vrt 0.3.2 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.3.1/deprecated-node-mapping.json +77 -0
  3. data/lib/data/1.3.1/mappings/cvss_v3.json +722 -0
  4. data/lib/data/1.3.1/mappings/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.3.1/vrt.schema.json +63 -0
  6. data/lib/data/1.3.1/vulnerability-rating-taxonomy.json +1607 -0
  7. data/lib/vrt/version.rb +1 -1
  8. metadata +7 -2
data/lib/data/1.3.1/vulnerability-rating-taxonomy.json ADDED
@@ -0,0 +1,1607 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2017-09-22T00:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "children": [
59
+ {
60
+ "id": "production_server",
61
+ "name": "Production Server",
62
+ "type": "variant",
63
+ "priority": 1
64
+ },
65
+ {
66
+ "id": "staging_development_server",
67
+ "name": "Staging/Development Server",
68
+ "type": "variant",
69
+ "priority": 2
70
+ }
71
+ ]
72
+ },
73
+ {
74
+ "id": "misconfigured_dns",
75
+ "name": "Misconfigured DNS",
76
+ "type": "subcategory",
77
+ "children": [
78
+ {
79
+ "id": "subdomain_takeover",
80
+ "name": "Subdomain Takeover",
81
+ "type": "variant",
82
+ "priority": 2
83
+ },
84
+ {
85
+ "id": "zone_transfer",
86
+ "name": "Zone Transfer",
87
+ "type": "variant",
88
+ "priority": 4
89
+ },
90
+ {
91
+ "id": "missing_caa_record",
92
+ "name": "Missing Certification Authority Authorization (CAA) Record",
93
+ "type": "variant",
94
+ "priority": 5
95
+ }
96
+ ]
97
+ },
98
+ {
99
+ "id": "mail_server_misconfiguration",
100
+ "name": "Mail Server Misconfiguration",
101
+ "type": "subcategory",
102
+ "children": [
103
+ {
104
+ "id": "missing_spf_on_email_domain",
105
+ "name": "Missing SPF on Email Domain",
106
+ "type": "variant",
107
+ "priority": 3
108
+ },
109
+ {
110
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
111
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
112
+ "type": "variant",
113
+ "priority": 3
114
+ },
115
+ {
116
+ "id": "missing_spf_on_non_email_domain",
117
+ "name": "Missing SPF on Non-Email Domain",
118
+ "type": "variant",
119
+ "priority": 5
120
+ },
121
+ {
122
+ "id": "spf_uses_a_soft_fail",
123
+ "name": "SPF Uses a Soft Fail",
124
+ "type": "variant",
125
+ "priority": 5
126
+ },
127
+ {
128
+ "id": "spf_includes_10_lookups",
129
+ "name": "SPF Includes More Than 10 Lookups",
130
+ "type": "variant",
131
+ "priority": 5
132
+ },
133
+ {
134
+ "id": "missing_dmarc",
135
+ "name": "Missing DKIM/DMARC",
136
+ "type": "variant",
137
+ "priority": 5
138
+ }
139
+ ]
140
+ },
141
+ {
142
+ "id": "lack_of_password_confirmation",
143
+ "name": "Lack of Password Confirmation",
144
+ "type": "subcategory",
145
+ "children": [
146
+ {
147
+ "id": "change_email_address",
148
+ "name": "Change Email Address",
149
+ "type": "variant",
150
+ "priority": 4
151
+ },
152
+ {
153
+ "id": "change_password",
154
+ "name": "Change Password",
155
+ "type": "variant",
156
+ "priority": 4
157
+ },
158
+ {
159
+ "id": "delete_account",
160
+ "name": "Delete Account",
161
+ "type": "variant",
162
+ "priority": 4
163
+ },
164
+ {
165
+ "id": "manage_two_fa",
166
+ "name": "Manage 2FA",
167
+ "type": "variant",
168
+ "priority": 5
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "no_rate_limiting_on_form",
174
+ "name": "No Rate Limiting on Form",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "registration",
179
+ "name": "Registration",
180
+ "type": "variant",
181
+ "priority": 4
182
+ },
183
+ {
184
+ "id": "login",
185
+ "name": "Login",
186
+ "type": "variant",
187
+ "priority": 3
188
+ },
189
+ {
190
+ "id": "email_triggering",
191
+ "name": "Email-Triggering",
192
+ "type": "variant",
193
+ "priority": 4
194
+ }
195
+ ]
196
+ },
197
+ {
198
+ "id": "unsafe_file_upload",
199
+ "name": "Unsafe File Upload",
200
+ "type": "subcategory",
201
+ "children": [
202
+ {
203
+ "id": "no_antivirus",
204
+ "name": "No Antivirus",
205
+ "type": "variant",
206
+ "priority": 4
207
+ },
208
+ {
209
+ "id": "no_size_limit",
210
+ "name": "No Size Limit",
211
+ "type": "variant",
212
+ "priority": 4
213
+ },
214
+ {
215
+ "id": "file_extension_filter_bypass",
216
+ "name": "File Extension Filter Bypass",
217
+ "type": "variant",
218
+ "priority": 5
219
+ }
220
+ ]
221
+ },
222
+ {
223
+ "id": "cookie_scoped_to_parent_domain",
224
+ "name": "Cookie Scoped to Parent Domain",
225
+ "type": "subcategory",
226
+ "priority": 5
227
+ },
228
+ {
229
+ "id": "missing_secure_or_httponly_cookie_flag",
230
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
231
