{

"metadata": {
  "release_date": "2021-03-18T00:00:00+00:00"
},
"content": [
  {
    "id": "server_security_misconfiguration",
    "name": "Server Security Misconfiguration",
    "type": "category",
    "children": [
      {
        "id": "unsafe_cross_origin_resource_sharing",
        "name": "Unsafe Cross-Origin Resource Sharing",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "path_traversal",
        "name": "Path Traversal",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "directory_listing_enabled",
        "name": "Directory Listing Enabled",
        "type": "subcategory",
        "children": [
          {
            "id": "sensitive_data_exposure",
            "name": "Sensitive Data Exposure",
            "type": "variant",
            "priority": null
          },
          {
            "id": "non_sensitive_data_exposure",
            "name": "Non-Sensitive Data Exposure",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "same_site_scripting",
        "name": "Same-Site Scripting",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "ssl_attack_breach_poodle_etc",
        "name": "SSL Attack (BREACH, POODLE, etc.)",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "using_default_credentials",
        "name": "Using Default Credentials",
        "type": "subcategory",
        "priority": 1
      },
      {
        "id": "misconfigured_dns",
        "name": "Misconfigured DNS",
        "type": "subcategory",
        "children": [
          {
            "id": "basic_subdomain_takeover",
            "name": "Basic Subdomain Takeover",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "high_impact_subdomain_takeover",
            "name": "High Impact Subdomain Takeover",
            "type": "variant",
            "priority": 2
          },
          {
            "id": "zone_transfer",
            "name": "Zone Transfer",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "missing_caa_record",
            "name": "Missing Certification Authority Authorization (CAA) Record",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "mail_server_misconfiguration",
        "name": "Mail Server Misconfiguration",
        "type": "subcategory",
        "children": [
          {
            "id": "no_spoofing_protection_on_email_domain",
            "name": "No Spoofing Protection on Email Domain",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
            "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "email_spoofing_to_spam_folder",
            "name": "Email Spoofing to Spam Folder",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "missing_or_misconfigured_spf_and_or_dkim",
            "name": "Missing or Misconfigured SPF and/or DKIM",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "email_spoofing_on_non_email_domain",
            "name": "Email Spoofing on Non-Email Domain",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "dbms_misconfiguration",
        "name": "Database Management System (DBMS) Misconfiguration",
        "type": "subcategory",
        "children": [
          {
            "id": "excessively_privileged_user_dba",
            "name": "Excessively Privileged User / DBA",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "lack_of_password_confirmation",
        "name": "Lack of Password Confirmation",
        "type": "subcategory",
        "children": [
          {
            "id": "change_email_address",
            "name": "Change Email Address",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "change_password",
            "name": "Change Password",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "delete_account",
            "name": "Delete Account",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "manage_two_fa",
            "name": "Manage 2FA",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "no_rate_limiting_on_form",
        "name": "No Rate Limiting on Form",
        "type": "subcategory",
        "children": [
          {
            "id": "registration",
            "name": "Registration",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "login",
            "name": "Login",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "email_triggering",
            "name": "Email-Triggering",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "sms_triggering",
            "name": "SMS-Triggering",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "change_password",
            "name": "Change Password",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "unsafe_file_upload",
        "name": "Unsafe File Upload",
        "type": "subcategory",
        "children": [
          {
            "id": "no_antivirus",
            "name": "No Antivirus",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "no_size_limit",
            "name": "No Size Limit",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "file_extension_filter_bypass",
            "name": "File Extension Filter Bypass",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "cookie_scoped_to_parent_domain",
        "name": "Cookie Scoped to Parent Domain",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "missing_secure_or_httponly_cookie_flag",
        "name": "Missing Secure or HTTPOnly Cookie Flag",
        "type": "subcategory",
        "children": [
          {
            "id": "session_token",
            "name": "Session Token",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "non_session_cookie",
            "name": "Non-Session Cookie",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "clickjacking",
        "name": "Clickjacking",
        "type": "subcategory",
        "children": [
          {
