vrt 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. data/lib/data/1.6/deprecated-node-mapping.json +131 -0
  3. data/lib/data/1.6/mappings/cvss_v3.json +825 -0
  4. data/lib/data/1.6/mappings/cvss_v3.schema.json +59 -0
  5. data/lib/data/1.6/mappings/cwe.json +423 -0
  6. data/lib/data/1.6/mappings/cwe.schema.json +63 -0
  7. data/lib/data/1.6/mappings/remediation_advice.json +1193 -0
  8. data/lib/data/1.6/mappings/remediation_advice.schema.json +75 -0
  9. data/lib/data/1.6/vrt.schema.json +63 -0
  10. data/lib/data/1.6/vulnerability-rating-taxonomy.json +1783 -0
  11. data/lib/vrt/version.rb +1 -1
  12. metadata +11 -2
data/lib/data/1.6/mappings/remediation_advice.schema.json ADDED
@@ -0,0 +1,75 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-04/schema#",
3
+ "title": "VRT to Remediation Advice",
4
+ "description": "Mapping from the Vulnerability Rating Taxonomy to Remediation Advice",
5
+ "definitions": {
6
+ "MappingMetadata": {
7
+ "type": "object",
8
+ "properties": {
9
+ "default": { "type": "null" },
10
+ "keys": { "type": "array",
11
+ "items": { "type": "string", "enum": ["remediation_advice", "references"] },
12
+ "minItems": 2,
13
+ "uniqueItems": true
14
+ }
15
+ },
16
+ "required": ["default", "keys"]
17
+ },
18
+ "VRTid": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
19
+ "RemediationAdvice": { "type": "string" },
20
+ "References": { "type" : "array",
21
+ "items" : { "type": "string", "pattern": "^http[s]?:\/\/.*$" },
22
+ "minItems": 1,
23
+ "uniqueItems": true
24
+ },
25
+ "Mapping": {
26
+ "type": "object",
27
+ "properties": {
28
+ "id": { "$ref": "#/definitions/VRTid" },
29
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
30
+ "references" : { "$ref": "#/definitions/References" }
31
+ },
32
+ "required": ["id"],
33
+ "anyOf": [
34
+ { "required": ["remediation_advice"] },
35
+ { "required": ["references"] }
36
+ ],
37
+ "additionalProperties": false
38
+ },
39
+ "MappingParent": {
40
+ "type": "object",
41
+ "properties": {
42
+ "id": { "$ref": "#/definitions/VRTid" },
43
+ "children": {
44
+ "type": "array",
45
+ "items" : {
46
+ "anyOf": [
47
+ { "$ref": "#/definitions/MappingParent" },
48
+ { "$ref": "#/definitions/Mapping" }
49
+ ]
50
+ }
51
+ },
52
+ "remediation_advice" : { "$ref": "#/definitions/RemediationAdvice" },
53
+ "references" : { "$ref": "#/definitions/References" }
54
+ },
55
+ "required": ["id", "children"],
56
+ "additionalProperties": false
57
+ }
58
+ },
59
+ "type": "object",
60
+ "required": ["metadata", "content"],
61
+ "properties": {
62
+ "metadata": {
63
+ "$ref": "#/definitions/MappingMetadata"
64
+ },
65
+ "content": {
66
+ "type": "array",
67
+ "items" : {
68
+ "anyOf": [
69
+ { "$ref": "#/definitions/MappingParent" },
70
+ { "$ref": "#/definitions/Mapping" }
71
+ ]
72
+ }
73
+ }
74
+ }
75
+ }
data/lib/data/1.6/vrt.schema.json ADDED
@@ -0,0 +1,63 @@
1
+ {
2
+ "$schema": "http://json-schema.org/draft-04/schema#",
3
+ "title": "Vulnerability Rating Taxonomy",
4
+ "description": "A Taxonomy of potential vulnerabilities with suggested technical priority rating",
5
+ "definitions": {
6
+ "VRTmetadata": {
7
+ "type": "object",
8
+ "properties": {
9
+ "release_date": { "type": "string", "format": "date-time" }
10
+ }
11
+ },
12
+ "VRT": {
13
+ "type": "object",
14
+ "properties": {
15
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
16
+ "type": { "type": "string", "enum": [ "category", "subcategory", "variant" ] },
17
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
18
+ "priority": {
19
+ "anyOf": [
20
+ { "type": "number", "minimum": 1, "maximum": 5 },
21
+ { "type": "null" }
22
+ ]
23
+ }
24
+ },
25
+ "required": ["id", "name", "type", "priority"]
26
+ },
27
+ "VRTparent": {
28
+ "type": "object",
29
+ "properties": {
30
+ "id": { "type": "string", "pattern": "^[a-z_][a-z_0-9]*$" },
31
+ "name": { "type": "string", "pattern": "^[ a-zA-Z0-9-+()\/,.<]*$" },
32
+ "type": { "type": "string", "enum": [ "category", "subcategory" ] },
33
+ "children": {
34
+ "type": "array",
35
+ "items" : {
36
+ "anyOf": [
37
+ { "$ref": "#/definitions/VRTparent" },
38
+ { "$ref": "#/definitions/VRT" }
39
+ ]
40
+ },
41
+ "minItems": 1
42
+ }
43
+ },
44
+ "required": ["id", "name", "type", "children"]
45
+ }
46
+ },
47
+ "type": "object",
48
+ "required": ["metadata", "content"],
49
+ "properties": {
50
+ "metadata": {
51
+ "$ref": "#/definitions/VRTmetadata"
52
+ },
53
+ "content": {
54
+ "type": "array",
55
+ "items" : {
56
+ "anyOf": [
57
+ { "$ref": "#/definitions/VRTparent" },
58
+ { "$ref": "#/definitions/VRT" }
59
+ ]
60
+ }
61
+ }
62
+ }
63
+ }
data/lib/data/1.6/vulnerability-rating-taxonomy.json ADDED
@@ -0,0 +1,1783 @@
1
+ {
2
+ "metadata": {
3
+ "release_date": "2018-11-2T18:00:00+00:00"
4
+ },
5
+ "content": [
6
+ {
7
+ "id": "server_security_misconfiguration",
8
+ "name": "Server Security Misconfiguration",
9
+ "type": "category",
10
+ "children": [
11
+ {
12
+ "id": "unsafe_cross_origin_resource_sharing",
13
+ "name": "Unsafe Cross-Origin Resource Sharing",
14
+ "type": "subcategory",
15
+ "priority": null
16
+ },
17
+ {
18
+ "id": "path_traversal",
19
+ "name": "Path Traversal",
20
+ "type": "subcategory",
21
+ "priority": null
22
+ },
23
+ {
24
+ "id": "directory_listing_enabled",
25
+ "name": "Directory Listing Enabled",
26
+ "type": "subcategory",
27
+ "children": [
28
+ {
29
+ "id": "sensitive_data_exposure",
30
+ "name": "Sensitive Data Exposure",
31
+ "type": "variant",
32
+ "priority": null
33
+ },
34
+ {
35
+ "id": "non_sensitive_data_exposure",
36
+ "name": "Non-Sensitive Data Exposure",
37
+ "type": "variant",
38
+ "priority": 5
39
+ }
40
+ ]
41
+ },
42
+ {
43
+ "id": "same_site_scripting",
44
+ "name": "Same-Site Scripting",
45
+ "type": "subcategory",
46
+ "priority": 5
