vrt 0.4.6 → 0.5.0

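--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1c41b68638caaea9a439b88847fe6a9485012836
-  data.tar.gz: e387bc10e9e3e5279047cc5d3cb967b3efce069a
+  metadata.gz: 334fbfda473980d30290ab34b1067869cb0cbdf8
+  data.tar.gz: cc3a8b77958779d1e255f3ec03ea7b53cf94610e
 SHA512:
-  metadata.gz: c8aa886633c62b9aca5c96236a99e3c7160fcf020f8e638ee1bff2c6e2c2c47ab30cb961a00fb2b08c169348800e776579aeb6546ec5e5588d3adf6d3dd91c9d
-  data.tar.gz: 2542205ee579f73fc429266119b44db8fd6d1b3c11858c0b1112c59c35b666899c025f01191a747505d0d134460d4135d36ffafd33b9383c68623458dfdc6802
+  metadata.gz: a82a35420049b037116610124dc087e23c2944972c5c88733cc0dbe7cf80dc7576d53aa537e3368c08335d62f3efc3250778d756fe6c148be35b3bfeccc47b6a
+  data.tar.gz: 1829f1c86bd2ad635a22183b2e3ed0360780e437c0ceb14379e5c71b80d514b99152aec0d5d51b0de2eb47a03e28506eb0816eddbad567fd160f74ff6a3394a7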
@@ -0,0 +1,92 @@
1
+ {
2
+ "poor_physical_security": {
3
+ "1.1": "other"
4
+ },
5
+ "social_engineering": {
6
+ "1.1": "other"
7
+ },
8
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
9
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
10
+ },
11
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
12
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
13
+ },
14
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
15
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
16
+ },
17
+ "broken_authentication_and_session_management.session_token_in_url.over_https": {
18
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
19
+ },
20
+ "broken_authentication_and_session_management.session_token_in_url.over_http": {
21
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
22
+ },
23
+ "broken_authentication_and_session_management.session_token_in_url": {
24
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
25
+ },
26
+ "insecure_data_transport": {
27
+ "1.2": "mobile_security_misconfiguration"
28
+ },
29
+ "insecure_data_transport.ssl_certificate_pinning": {
30
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
31
+ },
32
+ "insecure_data_transport.ssl_certificate_pinning.absent": {
33
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
34
+ },
35
+ "insecure_data_transport.ssl_certificate_pinning.defeatable": {
36
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
37
+ },
38
+ "insecure_data_storage.credentials_stored_unencrypted": {
39
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
40
+ },
41
+ "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
42
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
43
+ },
44
+ "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
45
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
46
+ },
47
+ "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
48
+ "1.2": "insufficient_security_configurability.no_password_policy"
49
+ },
50
+ "missing_function_level_access_control": {
51
+ "1.3": "broken_access_control"
52
+ },
53
+ "missing_function_level_access_control.server_side_request_forgery_ssrf": {
54
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf"
55
+ },
56
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
57
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
58
+ },
59
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
60
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
61
+ },
62
+ "missing_function_level_access_control.username_enumeration": {
63
+ "1.3": "broken_access_control.username_enumeration"
64
+ },
65
+ "missing_function_level_access_control.username_enumeration.data_leak": {
66
+ "1.3": "broken_access_control.username_enumeration.data_leak"
67
+ },
68
+ "missing_function_level_access_control.exposed_sensitive_android_intent": {
69
+ "1.3": "broken_access_control.exposed_sensitive_android_intent"
70
+ },
71
+ "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
72
+ "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
73
+ },
74
+ "insecure_direct_object_references_idor": {
75
+ "1.3": "broken_access_control.idor"
76
+ },
77
+ "broken_authentication_and_session_management.weak_login_function.over_http": {
78
+ "1.4": "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default"
79
+ },
80
+ "cross_site_scripting_xss.ie_only.older_version_ie_10_11": {
81
+ "1.4": "cross_site_scripting_xss.ie_only.ie11"
82
+ },
83
+ "cross_site_scripting_xss.ie_only.older_version_ie10": {
84
+ "1.4": "cross_site_scripting_xss.ie_only.older_version_ie11"
85
+ },
86
+ "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset": {
87
+ "1.4": "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change"
88
+ },
89
+ "network_security_misconfiguration.telnet_enabled.credentials_required": {
90
+ "1.4": "broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative"
91
+ }
92
+ }
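Review bot: The two `"1.1": "other"` entries (`poor_physical_security`, `social_engineering`) give this mapping a mixed value type: every other value is a dotted VRT node path, but no node with id `other` appears in the cvss_v3 data added in this same release, so a consumer that resolves every value as a path will miss on those two unless `other` is a catch-all category it already knows about. Because strict JSON cannot carry a comment, the meaning of the outer key (the node id as it existed before the version named by the inner key, presumably) and the status of `other` should be stated in the gem's README or a schema, along with whether a consumer is expected to follow a mapping whose target is itself retired in a later version. Parent and child keys such as `broken_authentication_and_session_management.session_token_in_url` and its `.over_http`/`.over_https` children all resolve to the same target today, so a prefix-based lookup must match the longest key first to stay correct if a child is ever mapped elsewhere.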
@@ -0,0 +1,752 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "unsafe_cross_origin_resource_sharing",
11
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
12
+ },
13
+ {
14
+ "id": "path_traversal",
15
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
16
+ },
17
+ {
18
+ "id": "directory_listing_enabled",
19
+ "children": [
20
+ {
21
+ "id": "sensitive_data_exposure",
22
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
23
+ },
24
+ {
25
+ "id": "non_sensitive_data_exposure",
26
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "same_site_scripting",
32
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "ssl_attack_breach_poodle_etc",
36
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
37
+ },
38
+ {
39
+ "id": "using_default_credentials",
40
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
41
+ },
42
+ {
43
+ "id": "misconfigured_dns",
44
+ "children": [
45
+ {
46
+ "id": "subdomain_takeover",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
48
+ },
49
+ {
50
+ "id": "zone_transfer",
51
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
52
+ },
53
+ {
54
+ "id": "missing_caa_record",
55
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
56
+ }
57
+ ]
58
+ },
59
+ {
60
+ "id": "mail_server_misconfiguration",
61
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
62
+ "children": [
63
+ {
64
+ "id": "missing_spf_on_email_domain",
65
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
66
+ },
67
+ {
68
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
69
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
70
+ }
71
+ ]
72
+ },
73
+ {
74
+ "id": "dbms_misconfiguration",
75
+ "children": [
76
+ {
77
+ "id": "excessively_privileged_user_dba",
78
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
79
+ }
80
+ ]
81
+ },
82
+ {
83
+ "id": "lack_of_password_confirmation",
84
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
85
+ "children": [
86
+ {
87
+ "id": "manage_two_fa",
88
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
89
+ }
90
+ ]
91
+ },
92
+ {
93
+ "id": "no_rate_limiting_on_form",
94
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
95
+ "children": [
96
+ {
97
+ "id": "login",
98
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
99
+ }
100
+ ]
101
+ },
102
+ {
103
+ "id": "unsafe_file_upload",
104
+ "children": [
105
+ {
106
+ "id": "no_antivirus",
107
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
108
+ },
109
+ {
110
+ "id": "no_size_limit",
111
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
112
+ },
113
+ {
114
+ "id": "file_extension_filter_bypass",
115
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
116
+ }
117
+ ]
118
+ },
119
+ {
120
+ "id": "cookie_scoped_to_parent_domain",
121
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
122
+ },
123
+ {
124
+ "id": "missing_secure_or_httponly_cookie_flag",
125
+ "children": [
126
+ {
127
+ "id": "session_token",
128
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
129
+ },
130
+ {
131
+ "id": "non_session_cookie",
132
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
133
+ }
134
+ ]
135
+ },
136
+ {
137
+ "id": "clickjacking",
138
+ "children": [
139
+ {
140
+ "id": "sensitive_action",
141
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
142
+ },
143
+ {
144
+ "id": "non_sensitive_action",
145
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
146
+ }
147
+ ]
148
+ },
149
+ {
150
+ "id": "oauth_misconfiguration",
151
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
152
+ "children": [
153
+ {
154
+ "id": "account_takeover",
155
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
156
+ }
157
+ ]
158
+ },
159
+ {
160
+ "id": "captcha_bypass",
161
+ "children": [
162
+ {
163
+ "id": "implementation_vulnerability",
164
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
165
+ },
166
+ {
167
+ "id": "brute_force",
168
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "exposed_admin_portal",
174
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
175
+ },
176
+ {
177
+ "id": "missing_dnssec",
178
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
179
+ },
180
+ {
181
+ "id": "fingerprinting_banner_disclosure",
182
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
183
+ },
184
+ {
185
+ "id": "username_enumeration",
186
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
187
+ },
188
+ {
189
+ "id": "potentially_unsafe_http_method_enabled",
190
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
191
+ },
192
+ {
193
+ "id": "insecure_ssl",
194
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
195
+ },
196
+ {
197
+ "id": "rfd",
198
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
199
+ },
200
+ {
201
+ "id": "lack_of_security_headers",
202
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
203
+ "children": [
204
+ {
205
+ "id": "cache_control_for_a_sensitive_page",
206
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
207
+ }
208
+ ]
209
+ },
210
+ {
211
+ "id": "bitsquatting",
212
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
213
+ }
214
+ ]
215
+ },
216
+ {
217
+ "id": "server_side_injection",
218
+ "children": [
219
+ {
220
+ "id": "file_inclusion",
221
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
222
+ },
223
+ {
224
+ "id": "parameter_pollution",
225
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
226
+ },
227
+ {
228
+ "id": "remote_code_execution_rce",
229
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
230
+ },
231
+ {
232
+ "id": "sql_injection",
233
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
234
+ },
235
+ {
236
+ "id": "xml_external_entity_injection_xxe",
237
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
238
+ },
239
+ {
240
+ "id": "http_response_manipulation",
241
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
242
+ },
243
+ {
244
+ "id": "content_spoofing",
245
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
246
+ "children": [
247
+ {
248
+ "id": "iframe_injection",
249
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
250
+ },
251
+ {
252
+ "id": "external_authentication_injection",
253
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
254
+ },
255
+ {
256
+ "id": "email_html_injection",
257
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
258
+ }
259
+ ]
260
+ }
261
+ ]
262
+ },
263
+ {
264
+ "id": "broken_authentication_and_session_management",
265
+ "children": [
266
+ {
267
+ "id": "authentication_bypass",
268
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
269
+ },
270
+ {
271
+ "id": "privilege_escalation",
272
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
273
+ },
274
+ {
275
+ "id": "weak_login_function",
276
+ "children": [
277
+ {
278
+ "id": "not_operational",
279
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
280
+ },
281
+ {
282
+ "id": "other_plaintext_protocol_no_secure_alternative",
283
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
284
+ },
285
+ {
286
+ "id": "lan_only",
287
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
288
+ },
289
+ {
290
+ "id": "http_and_https_available",
291
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
292
+ },
293
+ {
294
+ "id": "https_not_available_or_http_by_default",
295
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
296
+ }
297
+ ]
298
+ },
299
+ {
300
+ "id": "session_fixation",
301
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
302
+ },
303
+ {
304
+ "id": "failure_to_invalidate_session",
305
+ "children": [
306
+ {
307
+ "id": "on_logout",
308
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
309
+ },
310
+ {
311
+ "id": "on_logout_server_side_only",
312
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
313
+ },
314
+ {
315
+ "id": "on_password_change",
316
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
317
+ },
318
+ {
319
+ "id": "all_sessions",
320
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
321
+ },
322
+ {
323
+ "id": "on_email_change",
324
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
325
+ },
326
+ {
327
+ "id": "long_timeout",
328
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
329
+ }
330
+ ]
331
+ },
332
+ {
333
+ "id": "concurrent_logins",
334
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
335
+ },
336
+ {
337
+ "id": "weak_registration_implementation",
338
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
339
+ }
340
+ ]
341
+ },
342
+ {
343
+ "id": "sensitive_data_exposure",
344
+ "children": [
345
+ {
346
+ "id": "critically_sensitive_data",
347
+ "children": [
348
+ {
349
+ "id": "password_disclosure",
350
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
351
+ },
352
+ {
353
+ "id": "private_api_keys",
354
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
355
+ }
356
+ ]
357
+ },
358
+ {
359
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
360
+ "children": [
361
+ {
362
+ "id": "automatic_user_enumeration",
363
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
364
+ },
365
+ {
366
+ "id": "manual_user_enumeration",
367
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
368
+ }
369
+ ]
370
+ },
371
+ {
372
+ "id": "visible_detailed_error_page",
373
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
374
+ "children": [
375
+ {
376
+ "id": "detailed_server_configuration",
377
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
378
+ }
379
+ ]
380
+ },
381
+ {
382
+ "id": "disclosure_of_known_public_information",
383
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
384
+ },
385
+ {
386
+ "id": "token_leakage_via_referer",
387
+ "children": [
388
+ {
389
+ "id": "trusted_3rd_party",
390
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
391
+ },
392
+ {
393
+ "id": "untrusted_3rd_party",
394
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
395
+ },
396
+ {
397
+ "id": "over_http",
398
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
399
+ }
400
+ ]
401
+ },
402
+ {
403
+ "id": "sensitive_token_in_url",
404
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
405
+ },
406
+ {
407
+ "id": "non_sensitive_token_in_url",
408
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
409
+ },
410
+ {
411
+ "id": "weak_password_reset_implementation",
412
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
413
+ },
414
+ {
415
+ "id": "mixed_content",
416
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
417
+ },
418
+ {
419
+ "id": "sensitive_data_hardcoded",
420
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
421
+ },
422
+ {
423
+ "id": "internal_ip_disclosure",
424
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
425
+ },
426
+ {
427
+ "id": "xssi",
428
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
429
+ },
430
+ {
431
+ "id": "json_hijacking",
432
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
433
+ }
434
+ ]
435
+ },
436
+ {
437
+ "id": "cross_site_scripting_xss",
438
+ "children": [
439
+ {
440
+ "id": "stored",
441
+ "children": [
442
+ {
443
+ "id": "non_admin_to_anyone",
444
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
445
+ },
446
+ {
447
+ "id": "admin_to_anyone",
448
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"
449
+ },
450
+ {
451
+ "id": "url_based",
452
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
453
+ },
454
+ {
455
+ "id": "self",
456
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
457
+ }
458
+ ]
459
+ },
460
+ {
461
+ "id": "reflected",
462
+ "children": [
463
+ {
464
+ "id": "non_self",
465
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
466
+ },
467
+ {
468
+ "id": "self",
469
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
470
+ }
471
+ ]
472
+ },
473
+ {
474
+ "id": "cookie_based",
475
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
476
+ },
477
+ {
478
+ "id": "ie_only",
479
+ "children": [
480
+ {
481
+ "id": "ie11",
482
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
483
+ },
484
+ {
485
+ "id": "xss_filter_disabled",
486
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
487
+ },
488
+ {
489
+ "id": "older_version_ie11",
490
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
491
+ }
492
+ ]
493
+ },
494
+ {
495
+ "id": "referer",
496
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
497
+ },
498
+ {
499
+ "id": "trace_method",
500
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
501
+ },
502
+ {
503
+ "id": "universal_uxss",
504
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
505
+ },
506
+ {
507
+ "id": "off_domain",
508
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
509
+ }
510
+ ]
511
+ },
512
+ {
513
+ "id": "broken_access_control",
514
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
515
+ "children": [
516
+ {
517
+ "id": "server_side_request_forgery_ssrf",
518
+ "children": [
519
+ {
520
+ "id": "internal",
521
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
522
+ },
523
+ {
524
+ "id": "external",
525
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
526
+ }
527
+ ]
528
+ },
529
+ {
530
+ "id": "username_enumeration",
531
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
532
+ }
533
+ ]
534
+ },
535
+ {
536
+ "id": "cross_site_request_forgery_csrf",
537
+ "children": [
538
+ {
539
+ "id": "application_wide",
540
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
541
+ },
542
+ {
543
+ "id": "action_specific",
544
+ "children": [
545
+ {
546
+ "id": "authenticated_action",
547
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
548
+ },
549
+ {
550
+ "id": "unauthenticated_action",
551
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
552
+ },
553
+ {
554
+ "id": "logout",
555
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
556
+ }
557
+ ]
558
+ }
559
+ ]
560
+ },
561
+ {
562
+ "id": "application_level_denial_of_service_dos",
563
+ "children": [
564
+ {
565
+ "id": "critical_impact_and_or_easy_difficulty",
566
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
567
+ },
568
+ {
569
+ "id": "high_impact_and_or_medium_difficulty",
570
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
571
+ },
572
+ {
573
+ "id": "app_crash",
574
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
575
+ }
576
+ ]
577
+ },
578
+ {
579
+ "id": "unvalidated_redirects_and_forwards",
580
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
581
+ "children": [
582
+ {
583
+ "id": "open_redirect",
584
+ "children": [
585
+ {
586
+ "id": "get_based",
587
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
588
+ }
589
+ ]
590
+ }
591
+ ]
592
+ },
593
+ {
594
+ "id": "external_behavior",
595
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
596
+ },
597
+ {
598
+ "id": "insufficient_security_configurability",
599
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
600
+ "children": [
601
+ {
602
+ "id": "no_password_policy",
603
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
604
+ },
605
+ {
606
+ "id": "weak_password_reset_implementation",
607
+ "children": [
608
+ {
609
+ "id": "token_is_not_invalidated_after_use",
610
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
611
+ }
612
+ ]
613
+ }
614
+ ]
615
+ },
616
+ {
617
+ "id": "using_components_with_known_vulnerabilities",
618
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
619
+ "children": [
620
+ {
621
+ "id": "rosetta_flash",
622
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
623
+ }
624
+ ]
625
+ },
626
+ {
627
+ "id": "insecure_data_storage",
628
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
629
+ "children": [
630
+ {
631
+ "id": "sensitive_application_data_stored_unencrypted",
632
+ "children": [
633
+ {
634
+ "id": "on_external_storage",
635
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
636
+ }
637
+ ]
638
+ },
639
+ {
640
+ "id": "server_side_credentials_storage",
641
+ "children": [
642
+ {
643
+ "id": "plaintext",
644
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
645
+ }
646
+ ]
647
+ }
648
+ ]
649
+ },
650
+ {
651
+ "id": "lack_of_binary_hardening",
652
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
653
+ },
654
+ {
655
+ "id": "insecure_data_transport",
656
+ "children": [
657
+ {
658
+ "id": "cleartext_transmission_of_sensitive_data",
659
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
660
+ },
661
+ {
662
+ "id": "executable_download",
663
+ "children": [
664
+ {
665
+ "id": "no_secure_integrity_check",
666
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
667
+ },
668
+ {
669
+ "id": "secure_integrity_check",
670
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
671
+ }
672
+ ]
673
+ }
674
+ ]
675
+ },
676
+ {
677
+ "id": "insecure_os_firmware",
678
+ "children": [
679
+ {
680
+ "id": "command_injection",
681
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
682
+ },
683
+ {
684
+ "id": "hardcoded_password",
685
+ "children": [
686
+ {
687
+ "id": "privileged_user",
688
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
689
+ },
690
+ {
691
+ "id": "non_privileged_user",
692
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
693
+ }
694
+ ]
695
+ }
696
+ ]
697
+ },
698
+ {
699
+ "id": "broken_cryptography",
700
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
701
+ },
702
+ {
703
+ "id": "privacy_concerns",
704
+ "children": [
705
+ {
706
+ "id": "unnecessary_data_collection",
707
+ "children": [
708
+ {
709
+ "id": "wifi_ssid_password",
710
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
711
+ }
712
+ ]
713
+ }
714
+ ]
715
+ },
716
+ {
717
+ "id": "network_security_misconfiguration",
718
+ "children": [
719
+ {
720
+ "id": "telnet_enabled",
721
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
722
+ }
723
+ ]
724
+ },
725
+ {
726
+ "id": "mobile_security_misconfiguration",
727
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
728
+ },
729
+ {
730
+ "id": "client_side_injection",
731
+ "children": [
732
+ {
733
+ "id": "binary_planting",
734
+ "children": [
735
+ {
736
+ "id": "privilege_escalation",
737
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
738
+ },
739
+ {
740
+ "id": "non_default_folder_privilege_escalation",
741
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
742
+ },
743
+ {
744
+ "id": "no_privilege_escalation",
745
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
746
+ }
747
+ ]
748
+ }
749
+ ]
750
+ }
751
+ ]
752
+ }
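Review bot: None of the `cvss_v3` vectors carries the `CVSS:3.0/` (or `CVSS:3.1/`) prefix that the specification makes part of the vector string, so several CVSS libraries will reject them as-is and the minor version is left ambiguous; 3.0 and 3.1 define Roundup differently and can disagree on a base score in edge cases, so the key name `cvss_v3` alone does not pin the result. Prefixing each value, e.g. `"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"`, or recording the minor version once under `metadata`, would make the scores reproducible. Separately, `metadata.default` is a no-impact vector that scores 0.0, so a node with no entry here (there is no `broken_access_control.idor` or `on_internal_storage` leaf, for instance, although the deprecation mapping in this release points at both) becomes indistinguishable from a deliberate Informational rating; if the default is meant as "unscored", a `null` would let consumers tell the two apart.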