_pollution",
481
+ "name": "Parameter Pollution",
482
+ "type": "subcategory",
483
+ "children": [
484
+ {
485
+ "id": "social_media_sharing_buttons",
486
+ "name": "Social Media Sharing Buttons",
487
+ "type": "variant",
488
+ "priority": 5
489
+ }
490
+ ]
491
+ },
492
+ {
493
+ "id": "remote_code_execution_rce",
494
+ "name": "Remote Code Execution (RCE)",
495
+ "type": "subcategory",
496
+ "priority": 1
497
+ },
498
+ {
499
+ "id": "sql_injection",
500
+ "name": "SQL Injection",
501
+ "type": "subcategory",
502
+ "children": [
503
+ {
504
+ "id": "error_based",
505
+ "name": "Error-Based",
506
+ "type": "variant",
507
+ "priority": 1
508
+ },
509
+ {
510
+ "id": "blind",
511
+ "name": "Blind",
512
+ "type": "variant",
513
+ "priority": 1
514
+ }
515
+ ]
516
+ },
517
+ {
518
+ "id": "xml_external_entity_injection_xxe",
519
+ "name": "XML External Entity Injection (XXE)",
520
+ "type": "subcategory",
521
+ "priority": 1
522
+ },
523
+ {
524
+ "id": "http_response_manipulation",
525
+ "name": "HTTP Response Manipulation",
526
+ "type": "subcategory",
527
+ "children": [
528
+ {
529
+ "id": "response_splitting_crlf",
530
+ "name": "Response Splitting (CRLF)",
531
+ "type": "variant",
532
+ "priority": 3
533
+ }
534
+ ]
535
+ },
536
+ {
537
+ "id": "content_spoofing",
538
+ "name": "Content Spoofing",
539
+ "type": "subcategory",
540
+ "children": [
541
+ {
542
+ "id": "iframe_injection",
543
+ "name": "iframe Injection",
544
+ "type": "variant",
545
+ "priority": 3
546
+ },
547
+ {
548
+ "id": "external_authentication_injection",
549
+ "name": "External Authentication Injection",
550
+ "type": "variant",
551
+ "priority": 4
552
+ },
553
+ {
554
+ "id": "email_html_injection",
555
+ "name": "Email HTML Injection",
556
+ "type": "variant",
557
+ "priority": 4
558
+ },
559
+ {
560
+ "id": "text_injection",
561
+ "name": "Text Injection",
562
+ "type": "variant",
563
+ "priority": 5
564
+ },
565
+ {
566
+ "id": "homograph_idn_based",
567
+ "name": "Homograph/IDN-Based",
568
+ "type": "variant",
569
+ "priority": 5
570
+ }
571
+ ]
572
+ }
573
+ ]
574
+ },
575
+ {
576
+ "id": "broken_authentication_and_session_management",
577
+ "name": "Broken Authentication and Session Management",
578
+ "type": "category",
579
+ "children": [
580
+ {
581
+ "id": "authentication_bypass",
582
+ "name": "Authentication Bypass",
583
+ "type": "subcategory",
584
+ "priority": 1
585
+ },
586
+ {
587
+ "id": "privilege_escalation",
588
+ "name": "Privilege Escalation",
589
+ "type": "subcategory",
590
+ "priority": null
591
+ },
592
+ {
593
+ "id": "weak_login_function",
594
+ "name": "Weak Login Function",
595
+ "type": "subcategory",
596
+ "children": [
597
+ {
598
+ "id": "over_http",
599
+ "name": "Over HTTP",
600
+ "type": "variant",
601
+ "priority": 3
602
+ }
603
+ ]
604
+ },
605
+ {
606
+ "id": "session_fixation",
607
+ "name": "Session Fixation",
608
+ "type": "subcategory",
609
+ "priority": 3
610
+ },
611
+ {
612
+ "id": "failure_to_invalidate_session",
613
+ "name": "Failure to Invalidate Session",
614
+ "type": "subcategory",
615
+ "children": [
616
+ {
617
+ "id": "on_logout",
618
+ "name": "On Logout",
619
+ "type": "variant",
620
+ "priority": 4
621
+ },
622
+ {
623
+ "id": "on_password_reset",
624