47
+ },
48
+ {
49
+ "id": "ssl_attack_breach_poodle_etc",
50
+ "name": "SSL Attack (BREACH, POODLE etc.)",
51
+ "type": "subcategory",
52
+ "priority": null
53
+ },
54
+ {
55
+ "id": "using_default_credentials",
56
+ "name": "Using Default Credentials",
57
+ "type": "subcategory",
58
+ "priority": 1
59
+ },
60
+ {
61
+ "id": "misconfigured_dns",
62
+ "name": "Misconfigured DNS",
63
+ "type": "subcategory",
64
+ "children": [
65
+ {
66
+ "id": "basic_subdomain_takeover",
67
+ "name": "Basic Subdomain Takeover",
68
+ "type": "variant",
69
+ "priority": 3
70
+ },
71
+ {
72
+ "id": "high_impact_subdomain_takeover",
73
+ "name": "High Impact Subdomain Takeover",
74
+ "type": "variant",
75
+ "priority": 2
76
+ },
77
+ {
78
+ "id": "zone_transfer",
79
+ "name": "Zone Transfer",
80
+ "type": "variant",
81
+ "priority": 4
82
+ },
83
+ {
84
+ "id": "missing_caa_record",
85
+ "name": "Missing Certification Authority Authorization (CAA) Record",
86
+ "type": "variant",
87
+ "priority": 5
88
+ }
89
+ ]
90
+ },
91
+ {
92
+ "id": "mail_server_misconfiguration",
93
+ "name": "Mail Server Misconfiguration",
94
+ "type": "subcategory",
95
+ "children": [
96
+ {
97
+ "id": "no_spoofing_protection_on_email_domain",
98
+ "name": "No Spoofing Protection on Email Domain",
99
+ "type": "variant",
100
+ "priority": 3
101
+ },
102
+ {
103
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
104
+ "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
105
+ "type": "variant",
106
+ "priority": 4
107
+ },
108
+ {
109
+ "id": "email_spoofing_to_spam_folder",
110
+ "name": "Email Spoofing to Spam Folder",
111
+ "type": "variant",
112
+ "priority": 5
113
+ },
114
+ {
115
+ "id": "missing_or_misconfigured_spf_and_or_dkim",
116
+ "name": "Missing or Misconfigured SPF and/or DKIM",
117
+ "type": "variant",
118
+ "priority": 5
119
+ }
120
+ ]
121
+ },
122
+ {
123
+ "id": "dbms_misconfiguration",
124
+ "name": "Database Management System (DBMS) Misconfiguration",
125
+ "type": "subcategory",
126
+ "children": [
127
+ {
128
+ "id": "excessively_privileged_user_dba",
129
+ "name": "Excessively Privileged User / DBA",
130
+ "type": "variant",
131
+ "priority": 4
132
+ }
133
+ ]
134
+ },
135
+ {
136
+ "id": "lack_of_password_confirmation",
137
+ "name": "Lack of Password Confirmation",
138
+ "type": "subcategory",
139
+ "children": [
140
+ {
141
+ "id": "change_email_address",
142
+ "name": "Change Email Address",
143
+ "type": "variant",
144
+ "priority": 5
145
+ },
146
+ {
147
+ "id": "change_password",
148
+ "name": "Change Password",
149
+ "type": "variant",
150
+ "priority": 5
151
+ },
152
+ {
153
+ "id": "delete_account",
154
+ "name": "Delete Account",
155
+ "type": "variant",
156
+ "priority": 4
157
+ },
158
+ {
159
+ "id": "manage_two_fa",
160
+ "name": "Manage 2FA",
161
+ "type": "variant",
162
+ "priority": 5
163
+ }
164
+ ]
165
+ },
166
+ {
167
+ "id": "no_rate_limiting_on_form",
168
+ "name": "No Rate Limiting on Form",
169
+ "type": "subcategory",
170
+ "children": [
171
+ {
172
+ "id": "registration",
173
+ "name": "Registration",
174
+ "type": "variant",
175
+ "priority": 4
176
+ },
177
+ {
178
+ "id": "login",
179
+ "name": "Login",
180
+ "type": "variant",
181
+ "priority": 4
182
+ },
183
+ {
184
+ "id": "email_triggering",
185
+ "name": "Email-Triggering",
186
+ "type": "variant",
187
+ "priority": 4
188
+ },
189
+ {
190
+ "id": "sms_triggering",
191
+ "name": "SMS-Triggering",
192
+ "type": "variant",
193
+ "priority": 4
194
+ }
195
+ ]
196
+ },
197
+ {
198
+ "id": "unsafe_file_upload",
199
+ "name": "Unsafe File Upload",
200
+ "type": "subcategory",
201
+ "children": [
202
+ {
203
+ "id": "no_antivirus",
204
+ "name": "No Antivirus",
205
+ "type": "variant",
206
+ "priority": 5
207
+ },
208
+ {
209
+ "id": "no_size_limit",
210
+ "name": "No Size Limit",
211
+ "type": "variant",
212
+ "priority": 5
213
+ },
214
+ {
215
+ "id": "file_extension_filter_bypass",
216
+ "name": "File Extension Filter Bypass",
217
+ "type": "variant",
218
+ "priority": 5
219
+ }
220
+ ]
221
+ },
222
+ {
223
+ "id": "cookie_scoped_to_parent_domain",
224
+ "name": "Cookie Scoped to Parent Domain",
225
+ "type": "subcategory",
226
+ "priority": 5
227
+ },
228
+ {
229
+ "id": "missing_secure_or_httponly_cookie_flag",
230
+ "name": "Missing Secure or HTTPOnly Cookie Flag",
231
+ "type": "subcategory",
232
+ "children": [
233
+ {
234
+ "id": "session_token",
235
+ "name": "Session Token",
236
+ "type": "variant",
237
+ "priority": 4
238
+ },
239
+ {
240
+ "id": "non_session_cookie",
241
+ "name": "Non-Session Cookie",
242
+ "type": "variant",
243
+ "priority": 5
244
+ }
245
+ ]
246
+ },
247
+ {
248
+ "id": "clickjacking",
249
+ "name": "Clickjacking",
250
+ "type": "subcategory",
251
+ "children": [
252
+ {
253
+ "id": "sensitive_action",
254
+ "name": "Sensitive Click-Based Action",
255
+ "type": "variant",
256
+ "priority": 4
257
+ },
258
+ {
259
+ "id": "form_input",
260
+ "name": "Form Input",
261
+ "type": "variant",
262
+ "priority": 5
263
+ },
264
+ {
265
+ "id": "non_sensitive_action",
266
+ "name": "Non-Sensitive Action",
267
+ "type": "variant",
268
+ "priority": 5
269
+ }
270
+ ]
271
+ },
272
+ {
273
+ "id": "oauth_misconfiguration",
274
+ "name": "OAuth Misconfiguration",
275
+ "type": "subcategory",
276
+ "children": [
277
+ {
278
+ "id": "account_takeover",
279
+ "name": "Account Takeover",
280
+ "type": "variant",
281
+ "priority": 2
282
+ },
283
+ {
284
+ "id": "missing_state_parameter",
285
+ "name": "Missing/Broken State Parameter",
286
+ "type": "variant",
287
+ "priority": null
288
+ },
289
+ {
290
+ "id": "insecure_redirect_uri",
291
+ "name": "Insecure Redirect URI",
292
+ "type": "variant",
293
+ "priority": null
294
+ }
295
+ ]
296
+ },
297
+ {
298
+ "id": "captcha",
299
