vrt 0.5.1 → 0.6.0

@@ -0,0 +1,75 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-04/schema#",
3
+ "title": "VRT to Remediation Advice",
4
+ "description": "Mapping from the Vulnerability Rating Taxonomy to Remediation Advice",
5
+ "definitions": {
6
+ "MappingMetadata": {
7
+ "type": "object",
8
+ "properties": {
9
+ "default": { "type": "null" },
10
+ "keys": { "type": "array",
11
+ "items": { "type": "string", "enum": ["remediation_advice", "references"] },
12
+ "minItems": 2,
13
+ "uniqueItems": true
14
+ }
15
+ },
16
+ "required": ["default", "keys"]
17
+ },
18
+ "VRTid": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
19
+ "RemediationAdvice": { "type": "string" },
20
+ "References": { "type" : "array",
21
+ "items" : { "type": "string", "pattern": "^http[s]?:\/\/.*$" },
22
+ "minItems": 1,
23
+ "uniqueItems": true
24
+ },
25
+ "Mapping": {
26
+ "type": "object",
27
+ "properties": {
28
+ "id": { "$ref": "#/definitions/VRTid" },
29
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
30
+ "references" : { "$ref": "#/definitions/References" }
31
+ },
32
+ "required": ["id"],
33
+ "anyOf": [
34
+ { "required": ["remediation_advice"] },
35
+ { "required": ["references"] }
36
+ ],
37
+ "additionalProperties": false
38
+ },
39
+ "MappingParent": {
40
+ "type": "object",
41
+ "properties": {
42
+ "id": { "$ref": "#/definitions/VRTid" },
43
+ "children": {
44
+ "type": "array",
45
+ "items" : {
46
+ "anyOf": [
47
+ { "$ref": "#/definitions/MappingParent" },
48
+ { "$ref": "#/definitions/Mapping" }
49
+ ]
50
+ }
51
+ },
52
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
53
+ "references" : { "$ref": "#/definitions/References" }
54
+ },
55
+ "required": ["id", "children"],
56
+ "additionalProperties": false
57
+ }
58
+ },
59
+ "type": "object",
60
+ "required": ["metadata", "content"],
61
+ "properties": {
62
+ "metadata": {
63
+ "$ref": "#/definitions/MappingMetadata"
64
+ },
65
+ "content": {
66
+ "type": "array",
67
+ "items" : {
68
+ "anyOf": [
69
+ { "$ref": "#/definitions/MappingParent" },
70
+ { "$ref": "#/definitions/Mapping" }
71
+ ]
72
+ }
73
+ }
74
+ }
75
+ }
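Review bot: `MappingParent` lets a parent node carry an empty `children` array and no advice at all, because its `children` array has no `minItems` and the definition has no `anyOf` requiring `remediation_advice` or `references`; a node like `{"id": "x", "children": []}` validates but maps nothing. Adding `"minItems": 1` to that `children` array rejects the empty case, and mirroring the `anyOf` already used by `Mapping` would enforce that a parent carries advice if that is the intent. The root object is also left open — there is no `"additionalProperties": false` beside `"required": ["metadata", "content"]` — so misspelled top-level keys pass silently. The `References` item pattern `^http[s]?:\/\/.*$` accepts plain `http://` links and any trailing characters including whitespace; if remediation links are meant to be tamper-resistant, tightening it to `^https://\S+$` is worth considering.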
@@ -0,0 +1,63 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-04/schema#",
3
+ "title": "Vulnerability Rating Taxonomy",
4
+ "description": "A Taxonomy of potential vulnerabilities with suggested technical priority rating",
5
+ "definitions": {
6
+ "VRTmetadata": {
7
+ "type": "object",
8
+ "properties": {
9
+ "release_date": { "type": "string", "format": "date-time" }
10
+ }
11
+ },
12
+ "VRT": {
13
+ "type": "object",
14
+ "properties": {
15
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
16
+ "type": { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
17
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
18
+ "priority": {
19
+ "anyOf": [
20
+ { "type": "number", "minimum": 1, "maximum": 5 },
21
+ { "type": "null" }
22
+ ]
23
+ }
24
+ },
25
+ "required": ["id", "name", "type", "priority"]
26
+ },
27
+ "VRTparent": {
28
+ "type": "object",
29
+ "properties": {
30
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
31
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
32
+ "type": { "type": "string", "enum": [ "category", "subcategory" ] },
33
+ "children": {
34
+ "type": "array",
35
+ "items" : {
36
+ "anyOf": [
37
+ { "$ref": "#/definitions/VRTparent" },
38
+ { "$ref": "#/definitions/VRT" }
39
+ ]
40
+ },
41
+ "minItems": 1
42
+ }
43
+ },
44
+ "required": ["id", "name", "type", "children"]
45
+ }
46
+ },
47
+ "type": "object",
48
+ "required": ["metadata", "content"],
49
+ "properties": {
50
+ "metadata": {
51
+ "$ref": "#/definitions/VRTmetadata"
52
+ },
53
+ "content": {
54
+ "type": "array",
55
+ "items" : {
56
+ "anyOf": [
57
+ { "$ref": "#/definitions/VRTparent" },
58
+ { "$ref": "#/definitions/VRT" }
59
+ ]
60
+ }
61
+ }
62
+ }
63
+ }
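Review bot: Neither `VRT` nor `VRTparent` closes its object with `"additionalProperties": false`, so a node that has `id`, `name`, `type` and `priority` plus a `children` array satisfies `VRT` under the `anyOf`, and its children are never validated — a typo such as `"childern"` or a variant that accidentally gained children would pass. Adding `"additionalProperties": false` to both definitions makes the two `anyOf` branches disjoint and lets the validator reach every nested node. `priority` is declared `"type": "number"`, which admits values like `2.5`; since the taxonomy uses whole ratings 1–5, `{ "type": "integer", "minimum": 1, "maximum": 5 }` is the intended constraint. `release_date` is optional and `"format": "date-time"` is only an annotation in draft-04 validators unless format checking is enabled, so `"required": ["release_date"]` on `VRTmetadata` is worth adding.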
@@ -0,0 +1,1783 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2018-09-13T18:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "priority": 1
59
+ },
60
+ {
61
+ "id": "misconfigured_dns",
62
+ "name": "Misconfigured DNS",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "basic_subdomain_takeover",
67
+ "name": "Basic Subdomain Takeover",
68
+ "type": "variant",
69
+ "priority": 3
70
+ },
71
+ {
72
+ "id": "high_impact_subdomain_takeover",
73
+ "name": "High Impact Subdomain Takeover",
74
+ "type": "variant",
75
+ "priority": 2
76
+ },
77
+ {
78
+ "id": "zone_transfer",
79
+ "name": "Zone Transfer",
80
+ "type": "variant",
81
+ "priority": 4
82
+ },
83
+ {
84
+ "id": "missing_caa_record",
85
+ "name": "Missing Certification Authority Authorization (CAA) Record",
86
+ "type": "variant",
87
+ "priority": 5
88
+ }
89
+ ]
90
+ },
91
+ {
92
+ "id": "mail_server_misconfiguration",
93
+ "name": "Mail Server Misconfiguration",
94
+ "type": "subcategory",
95
+ "children": [
96
+ {
97
+ "id": "email_spoofing_on_email_domain",
98
+ "name": "Email Spoofing on Email Domain",
99
+ "type": "variant",
100
+ "priority": 3
101
+ },
102
+ {
103
+ "id": "missing_spf_on_non_email_domain",
104
+ "name": "Missing SPF on Non-Email Domain",
105
+ "type": "variant",
106
+ "priority": 5
107
+ },
108
+ {
109
+ "id": "spf_uses_a_soft_fail",
110
+ "name": "SPF Uses a Soft Fail",
111
+ "type": "variant",
112
+ "priority": 5
113
+ },
114
+ {
115
+ "id": "spf_includes_10_lookups",
116
+ "name": "SPF Includes More Than 10 Lookups",
117
+ "type": "variant",
118
+ "priority": 5
119
+ },
120
+ {
121
+ "id": "missing_dmarc",
122
+ "name": "Missing DKIM/DMARC",
123
+ "type": "variant",
124
+ "priority": 5
125
+ }
126
+ ]
127
+ },
128
+ {
129
+ "id": "dbms_misconfiguration",
130
+ "name": "Database Management System (DBMS) Misconfiguration",
131
+ "type": "subcategory",
132
+ "children": [
133
+ {
134
+ "id": "excessively_privileged_user_dba",
135
+ "name": "Excessively Privileged User / DBA",
136
+ "type": "variant",
137
+ "priority": 4
138
+ }
139
+ ]
140
+ },
141
+ {
142
+ "id": "lack_of_password_confirmation",
143
+ "name": "Lack of Password Confirmation",
144
+ "type": "subcategory",
145
+ "children": [
146
+ {
147
+ "id": "change_email_address",
148
+ "name": "Change Email Address",
149
+ "type": "variant",
150
+ "priority": 5
151
+ },
152
+ {
153
+ "id": "change_password",
154
+ "name": "Change Password",
155
+ "type": "variant",
156
+ "priority": 5
157
+ },
158
+ {
159
+ "id": "delete_account",
160
+ "name": "Delete Account",
161
+ "type": "variant",
162
+ "priority": 4
163
+ },
164
+ {
165
+ "id": "manage_two_fa",
166
+ "name": "Manage 2FA",
167
+ "type": "variant",
168
+ "priority": 5
169
+ }
170
+ ]
171
+ },
172
+ {
173
+ "id": "no_rate_limiting_on_form",
174
+ "name": "No Rate Limiting on Form",
175
+ "type": "subcategory",
176
+ "children": [
177
+ {
178
+ "id": "registration",
179
+ "name": "Registration",
180
+ "type": "variant",
181
+ "priority": 4
182
+ },
183
+ {
184
+ "id": "login",
185
+ "name": "Login",
186
+ "type": "variant",
187
+ "priority": 4
188
+ },
189
+ {
190
+ "id": "email_triggering",
191
+ "name": "Email-Triggering",
192
+ "type": "variant",
193
+ "priority": 4
194
+ },
195
+ {
196
+ "id": "sms_triggering",
197
+ "name": "SMS-Triggering",
198
+ "type": "variant",
199
+ "priority": 4
200
+ }
201
+ ]
202
+ },
203
+ {
204
+ "id": "unsafe_file_upload",
205
+ "name": "Unsafe File Upload",
206
+ "type": "subcategory",
207
+ "children": [
208
+ {
209
+ "id": "no_antivirus",
210
+ "name": "No Antivirus",
211
+ "type": "variant",
212
+ "priority": 5
213
+ },
214
+ {
215
+ "id": "no_size_limit",
216
+ "name": "No Size Limit",
217
+ "type": "variant",
218
+ "priority": 5
219
+ },
220
+ {
221
+ "id": "file_extension_filter_bypass",
222
+ "name": "File Extension Filter Bypass",
223
+ "type": "variant",
224
+ "priority": 5
225
+ }
226
+ ]
227
+ },
228
+ {
229
+ "id": "cookie_scoped_to_parent_domain",
230
+ "name": "Cookie Scoped to Parent Domain",
231
+ "type": "subcategory",
232
+ "priority": 5
233
+ },
234
+ {
235
+ "id": "missing_secure_or_httponly_cookie_flag",
236
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
237
+ "type": "subcategory",
238
+ "children": [
239
+ {
240
+ "id": "session_token",
241
+ "name": "Session Token",
242
+ "type": "variant",
243
+ "priority": 4
244
+ },
245
+ {
246
+ "id": "non_session_cookie",
247
+ "name": "Non-Session Cookie",
248
+ "type": "variant",
249
+ "priority": 5
250
+ }
251
+ ]
252
+ },
253
+ {
254
+ "id": "clickjacking",
255
+ "name": "Clickjacking",
256
+ "type": "subcategory",
257
+ "children": [
258
+ {
259
+ "id": "sensitive_action",
260
+ "name": "Sensitive Click-Based Action",
261
+ "type": "variant",
262
+ "priority": 4
263
+ },
264
+ {
265
+ "id": "form_input",
266
+ "name": "Form Input",
267
+ "type": "variant",
268
+ "priority": 5
269
+ },
270
+ {
271
+ "id": "non_sensitive_action",
272
+ "name": "Non-Sensitive Action",
273
+ "type": "variant",
274
+ "priority": 5
275
+ }
276
+ ]
277
+ },
278
+ {
279
+ "id": "oauth_misconfiguration",
280
+ "name": "OAuth Misconfiguration",
281
+ "type": "subcategory",
282
+ "children": [
283
+ {
284
+ "id": "account_takeover",
285
+ "name": "Account Takeover",
286
+ "type": "variant",
287
+ "priority": 2
288
+ },
289
+ {
290
+ "id": "missing_state_parameter",
291
+ "name": "Missing/Broken State Parameter",
292
+ "type": "variant",
293
+ "priority": null
294
+ },
295
+ {
296
+ "id": "insecure_redirect_uri",
297
+ "name": "Insecure Redirect URI",
298
+ "type": "variant",
299
+ "priority": null
300
+ }
301
+ ]
302
+ },
303
+ {
304
+ "id": "captcha",
305
+ "name": "CAPTCHA",
306
+ "type": "subcategory",
307
+ "children": [
308
+ {
309
+ "id": "implementation_vulnerability",
310
+ "name": "Implementation Vulnerability",
311
+ "type": "variant",
312
+ "priority": 4
313
+ },
314
+ {
315
+ "id": "brute_force",
316
+ "name": "Brute Force",
317
+ "type": "variant",
318
+ "priority": 5
319
+ },
320
+ {
321
+ "id": "missing",
322
+ "name": "Missing",
323
+ "type": "variant",
324
+ "priority": 5
325
+ }
326
+ ]
327
+ },
328
+ {
329
+ "id": "exposed_admin_portal",
330
+ "name": "Exposed Admin Portal",
331
+ "type": "subcategory",
332
+ "children": [
333
+ {
334
+ "id": "to_internet",
335
+ "name": "To Internet",
336
+ "type": "variant",
337
+ "priority": 5
338
+ }
339
+ ]
340
+ },
341
+ {
342
+ "id": "missing_dnssec",
343
+ "name": "Missing DNSSEC",
344
+ "type": "subcategory",
345
+ "priority": 5
346
+ },
347
+ {
348
+ "id": "fingerprinting_banner_disclosure",
349
+ "name": "Fingerprinting/Banner Disclosure",
350
+ "type": "subcategory",
351
+ "priority": 5
352
+ },
353
+ {
354
+ "id": "username_enumeration",
355
+ "name": "Username Enumeration",
356
+ "type": "subcategory",
357
+ "children": [
358
+ {
359
+ "id": "brute_force",
360
+ "name": "Brute Force",
361
+ "type": "variant",
362
+ "priority": 5
363
+ }
364
+ ]
365
+ },
366
+ {
367
+ "id": "potentially_unsafe_http_method_enabled",
368
+ "name": "Potentially Unsafe HTTP Method Enabled",
369
+ "type": "subcategory",
370
+ "children": [
371
+ {
372
+ "id": "options",
373
+ "name": "OPTIONS",
374
+ "type": "variant",
375
+ "priority": 5
376
+ },
377
+ {
378
+ "id": "trace",
379
+ "name": "TRACE",
380
+ "type": "variant",
381
+ "priority": 5
382
+ }
383
+ ]
384
+ },
385
+ {
386
+ "id": "insecure_ssl",
387
+ "name": "Insecure SSL",
388
+ "type": "subcategory",
389
+ "children": [
390
+ {
391
+ "id": "lack_of_forward_secrecy",
392
+ "name": "Lack of Forward Secrecy",
393
+ "type": "variant",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "insecure_cipher_suite",
398
+ "name": "Insecure Cipher Suite",
399
+ "type": "variant",
400
+ "priority": 5
401
+ },
402
+ {
403
+ "id": "certificate_error",
404
+ "name": "Certificate Error",
405
+ "type": "variant",
406
+ "priority": 5
407
+ }
408
+ ]
409
+ },
410
+ {
411
+ "id": "rfd",
412
+ "name": "Reflected File Download (RFD)",
413
+ "type": "subcategory",
414
+ "priority": 5
415
+ },
416
+ {
417
+ "id": "lack_of_security_headers",
418
+ "name": "Lack of Security Headers",
419
+ "type": "subcategory",
420
+ "children": [
421
+ {
422
+ "id": "x_frame_options",
423
+ "name": "X-Frame-Options",
424
+ "type": "variant",
425
+ "priority": 5
426
+ },
427
+ {
428
+ "id": "cache_control_for_a_non_sensitive_page",
429
+ "name": "Cache-Control for a Non-Sensitive Page",
430
+ "type": "variant",
431
+ "priority": 5
432
+ },
433
+ {
434
+ "id": "x_xss_protection",
435
+ "name": "X-XSS-Protection",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "strict_transport_security",
441
+ "name": "Strict-Transport-Security",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "x_content_type_options",
447
+ "name": "X-Content-Type-Options",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "content_security_policy",
453
+ "name": "Content-Security-Policy",
454
+ "type": "variant",
455
+ "priority": 5
456
+ },
457
+ {
458
+ "id": "public_key_pins",
459
+ "name": "Public-Key-Pins",
460
+ "type": "variant",
461
+ "priority": 5
462
+ },
463
+ {
464
+ "id": "x_content_security_policy",
465
+ "name": "X-Content-Security-Policy",
466
+ "type": "variant",
467
+ "priority": 5
468
+ },
469
+ {
470
+ "id": "x_webkit_csp",
471
+ "name": "X-Webkit-CSP",
472
+ "type": "variant",
473
+ "priority": 5
474
+ },
475
+ {
476
+ "id": "content_security_policy_report_only",
477
+ "name": "Content-Security-Policy-Report-Only",
478
+ "type": "variant",
479
+ "priority": 5
480
+ },
481
+ {
482
+ "id": "cache_control_for_a_sensitive_page",
483
+ "name": "Cache-Control for a Sensitive Page",
484
+ "type": "variant",
485
+ "priority": 4
486
+ }
487
+ ]
488
+ },
489
+ {
490
+ "id": "waf_bypass",
491
+ "name": "Web Application Firewall (WAF) Bypass",
492
+ "type": "subcategory",
493
+ "children": [
494
+ {
495
+ "id": "direct_server_access",
496
+ "name": "Direct Server Access",
497
+ "type": "variant",
498
+ "priority": 4
499
+ }
500
+ ]
501
+ },
502
+ {
503
+ "id": "bitsquatting",
504
+ "name": "Bitsquatting",
505
+ "type": "subcategory",
506
+ "priority": 5
507
+ }
508
+ ]
509
+ },
510
+ {
511
+ "id": "server_side_injection",
512
+ "name": "Server-Side Injection",
513
+ "type": "category",
514
+ "children": [
515
+ {
516
+ "id": "file_inclusion",
517
+ "name": "File Inclusion",
518
+ "type": "subcategory",
519
+ "children": [
520
+ {
521
+ "id": "local",
522
+ "name": "Local",
523
+ "type": "variant",
524
+ "priority": 1
525
+ }
526
+ ]
527
+ },
528
+ {
529
+ "id": "parameter_pollution",
530
+ "name": "Parameter Pollution",
531
+ "type": "subcategory",
532
+ "children": [
533
+ {
534
+ "id": "social_media_sharing_buttons",
535
+ "name": "Social Media Sharing Buttons",
536
+ "type": "variant",
537
+ "priority": 5
538
+ }
539
+ ]
540
+ },
541
+ {
542
+ "id": "remote_code_execution_rce",
543
+ "name": "Remote Code Execution (RCE)",
544
+ "type": "subcategory",
545
+ "priority": 1
546
+ },
547
+ {
548
+ "id": "sql_injection",
549
+ "name": "SQL Injection",
550
+ "type": "subcategory",
551
+ "priority": 1
552
+ },
553
+ {
554
+ "id": "xml_external_entity_injection_xxe",
555
+ "name": "XML External Entity Injection (XXE)",
556
+ "type": "subcategory",
557
+ "priority": 1
558
+ },
559
+ {
560
+ "id": "http_response_manipulation",
561
+ "name": "HTTP Response Manipulation",
562
+ "type": "subcategory",
563
+ "children": [
564
+ {
565
+ "id": "response_splitting_crlf",
566
+ "name": "Response Splitting (CRLF)",
567
+ "type": "variant",
568
+ "priority": 3
569
+ }
570
+ ]
571
+ },
572
+ {
573
+ "id": "content_spoofing",
574
+ "name": "Content Spoofing",
575
+ "type": "subcategory",
576
+ "children": [
577
+ {
578
+ "id": "iframe_injection",
579
+ "name": "iframe Injection",
580
+ "type": "variant",
581
+ "priority": 3
582
+ },
583
+ {
584
+ "id": "external_authentication_injection",
585
+ "name": "External Authentication Injection",
586
+ "type": "variant",
587
+ "priority": 4
588
+ },
589
+ {
590
+ "id": "flash_based_external_authentication_injection",
591
+ "name": "Flash Based External Authentication Injection",
592
+ "type": "variant",
593
+ "priority": 5
594
+ },
595
+ {
596
+ "id": "email_html_injection",
597
+ "name": "Email HTML Injection",
598
+ "type": "variant",
599
+ "priority": 4
600
+ },
601
+ {
602
+ "id": "text_injection",
603
+ "name": "Text Injection",
604
+ "type": "variant",
605
+ "priority": 5
606
+ },
607
+ {
608
+ "id": "homograph_idn_based",
609
+ "name": "Homograph/IDN-Based",
610
+ "type": "variant",
611
+ "priority": 5
612
+ },
613
+ {
614
+ "id": "rtlo",
615
+ "name": "Right-to-Left Override (RTLO)",
616
+ "type": "variant",
617
+ "priority": 5
618
+ }
619
+ ]
620
+ }
621
+ ]
622
+ },
623
+ {
624
+ "id": "broken_authentication_and_session_management",
625
+ "name": "Broken Authentication and Session Management",
626
+ "type": "category",
627
+ "children": [
628
+ {
629
+ "id": "authentication_bypass",
630
+ "name": "Authentication Bypass",
631
+ "type": "subcategory",
632
+ "priority": 1
633
+ },
634
+ {
635
+ "id": "two_fa_bypass",
636
+ "name": "Second Factor Authentication (2FA) Bypass",
637
+ "type": "subcategory",
638
+ "priority": 3
639
+ },
640
+ {
641
+ "id": "privilege_escalation",
642
+ "name": "Privilege Escalation",
643
+ "type": "subcategory",
644
+ "priority": null
645
+ },
646
+ {
647
+ "id": "cleartext_transmission_of_session_token",
648
+ "name": "Cleartext Transmission of Session Token",
649
+ "type": "subcategory",
650
+ "priority": 4
651
+ },
652
+ {
653
+ "id": "weak_login_function",
654
+ "name": "Weak Login Function",
655
+ "type": "subcategory",
656
+ "children": [
657
+ {
658
+ "id": "not_operational",
659
+ "name": "Not Operational or Intended Public Access",
660
+ "type": "variant",
661
+ "priority": 5
662
+ },
663
+ {
664
+ "id": "other_plaintext_protocol_no_secure_alternative",
665
+ "name": "Other Plaintext Protocol with no Secure Alternative",
666
+ "type": "variant",
667
+ "priority": 4
668
+ },
669
+ {
670
+ "id": "lan_only",
671
+ "name": "LAN Only",
672
+ "type": "variant",
673
+ "priority": 4
674
+ },
675
+ {
676
+ "id": "http_and_https_available",
677
+ "name": "HTTP and HTTPS Available",
678
+ "type": "variant",
679
+ "priority": 4
680
+ },
681
+ {
682
+ "id": "https_not_available_or_http_by_default",
683
+ "name": "HTTPS not Available or HTTP by Default",
684
+ "type": "variant",
685
+ "priority": 3
686
+ }
687
+ ]
688
+ },
689
+ {
690
+ "id": "session_fixation",
691
+ "name": "Session Fixation",
692
+ "type": "subcategory",
693
+ "children": [
694
+ {
695
+ "id": "remote_attack_vector",
696
+ "name": "Remote Attack Vector",
697
+ "type": "variant",
698
+ "priority": 3
699
+ },
700
+ {
701
+ "id": "local_attack_vector",
702
+ "name": "Local Attack Vector",
703
+ "type": "variant",
704
+ "priority": 5
705
+ }
706
+ ]
707
+ },
708
+ {
709
+ "id": "failure_to_invalidate_session",
710
+ "name": "Failure to Invalidate Session",
711
+ "type": "subcategory",
712
+ "children": [
713
+ {
714
+ "id": "on_logout",
715
+ "name": "On Logout (Client and Server-Side)",
716
+ "type": "variant",
717
+ "priority": 4
718
+ },
719
+ {
720
+ "id": "on_logout_server_side_only",
721
+ "name": "On Logout (Server-Side Only)",
722
+ "type": "variant",
723
+ "priority": 5
724
+ },
725
+ {
726
+ "id": "on_password_change",
727
+ "name": "On Password Reset and/or Change",
728
+ "type": "variant",
729
+ "priority": 4
730
+ },
731
+ {
732
+ "id": "all_sessions",
733
+ "name": "Concurrent Sessions On Logout",
734
+ "type": "variant",
735
+ "priority": 5
736
+ },
737
+ {
738
+ "id": "on_email_change",
739
+ "name": "On Email Change",
740
+ "type": "variant",
741
+ "priority": 5
742
+ },
743
+ {
744
+ "id": "long_timeout",
745
+ "name": "Long Timeout",
746
+ "type": "variant",
747
+ "priority": 5
748
+ }
749
+ ]
750
+ },
751
+ {
752
+ "id": "concurrent_logins",
753
+ "name": "Concurrent Logins",
754
+ "type": "subcategory",
755
+ "priority": 5
756
+ },
757
+ {
758
+ "id": "weak_registration_implementation",
759
+ "name": "Weak Registration Implementation",
760
+ "type": "subcategory",
761
+ "children": [
762
+ {
763
+ "id": "over_http",
764
+ "name": "Over HTTP",
765
+ "type": "variant",
766
+ "priority": 4
767
+ }
768
+ ]
769
+ }
770
+ ]
771
+ },
772
+ {
773
+ "id": "sensitive_data_exposure",
774
+ "name": "Sensitive Data Exposure",
775
+ "type": "category",
776
+ "children": [
777
+ {
778
+ "id": "critically_sensitive_data",
779
+ "name": "Critically Sensitive Data",
780
+ "type": "subcategory",
781
+ "children": [
782
+ {
783
+ "id": "password_disclosure",
784
+ "name": "Password Disclosure",
785
+ "type": "variant",
786
+ "priority": 1
787
+ },
788
+ {
789
+ "id": "private_api_keys",
790
+ "name": "Private API Keys",
791
+ "type": "variant",
792
+ "priority": 1
793
+ }
794
+ ]
795
+ },
796
+ {
797
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
798
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
799
+ "type": "subcategory",
800
+ "children": [
801
+ {
802
+ "id": "automatic_user_enumeration",
803
+ "name": "Automatic User Enumeration",
804
+ "type": "variant",
805
+ "priority": 3
806
+ },
807
+ {
808
+ "id": "manual_user_enumeration",
809
+ "name": "Manual User Enumeration",
810
+ "type": "variant",
811
+ "priority": 4
812
+ }
813
+ ]
814
+ },
815
+ {
816
+ "id": "visible_detailed_error_page",
817
+ "name": "Visible Detailed Error/Debug Page",
818
+ "type": "subcategory",
819
+ "children": [
820
+ {
821
+ "id": "detailed_server_configuration",
822
+ "name": "Detailed Server Configuration",
823
+ "type": "variant",
824
+ "priority": 4
825
+ },
826
+ {
827
+ "id": "full_path_disclosure",
828
+ "name": "Full Path Disclosure",
829
+ "type": "variant",
830
+ "priority": 5
831
+ },
832
+ {
833
+ "id": "descriptive_stack_trace",
834
+ "name": "Descriptive Stack Trace",
835
+ "type": "variant",
836
+ "priority": 5
837
+ }
838
+ ]
839
+ },
840
+ {
841
+ "id": "disclosure_of_known_public_information",
842
+ "name": "Disclosure of Known Public Information",
843
+ "type": "subcategory",
844
+ "priority": 5
845
+ },
846
+ {
847
+ "id": "token_leakage_via_referer",
848
+ "name": "Token Leakage via Referer",
849
+ "type": "subcategory",
850
+ "children": [
851
+ {
852
+ "id": "trusted_3rd_party",
853
+ "name": "Trusted 3rd Party",
854
+ "type": "variant",
855
+ "priority": 5
856
+ },
857
+ {
858
+ "id": "untrusted_3rd_party",
859
+ "name": "Untrusted 3rd Party",
860
+ "type": "variant",
861
+ "priority": 4
862
+ },
863
+ {
864
+ "id": "over_http",
865
+ "name": "Over HTTP",
866
+ "type": "variant",
867
+ "priority": 4
868
+ }
869
+ ]
870
+ },
871
+ {
872
+ "id": "sensitive_token_in_url",
873
+ "name": "Sensitive Token in URL",
874
+ "type": "subcategory",
875
+ "children": [
876
+ {
877
+ "id": "user_facing",
878
+ "name": "User Facing",
879
+ "type": "variant",
880
+ "priority": 4
881
+ },
882
+ {
883
+ "id": "in_the_background",
884
+ "name": "In the Background",
885
+ "type": "variant",
886
+ "priority": 5
887
+ },
888
+ {
889
+ "id": "on_password_reset",
890
+ "name": "On Password Reset",
891
+ "type": "variant",
892
+ "priority": 5
893
+ }
894
+ ]
895
+ },
896
+ {
897
+ "id": "non_sensitive_token_in_url",
898
+ "name": "Non-Sensitive Token in URL",
899
+ "type": "subcategory",
900
+ "priority": 5
901
+ },
902
+ {
903
+ "id": "weak_password_reset_implementation",
904
+ "name": "Weak Password Reset Implementation",
905
+ "type": "subcategory",
906
+ "children": [
907
+ {
908
+ "id": "password_reset_token_sent_over_http",
909
+ "name": "Password Reset Token Sent Over HTTP",
910
+ "type": "variant",
911
+ "priority": 4
912
+ }
913
+ ]
914
+ },
915
+ {
916
+ "id": "mixed_content",
917
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
918
+ "type": "subcategory",
919
+ "priority": 5
920
+ },
921
+ {
922
+ "id": "sensitive_data_hardcoded",
923
+ "name": "Sensitive Data Hardcoded",
924
+ "type": "subcategory",
925
+ "children": [
926
+ {
927
+ "id": "oauth_secret",
928
+ "name": "OAuth Secret",
929
+ "type": "variant",
930
+ "priority": 5
931
+ },
932
+ {
933
+ "id": "file_paths",
934
+ "name": "File Paths",
935
+ "type": "variant",
936
+ "priority": 5
937
+ }
938
+ ]
939
+ },
940
+ {
941
+ "id": "internal_ip_disclosure",
942
+ "name": "Internal IP Disclosure",
943
+ "type": "subcategory",
944
+ "priority": 5
945
+ },
946
+ {
947
+ "id": "xssi",
948
+ "name": "Cross Site Script Inclusion (XSSI)",
949
+ "type": "subcategory",
950
+ "priority": null
951
+ },
952
+ {
953
+ "id": "json_hijacking",
954
+ "name": "JSON Hijacking",
955
+ "type": "subcategory",
956
+ "priority": 5
957
+ }
958
+ ]
959
+ },
960
+ {
961
+ "id": "cross_site_scripting_xss",
962
+ "name": "Cross-Site Scripting (XSS)",
963
+ "type": "category",
964
+ "children": [
965
+ {
966
+ "id": "stored",
967
+ "name": "Stored",
968
+ "type": "subcategory",
969
+ "children": [
970
+ {
971
+ "id": "non_admin_to_anyone",
972
+ "name": "Non-Privileged User to Anyone",
973
+ "type": "variant",
974
+ "priority": 2
975
+ },
976
+ {
977
+ "id": "privileged_user_to_privilege_elevation",
978
+ "name": "Privileged User to Privilege Elevation",
979
+ "type": "variant",
980
+ "priority": 3
981
+ },
982
+ {
983
+ "id": "privileged_user_to_no_privilege_elevation",
984
+ "name": "Privileged User to No Privilege Elevation",
985
+ "type": "variant",
986
+ "priority": 4
987
+ },
988
+ {
989
+ "id": "url_based",
990
+ "name": "CSRF/URL-Based",
991
+ "type": "variant",
992
+ "priority": 3
993
+ },
994
+ {
995
+ "id": "self",
996
+ "name": "Self",
997
+ "type": "variant",
998
+ "priority": 5
999
+ }
1000
+ ]
1001
+ },
1002
+ {
1003
+ "id": "reflected",
1004
+ "name": "Reflected",
1005
+ "type": "subcategory",
1006
+ "children": [
1007
+ {
1008
+ "id": "non_self",
1009
+ "name": "Non-Self",
1010
+ "type": "variant",
1011
+ "priority": 3
1012
+ },
1013
+ {
1014
+ "id": "self",
1015
+ "name": "Self",
1016
+ "type": "variant",
1017
+ "priority": 5
1018
+ }
1019
+ ]
1020
+ },
1021
+ {
1022
+ "id": "flash_based",
1023
+ "name": "Flash-Based",
1024
+ "type": "subcategory",
1025
+ "priority": 4
1026
+ },
1027
+ {
1028
+ "id": "cookie_based",
1029
+ "name": "Cookie-Based",
1030
+ "type": "subcategory",
1031
+ "priority": 5
1032
+ },
1033
+ {
1034
+ "id": "ie_only",
1035
+ "name": "IE-Only",
1036
+ "type": "subcategory",
1037
+ "children": [
1038
+ {
1039
+ "id": "ie11",
1040
+ "name": "IE11",
1041
+ "type": "variant",
1042
+ "priority": 4
1043
+ },
1044
+ {
1045
+ "id": "xss_filter_disabled",
1046
+ "name": "XSS Filter Disabled",
1047
+ "type": "variant",
1048
+ "priority": 5
1049
+ },
1050
+ {
1051
+ "id": "older_version_ie11",
1052
+ "name": "Older Version (< IE11)",
1053
+ "type": "variant",
1054
+ "priority": 5
1055
+ }
1056
+ ]
1057
+ },
1058
+ {
1059
+ "id": "referer",
1060
+ "name": "Referer",
1061
+ "type": "subcategory",
1062
+ "priority": 4
1063
+ },
1064
+ {
1065
+ "id": "trace_method",
1066
+ "name": "TRACE Method",
1067
+ "type": "subcategory",
1068
+ "priority": 5
1069
+ },
1070
+ {
1071
+ "id": "universal_uxss",
1072
+ "name": "Universal (UXSS)",
1073
+ "type": "subcategory",
1074
+ "priority": 4
1075
+ },
1076
+ {
1077
+ "id": "off_domain",
1078
+ "name": "Off-Domain",
1079
+ "type": "subcategory",
1080
+ "children": [
1081
+ {
1082
+ "id": "data_uri",
1083
+ "name": "Data URI",
1084
+ "type": "variant",
1085
+ "priority": 4
1086
+ }
1087
+ ]
1088
+ }
1089
+ ]
1090
+ },
1091
+ {
1092
+ "id": "broken_access_control",
1093
+ "name": "Broken Access Control (BAC)",
1094
+ "type": "category",
1095
+ "children": [
1096
+ {
1097
+ "id": "idor",
1098
+ "name": "Insecure Direct Object References (IDOR)",
1099
+ "type": "subcategory",
1100
+ "priority": null
1101
+ },
1102
+ {
1103
+ "id": "server_side_request_forgery_ssrf",
1104
+ "name": "Server-Side Request Forgery (SSRF)",
1105
+ "type": "subcategory",
1106
+ "children": [
1107
+ {
1108
+ "id": "internal",
1109
+ "name": "Internal",
1110
+ "type": "variant",
1111
+ "priority": 2
1112
+ },
1113
+ {
1114
+ "id": "external",
1115
+ "name": "External",
1116
+ "type": "variant",
1117
+ "priority": 4
1118
+ },
1119
+ {
1120
+ "id": "dns_query_only",
1121
+ "name": "DNS Query Only",
1122
+ "type": "variant",
1123
+ "priority": 5
1124
+ }
1125
+ ]
1126
+ },
1127
+ {
1128
+ "id": "username_enumeration",
1129
+ "name": "Username Enumeration",
1130
+ "type": "subcategory",
1131
+ "children": [
1132
+ {
1133
+ "id": "data_leak",
1134
+ "name": "Data Leak",
1135
+ "type": "variant",
1136
+ "priority": 4
1137
+ }
1138
+ ]
1139
+ },
1140
+ {
1141
+ "id": "exposed_sensitive_android_intent",
1142
+ "name": "Exposed Sensitive Android Intent",
1143
+ "type": "subcategory",
1144
+ "priority": null
1145
+ },
1146
+ {
1147
+ "id": "exposed_sensitive_ios_url_scheme",
1148
+ "name": "Exposed Sensitive iOS URL Scheme",
1149
+ "type": "subcategory",
1150
+ "priority": null
1151
+ }
1152
+ ]
1153
+ },
1154
+ {
1155
+ "id": "cross_site_request_forgery_csrf",
1156
+ "name": "Cross-Site Request Forgery (CSRF)",
1157
+ "type": "category",
1158
+ "children": [
1159
+ {
1160
+ "id": "application_wide",
1161
+ "name": "Application-Wide",
1162
+ "type": "subcategory",
1163
+ "priority": 2
1164
+ },
1165
+ {
1166
+ "id": "action_specific",
1167
+ "name": "Action-Specific",
1168
+ "type": "subcategory",
1169
+ "children": [
1170
+ {
1171
+ "id": "authenticated_action",
1172
+ "name": "Authenticated Action",
1173
+ "type": "variant",
1174
+ "priority": null
1175
+ },
1176
+ {
1177
+ "id": "unauthenticated_action",
1178
+ "name": "Unauthenticated Action",
1179
+ "type": "variant",
1180
+ "priority": null
1181
+ },
1182
+ {
1183
+ "id": "logout",
1184
+ "name": "Logout",
1185
+ "type": "variant",
1186
+ "priority": 5
1187
+ }
1188
+ ]
1189
+ },
1190
+ {
1191
+ "id": "csrf_token_not_unique_per_request",
1192
+ "name": "CSRF Token Not Unique Per Request",
1193
+ "type": "subcategory",
1194
+ "priority": 5
1195
+ }
1196
+ ]
1197
+ },
1198
+ {
1199
+ "id": "application_level_denial_of_service_dos",
1200
+ "name": "Application-Level Denial-of-Service (DoS)",
1201
+ "type": "category",
1202
+ "children": [
1203
+ {
1204
+ "id": "critical_impact_and_or_easy_difficulty",
1205
+ "name": "Critical Impact and/or Easy Difficulty",
1206
+ "type": "subcategory",
1207
+ "priority": 2
1208
+ },
1209
+ {
1210
+ "id": "high_impact_and_or_medium_difficulty",
1211
+ "name": "High Impact and/or Medium Difficulty",
1212
+ "type": "subcategory",
1213
+ "priority": 3
1214
+ },
1215
+ {
1216
+ "id": "app_crash",
1217
+ "name": "App Crash",
1218
+ "type": "subcategory",
1219
+ "children": [
1220
+ {
1221
+ "id": "malformed_android_intents",
1222
+ "name": "Malformed Android Intents",
1223
+ "type": "variant",
1224
+ "priority": 5
1225
+ },
1226
+ {
1227
+ "id": "malformed_ios_url_schemes",
1228
+ "name": "Malformed iOS URL Schemes",
1229
+ "type": "variant",
1230
+ "priority": 5
1231
+ }
1232
+ ]
1233
+ }
1234
+ ]
1235
+ },
1236
+ {
1237
+ "id": "unvalidated_redirects_and_forwards",
1238
+ "name": "Unvalidated Redirects and Forwards",
1239
+ "type": "category",
1240
+ "children": [
1241
+ {
1242
+ "id": "open_redirect",
1243
+ "name": "Open Redirect",
1244
+ "type": "subcategory",
1245
+ "children": [
1246
+ {
1247
+ "id": "get_based",
1248
+ "name": "GET-Based",
1249
+ "type": "variant",
1250
+ "priority": 4
1251
+ },
1252
+ {
1253
+ "id": "post_based",
1254
+ "name": "POST-Based",
1255
+ "type": "variant",
1256
+ "priority": 5
1257
+ },
1258
+ {
1259
+ "id": "header_based",
1260
+ "name": "Header-Based",
1261
+ "type": "variant",
1262
+ "priority": 5
1263
+ },
1264
+ {
1265
+ "id": "flash_based",
1266
+ "name": "Flash-Based",
1267
+ "type": "variant",
1268
+ "priority": 5
1269
+ }
1270
+ ]
1271
+ },
1272
+ {
1273
+ "id": "tabnabbing",
1274
+ "name": "Tabnabbing",
1275
+ "type": "subcategory",
1276
+ "priority": 5
1277
+ },
1278
+ {
1279
+ "id": "lack_of_security_speed_bump_page",
1280
+ "name": "Lack of Security Speed Bump Page",
1281
+ "type": "subcategory",
1282
+ "priority": 5
1283
+ }
1284
+ ]
1285
+ },
1286
+ {
1287
+ "id": "external_behavior",
1288
+ "name": "External Behavior",
1289
+ "type": "category",
1290
+ "children": [
1291
+ {
1292
+ "id": "browser_feature",
1293
+ "name": "Browser Feature",
1294
+ "type": "subcategory",
1295
+ "children": [
1296
+ {
1297
+ "id": "plaintext_password_field",
1298
+ "name": "Plaintext Password Field",
1299
+ "type": "variant",
1300
+ "priority": 5
1301
+ },
1302
+ {
1303
+ "id": "save_password",
1304
+ "name": "Save Password",
1305
+ "type": "variant",
1306
+ "priority": 5
1307
+ },
1308
+ {
1309
+ "id": "autocomplete_enabled",
1310
+ "name": "Autocomplete Enabled",
1311
+ "type": "variant",
1312
+ "priority": 5
1313
+ },
1314
+ {
1315
+ "id": "autocorrect_enabled",
1316
+ "name": "Autocorrect Enabled",
1317
+ "type": "variant",
1318
+ "priority": 5
1319
+ },
1320
+ {
1321
+ "id": "aggressive_offline_caching",
1322
+ "name": "Aggressive Offline Caching",
1323
+ "type": "variant",
1324
+ "priority": 5
1325
+ }
1326
+ ]
1327
+ },
1328
+ {
1329
+ "id": "csv_injection",
1330
+ "name": "CSV Injection",
1331
+ "type": "subcategory",
1332
+ "priority": 5
1333
+ },
1334
+ {
1335
+ "id": "captcha_bypass",
1336
+ "name": "Captcha Bypass",
1337
+ "type": "subcategory",
1338
+ "children": [
1339
+ {
1340
+ "id": "crowdsourcing",
1341
+ "name": "Crowdsourcing",
1342
+ "type": "variant",
1343
+ "priority": 5
1344
+ }
1345
+ ]
1346
+ },
1347
+ {
1348
+ "id": "system_clipboard_leak",
1349
+ "name": "System Clipboard Leak",
1350
+ "type": "subcategory",
1351
+ "children": [
1352
+ {
1353
+ "id": "shared_links",
1354
+ "name": "Shared Links",
1355
+ "type": "variant",
1356
+ "priority": 5
1357
+ }
1358
+ ]
1359
+ },
1360
+ {
1361
+ "id": "user_password_persisted_in_memory",
1362
+ "name": "User Password Persisted in Memory",
1363
+ "type": "subcategory",
1364
+ "priority": 5
1365
+ }
1366
+ ]
1367
+ },
1368
+ {
1369
+ "id": "insufficient_security_configurability",
1370
+ "name": "Insufficient Security Configurability",
1371
+ "type": "category",
1372
+ "children": [
1373
+ {
1374
+ "id": "weak_password_policy",
1375
+ "name": "Weak Password Policy",
1376
+ "type": "subcategory",
1377
+ "priority": 5
1378
+ },
1379
+ {
1380
+ "id": "no_password_policy",
1381
+ "name": "No Password Policy",
1382
+ "type": "subcategory",
1383
+ "priority": 4
1384
+ },
1385
+ {
1386
+ "id": "weak_password_reset_implementation",
1387
+ "name": "Weak Password Reset Implementation",
1388
+ "type": "subcategory",
1389
+ "children": [
1390
+ {
1391
+ "id": "token_is_not_invalidated_after_use",
1392
+ "name": "Token is Not Invalidated After Use",
1393
+ "type": "variant",
1394
+ "priority": 4
1395
+ },
1396
+ {
1397
+ "id": "token_is_not_invalidated_after_email_change",
1398
+ "name": "Token is Not Invalidated After Email Change",
1399
+ "type": "variant",
1400
+ "priority": 5
1401
+ },
1402
+ {
1403
+ "id": "token_is_not_invalidated_after_password_change",
1404
+ "name": "Token is Not Invalidated After Password Change",
1405
+ "type": "variant",
1406
+ "priority": 5
1407
+ },
1408
+ {
1409
+ "id": "token_has_long_timed_expiry",
1410
+ "name": "Token Has Long Timed Expiry",
1411
+ "type": "variant",
1412
+ "priority": 5
1413
+ },
1414
+ {
1415
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1416
+ "name": "Token is Not Invalidated After New Token is Requested",
1417
+ "type": "variant",
1418
+ "priority": 5
1419
+ },
1420
+ {
1421
+ "id": "token_is_not_invalidated_after_login",
1422
+ "name": "Token is Not Invalidated After Login",
1423
+ "type": "variant",
1424
+ "priority": 5
1425
+ }
1426
+ ]
1427
+ },
1428
+ {
1429
+ "id": "lack_of_verification_email",
1430
+ "name": "Lack of Verification Email",
1431
+ "type": "subcategory",
1432
+ "priority": 5
1433
+ },
1434
+ {
1435
+ "id": "lack_of_notification_email",
1436
+ "name": "Lack of Notification Email",
1437
+ "type": "subcategory",
1438
+ "priority": 5
1439
+ },
1440
+ {
1441
+ "id": "weak_registration_implementation",
1442
+ "name": "Weak Registration Implementation",
1443
+ "type": "subcategory",
1444
+ "children": [
1445
+ {
1446
+ "id": "allows_disposable_email_addresses",
1447
+ "name": "Allows Disposable Email Addresses",
1448
+ "type": "variant",
1449
+ "priority": 5
1450
+ }
1451
+ ]
1452
+ },
1453
+ {
1454
+ "id": "weak_2fa_implementation",
1455
+ "name": "Weak 2FA Implementation",
1456
+ "type": "subcategory",
1457
+ "children": [
1458
+ {
1459
+ "id": "missing_failsafe",
1460
+ "name": "Missing Failsafe",
1461
+ "type": "variant",
1462
+ "priority": 5
1463
+ }
1464
+ ]
1465
+ }
1466
+ ]
1467
+ },
1468
+ {
1469
+ "id": "using_components_with_known_vulnerabilities",
1470
+ "name": "Using Components with Known Vulnerabilities",
1471
+ "type": "category",
1472
+ "children": [
1473
+ {
1474
+ "id": "rosetta_flash",
1475
+ "name": "Rosetta Flash",
1476
+ "type": "subcategory",
1477
+ "priority": 4
1478
+ },
1479
+ {
1480
+ "id": "outdated_software_version",
1481
+ "name": "Outdated Software Version",
1482
+ "type": "subcategory",
1483
+ "priority": 5
1484
+ },
1485
+ {
1486
+ "id": "captcha_bypass",
1487
+ "name": "Captcha Bypass",
1488
+ "type": "subcategory",
1489
+ "children": [
1490
+ {
1491
+ "id": "ocr_optical_character_recognition",
1492
+ "name": "OCR (Optical Character Recognition)",
1493
+ "type": "variant",
1494
+ "priority": 5
1495
+ }
1496
+ ]
1497
+ }
1498
+ ]
1499
+ },
1500
+ {
1501
+ "id": "insecure_data_storage",
1502
+ "name": "Insecure Data Storage",
1503
+ "type": "category",
1504
+ "children": [
1505
+ {
1506
+ "id": "sensitive_application_data_stored_unencrypted",
1507
+ "name": "Sensitive Application Data Stored Unencrypted",
1508
+ "type": "subcategory",
1509
+ "children": [
1510
+ {
1511
+ "id": "on_external_storage",
1512
+ "name": "On External Storage",
1513
+ "type": "variant",
1514
+ "priority": 4
1515
+ },
1516
+ {
1517
+ "id": "on_internal_storage",
1518
+ "name": "On Internal Storage",
1519
+ "type": "variant",
1520
+ "priority": 5
1521
+ }
1522
+ ]
1523
+ },
1524
+ {
1525
+ "id": "server_side_credentials_storage",
1526
+ "name": "Server-Side Credentials Storage",
1527
+ "type": "subcategory",
1528
+ "children": [
1529
+ {
1530
+ "id": "plaintext",
1531
+ "name": "Plaintext",
1532
+ "type": "variant",
1533
+ "priority": 4
1534
+ }
1535
+ ]
1536
+ },
1537
+ {
1538
+ "id": "non_sensitive_application_data_stored_unencrypted",
1539
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1540
+ "type": "subcategory",
1541
+ "priority": 5
1542
+ },
1543
+ {
1544
+ "id": "screen_caching_enabled",
1545
+ "name": "Screen Caching Enabled",
1546
+ "type": "subcategory",
1547
+ "priority": 5
1548
+ }
1549
+ ]
1550
+ },
1551
+ {
1552
+ "id": "lack_of_binary_hardening",
1553
+ "name": "Lack of Binary Hardening",
1554
+ "type": "category",
1555
+ "children": [
1556
+ {
1557
+ "id": "lack_of_exploit_mitigations",
1558
+ "name": "Lack of Exploit Mitigations",
1559
+ "type": "subcategory",
1560
+ "priority": 5
1561
+ },
1562
+ {
1563
+ "id": "lack_of_jailbreak_detection",
1564
+ "name": "Lack of Jailbreak Detection",
1565
+ "type": "subcategory",
1566
+ "priority": 5
1567
+ },
1568
+ {
1569
+ "id": "lack_of_obfuscation",
1570
+ "name": "Lack of Obfuscation",
1571
+ "type": "subcategory",
1572
+ "priority": 5
1573
+ },
1574
+ {
1575
+ "id": "runtime_instrumentation_based",
1576
+ "name": "Runtime Instrumentation-Based",
1577
+ "type": "subcategory",
1578
+ "priority": 5
1579
+ }
1580
+ ]
1581
+ },
1582
+ {
1583
+ "id": "insecure_data_transport",
1584
+ "name": "Insecure Data Transport",
1585
+ "type": "category",
1586
+ "children": [
1587
+ {
1588
+ "id": "cleartext_transmission_of_sensitive_data",
1589
+ "name": "Cleartext Transmission of Sensitive Data",
1590
+ "type": "subcategory",
1591
+ "priority": null
1592
+ },
1593
+ {
1594
+ "id": "executable_download",
1595
+ "name": "Executable Download",
1596
+ "type": "subcategory",
1597
+ "children": [
1598
+ {
1599
+ "id": "no_secure_integrity_check",
1600
+ "name": "No Secure Integrity Check",
1601
+ "type": "variant",
1602
+ "priority": 4
1603
+ },
1604
+ {
1605
+ "id": "secure_integrity_check",
1606
+ "name": "Secure Integrity Check",
1607
+ "type": "variant",
1608
+ "priority": 5
1609
+ }
1610
+ ]
1611
+ }
1612
+ ]
1613
+ },
1614
+ {
1615
+ "id": "insecure_os_firmware",
1616
+ "name": "Insecure OS/Firmware",
1617
+ "type": "category",
1618
+ "children": [
1619
+ {
1620
+ "id": "command_injection",
1621
+ "name": "Command Injection",
1622
+ "type": "subcategory",
1623
+ "priority": 1
1624
+ },
1625
+ {
1626
+ "id": "hardcoded_password",
1627
+ "name": "Hardcoded Password",
1628
+ "type": "subcategory",
1629
+ "children": [
1630
+ {
1631
+ "id": "privileged_user",
1632
+ "name": "Privileged User",
1633
+ "type": "variant",
1634
+ "priority": 1
1635
+ },
1636
+ {
1637
+ "id": "non_privileged_user",
1638
+ "name": "Non-Privileged User",
1639
+ "type": "variant",
1640
+ "priority": 2
1641
+ }
1642
+ ]
1643
+ }
1644
+ ]
1645
+ },
1646
+ {
1647
+ "id": "broken_cryptography",
1648
+ "name": "Broken Cryptography",
1649
+ "type": "category",
1650
+ "children": [
1651
+ {
1652
+ "id": "cryptographic_flaw",
1653
+ "name": "Cryptographic Flaw",
1654
+ "type": "subcategory",
1655
+ "children": [
1656
+ {
1657
+ "id": "incorrect_usage",
1658
+ "name": "Incorrect Usage",
1659
+ "type": "variant",
1660
+ "priority": 1
1661
+ }
1662
+ ]
1663
+ }
1664
+ ]
1665
+ },
1666
+ {
1667
+ "id": "privacy_concerns",
1668
+ "name": "Privacy Concerns",
1669
+ "type": "category",
1670
+ "children": [
1671
+ {
1672
+ "id": "unnecessary_data_collection",
1673
+ "name": "Unnecessary Data Collection",
1674
+ "type": "subcategory",
1675
+ "children": [
1676
+ {
1677
+ "id": "wifi_ssid_password",
1678
+ "name": "WiFi SSID+Password",
1679
+ "type": "variant",
1680
+ "priority": 4
1681
+ }
1682
+ ]
1683
+ }
1684
+ ]
1685
+ },
1686
+ {
1687
+ "id": "network_security_misconfiguration",
1688
+ "name": "Network Security Misconfiguration",
1689
+ "type": "category",
1690
+ "children": [
1691
+ {
1692
+ "id": "telnet_enabled",
1693
+ "name": "Telnet Enabled",
1694
+ "type": "subcategory",
1695
+ "priority": 5
1696
+ }
1697
+ ]
1698
+ },
1699
+ {
1700
+ "id": "mobile_security_misconfiguration",
1701
+ "name": "Mobile Security Misconfiguration",
1702
+ "type": "category",
1703
+ "children": [
1704
+ {
1705
+ "id": "ssl_certificate_pinning",
1706
+ "name": "SSL Certificate Pinning",
1707
+ "type": "subcategory",
1708
+ "children": [
1709
+ {
1710
+ "id": "absent",
1711
+ "name": "Absent",
1712
+ "type": "variant",
1713
+ "priority": 5
1714
+ },
1715
+ {
1716
+ "id": "defeatable",
1717
+ "name": "Defeatable",
1718
+ "type": "variant",
1719
+ "priority": 5
1720
+ }
1721
+ ]
1722
+ },
1723
+ {
1724
+ "id": "tapjacking",
1725
+ "name": "Tapjacking",
1726
+ "type": "subcategory",
1727
+ "priority": 5
1728
+ },
1729
+ {
1730
+ "id": "clipboard_enabled",
1731
+ "name": "Clipboard Enabled",
1732
+ "type": "subcategory",
1733
+ "children": [
1734
+ {
1735
+ "id": "on_sensitive_content",
1736
+ "name": "On Sensitive Content",
1737
+ "type": "variant",
1738
+ "priority": 4
1739
+ },
1740
+ {
1741
+ "id": "on_non_sensitive_content",
1742
+ "name": "On Non-Sensitive Content",
1743
+ "type": "variant",
1744
+ "priority": 5
1745
+ }
1746
+ ]
1747
+ }
1748
+ ]
1749
+ },
1750
+ {
1751
+ "id": "client_side_injection",
1752
+ "name": "Client-Side Injection",
1753
+ "type": "category",
1754
+ "children": [
1755
+ {
1756
+ "id": "binary_planting",
1757
+ "name": "Binary Planting",
1758
+ "type": "subcategory",
1759
+ "children": [
1760
+ {
1761
+ "id": "privilege_escalation",
1762
+ "name": "Default Folder Privilege Escalation",
1763
+ "type": "variant",
1764
+ "priority": 3
1765
+ },
1766
+ {
1767
+ "id": "non_default_folder_privilege_escalation",
1768
+ "name": "Non-Default Folder Privilege Escalation",
1769
+ "type": "variant",
1770
+ "priority": 5
1771
+ },
1772
+ {
1773
+ "id": "no_privilege_escalation",
1774
+ "name": "No Privilege Escalation",
1775
+ "type": "variant",
1776
+ "priority": 5
1777
+ }
1778
+ ]
1779
+ }
1780
+ ]
1781
+ }
1782
+ ]
1783
+ }