+ "type": "subcategory",
232
+ "children": [
233
+ {
234
+ "id": "session_token",
235
+ "name": "Session Token",
236
+ "type": "variant",
237
+ "priority": 4
238
+ },
239
+ {
240
+ "id": "non_session_cookie",
241
+ "name": "Non-Session Cookie",
242
+ "type": "variant",
243
+ "priority": 5
244
+ }
245
+ ]
246
+ },
247
+ {
248
+ "id": "clickjacking",
249
+ "name": "Clickjacking",
250
+ "type": "subcategory",
251
+ "children": [
252
+ {
253
+ "id": "sensitive_action",
254
+ "name": "Sensitive Action",
255
+ "type": "variant",
256
+ "priority": 4
257
+ },
258
+ {
259
+ "id": "non_sensitive_action",
260
+ "name": "Non-Sensitive Action",
261
+ "type": "variant",
262
+ "priority": 5
263
+ }
264
+ ]
265
+ },
266
+ {
267
+ "id": "oauth_misconfiguration",
268
+ "name": "OAuth Misconfiguration",
269
+ "type": "subcategory",
270
+ "children": [
271
+ {
272
+ "id": "missing_state_parameter",
273
+ "name": "Missing State Parameter",
274
+ "type": "variant",
275
+ "priority": 4
276
+ }
277
+ ]
278
+ },
279
+ {
280
+ "id": "captcha_bypass",
281
+ "name": "Captcha Bypass",
282
+ "type": "subcategory",
283
+ "children": [
284
+ {
285
+ "id": "implementation_vulnerability",
286
+ "name": "Implementation Vulnerability",
287
+ "type": "variant",
288
+ "priority": 4
289
+ },
290
+ {
291
+ "id": "brute_force",
292
+ "name": "Brute Force",
293
+ "type": "variant",
294
+ "priority": 5
295
+ }
296
+ ]
297
+ },
298
+ {
299
+ "id": "exposed_admin_portal",
300
+ "name": "Exposed Admin Portal",
301
+ "type": "subcategory",
302
+ "children": [
303
+ {
304
+ "id": "to_internet",
305
+ "name": "To Internet",
306
+ "type": "variant",
307
+ "priority": 5
308
+ }
309
+ ]
310
+ },
311
+ {
312
+ "id": "missing_dnssec",
313
+ "name": "Missing DNSSEC",
314
+ "type": "subcategory",
315
+ "priority": 5
316
+ },
317
+ {
318
+ "id": "fingerprinting_banner_disclosure",
319
+ "name": "Fingerprinting/Banner Disclosure",
320
+ "type": "subcategory",
321
+ "priority": 5
322
+ },
323
+ {
324
+ "id": "username_enumeration",
325
+ "name": "Username Enumeration",
326
+ "type": "subcategory",
327
+ "children": [
328
+ {
329
+ "id": "brute_force",
330
+ "name": "Brute Force",
331
+ "type": "variant",
332
+ "priority": 5
333
+ }
334
+ ]
335
+ },
336
+ {
337
+ "id": "potentially_unsafe_http_method_enabled",
338
+ "name": "Potentially Unsafe HTTP Method Enabled",
339
+ "type": "subcategory",
340
+ "children": [
341
+ {
342
+ "id": "options",
343
+ "name": "OPTIONS",
344
+ "type": "variant",
345
+ "priority": 5
346
+ },
347
+ {
348
+ "id": "trace",
349
+ "name": "TRACE",
350
+ "type": "variant",
351
+ "priority": 5
352
+ }
353
+ ]
354
+ },
355
+ {
356
+ "id": "insecure_ssl",
357
+ "name": "Insecure SSL",
358
+ "type": "subcategory",
359
+ "children": [
360
+ {
361
+ "id": "lack_of_forward_secrecy",
362
+ "name": "Lack of Forward Secrecy",
363
+ "type": "variant",
364
+ "priority": 5
365
+ },
366
+ {
367
+ "id": "insecure_cipher_suite",
368
+ "name": "Insecure Cipher Suite",
369
+ "type": "variant",
370
+ "priority": 5
371
+ }
372
+ ]
373
+ },
374
+ {
375
+ "id": "rfd",
376
+ "name": "Reflected File Download (RFD)",
377
+ "type": "subcategory",
378
+ "priority": 5
379
+ },
380
+ {
381
+ "id": "lack_of_security_headers",
382
+ "name": "Lack of Security Headers",
383
+ "type": "subcategory",
384
+ "children": [
385
+ {
386
+ "id": "x_frame_options",
387
+ "name": "X-Frame-Options",
388
+ "type": "variant",
389
+ "priority": 5
390
+ },
391
+ {
392
+ "id": "cache_control_for_a_non_sensitive_page",
393
+ "name": "Cache-Control for a Non-Sensitive Page",
394
+ "type": "variant",
395
+ "priority": 5
396
+ },
397
+ {
398
+ "id": "x_xss_protection",
399
+ "name": "X-XSS-Protection",
400
+ "type": "variant",
401
+ "priority": 5
402
+ },
403
+ {
404
+ "id": "strict_transport_security",
405
+ "name": "Strict-Transport-Security",
406
+ "type": "variant",
407
+ "priority": 5
408
+ },
409
+ {
410
+ "id": "x_content_type_options",
411
+ "name": "X-Content-Type-Options",
412
+ "type": "variant",
413
+ "priority": 5
414
+ },
415
+ {
416
+ "id": "content_security_policy",
417
+ "name": "Content-Security-Policy",
418
+ "type": "variant",
419
+ "priority": 5
420
+ },
421
+ {
422
+ "id": "public_key_pins",
423
+ "name": "Public-Key-Pins",
424
+ "type": "variant",
425
+ "priority": 5
426
+ },
427
+ {
428
+ "id": "x_content_security_policy",
429
+ "name": "X-Content-Security-Policy",
430
+ "type": "variant",
431
+ "priority": 5
432
+ },
433
+ {
434
+ "id": "x_webkit_csp",
435