+ "name": "CAPTCHA",
300
+ "type": "subcategory",
301
+ "children": [
302
+ {
303
+ "id": "implementation_vulnerability",
304
+ "name": "Implementation Vulnerability",
305
+ "type": "variant",
306
+ "priority": 4
307
+ },
308
+ {
309
+ "id": "brute_force",
310
+ "name": "Brute Force",
311
+ "type": "variant",
312
+ "priority": 5
313
+ },
314
+ {
315
+ "id": "missing",
316
+ "name": "Missing",
317
+ "type": "variant",
318
+ "priority": 5
319
+ }
320
+ ]
321
+ },
322
+ {
323
+ "id": "exposed_admin_portal",
324
+ "name": "Exposed Admin Portal",
325
+ "type": "subcategory",
326
+ "children": [
327
+ {
328
+ "id": "to_internet",
329
+ "name": "To Internet",
330
+ "type": "variant",
331
+ "priority": 5
332
+ }
333
+ ]
334
+ },
335
+ {
336
+ "id": "missing_dnssec",
337
+ "name": "Missing DNSSEC",
338
+ "type": "subcategory",
339
+ "priority": 5
340
+ },
341
+ {
342
+ "id": "fingerprinting_banner_disclosure",
343
+ "name": "Fingerprinting/Banner Disclosure",
344
+ "type": "subcategory",
345
+ "priority": 5
346
+ },
347
+ {
348
+ "id": "username_enumeration",
349
+ "name": "Username Enumeration",
350
+ "type": "subcategory",
351
+ "children": [
352
+ {
353
+ "id": "brute_force",
354
+ "name": "Brute Force",
355
+ "type": "variant",
356
+ "priority": 5
357
+ }
358
+ ]
359
+ },
360
+ {
361
+ "id": "potentially_unsafe_http_method_enabled",
362
+ "name": "Potentially Unsafe HTTP Method Enabled",
363
+ "type": "subcategory",
364
+ "children": [
365
+ {
366
+ "id": "options",
367
+ "name": "OPTIONS",
368
+ "type": "variant",
369
+ "priority": 5
370
+ },
371
+ {
372
+ "id": "trace",
373
+ "name": "TRACE",
374
+ "type": "variant",
375
+ "priority": 5
376
+ }
377
+ ]
378
+ },
379
+ {
380
+ "id": "insecure_ssl",
381
+ "name": "Insecure SSL",
382
+ "type": "subcategory",
383
+ "children": [
384
+ {
385
+ "id": "lack_of_forward_secrecy",
386
+ "name": "Lack of Forward Secrecy",
387
+ "type": "variant",
388
+ "priority": 5
389
+ },
390
+ {
391
+ "id": "insecure_cipher_suite",
392
+ "name": "Insecure Cipher Suite",
393
+ "type": "variant",
394
+ "priority": 5
395
+ },
396
+ {
397
+ "id": "certificate_error",
398
+ "name": "Certificate Error",
399
+ "type": "variant",
400
+ "priority": 5
401
+ }
402
+ ]
403
+ },
404
+ {
405
+ "id": "rfd",
406
+ "name": "Reflected File Download (RFD)",
407
+ "type": "subcategory",
408
+ "priority": 5
409
+ },
410
+ {
411
+ "id": "lack_of_security_headers",
412
+ "name": "Lack of Security Headers",
413
+ "type": "subcategory",
414
+ "children": [
415
+ {
416
+ "id": "x_frame_options",
417
+ "name": "X-Frame-Options",
418
+ "type": "variant",
419
+ "priority": 5
420
+ },
421
+ {
422
+ "id": "cache_control_for_a_non_sensitive_page",
423
+ "name": "Cache-Control for a Non-Sensitive Page",
424
+ "type": "variant",
425
+ "priority": 5
426
+ },
427
+ {
428
+ "id": "x_xss_protection",
429
+ "name": "X-XSS-Protection",
430
+ "type": "variant",
431
+ "priority": 5
432
+ },
433
+ {
434
+ "id": "strict_transport_security",
435
+ "name": "Strict-Transport-Security",
436
+ "type": "variant",
437
+ "priority": 5
438
+ },
439
+ {
440
+ "id": "x_content_type_options",
441
+ "name": "X-Content-Type-Options",
442
+ "type": "variant",
443
+ "priority": 5
444
+ },
445
+ {
446
+ "id": "content_security_policy",
447
+ "name": "Content-Security-Policy",
448
+ "type": "variant",
449
+ "priority": 5
450
+ },
451
+ {
452
+ "id": "public_key_pins",
453
+ "name": "Public-Key-Pins",
454
+ "type": "variant",
455
+ "priority": 5
456
+ },
457
+ {
458
+ "id": "x_content_security_policy",
459
+ "name": "X-Content-Security-Policy",
460
+ "type": "variant",
461
+ "priority": 5
462
+ },
463
+ {
464
+ "id": "x_webkit_csp",
465
+ "name": "X-Webkit-CSP",
466
+ "type": "variant",
467
+ "priority": 5
468
+ },
469
+ {
470
+ "id": "content_security_policy_report_only",
471
+ "name": "Content-Security-Policy-Report-Only",
472
+ "type": "variant",
473
+ "priority": 5
474
+ },
475
+ {
476
+ "id": "cache_control_for_a_sensitive_page",
477
+ "name": "Cache-Control for a Sensitive Page",
478
+ "type": "variant",
479
+ "priority": 4
480
+ }
481
+ ]
482
+ },
483
+ {
484
+ "id": "waf_bypass",
485
+ "name": "Web Application Firewall (WAF) Bypass",
486
+ "type": "subcategory",
487
+ "children": [
488
+ {
489
+ "id": "direct_server_access",
490
+ "name": "Direct Server Access",
491
+ "type": "variant",
492
+ "priority": 4
493
+ }
494
+ ]
495
+ },
496
+ {
497
+ "id": "bitsquatting",
498
+ "name": "Bitsquatting",
499
+ "type": "subcategory",
500
+ "priority": 5
501
+ }
502
+ ]
503
+ },
504
+ {
505
+ "id": "server_side_injection",
506
+ "name": "Server-Side Injection",
507
+ "type": "category",
508
+ "children": [
509
+ {
510
+ "id": "file_inclusion",
511
+ "name": "File Inclusion",
512
+ "type": "subcategory",
513
+ "children": [
514
+ {
515
+ "id": "local",
516
+ "name": "Local",
517
+ "type": "variant",
518
+ "priority": 1
519
+ }
520
+ ]
521
+ },
522
+ {
523
+ "id": "parameter_pollution",
524
+ "name": "Parameter Pollution",
525
+ "type": "subcategory",
526
+ "children": [
527
+ {
528
+ "id": "social_media_sharing_buttons",
529
+ "name": "Social Media Sharing Buttons",
530
+ "type": "variant",
531
+ "priority": 5
532
+ }
533
+ ]
534
+ },
535
+ {
536
+ "id": "remote_code_execution_rce",
537
+ "name": "Remote Code Execution (RCE)",
538
+ "type": "subcategory",
539
+ "priority": 1
540
+ },
541
+ {
542
+ "id": "sql_injection",
543
+ "name": "SQL Injection",
544
+ "type": "subcategory",
545
+ "priority": 1
546
+ },
547
+ {
548
+ "id": "xml_external_entity_injection_xxe",
549
+ "name": "XML External Entity Injection (XXE)",
550
+ "type": "subcategory",
551
+ "priority": 1
552
+ },
553
+ {
554
+ "id": "http_response_manipulation",
555
+ "name": "HTTP Response Manipulation",
556
+ "type": "subcategory",
557
+ "children": [