+ "name": "On Password Reset",
625
+ "type": "variant",
626
+ "priority": 4
627
+ },
628
+ {
629
+ "id": "on_password_change",
630
+ "name": "On Password Change",
631
+ "type": "variant",
632
+ "priority": 4
633
+ },
634
+ {
635
+ "id": "all_sessions",
636
+ "name": "All Sessions",
637
+ "type": "variant",
638
+ "priority": 5
639
+ },
640
+ {
641
+ "id": "on_email_change",
642
+ "name": "On Email Change",
643
+ "type": "variant",
644
+ "priority": 5
645
+ },
646
+ {
647
+ "id": "long_timeout",
648
+ "name": "Long Timeout",
649
+ "type": "variant",
650
+ "priority": 5
651
+ }
652
+ ]
653
+ },
654
+ {
655
+ "id": "concurrent_logins",
656
+ "name": "Concurrent Logins",
657
+ "type": "subcategory",
658
+ "priority": 5
659
+ },
660
+ {
661
+ "id": "weak_registration_implementation",
662
+ "name": "Weak Registration Implementation",
663
+ "type": "subcategory",
664
+ "children": [
665
+ {
666
+ "id": "over_http",
667
+ "name": "Over HTTP",
668
+ "type": "variant",
669
+ "priority": 4
670
+ }
671
+ ]
672
+ }
673
+ ]
674
+ },
675
+ {
676
+ "id": "sensitive_data_exposure",
677
+ "name": "Sensitive Data Exposure",
678
+ "type": "category",
679
+ "children": [
680
+ {
681
+ "id": "critically_sensitive_data",
682
+ "name": "Critically Sensitive Data",
683
+ "type": "subcategory",
684
+ "children": [
685
+ {
686
+ "id": "password_disclosure",
687
+ "name": "Password Disclosure",
688
+ "type": "variant",
689
+ "priority": 1
690
+ },
691
+ {
692
+ "id": "private_api_keys",
693
+ "name": "Private API Keys",
694
+ "type": "variant",
695
+ "priority": 1
696
+ }
697
+ ]
698
+ },
699
+ {
700
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
701
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
702
+ "type": "subcategory",
703
+ "children": [
704
+ {
705
+ "id": "automatic_user_enumeration",
706
+ "name": "Automatic User Enumeration",
707
+ "type": "variant",
708
+ "priority": 3
709
+ },
710
+ {
711
+ "id": "manual_user_enumeration",
712
+ "name": "Manual User Enumeration",
713
+ "type": "variant",
714
+ "priority": 4
715
+ }
716
+ ]
717
+ },
718
+ {
719
+ "id": "visible_detailed_error_page",
720
+ "name": "Visible Detailed Error/Debug Page",
721
+ "type": "subcategory",
722
+ "children": [
723
+ {
724
+ "id": "detailed_server_configuration",
725
+ "name": "Detailed Server Configuration",
726
+ "type": "variant",
727
+ "priority": 4
728
+ },
729
+ {
730
+ "id": "full_path_disclosure",
731
+ "name": "Full Path Disclosure",
732
+ "type": "variant",
733
+ "priority": 5
734
+ },
735
+ {
736
+ "id": "descriptive_stack_trace",
737
+ "name": "Descriptive Stack Trace",
738
+ "type": "variant",
739
+ "priority": 5
740
+ }
741
+ ]
742
+ },
743
+ {
744
+ "id": "disclosure_of_known_public_information",
745
+ "name": "Disclosure of Known Public Information",
746
+ "type": "subcategory",
747
+ "priority": 5
748
+ },
749
+ {
750
+ "id": "token_leakage_via_referer",
751
+ "name": "Token Leakage via Referer",
752
+ "type": "subcategory",
753
+ "children": [
754
+ {
755
+ "id": "trusted_3rd_party",
756
+ "name": "Trusted 3rd Party",
757
+ "type": "variant",
758
+ "priority": 5
759
+ },
760
+ {
761
+ "id": "untrusted_3rd_party",
762
+ "name": "Untrusted 3rd Party",
763
+ "type": "variant",
764
+ "priority": 4
765
+ },
766
+ {