            "id": "sensitive_action",
            "name": "Sensitive Click-Based Action",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "form_input",
            "name": "Form Input",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "non_sensitive_action",
            "name": "Non-Sensitive Action",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "oauth_misconfiguration",
        "name": "OAuth Misconfiguration",
        "type": "subcategory",
        "children": [
          {
            "id": "account_takeover",
            "name": "Account Takeover",
            "type": "variant",
            "priority": 2
          },
          {
            "id": "account_squatting",
            "name": "Account Squatting",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "missing_state_parameter",
            "name": "Missing/Broken State Parameter",
            "type": "variant",
            "priority": null
          },
          {
            "id": "insecure_redirect_uri",
            "name": "Insecure Redirect URI",
            "type": "variant",
            "priority": null
          }
        ]
      },
      {
        "id": "captcha",
        "name": "CAPTCHA",
        "type": "subcategory",
        "children": [
          {
            "id": "implementation_vulnerability",
            "name": "Implementation Vulnerability",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "brute_force",
            "name": "Brute Force",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "missing",
            "name": "Missing",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "exposed_admin_portal",
        "name": "Exposed Admin Portal",
        "type": "subcategory",
        "children": [
          {
            "id": "to_internet",
            "name": "To Internet",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "missing_dnssec",
        "name": "Missing DNSSEC",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "fingerprinting_banner_disclosure",
        "name": "Fingerprinting/Banner Disclosure",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "username_enumeration",
        "name": "Username/Email Enumeration",
        "type": "subcategory",
        "children": [
          {
            "id": "brute_force",
            "name": "Brute Force",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "potentially_unsafe_http_method_enabled",
        "name": "Potentially Unsafe HTTP Method Enabled",
        "type": "subcategory",
        "children": [
          {
            "id": "options",
            "name": "OPTIONS",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "trace",
            "name": "TRACE",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "insecure_ssl",
        "name": "Insecure SSL",
        "type": "subcategory",
        "children": [
          {
            "id": "lack_of_forward_secrecy",
            "name": "Lack of Forward Secrecy",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "insecure_cipher_suite",
            "name": "Insecure Cipher Suite",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "certificate_error",
            "name": "Certificate Error",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "rfd",
        "name": "Reflected File Download (RFD)",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "lack_of_security_headers",
        "name": "Lack of Security Headers",
        "type": "subcategory",
        "children": [
          {
            "id": "x_frame_options",
            "name": "X-Frame-Options",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "cache_control_for_a_non_sensitive_page",
            "name": "Cache-Control for a Non-Sensitive Page",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "x_xss_protection",
            "name": "X-XSS-Protection",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "strict_transport_security",
            "name": "Strict-Transport-Security",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "x_content_type_options",
            "name": "X-Content-Type-Options",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "content_security_policy",
            "name": "Content-Security-Policy",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "public_key_pins",
            "name": "Public-Key-Pins",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "x_content_security_policy",
            "name": "X-Content-Security-Policy",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "x_webkit_csp",
            "name": "X-Webkit-CSP",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "content_security_policy_report_only",
            "name": "Content-Security-Policy-Report-Only",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "cache_control_for_a_sensitive_page",
            "name": "Cache-Control for a Sensitive Page",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "waf_bypass",
        "name": "Web Application Firewall (WAF) Bypass",
        "type": "subcategory",
        "children": [
          {
            "id": "direct_server_access",
            "name": "Direct Server Access",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "race_condition",
        "name": "Race Condition",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "cache_poisoning",
        "name": "Cache Poisoning",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "bitsquatting",
        "name": "Bitsquatting",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "server_side_injection",
    "name": "Server-Side Injection",
    "type": "category",
    "children": [
      {
        "id": "file_inclusion",
        "name": "File Inclusion",
        "type": "subcategory",
        "children": [