558
+ {
559
+ "id": "response_splitting_crlf",
560
+ "name": "Response Splitting (CRLF)",
561
+ "type": "variant",
562
+ "priority": 3
563
+ }
564
+ ]
565
+ },
566
+ {
567
+ "id": "content_spoofing",
568
+ "name": "Content Spoofing",
569
+ "type": "subcategory",
570
+ "children": [
571
+ {
572
+ "id": "iframe_injection",
573
+ "name": "iframe Injection",
574
+ "type": "variant",
575
+ "priority": 3
576
+ },
577
+ {
578
+ "id": "external_authentication_injection",
579
+ "name": "External Authentication Injection",
580
+ "type": "variant",
581
+ "priority": 4
582
+ },
583
+ {
584
+ "id": "flash_based_external_authentication_injection",
585
+ "name": "Flash Based External Authentication Injection",
586
+ "type": "variant",
587
+ "priority": 5
588
+ },
589
+ {
590
+ "id": "email_html_injection",
591
+ "name": "Email HTML Injection",
592
+ "type": "variant",
593
+ "priority": 4
594
+ },
595
+ {
596
+ "id": "text_injection",
597
+ "name": "Text Injection",
598
+ "type": "variant",
599
+ "priority": 5
600
+ },
601
+ {
602
+ "id": "homograph_idn_based",
603
+ "name": "Homograph/IDN-Based",
604
+ "type": "variant",
605
+ "priority": 5
606
+ },
607
+ {
608
+ "id": "rtlo",
609
+ "name": "Right-to-Left Override (RTLO)",
610
+ "type": "variant",
611
+ "priority": 5
612
+ }
613
+ ]
614
+ }
615
+ ]
616
+ },
617
+ {
618
+ "id": "broken_authentication_and_session_management",
619
+ "name": "Broken Authentication and Session Management",
620
+ "type": "category",
621
+ "children": [
622
+ {
623
+ "id": "authentication_bypass",
624
+ "name": "Authentication Bypass",
625
+ "type": "subcategory",
626
+ "priority": 1
627
+ },
628
+ {
629
+ "id": "two_fa_bypass",
630
+ "name": "Second Factor Authentication (2FA) Bypass",
631
+ "type": "subcategory",
632
+ "priority": 3
633
+ },
634
+ {
635
+ "id": "privilege_escalation",
636
+ "name": "Privilege Escalation",
637
+ "type": "subcategory",
638
+ "priority": null
639
+ },
640
+ {
641
+ "id": "cleartext_transmission_of_session_token",
642
+ "name": "Cleartext Transmission of Session Token",
643
+ "type": "subcategory",
644
+ "priority": 4
645
+ },
646
+ {
647
+ "id": "weak_login_function",
648
+ "name": "Weak Login Function",
649
+ "type": "subcategory",
650
+ "children": [
651
+ {
652
+ "id": "not_operational",
653
+ "name": "Not Operational or Intended Public Access",
654
+ "type": "variant",
655
+ "priority": 5
656
+ },
657
+ {
658
+ "id": "other_plaintext_protocol_no_secure_alternative",
659
+ "name": "Other Plaintext Protocol with no Secure Alternative",
660
+ "type": "variant",
661
+ "priority": 4
662
+ },
663
+ {
664
+ "id": "lan_only",
665
+ "name": "LAN Only",
666
+ "type": "variant",
667
+ "priority": 4
668
+ },
669
+ {
670
+ "id": "http_and_https_available",
671
+ "name": "HTTP and HTTPS Available",
672
+ "type": "variant",
673
+ "priority": 4
674
+ },
675
+ {
676
+ "id": "https_not_available_or_http_by_default",
677
+ "name": "HTTPS not Available or HTTP by Default",
678
+ "type": "variant",
679
+ "priority": 3
680
+ }
681
+ ]
682
+ },
683
+ {
684
+ "id": "session_fixation",
685
+ "name": "Session Fixation",
686
+ "type": "subcategory",
687
+ "children": [
688
+ {
689
+ "id": "remote_attack_vector",
690
+ "name": "Remote Attack Vector",
691
+ "type": "variant",
692
+ "priority": 3
693
+ },
694
+ {
695
+ "id": "local_attack_vector",
696
+ "name": "Local Attack Vector",
697
+ "type": "variant",
698
+ "priority": 5
699
+ }
700
+ ]
701
+ },
702
+ {
703
+ "id": "failure_to_invalidate_session",
704
+ "name": "Failure to Invalidate Session",
705
+ "type": "subcategory",
706
+ "children": [
707
+ {
708
+ "id": "on_logout",
709
+ "name": "On Logout (Client and Server-Side)",
710
+ "type": "variant",
711
+ "priority": 4
712
+ },
713
+ {
714
+ "id": "on_logout_server_side_only",
715
+ "name": "On Logout (Server-Side Only)",
716
+ "type": "variant",
717
+ "priority": 5
718
+ },
719
+ {
720
+ "id": "on_password_change",
721
+ "name": "On Password Reset and/or Change",
722
+ "type": "variant",
723
+ "priority": 4
724
+ },
725
+ {
726
+ "id": "all_sessions",
727
+ "name": "Concurrent Sessions On Logout",
728
+ "type": "variant",
729
+ "priority": 5
730
+ },
731
+ {
732
+ "id": "on_email_change",
733
+ "name": "On Email Change",
734
+ "type": "variant",
735
+ "priority": 5
736
+ },
737
+ {
738
+ "id": "long_timeout",
739
+ "name": "Long Timeout",
740
+ "type": "variant",
741
+ "priority": 5
742
+ }
743
+ ]
744
+ },
745
+ {
746
+ "id": "concurrent_logins",
747
+ "name": "Concurrent Logins",
748
+ "type": "subcategory",
749
+ "priority": 5
750
+ },
751
+ {
752
+ "id": "weak_registration_implementation",
753
+ "name": "Weak Registration Implementation",
754
+ "type": "subcategory",
755
+ "children": [
756
+ {
757
+ "id": "over_http",
758
+ "name": "Over HTTP",
759
+ "type": "variant",
760
+ "priority": 4
761
+ }
762
+ ]
763
+ }
764
+ ]
765
+ },
766
+ {
767
+ "id": "sensitive_data_exposure",
768
+ "name": "Sensitive Data Exposure",
769
+ "type": "category",
770
+ "children": [
771
+ {
772
+ "id": "critically_sensitive_data",
773
+ "name": "Critically Sensitive Data",
774
+ "type": "subcategory",
775
+ "children": [
776
+ {
777
+ "id": "password_disclosure",
778
+ "name": "Password Disclosure",
779
+ "type": "variant",
780
+ "priority": 1
781
+ },
782
+ {
783
+ "id": "private_api_keys",
784
+ "name": "Private API Keys",
785
+ "type": "variant",
786
+ "priority": 1
787
+ }
788
+ ]
789
+ },
790
+ {
791
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
792
+ "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
793
+ "type": "subcategory",
794
+ "children": [
795
+ {
796
+ "id": "automatic_user_enumeration",
797
+ "name": "Automatic User Enumeration",
798
+ "type": "variant",
799
+ "priority": 3
800
+ },
801
+ {
802
+ "id": "manual_user_enumeration",