+ "name": "X-Webkit-CSP",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "content_security_policy_report_only",
441
+ "name": "Content-Security-Policy-Report-Only",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "cache_control_for_a_sensitive_page",
447
+ "name": "Cache-Control for a Sensitive Page",
448
+ "type": "variant",
449
+ "priority": 4
450
+ }
451
+ ]
452
+ },
453
+ {
454
+ "id": "bitsquatting",
455
+ "name": "Bitsquatting",
456
+ "type": "subcategory",
457
+ "priority": 5
458
+ }
459
+ ]
460
+ },
461
+ {
462
+ "id": "server_side_injection",
463
+ "name": "Server-Side Injection",
464
+ "type": "category",
465
+ "children": [
466
+ {
467
+ "id": "file_inclusion",
468
+ "name": "File Inclusion",
469
+ "type": "subcategory",
470
+ "children": [
471
+ {
472
+ "id": "local",
473
+ "name": "Local",
474
+ "type": "variant",
475
+ "priority": 1
476
+ }
477
+ ]
478
+ },
479
+ {
480
+ "id": "parameter_pollution",
481
+ "name": "Parameter Pollution",
482
+ "type": "subcategory",
483
+ "children": [
484
+ {
485
+ "id": "social_media_sharing_buttons",
486
+ "name": "Social Media Sharing Buttons",
487
+ "type": "variant",
488
+ "priority": 5
489
+ }
490
+ ]
491
+ },
492
+ {
493
+ "id": "remote_code_execution_rce",
494
+ "name": "Remote Code Execution (RCE)",
495
+ "type": "subcategory",
496
+ "priority": 1
497
+ },
498
+ {
499
+ "id": "sql_injection",
500
+ "name": "SQL Injection",
501
+ "type": "subcategory",
502
+ "children": [
503
+ {
504
+ "id": "error_based",
505
+ "name": "Error-Based",
506
+ "type": "variant",
507
+ "priority": 1
508
+ },
509
+ {
510
+ "id": "blind",
511
+ "name": "Blind",
512
+ "type": "variant",
513
+ "priority": 1
514
+ }
515
+ ]
516
+ },
517
+ {
518
+ "id": "xml_external_entity_injection_xxe",
519
+ "name": "XML External Entity Injection (XXE)",
520
+ "type": "subcategory",
521
+ "priority": 1
522
+ },
523
+ {
524
+ "id": "http_response_manipulation",
525
+ "name": "HTTP Response Manipulation",
526
+ "type": "subcategory",
527
+ "children": [
528
+ {
529
+ "id": "response_splitting_crlf",
530
+ "name": "Response Splitting (CRLF)",
531
+ "type": "variant",
532
+ "priority": 3
533
+ }
534
+ ]
535
+ },
536
+ {
537
+ "id": "content_spoofing",
538
+ "name": "Content Spoofing",
539
+ "type": "subcategory",
540
+ "children": [
541
+ {
542
+ "id": "iframe_injection",
543
+ "name": "iframe Injection",
544
+ "type": "variant",
545
+ "priority": 3
546
+ },
547
+ {
548
+ "id": "external_authentication_injection",
549
+ "name": "External Authentication Injection",
550
+ "type": "variant",
551
+ "priority": 4
552
+ },
553
+ {
554
+ "id": "email_html_injection",
555
+ "name": "Email HTML Injection",
556
+ "type": "variant",
557
+ "priority": 4
558
+ },
559
+ {
560
+ "id": "text_injection",
561
+ "name": "Text Injection",
562
+ "type": "variant",
563
+ "priority": 5
564
+ },
565
+ {
566
+ "id": "homograph_idn_based",
567
+ "name": "Homograph/IDN-Based",
568
+ "type": "variant",
569
+ "priority": 5
570
+ }
571
+ ]
572
+ }
573
+ ]
574
+ },
575
+ {
576
+ "id": "broken_authentication_and_session_management",
577
+ "name": "Broken Authentication and Session Management",
578
+ "type": "category",
579
+ "children": [
580
+ {
581
+ "id": "authentication_bypass",
582
+ "name": "Authentication Bypass",
583
+ "type": "subcategory",
584
+ "priority": 1
585
+ },
586
+ {
587
+ "id": "privilege_escalation",
588
+ "name": "Privilege Escalation",
589
+ "type": "subcategory",
590
+ "priority": null
591
+ },
592
+ {
593
+ "id": "weak_login_function",
594
+ "name": "Weak Login Function",
595
+ "type": "subcategory",
596
+ "children": [
597
+ {
598
+ "id": "over_http",
599
+ "name": "Over HTTP",
600
+ "type": "variant",
601
+ "priority": 3
602
+ }
603
+ ]
604
+ },
605
+ {
606
+ "id": "session_fixation",
607
+ "name": "Session Fixation",
608
+ "type": "subcategory",
609
+ "priority": 3
610
+ },
611
+ {
612
+ "id": "failure_to_invalidate_session",
613
+ "name": "Failure to Invalidate Session",
614
+ "type": "subcategory",
615
+ "children": [
616
+ {
617
+ "id": "on_logout",
618
+ "name": "On Logout",
619
+ "type": "variant",
620
+ "priority": 4
621
+ },
622
+ {
623
+ "id": "on_password_reset",
624
+ "name": "On Password Reset",
625
+ "type": "variant",
626
+ "priority": 4
627
+ },
628
+ {
629
+ "id": "on_password_change",
630
+ "name": "On Password Change",
631
+ "type": "variant",
632
+ "priority": 4
633
+ },
634
+ {
635
+ "id": "all_sessions",
636
+ "name": "All Sessions",
637
+ "type": "variant",
638
+ "priority": 5
