@zerothreatai/vulnerability-registry 1.0.0 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/categories/configuration.js +378 -0
- package/dist/error-codes.d.ts +18 -0
- package/dist/error-codes.js +18 -0
- package/dist-cjs/categories/configuration.js +378 -0
- package/dist-cjs/error-codes.js +18 -0
- package/dist-cjs/package.json +3 -0
- package/package.json +3 -1
- package/scripts/write-cjs-package.cjs +12 -0
- package/src/categories/configuration.ts +427 -31
- package/src/error-codes.ts +30 -12
- package/zerothreatai-vulnerability-registry-2.0.0.tgz +0 -0
|
@@ -33,10 +33,10 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
33
33
|
remediation: 'Implement Content-Security-Policy header with strict directives. Start with default-src self and progressively add required sources. Use nonce-based CSP for inline scripts.',
|
|
34
34
|
},
|
|
35
35
|
|
|
36
|
-
[VulnerabilityCode.HEADER_MISSING_HSTS]: {
|
|
37
|
-
id: 70,
|
|
38
|
-
code: VulnerabilityCode.HEADER_MISSING_HSTS,
|
|
39
|
-
title: 'Missing Security Header - Strict-Transport-Security',
|
|
36
|
+
[VulnerabilityCode.HEADER_MISSING_HSTS]: {
|
|
37
|
+
id: 70,
|
|
38
|
+
code: VulnerabilityCode.HEADER_MISSING_HSTS,
|
|
39
|
+
title: 'Missing Security Header - Strict-Transport-Security',
|
|
40
40
|
description: 'The application does not implement HSTS (HTTP Strict Transport Security) header, leaving users vulnerable to SSL stripping attacks and man-in-the-middle downgrades from HTTPS to HTTP connections on initial visits or after cookie expiration.',
|
|
41
41
|
severity: 'medium',
|
|
42
42
|
category: 'configuration',
|
|
@@ -52,8 +52,96 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
52
52
|
owasp: [
|
|
53
53
|
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
54
54
|
],
|
|
55
|
-
remediation: 'Add Strict-Transport-Security header with max-age of at least 31536000 (1 year). Include includeSubDomains directive. Consider HSTS preloading for maximum protection.',
|
|
56
|
-
},
|
|
55
|
+
remediation: 'Add Strict-Transport-Security header with max-age of at least 31536000 (1 year). Include includeSubDomains directive. Consider HSTS preloading for maximum protection.',
|
|
56
|
+
},
|
|
57
|
+
|
|
58
|
+
[VulnerabilityCode.HEADER_HSTS_BAD_MAX_AGE]: {
|
|
59
|
+
id: 1011,
|
|
60
|
+
code: VulnerabilityCode.HEADER_HSTS_BAD_MAX_AGE,
|
|
61
|
+
title: 'HSTS Misconfiguration - Invalid Max-Age',
|
|
62
|
+
description: 'The Strict-Transport-Security header uses an invalid or malformed max-age value, preventing reliable HTTPS enforcement.',
|
|
63
|
+
severity: 'medium',
|
|
64
|
+
category: 'configuration',
|
|
65
|
+
scanner: 'security-headers',
|
|
66
|
+
cvss: {
|
|
67
|
+
score: 5.3,
|
|
68
|
+
vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
69
|
+
severity: 'MEDIUM',
|
|
70
|
+
},
|
|
71
|
+
cwe: [
|
|
72
|
+
{ id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
|
|
73
|
+
],
|
|
74
|
+
owasp: [
|
|
75
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
76
|
+
],
|
|
77
|
+
remediation: 'Set a valid numeric max-age on Strict-Transport-Security (at least 31536000).',
|
|
78
|
+
},
|
|
79
|
+
|
|
80
|
+
[VulnerabilityCode.HEADER_HSTS_SHORT_MAX_AGE]: {
|
|
81
|
+
id: 1012,
|
|
82
|
+
code: VulnerabilityCode.HEADER_HSTS_SHORT_MAX_AGE,
|
|
83
|
+
title: 'HSTS Misconfiguration - Max-Age Too Short',
|
|
84
|
+
description: 'The Strict-Transport-Security header uses a short max-age value that weakens HTTPS enforcement and allows downgrade risk to return quickly.',
|
|
85
|
+
severity: 'medium',
|
|
86
|
+
category: 'configuration',
|
|
87
|
+
scanner: 'security-headers',
|
|
88
|
+
cvss: {
|
|
89
|
+
score: 5.3,
|
|
90
|
+
vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
91
|
+
severity: 'MEDIUM',
|
|
92
|
+
},
|
|
93
|
+
cwe: [
|
|
94
|
+
{ id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
|
|
95
|
+
],
|
|
96
|
+
owasp: [
|
|
97
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
98
|
+
],
|
|
99
|
+
remediation: 'Increase max-age to at least 31536000 (1 year) to provide durable HTTPS enforcement.',
|
|
100
|
+
},
|
|
101
|
+
|
|
102
|
+
[VulnerabilityCode.HEADER_HSTS_NO_INCLUDESUBDOMAINS]: {
|
|
103
|
+
id: 1013,
|
|
104
|
+
code: VulnerabilityCode.HEADER_HSTS_NO_INCLUDESUBDOMAINS,
|
|
105
|
+
title: 'HSTS Misconfiguration - Missing includeSubDomains',
|
|
106
|
+
description: 'The Strict-Transport-Security header is missing includeSubDomains, leaving subdomains unprotected from downgrade and stripping attacks.',
|
|
107
|
+
severity: 'medium',
|
|
108
|
+
category: 'configuration',
|
|
109
|
+
scanner: 'security-headers',
|
|
110
|
+
cvss: {
|
|
111
|
+
score: 5.3,
|
|
112
|
+
vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
113
|
+
severity: 'MEDIUM',
|
|
114
|
+
},
|
|
115
|
+
cwe: [
|
|
116
|
+
{ id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
|
|
117
|
+
],
|
|
118
|
+
owasp: [
|
|
119
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
120
|
+
],
|
|
121
|
+
remediation: 'Add includeSubDomains to the HSTS header to protect all subdomains.',
|
|
122
|
+
},
|
|
123
|
+
|
|
124
|
+
[VulnerabilityCode.HEADER_HSTS_PRELOAD_LOW_MAX_AGE]: {
|
|
125
|
+
id: 1018,
|
|
126
|
+
code: VulnerabilityCode.HEADER_HSTS_PRELOAD_LOW_MAX_AGE,
|
|
127
|
+
title: 'HSTS Preload Requirements Not Met',
|
|
128
|
+
description: 'The HSTS header indicates preload intent but does not meet preload requirements, such as a sufficiently long max-age or includeSubDomains, reducing preload effectiveness.',
|
|
129
|
+
severity: 'medium',
|
|
130
|
+
category: 'configuration',
|
|
131
|
+
scanner: 'security-headers',
|
|
132
|
+
cvss: {
|
|
133
|
+
score: 5.3,
|
|
134
|
+
vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
135
|
+
severity: 'MEDIUM',
|
|
136
|
+
},
|
|
137
|
+
cwe: [
|
|
138
|
+
{ id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
|
|
139
|
+
],
|
|
140
|
+
owasp: [
|
|
141
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
142
|
+
],
|
|
143
|
+
remediation: 'Ensure HSTS max-age is at least 31536000, include includeSubDomains, and add preload before submitting to the preload list.',
|
|
144
|
+
},
|
|
57
145
|
|
|
58
146
|
[VulnerabilityCode.HEADER_MISSING_XFRAME]: {
|
|
59
147
|
id: 71,
|
|
@@ -77,11 +165,11 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
77
165
|
remediation: 'Set X-Frame-Options header to DENY or SAMEORIGIN. Use Content-Security-Policy frame-ancestors directive for more granular control. Both headers can be used together for compatibility.',
|
|
78
166
|
},
|
|
79
167
|
|
|
80
|
-
[VulnerabilityCode.HEADER_WEAK_CSP]: {
|
|
81
|
-
id: 72,
|
|
82
|
-
code: VulnerabilityCode.HEADER_WEAK_CSP,
|
|
83
|
-
title: 'Weak Content-Security-Policy Configuration',
|
|
84
|
-
description: 'The Content-Security-Policy header contains unsafe directives like unsafe-inline, unsafe-eval, or overly permissive source allowlists that significantly reduce its effectiveness as an XSS mitigation and may create false sense of security.',
|
|
168
|
+
[VulnerabilityCode.HEADER_WEAK_CSP]: {
|
|
169
|
+
id: 72,
|
|
170
|
+
code: VulnerabilityCode.HEADER_WEAK_CSP,
|
|
171
|
+
title: 'Weak Content-Security-Policy Configuration',
|
|
172
|
+
description: 'The Content-Security-Policy header contains unsafe directives like unsafe-inline, unsafe-eval, or overly permissive source allowlists that significantly reduce its effectiveness as an XSS mitigation and may create false sense of security.',
|
|
85
173
|
severity: 'medium',
|
|
86
174
|
category: 'configuration',
|
|
87
175
|
scanner: 'security-headers',
|
|
@@ -96,13 +184,189 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
96
184
|
owasp: [
|
|
97
185
|
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
98
186
|
],
|
|
99
|
-
remediation: 'Remove unsafe-inline and unsafe-eval directives. Use nonce-based or hash-based CSP for inline scripts. Restrict source allowlists to specific trusted domains rather than wildcards.',
|
|
100
|
-
},
|
|
187
|
+
remediation: 'Remove unsafe-inline and unsafe-eval directives. Use nonce-based or hash-based CSP for inline scripts. Restrict source allowlists to specific trusted domains rather than wildcards.',
|
|
188
|
+
},
|
|
189
|
+
|
|
190
|
+
[VulnerabilityCode.HEADER_CSP_REPORT_ONLY]: {
|
|
191
|
+
id: 1001,
|
|
192
|
+
code: VulnerabilityCode.HEADER_CSP_REPORT_ONLY,
|
|
193
|
+
title: 'Content-Security-Policy Report-Only Enabled',
|
|
194
|
+
description: 'The Content-Security-Policy header is deployed in report-only mode, which does not enforce protections and allows unsafe content to execute while only logging violations.',
|
|
195
|
+
severity: 'medium',
|
|
196
|
+
category: 'configuration',
|
|
197
|
+
scanner: 'security-headers',
|
|
198
|
+
cvss: {
|
|
199
|
+
score: 5.3,
|
|
200
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
201
|
+
severity: 'MEDIUM',
|
|
202
|
+
},
|
|
203
|
+
cwe: [
|
|
204
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
205
|
+
],
|
|
206
|
+
owasp: [
|
|
207
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
208
|
+
],
|
|
209
|
+
remediation: 'Switch to enforcing Content-Security-Policy once violations are reviewed. Use report-only during rollout, then enforce with strict directives.',
|
|
210
|
+
},
|
|
211
|
+
|
|
212
|
+
[VulnerabilityCode.HEADER_CSP_WEAK_DIRECTIVES]: {
|
|
213
|
+
id: 1002,
|
|
214
|
+
code: VulnerabilityCode.HEADER_CSP_WEAK_DIRECTIVES,
|
|
215
|
+
title: 'Content-Security-Policy Contains Unsafe Directives',
|
|
216
|
+
description: 'The Content-Security-Policy header includes unsafe directives such as unsafe-inline or unsafe-eval that reduce XSS protection and allow risky script execution paths.',
|
|
217
|
+
severity: 'medium',
|
|
218
|
+
category: 'configuration',
|
|
219
|
+
scanner: 'security-headers',
|
|
220
|
+
cvss: {
|
|
221
|
+
score: 5.3,
|
|
222
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
223
|
+
severity: 'MEDIUM',
|
|
224
|
+
},
|
|
225
|
+
cwe: [
|
|
226
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
227
|
+
],
|
|
228
|
+
owasp: [
|
|
229
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
230
|
+
],
|
|
231
|
+
remediation: 'Remove unsafe-inline and unsafe-eval directives. Replace inline scripts with nonces or hashes and restrict sources to trusted domains.',
|
|
232
|
+
},
|
|
233
|
+
|
|
234
|
+
[VulnerabilityCode.HEADER_CSP_DATA_URI_SCRIPT]: {
|
|
235
|
+
id: 1003,
|
|
236
|
+
code: VulnerabilityCode.HEADER_CSP_DATA_URI_SCRIPT,
|
|
237
|
+
title: 'Content-Security-Policy Allows data: in script-src',
|
|
238
|
+
description: 'The CSP allows data: URIs for script execution, which can enable script injection through crafted data URLs and weaken XSS protections.',
|
|
239
|
+
severity: 'medium',
|
|
240
|
+
category: 'configuration',
|
|
241
|
+
scanner: 'security-headers',
|
|
242
|
+
cvss: {
|
|
243
|
+
score: 5.3,
|
|
244
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
245
|
+
severity: 'MEDIUM',
|
|
246
|
+
},
|
|
247
|
+
cwe: [
|
|
248
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
249
|
+
],
|
|
250
|
+
owasp: [
|
|
251
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
252
|
+
],
|
|
253
|
+
remediation: 'Remove data: from script-src. Use nonce or hash-based CSP for any required inline scripts.',
|
|
254
|
+
},
|
|
255
|
+
|
|
256
|
+
[VulnerabilityCode.HEADER_CSP_BLOB_URI_SCRIPT]: {
|
|
257
|
+
id: 1004,
|
|
258
|
+
code: VulnerabilityCode.HEADER_CSP_BLOB_URI_SCRIPT,
|
|
259
|
+
title: 'Content-Security-Policy Allows blob: in script-src',
|
|
260
|
+
description: 'The CSP allows blob: URIs for script execution, which can be abused to load attacker-controlled scripts in some contexts and weaken XSS mitigations.',
|
|
261
|
+
severity: 'medium',
|
|
262
|
+
category: 'configuration',
|
|
263
|
+
scanner: 'security-headers',
|
|
264
|
+
cvss: {
|
|
265
|
+
score: 5.3,
|
|
266
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
267
|
+
severity: 'MEDIUM',
|
|
268
|
+
},
|
|
269
|
+
cwe: [
|
|
270
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
271
|
+
],
|
|
272
|
+
owasp: [
|
|
273
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
274
|
+
],
|
|
275
|
+
remediation: 'Remove blob: from script-src unless strictly required. Use a narrower allowlist or nonces for trusted scripts.',
|
|
276
|
+
},
|
|
277
|
+
|
|
278
|
+
[VulnerabilityCode.HEADER_CSP_WILDCARD_DEFAULT]: {
|
|
279
|
+
id: 1005,
|
|
280
|
+
code: VulnerabilityCode.HEADER_CSP_WILDCARD_DEFAULT,
|
|
281
|
+
title: 'Content-Security-Policy default-src Uses Wildcard',
|
|
282
|
+
description: 'The CSP default-src directive allows all origins, which effectively disables the protection and allows untrusted content to load.',
|
|
283
|
+
severity: 'medium',
|
|
284
|
+
category: 'configuration',
|
|
285
|
+
scanner: 'security-headers',
|
|
286
|
+
cvss: {
|
|
287
|
+
score: 5.3,
|
|
288
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
289
|
+
severity: 'MEDIUM',
|
|
290
|
+
},
|
|
291
|
+
cwe: [
|
|
292
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
293
|
+
],
|
|
294
|
+
owasp: [
|
|
295
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
296
|
+
],
|
|
297
|
+
remediation: 'Replace wildcard default-src with explicit trusted origins and tighten resource-specific directives.',
|
|
298
|
+
},
|
|
299
|
+
|
|
300
|
+
[VulnerabilityCode.HEADER_CSP_NO_BASE_URI]: {
|
|
301
|
+
id: 1006,
|
|
302
|
+
code: VulnerabilityCode.HEADER_CSP_NO_BASE_URI,
|
|
303
|
+
title: 'Content-Security-Policy Missing base-uri Directive',
|
|
304
|
+
description: 'The CSP does not include a base-uri directive, allowing the base URL to be set by injected markup and enabling abuse of relative URL resolution.',
|
|
305
|
+
severity: 'medium',
|
|
306
|
+
category: 'configuration',
|
|
307
|
+
scanner: 'security-headers',
|
|
308
|
+
cvss: {
|
|
309
|
+
score: 5.3,
|
|
310
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
311
|
+
severity: 'MEDIUM',
|
|
312
|
+
},
|
|
313
|
+
cwe: [
|
|
314
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
315
|
+
],
|
|
316
|
+
owasp: [
|
|
317
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
318
|
+
],
|
|
319
|
+
remediation: 'Add base-uri \'self\' (or a strict allowlist) to CSP to prevent base tag abuse.',
|
|
320
|
+
},
|
|
321
|
+
|
|
322
|
+
[VulnerabilityCode.HEADER_CSP_NO_OBJECT_SRC]: {
|
|
323
|
+
id: 1007,
|
|
324
|
+
code: VulnerabilityCode.HEADER_CSP_NO_OBJECT_SRC,
|
|
325
|
+
title: 'Content-Security-Policy Missing object-src Directive',
|
|
326
|
+
description: 'The CSP does not include an object-src directive, allowing embedded objects to load from arbitrary origins and weakening defense-in-depth against plugin-based risks.',
|
|
327
|
+
severity: 'medium',
|
|
328
|
+
category: 'configuration',
|
|
329
|
+
scanner: 'security-headers',
|
|
330
|
+
cvss: {
|
|
331
|
+
score: 5.3,
|
|
332
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
333
|
+
severity: 'MEDIUM',
|
|
334
|
+
},
|
|
335
|
+
cwe: [
|
|
336
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
337
|
+
],
|
|
338
|
+
owasp: [
|
|
339
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
340
|
+
],
|
|
341
|
+
remediation: 'Add object-src \'none\' (or a strict allowlist) to CSP to prevent plugin content loading.',
|
|
342
|
+
},
|
|
343
|
+
|
|
344
|
+
[VulnerabilityCode.HEADER_CSP_NO_FRAME_ANCESTORS]: {
|
|
345
|
+
id: 1008,
|
|
346
|
+
code: VulnerabilityCode.HEADER_CSP_NO_FRAME_ANCESTORS,
|
|
347
|
+
title: 'Content-Security-Policy Missing frame-ancestors Directive',
|
|
348
|
+
description: 'The CSP does not include a frame-ancestors directive, leaving pages potentially frameable and vulnerable to clickjacking attacks.',
|
|
349
|
+
severity: 'medium',
|
|
350
|
+
category: 'configuration',
|
|
351
|
+
scanner: 'security-headers',
|
|
352
|
+
cvss: {
|
|
353
|
+
score: 4.7,
|
|
354
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N',
|
|
355
|
+
severity: 'MEDIUM',
|
|
356
|
+
},
|
|
357
|
+
cwe: [
|
|
358
|
+
{ id: 'CWE-1021', name: 'Improper Restriction of Rendered UI Layers', url: 'https://cwe.mitre.org/data/definitions/1021.html' },
|
|
359
|
+
],
|
|
360
|
+
owasp: [
|
|
361
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
362
|
+
],
|
|
363
|
+
remediation: 'Add frame-ancestors \'none\' or a strict allowlist to CSP to prevent clickjacking.',
|
|
364
|
+
},
|
|
101
365
|
|
|
102
|
-
[VulnerabilityCode.HEADER_CORS_MISCONFIGURED]: {
|
|
103
|
-
id: 73,
|
|
104
|
-
code: VulnerabilityCode.HEADER_CORS_MISCONFIGURED,
|
|
105
|
-
title: 'CORS Misconfiguration',
|
|
366
|
+
[VulnerabilityCode.HEADER_CORS_MISCONFIGURED]: {
|
|
367
|
+
id: 73,
|
|
368
|
+
code: VulnerabilityCode.HEADER_CORS_MISCONFIGURED,
|
|
369
|
+
title: 'CORS Misconfiguration',
|
|
106
370
|
description: 'Cross-Origin Resource Sharing is misconfigured with overly permissive Access-Control-Allow-Origin headers including wildcard (*) with credentials, or dynamic reflection of Origin header without proper validation, enabling cross-origin data theft.',
|
|
107
371
|
severity: 'high',
|
|
108
372
|
category: 'configuration',
|
|
@@ -118,8 +382,96 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
118
382
|
owasp: [
|
|
119
383
|
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
120
384
|
],
|
|
121
|
-
remediation: 'Implement strict Origin validation with allowlist of trusted domains. Never reflect Origin header without validation. Do not use wildcard with Access-Control-Allow-Credentials.',
|
|
122
|
-
},
|
|
385
|
+
remediation: 'Implement strict Origin validation with allowlist of trusted domains. Never reflect Origin header without validation. Do not use wildcard with Access-Control-Allow-Credentials.',
|
|
386
|
+
},
|
|
387
|
+
|
|
388
|
+
[VulnerabilityCode.HEADER_CORS_STAR_WITH_CREDENTIALS]: {
|
|
389
|
+
id: 1014,
|
|
390
|
+
code: VulnerabilityCode.HEADER_CORS_STAR_WITH_CREDENTIALS,
|
|
391
|
+
title: 'CORS Wildcard With Credentials',
|
|
392
|
+
description: 'Access-Control-Allow-Origin is set to * while Access-Control-Allow-Credentials is enabled, which browsers block but signals a dangerous CORS policy that can be misapplied in some environments.',
|
|
393
|
+
severity: 'high',
|
|
394
|
+
category: 'configuration',
|
|
395
|
+
scanner: 'security-headers',
|
|
396
|
+
cvss: {
|
|
397
|
+
score: 7.5,
|
|
398
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
399
|
+
severity: 'HIGH',
|
|
400
|
+
},
|
|
401
|
+
cwe: [
|
|
402
|
+
{ id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
|
|
403
|
+
],
|
|
404
|
+
owasp: [
|
|
405
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
406
|
+
],
|
|
407
|
+
remediation: 'Never use wildcard origins with credentials. Replace * with an explicit allowlist and set Vary: Origin.',
|
|
408
|
+
},
|
|
409
|
+
|
|
410
|
+
[VulnerabilityCode.HEADER_CORS_ORIGIN_REFLECT_NO_VARY]: {
|
|
411
|
+
id: 1015,
|
|
412
|
+
code: VulnerabilityCode.HEADER_CORS_ORIGIN_REFLECT_NO_VARY,
|
|
413
|
+
title: 'CORS Origin Reflection Without Vary',
|
|
414
|
+
description: 'The Origin header is reflected in Access-Control-Allow-Origin without Vary: Origin, which can lead to cache poisoning and unintended cross-origin access.',
|
|
415
|
+
severity: 'high',
|
|
416
|
+
category: 'configuration',
|
|
417
|
+
scanner: 'security-headers',
|
|
418
|
+
cvss: {
|
|
419
|
+
score: 7.5,
|
|
420
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
421
|
+
severity: 'HIGH',
|
|
422
|
+
},
|
|
423
|
+
cwe: [
|
|
424
|
+
{ id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
|
|
425
|
+
],
|
|
426
|
+
owasp: [
|
|
427
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
428
|
+
],
|
|
429
|
+
remediation: 'Validate origins against an allowlist and always include Vary: Origin when dynamically setting Access-Control-Allow-Origin.',
|
|
430
|
+
},
|
|
431
|
+
|
|
432
|
+
[VulnerabilityCode.HEADER_CORS_NULL_ORIGIN]: {
|
|
433
|
+
id: 1016,
|
|
434
|
+
code: VulnerabilityCode.HEADER_CORS_NULL_ORIGIN,
|
|
435
|
+
title: 'CORS Allows Null Origin',
|
|
436
|
+
description: 'Access-Control-Allow-Origin allows the null origin, enabling requests from opaque origins such as sandboxed iframes and file URLs that can be abused to access sensitive data.',
|
|
437
|
+
severity: 'high',
|
|
438
|
+
category: 'configuration',
|
|
439
|
+
scanner: 'security-headers',
|
|
440
|
+
cvss: {
|
|
441
|
+
score: 7.5,
|
|
442
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
443
|
+
severity: 'HIGH',
|
|
444
|
+
},
|
|
445
|
+
cwe: [
|
|
446
|
+
{ id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
|
|
447
|
+
],
|
|
448
|
+
owasp: [
|
|
449
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
450
|
+
],
|
|
451
|
+
remediation: 'Remove null from allowed origins. Restrict CORS to explicit trusted domains only.',
|
|
452
|
+
},
|
|
453
|
+
|
|
454
|
+
[VulnerabilityCode.HEADER_CORS_WILDCARD_SUBDOMAIN]: {
|
|
455
|
+
id: 1017,
|
|
456
|
+
code: VulnerabilityCode.HEADER_CORS_WILDCARD_SUBDOMAIN,
|
|
457
|
+
title: 'CORS Allows Wildcard Subdomains',
|
|
458
|
+
description: 'CORS policies allow wildcard subdomains that can be abused if any subdomain is compromised or can be controlled by untrusted parties.',
|
|
459
|
+
severity: 'high',
|
|
460
|
+
category: 'configuration',
|
|
461
|
+
scanner: 'security-headers',
|
|
462
|
+
cvss: {
|
|
463
|
+
score: 7.5,
|
|
464
|
+
vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
|
|
465
|
+
severity: 'HIGH',
|
|
466
|
+
},
|
|
467
|
+
cwe: [
|
|
468
|
+
{ id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
|
|
469
|
+
],
|
|
470
|
+
owasp: [
|
|
471
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
472
|
+
],
|
|
473
|
+
remediation: 'Replace wildcard subdomains with a strict allowlist of trusted origins.',
|
|
474
|
+
},
|
|
123
475
|
|
|
124
476
|
// ========================================
|
|
125
477
|
// DIRECTORY BROWSING
|
|
@@ -350,10 +702,10 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
350
702
|
remediation: 'Apply consistent frame protection across all pages. Use DENY or SAMEORIGIN rather than ALLOW-FROM. Audit all endpoints for missing protection. Use CSP frame-ancestors instead of X-Frame-Options.',
|
|
351
703
|
},
|
|
352
704
|
|
|
353
|
-
[VulnerabilityCode.HEADER_MISSING_XCONTENT_TYPE]: {
|
|
354
|
-
id: 84,
|
|
355
|
-
code: VulnerabilityCode.HEADER_MISSING_XCONTENT_TYPE,
|
|
356
|
-
title: 'Missing Security Header - X-Content-Type-Options',
|
|
705
|
+
[VulnerabilityCode.HEADER_MISSING_XCONTENT_TYPE]: {
|
|
706
|
+
id: 84,
|
|
707
|
+
code: VulnerabilityCode.HEADER_MISSING_XCONTENT_TYPE,
|
|
708
|
+
title: 'Missing Security Header - X-Content-Type-Options',
|
|
357
709
|
description: 'The application does not set X-Content-Type-Options: nosniff header, allowing browsers to perform MIME-type sniffing that can lead to XSS attacks when user-uploaded content is served with incorrect Content-Type and browsers execute it as script.',
|
|
358
710
|
severity: 'low',
|
|
359
711
|
category: 'configuration',
|
|
@@ -369,13 +721,35 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
369
721
|
owasp: [
|
|
370
722
|
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
371
723
|
],
|
|
372
|
-
remediation: 'Add X-Content-Type-Options: nosniff header to all responses. Ensure correct Content-Type headers are set for all resources. Validate file types before serving user uploads.',
|
|
373
|
-
},
|
|
724
|
+
remediation: 'Add X-Content-Type-Options: nosniff header to all responses. Ensure correct Content-Type headers are set for all resources. Validate file types before serving user uploads.',
|
|
725
|
+
},
|
|
726
|
+
|
|
727
|
+
[VulnerabilityCode.HEADER_XCONTENT_TYPE_INVALID]: {
|
|
728
|
+
id: 1009,
|
|
729
|
+
code: VulnerabilityCode.HEADER_XCONTENT_TYPE_INVALID,
|
|
730
|
+
title: 'Invalid Security Header - X-Content-Type-Options',
|
|
731
|
+
description: 'The X-Content-Type-Options header is present but misconfigured (not set to nosniff), which can allow MIME sniffing and reduce protection against content-type confusion.',
|
|
732
|
+
severity: 'low',
|
|
733
|
+
category: 'configuration',
|
|
734
|
+
scanner: 'security-headers',
|
|
735
|
+
cvss: {
|
|
736
|
+
score: 3.7,
|
|
737
|
+
vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N',
|
|
738
|
+
severity: 'LOW',
|
|
739
|
+
},
|
|
740
|
+
cwe: [
|
|
741
|
+
{ id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
|
|
742
|
+
],
|
|
743
|
+
owasp: [
|
|
744
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
745
|
+
],
|
|
746
|
+
remediation: 'Set X-Content-Type-Options to nosniff on all responses to prevent MIME sniffing.',
|
|
747
|
+
},
|
|
374
748
|
|
|
375
|
-
[VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY]: {
|
|
376
|
-
id: 85,
|
|
377
|
-
code: VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY,
|
|
378
|
-
title: 'Missing Security Header - Referrer-Policy',
|
|
749
|
+
[VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY]: {
|
|
750
|
+
id: 85,
|
|
751
|
+
code: VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY,
|
|
752
|
+
title: 'Missing Security Header - Referrer-Policy',
|
|
379
753
|
description: 'The application does not implement Referrer-Policy header, potentially leaking sensitive URL information including session tokens, user IDs, or query parameters to external sites when users click links or resources are loaded from third-party domains.',
|
|
380
754
|
severity: 'low',
|
|
381
755
|
category: 'configuration',
|
|
@@ -391,8 +765,30 @@ export const CONFIG_VULNERABILITIES: Record<string, VulnerabilityDefinition> = {
|
|
|
391
765
|
owasp: [
|
|
392
766
|
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
393
767
|
],
|
|
394
|
-
remediation: 'Implement Referrer-Policy header with strict-origin-when-cross-origin or no-referrer policy. Avoid passing sensitive data in URLs. Use POST requests for sensitive operations.',
|
|
395
|
-
},
|
|
768
|
+
remediation: 'Implement Referrer-Policy header with strict-origin-when-cross-origin or no-referrer policy. Avoid passing sensitive data in URLs. Use POST requests for sensitive operations.',
|
|
769
|
+
},
|
|
770
|
+
|
|
771
|
+
[VulnerabilityCode.HEADER_REFERRER_POLICY_UNSAFE]: {
|
|
772
|
+
id: 1010,
|
|
773
|
+
code: VulnerabilityCode.HEADER_REFERRER_POLICY_UNSAFE,
|
|
774
|
+
title: 'Unsafe Referrer-Policy Configuration',
|
|
775
|
+
description: 'The Referrer-Policy header is set to a permissive value that can leak full URLs and sensitive query parameters to external origins.',
|
|
776
|
+
severity: 'low',
|
|
777
|
+
category: 'configuration',
|
|
778
|
+
scanner: 'security-headers',
|
|
779
|
+
cvss: {
|
|
780
|
+
score: 3.1,
|
|
781
|
+
vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N',
|
|
782
|
+
severity: 'LOW',
|
|
783
|
+
},
|
|
784
|
+
cwe: [
|
|
785
|
+
{ id: 'CWE-200', name: 'Information Exposure', url: 'https://cwe.mitre.org/data/definitions/200.html' },
|
|
786
|
+
],
|
|
787
|
+
owasp: [
|
|
788
|
+
{ id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
|
|
789
|
+
],
|
|
790
|
+
remediation: 'Use strict-origin-when-cross-origin or no-referrer to minimize leakage of sensitive URL data.',
|
|
791
|
+
},
|
|
396
792
|
|
|
397
793
|
[VulnerabilityCode.HEADER_MISSING_PERMISSIONS_POLICY]: {
|
|
398
794
|
id: 86,
|
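Review bot: The four new HSTS entries (ids 1011, 1012, 1013 and 1018) pair `score: 5.3` with `vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'`, but that vector computes to 5.9 under the CVSS v3.1 base formula (AC:H combined with C:H); 5.3 is the score of the AC:L/C:L vector the new CSP entries use, so either the score or the vector on each of the four should be corrected, e.g. `score: 5.9,`. The other new entries' scores do match their vectors (3.7, 3.1, 4.7 and 7.5). HEADER_CSP_WEAK_DIRECTIVES (id 1002) duplicates the retained HEADER_WEAK_CSP (id 72) almost verbatim — both describe unsafe-inline/unsafe-eval and carry the same remediation — and HEADER_CORS_STAR_WITH_CREDENTIALS and HEADER_CORS_ORIGIN_REFLECT_NO_VARY overlap HEADER_CORS_MISCONFIGURED (id 73) in the same way, so a scanner keyed on these definitions will report one finding under two codes unless the generic codes are marked as superseded in their descriptions. HEADER_CORS_STAR_WITH_CREDENTIALS's own description says browsers block the combination, which sits uneasily with its 'high'/C:H rating; consider lowering the rating or rewording the description to the conditions under which it is actually exploitable. The CONFIG_VULNERABILITIES object starts and ends outside these hunks.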
package/src/error-codes.ts
CHANGED
|
@@ -128,18 +128,36 @@ export enum VulnerabilityCode {
|
|
|
128
128
|
HEADER_MISSING_HSTS = 'HEADER_MISSING_HSTS',
|
|
129
129
|
HEADER_MISSING_XFRAME = 'HEADER_MISSING_XFRAME',
|
|
130
130
|
HEADER_MISSING_XCONTENT_TYPE = 'HEADER_MISSING_XCONTENT_TYPE',
|
|
131
|
-
HEADER_MISSING_XSS_PROTECTION = 'HEADER_MISSING_XSS_PROTECTION',
|
|
132
|
-
HEADER_MISSING_REFERRER_POLICY = 'HEADER_MISSING_REFERRER_POLICY',
|
|
133
|
-
HEADER_MISSING_PERMISSIONS_POLICY = 'HEADER_MISSING_PERMISSIONS_POLICY',
|
|
134
|
-
HEADER_WEAK_CSP = 'HEADER_WEAK_CSP',
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
131
|
+
HEADER_MISSING_XSS_PROTECTION = 'HEADER_MISSING_XSS_PROTECTION',
|
|
132
|
+
HEADER_MISSING_REFERRER_POLICY = 'HEADER_MISSING_REFERRER_POLICY',
|
|
133
|
+
HEADER_MISSING_PERMISSIONS_POLICY = 'HEADER_MISSING_PERMISSIONS_POLICY',
|
|
134
|
+
HEADER_WEAK_CSP = 'HEADER_WEAK_CSP',
|
|
135
|
+
HEADER_CSP_REPORT_ONLY = 'HEADER_CSP_REPORT_ONLY',
|
|
136
|
+
HEADER_CSP_WEAK_DIRECTIVES = 'HEADER_CSP_WEAK_DIRECTIVES',
|
|
137
|
+
HEADER_CSP_DATA_URI_SCRIPT = 'HEADER_CSP_DATA_URI_SCRIPT',
|
|
138
|
+
HEADER_CSP_BLOB_URI_SCRIPT = 'HEADER_CSP_BLOB_URI_SCRIPT',
|
|
139
|
+
HEADER_CSP_WILDCARD_DEFAULT = 'HEADER_CSP_WILDCARD_DEFAULT',
|
|
140
|
+
HEADER_CSP_NO_BASE_URI = 'HEADER_CSP_NO_BASE_URI',
|
|
141
|
+
HEADER_CSP_NO_OBJECT_SRC = 'HEADER_CSP_NO_OBJECT_SRC',
|
|
142
|
+
HEADER_CSP_NO_FRAME_ANCESTORS = 'HEADER_CSP_NO_FRAME_ANCESTORS',
|
|
143
|
+
HEADER_CORS_MISCONFIGURED = 'HEADER_CORS_MISCONFIGURED',
|
|
144
|
+
HEADER_CORS_STAR_WITH_CREDENTIALS = 'HEADER_CORS_STAR_WITH_CREDENTIALS',
|
|
145
|
+
HEADER_CORS_ORIGIN_REFLECT_NO_VARY = 'HEADER_CORS_ORIGIN_REFLECT_NO_VARY',
|
|
146
|
+
HEADER_CORS_NULL_ORIGIN = 'HEADER_CORS_NULL_ORIGIN',
|
|
147
|
+
HEADER_CORS_WILDCARD_SUBDOMAIN = 'HEADER_CORS_WILDCARD_SUBDOMAIN',
|
|
148
|
+
HEADER_COEP_WITHOUT_COOP = 'HEADER_COEP_WITHOUT_COOP',
|
|
149
|
+
HEADER_CORP_UNUSUAL = 'HEADER_CORP_UNUSUAL',
|
|
150
|
+
HEADER_EXPECT_CT_PRESENT = 'HEADER_EXPECT_CT_PRESENT',
|
|
151
|
+
HEADER_SERVER_HEADER_PRESENT = 'HEADER_SERVER_HEADER_PRESENT',
|
|
152
|
+
HEADER_X_POWERED_BY_PRESENT = 'HEADER_X_POWERED_BY_PRESENT',
|
|
153
|
+
HEADER_X_XSS_PROTECTION_ENABLED = 'HEADER_X_XSS_PROTECTION_ENABLED',
|
|
154
|
+
HEADER_XCONTENT_TYPE_INVALID = 'HEADER_XCONTENT_TYPE_INVALID',
|
|
155
|
+
HEADER_REFERRER_POLICY_UNSAFE = 'HEADER_REFERRER_POLICY_UNSAFE',
|
|
156
|
+
HEADER_HSTS_BAD_MAX_AGE = 'HEADER_HSTS_BAD_MAX_AGE',
|
|
157
|
+
HEADER_HSTS_SHORT_MAX_AGE = 'HEADER_HSTS_SHORT_MAX_AGE',
|
|
158
|
+
HEADER_HSTS_NO_INCLUDESUBDOMAINS = 'HEADER_HSTS_NO_INCLUDESUBDOMAINS',
|
|
159
|
+
HEADER_HSTS_PRELOAD_LOW_MAX_AGE = 'HEADER_HSTS_PRELOAD_LOW_MAX_AGE',
|
|
160
|
+
COOKIE_SAMESITE_NONE_WITHOUT_SECURE = 'COOKIE_SAMESITE_NONE_WITHOUT_SECURE',
|
|
143
161
|
COOKIE_SESSION_MISSING_SECURE = 'COOKIE_SESSION_MISSING_SECURE',
|
|
144
162
|
COOKIE_MISSING_SECURE = 'COOKIE_MISSING_SECURE',
|
|
145
163
|
COOKIE_SESSION_MISSING_HTTPONLY = 'COOKIE_SESSION_MISSING_HTTPONLY',
|
|
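Review bot: Seven of the new enum members — HEADER_COEP_WITHOUT_COOP, HEADER_CORP_UNUSUAL, HEADER_EXPECT_CT_PRESENT, HEADER_SERVER_HEADER_PRESENT, HEADER_X_POWERED_BY_PRESENT, HEADER_X_XSS_PROTECTION_ENABLED and COOKIE_SAMESITE_NONE_WITHOUT_SECURE — have no matching definition in the configuration.ts hunks of this release, and the diffstat lists no other changed category source file, so a registry lookup by any of these codes will presumably return undefined at runtime. Either add their definitions or hold the codes back until they exist; a unit test that iterates `Object.values(VulnerabilityCode)` and asserts each resolves to a definition would catch this drift at build time, since the `Record<string, VulnerabilityDefinition>` type on the registry objects gives no exhaustiveness check. The eight removed lines at old 135–142 render with no content here, yet 1.0.0's configuration.ts already references `VulnerabilityCode.HEADER_CORS_MISCONFIGURED`, so the old side of this hunk is likely incomplete in this rendering rather than eight blank lines. The enum continues outside the hunk.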
Binary file
|