767
+ "id": "over_http",
768
+ "name": "Over HTTP",
769
+ "type": "variant",
770
+ "priority": 4
771
+ }
772
+ ]
773
+ },
774
+ {
775
+ "id": "sensitive_token_in_url",
776
+ "name": "Sensitive Token in URL",
777
+ "type": "subcategory",
778
+ "priority": 4
779
+ },
780
+ {
781
+ "id": "non_sensitive_token_in_url",
782
+ "name": "Non-Sensitive Token in URL",
783
+ "type": "subcategory",
784
+ "priority": 5
785
+ },
786
+ {
787
+ "id": "weak_password_reset_implementation",
788
+ "name": "Weak Password Reset Implementation",
789
+ "type": "subcategory",
790
+ "children": [
791
+ {
792
+ "id": "password_reset_token_sent_over_http",
793
+ "name": "Password Reset Token Sent Over HTTP",
794
+ "type": "variant",
795
+ "priority": 4
796
+ }
797
+ ]
798
+ },
799
+ {
800
+ "id": "mixed_content",
801
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
802
+ "type": "subcategory",
803
+ "priority": 5
804
+ },
805
+ {
806
+ "id": "sensitive_data_hardcoded",
807
+ "name": "Sensitive Data Hardcoded",
808
+ "type": "subcategory",
809
+ "children": [
810
+ {
811
+ "id": "oauth_secret",
812
+ "name": "OAuth Secret",
813
+ "type": "variant",
814
+ "priority": 5
815
+ },
816
+ {
817
+ "id": "file_paths",
818
+ "name": "File Paths",
819
+ "type": "variant",
820
+ "priority": 5
821
+ }
822
+ ]
823
+ },
824
+ {
825
+ "id": "internal_ip_disclosure",
826
+ "name": "Internal IP Disclosure",
827
+ "type": "subcategory",
828
+ "priority": 5
829
+ },
830
+ {
831
+ "id": "xssi",
832
+ "name": "Cross Site Script Inclusion (XSSI)",
833
+ "type": "subcategory",
834
+ "priority": null
835
+ },
836
+ {
837
+ "id": "json_hijacking",
838
+ "name": "JSON Hijacking",
839
+ "type": "subcategory",
840
+ "priority": 5
841
+ }
842
+ ]
843
+ },
844
+ {
845
+ "id": "cross_site_scripting_xss",
846
+ "name": "Cross-Site Scripting (XSS)",
847
+ "type": "category",
848
+ "children": [
849
+ {
850
+ "id": "stored",
851
+ "name": "Stored",
852
+ "type": "subcategory",
853
+ "children": [
854
+ {
855
+ "id": "non_admin_to_anyone",
856
+ "name": "Non-Admin to Anyone",
857
+ "type": "variant",
858
+ "priority": 2
859
+ },
860
+ {
861
+ "id": "admin_to_anyone",
862
+ "name": "Admin to Anyone",
863
+ "type": "variant",
864
+ "priority": 3
865
+ },
866
+ {
867
+ "id": "self",
868
+ "name": "Self",
869
+ "type": "variant",
870
+ "priority": 5
871
+ }
872
+ ]
873
+ },
874
+ {
875
+ "id": "reflected",
876
+ "name": "Reflected",
877
+ "type": "subcategory",
878
+ "children": [
879
+ {
880
+ "id": "non_self",
881
+ "name": "Non-Self",
882
+ "type": "variant",
883
+ "priority": 3
884
+ },
885
+ {
886
+ "id": "self",
887
+ "name": "Self",
888
+ "type": "variant",
889
+ "priority": 5
890
+ }
891
+ ]
892
+ },
893
+ {
894
+ "id": "cookie_based",
895
+ "name": "Cookie-Based",
896
+ "type": "subcategory",
897
+ "priority": 5
898
+ },
899
+ {
900
+ "id": "ie_only",
901
+ "name": "IE-Only",
902
+ "type": "subcategory",
903
+ "children": [
904
+ {
905
+ "id": "older_version_ie_10_11",
906
+ "name": "Older Version (IE 10/11)",
907
+ "type": "variant",
908
+ "priority": 4
909
+ },
910
+ {
911
+ "id": "xss_filter_disabled",
912
+ "name": "XSS Filter Disabled",
913
+ "type": "variant",
914
+ "priority": 5
915
+ },
916
+ {
917
+ "id": "older_version_ie10",
918