639
+ },
640
+ {
641
+ "id": "on_email_change",
642
+ "name": "On Email Change",
643
+ "type": "variant",
644
+ "priority": 5
645
+ },
646
+ {
647
+ "id": "long_timeout",
648
+ "name": "Long Timeout",
649
+ "type": "variant",
650
+ "priority": 5
651
+ }
652
+ ]
653
+ },
654
+ {
655
+ "id": "concurrent_logins",
656
+ "name": "Concurrent Logins",
657
+ "type": "subcategory",
658
+ "priority": 5
659
+ },
660
+ {
661
+ "id": "weak_registration_implementation",
662
+ "name": "Weak Registration Implementation",
663
+ "type": "subcategory",
664
+ "children": [
665
+ {
666
+ "id": "over_http",
667
+ "name": "Over HTTP",
668
+ "type": "variant",
669
+ "priority": 4
670
+ }
671
+ ]
672
+ }
673
+ ]
674
+ },
675
+ {
676
+ "id": "sensitive_data_exposure",
677
+ "name": "Sensitive Data Exposure",
678
+ "type": "category",
679
+ "children": [
680
+ {
681
+ "id": "critically_sensitive_data",
682
+ "name": "Critically Sensitive Data",
683
+ "type": "subcategory",
684
+ "children": [
685
+ {
686
+ "id": "password_disclosure",
687
+ "name": "Password Disclosure",
688
+ "type": "variant",
689
+ "priority": 1
690
+ },
691
+ {
692
+ "id": "private_api_keys",
693
+ "name": "Private API Keys",
694
+ "type": "variant",
695
+ "priority": 1
696
+ }
697
+ ]
698
+ },
699
+ {
700
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
701
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
702
+ "type": "subcategory",
703
+ "children": [
704
+ {
705
+ "id": "automatic_user_enumeration",
706
+ "name": "Automatic User Enumeration",
707
+ "type": "variant",
708
+ "priority": 3
709
+ },
710
+ {
711
+ "id": "manual_user_enumeration",
712
+ "name": "Manual User Enumeration",
713
+ "type": "variant",
714
+ "priority": 4
715
+ }
716
+ ]
717
+ },
718
+ {
719
+ "id": "visible_detailed_error_page",
720
+ "name": "Visible Detailed Error/Debug Page",
721
+ "type": "subcategory",
722
+ "children": [
723
+ {
724
+ "id": "detailed_server_configuration",
725
+ "name": "Detailed Server Configuration",
726
+ "type": "variant",
727
+ "priority": 4
728
+ },
729
+ {
730
+ "id": "full_path_disclosure",
731
+ "name": "Full Path Disclosure",
732
+ "type": "variant",
733
+ "priority": 5
734
+ },
735
+ {
736
+ "id": "descriptive_stack_trace",
737
+ "name": "Descriptive Stack Trace",
738
+ "type": "variant",
739
+ "priority": 5
740
+ }
741
+ ]
742
+ },
743
+ {
744
+ "id": "disclosure_of_known_public_information",
745
+ "name": "Disclosure of Known Public Information",
746
+ "type": "subcategory",
747
+ "priority": 5
748
+ },
749
+ {
750
+ "id": "token_leakage_via_referer",
751
+ "name": "Token Leakage via Referer",
752
+ "type": "subcategory",
753
+ "children": [
754
+ {
755
+ "id": "trusted_3rd_party",
756
+ "name": "Trusted 3rd Party",
757
+ "type": "variant",
758
+ "priority": 5
759
+ },
760
+ {
761
+ "id": "untrusted_3rd_party",
762
+ "name": "Untrusted 3rd Party",
763
+ "type": "variant",
764
+ "priority": 4
765
+ },
766
+ {
767
+ "id": "over_http",
768
+ "name": "Over HTTP",
769
+ "type": "variant",
770
+ "priority": 4
771
+ }
772
+ ]
773
+ },
774
+ {
775
+ "id": "sensitive_token_in_url",
776
+ "name": "Sensitive Token in URL",
777
+ "type": "subcategory",
778
+ "priority": 4
779
+ },
780
+ {
781
+ "id": "non_sensitive_token_in_url",
782
+ "name": "Non-Sensitive Token in URL",
783
+ "type": "subcategory",
784
+ "priority": 5
785
+ },
786
+ {
787
+ "id": "weak_password_reset_implementation",
788
+ "name": "Weak Password Reset Implementation",
789
+ "type": "subcategory",
790
+ "children": [
791
+ {
792
+ "id": "password_reset_token_sent_over_http",
793
+ "name": "Password Reset Token Sent Over HTTP",
794
+ "type": "variant",
795
+ "priority": 4
796
+ }
797
+ ]
798
+ },
799
+ {
800
+ "id": "mixed_content",
801
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
802
+ "type": "subcategory",
803
+ "priority": 5
804
+ },
805
+ {
806
+ "id": "sensitive_data_hardcoded",
807
+ "name": "Sensitive Data Hardcoded",
808
+ "type": "subcategory",
809
+ "children": [
810
+ {
811
+ "id": "oauth_secret",
812
+ "name": "OAuth Secret",
813
+ "type": "variant",
814
+ "priority": 5
815
+ },
816
+ {
817
+ "id": "file_paths",
818
+ "name": "File Paths",
819
+ "type": "variant",
820
+ "priority": 5
821
+ }
822
+ ]
823
+ },
824
+ {
825
+ "id": "internal_ip_disclosure",
826
+ "name": "Internal IP Disclosure",
827
+ "type": "subcategory",
828
+ "priority": 5
829
+ },
830
+ {
831
+ "id": "xssi",
832
+ "name": "Cross Site Script Inclusion (XSSI)",
833
+ "type": "subcategory",