803
+ "name": "Manual User Enumeration",
804
+ "type": "variant",
805
+ "priority": 4
806
+ }
807
+ ]
808
+ },
809
+ {
810
+ "id": "visible_detailed_error_page",
811
+ "name": "Visible Detailed Error/Debug Page",
812
+ "type": "subcategory",
813
+ "children": [
814
+ {
815
+ "id": "detailed_server_configuration",
816
+ "name": "Detailed Server Configuration",
817
+ "type": "variant",
818
+ "priority": 4
819
+ },
820
+ {
821
+ "id": "full_path_disclosure",
822
+ "name": "Full Path Disclosure",
823
+ "type": "variant",
824
+ "priority": 5
825
+ },
826
+ {
827
+ "id": "descriptive_stack_trace",
828
+ "name": "Descriptive Stack Trace",
829
+ "type": "variant",
830
+ "priority": 5
831
+ }
832
+ ]
833
+ },
834
+ {
835
+ "id": "disclosure_of_known_public_information",
836
+ "name": "Disclosure of Known Public Information",
837
+ "type": "subcategory",
838
+ "priority": 5
839
+ },
840
+ {
841
+ "id": "token_leakage_via_referer",
842
+ "name": "Token Leakage via Referer",
843
+ "type": "subcategory",
844
+ "children": [
845
+ {
846
+ "id": "trusted_3rd_party",
847
+ "name": "Trusted 3rd Party",
848
+ "type": "variant",
849
+ "priority": 5
850
+ },
851
+ {
852
+ "id": "untrusted_3rd_party",
853
+ "name": "Untrusted 3rd Party",
854
+ "type": "variant",
855
+ "priority": 4
856
+ },
857
+ {
858
+ "id": "over_http",
859
+ "name": "Over HTTP",
860
+ "type": "variant",
861
+ "priority": 4
862
+ }
863
+ ]
864
+ },
865
+ {
866
+ "id": "sensitive_token_in_url",
867
+ "name": "Sensitive Token in URL",
868
+ "type": "subcategory",
869
+ "children": [
870
+ {
871
+ "id": "user_facing",
872
+ "name": "User Facing",
873
+ "type": "variant",
874
+ "priority": 4
875
+ },
876
+ {
877
+ "id": "in_the_background",
878
+ "name": "In the Background",
879
+ "type": "variant",
880
+ "priority": 5
881
+ },
882
+ {
883
+ "id": "on_password_reset",
884
+ "name": "On Password Reset",
885
+ "type": "variant",
886
+ "priority": 5
887
+ }
888
+ ]
889
+ },
890
+ {
891
+ "id": "non_sensitive_token_in_url",
892
+ "name": "Non-Sensitive Token in URL",
893
+ "type": "subcategory",
894
+ "priority": 5
895
+ },
896
+ {
897
+ "id": "weak_password_reset_implementation",
898
+ "name": "Weak Password Reset Implementation",
899
+ "type": "subcategory",
900
+ "children": [
901
+ {
902
+ "id": "password_reset_token_sent_over_http",
903
+ "name": "Password Reset Token Sent Over HTTP",
904
+ "type": "variant",
905
+ "priority": 4
906
+ }
907
+ ]
908
+ },
909
+ {
910
+ "id": "mixed_content",
911
+ "name": "Mixed Content (HTTPS Sourcing HTTP)",
912
+ "type": "subcategory",
913
+ "priority": 5
914
+ },
915
+ {
916
+ "id": "sensitive_data_hardcoded",
917
+ "name": "Sensitive Data Hardcoded",
918
+ "type": "subcategory",
919
+ "children": [
920
+ {
921
+ "id": "oauth_secret",
922
+ "name": "OAuth Secret",
923
+ "type": "variant",
924
+ "priority": 5
925
+ },
926
+ {
927
+ "id": "file_paths",
928
+ "name": "File Paths",
929
+ "type": "variant",
930
+ "priority": 5
931
+ }
932
+ ]
933
+ },
934
+ {
935
+ "id": "internal_ip_disclosure",
936
+ "name": "Internal IP Disclosure",
937
+ "type": "subcategory",
938
+ "priority": 5
939
+ },
940
+ {
941
+ "id": "xssi",
942
+ "name": "Cross Site Script Inclusion (XSSI)",
943
+ "type": "subcategory",
944
+ "priority": null
945
+ },
946
+ {
947
+ "id": "json_hijacking",
948
+ "name": "JSON Hijacking",
949
+ "type": "subcategory",
950
+ "priority": 5
951
+ }
952
+ ]
953
+ },
954
+ {
955
+ "id": "cross_site_scripting_xss",
956
+ "name": "Cross-Site Scripting (XSS)",
957
+ "type": "category",
958
+ "children": [
959
+ {
960
+ "id": "stored",
961
+ "name": "Stored",
962
+ "type": "subcategory",
963
+ "children": [
964
+ {
965
+ "id": "non_admin_to_anyone",
966
+ "name": "Non-Privileged User to Anyone",
967
+ "type": "variant",
968
+ "priority": 2
969
+ },
970
+ {
971
+ "id": "privileged_user_to_privilege_elevation",
972
+ "name": "Privileged User to Privilege Elevation",
973
+ "type": "variant",
974
+ "priority": 3
975
+ },
976
+ {
977
+ "id": "privileged_user_to_no_privilege_elevation",
978
+ "name": "Privileged User to No Privilege Elevation",
979
+ "type": "variant",
980
+ "priority": 4
981
+ },
982
+ {
983
+ "id": "url_based",
984
+ "name": "CSRF/URL-Based",
985
+ "type": "variant",
986
+ "priority": 3
987
+ },
988
+ {
989
+ "id": "self",
990
+ "name": "Self",
991
+ "type": "variant",
992
+ "priority": 5
993
+ }
994
+ ]
995
+ },
996
+ {
997
+ "id": "reflected",
998
+ "name": "Reflected",
999
+ "type": "subcategory",
1000
+ "children": [
1001
+ {
1002
+ "id": "non_self",
1003
+ "name": "Non-Self",
1004
+ "type": "variant",
1005
+ "priority": 3
1006
+ },
1007
+ {
1008
+ "id": "self",
1009
+ "name": "Self",
1010
+ "type": "variant",
1011
+ "priority": 5
1012
+ }
1013
+ ]
1014
+ },
1015
+ {
1016
+ "id": "flash_based",
1017
+ "name": "Flash-Based",
1018
+ "type": "subcategory",
1019
+ "priority": 4
1020
+ },
1021
+ {
1022
+ "id": "cookie_based",
1023
+ "name": "Cookie-Based",
1024
+ "type": "subcategory",
1025
+ "priority": 5
1026
+ },
1027
+ {
1028
+ "id": "ie_only",
1029
+ "name": "IE-Only",
1030
+ "type": "subcategory",
1031
+ "children": [
1032
+ {
1033
+ "id": "ie11",
1034
+ "name": "IE11",
1035
+ "type": "variant",
1036
+ "priority": 4
1037
+ },
1038
+ {
1039
+ "id": "xss_filter_disabled",
1040
+ "name": "XSS Filter Disabled",
1041
+ "type": "variant",
1042
+ "priority": 5
1043
+ },
1044
+ {
1045
+ "id": "older_version_ie11",
1046
+ "name": "Older Version (< IE11)",
1047
+ "type": "variant",
1048
+ "priority": 5
1049
+ }
1050
+ ]
1051
+ },
1052
+ {
1053
+ "id": "referer",
1054
+ "name": "Referer",
1055
+ "type": "subcategory",
1056
+ "priority": 4
1057
+ },
1058
+ {
1059
+ "id": "trace_method",
1060
+ "name": "TRACE Method",
1061
+ "type": "subcategory",
1062