+ "name": "Older Version (< IE10)",
919
+ "type": "variant",
920
+ "priority": 5
921
+ }
922
+ ]
923
+ },
924
+ {
925
+ "id": "referer",
926
+ "name": "Referer",
927
+ "type": "subcategory",
928
+ "priority": 4
929
+ },
930
+ {
931
+ "id": "trace_method",
932
+ "name": "TRACE Method",
933
+ "type": "subcategory",
934
+ "priority": 5
935
+ },
936
+ {
937
+ "id": "universal_uxss",
938
+ "name": "Universal (UXSS)",
939
+ "type": "subcategory",
940
+ "priority": 4
941
+ },
942
+ {
943
+ "id": "off_domain",
944
+ "name": "Off-Domain",
945
+ "type": "subcategory",
946
+ "children": [
947
+ {
948
+ "id": "data_uri",
949
+ "name": "Data URI",
950
+ "type": "variant",
951
+ "priority": 4
952
+ }
953
+ ]
954
+ }
955
+ ]
956
+ },
957
+ {
958
+ "id": "broken_access_control",
959
+ "name": "Broken Access Control (BAC)",
960
+ "type": "category",
961
+ "children": [
962
+ {
963
+ "id": "idor",
964
+ "name": "Insecure Direct Object References (IDOR)",
965
+ "type": "subcategory",
966
+ "priority": null
967
+ },
968
+ {
969
+ "id": "server_side_request_forgery_ssrf",
970
+ "name": "Server-Side Request Forgery (SSRF)",
971
+ "type": "subcategory",
972
+ "children": [
973
+ {
974
+ "id": "internal",
975
+ "name": "Internal",
976
+ "type": "variant",
977
+ "priority": 2
978
+ },
979
+ {
980
+ "id": "external",
981
+ "name": "External",
982
+ "type": "variant",
983
+ "priority": 4
984
+ }
985
+ ]
986
+ },
987
+ {
988
+ "id": "username_enumeration",
989
+ "name": "Username Enumeration",
990
+ "type": "subcategory",
991
+ "children": [
992
+ {
993
+ "id": "data_leak",
994
+ "name": "Data Leak",
995
+ "type": "variant",
996
+ "priority": 4
997
+ }
998
+ ]
999
+ },
1000
+ {
1001
+ "id": "exposed_sensitive_android_intent",
1002
+ "name": "Exposed Sensitive Android Intent",
1003
+ "type": "subcategory",
1004
+ "priority": null
1005
+ },
1006
+ {
1007
+ "id": "exposed_sensitive_ios_url_scheme",
1008
+ "name": "Exposed Sensitive iOS URL Scheme",
1009
+ "type": "subcategory",
1010
+ "priority": null
1011
+ }
1012
+ ]
1013
+ },
1014
+ {
1015
+ "id": "cross_site_request_forgery_csrf",
1016
+ "name": "Cross-Site Request Forgery (CSRF)",
1017
+ "type": "category",
1018
+ "children": [
1019
+ {
1020
+ "id": "application_wide",
1021
+ "name": "Application-Wide",
1022
+ "type": "subcategory",
1023
+ "priority": 2
1024
+ },
1025
+ {
1026
+ "id": "action_specific",
1027
+ "name": "Action-Specific",
1028
+ "type": "subcategory",
1029
+ "children": [
1030
+ {
1031
+ "id": "authenticated_action",
1032
+ "name": "Authenticated Action",
1033
+ "type": "variant",
1034
+ "priority": null
1035
+ },
1036
+ {
1037
+ "id": "unauthenticated_action",
1038
+ "name": "Unauthenticated Action",
1039
+ "type": "variant",
1040
+ "priority": null
1041
+ },
1042
+ {
1043
+ "id": "logout",
1044
+ "name": "Logout",
1045
+ "type": "variant",
1046
+ "priority": 5
1047
+ }
1048
+ ]
1049
+ }
1050
+ ]
1051
+ },
1052
+ {
1053
+ "id": "application_level_denial_of_service_dos",
1054
+ "name": "Application-Level Denial-of-Service (DoS)",
1055
+ "type": "category",
1056
+ "children": [
1057
+ {
1058
+ "id": "critical_impact_and_or_easy_difficulty",
1059
+ "name": "Critical Impact and/or Easy Difficulty",
1060
+ "type": "subcategory",
1061
+ "priority": 2
1062
+ },