          {
            "id": "local",
            "name": "Local",
            "type": "variant",
            "priority": 1
          }
        ]
      },
      {
        "id": "parameter_pollution",
        "name": "Parameter Pollution",
        "type": "subcategory",
        "children": [
          {
            "id": "social_media_sharing_buttons",
            "name": "Social Media Sharing Buttons",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "remote_code_execution_rce",
        "name": "Remote Code Execution (RCE)",
        "type": "subcategory",
        "priority": 1
      },
      {
        "id": "sql_injection",
        "name": "SQL Injection",
        "type": "subcategory",
        "priority": 1
      },
      {
        "id": "xml_external_entity_injection_xxe",
        "name": "XML External Entity Injection (XXE)",
        "type": "subcategory",
        "priority": 1
      },
      {
        "id": "http_response_manipulation",
        "name": "HTTP Response Manipulation",
        "type": "subcategory",
        "children": [
          {
            "id": "response_splitting_crlf",
            "name": "Response Splitting (CRLF)",
            "type": "variant",
            "priority": 3
          }
        ]
      },
      {
        "id": "content_spoofing",
        "name": "Content Spoofing",
        "type": "subcategory",
        "children": [
          {
            "id": "iframe_injection",
            "name": "iframe Injection",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "impersonation_via_broken_link_hijacking",
            "name": "Impersonation via Broken Link Hijacking",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "external_authentication_injection",
            "name": "External Authentication Injection",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "flash_based_external_authentication_injection",
            "name": "Flash Based External Authentication Injection",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "email_html_injection",
            "name": "Email HTML Injection",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "email_hyperlink_injection_based_on_email_provider",
            "name": "Email Hyperlink Injection Based on Email Provider",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "text_injection",
            "name": "Text Injection",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "homograph_idn_based",
            "name": "Homograph/IDN-Based",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "rtlo",
            "name": "Right-to-Left Override (RTLO)",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "ssti",
        "name": "Server-Side Template Injection (SSTI)",
        "type": "subcategory",
        "children": [
          {
            "id": "basic",
            "name": "Basic",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "custom",
            "name": "Custom",
            "type": "variant",
            "priority": null
          }
        ]
      }
    ]
  },
  {
    "id": "broken_authentication_and_session_management",
    "name": "Broken Authentication and Session Management",
    "type": "category",
    "children": [
      {
        "id": "authentication_bypass",
        "name": "Authentication Bypass",
        "type": "subcategory",
        "priority": 1
      },
      {
        "id": "two_fa_bypass",
        "name": "Second Factor Authentication (2FA) Bypass",
        "type": "subcategory",
        "priority": 3
      },
      {
        "id": "privilege_escalation",
        "name": "Privilege Escalation",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "cleartext_transmission_of_session_token",
        "name": "Cleartext Transmission of Session Token",
        "type": "subcategory",
        "priority": 4
      },
      {
        "id": "weak_login_function",
        "name": "Weak Login Function",
        "type": "subcategory",
        "children": [
          {
            "id": "not_operational",
            "name": "Not Operational or Intended Public Access",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "other_plaintext_protocol_no_secure_alternative",
            "name": "Other Plaintext Protocol with no Secure Alternative",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "over_http",
            "name": "Over HTTP",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "session_fixation",
        "name": "Session Fixation",
        "type": "subcategory",
        "children": [
          {
            "id": "remote_attack_vector",
            "name": "Remote Attack Vector",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "local_attack_vector",
            "name": "Local Attack Vector",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "failure_to_invalidate_session",
        "name": "Failure to Invalidate Session",
        "type": "subcategory",
        "children": [
          {
            "id": "on_logout",
            "name": "On Logout (Client and Server-Side)",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "on_logout_server_side_only",
            "name": "On Logout (Server-Side Only)",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "on_password_change",
            "name": "On Password Reset and/or Change",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "all_sessions",
            "name": "Concurrent Sessions On Logout",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "on_email_change",
            "name": "On Email Change",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "on_two_fa_activation_change",
            "name": "On 2FA Activation/Change",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "long_timeout",
