vrt 0.4.6 → 0.5.0

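--- /dev/null
+++ b/PATH_UNKNOWN_FILE_1
@@ -0,0 +1,75 @@
+ {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "VRT to Remediation Advice",
+ "description": "Mapping from the Vulnerability Rating Taxonomy to Remediation Advice",
+ "definitions": {
+ "MappingMetadata": {
+ "type": "object",
+ "properties": {
+ "default": { "type": "null" },
+ "keys": { "type": "array",
+ "items": { "type": "string", "enum": ["remediation_advice", "references"] },
+ "minItems": 2,
+ "uniqueItems": true
+ }
+ },
+ "required": ["default", "keys"]
+ },
+ "VRTid": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "RemediationAdvice": { "type": "string" },
+ "References": { "type" : "array",
+ "items" : { "type": "string", "pattern": "^http[s]?:\/\/.*$" },
+ "minItems": 1,
+ "uniqueItems": true
+ },
+ "Mapping": {
+ "type": "object",
+ "properties": {
+ "id": { "$ref": "#/definitions/VRTid" },
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
+ "references" : { "$ref": "#/definitions/References" }
+ },
+ "required": ["id"],
+ "anyOf": [
+ { "required": ["remediation_advice"] },
+ { "required": ["references"] }
+ ],
+ "additionalProperties": false
+ },
+ "MappingParent": {
+ "type": "object",
+ "properties": {
+ "id": { "$ref": "#/definitions/VRTid" },
+ "children": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/MappingParent" },
+ { "$ref": "#/definitions/Mapping" }
+ ]
+ }
+ },
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
+ "references" : { "$ref": "#/definitions/References" }
+ },
+ "required": ["id", "children"],
+ "additionalProperties": false
+ }
+ },
+ "type": "object",
+ "required": ["metadata", "content"],
+ "properties": {
+ "metadata": {
+ "$ref": "#/definitions/MappingMetadata"
+ },
+ "content": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/MappingParent" },
+ { "$ref": "#/definitions/Mapping" }
+ ]
+ }
+ }
+ }
+ }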
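Review bot: `MappingParent.children` is declared as a bare `"type": "array"` with no `minItems`, so a parent node with `"children": []` and neither `remediation_advice` nor `references` validates although it carries no advice at all; the taxonomy schema added in the same release constrains its `children` with `"minItems": 1`, and adding that same line here keeps the two schemas in step. The `References` item pattern `^http[s]?:\/\/.*$` accepts any characters after the scheme, including whitespace, and accepts plaintext `http://` links for security guidance; if that is intentional it deserves a `"description"` on the definition, otherwise the pattern should be tightened. `Mapping` and `MappingParent` close their objects with `"additionalProperties": false` while `MappingMetadata` and the top-level object do not, so a misspelled key in `metadata` is accepted silently; applying the same setting to both would make the schema consistent. No file header is shown for this hunk, so the schema's path is not visible here.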
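--- /dev/null
+++ b/PATH_UNKNOWN_FILE_2
@@ -0,0 +1,63 @@
+ {
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "title": "Vulnerability Rating Taxonomy",
+ "description": "A Taxonomy of potential vulnerabilities with suggested technical priority rating",
+ "definitions": {
+ "VRTmetadata": {
+ "type": "object",
+ "properties": {
+ "release_date": { "type": "string", "format": "date-time" }
+ }
+ },
+ "VRT": {
+ "type": "object",
+ "properties": {
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "type": { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
+ "priority": {
+ "anyOf": [
+ { "type": "number", "minimum": 1, "maximum": 5 },
+ { "type": "null" }
+ ]
+ }
+ },
+ "required": ["id", "name", "type", "priority"]
+ },
+ "VRTparent": {
+ "type": "object",
+ "properties": {
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
+ "type": { "type": "string", "enum": [ "category", "subcategory" ] },
+ "children": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/VRTparent" },
+ { "$ref": "#/definitions/VRT" }
+ ]
+ },
+ "minItems": 1
+ }
+ },
+ "required": ["id", "name", "type", "children"]
+ }
+ },
+ "type": "object",
+ "required": ["metadata", "content"],
+ "properties": {
+ "metadata": {
+ "$ref": "#/definitions/VRTmetadata"
+ },
+ "content": {
+ "type": "array",
+ "items" : {
+ "anyOf": [
+ { "$ref": "#/definitions/VRTparent" },
+ { "$ref": "#/definitions/VRT" }
+ ]
+ }
+ }
+ }
+ }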
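Review bot: `priority` in the `VRT` definition is declared `"type": "number"` with `minimum`/`maximum`, so fractional values such as 2.5 validate, while the taxonomy data visible in this diff uses only the integers 1–5 or null; `{ "type": "integer", "minimum": 1, "maximum": 5 }` pins the intended domain. None of the object schemas in this file set `"additionalProperties": false`, so an unknown or misspelled key — for example a `"children"` array on a `variant` node — is accepted silently, unlike the remediation-advice schema added in the same release. `VRTmetadata` also does not list `release_date` in `required`, so `"metadata": {}` passes, and `"format": "date-time"` is only an annotation unless the validator is configured to enforce formats. The `name` character class `[ a-zA-Z0-9-+()\/,.<]` places an unescaped hyphen directly after the `0-9` range, which some regex engines reject or read as a second range, so writing `\-` or moving the hyphen to the end of the class is safer.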
@@ -0,0 +1,1666 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2018-04-13T08:30:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "priority": 1
59
+ },
60
+ {
61
+ "id": "misconfigured_dns",
62
+ "name": "Misconfigured DNS",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "subdomain_takeover",
67
+ "name": "Subdomain Takeover",
68
+ "type": "variant",
69
+ "priority": 2
70
+ },
71
+ {
72
+ "id": "zone_transfer",
73
+ "name": "Zone Transfer",
74
+ "type": "variant",
75
+ "priority": 4
76
+ },
77
+ {
78
+ "id": "missing_caa_record",
79
+ "name": "Missing Certification Authority Authorization (CAA) Record",
80
+ "type": "variant",
81
+ "priority": 5
82
+ }
83
+ ]
84
+ },
85
+ {
86
+ "id": "mail_server_misconfiguration",
87
+ "name": "Mail Server Misconfiguration",
88
+ "type": "subcategory",
89
+ "children": [
90
+ {
91
+ "id": "missing_spf_on_email_domain",
92
+ "name": "Missing SPF on Email Domain",
93
+ "type": "variant",
94
+ "priority": 3
95
+ },
96
+ {
97
+ "id": "email_spoofable_via_third_party_api_misconfiguration",
98
+ "name": "Email Spoofable Via Third-Party API Misconfiguration",
99
+ "type": "variant",
100
+ "priority": 3
101
+ },
102
+ {
103
+ "id": "missing_spf_on_non_email_domain",
104
+ "name": "Missing SPF on Non-Email Domain",
105
+ "type": "variant",
106
+ "priority": 5
107
+ },
108
+ {
109
+ "id": "spf_uses_a_soft_fail",
110
+ "name": "SPF Uses a Soft Fail",
111
+ "type": "variant",
112
+ "priority": 5
113
+ },
114
+ {
115
+ "id": "spf_includes_10_lookups",
116
+ "name": "SPF Includes More Than 10 Lookups",
117
+ "type": "variant",
118
+ "priority": 5
119
+ },
120
+ {
121
+ "id": "missing_dmarc",
122
+ "name": "Missing DKIM/DMARC",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "dbms_misconfiguration",
130
+ "name": "Database Management System (DBMS) Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "excessively_privileged_user_dba",
135
+ "name": "Excessively Privileged User / DBA",
136
+ "type": "variant",
137
+ "priority": 4
138
+ }
139
+ ]
140
+ },
141
+ {
142
+ "id": "lack_of_password_confirmation",
143
+ "name": "Lack of Password Confirmation",
144
+ "type": "subcategory",
145
+ "children": [
146
+ {
147
+ "id": "change_email_address",
148
+ "name": "Change Email Address",
149
+ "type": "variant",
150
+ "priority": 5
151
+ },
152
+ {
153
+ "id": "change_password",
154
+ "name": "Change Password",
155
+ "type": "variant",
156
+ "priority": 5
157
+ },
158
+ {
159
+ "id": "delete_account",
160
+ "name": "Delete Account",
161
+ "type": "variant",
162
+ "priority": 4
163
+ },
164
+ {
165
+ "id": "manage_two_fa",
166
+ "name": "Manage 2FA",
167
+ "type": "variant",
168
+ "priority": 5
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "no_rate_limiting_on_form",
174
+ "name": "No Rate Limiting on Form",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "registration",
179
+ "name": "Registration",
180
+ "type": "variant",
181
+ "priority": 4
182
+ },
183
+ {
184
+ "id": "login",
185
+ "name": "Login",
186
+ "type": "variant",
187
+ "priority": 4
188
+ },
189
+ {
190
+ "id": "email_triggering",
191
+ "name": "Email-Triggering",
192
+ "type": "variant",
193
+ "priority": 4
194
+ }
195
+ ]
196
+ },
197
+ {
198
+ "id": "unsafe_file_upload",
199
+ "name": "Unsafe File Upload",
200
+ "type": "subcategory",
201
+ "children": [
202
+ {
203
+ "id": "no_antivirus",
204
+ "name": "No Antivirus",
205
+ "type": "variant",
206
+ "priority": 5
207
+ },
208
+ {
209
+ "id": "no_size_limit",
210
+ "name": "No Size Limit",
211
+ "type": "variant",
212
+ "priority": 5
213
+ },
214
+ {
215
+ "id": "file_extension_filter_bypass",
216
+ "name": "File Extension Filter Bypass",
217
+ "type": "variant",
218
+ "priority": 5
219
+ }
220
+ ]
221
+ },
222
+ {
223
+ "id": "cookie_scoped_to_parent_domain",
224
+ "name": "Cookie Scoped to Parent Domain",
225
+ "type": "subcategory",
226
+ "priority": 5
227
+ },
228
+ {
229
+ "id": "missing_secure_or_httponly_cookie_flag",
230
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
231
+ "type": "subcategory",
232
+ "children": [
233
+ {
234
+ "id": "session_token",
235
+ "name": "Session Token",
236
+ "type": "variant",
237
+ "priority": 4
238
+ },
239
+ {
240
+ "id": "non_session_cookie",
241
+ "name": "Non-Session Cookie",
242
+ "type": "variant",
243
+ "priority": 5
244
+ }
245
+ ]
246
+ },
247
+ {
248
+ "id": "clickjacking",
249
+ "name": "Clickjacking",
250
+ "type": "subcategory",
251
+ "children": [
252
+ {
253
+ "id": "sensitive_action",
254
+ "name": "Sensitive Action",
255
+ "type": "variant",
256
+ "priority": 4
257
+ },
258
+ {
259
+ "id": "non_sensitive_action",
260
+ "name": "Non-Sensitive Action",
261
+ "type": "variant",
262
+ "priority": 5
263
+ }
264
+ ]
265
+ },
266
+ {
267
+ "id": "oauth_misconfiguration",
268
+ "name": "OAuth Misconfiguration",
269
+ "type": "subcategory",
270
+ "children": [
271
+ {
272
+ "id": "account_takeover",
273
+ "name": "Account Takeover",
274
+ "type": "variant",
275
+ "priority": 2
276
+ },
277
+ {
278
+ "id": "missing_state_parameter",
279
+ "name": "Missing/Broken State Parameter",
280
+ "type": "variant",
281
+ "priority": null
282
+ },
283
+ {
284
+ "id": "insecure_redirect_uri",
285
+ "name": "Insecure Redirect URI",
286
+ "type": "variant",
287
+ "priority": null
288
+ }
289
+ ]
290
+ },
291
+ {
292
+ "id": "captcha_bypass",
293
+ "name": "Captcha Bypass",
294
+ "type": "subcategory",
295
+ "children": [
296
+ {
297
+ "id": "implementation_vulnerability",
298
+ "name": "Implementation Vulnerability",
299
+ "type": "variant",
300
+ "priority": 4
301
+ },
302
+ {
303
+ "id": "brute_force",
304
+ "name": "Brute Force",
305
+ "type": "variant",
306
+ "priority": 5
307
+ }
308
+ ]
309
+ },
310
+ {
311
+ "id": "exposed_admin_portal",
312
+ "name": "Exposed Admin Portal",
313
+ "type": "subcategory",
314
+ "children": [
315
+ {
316
+ "id": "to_internet",
317
+ "name": "To Internet",
318
+ "type": "variant",
319
+ "priority": 5
320
+ }
321
+ ]
322
+ },
323
+ {
324
+ "id": "missing_dnssec",
325
+ "name": "Missing DNSSEC",
326
+ "type": "subcategory",
327
+ "priority": 5
328
+ },
329
+ {
330
+ "id": "fingerprinting_banner_disclosure",
331
+ "name": "Fingerprinting/Banner Disclosure",
332
+ "type": "subcategory",
333
+ "priority": 5
334
+ },
335
+ {
336
+ "id": "username_enumeration",
337
+ "name": "Username Enumeration",
338
+ "type": "subcategory",
339
+ "children": [
340
+ {
341
+ "id": "brute_force",
342
+ "name": "Brute Force",
343
+ "type": "variant",
344
+ "priority": 5
345
+ }
346
+ ]
347
+ },
348
+ {
349
+ "id": "potentially_unsafe_http_method_enabled",
350
+ "name": "Potentially Unsafe HTTP Method Enabled",
351
+ "type": "subcategory",
352
+ "children": [
353
+ {
354
+ "id": "options",
355
+ "name": "OPTIONS",
356
+ "type": "variant",
357
+ "priority": 5
358
+ },
359
+ {
360
+ "id": "trace",
361
+ "name": "TRACE",
362
+ "type": "variant",
363
+ "priority": 5
364
+ }
365
+ ]
366
+ },
367
+ {
368
+ "id": "insecure_ssl",
369
+ "name": "Insecure SSL",
370
+ "type": "subcategory",
371
+ "children": [
372
+ {
373
+ "id": "lack_of_forward_secrecy",
374
+ "name": "Lack of Forward Secrecy",
375
+ "type": "variant",
376
+ "priority": 5
377
+ },
378
+ {
379
+ "id": "insecure_cipher_suite",
380
+ "name": "Insecure Cipher Suite",
381
+ "type": "variant",
382
+ "priority": 5
383
+ }
384
+ ]
385
+ },
386
+ {
387
+ "id": "rfd",
388
+ "name": "Reflected File Download (RFD)",
389
+ "type": "subcategory",
390
+ "priority": 5
391
+ },
392
+ {
393
+ "id": "lack_of_security_headers",
394
+ "name": "Lack of Security Headers",
395
+ "type": "subcategory",
396
+ "children": [
397
+ {
398
+ "id": "x_frame_options",
399
+ "name": "X-Frame-Options",
400
+ "type": "variant",
401
+ "priority": 5
402
+ },
403
+ {
404
+ "id": "cache_control_for_a_non_sensitive_page",
405
+ "name": "Cache-Control for a Non-Sensitive Page",
406
+ "type": "variant",
407
+ "priority": 5
408
+ },
409
+ {
410
+ "id": "x_xss_protection",
411
+ "name": "X-XSS-Protection",
412
+ "type": "variant",
413
+ "priority": 5
414
+ },
415
+ {
416
+ "id": "strict_transport_security",
417
+ "name": "Strict-Transport-Security",
418
+ "type": "variant",
419
+ "priority": 5
420
+ },
421
+ {
422
+ "id": "x_content_type_options",
423
+ "name": "X-Content-Type-Options",
424
+ "type": "variant",
425
+ "priority": 5
426
+ },
427
+ {
428
+ "id": "content_security_policy",
429
+ "name": "Content-Security-Policy",
430
+ "type": "variant",
431
+ "priority": 5
432
+ },
433
+ {
434
+ "id": "public_key_pins",
435
+ "name": "Public-Key-Pins",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "x_content_security_policy",
441
+ "name": "X-Content-Security-Policy",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "x_webkit_csp",
447
+ "name": "X-Webkit-CSP",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "content_security_policy_report_only",
453
+ "name": "Content-Security-Policy-Report-Only",
454
+ "type": "variant",
455
+ "priority": 5
456
+ },
457
+ {
458
+ "id": "cache_control_for_a_sensitive_page",
459
+ "name": "Cache-Control for a Sensitive Page",
460
+ "type": "variant",
461
+ "priority": 4
462
+ }
463
+ ]
464
+ },
465
+ {
466
+ "id": "bitsquatting",
467
+ "name": "Bitsquatting",
468
+ "type": "subcategory",
469
+ "priority": 5
470
+ }
471
+ ]
472
+ },
473
+ {
474
+ "id": "server_side_injection",
475
+ "name": "Server-Side Injection",
476
+ "type": "category",
477
+ "children": [
478
+ {
479
+ "id": "file_inclusion",
480
+ "name": "File Inclusion",
481
+ "type": "subcategory",
482
+ "children": [
483
+ {
484
+ "id": "local",
485
+ "name": "Local",
486
+ "type": "variant",
487
+ "priority": 1
488
+ }
489
+ ]
490
+ },
491
+ {
492
+ "id": "parameter_pollution",
493
+ "name": "Parameter Pollution",
494
+ "type": "subcategory",
495
+ "children": [
496
+ {
497
+ "id": "social_media_sharing_buttons",
498
+ "name": "Social Media Sharing Buttons",
499
+ "type": "variant",
500
+ "priority": 5
501
+ }
502
+ ]
503
+ },
504
+ {
505
+ "id": "remote_code_execution_rce",
506
+ "name": "Remote Code Execution (RCE)",
507
+ "type": "subcategory",
508
+ "priority": 1
509
+ },
510
+ {
511
+ "id": "sql_injection",
512
+ "name": "SQL Injection",
513
+ "type": "subcategory",
514
+ "priority": 1
515
+ },
516
+ {
517
+ "id": "xml_external_entity_injection_xxe",
518
+ "name": "XML External Entity Injection (XXE)",
519
+ "type": "subcategory",
520
+ "priority": 1
521
+ },
522
+ {
523
+ "id": "http_response_manipulation",
524
+ "name": "HTTP Response Manipulation",
525
+ "type": "subcategory",
526
+ "children": [
527
+ {
528
+ "id": "response_splitting_crlf",
529
+ "name": "Response Splitting (CRLF)",
530
+ "type": "variant",
531
+ "priority": 3
532
+ }
533
+ ]
534
+ },
535
+ {
536
+ "id": "content_spoofing",
537
+ "name": "Content Spoofing",
538
+ "type": "subcategory",
539
+ "children": [
540
+ {
541
+ "id": "iframe_injection",
542
+ "name": "iframe Injection",
543
+ "type": "variant",
544
+ "priority": 3
545
+ },
546
+ {
547
+ "id": "external_authentication_injection",
548
+ "name": "External Authentication Injection",
549
+ "type": "variant",
550
+ "priority": 4
551
+ },
552
+ {
553
+ "id": "email_html_injection",
554
+ "name": "Email HTML Injection",
555
+ "type": "variant",
556
+ "priority": 4
557
+ },
558
+ {
559
+ "id": "text_injection",
560
+ "name": "Text Injection",
561
+ "type": "variant",
562
+ "priority": 5
563
+ },
564
+ {
565
+ "id": "homograph_idn_based",
566
+ "name": "Homograph/IDN-Based",
567
+ "type": "variant",
568
+ "priority": 5
569
+ },
570
+ {
571
+ "id": "rtlo",
572
+ "name": "Right-to-Left Override (RTLO)",
573
+ "type": "variant",
574
+ "priority": 5
575
+ }
576
+ ]
577
+ }
578
+ ]
579
+ },
580
+ {
581
+ "id": "broken_authentication_and_session_management",
582
+ "name": "Broken Authentication and Session Management",
583
+ "type": "category",
584
+ "children": [
585
+ {
586
+ "id": "authentication_bypass",
587
+ "name": "Authentication Bypass",
588
+ "type": "subcategory",
589
+ "priority": 1
590
+ },
591
+ {
592
+ "id": "privilege_escalation",
593
+ "name": "Privilege Escalation",
594
+ "type": "subcategory",
595
+ "priority": null
596
+ },
597
+ {
598
+ "id": "weak_login_function",
599
+ "name": "Weak Login Function",
600
+ "type": "subcategory",
601
+ "children": [
602
+ {
603
+ "id": "not_operational",
604
+ "name": "Not Operational or Intended Public Access",
605
+ "type": "variant",
606
+ "priority": 5
607
+ },
608
+ {
609
+ "id": "other_plaintext_protocol_no_secure_alternative",
610
+ "name": "Other Plaintext Protocol with no Secure Alternative",
611
+ "type": "variant",
612
+ "priority": 4
613
+ },
614
+ {
615
+ "id": "lan_only",
616
+ "name": "LAN Only",
617
+ "type": "variant",
618
+ "priority": 4
619
+ },
620
+ {
621
+ "id": "http_and_https_available",
622
+ "name": "HTTP and HTTPS Available",
623
+ "type": "variant",
624
+ "priority": 4
625
+ },
626
+ {
627
+ "id": "https_not_available_or_http_by_default",
628
+ "name": "HTTPS not Available or HTTP by Default",
629
+ "type": "variant",
630
+ "priority": 3
631
+ }
632
+ ]
633
+ },
634
+ {
635
+ "id": "session_fixation",
636
+ "name": "Session Fixation",
637
+ "type": "subcategory",
638
+ "priority": 3
639
+ },
640
+ {
641
+ "id": "failure_to_invalidate_session",
642
+ "name": "Failure to Invalidate Session",
643
+ "type": "subcategory",
644
+ "children": [
645
+ {
646
+ "id": "on_logout",
647
+ "name": "On Logout (Client and Server-Side)",
648
+ "type": "variant",
649
+ "priority": 4
650
+ },
651
+ {
652
+ "id": "on_logout_server_side_only",
653
+ "name": "On Logout (Server-Side Only)",
654
+ "type": "variant",
655
+ "priority": 5
656
+ },
657
+ {
658
+ "id": "on_password_change",
659
+ "name": "On Password Reset and/or Change",
660
+ "type": "variant",
661
+ "priority": 4
662
+ },
663
+ {
664
+ "id": "all_sessions",
665
+ "name": "Concurrent Sessions On Logout",
666
+ "type": "variant",
667
+ "priority": 5
668
+ },
669
+ {
670
+ "id": "on_email_change",
671
+ "name": "On Email Change",
672
+ "type": "variant",
673
+ "priority": 5
674
+ },
675
+ {
676
+ "id": "long_timeout",
677
+ "name": "Long Timeout",
678
+ "type": "variant",
679
+ "priority": 5
680
+ }
681
+ ]
682
+ },
683
+ {
684
+ "id": "concurrent_logins",
685
+ "name": "Concurrent Logins",
686
+ "type": "subcategory",
687
+ "priority": 5
688
+ },
689
+ {
690
+ "id": "weak_registration_implementation",
691
+ "name": "Weak Registration Implementation",
692
+ "type": "subcategory",
693
+ "children": [
694
+ {
695
+ "id": "over_http",
696
+ "name": "Over HTTP",
697
+ "type": "variant",
698
+ "priority": 4
699
+ }
700
+ ]
701
+ }
702
+ ]
703
+ },
704
+ {
705
+ "id": "sensitive_data_exposure",
706
+ "name": "Sensitive Data Exposure",
707
+ "type": "category",
708
+ "children": [
709
+ {
710
+ "id": "critically_sensitive_data",
711
+ "name": "Critically Sensitive Data",
712
+ "type": "subcategory",
713
+ "children": [
714
+ {
715
+ "id": "password_disclosure",
716
+ "name": "Password Disclosure",
717
+ "type": "variant",
718
+ "priority": 1
719
+ },
720
+ {
721
+ "id": "private_api_keys",
722
+ "name": "Private API Keys",
723
+ "type": "variant",
724
+ "priority": 1
725
+ }
726
+ ]
727
+ },
728
+ {
729
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
730
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
731
+ "type": "subcategory",
732
+ "children": [
733
+ {
734
+ "id": "automatic_user_enumeration",
735
+ "name": "Automatic User Enumeration",
736
+ "type": "variant",
737
+ "priority": 3
738
+ },
739
+ {
740
+ "id": "manual_user_enumeration",
741
+ "name": "Manual User Enumeration",
742
+ "type": "variant",
743
+ "priority": 4
744
+ }
745
+ ]
746
+ },
747
+ {
748
+ "id": "visible_detailed_error_page",
749
+ "name": "Visible Detailed Error/Debug Page",
750
+ "type": "subcategory",
751
+ "children": [
752
+ {
753
+ "id": "detailed_server_configuration",
754
+ "name": "Detailed Server Configuration",
755
+ "type": "variant",
756
+ "priority": 4
757
+ },
758
+ {
759
+ "id": "full_path_disclosure",
760
+ "name": "Full Path Disclosure",
761
+ "type": "variant",
762
+ "priority": 5
763
+ },
764
+ {
765
+ "id": "descriptive_stack_trace",
766
+ "name": "Descriptive Stack Trace",
767
+ "type": "variant",
768
+ "priority": 5
769
+ }
770
+ ]
771
+ },
772
+ {
773
+ "id": "disclosure_of_known_public_information",
774
+ "name": "Disclosure of Known Public Information",
775
+ "type": "subcategory",
776
+ "priority": 5
777
+ },
778
+ {
779
+ "id": "token_leakage_via_referer",
780
+ "name": "Token Leakage via Referer",
781
+ "type": "subcategory",
782
+ "children": [
783
+ {
784
+ "id": "trusted_3rd_party",
785
+ "name": "Trusted 3rd Party",
786
+ "type": "variant",
787
+ "priority": 5
788
+ },
789
+ {
790
+ "id": "untrusted_3rd_party",
791
+ "name": "Untrusted 3rd Party",
792
+ "type": "variant",
793
+ "priority": 4
794
+ },
795
+ {
796
+ "id": "over_http",
797
+ "name": "Over HTTP",
798
+ "type": "variant",
799
+ "priority": 4
800
+ }
801
+ ]
802
+ },
803
+ {
804
+ "id": "sensitive_token_in_url",
805
+ "name": "Sensitive Token in URL",
806
+ "type": "subcategory",
807
+ "children": [
808
+ {
809
+ "id": "user_facing",
810
+ "name": "User Facing",
811
+ "type": "variant",
812
+ "priority": 4
813
+ },
814
+ {
815
+ "id": "in_the_background",
816
+ "name": "In the Background",
817
+ "type": "variant",
818
+ "priority": 5
819
+ },
820
+ {
821
+ "id": "on_password_reset",
822
+ "name": "On Password Reset",
823
+ "type": "variant",
824
+ "priority": 5
825
+ }
826
+ ]
827
+ },
828
+ {
829
+ "id": "non_sensitive_token_in_url",
830
+ "name": "Non-Sensitive Token in URL",
831
+ "type": "subcategory",
832
+ "priority": 5
833
+ },
834
+ {
835
+ "id": "weak_password_reset_implementation",
836
+ "name": "Weak Password Reset Implementation",
837
+ "type": "subcategory",
838
+ "children": [
839
+ {
840
+ "id": "password_reset_token_sent_over_http",
841
+ "name": "Password Reset Token Sent Over HTTP",
842
+ "type": "variant",
843
+ "priority": 4
844
+ }
845
+ ]
846
+ },
847
+ {
848
+ "id": "mixed_content",
849
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
850
+ "type": "subcategory",
851
+ "priority": 5
852
+ },
853
+ {
854
+ "id": "sensitive_data_hardcoded",
855
+ "name": "Sensitive Data Hardcoded",
856
+ "type": "subcategory",
857
+ "children": [
858
+ {
859
+ "id": "oauth_secret",
860
+ "name": "OAuth Secret",
861
+ "type": "variant",
862
+ "priority": 5
863
+ },
864
+ {
865
+ "id": "file_paths",
866
+ "name": "File Paths",
867
+ "type": "variant",
868
+ "priority": 5
869
+ }
870
+ ]
871
+ },
872
+ {
873
+ "id": "internal_ip_disclosure",
874
+ "name": "Internal IP Disclosure",
875
+ "type": "subcategory",
876
+ "priority": 5
877
+ },
878
+ {
879
+ "id": "xssi",
880
+ "name": "Cross Site Script Inclusion (XSSI)",
881
+ "type": "subcategory",
882
+ "priority": null
883
+ },
884
+ {
885
+ "id": "json_hijacking",
886
+ "name": "JSON Hijacking",
887
+ "type": "subcategory",
888
+ "priority": 5
889
+ }
890
+ ]
891
+ },
892
+ {
893
+ "id": "cross_site_scripting_xss",
894
+ "name": "Cross-Site Scripting (XSS)",
895
+ "type": "category",
896
+ "children": [
897
+ {
898
+ "id": "stored",
899
+ "name": "Stored",
900
+ "type": "subcategory",
901
+ "children": [
902
+ {
903
+ "id": "non_admin_to_anyone",
904
+ "name": "Non-Admin to Anyone",
905
+ "type": "variant",
906
+ "priority": 2
907
+ },
908
+ {
909
+ "id": "admin_to_anyone",
910
+ "name": "Admin to Anyone",
911
+ "type": "variant",
912
+ "priority": 3
913
+ },
914
+ {
915
+ "id": "url_based",
916
+ "name": "CSRF/URL-Based",
917
+ "type": "variant",
918
+ "priority": 3
919
+ },
920
+ {
921
+ "id": "self",
922
+ "name": "Self",
923
+ "type": "variant",
924
+ "priority": 5
925
+ }
926
+ ]
927
+ },
928
+ {
929
+ "id": "reflected",
930
+ "name": "Reflected",
931
+ "type": "subcategory",
932
+ "children": [
933
+ {
934
+ "id": "non_self",
935
+ "name": "Non-Self",
936
+ "type": "variant",
937
+ "priority": 3
938
+ },
939
+ {
940
+ "id": "self",
941
+ "name": "Self",
942
+ "type": "variant",
943
+ "priority": 5
944
+ }
945
+ ]
946
+ },
947
+ {
948
+ "id": "cookie_based",
949
+ "name": "Cookie-Based",
950
+ "type": "subcategory",
951
+ "priority": 5
952
+ },
953
+ {
954
+ "id": "ie_only",
955
+ "name": "IE-Only",
956
+ "type": "subcategory",
957
+ "children": [
958
+ {
959
+ "id": "ie11",
960
+ "name": "IE11",
961
+ "type": "variant",
962
+ "priority": 4
963
+ },
964
+ {
965
+ "id": "xss_filter_disabled",
966
+ "name": "XSS Filter Disabled",
967
+ "type": "variant",
968
+ "priority": 5
969
+ },
970
+ {
971
+ "id": "older_version_ie11",
972
+ "name": "Older Version (< IE11)",
973
+ "type": "variant",
974
+ "priority": 5
975
+ }
976
+ ]
977
+ },
978
+ {
979
+ "id": "referer",
980
+ "name": "Referer",
981
+ "type": "subcategory",
982
+ "priority": 4
983
+ },
984
+ {
985
+ "id": "trace_method",
986
+ "name": "TRACE Method",
987
+ "type": "subcategory",
988
+ "priority": 5
989
+ },
990
+ {
991
+ "id": "universal_uxss",
992
+ "name": "Universal (UXSS)",
993
+ "type": "subcategory",
994
+ "priority": 4
995
+ },
996
+ {
997
+ "id": "off_domain",
998
+ "name": "Off-Domain",
999
+ "type": "subcategory",
1000
+ "children": [
1001
+ {
1002
+ "id": "data_uri",
1003
+ "name": "Data URI",
1004
+ "type": "variant",
1005
+ "priority": 4
1006
+ }
1007
+ ]
1008
+ }
1009
+ ]
1010
+ },
1011
+ {
1012
+ "id": "broken_access_control",
1013
+ "name": "Broken Access Control (BAC)",
1014
+ "type": "category",
1015
+ "children": [
1016
+ {
1017
+ "id": "idor",
1018
+ "name": "Insecure Direct Object References (IDOR)",
1019
+ "type": "subcategory",
1020
+ "priority": null
1021
+ },
1022
+ {
1023
+ "id": "server_side_request_forgery_ssrf",
1024
+ "name": "Server-Side Request Forgery (SSRF)",
1025
+ "type": "subcategory",
1026
+ "children": [
1027
+ {
1028
+ "id": "internal",
1029
+ "name": "Internal",
1030
+ "type": "variant",
1031
+ "priority": 2
1032
+ },
1033
+ {
1034
+ "id": "external",
1035
+ "name": "External",
1036
+ "type": "variant",
1037
+ "priority": 4
1038
+ }
1039
+ ]
1040
+ },
1041
+ {
1042
+ "id": "username_enumeration",
1043
+ "name": "Username Enumeration",
1044
+ "type": "subcategory",
1045
+ "children": [
1046
+ {
1047
+ "id": "data_leak",
1048
+ "name": "Data Leak",
1049
+ "type": "variant",
1050
+ "priority": 4
1051
+ }
1052
+ ]
1053
+ },
1054
+ {
1055
+ "id": "exposed_sensitive_android_intent",
1056
+ "name": "Exposed Sensitive Android Intent",
1057
+ "type": "subcategory",
1058
+ "priority": null
1059
+ },
1060
+ {
1061
+ "id": "exposed_sensitive_ios_url_scheme",
1062
+ "name": "Exposed Sensitive iOS URL Scheme",
1063
+ "type": "subcategory",
1064
+ "priority": null
1065
+ }
1066
+ ]
1067
+ },
1068
+ {
1069
+ "id": "cross_site_request_forgery_csrf",
1070
+ "name": "Cross-Site Request Forgery (CSRF)",
1071
+ "type": "category",
1072
+ "children": [
1073
+ {
1074
+ "id": "application_wide",
1075
+ "name": "Application-Wide",
1076
+ "type": "subcategory",
1077
+ "priority": 2
1078
+ },
1079
+ {
1080
+ "id": "action_specific",
1081
+ "name": "Action-Specific",
1082
+ "type": "subcategory",
1083
+ "children": [
1084
+ {
1085
+ "id": "authenticated_action",
1086
+ "name": "Authenticated Action",
1087
+ "type": "variant",
1088
+ "priority": null
1089
+ },
1090
+ {
1091
+ "id": "unauthenticated_action",
1092
+ "name": "Unauthenticated Action",
1093
+ "type": "variant",
1094
+ "priority": null
1095
+ },
1096
+ {
1097
+ "id": "logout",
1098
+ "name": "Logout",
1099
+ "type": "variant",
1100
+ "priority": 5
1101
+ }
1102
+ ]
1103
+ }
1104
+ ]
1105
+ },
1106
+ {
1107
+ "id": "application_level_denial_of_service_dos",
1108
+ "name": "Application-Level Denial-of-Service (DoS)",
1109
+ "type": "category",
1110
+ "children": [
1111
+ {
1112
+ "id": "critical_impact_and_or_easy_difficulty",
1113
+ "name": "Critical Impact and/or Easy Difficulty",
1114
+ "type": "subcategory",
1115
+ "priority": 2
1116
+ },
1117
+ {
1118
+ "id": "high_impact_and_or_medium_difficulty",
1119
+ "name": "High Impact and/or Medium Difficulty",
1120
+ "type": "subcategory",
1121
+ "priority": 3
1122
+ },
1123
+ {
1124
+ "id": "app_crash",
1125
+ "name": "App Crash",
1126
+ "type": "subcategory",
1127
+ "children": [
1128
+ {
1129
+ "id": "malformed_android_intents",
1130
+ "name": "Malformed Android Intents",
1131
+ "type": "variant",
1132
+ "priority": 5
1133
+ },
1134
+ {
1135
+ "id": "malformed_ios_url_schemes",
1136
+ "name": "Malformed iOS URL Schemes",
1137
+ "type": "variant",
1138
+ "priority": 5
1139
+ }
1140
+ ]
1141
+ }
1142
+ ]
1143
+ },
1144
+ {
1145
+ "id": "unvalidated_redirects_and_forwards",
1146
+ "name": "Unvalidated Redirects and Forwards",
1147
+ "type": "category",
1148
+ "children": [
1149
+ {
1150
+ "id": "open_redirect",
1151
+ "name": "Open Redirect",
1152
+ "type": "subcategory",
1153
+ "children": [
1154
+ {
1155
+ "id": "get_based",
1156
+ "name": "GET-Based",
1157
+ "type": "variant",
1158
+ "priority": 4
1159
+ },
1160
+ {
1161
+ "id": "post_based",
1162
+ "name": "POST-Based",
1163
+ "type": "variant",
1164
+ "priority": 5
1165
+ },
1166
+ {
1167
+ "id": "header_based",
1168
+ "name": "Header-Based",
1169
+ "type": "variant",
1170
+ "priority": 5
1171
+ }
1172
+ ]
1173
+ },
1174
+ {
1175
+ "id": "tabnabbing",
1176
+ "name": "Tabnabbing",
1177
+ "type": "subcategory",
1178
+ "priority": 5
1179
+ },
1180
+ {
1181
+ "id": "lack_of_security_speed_bump_page",
1182
+ "name": "Lack of Security Speed Bump Page",
1183
+ "type": "subcategory",
1184
+ "priority": 5
1185
+ }
1186
+ ]
1187
+ },
1188
+ {
1189
+ "id": "external_behavior",
1190
+ "name": "External Behavior",
1191
+ "type": "category",
1192
+ "children": [
1193
+ {
1194
+ "id": "browser_feature",
1195
+ "name": "Browser Feature",
1196
+ "type": "subcategory",
1197
+ "children": [
1198
+ {
1199
+ "id": "plaintext_password_field",
1200
+ "name": "Plaintext Password Field",
1201
+ "type": "variant",
1202
+ "priority": 5
1203
+ },
1204
+ {
1205
+ "id": "save_password",
1206
+ "name": "Save Password",
1207
+ "type": "variant",
1208
+ "priority": 5
1209
+ },
1210
+ {
1211
+ "id": "autocomplete_enabled",
1212
+ "name": "Autocomplete Enabled",
1213
+ "type": "variant",
1214
+ "priority": 5
1215
+ },
1216
+ {
1217
+ "id": "autocorrect_enabled",
1218
+ "name": "Autocorrect Enabled",
1219
+ "type": "variant",
1220
+ "priority": 5
1221
+ },
1222
+ {
1223
+ "id": "aggressive_offline_caching",
1224
+ "name": "Aggressive Offline Caching",
1225
+ "type": "variant",
1226
+ "priority": 5
1227
+ }
1228
+ ]
1229
+ },
1230
+ {
1231
+ "id": "csv_injection",
1232
+ "name": "CSV Injection",
1233
+ "type": "subcategory",
1234
+ "priority": 5
1235
+ },
1236
+ {
1237
+ "id": "captcha_bypass",
1238
+ "name": "Captcha Bypass",
1239
+ "type": "subcategory",
1240
+ "children": [
1241
+ {
1242
+ "id": "crowdsourcing",
1243
+ "name": "Crowdsourcing",
1244
+ "type": "variant",
1245
+ "priority": 5
1246
+ }
1247
+ ]
1248
+ },
1249
+ {
1250
+ "id": "system_clipboard_leak",
1251
+ "name": "System Clipboard Leak",
1252
+ "type": "subcategory",
1253
+ "children": [
1254
+ {
1255
+ "id": "shared_links",
1256
+ "name": "Shared Links",
1257
+ "type": "variant",
1258
+ "priority": 5
1259
+ }
1260
+ ]
1261
+ },
1262
+ {
1263
+ "id": "user_password_persisted_in_memory",
1264
+ "name": "User Password Persisted in Memory",
1265
+ "type": "subcategory",
1266
+ "priority": 5
1267
+ }
1268
+ ]
1269
+ },
1270
+ {
1271
+ "id": "insufficient_security_configurability",
1272
+ "name": "Insufficient Security Configurability",
1273
+ "type": "category",
1274
+ "children": [
1275
+ {
1276
+ "id": "weak_password_policy",
1277
+ "name": "Weak Password Policy",
1278
+ "type": "subcategory",
1279
+ "priority": 5
1280
+ },
1281
+ {
1282
+ "id": "no_password_policy",
1283
+ "name": "No Password Policy",
1284
+ "type": "subcategory",
1285
+ "priority": 4
1286
+ },
1287
+ {
1288
+ "id": "weak_password_reset_implementation",
1289
+ "name": "Weak Password Reset Implementation",
1290
+ "type": "subcategory",
1291
+ "children": [
1292
+ {
1293
+ "id": "token_is_not_invalidated_after_use",
1294
+ "name": "Token is Not Invalidated After Use",
1295
+ "type": "variant",
1296
+ "priority": 4
1297
+ },
1298
+ {
1299
+ "id": "token_is_not_invalidated_after_email_change",
1300
+ "name": "Token is Not Invalidated After Email Change",
1301
+ "type": "variant",
1302
+ "priority": 5
1303
+ },
1304
+ {
1305
+ "id": "token_is_not_invalidated_after_password_change",
1306
+ "name": "Token is Not Invalidated After Password Change",
1307
+ "type": "variant",
1308
+ "priority": 5
1309
+ },
1310
+ {
1311
+ "id": "token_has_long_timed_expiry",
1312
+ "name": "Token Has Long Timed Expiry",
1313
+ "type": "variant",
1314
+ "priority": 5
1315
+ },
1316
+ {
1317
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1318
+ "name": "Token is Not Invalidated After New Token is Requested",
1319
+ "type": "variant",
1320
+ "priority": 5
1321
+ },
1322
+ {
1323
+ "id": "token_is_not_invalidated_after_login",
1324
+ "name": "Token is Not Invalidated After Login",
1325
+ "type": "variant",
1326
+ "priority": 5
1327
+ }
1328
+ ]
1329
+ },
1330
+ {
1331
+ "id": "lack_of_verification_email",
1332
+ "name": "Lack of Verification Email",
1333
+ "type": "subcategory",
1334
+ "priority": 5
1335
+ },
1336
+ {
1337
+ "id": "lack_of_notification_email",
1338
+ "name": "Lack of Notification Email",
1339
+ "type": "subcategory",
1340
+ "priority": 5
1341
+ },
1342
+ {
1343
+ "id": "weak_registration_implementation",
1344
+ "name": "Weak Registration Implementation",
1345
+ "type": "subcategory",
1346
+ "children": [
1347
+ {
1348
+ "id": "allows_disposable_email_addresses",
1349
+ "name": "Allows Disposable Email Addresses",
1350
+ "type": "variant",
1351
+ "priority": 5
1352
+ }
1353
+ ]
1354
+ },
1355
+ {
1356
+ "id": "weak_2fa_implementation",
1357
+ "name": "Weak 2FA Implementation",
1358
+ "type": "subcategory",
1359
+ "children": [
1360
+ {
1361
+ "id": "missing_failsafe",
1362
+ "name": "Missing Failsafe",
1363
+ "type": "variant",
1364
+ "priority": 5
1365
+ }
1366
+ ]
1367
+ }
1368
+ ]
1369
+ },
1370
+ {
1371
+ "id": "using_components_with_known_vulnerabilities",
1372
+ "name": "Using Components with Known Vulnerabilities",
1373
+ "type": "category",
1374
+ "children": [
1375
+ {
1376
+ "id": "rosetta_flash",
1377
+ "name": "Rosetta Flash",
1378
+ "type": "subcategory",
1379
+ "priority": 4
1380
+ },
1381
+ {
1382
+ "id": "outdated_software_version",
1383
+ "name": "Outdated Software Version",
1384
+ "type": "subcategory",
1385
+ "priority": 5
1386
+ },
1387
+ {
1388
+ "id": "captcha_bypass",
1389
+ "name": "Captcha Bypass",
1390
+ "type": "subcategory",
1391
+ "children": [
1392
+ {
1393
+ "id": "ocr_optical_character_recognition",
1394
+ "name": "OCR (Optical Character Recognition)",
1395
+ "type": "variant",
1396
+ "priority": 5
1397
+ }
1398
+ ]
1399
+ }
1400
+ ]
1401
+ },
1402
+ {
1403
+ "id": "insecure_data_storage",
1404
+ "name": "Insecure Data Storage",
1405
+ "type": "category",
1406
+ "children": [
1407
+ {
1408
+ "id": "sensitive_application_data_stored_unencrypted",
1409
+ "name": "Sensitive Application Data Stored Unencrypted",
1410
+ "type": "subcategory",
1411
+ "children": [
1412
+ {
1413
+ "id": "on_external_storage",
1414
+ "name": "On External Storage",
1415
+ "type": "variant",
1416
+ "priority": 4
1417
+ },
1418
+ {
1419
+ "id": "on_internal_storage",
1420
+ "name": "On Internal Storage",
1421
+ "type": "variant",
1422
+ "priority": 5
1423
+ }
1424
+ ]
1425
+ },
1426
+ {
1427
+ "id": "server_side_credentials_storage",
1428
+ "name": "Server-Side Credentials Storage",
1429
+ "type": "subcategory",
1430
+ "children": [
1431
+ {
1432
+ "id": "plaintext",
1433
+ "name": "Plaintext",
1434
+ "type": "variant",
1435
+ "priority": 4
1436
+ }
1437
+ ]
1438
+ },
1439
+ {
1440
+ "id": "non_sensitive_application_data_stored_unencrypted",
1441
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1442
+ "type": "subcategory",
1443
+ "priority": 5
1444
+ },
1445
+ {
1446
+ "id": "screen_caching_enabled",
1447
+ "name": "Screen Caching Enabled",
1448
+ "type": "subcategory",
1449
+ "priority": 5
1450
+ }
1451
+ ]
1452
+ },
1453
+ {
1454
+ "id": "lack_of_binary_hardening",
1455
+ "name": "Lack of Binary Hardening",
1456
+ "type": "category",
1457
+ "children": [
1458
+ {
1459
+ "id": "lack_of_exploit_mitigations",
1460
+ "name": "Lack of Exploit Mitigations",
1461
+ "type": "subcategory",
1462
+ "priority": 5
1463
+ },
1464
+ {
1465
+ "id": "lack_of_jailbreak_detection",
1466
+ "name": "Lack of Jailbreak Detection",
1467
+ "type": "subcategory",
1468
+ "priority": 5
1469
+ },
1470
+ {
1471
+ "id": "lack_of_obfuscation",
1472
+ "name": "Lack of Obfuscation",
1473
+ "type": "subcategory",
1474
+ "priority": 5
1475
+ },
1476
+ {
1477
+ "id": "runtime_instrumentation_based",
1478
+ "name": "Runtime Instrumentation-Based",
1479
+ "type": "subcategory",
1480
+ "priority": 5
1481
+ }
1482
+ ]
1483
+ },
1484
+ {
1485
+ "id": "insecure_data_transport",
1486
+ "name": "Insecure Data Transport",
1487
+ "type": "category",
1488
+ "children": [
1489
+ {
1490
+ "id": "cleartext_transmission_of_sensitive_data",
1491
+ "name": "Cleartext Transmission of Sensitive Data",
1492
+ "type": "subcategory",
1493
+ "priority": null
1494
+ },
1495
+ {
1496
+ "id": "executable_download",
1497
+ "name": "Executable Download",
1498
+ "type": "subcategory",
1499
+ "children": [
1500
+ {
1501
+ "id": "no_secure_integrity_check",
1502
+ "name": "No Secure Integrity Check",
1503
+ "type": "variant",
1504
+ "priority": 4
1505
+ },
1506
+ {
1507
+ "id": "secure_integrity_check",
1508
+ "name": "Secure Integrity Check",
1509
+ "type": "variant",
1510
+ "priority": 5
1511
+ }
1512
+ ]
1513
+ }
1514
+ ]
1515
+ },
1516
+ {
1517
+ "id": "insecure_os_firmware",
1518
+ "name": "Insecure OS/Firmware",
1519
+ "type": "category",
1520
+ "children": [
1521
+ {
1522
+ "id": "command_injection",
1523
+ "name": "Command Injection",
1524
+ "type": "subcategory",
1525
+ "priority": 1
1526
+ },
1527
+ {
1528
+ "id": "hardcoded_password",
1529
+ "name": "Hardcoded Password",
1530
+ "type": "subcategory",
1531
+ "children": [
1532
+ {
1533
+ "id": "privileged_user",
1534
+ "name": "Privileged User",
1535
+ "type": "variant",
1536
+ "priority": 1
1537
+ },
1538
+ {
1539
+ "id": "non_privileged_user",
1540
+ "name": "Non-Privileged User",
1541
+ "type": "variant",
1542
+ "priority": 2
1543
+ }
1544
+ ]
1545
+ }
1546
+ ]
1547
+ },
1548
+ {
1549
+ "id": "broken_cryptography",
1550
+ "name": "Broken Cryptography",
1551
+ "type": "category",
1552
+ "children": [
1553
+ {
1554
+ "id": "cryptographic_flaw",
1555
+ "name": "Cryptographic Flaw",
1556
+ "type": "subcategory",
1557
+ "children": [
1558
+ {
1559
+ "id": "incorrect_usage",
1560
+ "name": "Incorrect Usage",
1561
+ "type": "variant",
1562
+ "priority": 1
1563
+ }
1564
+ ]
1565
+ }
1566
+ ]
1567
+ },
1568
+ {
1569
+ "id": "privacy_concerns",
1570
+ "name": "Privacy Concerns",
1571
+ "type": "category",
1572
+ "children": [
1573
+ {
1574
+ "id": "unnecessary_data_collection",
1575
+ "name": "Unnecessary Data Collection",
1576
+ "type": "subcategory",
1577
+ "children": [
1578
+ {
1579
+ "id": "wifi_ssid_password",
1580
+ "name": "WiFi SSID+Password",
1581
+ "type": "variant",
1582
+ "priority": 4
1583
+ }
1584
+ ]
1585
+ }
1586
+ ]
1587
+ },
1588
+ {
1589
+ "id": "network_security_misconfiguration",
1590
+ "name": "Network Security Misconfiguration",
1591
+ "type": "category",
1592
+ "children": [
1593
+ {
1594
+ "id": "telnet_enabled",
1595
+ "name": "Telnet Enabled",
1596
+ "type": "subcategory",
1597
+ "priority": 5
1598
+ }
1599
+ ]
1600
+ },
1601
+ {
1602
+ "id": "mobile_security_misconfiguration",
1603
+ "name": "Mobile Security Misconfiguration",
1604
+ "type": "category",
1605
+ "children": [
1606
+ {
1607
+ "id": "ssl_certificate_pinning",
1608
+ "name": "SSL Certificate Pinning",
1609
+ "type": "subcategory",
1610
+ "children": [
1611
+ {
1612
+ "id": "absent",
1613
+ "name": "Absent",
1614
+ "type": "variant",
1615
+ "priority": 5
1616
+ },
1617
+ {
1618
+ "id": "defeatable",
1619
+ "name": "Defeatable",
1620
+ "type": "variant",
1621
+ "priority": 5
1622
+ }
1623
+ ]
1624
+ },
1625
+ {
1626
+ "id": "tapjacking",
1627
+ "name": "Tapjacking",
1628
+ "type": "subcategory",
1629
+ "priority": 5
1630
+ }
1631
+ ]
1632
+ },
1633
+ {
1634
+ "id": "client_side_injection",
1635
+ "name": "Client-Side Injection",
1636
+ "type": "category",
1637
+ "children": [
1638
+ {
1639
+ "id": "binary_planting",
1640
+ "name": "Binary Planting",
1641
+ "type": "subcategory",
1642
+ "children": [
1643
+ {
1644
+ "id": "privilege_escalation",
1645
+ "name": "Default Folder Privilege Escalation",
1646
+ "type": "variant",
1647
+ "priority": 3
1648
+ },
1649
+ {
1650
+ "id": "non_default_folder_privilege_escalation",
1651
+ "name": "Non-Default Folder Privilege Escalation",
1652
+ "type": "variant",
1653
+ "priority": 5
1654
+ },
1655
+ {
1656
+ "id": "no_privilege_escalation",
1657
+ "name": "No Privilege Escalation",
1658
+ "type": "variant",
1659
+ "priority": 5
1660
+ }
1661
+ ]
1662
+ }
1663
+ ]
1664
+ }
1665
+ ]
1666
+ }