834
+ "priority": null
835
+ },
836
+ {
837
+ "id": "json_hijacking",
838
+ "name": "JSON Hijacking",
839
+ "type": "subcategory",
840
+ "priority": 5
841
+ }
842
+ ]
843
+ },
844
+ {
845
+ "id": "cross_site_scripting_xss",
846
+ "name": "Cross-Site Scripting (XSS)",
847
+ "type": "category",
848
+ "children": [
849
+ {
850
+ "id": "stored",
851
+ "name": "Stored",
852
+ "type": "subcategory",
853
+ "children": [
854
+ {
855
+ "id": "non_admin_to_anyone",
856
+ "name": "Non-Admin to Anyone",
857
+ "type": "variant",
858
+ "priority": 2
859
+ },
860
+ {
861
+ "id": "admin_to_anyone",
862
+ "name": "Admin to Anyone",
863
+ "type": "variant",
864
+ "priority": 3
865
+ },
866
+ {
867
+ "id": "self",
868
+ "name": "Self",
869
+ "type": "variant",
870
+ "priority": 5
871
+ }
872
+ ]
873
+ },
874
+ {
875
+ "id": "reflected",
876
+ "name": "Reflected",
877
+ "type": "subcategory",
878
+ "children": [
879
+ {
880
+ "id": "non_self",
881
+ "name": "Non-Self",
882
+ "type": "variant",
883
+ "priority": 3
884
+ },
885
+ {
886
+ "id": "self",
887
+ "name": "Self",
888
+ "type": "variant",
889
+ "priority": 5
890
+ }
891
+ ]
892
+ },
893
+ {
894
+ "id": "cookie_based",
895
+ "name": "Cookie-Based",
896
+ "type": "subcategory",
897
+ "priority": 5
898
+ },
899
+ {
900
+ "id": "ie_only",
901
+ "name": "IE-Only",
902
+ "type": "subcategory",
903
+ "children": [
904
+ {
905
+ "id": "older_version_ie_10_11",
906
+ "name": "Older Version (IE 10/11)",
907
+ "type": "variant",
908
+ "priority": 4
909
+ },
910
+ {
911
+ "id": "xss_filter_disabled",
912
+ "name": "XSS Filter Disabled",
913
+ "type": "variant",
914
+ "priority": 5
915
+ },
916
+ {
917
+ "id": "older_version_ie10",
918
+ "name": "Older Version (< IE10)",
919
+ "type": "variant",
920
+ "priority": 5
921
+ }
922
+ ]
923
+ },
924
+ {
925
+ "id": "referer",
926
+ "name": "Referer",
927
+ "type": "subcategory",
928
+ "priority": 4
929
+ },
930
+ {
931
+ "id": "trace_method",
932
+ "name": "TRACE Method",
933
+ "type": "subcategory",
934
+ "priority": 5
935
+ },
936
+ {
937
+ "id": "universal_uxss",
938
+ "name": "Universal (UXSS)",
939
+ "type": "subcategory",
940
+ "priority": 4
941
+ },
942
+ {
943
+ "id": "off_domain",
944
+ "name": "Off-Domain",
945
+ "type": "subcategory",
946
+ "children": [
947
+ {
948
+ "id": "data_uri",
949
+ "name": "Data URI",
950
+ "type": "variant",
951
+ "priority": 4
952
+ }
953
+ ]
954
+ }
955
+ ]
956
+ },
957
+ {
958
+ "id": "broken_access_control",
959
+ "name": "Broken Access Control (BAC)",
960
+ "type": "category",
961
+ "children": [
962
+ {
963
+ "id": "idor",
964
+ "name": "Insecure Direct Object References (IDOR)",
965
+ "type": "subcategory",
966
+ "priority": null
967
+ },
968
+ {
969
+ "id": "server_side_request_forgery_ssrf",
970
+ "name": "Server-Side Request Forgery (SSRF)",
971
+ "type": "subcategory",
972
+ "children": [
973
+ {
974
+ "id": "internal",
975
+ "name": "Internal",
976
+ "type": "variant",
977
+ "priority": 2
978
+ },
979
+ {
980
+ "id": "external",
981
+ "name": "External",
982
+ "type": "variant",
983
+ "priority": 4
984
+ }
985
+ ]
986
+ },
987
+ {
988
+ "id": "username_enumeration",
989
+ "name": "Username Enumeration",
990
+ "type": "subcategory",
991
+ "children": [
992
+ {
993
+ "id": "data_leak",
994
+ "name": "Data Leak",
995
+ "type": "variant",
996
+ "priority": 4
997
+ }
998
+ ]
999
+ },
1000
+ {
1001
+ "id": "exposed_sensitive_android_intent",
1002
+ "name": "Exposed Sensitive Android Intent",
1003
+ "type": "subcategory",
1004
+ "priority": null
1005
+ },
1006
+ {
1007
+ "id": "exposed_sensitive_ios_url_scheme",
1008
+ "name": "Exposed Sensitive iOS URL Scheme",
1009
+ "type": "subcategory",
1010
+ "priority": null
1011
+ }
1012
+ ]
1013
+ },
1014
+ {
1015
+ "id": "cross_site_request_forgery_csrf",
1016
+ "name": "Cross-Site Request Forgery (CSRF)",
1017
+ "type": "category",
1018
+ "children": [
1019
+ {
1020
+ "id": "application_wide",
1021
+ "name": "Application-Wide",
1022
+ "type": "subcategory",
1023
+ "priority": 2
1024
+ },
1025
+ {
1026
+ "id": "action_specific",
1027
+ "name": "Action-Specific",
1028
+ "type": "subcategory",
1029
+ "children": [
1030
+ {
1031
+ "id": "authenticated_action",
1032
+ "name": "Authenticated Action",
1033
+ "type": "variant",
1034
+ "priority": null
1035
+ },
1036
+ {
1037
+ "id": "unauthenticated_action",
1038
+ "name": "Unauthenticated Action",
1039
+ "type": "variant",
1040
+ "priority": null
1041
+ },
1042
+ {
1043
+ "id": "logout",
1044
+ "name": "Logout",
