vrt 0.4.6 → 0.5.0

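--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,75 @@
+ {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "VRT to Remediation Advice",
+ "description": "Mapping from the Vulnerability Rating Taxonomy to Remediation Advice",
+ "definitions": {
+ "MappingMetadata": {
+ "type": "object",
+ "properties": {
+ "default": { "type": "null" },
+ "keys": { "type": "array",
+ "items": { "type": "string", "enum": ["remediation_advice", "references"] },
+ "minItems": 2,
+ "uniqueItems": true
+ }
+ },
+ "required": ["default", "keys"]
+ },
+ "VRTid": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "RemediationAdvice": { "type": "string" },
+ "References": { "type" : "array",
+ "items" : { "type": "string", "pattern": "^http[s]?:\/\/.*$" },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "Mapping": {
+ "type": "object",
+ "properties": {
+ "id": { "$ref": "#/definitions/VRTid" },
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
+ "references" : { "$ref": "#/definitions/References" }
+ },
+ "required": ["id"],
+ "anyOf": [
+ { "required": ["remediation_advice"] },
+ { "required": ["references"] }
+ ],
+ "additionalProperties": false
+ },
+ "MappingParent": {
+ "type": "object",
+ "properties": {
+ "id": { "$ref": "#/definitions/VRTid" },
+ "children": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/MappingParent" },
+ { "$ref": "#/definitions/Mapping" }
+ ]
+ }
+ },
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
+ "references" : { "$ref": "#/definitions/References" }
+ },
+ "required": ["id", "children"],
+ "additionalProperties": false
+ }
+ },
+ "type": "object",
+ "required": ["metadata", "content"],
+ "properties": {
+ "metadata": {
+ "$ref": "#/definitions/MappingMetadata"
+ },
+ "content": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/MappingParent" },
+ { "$ref": "#/definitions/Mapping" }
+ ]
+ }
+ }
+ }
+ }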
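Review bot: `MappingMetadata` and the root object are left open while `Mapping` and `MappingParent` are closed with `"additionalProperties": false`, so an unexpected or misspelled key in `metadata` (or a stray top-level key) validates silently; add `"additionalProperties": false` after the `"required": ["default", "keys"]` line of `MappingMetadata` and to the root object for consistency. The `References` item pattern `^http[s]?:\/\/.*$` accepts any character after the scheme, including whitespace, so a malformed or plaintext `http://` reference passes; pairing the pattern with `"format": "uri"` would let validators that enforce `format` reject non-URIs, though note that `format` is annotation-only unless the validator opts in. `MappingParent.children` also has no `minItems`, so an empty parent with no mappings validates; `"minItems": 1` would match the intent of `required: ["id", "children"]`.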
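--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,63 @@
+ {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "Vulnerability Rating Taxonomy",
+ "description": "A Taxonomy of potential vulnerabilities with suggested technical priority rating",
+ "definitions": {
+ "VRTmetadata": {
+ "type": "object",
+ "properties": {
+ "release_date": { "type": "string", "format": "date-time" }
+ }
+ },
+ "VRT": {
+ "type": "object",
+ "properties": {
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "type": { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
+ "priority": {
+ "anyOf": [
+ { "type": "number", "minimum": 1, "maximum": 5 },
+ { "type": "null" }
+ ]
+ }
+ },
+ "required": ["id", "name", "type", "priority"]
+ },
+ "VRTparent": {
+ "type": "object",
+ "properties": {
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
+ "type": { "type": "string", "enum": [ "category", "subcategory" ] },
+ "children": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/VRTparent" },
+ { "$ref": "#/definitions/VRT" }
+ ]
+ },
+ "minItems": 1
+ }
+ },
+ "required": ["id", "name", "type", "children"]
+ }
+ },
+ "type": "object",
+ "required": ["metadata", "content"],
+ "properties": {
+ "metadata": {
+ "$ref": "#/definitions/VRTmetadata"
+ },
+ "content": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/VRTparent" },
+ { "$ref": "#/definitions/VRT" }
+ ]
+ }
+ }
+ }
+ }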
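Review bot: `priority` is declared as `{ "type": "number", "minimum": 1, "maximum": 5 }`, which accepts fractional values such as 2.5 even though every priority in the taxonomy data in the next file section is an integer or null; `{ "type": "integer", "minimum": 1, "maximum": 5 }` pins the intended P1–P5 scale. Neither `VRT` nor `VRTparent` sets `"additionalProperties": false`, so a node carrying both `children` and `priority` still matches the `VRT` branch of the `anyOf`, and a `VRTparent` with extra keys validates too; closing both objects makes the two branches genuinely discriminate leaf from parent. `VRTmetadata` lists `release_date` but has no `"required": ["release_date"]`, so a document with empty metadata passes; and since draft-04 `format` is annotation-only, the `date-time` check only applies when the validator is configured to enforce formats. The `id` and `name` patterns are repeated inline in both definitions; factoring them into `definitions` and referencing them with `$ref`, as the remediation-advice schema in this same release does with `VRTid`, keeps the two from drifting.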
@@ -0,0 +1,1666 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2018-04-13T08:30:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "priority": 1
59
+ },
60
+ {
61
+ "id": "misconfigured_dns",
62
+ "name": "Misconfigured DNS",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "subdomain_takeover",
67
+ "name": "Subdomain Takeover",
68
+ "type": "variant",
69
+ "priority": 2
70
+ },
71
+ {
72
+ "id": "zone_transfer",
73
+ "name": "Zone Transfer",
74
+ "type": "variant",
75
+ "priority": 4
76
+ },
77
+ {
78
+ "id": "missing_caa_record",
79
+ "name": "Missing Certification Authority Authorization (CAA) Record",
80
+ "type": "variant",
81
+ "priority": 5
82
+ }
83
+ ]
84
+ },
85
+ {
86
+ "id": "mail_server_misconfiguration",
87
+ "name": "Mail Server Misconfiguration",
88
+ "type": "subcategory",
89
+ "children": [
90
+ {
91
+ "id": "missing_spf_on_email_domain",
92
+ "name": "Missing SPF on Email Domain",
93
+ "type": "variant",
94
+ "priority": 3
95
+ },
96
+ {
97
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
98
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
99
+ "type": "variant",
100
+ "priority": 3
101
+ },
102
+ {
103
+ "id": "missing_spf_on_non_email_domain",
104
+ "name": "Missing SPF on Non-Email Domain",
105
+ "type": "variant",
106
+ "priority": 5
107
+ },
108
+ {
109
+ "id": "spf_uses_a_soft_fail",
110
+ "name": "SPF Uses a Soft Fail",
111
+ "type": "variant",
112
+ "priority": 5
113
+ },
114
+ {
115
+ "id": "spf_includes_10_lookups",
116
+ "name": "SPF Includes More Than 10 Lookups",
117
+ "type": "variant",
118
+ "priority": 5
119
+ },
120
+ {
121
+ "id": "missing_dmarc",
122
+ "name": "Missing DKIM/DMARC",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "dbms_misconfiguration",
130
+ "name": "Database Management System (DBMS) Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "excessively_privileged_user_dba",
135
+ "name": "Excessively Privileged User / DBA",
136
+ "type": "variant",
137
+ "priority": 4
138
+ }
139
+ ]
140
+ },
141
+ {
142
+ "id": "lack_of_password_confirmation",
143
+ "name": "Lack of Password Confirmation",
144
+ "type": "subcategory",
145
+ "children": [
146
+ {
147
+ "id": "change_email_address",
148
+ "name": "Change Email Address",
149
+ "type": "variant",
150
+ "priority": 5
151
+ },
152
+ {
153
+ "id": "change_password",
154
+ "name": "Change Password",
155
+ "type": "variant",
156
+ "priority": 5
157
+ },
158
+ {
159
+ "id": "delete_account",
160
+ "name": "Delete Account",
161
+ "type": "variant",
162
+ "priority": 4
163
+ },
164
+ {
165
+ "id": "manage_two_fa",
166
+ "name": "Manage 2FA",
167
+ "type": "variant",
168
+ "priority": 5
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "no_rate_limiting_on_form",
174
+ "name": "No Rate Limiting on Form",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "registration",
179
+ "name": "Registration",
180
+ "type": "variant",
181
+ "priority": 4
182
+ },
183
+ {
184
+ "id": "login",
185
+ "name": "Login",
186
+ "type": "variant",
187
+ "priority": 4
188
+ },
189
+ {
190
+ "id": "email_triggering",
191
+ "name": "Email-Triggering",
192
+ "type": "variant",
193
+ "priority": 4
194
+ }
195
+ ]
196
+ },
197
+ {
198
+ "id": "unsafe_file_upload",
199
+ "name": "Unsafe File Upload",
200
+ "type": "subcategory",
201
+ "children": [
202
+ {
203
+ "id": "no_antivirus",
204
+ "name": "No Antivirus",
205
+ "type": "variant",
206
+ "priority": 5
207
+ },
208
+ {
209
+ "id": "no_size_limit",
210
+ "name": "No Size Limit",
211
+ "type": "variant",
212
+ "priority": 5
213
+ },
214
+ {
215
+ "id": "file_extension_filter_bypass",
216
+ "name": "File Extension Filter Bypass",
217
+ "type": "variant",
218
+ "priority": 5
219
+ }
220
+ ]
221
+ },
222
+ {
223
+ "id": "cookie_scoped_to_parent_domain",
224
+ "name": "Cookie Scoped to Parent Domain",
225
+ "type": "subcategory",
226
+ "priority": 5
227
+ },
228
+ {
229
+ "id": "missing_secure_or_httponly_cookie_flag",
230
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
231
+ "type": "subcategory",
232
+ "children": [
233
+ {
234
+ "id": "session_token",
235
+ "name": "Session Token",
236
+ "type": "variant",
237
+ "priority": 4
238
+ },
239
+ {
240
+ "id": "non_session_cookie",
241
+ "name": "Non-Session Cookie",
242
+ "type": "variant",
243
+ "priority": 5
244
+ }
245
+ ]
246
+ },
247
+ {
248
+ "id": "clickjacking",
249
+ "name": "Clickjacking",
250
+ "type": "subcategory",
251
+ "children": [
252
+ {
253
+ "id": "sensitive_action",
254
+ "name": "Sensitive Action",
255
+ "type": "variant",
256
+ "priority": 4
257
+ },
258
+ {
259
+ "id": "non_sensitive_action",
260
+ "name": "Non-Sensitive Action",
261
+ "type": "variant",
262
+ "priority": 5
263
+ }
264
+ ]
265
+ },
266
+ {
267
+ "id": "oauth_misconfiguration",
268
+ "name": "OAuth Misconfiguration",
269
+ "type": "subcategory",
270
+ "children": [
271
+ {
272
+ "id": "account_takeover",
273
+ "name": "Account Takeover",
274
+ "type": "variant",
275
+ "priority": 2
276
+ },
277
+ {
278
+ "id": "missing_state_parameter",
279
+ "name": "Missing/Broken State Parameter",
280
+ "type": "variant",
281
+ "priority": null
282
+ },
283
+ {
284
+ "id": "insecure_redirect_uri",
285
+ "name": "Insecure Redirect URI",
286
+ "type": "variant",
287
+ "priority": null
288
+ }
289
+ ]
290
+ },
291
+ {
292
+ "id": "captcha_bypass",
293
+ "name": "Captcha Bypass",
294
+ "type": "subcategory",
295
+ "children": [
296
+ {
297
+ "id": "implementation_vulnerability",
298
+ "name": "Implementation Vulnerability",
299
+ "type": "variant",
300
+ "priority": 4
301
+ },
302
+ {
303
+ "id": "brute_force",
304
+ "name": "Brute Force",
305
+ "type": "variant",
306
+ "priority": 5
307
+ }
308
+ ]
309
+ },
310
+ {
311
+ "id": "exposed_admin_portal",
312
+ "name": "Exposed Admin Portal",
313
+ "type": "subcategory",
314
+ "children": [
315
+ {
316
+ "id": "to_internet",
317
+ "name": "To Internet",
318
+ "type": "variant",
319
+ "priority": 5
320
+ }
321
+ ]
322
+ },
323
+ {
324
+ "id": "missing_dnssec",
325
+ "name": "Missing DNSSEC",
326
+ "type": "subcategory",
327
+ "priority": 5
328
+ },
329
+ {
330
+ "id": "fingerprinting_banner_disclosure",
331
+ "name": "Fingerprinting/Banner Disclosure",
332
+ "type": "subcategory",
333
+ "priority": 5
334
+ },
335
+ {
336
+ "id": "username_enumeration",
337
+ "name": "Username Enumeration",
338
+ "type": "subcategory",
339
+ "children": [
340
+ {
341
+ "id": "brute_force",
342
+ "name": "Brute Force",
343
+ "type": "variant",
344
+ "priority": 5
345
+ }
346
+ ]
347
+ },
348
+ {
349
+ "id": "potentially_unsafe_http_method_enabled",
350
+ "name": "Potentially Unsafe HTTP Method Enabled",
351
+ "type": "subcategory",
352
+ "children": [
353
+ {
354
+ "id": "options",
355
+ "name": "OPTIONS",
356
+ "type": "variant",
357
+ "priority": 5
358
+ },
359
+ {
360
+ "id": "trace",
361
+ "name": "TRACE",
362
+ "type": "variant",
363
+ "priority": 5
364
+ }
365
+ ]
366
+ },
367
+ {
368
+ "id": "insecure_ssl",
369
+ "name": "Insecure SSL",
370
+ "type": "subcategory",
371
+ "children": [
372
+ {
373
+ "id": "lack_of_forward_secrecy",
374
+ "name": "Lack of Forward Secrecy",
375
+ "type": "variant",
376
+ "priority": 5
377
+ },
378
+ {
379
+ "id": "insecure_cipher_suite",
380
+ "name": "Insecure Cipher Suite",
381
+ "type": "variant",
382
+ "priority": 5
383
+ }
384
+ ]
385
+ },
386
+ {
387
+ "id": "rfd",
388
+ "name": "Reflected File Download (RFD)",
389
+ "type": "subcategory",
390
+ "priority": 5
391
+ },
392
+ {
393
+ "id": "lack_of_security_headers",
394
+ "name": "Lack of Security Headers",
395
+ "type": "subcategory",
396
+ "children": [
397
+ {
398
+ "id": "x_frame_options",
399
+ "name": "X-Frame-Options",
400
+ "type": "variant",
401
+ "priority": 5
402
+ },
403
+ {
404
+ "id": "cache_control_for_a_non_sensitive_page",
405
+ "name": "Cache-Control for a Non-Sensitive Page",
406
+ "type": "variant",
407
+ "priority": 5
408
+ },
409
+ {
410
+ "id": "x_xss_protection",
411
+ "name": "X-XSS-Protection",
412
+ "type": "variant",
413
+ "priority": 5
414
+ },
415
+ {
416
+ "id": "strict_transport_security",
417
+ "name": "Strict-Transport-Security",
418
+ "type": "variant",
419
+ "priority": 5
420
+ },
421
+ {
422
+ "id": "x_content_type_options",
423
+ "name": "X-Content-Type-Options",
424
+ "type": "variant",
425
+ "priority": 5
426
+ },
427
+ {
428
+ "id": "content_security_policy",
429
+ "name": "Content-Security-Policy",
430
+ "type": "variant",
431
+ "priority": 5
432
+ },
433
+ {
434
+ "id": "public_key_pins",
435
+ "name": "Public-Key-Pins",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "x_content_security_policy",
441
+ "name": "X-Content-Security-Policy",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "x_webkit_csp",
447
+ "name": "X-Webkit-CSP",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "content_security_policy_report_only",
453
+ "name": "Content-Security-Policy-Report-Only",
454
+ "type": "variant",
455
+ "priority": 5
456
+ },
457
+ {
458
+ "id": "cache_control_for_a_sensitive_page",
459
+ "name": "Cache-Control for a Sensitive Page",
460
+ "type": "variant",
461
+ "priority": 4
462
+ }
463
+ ]
464
+ },
465
+ {
466
+ "id": "bitsquatting",
467
+ "name": "Bitsquatting",
468
+ "type": "subcategory",
469
+ "priority": 5
470
+ }
471
+ ]
472
+ },
473
+ {
474
+ "id": "server_side_injection",
475
+ "name": "Server-Side Injection",
476
+ "type": "category",
477
+ "children": [
478
+ {
479
+ "id": "file_inclusion",
480
+ "name": "File Inclusion",
481
+ "type": "subcategory",
482
+ "children": [
483
+ {
484
+ "id": "local",
485
+ "name": "Local",
486
+ "type": "variant",
487
+ "priority": 1
488
+ }
489
+ ]
490
+ },
491
+ {
492
+ "id": "parameter_pollution",
493
+ "name": "Parameter Pollution",
494
+ "type": "subcategory",
495
+ "children": [
496
+ {
497
+ "id": "social_media_sharing_buttons",
498
+ "name": "Social Media Sharing Buttons",
499
+ "type": "variant",
500
+ "priority": 5
501
+ }
502
+ ]
503
+ },
504
+ {
505
+ "id": "remote_code_execution_rce",
506
+ "name": "Remote Code Execution (RCE)",
507
+ "type": "subcategory",
508
+ "priority": 1
509
+ },
510
+ {
511
+ "id": "sql_injection",
512
+ "name": "SQL Injection",
513
+ "type": "subcategory",
514
+ "priority": 1
515
+ },
516
+ {
517
+ "id": "xml_external_entity_injection_xxe",
518
+ "name": "XML External Entity Injection (XXE)",
519
+ "type": "subcategory",
520
+ "priority": 1
521
+ },
522
+ {
523
+ "id": "http_response_manipulation",
524
+ "name": "HTTP Response Manipulation",
525
+ "type": "subcategory",
526
+ "children": [
527
+ {
528
+ "id": "response_splitting_crlf",
529
+ "name": "Response Splitting (CRLF)",
530
+ "type": "variant",
531
+ "priority": 3
532
+ }
533
+ ]
534
+ },
535
+ {
536
+ "id": "content_spoofing",
537
+ "name": "Content Spoofing",
538
+ "type": "subcategory",
539
+ "children": [
540
+ {
541
+ "id": "iframe_injection",
542
+ "name": "iframe Injection",
543
+ "type": "variant",
544
+ "priority": 3
545
+ },
546
+ {
547
+ "id": "external_authentication_injection",
548
+ "name": "External Authentication Injection",
549
+ "type": "variant",
550
+ "priority": 4
551
+ },
552
+ {
553
+ "id": "email_html_injection",
554
+ "name": "Email HTML Injection",
555
+ "type": "variant",
556
+ "priority": 4
557
+ },
558
+ {
559
+ "id": "text_injection",
560
+ "name": "Text Injection",
561
+ "type": "variant",
562
+ "priority": 5
563
+ },
564
+ {
565
+ "id": "homograph_idn_based",
566
+ "name": "Homograph/IDN-Based",
567
+ "type": "variant",
568
+ "priority": 5
569
+ },
570
+ {
571
+ "id": "rtlo",
572
+ "name": "Right-to-Left Override (RTLO)",
573
+ "type": "variant",
574
+ "priority": 5
575
+ }
576
+ ]
577
+ }
578
+ ]
579
+ },
580
+ {
581
+ "id": "broken_authentication_and_session_management",
582
+ "name": "Broken Authentication and Session Management",
583
+ "type": "category",
584
+ "children": [
585
+ {
586
+ "id": "authentication_bypass",
587
+ "name": "Authentication Bypass",
588
+ "type": "subcategory",
589
+ "priority": 1
590
+ },
591
+ {
592
+ "id": "privilege_escalation",
593
+ "name": "Privilege Escalation",
594
+ "type": "subcategory",
595
+ "priority": null
596
+ },
597
+ {
598
+ "id": "weak_login_function",
599
+ "name": "Weak Login Function",
600
+ "type": "subcategory",
601
+ "children": [
602
+ {
603
+ "id": "not_operational",
604
+ "name": "Not Operational or Intended Public Access",
605
+ "type": "variant",
606
+ "priority": 5
607
+ },
608
+ {
609
+ "id": "other_plaintext_protocol_no_secure_alternative",
610
+ "name": "Other Plaintext Protocol with no Secure Alternative",
611
+ "type": "variant",
612
+ "priority": 4
613
+ },
614
+ {
615
+ "id": "lan_only",
616
+ "name": "LAN Only",
617
+ "type": "variant",
618
+ "priority": 4
619
+ },
620
+ {
621
+ "id": "http_and_https_available",
622
+ "name": "HTTP and HTTPS Available",
623
+ "type": "variant",
624
+ "priority": 4
625
+ },
626
+ {
627
+ "id": "https_not_available_or_http_by_default",
628
+ "name": "HTTPS not Available or HTTP by Default",
629
+ "type": "variant",
630
+ "priority": 3
631
+ }
632
+ ]
633
+ },
634
+ {
635
+ "id": "session_fixation",
636
+ "name": "Session Fixation",
637
+ "type": "subcategory",
638
+ "priority": 3
639
+ },
640
+ {
641
+ "id": "failure_to_invalidate_session",
642
+ "name": "Failure to Invalidate Session",
643
+ "type": "subcategory",
644
+ "children": [
645
+ {
646
+ "id": "on_logout",
647
+ "name": "On Logout (Client and Server-Side)",
648
+ "type": "variant",
649
+ "priority": 4
650
+ },
651
+ {
652
+ "id": "on_logout_server_side_only",
653
+ "name": "On Logout (Server-Side Only)",
654
+ "type": "variant",
655
+ "priority": 5
656
+ },
657
+ {
658
+ "id": "on_password_change",
659
+ "name": "On Password Reset and/or Change",
660
+ "type": "variant",
661
+ "priority": 4
662
+ },
663
+ {
664
+ "id": "all_sessions",
665
+ "name": "Concurrent Sessions On Logout",
666
+ "type": "variant",
667
+ "priority": 5
668
+ },
669
+ {
670
+ "id": "on_email_change",
671
+ "name": "On Email Change",
672
+ "type": "variant",
673
+ "priority": 5
674
+ },
675
+ {
676
+ "id": "long_timeout",
677
+ "name": "Long Timeout",
678
+ "type": "variant",
679
+ "priority": 5
680
+ }
681
+ ]
682
+ },
683
+ {
684
+ "id": "concurrent_logins",
685
+ "name": "Concurrent Logins",
686
+ "type": "subcategory",
687
+ "priority": 5
688
+ },
689
+ {
690
+ "id": "weak_registration_implementation",
691
+ "name": "Weak Registration Implementation",
692
+ "type": "subcategory",
693
+ "children": [
694
+ {
695
+ "id": "over_http",
696
+ "name": "Over HTTP",
697
+ "type": "variant",
698
+ "priority": 4
699
+ }
700
+ ]
701
+ }
702
+ ]
703
+ },
704
+ {
705
+ "id": "sensitive_data_exposure",
706
+ "name": "Sensitive Data Exposure",
707
+ "type": "category",
708
+ "children": [
709
+ {
710
+ "id": "critically_sensitive_data",
711
+ "name": "Critically Sensitive Data",
712
+ "type": "subcategory",
713
+ "children": [
714
+ {
715
+ "id": "password_disclosure",
716
+ "name": "Password Disclosure",
717
+ "type": "variant",
718
+ "priority": 1
719
+ },
720
+ {
721
+ "id": "private_api_keys",
722
+ "name": "Private API Keys",
723
+ "type": "variant",
724
+ "priority": 1
725
+ }
726
+ ]
727
+ },
728
+ {
729
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
730
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
731
+ "type": "subcategory",
732
+ "children": [
733
+ {
734
+ "id": "automatic_user_enumeration",
735
+ "name": "Automatic User Enumeration",
736
+ "type": "variant",
737
+ "priority": 3
738
+ },
739
+ {
740
+ "id": "manual_user_enumeration",
741
+ "name": "Manual User Enumeration",
742
+ "type": "variant",
743
+ "priority": 4
744
+ }
745
+ ]
746
+ },
747
+ {
748
+ "id": "visible_detailed_error_page",
749
+ "name": "Visible Detailed Error/Debug Page",
750
+ "type": "subcategory",
751
+ "children": [
752
+ {
753
+ "id": "detailed_server_configuration",
754
+ "name": "Detailed Server Configuration",
755
+ "type": "variant",
756
+ "priority": 4
757
+ },
758
+ {
759
+ "id": "full_path_disclosure",
760
+ "name": "Full Path Disclosure",
761
+ "type": "variant",
762
+ "priority": 5
763
+ },
764
+ {
765
+ "id": "descriptive_stack_trace",
766
+ "name": "Descriptive Stack Trace",
767
+ "type": "variant",
768
+ "priority": 5
769
+ }
770
+ ]
771
+ },
772
+ {
773
+ "id": "disclosure_of_known_public_information",
774
+ "name": "Disclosure of Known Public Information",
775
+ "type": "subcategory",
776
+ "priority": 5
777
+ },
778
+ {
779
+ "id": "token_leakage_via_referer",
780
+ "name": "Token Leakage via Referer",
781
+ "type": "subcategory",
782
+ "children": [
783
+ {
784
+ "id": "trusted_3rd_party",
785
+ "name": "Trusted 3rd Party",
786
+ "type": "variant",
787
+ "priority": 5
788
+ },
789
+ {
790
+ "id": "untrusted_3rd_party",
791
+ "name": "Untrusted 3rd Party",
792
+ "type": "variant",
793
+ "priority": 4
794
+ },
795
+ {
796
+ "id": "over_http",
797
+ "name": "Over HTTP",
798
+ "type": "variant",
799
+ "priority": 4
800
+ }
801
+ ]
802
+ },
803
+ {
804
+ "id": "sensitive_token_in_url",
805
+ "name": "Sensitive Token in URL",
806
+ "type": "subcategory",
807
+ "children": [
808
+ {
809
+ "id": "user_facing",
810
+ "name": "User Facing",
811
+ "type": "variant",
812
+ "priority": 4
813
+ },
814
+ {
815
+ "id": "in_the_background",
816
+ "name": "In the Background",
817
+ "type": "variant",
818
+ "priority": 5
819
+ },
820
+ {
821
+ "id": "on_password_reset",
822
+ "name": "On Password Reset",
823
+ "type": "variant",
824
+ "priority": 5
825
+ }
826
+ ]
827
+ },
828
+ {
829
+ "id": "non_sensitive_token_in_url",
830
+ "name": "Non-Sensitive Token in URL",
831
+ "type": "subcategory",
832
+ "priority": 5
833
+ },
834
+ {
835
+ "id": "weak_password_reset_implementation",
836
+ "name": "Weak Password Reset Implementation",
837
+ "type": "subcategory",
838
+ "children": [
839
+ {
840
+ "id": "password_reset_token_sent_over_http",
841
+ "name": "Password Reset Token Sent Over HTTP",
842
+ "type": "variant",
843
+ "priority": 4
844
+ }
845
+ ]
846
+ },
847
+ {
848
+ "id": "mixed_content",
849
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
850
+ "type": "subcategory",
851
+ "priority": 5
852
+ },
853
+ {
854
+ "id": "sensitive_data_hardcoded",
855
+ "name": "Sensitive Data Hardcoded",
856
+ "type": "subcategory",
857
+ "children": [
858
+ {
859
+ "id": "oauth_secret",
860
+ "name": "OAuth Secret",
861
+ "type": "variant",
862
+ "priority": 5
863
+ },
864
+ {
865
+ "id": "file_paths",
866
+ "name": "File Paths",
867
+ "type": "variant",
868
+ "priority": 5
869
+ }
870
+ ]
871
+ },
872
+ {
873
+ "id": "internal_ip_disclosure",
874
+ "name": "Internal IP Disclosure",
875
+ "type": "subcategory",
876
+ "priority": 5
877
+ },
878
+ {
879
+ "id": "xssi",
880
+ "name": "Cross Site Script Inclusion (XSSI)",
881
+ "type": "subcategory",
882
+ "priority": null
883
+ },
884
+ {
885
+ "id": "json_hijacking",
886
+ "name": "JSON Hijacking",
887
+ "type": "subcategory",
888
+ "priority": 5
889
+ }
890
+ ]
891
+ },
892
+ {
893
+ "id": "cross_site_scripting_xss",
894
+ "name": "Cross-Site Scripting (XSS)",
895
+ "type": "category",
896
+ "children": [
897
+ {
898
+ "id": "stored",
899
+ "name": "Stored",
900
+ "type": "subcategory",
901
+ "children": [
902
+ {
903
+ "id": "non_admin_to_anyone",
904
+ "name": "Non-Admin to Anyone",
905
+ "type": "variant",
906
+ "priority": 2
907
+ },
908
+ {
909
+ "id": "admin_to_anyone",
910
+ "name": "Admin to Anyone",
911
+ "type": "variant",
912
+ "priority": 3
913
+ },
914
+ {
915
+ "id": "url_based",
916
+ "name": "CSRF/URL-Based",
917
+ "type": "variant",
918
+ "priority": 3
919
+ },
920
+ {
921
+ "id": "self",
922
+ "name": "Self",
923
+ "type": "variant",
924
+ "priority": 5
925
+ }
926
+ ]
927
+ },
928
+ {
929
+ "id": "reflected",
930
+ "name": "Reflected",
931
+ "type": "subcategory",
932
+ "children": [
933
+ {
934
+ "id": "non_self",
935
+ "name": "Non-Self",
936
+ "type": "variant",
937
+ "priority": 3
938
+ },
939
+ {
940
+ "id": "self",
941
+ "name": "Self",
942
+ "type": "variant",
943
+ "priority": 5
944
+ }
945
+ ]
946
+ },
947
+ {
948
+ "id": "cookie_based",
949
+ "name": "Cookie-Based",
950
+ "type": "subcategory",
951
+ "priority": 5
952
+ },
953
+ {
954
+ "id": "ie_only",
955
+ "name": "IE-Only",
956
+ "type": "subcategory",
957
+ "children": [
958
+ {
959
+ "id": "ie11",
960
+ "name": "IE11",
961
+ "type": "variant",
962
+ "priority": 4
963
+ },
964
+ {
965
+ "id": "xss_filter_disabled",
966
+ "name": "XSS Filter Disabled",
967
+ "type": "variant",
968
+ "priority": 5
969
+ },
970
+ {
971
+ "id": "older_version_ie11",
972
+ "name": "Older Version (< IE11)",
973
+ "type": "variant",
974
+ "priority": 5
975
+ }
976
+ ]
977
+ },
978
+ {
979
+ "id": "referer",
980
+ "name": "Referer",
981
+ "type": "subcategory",
982
+ "priority": 4
983
+ },
984
+ {
985
+ "id": "trace_method",
986
+ "name": "TRACE Method",
987
+ "type": "subcategory",
988
+ "priority": 5
989
+ },
990
+ {
991
+ "id": "universal_uxss",
992
+ "name": "Universal (UXSS)",
993
+ "type": "subcategory",
994
+ "priority": 4
995
+ },
996
+ {
997
+ "id": "off_domain",
998
+ "name": "Off-Domain",
999
+ "type": "subcategory",
1000
+ "children": [
1001
+ {
1002
+ "id": "data_uri",
1003
+ "name": "Data URI",
1004
+ "type": "variant",
1005
+ "priority": 4
1006
+ }
1007
+ ]
1008
+ }
1009
+ ]
1010
+ },
1011
+ {
1012
+ "id": "broken_access_control",
1013
+ "name": "Broken Access Control (BAC)",
1014
+ "type": "category",
1015
+ "children": [
1016
+ {
1017
+ "id": "idor",
1018
+ "name": "Insecure Direct Object References (IDOR)",
1019
+ "type": "subcategory",
1020
+ "priority": null
1021
+ },
1022
+ {
1023
+ "id": "server_side_request_forgery_ssrf",
1024
+ "name": "Server-Side Request Forgery (SSRF)",
1025
+ "type": "subcategory",
1026
+ "children": [
1027
+ {
1028
+ "id": "internal",
1029
+ "name": "Internal",
1030
+ "type": "variant",
1031
+ "priority": 2
1032
+ },
1033
+ {
1034
+ "id": "external",
1035
+ "name": "External",
1036
+ "type": "variant",
1037
+ "priority": 4
1038
+ }
1039
+ ]
1040
+ },
1041
+ {
1042
+ "id": "username_enumeration",
1043
+ "name": "Username Enumeration",
1044
+ "type": "subcategory",
1045
+ "children": [
1046
+ {
1047
+ "id": "data_leak",
1048
+ "name": "Data Leak",
1049
+ "type": "variant",
1050
+ "priority": 4
1051
+ }
1052
+ ]
1053
+ },
1054
+ {
1055
+ "id": "exposed_sensitive_android_intent",
1056
+ "name": "Exposed Sensitive Android Intent",
1057
+ "type": "subcategory",
1058
+ "priority": null
1059
+ },
1060
+ {
1061
+ "id": "exposed_sensitive_ios_url_scheme",
1062
+ "name": "Exposed Sensitive iOS URL Scheme",
1063
+ "type": "subcategory",
1064
+ "priority": null
1065
+ }
1066
+ ]
1067
+ },
1068
+ {
1069
+ "id": "cross_site_request_forgery_csrf",
1070
+ "name": "Cross-Site Request Forgery (CSRF)",
1071
+ "type": "category",
1072
+ "children": [
1073
+ {
1074
+ "id": "application_wide",
1075
+ "name": "Application-Wide",
1076
+ "type": "subcategory",
1077
+ "priority": 2
1078
+ },
1079
+ {
1080
+ "id": "action_specific",
1081
+ "name": "Action-Specific",
1082
+ "type": "subcategory",
1083
+ "children": [
1084
+ {
1085
+ "id": "authenticated_action",
1086
+ "name": "Authenticated Action",
1087
+ "type": "variant",
1088
+ "priority": null
1089
+ },
1090
+ {
1091
+ "id": "unauthenticated_action",
1092
+ "name": "Unauthenticated Action",
1093
+ "type": "variant",
1094
+ "priority": null
1095
+ },
1096
+ {
1097
+ "id": "logout",
1098
+ "name": "Logout",
1099
+ "type": "variant",
1100
+ "priority": 5
1101
+ }
1102
+ ]
1103
+ }
1104
+ ]
1105
+ },
1106
+ {
1107
+ "id": "application_level_denial_of_service_dos",
1108
+ "name": "Application-Level Denial-of-Service (DoS)",
1109
+ "type": "category",
1110
+ "children": [
1111
+ {
1112
+ "id": "critical_impact_and_or_easy_difficulty",
1113
+ "name": "Critical Impact and/or Easy Difficulty",
1114
+ "type": "subcategory",
1115
+ "priority": 2
1116
+ },
1117
+ {
1118
+ "id": "high_impact_and_or_medium_difficulty",
1119
+ "name": "High Impact and/or Medium Difficulty",
1120
+ "type": "subcategory",
1121
+ "priority": 3
1122
+ },
1123
+ {
1124
+ "id": "app_crash",
1125
+ "name": "App Crash",
1126
+ "type": "subcategory",
1127
+ "children": [
1128
+ {
1129
+ "id": "malformed_android_intents",
1130
+ "name": "Malformed Android Intents",
1131
+ "type": "variant",
1132
+ "priority": 5
1133
+ },
1134
+ {
1135
+ "id": "malformed_ios_url_schemes",
1136
+ "name": "Malformed iOS URL Schemes",
1137
+ "type": "variant",
1138
+ "priority": 5
1139
+ }
1140
+ ]
1141
+ }
1142
+ ]
1143
+ },
1144
+ {
1145
+ "id": "unvalidated_redirects_and_forwards",
1146
+ "name": "Unvalidated Redirects and Forwards",
1147
+ "type": "category",
1148
+ "children": [
1149
+ {
1150
+ "id": "open_redirect",
1151
+ "name": "Open Redirect",
1152
+ "type": "subcategory",
1153
+ "children": [
1154
+ {
1155
+ "id": "get_based",
1156
+ "name": "GET-Based",
1157
+ "type": "variant",
1158
+ "priority": 4
1159
+ },
1160
+ {
1161
+ "id": "post_based",
1162
+ "name": "POST-Based",
1163
+ "type": "variant",
1164
+ "priority": 5
1165
+ },
1166
+ {
1167
+ "id": "header_based",
1168
+ "name": "Header-Based",
1169
+ "type": "variant",
1170
+ "priority": 5
1171
+ }
1172
+ ]
1173
+ },
1174
+ {
1175
+ "id": "tabnabbing",
1176
+ "name": "Tabnabbing",
1177
+ "type": "subcategory",
1178
+ "priority": 5
1179
+ },
1180
+ {
1181
+ "id": "lack_of_security_speed_bump_page",
1182
+ "name": "Lack of Security Speed Bump Page",
1183
+ "type": "subcategory",
1184
+ "priority": 5
1185
+ }
1186
+ ]
1187
+ },
1188
+ {
1189
+ "id": "external_behavior",
1190
+ "name": "External Behavior",
1191
+ "type": "category",
1192
+ "children": [
1193
+ {
1194
+ "id": "browser_feature",
1195
+ "name": "Browser Feature",
1196
+ "type": "subcategory",
1197
+ "children": [
1198
+ {
1199
+ "id": "plaintext_password_field",
1200
+ "name": "Plaintext Password Field",
1201
+ "type": "variant",
1202
+ "priority": 5
1203
+ },
1204
+ {
1205
+ "id": "save_password",
1206
+ "name": "Save Password",
1207
+ "type": "variant",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "autocomplete_enabled",
1212
+ "name": "Autocomplete Enabled",
1213
+ "type": "variant",
1214
+ "priority": 5
1215
+ },
1216
+ {
1217
+ "id": "autocorrect_enabled",
1218
+ "name": "Autocorrect Enabled",
1219
+ "type": "variant",
1220
+ "priority": 5
1221
+ },
1222
+ {
1223
+ "id": "aggressive_offline_caching",
1224
+ "name": "Aggressive Offline Caching",
1225
+ "type": "variant",
1226
+ "priority": 5
1227
+ }
1228
+ ]
1229
+ },
1230
+ {
1231
+ "id": "csv_injection",
1232
+ "name": "CSV Injection",
1233
+ "type": "subcategory",
1234
+ "priority": 5
1235
+ },
1236
+ {
1237
+ "id": "captcha_bypass",
1238
+ "name": "Captcha Bypass",
1239
+ "type": "subcategory",
1240
+ "children": [
1241
+ {
1242
+ "id": "crowdsourcing",
1243
+ "name": "Crowdsourcing",
1244
+ "type": "variant",
1245
+ "priority": 5
1246
+ }
1247
+ ]
1248
+ },
1249
+ {
1250
+ "id": "system_clipboard_leak",
1251
+ "name": "System Clipboard Leak",
1252
+ "type": "subcategory",
1253
+ "children": [
1254
+ {
1255
+ "id": "shared_links",
1256
+ "name": "Shared Links",
1257
+ "type": "variant",
1258
+ "priority": 5
1259
+ }
1260
+ ]
1261
+ },
1262
+ {
1263
+ "id": "user_password_persisted_in_memory",
1264
+ "name": "User Password Persisted in Memory",
1265
+ "type": "subcategory",
1266
+ "priority": 5
1267
+ }
1268
+ ]
1269
+ },
1270
+ {
1271
+ "id": "insufficient_security_configurability",
1272
+ "name": "Insufficient Security Configurability",
1273
+ "type": "category",
1274
+ "children": [
1275
+ {
1276
+ "id": "weak_password_policy",
1277
+ "name": "Weak Password Policy",
1278
+ "type": "subcategory",
1279
+ "priority": 5
1280
+ },
1281
+ {
1282
+ "id": "no_password_policy",
1283
+ "name": "No Password Policy",
1284
+ "type": "subcategory",
1285
+ "priority": 4
1286
+ },
1287
+ {
1288
+ "id": "weak_password_reset_implementation",
1289
+ "name": "Weak Password Reset Implementation",
1290
+ "type": "subcategory",
1291
+ "children": [
1292
+ {
1293
+ "id": "token_is_not_invalidated_after_use",
1294
+ "name": "Token is Not Invalidated After Use",
1295
+ "type": "variant",
1296
+ "priority": 4
1297
+ },
1298
+ {
1299
+ "id": "token_is_not_invalidated_after_email_change",
1300
+ "name": "Token is Not Invalidated After Email Change",
1301
+ "type": "variant",
1302
+ "priority": 5
1303
+ },
1304
+ {
1305
+ "id": "token_is_not_invalidated_after_password_change",
1306
+ "name": "Token is Not Invalidated After Password Change",
1307
+ "type": "variant",
1308
+ "priority": 5
1309
+ },
1310
+ {
1311
+ "id": "token_has_long_timed_expiry",
1312
+ "name": "Token Has Long Timed Expiry",
1313
+ "type": "variant",
1314
+ "priority": 5
1315
+ },
1316
+ {
1317
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1318
+ "name": "Token is Not Invalidated After New Token is Requested",
1319
+ "type": "variant",
1320
+ "priority": 5
1321
+ },
1322
+ {
1323
+ "id": "token_is_not_invalidated_after_login",
1324
+ "name": "Token is Not Invalidated After Login",
1325
+ "type": "variant",
1326
+ "priority": 5
1327
+ }
1328
+ ]
1329
+ },
1330
+ {
1331
+ "id": "lack_of_verification_email",
1332
+ "name": "Lack of Verification Email",
1333
+ "type": "subcategory",
1334
+ "priority": 5
1335
+ },
1336
+ {
1337
+ "id": "lack_of_notification_email",
1338
+ "name": "Lack of Notification Email",
1339
+ "type": "subcategory",
1340
+ "priority": 5
1341
+ },
1342
+ {
1343
+ "id": "weak_registration_implementation",
1344
+ "name": "Weak Registration Implementation",
1345
+ "type": "subcategory",
1346
+ "children": [
1347
+ {
1348
+ "id": "allows_disposable_email_addresses",
1349
+ "name": "Allows Disposable Email Addresses",
1350
+ "type": "variant",
1351
+ "priority": 5
1352
+ }
1353
+ ]
1354
+ },
1355
+ {
1356
+ "id": "weak_2fa_implementation",
1357
+ "name": "Weak 2FA Implementation",
1358
+ "type": "subcategory",
1359
+ "children": [
1360
+ {
1361
+ "id": "missing_failsafe",
1362
+ "name": "Missing Failsafe",
1363
+ "type": "variant",
1364
+ "priority": 5
1365
+ }
1366
+ ]
1367
+ }
1368
+ ]
1369
+ },
1370
+ {
1371
+ "id": "using_components_with_known_vulnerabilities",
1372
+ "name": "Using Components with Known Vulnerabilities",
1373
+ "type": "category",
1374
+ "children": [
1375
+ {
1376
+ "id": "rosetta_flash",
1377
+ "name": "Rosetta Flash",
1378
+ "type": "subcategory",
1379
+ "priority": 4
1380
+ },
1381
+ {
1382
+ "id": "outdated_software_version",
1383
+ "name": "Outdated Software Version",
1384
+ "type": "subcategory",
1385
+ "priority": 5
1386
+ },
1387
+ {
1388
+ "id": "captcha_bypass",
1389
+ "name": "Captcha Bypass",
1390
+ "type": "subcategory",
1391
+ "children": [
1392
+ {
1393
+ "id": "ocr_optical_character_recognition",
1394
+ "name": "OCR (Optical Character Recognition)",
1395
+ "type": "variant",
1396
+ "priority": 5
1397
+ }
1398
+ ]
1399
+ }
1400
+ ]
1401
+ },
1402
+ {
1403
+ "id": "insecure_data_storage",
1404
+ "name": "Insecure Data Storage",
1405
+ "type": "category",
1406
+ "children": [
1407
+ {
1408
+ "id": "sensitive_application_data_stored_unencrypted",
1409
+ "name": "Sensitive Application Data Stored Unencrypted",
1410
+ "type": "subcategory",
1411
+ "children": [
1412
+ {
1413
+ "id": "on_external_storage",
1414
+ "name": "On External Storage",
1415
+ "type": "variant",
1416
+ "priority": 4
1417
+ },
1418
+ {
1419
+ "id": "on_internal_storage",
1420
+ "name": "On Internal Storage",
1421
+ "type": "variant",
1422
+ "priority": 5
1423
+ }
1424
+ ]
1425
+ },
1426
+ {
1427
+ "id": "server_side_credentials_storage",
1428
+ "name": "Server-Side Credentials Storage",
1429
+ "type": "subcategory",
1430
+ "children": [
1431
+ {
1432
+ "id": "plaintext",
1433
+ "name": "Plaintext",
1434
+ "type": "variant",
1435
+ "priority": 4
1436
+ }
1437
+ ]
1438
+ },
1439
+ {
1440
+ "id": "non_sensitive_application_data_stored_unencrypted",
1441
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1442
+ "type": "subcategory",
1443
+ "priority": 5
1444
+ },
1445
+ {
1446
+ "id": "screen_caching_enabled",
1447
+ "name": "Screen Caching Enabled",
1448
+ "type": "subcategory",
1449
+ "priority": 5
1450
+ }
1451
+ ]
1452
+ },
1453
+ {
1454
+ "id": "lack_of_binary_hardening",
1455
+ "name": "Lack of Binary Hardening",
1456
+ "type": "category",
1457
+ "children": [
1458
+ {
1459
+ "id": "lack_of_exploit_mitigations",
1460
+ "name": "Lack of Exploit Mitigations",
1461
+ "type": "subcategory",
1462
+ "priority": 5
1463
+ },
1464
+ {
1465
+ "id": "lack_of_jailbreak_detection",
1466
+ "name": "Lack of Jailbreak Detection",
1467
+ "type": "subcategory",
1468
+ "priority": 5
1469
+ },
1470
+ {
1471
+ "id": "lack_of_obfuscation",
1472
+ "name": "Lack of Obfuscation",
1473
+ "type": "subcategory",
1474
+ "priority": 5
1475
+ },
1476
+ {
1477
+ "id": "runtime_instrumentation_based",
1478
+ "name": "Runtime Instrumentation-Based",
1479
+ "type": "subcategory",
1480
+ "priority": 5
1481
+ }
1482
+ ]
1483
+ },
1484
+ {
1485
+ "id": "insecure_data_transport",
1486
+ "name": "Insecure Data Transport",
1487
+ "type": "category",
1488
+ "children": [
1489
+ {
1490
+ "id": "cleartext_transmission_of_sensitive_data",
1491
+ "name": "Cleartext Transmission of Sensitive Data",
1492
+ "type": "subcategory",
1493
+ "priority": null
1494
+ },
1495
+ {
1496
+ "id": "executable_download",
1497
+ "name": "Executable Download",
1498
+ "type": "subcategory",
1499
+ "children": [
1500
+ {
1501
+ "id": "no_secure_integrity_check",
1502
+ "name": "No Secure Integrity Check",
1503
+ "type": "variant",
1504
+ "priority": 4
1505
+ },
1506
+ {
1507
+ "id": "secure_integrity_check",
1508
+ "name": "Secure Integrity Check",
1509
+ "type": "variant",
1510
+ "priority": 5
1511
+ }
1512
+ ]
1513
+ }
1514
+ ]
1515
+ },
1516
+ {
1517
+ "id": "insecure_os_firmware",
1518
+ "name": "Insecure OS/Firmware",
1519
+ "type": "category",
1520
+ "children": [
1521
+ {
1522
+ "id": "command_injection",
1523
+ "name": "Command Injection",
1524
+ "type": "subcategory",
1525
+ "priority": 1
1526
+ },
1527
+ {
1528
+ "id": "hardcoded_password",
1529
+ "name": "Hardcoded Password",
1530
+ "type": "subcategory",
1531
+ "children": [
1532
+ {
1533
+ "id": "privileged_user",
1534
+ "name": "Privileged User",
1535
+ "type": "variant",
1536
+ "priority": 1
1537
+ },
1538
+ {
1539
+ "id": "non_privileged_user",
1540
+ "name": "Non-Privileged User",
1541
+ "type": "variant",
1542
+ "priority": 2
1543
+ }
1544
+ ]
1545
+ }
1546
+ ]
1547
+ },
1548
+ {
1549
+ "id": "broken_cryptography",
1550
+ "name": "Broken Cryptography",
1551
+ "type": "category",
1552
+ "children": [
1553
+ {
1554
+ "id": "cryptographic_flaw",
1555
+ "name": "Cryptographic Flaw",
1556
+ "type": "subcategory",
1557
+ "children": [
1558
+ {
1559
+ "id": "incorrect_usage",
1560
+ "name": "Incorrect Usage",
1561
+ "type": "variant",
1562
+ "priority": 1
1563
+ }
1564
+ ]
1565
+ }
1566
+ ]
1567
+ },
1568
+ {
1569
+ "id": "privacy_concerns",
1570
+ "name": "Privacy Concerns",
1571
+ "type": "category",
1572
+ "children": [
1573
+ {
1574
+ "id": "unnecessary_data_collection",
1575
+ "name": "Unnecessary Data Collection",
1576
+ "type": "subcategory",
1577
+ "children": [
1578
+ {
1579
+ "id": "wifi_ssid_password",
1580
+ "name": "WiFi SSID+Password",
1581
+ "type": "variant",
1582
+ "priority": 4
1583
+ }
1584
+ ]
1585
+ }
1586
+ ]
1587
+ },
1588
+ {
1589
+ "id": "network_security_misconfiguration",
1590
+ "name": "Network Security Misconfiguration",
1591
+ "type": "category",
1592
+ "children": [
1593
+ {
1594
+ "id": "telnet_enabled",
1595
+ "name": "Telnet Enabled",
1596
+ "type": "subcategory",
1597
+ "priority": 5
1598
+ }
1599
+ ]
1600
+ },
1601
+ {
1602
+ "id": "mobile_security_misconfiguration",
1603
+ "name": "Mobile Security Misconfiguration",
1604
+ "type": "category",
1605
+ "children": [
1606
+ {
1607
+ "id": "ssl_certificate_pinning",
1608
+ "name": "SSL Certificate Pinning",
1609
+ "type": "subcategory",
1610
+ "children": [
1611
+ {
1612
+ "id": "absent",
1613
+ "name": "Absent",
1614
+ "type": "variant",
1615
+ "priority": 5
1616
+ },
1617
+ {
1618
+ "id": "defeatable",
1619
+ "name": "Defeatable",
1620
+ "type": "variant",
1621
+ "priority": 5
1622
+ }
1623
+ ]
1624
+ },
1625
+ {
1626
+ "id": "tapjacking",
1627
+ "name": "Tapjacking",
1628
+ "type": "subcategory",
1629
+ "priority": 5
1630
+ }
1631
+ ]
1632
+ },
1633
+ {
1634
+ "id": "client_side_injection",
1635
+ "name": "Client-Side Injection",
1636
+ "type": "category",
1637
+ "children": [
1638
+ {
1639
+ "id": "binary_planting",
1640
+ "name": "Binary Planting",
1641
+ "type": "subcategory",
1642
+ "children": [
1643
+ {
1644
+ "id": "privilege_escalation",
1645
+ "name": "Default Folder Privilege Escalation",
1646
+ "type": "variant",
1647
+ "priority": 3
1648
+ },
1649
+ {
1650
+ "id": "non_default_folder_privilege_escalation",
1651
+ "name": "Non-Default Folder Privilege Escalation",
1652
+ "type": "variant",
1653
+ "priority": 5
1654
+ },
1655
+ {
1656
+ "id": "no_privilege_escalation",
1657
+ "name": "No Privilege Escalation",
1658
+ "type": "variant",
1659
+ "priority": 5
1660
+ }
1661
+ ]
1662
+ }
1663
+ ]
1664
+ }
1665
+ ]
1666
+ }