            "name": "Long Timeout",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "concurrent_logins",
        "name": "Concurrent Logins",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "weak_registration_implementation",
        "name": "Weak Registration Implementation",
        "type": "subcategory",
        "children": [
          {
            "id": "over_http",
            "name": "Over HTTP",
            "type": "variant",
            "priority": 4
          }
        ]
      }
    ]
  },
  {
    "id": "sensitive_data_exposure",
    "name": "Sensitive Data Exposure",
    "type": "category",
    "children": [
      {
        "id": "disclosure_of_secrets",
        "name": "Disclosure of Secrets",
        "type": "subcategory",
        "children": [
          {
            "id": "for_publicly_accessible_asset",
            "name": "For Publicly Accessible Asset",
            "type": "variant",
            "priority": 1
          },
          {
            "id": "for_internal_asset",
            "name": "For Internal Asset",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "pay_per_use_abuse",
            "name": "Pay-Per-Use Abuse",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "intentionally_public_sample_or_invalid",
            "name": "Intentionally Public, Sample or Invalid",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "data_traffic_spam",
            "name": "Data/Traffic Spam",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "non_corporate_user",
            "name": "Non-Corporate User",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
        "name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
        "type": "subcategory",
        "children": [
          {
            "id": "automatic_user_enumeration",
            "name": "Automatic User Enumeration",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "manual_user_enumeration",
            "name": "Manual User Enumeration",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "visible_detailed_error_page",
        "name": "Visible Detailed Error/Debug Page",
        "type": "subcategory",
        "children": [
          {
            "id": "detailed_server_configuration",
            "name": "Detailed Server Configuration",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "full_path_disclosure",
            "name": "Full Path Disclosure",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "descriptive_stack_trace",
            "name": "Descriptive Stack Trace",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "disclosure_of_known_public_information",
        "name": "Disclosure of Known Public Information",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "token_leakage_via_referer",
        "name": "Token Leakage via Referer",
        "type": "subcategory",
        "children": [
          {
            "id": "trusted_third_party",
            "name": "Trusted 3rd Party",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "untrusted_third_party",
            "name": "Untrusted 3rd Party",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "over_http",
            "name": "Over HTTP",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "sensitive_token_in_url",
        "name": "Sensitive Token in URL",
        "type": "subcategory",
        "children": [
          {
            "id": "user_facing",
            "name": "User Facing",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "in_the_background",
            "name": "In the Background",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "on_password_reset",
            "name": "On Password Reset",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "non_sensitive_token_in_url",
        "name": "Non-Sensitive Token in URL",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "weak_password_reset_implementation",
        "name": "Weak Password Reset Implementation",
        "type": "subcategory",
        "children": [
          {
            "id": "password_reset_token_sent_over_http",
            "name": "Password Reset Token Sent Over HTTP",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "token_leakage_via_host_header_poisoning",
            "name": "Token Leakage via Host Header Poisoning",
            "type": "variant",
            "priority": 2
          }
        ]
      },
      {
        "id": "mixed_content",
        "name": "Mixed Content (HTTPS Sourcing HTTP)",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "sensitive_data_hardcoded",
        "name": "Sensitive Data Hardcoded",
        "type": "subcategory",
        "children": [
          {
            "id": "oauth_secret",
            "name": "OAuth Secret",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "file_paths",
            "name": "File Paths",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "internal_ip_disclosure",
        "name": "Internal IP Disclosure",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "xssi",
        "name": "Cross-Site Script Inclusion (XSSI)",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "json_hijacking",
        "name": "JSON Hijacking",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "via_localstorage_sessionstorage",
        "name": "Via localStorage/sessionStorage",
        "type": "subcategory",
        "children": [
          {
            "id": "sensitive_token",
            "name": "Sensitive Token",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "non_sensitive_token",
            "name": "Non-Sensitive Token",
            "type": "variant",
            "priority": 5
          }
        ]
      }
    ]
  },
  {
    "id": "cross_site_scripting_xss",
    "name": "Cross-Site Scripting (XSS)",