1045
+ "type": "variant",
1046
+ "priority": 5
1047
+ }
1048
+ ]
1049
+ }
1050
+ ]
1051
+ },
1052
+ {
1053
+ "id": "application_level_denial_of_service_dos",
1054
+ "name": "Application-Level Denial-of-Service (DoS)",
1055
+ "type": "category",
1056
+ "children": [
1057
+ {
1058
+ "id": "critical_impact_and_or_easy_difficulty",
1059
+ "name": "Critical Impact and/or Easy Difficulty",
1060
+ "type": "subcategory",
1061
+ "priority": 2
1062
+ },
1063
+ {
1064
+ "id": "high_impact_and_or_medium_difficulty",
1065
+ "name": "High Impact and/or Medium Difficulty",
1066
+ "type": "subcategory",
1067
+ "priority": 3
1068
+ },
1069
+ {
1070
+ "id": "app_crash",
1071
+ "name": "App Crash",
1072
+ "type": "subcategory",
1073
+ "children": [
1074
+ {
1075
+ "id": "malformed_android_intents",
1076
+ "name": "Malformed Android Intents",
1077
+ "type": "variant",
1078
+ "priority": 5
1079
+ },
1080
+ {
1081
+ "id": "malformed_ios_url_schemes",
1082
+ "name": "Malformed iOS URL Schemes",
1083
+ "type": "variant",
1084
+ "priority": 5
1085
+ }
1086
+ ]
1087
+ }
1088
+ ]
1089
+ },
1090
+ {
1091
+ "id": "unvalidated_redirects_and_forwards",
1092
+ "name": "Unvalidated Redirects and Forwards",
1093
+ "type": "category",
1094
+ "children": [
1095
+ {
1096
+ "id": "open_redirect",
1097
+ "name": "Open Redirect",
1098
+ "type": "subcategory",
1099
+ "children": [
1100
+ {
1101
+ "id": "get_based",
1102
+ "name": "GET-Based",
1103
+ "type": "variant",
1104
+ "priority": 4
1105
+ },
1106
+ {
1107
+ "id": "post_based",
1108
+ "name": "POST-Based",
1109
+ "type": "variant",
1110
+ "priority": 5
1111
+ },
1112
+ {
1113
+ "id": "header_based",
1114
+ "name": "Header-Based",
1115
+ "type": "variant",
1116
+ "priority": 5
1117
+ }
1118
+ ]
1119
+ },
1120
+ {
1121
+ "id": "tabnabbing",
1122
+ "name": "Tabnabbing",
1123
+ "type": "subcategory",
1124
+ "priority": 5
1125
+ },
1126
+ {
1127
+ "id": "lack_of_security_speed_bump_page",
1128
+ "name": "Lack of Security Speed Bump Page",
1129
+ "type": "subcategory",
1130
+ "priority": 5
1131
+ }
1132
+ ]
1133
+ },
1134
+ {
1135
+ "id": "external_behavior",
1136
+ "name": "External Behavior",
1137
+ "type": "category",
1138
+ "children": [
1139
+ {
1140
+ "id": "browser_feature",
1141
+ "name": "Browser Feature",
1142
+ "type": "subcategory",
1143
+ "children": [
1144
+ {
1145
+ "id": "plaintext_password_field",
1146
+ "name": "Plaintext Password Field",
1147
+ "type": "variant",
1148
+ "priority": 5
1149
+ },
1150
+ {
1151
+ "id": "save_password",
1152
+ "name": "Save Password",
1153
+ "type": "variant",
1154
+ "priority": 5
1155
+ },
1156
+ {
1157
+ "id": "autocomplete_enabled",
1158
+ "name": "Autocomplete Enabled",
1159
+ "type": "variant",
1160
+ "priority": 5
1161
+ },
1162
+ {
1163
+ "id": "autocorrect_enabled",
1164
+ "name": "Autocorrect Enabled",
1165
+ "type": "variant",
1166
+ "priority": 5
1167
+ },
1168
+ {
1169
+ "id": "aggressive_offline_caching",
1170
+ "name": "Aggressive Offline Caching",
1171
+ "type": "variant",
1172
+ "priority": 5
1173
+ }
1174
+ ]
1175
+ },
1176
+ {
1177
+ "id": "csv_injection",
1178
+ "name": "CSV Injection",
1179
+ "type": "subcategory",
1180
+ "priority": 5
1181
+ },
1182
+ {
1183
+ "id": "captcha_bypass",
1184
+ "name": "Captcha Bypass",
1185
+ "type": "subcategory",
1186
+ "children": [
1187
+ {
1188
+ "id": "crowdsourcing",
1189
+ "name": "Crowdsourcing",
1190
+ "type": "variant",
1191
+ "priority": 5
1192
+ }
1193
+ ]
1194
+ },
1195
+ {
1196
+ "id": "system_clipboard_leak",
1197
+ "name": "System Clipboard Leak",
1198
+ "type": "subcategory",
1199
+ "children": [
1200
+ {
1201
+ "id": "shared_links",
1202
+ "name": "Shared Links",
1203
+ "type": "variant",
1204
+ "priority": 5
1205
+ }
1206
+ ]
1207
+ },
1208
+ {
1209
+ "id": "user_password_persisted_in_memory",
1210
+ "name": "User Password Persisted in Memory",
1211
+ "type": "subcategory",
1212
+ "priority": 5
1213
+ }
1214
+ ]
1215
+ },
1216
+ {
1217
+ "id": "insufficient_security_configurability",
1218
+ "name": "Insufficient Security Configurability",
1219
+ "type": "category",
1220
+ "children": [
1221
+ {
1222
+ "id": "weak_password_policy",
1223
+ "name": "Weak Password Policy",
1224
+ "type": "subcategory",
1225
+ "priority": 5
1226
+ },
1227
+ {
1228
+ "id": "no_password_policy",
1229
+ "name": "No Password Policy",
1230
+ "type": "subcategory",
1231
+ "priority": 4
1232
+ },
1233
+ {
1234
+ "id": "weak_password_reset_implementation",
1235
+ "name": "Weak Password Reset Implementation",