1063
+ {
1064
+ "id": "high_impact_and_or_medium_difficulty",
1065
+ "name": "High Impact and/or Medium Difficulty",
1066
+ "type": "subcategory",
1067
+ "priority": 3
1068
+ },
1069
+ {
1070
+ "id": "app_crash",
1071
+ "name": "App Crash",
1072
+ "type": "subcategory",
1073
+ "children": [
1074
+ {
1075
+ "id": "malformed_android_intents",
1076
+ "name": "Malformed Android Intents",
1077
+ "type": "variant",
1078
+ "priority": 5
1079
+ },
1080
+ {
1081
+ "id": "malformed_ios_url_schemes",
1082
+ "name": "Malformed iOS URL Schemes",
1083
+ "type": "variant",
1084
+ "priority": 5
1085
+ }
1086
+ ]
1087
+ }
1088
+ ]
1089
+ },
1090
+ {
1091
+ "id": "unvalidated_redirects_and_forwards",
1092
+ "name": "Unvalidated Redirects and Forwards",
1093
+ "type": "category",
1094
+ "children": [
1095
+ {
1096
+ "id": "open_redirect",
1097
+ "name": "Open Redirect",
1098
+ "type": "subcategory",
1099
+ "children": [
1100
+ {
1101
+ "id": "get_based",
1102
+ "name": "GET-Based",
1103
+ "type": "variant",
1104
+ "priority": 4
1105
+ },
1106
+ {
1107
+ "id": "post_based",
1108
+ "name": "POST-Based",
1109
+ "type": "variant",
1110
+ "priority": 5
1111
+ },
1112
+ {
1113
+ "id": "header_based",
1114
+ "name": "Header-Based",
1115
+ "type": "variant",
1116
+ "priority": 5
1117
+ }
1118
+ ]
1119
+ },
1120
+ {
1121
+ "id": "tabnabbing",
1122
+ "name": "Tabnabbing",
1123
+ "type": "subcategory",
1124
+ "priority": 5
1125
+ },
1126
+ {
1127
+ "id": "lack_of_security_speed_bump_page",
1128
+ "name": "Lack of Security Speed Bump Page",
1129
+ "type": "subcategory",
1130
+ "priority": 5
1131
+ }
1132
+ ]
1133
+ },
1134
+ {
1135
+ "id": "external_behavior",
1136
+ "name": "External Behavior",
1137
+ "type": "category",
1138
+ "children": [
1139
+ {
1140
+ "id": "browser_feature",
1141
+ "name": "Browser Feature",
1142
+ "type": "subcategory",
1143
+ "children": [
1144
+ {
1145
+ "id": "plaintext_password_field",
1146
+ "name": "Plaintext Password Field",
1147
+ "type": "variant",
1148
+ "priority": 5
1149
+ },
1150
+ {
1151
+ "id": "save_password",
1152
+ "name": "Save Password",
1153
+ "type": "variant",
1154
+ "priority": 5
1155
+ },
1156
+ {
1157
+ "id": "autocomplete_enabled",
1158
+ "name": "Autocomplete Enabled",
1159
+ "type": "variant",
1160
+ "priority": 5
1161
+ },
1162
+ {
1163
+ "id": "autocorrect_enabled",
1164
+ "name": "Autocorrect Enabled",
1165
+ "type": "variant",
1166
+ "priority": 5
1167
+ },
1168
+ {
1169
+ "id": "aggressive_offline_caching",
1170
+ "name": "Aggressive Offline Caching",
1171
+ "type": "variant",
1172
+ "priority": 5
1173
+ }
1174
+ ]
1175
+ },
1176
+ {
1177
+ "id": "csv_injection",
1178
+ "name": "CSV Injection",
1179
+ "type": "subcategory",
1180
+ "priority": 5
1181
+ },
1182
+ {
1183
+ "id": "captcha_bypass",
1184
+ "name": "Captcha Bypass",
1185
+ "type": "subcategory",
1186
+ "children": [
1187
+ {
1188
+ "id": "crowdsourcing",
1189
+ "name": "Crowdsourcing",
1190
+ "type": "variant",
1191
+ "priority": 5
1192
+ }
1193
+ ]
1194
+ },
1195
+ {
1196
+ "id": "system_clipboard_leak",
1197
+ "name": "System Clipboard Leak",
1198
+ "type": "subcategory",
1199
+ "children": [
1200
+ {
1201
+ "id": "shared_links",
1202
+ "name": "Shared Links",
1203
+ "type": "variant",
1204
+ "priority": 5