+ "priority": 5
1063
+ },
1064
+ {
1065
+ "id": "universal_uxss",
1066
+ "name": "Universal (UXSS)",
1067
+ "type": "subcategory",
1068
+ "priority": 4
1069
+ },
1070
+ {
1071
+ "id": "off_domain",
1072
+ "name": "Off-Domain",
1073
+ "type": "subcategory",
1074
+ "children": [
1075
+ {
1076
+ "id": "data_uri",
1077
+ "name": "Data URI",
1078
+ "type": "variant",
1079
+ "priority": 4
1080
+ }
1081
+ ]
1082
+ }
1083
+ ]
1084
+ },
1085
+ {
1086
+ "id": "broken_access_control",
1087
+ "name": "Broken Access Control (BAC)",
1088
+ "type": "category",
1089
+ "children": [
1090
+ {
1091
+ "id": "idor",
1092
+ "name": "Insecure Direct Object References (IDOR)",
1093
+ "type": "subcategory",
1094
+ "priority": null
1095
+ },
1096
+ {
1097
+ "id": "server_side_request_forgery_ssrf",
1098
+ "name": "Server-Side Request Forgery (SSRF)",
1099
+ "type": "subcategory",
1100
+ "children": [
1101
+ {
1102
+ "id": "internal_high_impact",
1103
+ "name": "Internal High Impact",
1104
+ "type": "variant",
1105
+ "priority": 2
1106
+ },
1107
+ {
1108
+ "id": "internal_scan_and_or_medium_impact",
1109
+ "name": "Internal Scan and/or Medium Impact",
1110
+ "type": "variant",
1111
+ "priority": 3
1112
+ },
1113
+ {
1114
+ "id": "external",
1115
+ "name": "External",
1116
+ "type": "variant",
1117
+ "priority": 4
1118
+ },
1119
+ {
1120
+ "id": "dns_query_only",
1121
+ "name": "DNS Query Only",
1122
+ "type": "variant",
1123
+ "priority": 5
1124
+ }
1125
+ ]
1126
+ },
1127
+ {
1128
+ "id": "username_enumeration",
1129
+ "name": "Username Enumeration",
1130
+ "type": "subcategory",
1131
+ "children": [
1132
+ {
1133
+ "id": "data_leak",
1134
+ "name": "Data Leak",
1135
+ "type": "variant",
1136
+ "priority": 4
1137
+ }
1138
+ ]
1139
+ },
1140
+ {
1141
+ "id": "exposed_sensitive_android_intent",
1142
+ "name": "Exposed Sensitive Android Intent",
1143
+ "type": "subcategory",
1144
+ "priority": null
1145
+ },
1146
+ {
1147
+ "id": "exposed_sensitive_ios_url_scheme",
1148
+ "name": "Exposed Sensitive iOS URL Scheme",
1149
+ "type": "subcategory",
1150
+ "priority": null
1151
+ }
1152
+ ]
1153
+ },
1154
+ {
1155
+ "id": "cross_site_request_forgery_csrf",
1156
+ "name": "Cross-Site Request Forgery (CSRF)",
1157
+ "type": "category",
1158
+ "children": [
1159
+ {
1160
+ "id": "application_wide",
1161
+ "name": "Application-Wide",
1162
+ "type": "subcategory",
1163
+ "priority": 2
1164
+ },
1165
+ {
1166
+ "id": "action_specific",
1167
+ "name": "Action-Specific",
1168
+ "type": "subcategory",
1169
+ "children": [
1170
+ {
1171
+ "id": "authenticated_action",
1172
+ "name": "Authenticated Action",
1173
+ "type": "variant",
1174
+ "priority": null
1175
+ },
1176
+ {
1177
+ "id": "unauthenticated_action",
1178
+ "name": "Unauthenticated Action",
1179
+ "type": "variant",
1180
+ "priority": null
1181
+ },
1182
+ {
1183
+ "id": "logout",
1184
+ "name": "Logout",
1185
+ "type": "variant",
1186
+ "priority": 5
1187
+ }
1188
+ ]
1189
+ },
1190
+ {
1191
+ "id": "csrf_token_not_unique_per_request",
1192
+ "name": "CSRF Token Not Unique Per Request",
1193
+ "type": "subcategory",
1194
+ "priority": 5
1195
+ }
1196
+ ]
1197
+ },
1198
+ {
1199
+ "id": "application_level_denial_of_service_dos",
1200
+ "name": "Application-Level Denial-of-Service (DoS)",
1201
+ "type": "category",
1202
+ "children": [
1203
+ {
1204
+ "id": "critical_impact_and_or_easy_difficulty",
1205
+ "name": "Critical Impact and/or Easy Difficulty",
1206
+ "type": "subcategory",
1207
+ "priority": 2
1208
+ },
1209
+ {
1210
+ "id": "high_impact_and_or_medium_difficulty",
1211
+ "name": "High Impact and/or Medium Difficulty",
1212
+ "type": "subcategory",
1213
+ "priority": 3
1214
+ },
1215
+ {
1216
+ "id": "app_crash",
1217
+ "name": "App Crash",
1218
+ "type": "subcategory",
1219
+ "children": [
1220
+ {
1221
+ "id": "malformed_android_intents",
1222
+ "name": "Malformed Android Intents",
1223
+ "type": "variant",
1224
+ "priority": 5
1225
+ },
1226
+ {
1227
+ "id": "malformed_ios_url_schemes",
1228
+ "name": "Malformed iOS URL Schemes",
1229
+ "type": "variant",
1230
+ "priority": 5
1231
+ }
1232
+ ]
1233
+ }
1234
+ ]
1235
+ },
1236
+ {
1237
+ "id": "unvalidated_redirects_and_forwards",
1238
+ "name": "Unvalidated Redirects and Forwards",
1239
+ "type": "category",
1240
+ "children": [
1241
+ {
1242
+ "id": "open_redirect",
1243
+ "name": "Open Redirect",
1244
+ "type": "subcategory",
1245
+ "children": [
1246
+ {
1247
+ "id": "get_based",
1248
+ "name": "GET-Based",
1249
+ "type": "variant",
1250
+ "priority": 4
1251
+ },
1252
+ {
1253
+ "id": "post_based",
1254
+ "name": "POST-Based",
1255
+ "type": "variant",
1256
+ "priority": 5
1257
+ },
1258
+ {
1259
+ "id": "header_based",
1260
+ "name": "Header-Based",
1261
+ "type": "variant",
1262
+ "priority": 5
1263
+ },
1264
+ {
1265
+ "id": "flash_based",
1266
+ "name": "Flash-Based",
1267
+ "type": "variant",
1268
+ "priority": 5
1269
+ }
1270
+ ]
1271
+ },
1272
+ {
1273
+ "id": "tabnabbing",
1274
+ "name": "Tabnabbing",
1275
+ "type": "subcategory",
1276
+ "priority": 5
1277
+ },
1278
+ {
1279
+ "id": "lack_of_security_speed_bump_page",
1280
+ "name": "Lack of Security Speed Bump Page",
1281
+ "type": "subcategory",
1282
+ "priority": 5
1283
+ }
1284
+ ]
1285
+ },
1286
+ {
1287
+ "id": "external_behavior",
1288
+ "name": "External Behavior",
1289
+ "type": "category",
1290
+ "children": [
1291
+ {
1292
+ "id": "browser_feature",
1293
+ "name": "Browser Feature",
1294
+ "type": "subcategory",
1295
+ "children": [
1296
+ {
1297
+ "id": "plaintext_password_field",
1298
+ "name": "Plaintext Password Field",
1299
+ "type": "variant",
1300
+ "priority": 5
1301
+ },
1302
+ {
1303
+ "id": "save_password",
1304
+ "name": "Save Password",
1305
+ "type": "variant",
1306
+ "priority": 5
1307
+ },
1308