1236
+ "type": "subcategory",
1237
+ "children": [
1238
+ {
1239
+ "id": "token_is_not_invalidated_after_use",
1240
+ "name": "Token is Not Invalidated After Use",
1241
+ "type": "variant",
1242
+ "priority": 4
1243
+ },
1244
+ {
1245
+ "id": "token_is_not_invalidated_after_email_change",
1246
+ "name": "Token is Not Invalidated After Email Change",
1247
+ "type": "variant",
1248
+ "priority": 5
1249
+ },
1250
+ {
1251
+ "id": "token_is_not_invalidated_after_password_change",
1252
+ "name": "Token is Not Invalidated After Password Change",
1253
+ "type": "variant",
1254
+ "priority": 5
1255
+ },
1256
+ {
1257
+ "id": "token_has_long_timed_expiry",
1258
+ "name": "Token Has Long Timed Expiry",
1259
+ "type": "variant",
1260
+ "priority": 5
1261
+ },
1262
+ {
1263
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1264
+ "name": "Token is Not Invalidated After New Token is Requested",
1265
+ "type": "variant",
1266
+ "priority": 5
1267
+ }
1268
+ ]
1269
+ },
1270
+ {
1271
+ "id": "lack_of_verification_email",
1272
+ "name": "Lack of Verification Email",
1273
+ "type": "subcategory",
1274
+ "priority": 5
1275
+ },
1276
+ {
1277
+ "id": "lack_of_notification_email",
1278
+ "name": "Lack of Notification Email",
1279
+ "type": "subcategory",
1280
+ "priority": 5
1281
+ },
1282
+ {
1283
+ "id": "weak_registration_implementation",
1284
+ "name": "Weak Registration Implementation",
1285
+ "type": "subcategory",
1286
+ "children": [
1287
+ {
1288
+ "id": "allows_disposable_email_addresses",
1289
+ "name": "Allows Disposable Email Addresses",
1290
+ "type": "variant",
1291
+ "priority": 5
1292
+ }
1293
+ ]
1294
+ },
1295
+ {
1296
+ "id": "weak_2fa_implementation",
1297
+ "name": "Weak 2FA Implementation",
1298
+ "type": "subcategory",
1299
+ "children": [
1300
+ {
1301
+ "id": "missing_failsafe",
1302
+ "name": "Missing Failsafe",
1303
+ "type": "variant",
1304
+ "priority": 5
1305
+ }
1306
+ ]
1307
+ }
1308
+ ]
1309
+ },
1310
+ {
1311
+ "id": "using_components_with_known_vulnerabilities",
1312
+ "name": "Using Components with Known Vulnerabilities",
1313
+ "type": "category",
1314
+ "children": [
1315
+ {
1316
+ "id": "rosetta_flash",
1317
+ "name": "Rosetta Flash",
1318
+ "type": "subcategory",
1319
+ "priority": 4
1320
+ },
1321
+ {
1322
+ "id": "outdated_software_version",
1323
+ "name": "Outdated Software Version",
1324
+ "type": "subcategory",
1325
+ "priority": 5
1326
+ },
1327
+ {
1328
+ "id": "captcha_bypass",
1329
+ "name": "Captcha Bypass",
1330
+ "type": "subcategory",
1331
+ "children": [
1332
+ {
1333
+ "id": "ocr_optical_character_recognition",
1334
+ "name": "OCR (Optical Character Recognition)",
1335
+ "type": "variant",
1336
+ "priority": 5
1337
+ }
1338
+ ]
1339
+ }
1340
+ ]
1341
+ },
1342
+ {
1343
+ "id": "insecure_data_storage",
1344
+ "name": "Insecure Data Storage",
1345
+ "type": "category",
1346
+ "children": [
1347
+ {
1348
+ "id": "sensitive_application_data_stored_unencrypted",
1349
+ "name": "Sensitive Application Data Stored Unencrypted",
1350
+ "type": "subcategory",
1351
+ "children": [
1352
+ {
1353
+ "id": "on_external_storage",
1354
+ "name": "On External Storage",
1355
+ "type": "variant",
1356
+ "priority": 4
1357
+ },
1358
+ {
1359
+ "id": "on_internal_storage",
1360
+ "name": "On Internal Storage",
1361
+ "type": "variant",
1362
+ "priority": 5
1363
+ }
1364
+ ]
1365
+ },
1366
+ {
1367
+ "id": "server_side_credentials_storage",
1368
+ "name": "Server-Side Credentials Storage",
1369
+ "type": "subcategory",
1370
+ "children": [
1371
+ {
1372
+ "id": "plaintext",
1373
+ "name": "Plaintext",
1374
+ "type": "variant",
1375
+ "priority": 4
1376
+ }
1377
+ ]
1378
+ },
1379
+ {
1380
+ "id": "non_sensitive_application_data_stored_unencrypted",
1381
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1382
+ "type": "subcategory",
1383
+ "priority": 5
1384
+ },
1385
+ {
1386
+ "id": "screen_caching_enabled",
1387
+ "name": "Screen Caching Enabled",
1388
+ "type": "subcategory",
1389
+ "priority": 5
1390
+ }
1391
+ ]
1392
+ },
1393
+ {
1394
+ "id": "lack_of_binary_hardening",
1395
+ "name": "Lack of Binary Hardening",
1396
+ "type": "category",
1397
+ "children": [
1398
+ {
1399
+ "id": "lack_of_exploit_mitigations",
1400
+ "name": "Lack of Exploit Mitigations",
1401
+ "type": "subcategory",
1402
+ "priority": 5
1403
+ },
1404
+ {
1405
+ "id": "lack_of_jailbreak_detection",
1406
+ "name": "Lack of Jailbreak Detection",
1407
+ "type": "subcategory",
1408
+ "priority": 5