1205
+ }
1206
+ ]
1207
+ },
1208
+ {
1209
+ "id": "user_password_persisted_in_memory",
1210
+ "name": "User Password Persisted in Memory",
1211
+ "type": "subcategory",
1212
+ "priority": 5
1213
+ }
1214
+ ]
1215
+ },
1216
+ {
1217
+ "id": "insufficient_security_configurability",
1218
+ "name": "Insufficient Security Configurability",
1219
+ "type": "category",
1220
+ "children": [
1221
+ {
1222
+ "id": "weak_password_policy",
1223
+ "name": "Weak Password Policy",
1224
+ "type": "subcategory",
1225
+ "priority": 5
1226
+ },
1227
+ {
1228
+ "id": "no_password_policy",
1229
+ "name": "No Password Policy",
1230
+ "type": "subcategory",
1231
+ "priority": 4
1232
+ },
1233
+ {
1234
+ "id": "weak_password_reset_implementation",
1235
+ "name": "Weak Password Reset Implementation",
1236
+ "type": "subcategory",
1237
+ "children": [
1238
+ {
1239
+ "id": "token_is_not_invalidated_after_use",
1240
+ "name": "Token is Not Invalidated After Use",
1241
+ "type": "variant",
1242
+ "priority": 4
1243
+ },
1244
+ {
1245
+ "id": "token_is_not_invalidated_after_email_change",
1246
+ "name": "Token is Not Invalidated After Email Change",
1247
+ "type": "variant",
1248
+ "priority": 5
1249
+ },
1250
+ {
1251
+ "id": "token_is_not_invalidated_after_password_change",
1252
+ "name": "Token is Not Invalidated After Password Change",
1253
+ "type": "variant",
1254
+ "priority": 5
1255
+ },
1256
+ {
1257
+ "id": "token_has_long_timed_expiry",
1258
+ "name": "Token Has Long Timed Expiry",
1259
+ "type": "variant",
1260
+ "priority": 5
1261
+ },
1262
+ {
1263
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1264
+ "name": "Token is Not Invalidated After New Token is Requested",
1265
+ "type": "variant",
1266
+ "priority": 5
1267
+ }
1268
+ ]
1269
+ },
1270
+ {
1271
+ "id": "lack_of_verification_email",
1272
+ "name": "Lack of Verification Email",
1273
+ "type": "subcategory",
1274
+ "priority": 5
1275
+ },
1276
+ {
1277
+ "id": "lack_of_notification_email",
1278
+ "name": "Lack of Notification Email",
1279
+ "type": "subcategory",
1280
+ "priority": 5
1281
+ },
1282
+ {
1283
+ "id": "weak_registration_implementation",
1284
+ "name": "Weak Registration Implementation",
1285
+ "type": "subcategory",
1286
+ "children": [
1287
+ {
1288
+ "id": "allows_disposable_email_addresses",
1289
+ "name": "Allows Disposable Email Addresses",
1290
+ "type": "variant",
1291
+ "priority": 5
1292
+ }
1293
+ ]
1294
+ },
1295
+ {
1296
+ "id": "weak_2fa_implementation",
1297
+ "name": "Weak 2FA Implementation",
1298
+ "type": "subcategory",
1299
+ "children": [
1300
+ {
1301
+ "id": "missing_failsafe",
1302
+ "name": "Missing Failsafe",
1303
+ "type": "variant",
1304
+ "priority": 5
1305
+ }
1306
+ ]
1307
+ }
1308
+ ]
1309
+ },
1310
+ {
1311
+ "id": "using_components_with_known_vulnerabilities",
1312
+ "name": "Using Components with Known Vulnerabilities",
1313
+ "type": "category",
1314
+ "children": [
1315
+ {
1316
+ "id": "rosetta_flash",
1317
+ "name": "Rosetta Flash",
1318
+ "type": "subcategory",
1319
+ "priority": 4
1320
+ },
1321
+ {
1322
+ "id": "outdated_software_version",
1323
+ "name": "Outdated Software Version",
1324
+ "type": "subcategory",
1325
+ "priority": 5
1326
+ },
1327
+ {
1328
+ "id": "captcha_bypass",
1329