    "type": "category",
    "children": [
      {
        "id": "stored",
        "name": "Stored",
        "type": "subcategory",
        "children": [
          {
            "id": "non_admin_to_anyone",
            "name": "Non-Privileged User to Anyone",
            "type": "variant",
            "priority": 2
          },
          {
            "id": "privileged_user_to_privilege_elevation",
            "name": "Privileged User to Privilege Elevation",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "privileged_user_to_no_privilege_elevation",
            "name": "Privileged User to No Privilege Elevation",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "url_based",
            "name": "CSRF/URL-Based",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "self",
            "name": "Self",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "reflected",
        "name": "Reflected",
        "type": "subcategory",
        "children": [
          {
            "id": "non_self",
            "name": "Non-Self",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "self",
            "name": "Self",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "flash_based",
        "name": "Flash-Based",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "cookie_based",
        "name": "Cookie-Based",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "ie_only",
        "name": "IE-Only",
        "type": "subcategory",
        "children": [
          {
            "id": "ie_eleven",
            "name": "IE11",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "xss_filter_disabled",
            "name": "XSS Filter Disabled",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "older_version_ie_eleven",
            "name": "Older Version (< IE11)",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "referer",
        "name": "Referer",
        "type": "subcategory",
        "priority": 4
      },
      {
        "id": "trace_method",
        "name": "TRACE Method",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "universal_uxss",
        "name": "Universal (UXSS)",
        "type": "subcategory",
        "priority": 4
      },
      {
        "id": "off_domain",
        "name": "Off-Domain",
        "type": "subcategory",
        "children": [
          {
            "id": "data_uri",
            "name": "Data URI",
            "type": "variant",
            "priority": 4
          }
        ]
      }
    ]
  },
  {
    "id": "broken_access_control",
    "name": "Broken Access Control (BAC)",
    "type": "category",
    "children": [
      {
        "id": "idor",
        "name": "Insecure Direct Object References (IDOR)",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "server_side_request_forgery_ssrf",
        "name": "Server-Side Request Forgery (SSRF)",
        "type": "subcategory",
        "children": [
          {
            "id": "internal_high_impact",
            "name": "Internal High Impact",
            "type": "variant",
            "priority": 2
          },
          {
            "id": "internal_scan_and_or_medium_impact",
            "name": "Internal Scan and/or Medium Impact",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "external",
            "name": "External",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "dns_query_only",
            "name": "DNS Query Only",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "username_enumeration",
        "name": "Username/Email Enumeration",
        "type": "subcategory",
        "children": [
          {
            "id": "non_brute_force",
            "name": "Non-Brute Force",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "exposed_sensitive_android_intent",
        "name": "Exposed Sensitive Android Intent",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "exposed_sensitive_ios_url_scheme",
        "name": "Exposed Sensitive iOS URL Scheme",
        "type": "subcategory",
        "priority": null
      }
    ]
  },
  {
    "id": "cross_site_request_forgery_csrf",
    "name": "Cross-Site Request Forgery (CSRF)",
    "type": "category",
    "children": [
      {
        "id": "application_wide",
        "name": "Application-Wide",
        "type": "subcategory",
        "priority": 2
      },
      {
        "id": "action_specific",
        "name": "Action-Specific",
        "type": "subcategory",
        "children": [
          {
            "id": "authenticated_action",
            "name": "Authenticated Action",
            "type": "variant",
            "priority": null
          },
          {
            "id": "unauthenticated_action",
            "name": "Unauthenticated Action",
            "type": "variant",
            "priority": null
          },
          {
            "id": "logout",
            "name": "Logout",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "csrf_token_not_unique_per_request",
        "name": "CSRF Token Not Unique Per Request",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "flash_based",
        "name": "Flash-Based",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "application_level_denial_of_service_dos",
    "name": "Application-Level Denial-of-Service (DoS)",
    "type": "category",
    "children": [
      {
        "id": "critical_impact_and_or_easy_difficulty",
        "name": "Critical Impact and/or Easy Difficulty",
        "type": "subcategory",
        "priority": 2
      },
      {
        "id": "high_impact_and_or_medium_difficulty",
        "name": "High Impact and/or Medium Difficulty",
        "type": "subcategory",
        "priority": 3
      },
      {
        "id": "app_crash",
        "name": "App Crash",