1409
+ },
1410
+ {
1411
+ "id": "lack_of_obfuscation",
1412
+ "name": "Lack of Obfuscation",
1413
+ "type": "subcategory",
1414
+ "priority": 5
1415
+ },
1416
+ {
1417
+ "id": "runtime_instrumentation_based",
1418
+ "name": "Runtime Instrumentation-Based",
1419
+ "type": "subcategory",
1420
+ "priority": 5
1421
+ }
1422
+ ]
1423
+ },
1424
+ {
1425
+ "id": "insecure_data_transport",
1426
+ "name": "Insecure Data Transport",
1427
+ "type": "category",
1428
+ "children": [
1429
+ {
1430
+ "id": "cleartext_transmission_of_sensitive_data",
1431
+ "name": "Cleartext Transmission of Sensitive Data",
1432
+ "type": "subcategory",
1433
+ "priority": null
1434
+ },
1435
+ {
1436
+ "id": "executable_download",
1437
+ "name": "Executable Download",
1438
+ "type": "subcategory",
1439
+ "children": [
1440
+ {
1441
+ "id": "no_secure_integrity_check",
1442
+ "name": "No Secure Integrity Check",
1443
+ "type": "variant",
1444
+ "priority": 4
1445
+ },
1446
+ {
1447
+ "id": "secure_integrity_check",
1448
+ "name": "Secure Integrity Check",
1449
+ "type": "variant",
1450
+ "priority": 5
1451
+ }
1452
+ ]
1453
+ }
1454
+ ]
1455
+ },
1456
+ {
1457
+ "id": "insecure_os_firmware",
1458
+ "name": "Insecure OS/Firmware",
1459
+ "type": "category",
1460
+ "children": [
1461
+ {
1462
+ "id": "command_injection",
1463
+ "name": "Command Injection",
1464
+ "type": "subcategory",
1465
+ "priority": 1
1466
+ },
1467
+ {
1468
+ "id": "hardcoded_password",
1469
+ "name": "Hardcoded Password",
1470
+ "type": "subcategory",
1471
+ "children": [
1472
+ {
1473
+ "id": "privileged_user",
1474
+ "name": "Privileged User",
1475
+ "type": "variant",
1476
+ "priority": 1
1477
+ },
1478
+ {
1479
+ "id": "non_privileged_user",
1480
+ "name": "Non-Privileged User",
1481
+ "type": "variant",
1482
+ "priority": 2
1483
+ }
1484
+ ]
1485
+ }
1486
+ ]
1487
+ },
1488
+ {
1489
+ "id": "broken_cryptography",
1490
+ "name": "Broken Cryptography",
1491
+ "type": "category",
1492
+ "children": [
1493
+ {
1494
+ "id": "cryptographic_flaw",
1495
+ "name": "Cryptographic Flaw",
1496
+ "type": "subcategory",
1497
+ "children": [
1498
+ {
1499
+ "id": "incorrect_usage",
1500
+ "name": "Incorrect Usage",
1501
+ "type": "variant",
1502
+ "priority": 1
1503
+ }
1504
+ ]
1505
+ }
1506
+ ]
1507
+ },
1508
+ {
1509
+ "id": "privacy_concerns",
1510
+ "name": "Privacy Concerns",
1511
+ "type": "category",
1512
+ "children": [
1513
+ {
1514
+ "id": "unnecessary_data_collection",
1515
+ "name": "Unnecessary Data Collection",
1516
+ "type": "subcategory",
1517
+ "children": [
1518
+ {
1519
+ "id": "wifi_ssid_password",
1520
+ "name": "WiFi SSID+Password",
1521
+ "type": "variant",
1522
+ "priority": 4
1523
+ }
1524
+ ]
1525
+ }
1526
+ ]
1527
+ },
1528
+ {
1529
+ "id": "network_security_misconfiguration",
1530
+ "name": "Network Security Misconfiguration",
1531
+ "type": "category",
1532
+ "children": [
1533
+ {
1534
+ "id": "telnet_enabled",
1535
+ "name": "Telnet Enabled",
1536
+ "type": "subcategory",
1537
+ "children": [
1538
+ {
1539
+ "id": "credentials_required",
1540
+ "name": "Credentials Required",
1541
+ "type": "variant",
1542
+ "priority": 4
1543
+ }
1544
+ ]
1545
+ }
1546
+ ]
1547
+ },
1548
+ {
1549
+ "id": "mobile_security_misconfiguration",
1550
+ "name": "Mobile Security Misconfiguration",
1551
+ "type": "category",
1552
+ "children": [
1553
+ {
1554
+ "id": "ssl_certificate_pinning",
1555
+ "name": "SSL Certificate Pinning",
1556
+ "type": "subcategory",
1557
+ "children": [
1558
+ {
1559
+ "id": "absent",
1560
+ "name": "Absent",
1561
+ "type": "variant",
1562
+ "priority": 5
1563
+ },
1564
+ {
1565
+ "id": "defeatable",
1566
+ "name": "Defeatable",
1567
+ "type": "variant",
1568
+ "priority": 5
1569
+ }
1570
+ ]
1571
+ },
1572
+ {
1573
+ "id": "tapjacking",
1574
+ "name": "Tapjacking",
1575
+ "type": "subcategory",
1576
+ "priority": 5
1577
+ }
1578
+ ]
1579
+ },
1580
+ {
1581
+ "id": "client_side_injection",
1582
+ "name": "Client-Side Injection",
1583
+ "type": "category",
1584
+ "children": [
1585
+ {
1586
+ "id": "binary_planting",
1587
+ "name": "Binary Planting",
1588
+ "type": "subcategory",
1589
+ "children": [
1590
+ {
1591
+ "id": "privilege_escalation",
1592
+ "name": "Privilege Escalation",
1593
+ "type": "variant",
1594
+ "priority": 4
1595
+ },
1596
+ {
1597
+ "id": "no_privilege_escalation",
1598
+ "name": "No Privilege Escalation",
1599
+ "type": "variant",
1600
+ "priority": 5
1601
+ }
1602
+ ]
1603
+ }
1604
+ ]
1605
+ }
1606
+ ]
1607
+ }