+ "name": "Captcha Bypass",
1330
+ "type": "subcategory",
1331
+ "children": [
1332
+ {
1333
+ "id": "ocr_optical_character_recognition",
1334
+ "name": "OCR (Optical Character Recognition)",
1335
+ "type": "variant",
1336
+ "priority": 5
1337
+ }
1338
+ ]
1339
+ }
1340
+ ]
1341
+ },
1342
+ {
1343
+ "id": "insecure_data_storage",
1344
+ "name": "Insecure Data Storage",
1345
+ "type": "category",
1346
+ "children": [
1347
+ {
1348
+ "id": "sensitive_application_data_stored_unencrypted",
1349
+ "name": "Sensitive Application Data Stored Unencrypted",
1350
+ "type": "subcategory",
1351
+ "children": [
1352
+ {
1353
+ "id": "on_external_storage",
1354
+ "name": "On External Storage",
1355
+ "type": "variant",
1356
+ "priority": 4
1357
+ },
1358
+ {
1359
+ "id": "on_internal_storage",
1360
+ "name": "On Internal Storage",
1361
+ "type": "variant",
1362
+ "priority": 5
1363
+ }
1364
+ ]
1365
+ },
1366
+ {
1367
+ "id": "server_side_credentials_storage",
1368
+ "name": "Server-Side Credentials Storage",
1369
+ "type": "subcategory",
1370
+ "children": [
1371
+ {
1372
+ "id": "plaintext",
1373
+ "name": "Plaintext",
1374
+ "type": "variant",
1375
+ "priority": 4
1376
+ }
1377
+ ]
1378
+ },
1379
+ {
1380
+ "id": "non_sensitive_application_data_stored_unencrypted",
1381
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1382
+ "type": "subcategory",
1383
+ "priority": 5
1384
+ },
1385
+ {
1386
+ "id": "screen_caching_enabled",
1387
+ "name": "Screen Caching Enabled",
1388
+ "type": "subcategory",
1389
+ "priority": 5
1390
+ }
1391
+ ]
1392
+ },
1393
+ {
1394
+ "id": "lack_of_binary_hardening",
1395
+ "name": "Lack of Binary Hardening",
1396
+ "type": "category",
1397
+ "children": [
1398
+ {
1399
+ "id": "lack_of_exploit_mitigations",
1400
+ "name": "Lack of Exploit Mitigations",
1401
+ "type": "subcategory",
1402
+ "priority": 5
1403
+ },
1404
+ {
1405
+ "id": "lack_of_jailbreak_detection",
1406
+ "name": "Lack of Jailbreak Detection",
1407
+ "type": "subcategory",
1408
+ "priority": 5
1409
+ },
1410
+ {
1411
+ "id": "lack_of_obfuscation",
1412
+ "name": "Lack of Obfuscation",
1413
+ "type": "subcategory",
1414
+ "priority": 5
1415
+ },
1416
+ {
1417
+ "id": "runtime_instrumentation_based",
1418
+ "name": "Runtime Instrumentation-Based",
1419
+ "type": "subcategory",
1420
+ "priority": 5
1421
+ }
1422
+ ]
1423
+ },
1424
+ {
1425
+ "id": "insecure_data_transport",
1426
+ "name": "Insecure Data Transport",
1427
+ "type": "category",
1428
+ "children": [
1429
+ {
1430
+ "id": "cleartext_transmission_of_sensitive_data",
1431
+ "name": "Cleartext Transmission of Sensitive Data",
1432
+ "type": "subcategory",
1433
+ "priority": null
1434
+ },
1435
+ {
1436
+ "id": "executable_download",
1437
+ "name": "Executable Download",
1438
+ "type": "subcategory",
1439
+ "children": [
1440
+ {
1441
+ "id": "no_secure_integrity_check",
1442
+ "name": "No Secure Integrity Check",
1443
+ "type": "variant",
1444
+ "priority": 4
1445
+ },
1446
+ {
1447
+ "id": "secure_integrity_check",
1448
+ "name": "Secure Integrity Check",
1449
+ "type": "variant",
1450
+ "priority": 5
1451
+ }
1452
+ ]
1453
+ }
1454
+ ]
1455
+ },
1456
+ {
1457
+ "id": "insecure_os_firmware",
1458
+ "name": "Insecure OS/Firmware",
1459
+ "type": "category",