        "type": "subcategory",
        "children": [
          {
            "id": "malformed_android_intents",
            "name": "Malformed Android Intents",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "malformed_ios_url_schemes",
            "name": "Malformed iOS URL Schemes",
            "type": "variant",
            "priority": 5
          }
        ]
      }
    ]
  },
  {
    "id": "unvalidated_redirects_and_forwards",
    "name": "Unvalidated Redirects and Forwards",
    "type": "category",
    "children": [
      {
        "id": "open_redirect",
        "name": "Open Redirect",
        "type": "subcategory",
        "children": [
          {
            "id": "get_based",
            "name": "GET-Based",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "post_based",
            "name": "POST-Based",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "header_based",
            "name": "Header-Based",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "flash_based",
            "name": "Flash-Based",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "tabnabbing",
        "name": "Tabnabbing",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "lack_of_security_speed_bump_page",
        "name": "Lack of Security Speed Bump Page",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "external_behavior",
    "name": "External Behavior",
    "type": "category",
    "children": [
      {
        "id": "browser_feature",
        "name": "Browser Feature",
        "type": "subcategory",
        "children": [
          {
            "id": "plaintext_password_field",
            "name": "Plaintext Password Field",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "save_password",
            "name": "Save Password",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "autocomplete_enabled",
            "name": "Autocomplete Enabled",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "autocorrect_enabled",
            "name": "Autocorrect Enabled",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "aggressive_offline_caching",
            "name": "Aggressive Offline Caching",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "csv_injection",
        "name": "CSV Injection",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "captcha_bypass",
        "name": "Captcha Bypass",
        "type": "subcategory",
        "children": [
          {
            "id": "crowdsourcing",
            "name": "Crowdsourcing",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "system_clipboard_leak",
        "name": "System Clipboard Leak",
        "type": "subcategory",
        "children": [
          {
            "id": "shared_links",
            "name": "Shared Links",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "user_password_persisted_in_memory",
        "name": "User Password Persisted in Memory",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "insufficient_security_configurability",
    "name": "Insufficient Security Configurability",
    "type": "category",
    "children": [
      {
        "id": "weak_password_policy",
        "name": "Weak Password Policy",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "no_password_policy",
        "name": "No Password Policy",
        "type": "subcategory",
        "priority": 4
      },
      {
        "id": "password_policy_bypass",
        "name": "Password Policy Bypass",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "weak_password_reset_implementation",
        "name": "Weak Password Reset Implementation",
        "type": "subcategory",
        "children": [
          {
            "id": "token_is_not_invalidated_after_use",
            "name": "Token is Not Invalidated After Use",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "token_is_not_invalidated_after_email_change",
            "name": "Token is Not Invalidated After Email Change",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "token_is_not_invalidated_after_password_change",
            "name": "Token is Not Invalidated After Password Change",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "token_has_long_timed_expiry",
            "name": "Token Has Long Timed Expiry",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "token_is_not_invalidated_after_new_token_is_requested",
            "name": "Token is Not Invalidated After New Token is Requested",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "token_is_not_invalidated_after_login",
            "name": "Token is Not Invalidated After Login",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "verification_of_contact_method_not_required",
        "name": "Verification of Contact Method not Required",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "lack_of_notification_email",
        "name": "Lack of Notification Email",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "weak_registration_implementation",
        "name": "Weak Registration Implementation",
        "type": "subcategory",
        "children": [
          {
            "id": "allows_disposable_email_addresses",
            "name": "Allows Disposable Email Addresses",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "weak_two_fa_implementation",
        "name": "Weak 2FA Implementation",
        "type": "subcategory",
        "children": [
          {
            "id": "two_fa_secret_cannot_be_rotated",
            "name": "2FA Secret Cannot be Rotated",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
            "name": "2FA Secret Remains Obtainable After 2FA is Enabled",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "missing_failsafe",
