vrt 0.6.0 → 0.7.0

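--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 0bbf3f9665646c0a5684190da5d391a67876c9e8
- data.tar.gz: cd55a28fa619b35f0408225183a176ab1ff89738
+ metadata.gz: 9710704ecea5f4320f22103ea00b268d71cc90f7
+ data.tar.gz: fe250e93cb316fd058d4dab3fc2b679ac0fcbb71
  SHA512:
- metadata.gz: 52d1c1178403a7970f12882511a4a989b4f7230ecd3946537371ef46a2f78075839a171f93c5e3709f60f80128275006f5c26b7690620661c16bba53b8de3651
- data.tar.gz: a9f9f9fe94abba85cef0d214246f4c78b475c7f8c31f427a6be8556d2d83b39fdb04c291af11056c2bc409787c20d0fdce29e8580d3f49291d1d6fe09483f7c3
+ metadata.gz: b4ed35f1273882ec8e745bf8d026cc636fe120feb266d6c86a3899d70e625ce278f23ef5f2298f2b0b364a876da83cf6b8fa3030c99453786d9f8291669fae81
+ data.tar.gz: 53b0f1b36395927a2074480525bcda49b5472277fc63e14a46327f65e8eabbef9b4cd115c3f62f84b33cf628a0202b0a420589d0760e584d301228ea9de00cac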
@@ -0,0 +1,131 @@
1
+ {
2
+ "poor_physical_security": {
3
+ "1.1": "other"
4
+ },
5
+ "social_engineering": {
6
+ "1.1": "other"
7
+ },
8
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
9
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
10
+ },
11
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
12
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
13
+ },
14
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
15
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
16
+ },
17
+ "broken_authentication_and_session_management.session_token_in_url.over_https": {
18
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
19
+ },
20
+ "broken_authentication_and_session_management.session_token_in_url.over_http": {
21
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
22
+ },
23
+ "broken_authentication_and_session_management.session_token_in_url": {
24
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
25
+ },
26
+ "insecure_data_transport": {
27
+ "1.2": "mobile_security_misconfiguration"
28
+ },
29
+ "insecure_data_transport.ssl_certificate_pinning": {
30
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
31
+ },
32
+ "insecure_data_transport.ssl_certificate_pinning.absent": {
33
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
34
+ },
35
+ "insecure_data_transport.ssl_certificate_pinning.defeatable": {
36
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
37
+ },
38
+ "insecure_data_storage.credentials_stored_unencrypted": {
39
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
40
+ },
41
+ "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
42
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
43
+ },
44
+ "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
45
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
46
+ },
47
+ "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
48
+ "1.2": "insufficient_security_configurability.no_password_policy"
49
+ },
50
+ "missing_function_level_access_control": {
51
+ "1.3": "broken_access_control"
52
+ },
53
+ "missing_function_level_access_control.server_side_request_forgery_ssrf": {
54
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf"
55
+ },
56
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
57
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
58
+ },
59
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
60
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
61
+ },
62
+ "missing_function_level_access_control.username_enumeration": {
63
+ "1.3": "broken_access_control.username_enumeration"
64
+ },
65
+ "missing_function_level_access_control.username_enumeration.data_leak": {
66
+ "1.3": "broken_access_control.username_enumeration.data_leak"
67
+ },
68
+ "missing_function_level_access_control.exposed_sensitive_android_intent": {
69
+ "1.3": "broken_access_control.exposed_sensitive_android_intent"
70
+ },
71
+ "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
72
+ "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
73
+ },
74
+ "insecure_direct_object_references_idor": {
75
+ "1.3": "broken_access_control.idor"
76
+ },
77
+ "broken_authentication_and_session_management.weak_login_function.over_http": {
78
+ "1.4": "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default"
79
+ },
80
+ "cross_site_scripting_xss.ie_only.older_version_ie_10_11": {
81
+ "1.4": "cross_site_scripting_xss.ie_only.ie11"
82
+ },
83
+ "cross_site_scripting_xss.ie_only.older_version_ie10": {
84
+ "1.4": "cross_site_scripting_xss.ie_only.older_version_ie11"
85
+ },
86
+ "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset": {
87
+ "1.4": "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change"
88
+ },
89
+ "network_security_misconfiguration.telnet_enabled.credentials_required": {
90
+ "1.4": "broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative"
91
+ },
92
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain": {
93
+ "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
94
+ },
95
+ "server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration": {
96
+ "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
97
+ },
98
+ "cross_site_scripting_xss.stored.admin_to_anyone": {
99
+ "1.5": "cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation"
100
+ },
101
+ "server_security_misconfiguration.misconfigured_dns.subdomain_takeover": {
102
+ "1.5": "server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover"
103
+ },
104
+ "server_security_misconfiguration.captcha_bypass": {
105
+ "1.5": "server_security_misconfiguration.captcha"
106
+ },
107
+ "server_security_misconfiguration.captcha_bypass.implementation_vulnerability": {
108
+ "1.5": "server_security_misconfiguration.captcha.implementation_vulnerability"
109
+ },
110
+ "server_security_misconfiguration.captcha_bypass.brute_force": {
111
+ "1.5": "server_security_misconfiguration.captcha.brute_force"
112
+ },
113
+ "broken_access_control.server_side_request_forgery_ssrf.internal": {
114
+ "1.6": "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact"
115
+ },
116
+ "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain": {
117
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain"
118
+ },
119
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain": {
120
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
121
+ },
122
+ "server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail": {
123
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
124
+ },
125
+ "server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups": {
126
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
127
+ },
128
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc": {
129
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain"
130
+ }
131
+ }
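Review bot: Several mapping targets in this file are themselves deprecated by a later entry, so a consumer that resolves an id with a single lookup can return an id that no longer exists at the requested version: `missing_function_level_access_control.server_side_request_forgery_ssrf.internal` maps at `"1.3"` to `broken_access_control.server_side_request_forgery_ssrf.internal`, which is remapped at `"1.6"` to `broken_access_control.server_side_request_forgery_ssrf.internal_high_impact`, and the two `"1.5"` entries that target `server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain` are remapped again at `"1.6"`. Unless the loader (not in this diff) iterates until the result has no further mapping at or below the target version, these chains need flattening here. The `"1.1"` entries map to the bare value `"other"` while every other target is a fully qualified node path, so callers must special-case that sentinel; a short README note stating both the chaining rule and the `"other"` convention would make the contract explicit. The version keys are strings (`"1.2"`, `"1.6"`), so selecting "the latest mapping not above version X" has to compare them numerically rather than lexically.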
@@ -0,0 +1,825 @@
1
+ {
2
+ "metadata": {
3
+ "default": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "children": [
9
+ {
10
+ "id": "unsafe_cross_origin_resource_sharing",
11
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
12
+ },
13
+ {
14
+ "id": "path_traversal",
15
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
16
+ },
17
+ {
18
+ "id": "directory_listing_enabled",
19
+ "children": [
20
+ {
21
+ "id": "sensitive_data_exposure",
22
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
23
+ },
24
+ {
25
+ "id": "non_sensitive_data_exposure",
26
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
27
+ }
28
+ ]
29
+ },
30
+ {
31
+ "id": "same_site_scripting",
32
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
33
+ },
34
+ {
35
+ "id": "ssl_attack_breach_poodle_etc",
36
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
37
+ },
38
+ {
39
+ "id": "using_default_credentials",
40
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
41
+ },
42
+ {
43
+ "id": "misconfigured_dns",
44
+ "children": [
45
+ {
46
+ "id": "basic_subdomain_takeover",
47
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
48
+ },
49
+ {
50
+ "id": "high_impact_subdomain_takeover",
51
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
52
+ },
53
+ {
54
+ "id": "zone_transfer",
55
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
56
+ },
57
+ {
58
+ "id": "missing_caa_record",
59
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
60
+ }
61
+ ]
62
+ },
63
+ {
64
+ "id": "mail_server_misconfiguration",
65
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
66
+ "children": [
67
+ {
68
+ "id": "no_spoofing_protection_on_email_domain",
69
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
70
+ },
71
+ {
72
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
73
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
74
+ }
75
+ ]
76
+ },
77
+ {
78
+ "id": "dbms_misconfiguration",
79
+ "children": [
80
+ {
81
+ "id": "excessively_privileged_user_dba",
82
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
83
+ }
84
+ ]
85
+ },
86
+ {
87
+ "id": "lack_of_password_confirmation",
88
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
89
+ "children": [
90
+ {
91
+ "id": "manage_two_fa",
92
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
93
+ }
94
+ ]
95
+ },
96
+ {
97
+ "id": "no_rate_limiting_on_form",
98
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
99
+ "children": [
100
+ {
101
+ "id": "login",
102
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
103
+ }
104
+ ]
105
+ },
106
+ {
107
+ "id": "unsafe_file_upload",
108
+ "children": [
109
+ {
110
+ "id": "no_antivirus",
111
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
112
+ },
113
+ {
114
+ "id": "no_size_limit",
115
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
116
+ },
117
+ {
118
+ "id": "file_extension_filter_bypass",
119
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
120
+ }
121
+ ]
122
+ },
123
+ {
124
+ "id": "cookie_scoped_to_parent_domain",
125
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
126
+ },
127
+ {
128
+ "id": "missing_secure_or_httponly_cookie_flag",
129
+ "children": [
130
+ {
131
+ "id": "session_token",
132
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
133
+ },
134
+ {
135
+ "id": "non_session_cookie",
136
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
137
+ }
138
+ ]
139
+ },
140
+ {
141
+ "id": "clickjacking",
142
+ "children": [
143
+ {
144
+ "id": "sensitive_action",
145
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
146
+ },
147
+ {
148
+ "id": "form_input",
149
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
150
+ },
151
+ {
152
+ "id": "non_sensitive_action",
153
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
154
+ }
155
+ ]
156
+ },
157
+ {
158
+ "id": "oauth_misconfiguration",
159
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
160
+ "children": [
161
+ {
162
+ "id": "account_takeover",
163
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
164
+ }
165
+ ]
166
+ },
167
+ {
168
+ "id": "captcha",
169
+ "children": [
170
+ {
171
+ "id": "implementation_vulnerability",
172
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
173
+ },
174
+ {
175
+ "id": "brute_force",
176
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
177
+ },
178
+ {
179
+ "id": "missing",
180
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
181
+ }
182
+ ]
183
+ },
184
+ {
185
+ "id": "exposed_admin_portal",
186
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
187
+ },
188
+ {
189
+ "id": "missing_dnssec",
190
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
191
+ },
192
+ {
193
+ "id": "fingerprinting_banner_disclosure",
194
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
195
+ },
196
+ {
197
+ "id": "username_enumeration",
198
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
199
+ },
200
+ {
201
+ "id": "potentially_unsafe_http_method_enabled",
202
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
203
+ },
204
+ {
205
+ "id": "insecure_ssl",
206
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
207
+ },
208
+ {
209
+ "id": "rfd",
210
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
211
+ },
212
+ {
213
+ "id": "lack_of_security_headers",
214
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
215
+ "children": [
216
+ {
217
+ "id": "cache_control_for_a_sensitive_page",
218
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
219
+ }
220
+ ]
221
+ },
222
+ {
223
+ "id": "waf_bypass",
224
+ "children": [
225
+ {
226
+ "id": "direct_server_access",
227
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
228
+ }
229
+ ]
230
+ },
231
+ {
232
+ "id": "bitsquatting",
233
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
234
+ }
235
+ ]
236
+ },
237
+ {
238
+ "id": "server_side_injection",
239
+ "children": [
240
+ {
241
+ "id": "file_inclusion",
242
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
243
+ },
244
+ {
245
+ "id": "parameter_pollution",
246
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
247
+ },
248
+ {
249
+ "id": "remote_code_execution_rce",
250
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
251
+ },
252
+ {
253
+ "id": "sql_injection",
254
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
255
+ },
256
+ {
257
+ "id": "xml_external_entity_injection_xxe",
258
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
259
+ },
260
+ {
261
+ "id": "http_response_manipulation",
262
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
263
+ },
264
+ {
265
+ "id": "content_spoofing",
266
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
267
+ "children": [
268
+ {
269
+ "id": "iframe_injection",
270
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
271
+ },
272
+ {
273
+ "id": "external_authentication_injection",
274
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
275
+ },
276
+ {
277
+ "id": "flash_based_external_authentication_injection",
278
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
279
+ },
280
+ {
281
+ "id": "email_html_injection",
282
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
283
+ }
284
+ ]
285
+ }
286
+ ]
287
+ },
288
+ {
289
+ "id": "broken_authentication_and_session_management",
290
+ "children": [
291
+ {
292
+ "id": "authentication_bypass",
293
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
294
+ },
295
+ {
296
+ "id": "two_fa_bypass",
297
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
298
+ },
299
+ {
300
+ "id": "privilege_escalation",
301
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
302
+ },
303
+ {
304
+ "id": "cleartext_transmission_of_session_token",
305
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
306
+ },
307
+ {
308
+ "id": "weak_login_function",
309
+ "children": [
310
+ {
311
+ "id": "not_operational",
312
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
313
+ },
314
+ {
315
+ "id": "other_plaintext_protocol_no_secure_alternative",
316
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
317
+ },
318
+ {
319
+ "id": "lan_only",
320
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
321
+ },
322
+ {
323
+ "id": "http_and_https_available",
324
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
325
+ },
326
+ {
327
+ "id": "https_not_available_or_http_by_default",
328
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
329
+ }
330
+ ]
331
+ },
332
+ {
333
+ "id": "session_fixation",
334
+ "children": [
335
+ {
336
+ "id": "remote_attack_vector",
337
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
338
+ },
339
+ {
340
+ "id": "local_attack_vector",
341
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
342
+ }
343
+ ]
344
+ },
345
+ {
346
+ "id": "failure_to_invalidate_session",
347
+ "children": [
348
+ {
349
+ "id": "on_logout",
350
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
351
+ },
352
+ {
353
+ "id": "on_logout_server_side_only",
354
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
355
+ },
356
+ {
357
+ "id": "on_password_change",
358
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
359
+ },
360
+ {
361
+ "id": "all_sessions",
362
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
363
+ },
364
+ {
365
+ "id": "on_email_change",
366
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
367
+ },
368
+ {
369
+ "id": "long_timeout",
370
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
371
+ }
372
+ ]
373
+ },
374
+ {
375
+ "id": "concurrent_logins",
376
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
377
+ },
378
+ {
379
+ "id": "weak_registration_implementation",
380
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
381
+ }
382
+ ]
383
+ },
384
+ {
385
+ "id": "sensitive_data_exposure",
386
+ "children": [
387
+ {
388
+ "id": "critically_sensitive_data",
389
+ "children": [
390
+ {
391
+ "id": "password_disclosure",
392
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
393
+ },
394
+ {
395
+ "id": "private_api_keys",
396
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
397
+ }
398
+ ]
399
+ },
400
+ {
401
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
402
+ "children": [
403
+ {
404
+ "id": "automatic_user_enumeration",
405
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
406
+ },
407
+ {
408
+ "id": "manual_user_enumeration",
409
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
410
+ }
411
+ ]
412
+ },
413
+ {
414
+ "id": "visible_detailed_error_page",
415
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
416
+ "children": [
417
+ {
418
+ "id": "detailed_server_configuration",
419
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
420
+ }
421
+ ]
422
+ },
423
+ {
424
+ "id": "disclosure_of_known_public_information",
425
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
426
+ },
427
+ {
428
+ "id": "token_leakage_via_referer",
429
+ "children": [
430
+ {
431
+ "id": "trusted_3rd_party",
432
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
433
+ },
434
+ {
435
+ "id": "untrusted_3rd_party",
436
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
437
+ },
438
+ {
439
+ "id": "over_http",
440
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
441
+ }
442
+ ]
443
+ },
444
+ {
445
+ "id": "sensitive_token_in_url",
446
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
447
+ },
448
+ {
449
+ "id": "non_sensitive_token_in_url",
450
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
451
+ },
452
+ {
453
+ "id": "weak_password_reset_implementation",
454
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
455
+ },
456
+ {
457
+ "id": "mixed_content",
458
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
459
+ },
460
+ {
461
+ "id": "sensitive_data_hardcoded",
462
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
463
+ },
464
+ {
465
+ "id": "internal_ip_disclosure",
466
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
467
+ },
468
+ {
469
+ "id": "xssi",
470
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
471
+ },
472
+ {
473
+ "id": "json_hijacking",
474
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
475
+ }
476
+ ]
477
+ },
478
+ {
479
+ "id": "cross_site_scripting_xss",
480
+ "children": [
481
+ {
482
+ "id": "stored",
483
+ "children": [
484
+ {
485
+ "id": "non_admin_to_anyone",
486
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
487
+ },
488
+ {
489
+ "id": "privileged_user_to_privilege_elevation",
490
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
491
+ },
492
+ {
493
+ "id": "privileged_user_to_no_privilege_elevation",
494
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
495
+ },
496
+ {
497
+ "id": "url_based",
498
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
499
+ },
500
+ {
501
+ "id": "self",
502
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
503
+ }
504
+ ]
505
+ },
506
+ {
507
+ "id": "reflected",
508
+ "children": [
509
+ {
510
+ "id": "non_self",
511
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
512
+ },
513
+ {
514
+ "id": "self",
515
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
516
+ }
517
+ ]
518
+ },
519
+ {
520
+ "id": "flash_based",
521
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
522
+ },
523
+ {
524
+ "id": "cookie_based",
525
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
526
+ },
527
+ {
528
+ "id": "ie_only",
529
+ "children": [
530
+ {
531
+ "id": "ie11",
532
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
533
+ },
534
+ {
535
+ "id": "xss_filter_disabled",
536
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
537
+ },
538
+ {
539
+ "id": "older_version_ie11",
540
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
541
+ }
542
+ ]
543
+ },
544
+ {
545
+ "id": "referer",
546
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
547
+ },
548
+ {
549
+ "id": "trace_method",
550
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
551
+ },
552
+ {
553
+ "id": "universal_uxss",
554
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
555
+ },
556
+ {
557
+ "id": "off_domain",
558
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
559
+ }
560
+ ]
561
+ },
562
+ {
563
+ "id": "broken_access_control",
564
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
565
+ "children": [
566
+ {
567
+ "id": "server_side_request_forgery_ssrf",
568
+ "children": [
569
+ {
570
+ "id": "internal_high_impact",
571
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
572
+ },
573
+ {
574
+ "id": "internal_scan_and_or_medium_impact",
575
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
576
+ },
577
+ {
578
+ "id": "external",
579
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
580
+ }
581
+ ]
582
+ },
583
+ {
584
+ "id": "username_enumeration",
585
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
586
+ }
587
+ ]
588
+ },
589
+ {
590
+ "id": "cross_site_request_forgery_csrf",
591
+ "children": [
592
+ {
593
+ "id": "application_wide",
594
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
595
+ },
596
+ {
597
+ "id": "action_specific",
598
+ "children": [
599
+ {
600
+ "id": "authenticated_action",
601
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
602
+ },
603
+ {
604
+ "id": "unauthenticated_action",
605
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
606
+ },
607
+ {
608
+ "id": "logout",
609
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
610
+ }
611
+ ]
612
+ },
613
+ {
614
+ "id": "csrf_token_not_unique_per_request",
615
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
616
+ }
617
+ ]
618
+ },
619
+ {
620
+ "id": "application_level_denial_of_service_dos",
621
+ "children": [
622
+ {
623
+ "id": "critical_impact_and_or_easy_difficulty",
624
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
625
+ },
626
+ {
627
+ "id": "high_impact_and_or_medium_difficulty",
628
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
629
+ },
630
+ {
631
+ "id": "app_crash",
632
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
633
+ }
634
+ ]
635
+ },
636
+ {
637
+ "id": "unvalidated_redirects_and_forwards",
638
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
639
+ "children": [
640
+ {
641
+ "id": "open_redirect",
642
+ "children": [
643
+ {
644
+ "id": "get_based",
645
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
646
+ }
647
+ ]
648
+ }
649
+ ]
650
+ },
651
+ {
652
+ "id": "external_behavior",
653
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
654
+ },
655
+ {
656
+ "id": "insufficient_security_configurability",
657
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
658
+ "children": [
659
+ {
660
+ "id": "no_password_policy",
661
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
662
+ },
663
+ {
664
+ "id": "weak_password_reset_implementation",
665
+ "children": [
666
+ {
667
+ "id": "token_is_not_invalidated_after_use",
668
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
669
+ }
670
+ ]
671
+ }
672
+ ]
673
+ },
674
+ {
675
+ "id": "using_components_with_known_vulnerabilities",
676
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
677
+ "children": [
678
+ {
679
+ "id": "rosetta_flash",
680
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
681
+ }
682
+ ]
683
+ },
684
+ {
685
+ "id": "insecure_data_storage",
686
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
687
+ "children": [
688
+ {
689
+ "id": "sensitive_application_data_stored_unencrypted",
690
+ "children": [
691
+ {
692
+ "id": "on_external_storage",
693
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
694
+ }
695
+ ]
696
+ },
697
+ {
698
+ "id": "server_side_credentials_storage",
699
+ "children": [
700
+ {
701
+ "id": "plaintext",
702
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N"
703
+ }
704
+ ]
705
+ }
706
+ ]
707
+ },
708
+ {
709
+ "id": "lack_of_binary_hardening",
710
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
711
+ },
712
+ {
713
+ "id": "insecure_data_transport",
714
+ "children": [
715
+ {
716
+ "id": "cleartext_transmission_of_sensitive_data",
717
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
718
+ },
719
+ {
720
+ "id": "executable_download",
721
+ "children": [
722
+ {
723
+ "id": "no_secure_integrity_check",
724
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
725
+ },
726
+ {
727
+ "id": "secure_integrity_check",
728
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
729
+ }
730
+ ]
731
+ }
732
+ ]
733
+ },
734
+ {
735
+ "id": "insecure_os_firmware",
736
+ "children": [
737
+ {
738
+ "id": "command_injection",
739
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
740
+ },
741
+ {
742
+ "id": "hardcoded_password",
743
+ "children": [
744
+ {
745
+ "id": "privileged_user",
746
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
747
+ },
748
+ {
749
+ "id": "non_privileged_user",
750
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
751
+ }
752
+ ]
753
+ }
754
+ ]
755
+ },
756
+ {
757
+ "id": "broken_cryptography",
758
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
759
+ },
760
+ {
761
+ "id": "privacy_concerns",
762
+ "children": [
763
+ {
764
+ "id": "unnecessary_data_collection",
765
+ "children": [
766
+ {
767
+ "id": "wifi_ssid_password",
768
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
769
+ }
770
+ ]
771
+ }
772
+ ]
773
+ },
774
+ {
775
+ "id": "network_security_misconfiguration",
776
+ "children": [
777
+ {
778
+ "id": "telnet_enabled",
779
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
780
+ }
781
+ ]
782
+ },
783
+ {
784
+ "id": "mobile_security_misconfiguration",
785
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
786
+ "children": [
787
+ {
788
+ "id": "clipboard_enabled",
789
+ "children": [
790
+ {
791
+ "id": "on_sensitive_content",
792
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N"
793
+ },
794
+ {
795
+ "id": "on_non_sensitive_content",
796
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
797
+ }
798
+ ]
799
+ }
800
+ ]
801
+ },
802
+ {
803
+ "id": "client_side_injection",
804
+ "children": [
805
+ {
806
+ "id": "binary_planting",
807
+ "children": [
808
+ {
809
+ "id": "privilege_escalation",
810
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
811
+ },
812
+ {
813
+ "id": "non_default_folder_privilege_escalation",
814
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
815
+ },
816
+ {
817
+ "id": "no_privilege_escalation",
818
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
819
+ }
820
+ ]
821
+ }
822
+ ]
823
+ }
824
+ ]
825
+ }
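Review bot: The `cvss_v3` values omit the `CVSS:3.x/` prefix that the CVSS v3 specification defines as the start of a vector string, so the file never states whether these are v3.0 or v3.1 vectors and a parser that requires the prefix will reject them unchanged; recording the minor version once, for instance as a `version` key beside `default` under `metadata`, would remove that ambiguity. A second point is coverage: ids that the deprecation mapping in this same release points at have no entry here — `server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim`, `mobile_security_misconfiguration.ssl_certificate_pinning.absent` and `.defeatable`, and `insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage`. If lookup falls back to the nearest ancestor's `cvss_v3` (the resolver is not in this diff), each of those inherits a parent vector of `C:N/I:N/A:N`, which is indistinguishable from a deliberate no-impact rating. Either add explicit vectors for those leaves or document the fallback rule next to `metadata.default`.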