+ {
1309
+ "id": "autocomplete_enabled",
1310
+ "name": "Autocomplete Enabled",
1311
+ "type": "variant",
1312
+ "priority": 5
1313
+ },
1314
+ {
1315
+ "id": "autocorrect_enabled",
1316
+ "name": "Autocorrect Enabled",
1317
+ "type": "variant",
1318
+ "priority": 5
1319
+ },
1320
+ {
1321
+ "id": "aggressive_offline_caching",
1322
+ "name": "Aggressive Offline Caching",
1323
+ "type": "variant",
1324
+ "priority": 5
1325
+ }
1326
+ ]
1327
+ },
1328
+ {
1329
+ "id": "csv_injection",
1330
+ "name": "CSV Injection",
1331
+ "type": "subcategory",
1332
+ "priority": 5
1333
+ },
1334
+ {
1335
+ "id": "captcha_bypass",
1336
+ "name": "Captcha Bypass",
1337
+ "type": "subcategory",
1338
+ "children": [
1339
+ {
1340
+ "id": "crowdsourcing",
1341
+ "name": "Crowdsourcing",
1342
+ "type": "variant",
1343
+ "priority": 5
1344
+ }
1345
+ ]
1346
+ },
1347
+ {
1348
+ "id": "system_clipboard_leak",
1349
+ "name": "System Clipboard Leak",
1350
+ "type": "subcategory",
1351
+ "children": [
1352
+ {
1353
+ "id": "shared_links",
1354
+ "name": "Shared Links",
1355
+ "type": "variant",
1356
+ "priority": 5
1357
+ }
1358
+ ]
1359
+ },
1360
+ {
1361
+ "id": "user_password_persisted_in_memory",
1362
+ "name": "User Password Persisted in Memory",
1363
+ "type": "subcategory",
1364
+ "priority": 5
1365
+ }
1366
+ ]
1367
+ },
1368
+ {
1369
+ "id": "insufficient_security_configurability",
1370
+ "name": "Insufficient Security Configurability",
1371
+ "type": "category",
1372
+ "children": [
1373
+ {
1374
+ "id": "weak_password_policy",
1375
+ "name": "Weak Password Policy",
1376
+ "type": "subcategory",
1377
+ "priority": 5
1378
+ },
1379
+ {
1380
+ "id": "no_password_policy",
1381
+ "name": "No Password Policy",
1382
+ "type": "subcategory",
1383
+ "priority": 4
1384
+ },
1385
+ {
1386
+ "id": "weak_password_reset_implementation",
1387
+ "name": "Weak Password Reset Implementation",
1388
+ "type": "subcategory",
1389
+ "children": [
1390
+ {
1391
+ "id": "token_is_not_invalidated_after_use",
1392
+ "name": "Token is Not Invalidated After Use",
1393
+ "type": "variant",
1394
+ "priority": 4
1395
+ },
1396
+ {
1397
+ "id": "token_is_not_invalidated_after_email_change",
1398
+ "name": "Token is Not Invalidated After Email Change",
1399
+ "type": "variant",
1400
+ "priority": 5
1401
+ },
1402
+ {
1403
+ "id": "token_is_not_invalidated_after_password_change",
1404
+ "name": "Token is Not Invalidated After Password Change",
1405
+ "type": "variant",
1406
+ "priority": 5
1407
+ },
1408
+ {
1409
+ "id": "token_has_long_timed_expiry",
1410
+ "name": "Token Has Long Timed Expiry",
1411
+ "type": "variant",
1412
+ "priority": 5
1413
+ },
1414
+ {
1415
+ "id": "token_is_not_invalidated_after_new_token_is_requested",
1416
+ "name": "Token is Not Invalidated After New Token is Requested",
1417
+ "type": "variant",
1418
+ "priority": 5
1419
+ },
1420
+ {
1421
+ "id": "token_is_not_invalidated_after_login",
1422
+ "name": "Token is Not Invalidated After Login",
1423
+ "type": "variant",
1424
+ "priority": 5
1425
+ }
1426
+ ]
1427
+ },
1428
+ {
1429
+ "id": "lack_of_verification_email",
1430
+ "name": "Lack of Verification Email",
1431
+ "type": "subcategory",
1432
+ "priority": 5
1433
+ },
1434
+ {
1435
+ "id": "lack_of_notification_email",
1436
+ "name": "Lack of Notification Email",
1437
+ "type": "subcategory",
1438
+ "priority": 5
1439
+ },
1440
+ {
1441
+ "id": "weak_registration_implementation",
1442
+ "name": "Weak Registration Implementation",
1443
+ "type": "subcategory",
1444
+ "children": [
1445
+ {
1446
+ "id": "allows_disposable_email_addresses",
1447
+ "name": "Allows Disposable Email Addresses",
1448
+ "type": "variant",
1449
+ "priority": 5
1450
+ }
1451
+ ]
1452
+ },
1453
+ {
1454
+ "id": "weak_2fa_implementation",
1455
+ "name": "Weak 2FA Implementation",
1456
+ "type": "subcategory",
1457
+ "children": [
1458
+ {
1459
+ "id": "missing_failsafe",
1460
+ "name": "Missing Failsafe",
1461
+ "type": "variant",
1462
+ "priority": 5
1463
+ }
1464
+ ]
1465
+ }
1466
+ ]
1467
+ },
1468
+ {
1469
+ "id": "using_components_with_known_vulnerabilities",
1470
+ "name": "Using Components with Known Vulnerabilities",
1471
+ "type": "category",
1472
+ "children": [
1473
+ {
1474
+ "id": "rosetta_flash",
1475
+ "name": "Rosetta Flash",
1476
+ "type": "subcategory",
1477
+ "priority": 4
1478
+ },
1479
+ {
1480
+ "id": "outdated_software_version",
1481
+ "name": "Outdated Software Version",
1482
+ "type": "subcategory",
1483
+ "priority": 5
1484
+ },
1485
+ {
1486
+ "id": "captcha_bypass",
1487
+ "name": "Captcha Bypass",
1488
+ "type": "subcategory",
1489
+ "children": [
1490
+ {
1491
+ "id": "ocr_optical_character_recognition",
1492
+ "name": "OCR (Optical Character Recognition)",
1493
+ "type": "variant",
1494
+ "priority": 5
1495
+ }
1496
+ ]
1497
+ }
1498
+ ]
1499
+ },
1500
+ {
1501
+ "id": "insecure_data_storage",
1502
+ "name": "Insecure Data Storage",
1503
+ "type": "category",
1504
+ "children": [
1505
+ {
1506
+ "id": "sensitive_application_data_stored_unencrypted",
1507
+ "name": "Sensitive Application Data Stored Unencrypted",
1508
+ "type": "subcategory",
1509
+ "children": [
1510
+ {
1511
+ "id": "on_external_storage",
1512
+ "name": "On External Storage",
1513
+ "type": "variant",
1514
+ "priority": 4
1515
+ },
1516
+ {
1517
+ "id": "on_internal_storage",
1518
+ "name": "On Internal Storage",
1519
+ "type": "variant",
1520
+ "priority": 5
1521
+ }
1522
+ ]
1523
+ },
1524
+ {
1525
+ "id": "server_side_credentials_storage",
1526
+ "name": "Server-Side Credentials Storage",
1527
+ "type": "subcategory",
1528
+ "children": [
1529
+ {
1530
+ "id": "plaintext",
1531
+ "name": "Plaintext",
1532
+ "type": "variant",
1533
+ "priority": 4
1534
+ }
1535
+ ]
1536
+ },
1537
+ {
1538