1460
+ "children": [
1461
+ {
1462
+ "id": "command_injection",
1463
+ "name": "Command Injection",
1464
+ "type": "subcategory",
1465
+ "priority": 1
1466
+ },
1467
+ {
1468
+ "id": "hardcoded_password",
1469
+ "name": "Hardcoded Password",
1470
+ "type": "subcategory",
1471
+ "children": [
1472
+ {
1473
+ "id": "privileged_user",
1474
+ "name": "Privileged User",
1475
+ "type": "variant",
1476
+ "priority": 1
1477
+ },
1478
+ {
1479
+ "id": "non_privileged_user",
1480
+ "name": "Non-Privileged User",
1481
+ "type": "variant",
1482
+ "priority": 2
1483
+ }
1484
+ ]
1485
+ }
1486
+ ]
1487
+ },
1488
+ {
1489
+ "id": "broken_cryptography",
1490
+ "name": "Broken Cryptography",
1491
+ "type": "category",
1492
+ "children": [
1493
+ {
1494
+ "id": "cryptographic_flaw",
1495
+ "name": "Cryptographic Flaw",
1496
+ "type": "subcategory",
1497
+ "children": [
1498
+ {
1499
+ "id": "incorrect_usage",
1500
+ "name": "Incorrect Usage",
1501
+ "type": "variant",
1502
+ "priority": 1
1503
+ }
1504
+ ]
1505
+ }
1506
+ ]
1507
+ },
1508
+ {
1509
+ "id": "privacy_concerns",
1510
+ "name": "Privacy Concerns",
1511
+ "type": "category",
1512
+ "children": [
1513
+ {
1514
+ "id": "unnecessary_data_collection",
1515
+ "name": "Unnecessary Data Collection",
1516
+ "type": "subcategory",
1517
+ "children": [
1518
+ {
1519
+ "id": "wifi_ssid_password",
1520
+ "name": "WiFi SSID+Password",
1521
+ "type": "variant",
1522
+ "priority": 4
1523
+ }
1524
+ ]
1525
+ }
1526
+ ]
1527
+ },
1528
+ {
1529
+ "id": "network_security_misconfiguration",
1530
+ "name": "Network Security Misconfiguration",
1531
+ "type": "category",
1532
+ "children": [
1533
+ {
1534
+ "id": "telnet_enabled",
1535
+ "name": "Telnet Enabled",
1536
+ "type": "subcategory",
1537
+ "children": [
1538
+ {
1539
+ "id": "credentials_required",
1540
+ "name": "Credentials Required",
1541
+ "type": "variant",
1542
+ "priority": 4
1543
+ }
1544
+ ]
1545
+ }
1546
+ ]
1547
+ },
1548
+ {
1549
+ "id": "mobile_security_misconfiguration",
1550
+ "name": "Mobile Security Misconfiguration",
1551
+ "type": "category",
1552
+ "children": [
1553
+ {
1554
+ "id": "ssl_certificate_pinning",
1555
+ "name": "SSL Certificate Pinning",
1556
+ "type": "subcategory",
1557
+ "children": [
1558
+ {
1559
+ "id": "absent",
1560
+ "name": "Absent",
1561
+ "type": "variant",
1562
+ "priority": 5
1563
+ },
1564
+ {
1565
+ "id": "defeatable",
1566
+ "name": "Defeatable",
1567
+ "type": "variant",
1568
+ "priority": 5
1569
+ }
1570
+ ]
1571
+ },
1572
+ {
1573
+ "id": "tapjacking",
1574
+ "name": "Tapjacking",
1575
+ "type": "subcategory",
1576
+ "priority": 5
1577
+ }
1578
+ ]
1579
+ },
1580
+ {
1581
+ "id": "client_side_injection",
1582
+ "name": "Client-Side Injection",
1583
+ "type": "category",
1584
+ "children": [
1585
+ {
1586
+ "id": "binary_planting",
1587
+ "name": "Binary Planting",
1588
+ "type": "subcategory",
1589
+ "children": [
1590
+ {
1591
+ "id": "privilege_escalation",
1592
+ "name": "Privilege Escalation",
1593
+ "type": "variant",
1594
+ "priority": 4
1595
+ },
1596
+ {
1597
+ "id": "no_privilege_escalation",
1598
+ "name": "No Privilege Escalation",
1599
+ "type": "variant",
1600
+ "priority": 5
1601
+ }
1602
+ ]
1603
+ }
1604
+ ]
1605
+ }
1606
+ ]
1607
+ }