+ "id": "non_sensitive_application_data_stored_unencrypted",
1539
+ "name": "Non-Sensitive Application Data Stored Unencrypted",
1540
+ "type": "subcategory",
1541
+ "priority": 5
1542
+ },
1543
+ {
1544
+ "id": "screen_caching_enabled",
1545
+ "name": "Screen Caching Enabled",
1546
+ "type": "subcategory",
1547
+ "priority": 5
1548
+ }
1549
+ ]
1550
+ },
1551
+ {
1552
+ "id": "lack_of_binary_hardening",
1553
+ "name": "Lack of Binary Hardening",
1554
+ "type": "category",
1555
+ "children": [
1556
+ {
1557
+ "id": "lack_of_exploit_mitigations",
1558
+ "name": "Lack of Exploit Mitigations",
1559
+ "type": "subcategory",
1560
+ "priority": 5
1561
+ },
1562
+ {
1563
+ "id": "lack_of_jailbreak_detection",
1564
+ "name": "Lack of Jailbreak Detection",
1565
+ "type": "subcategory",
1566
+ "priority": 5
1567
+ },
1568
+ {
1569
+ "id": "lack_of_obfuscation",
1570
+ "name": "Lack of Obfuscation",
1571
+ "type": "subcategory",
1572
+ "priority": 5
1573
+ },
1574
+ {
1575
+ "id": "runtime_instrumentation_based",
1576
+ "name": "Runtime Instrumentation-Based",
1577
+ "type": "subcategory",
1578
+ "priority": 5
1579
+ }
1580
+ ]
1581
+ },
1582
+ {
1583
+ "id": "insecure_data_transport",
1584
+ "name": "Insecure Data Transport",
1585
+ "type": "category",
1586
+ "children": [
1587
+ {
1588
+ "id": "cleartext_transmission_of_sensitive_data",
1589
+ "name": "Cleartext Transmission of Sensitive Data",
1590
+ "type": "subcategory",
1591
+ "priority": null
1592
+ },
1593
+ {
1594
+ "id": "executable_download",
1595
+ "name": "Executable Download",
1596
+ "type": "subcategory",
1597
+ "children": [
1598
+ {
1599
+ "id": "no_secure_integrity_check",
1600
+ "name": "No Secure Integrity Check",
1601
+ "type": "variant",
1602
+ "priority": 4
1603
+ },
1604
+ {
1605
+ "id": "secure_integrity_check",
1606
+ "name": "Secure Integrity Check",
1607
+ "type": "variant",
1608
+ "priority": 5
1609
+ }
1610
+ ]
1611
+ }
1612
+ ]
1613
+ },
1614
+ {
1615
+ "id": "insecure_os_firmware",
1616
+ "name": "Insecure OS/Firmware",
1617
+ "type": "category",
1618
+ "children": [
1619
+ {
1620
+ "id": "command_injection",
1621
+ "name": "Command Injection",
1622
+ "type": "subcategory",
1623
+ "priority": 1
1624
+ },
1625
+ {
1626
+ "id": "hardcoded_password",
1627
+ "name": "Hardcoded Password",
1628
+ "type": "subcategory",
1629
+ "children": [
1630
+ {
1631
+ "id": "privileged_user",
1632
+ "name": "Privileged User",
1633
+ "type": "variant",
1634
+ "priority": 1
1635
+ },
1636
+ {
1637
+ "id": "non_privileged_user",
1638
+ "name": "Non-Privileged User",
1639
+ "type": "variant",
1640
+ "priority": 2
1641
+ }
1642
+ ]
1643
+ }
1644
+ ]
1645
+ },
1646
+ {
1647
+ "id": "broken_cryptography",
1648
+ "name": "Broken Cryptography",
1649
+ "type": "category",
1650
+ "children": [
1651
+ {
1652
+ "id": "cryptographic_flaw",
1653
+ "name": "Cryptographic Flaw",
1654
+ "type": "subcategory",
1655
+ "children": [
1656
+ {
1657
+ "id": "incorrect_usage",
1658
+ "name": "Incorrect Usage",
1659
+ "type": "variant",
1660
+ "priority": 1
1661
+ }
1662
+ ]
1663
+ }
1664
+ ]
1665
+ },
1666
+ {
1667
+ "id": "privacy_concerns",
1668
+ "name": "Privacy Concerns",
1669
+ "type": "category",
1670
+ "children": [
1671
+ {
1672
+ "id": "unnecessary_data_collection",
1673
+ "name": "Unnecessary Data Collection",
1674
+ "type": "subcategory",
1675
+ "children": [
1676
+ {
1677
+ "id": "wifi_ssid_password",
1678
+ "name": "WiFi SSID+Password",
1679
+ "type": "variant",
1680
+ "priority": 4
1681
+ }
1682
+ ]
1683
+ }
1684
+ ]
1685
+ },
1686
+ {
1687
+ "id": "network_security_misconfiguration",
1688
+ "name": "Network Security Misconfiguration",
1689
+ "type": "category",
1690
+ "children": [
1691
+ {
1692
+ "id": "telnet_enabled",
1693
+ "name": "Telnet Enabled",
1694
+ "type": "subcategory",
1695
+ "priority": 5
1696
+ }
1697
+ ]
1698
+ },
1699
+ {
1700
+ "id": "mobile_security_misconfiguration",
1701
+ "name": "Mobile Security Misconfiguration",
1702
+ "type": "category",
1703
+ "children": [
1704
+ {
1705
+ "id": "ssl_certificate_pinning",
1706
+ "name": "SSL Certificate Pinning",
1707
+ "type": "subcategory",
1708
+ "children": [
1709
+ {
1710
+ "id": "absent",
1711
+ "name": "Absent",
1712
+ "type": "variant",
1713
+ "priority": 5
1714
+ },
1715
+ {
1716
+ "id": "defeatable",
1717
+ "name": "Defeatable",
1718
+ "type": "variant",
1719
+ "priority": 5
1720
+ }
1721
+ ]
1722
+ },
1723
+ {
1724
+ "id": "tapjacking",
1725
+ "name": "Tapjacking",
1726
+ "type": "subcategory",
1727
+ "priority": 5
1728
+ },
1729
+ {
1730
+ "id": "clipboard_enabled",
1731
+ "name": "Clipboard Enabled",
1732
+ "type": "subcategory",
1733
+ "children": [
1734
+ {
1735
+ "id": "on_sensitive_content",
1736
+ "name": "On Sensitive Content",
1737
+ "type": "variant",
1738
+ "priority": 4
1739
+ },
1740
+ {
1741
+ "id": "on_non_sensitive_content",
1742
+ "name": "On Non-Sensitive Content",
1743
+ "type": "variant",
1744
+ "priority": 5
1745
+ }
1746
+ ]
1747
+ }
1748
+ ]
1749
+ },
1750
+ {
1751
+ "id": "client_side_injection",
1752
+ "name": "Client-Side Injection",
1753
+ "type": "category",
1754
+ "children": [
1755
+ {
1756
+ "id": "binary_planting",
1757
+ "name": "Binary Planting",
1758
+ "type": "subcategory",
1759
+ "children": [
1760
+ {
1761
+ "id": "privilege_escalation",
1762
+ "name": "Default Folder Privilege Escalation",
1763
+ "type": "variant",
1764
+ "priority": 3
1765
+ },
1766
+ {
1767
+ "id": "non_default_folder_privilege_escalation",
1768
+ "name": "Non-Default Folder Privilege Escalation",
1769
+ "type": "variant",
1770
+ "priority": 5
1771
+ },
1772
+ {
1773
+ "id": "no_privilege_escalation",
1774
+ "name": "No Privilege Escalation",
1775
+ "type": "variant",
1776
+ "priority": 5
1777
+ }
1778
+ ]
1779
+ }
1780
+ ]
1781
+ }
1782
+ ]
1783
+ }