            "name": "Missing Failsafe",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "two_fa_code_is_not_updated_after_new_code_is_requested",
            "name": "2FA Code is Not Updated After New Code is Requested",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
            "name": "Old 2FA Code is Not Invalidated After New Code is Generated",
            "type": "variant",
            "priority": 5
          }
        ]
      }
    ]
  },
  {
    "id": "using_components_with_known_vulnerabilities",
    "name": "Using Components with Known Vulnerabilities",
    "type": "category",
    "children": [
      {
        "id": "rosetta_flash",
        "name": "Rosetta Flash",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "outdated_software_version",
        "name": "Outdated Software Version",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "captcha_bypass",
        "name": "Captcha Bypass",
        "type": "subcategory",
        "children": [
          {
            "id": "ocr_optical_character_recognition",
            "name": "OCR (Optical Character Recognition)",
            "type": "variant",
            "priority": 5
          }
        ]
      }
    ]
  },
  {
    "id": "insecure_data_storage",
    "name": "Insecure Data Storage",
    "type": "category",
    "children": [
      {
        "id": "sensitive_application_data_stored_unencrypted",
        "name": "Sensitive Application Data Stored Unencrypted",
        "type": "subcategory",
        "children": [
          {
            "id": "on_external_storage",
            "name": "On External Storage",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "on_internal_storage",
            "name": "On Internal Storage",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "server_side_credentials_storage",
        "name": "Server-Side Credentials Storage",
        "type": "subcategory",
        "children": [
          {
            "id": "plaintext",
            "name": "Plaintext",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "non_sensitive_application_data_stored_unencrypted",
        "name": "Non-Sensitive Application Data Stored Unencrypted",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "screen_caching_enabled",
        "name": "Screen Caching Enabled",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "lack_of_binary_hardening",
    "name": "Lack of Binary Hardening",
    "type": "category",
    "children": [
      {
        "id": "lack_of_exploit_mitigations",
        "name": "Lack of Exploit Mitigations",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "lack_of_jailbreak_detection",
        "name": "Lack of Jailbreak Detection",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "lack_of_obfuscation",
        "name": "Lack of Obfuscation",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "runtime_instrumentation_based",
        "name": "Runtime Instrumentation-Based",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "insecure_data_transport",
    "name": "Insecure Data Transport",
    "type": "category",
    "children": [
      {
        "id": "cleartext_transmission_of_sensitive_data",
        "name": "Cleartext Transmission of Sensitive Data",
        "type": "subcategory",
        "priority": null
      },
      {
        "id": "executable_download",
        "name": "Executable Download",
        "type": "subcategory",
        "children": [
          {
            "id": "no_secure_integrity_check",
            "name": "No Secure Integrity Check",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "secure_integrity_check",
            "name": "Secure Integrity Check",
            "type": "variant",
            "priority": 5
          }
        ]
      }
    ]
  },
  {
    "id": "insecure_os_firmware",
    "name": "Insecure OS/Firmware",
    "type": "category",
    "children": [
      {
        "id": "command_injection",
        "name": "Command Injection",
        "type": "subcategory",
        "priority": 1
      },
      {
        "id": "hardcoded_password",
        "name": "Hardcoded Password",
        "type": "subcategory",
        "children": [
          {
            "id": "privileged_user",
            "name": "Privileged User",
            "type": "variant",
            "priority": 1
          },
          {
            "id": "non_privileged_user",
            "name": "Non-Privileged User",
            "type": "variant",
            "priority": 2
          }
        ]
      }
    ]
  },
  {
    "id": "broken_cryptography",
    "name": "Broken Cryptography",
    "type": "category",
    "children": [
      {
        "id": "cryptographic_flaw",
        "name": "Cryptographic Flaw",
        "type": "subcategory",
        "children": [
          {
            "id": "incorrect_usage",
            "name": "Incorrect Usage",
            "type": "variant",
            "priority": 1
          }
        ]
      }
    ]
  },
  {
    "id": "privacy_concerns",
    "name": "Privacy Concerns",
    "type": "category",
    "children": [
      {
        "id": "unnecessary_data_collection",
        "name": "Unnecessary Data Collection",
        "type": "subcategory",
        "children": [
          {
            "id": "wifi_ssid_password",
            "name": "WiFi SSID+Password",
            "type": "variant",
            "priority": 4
          }
        ]
      }
    ]
  },
  {
    "id": "network_security_misconfiguration",
    "name": "Network Security Misconfiguration",
    "type": "category",
    "children": [
      {
        "id": "telnet_enabled",
        "name": "Telnet Enabled",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "mobile_security_misconfiguration",
    "name": "Mobile Security Misconfiguration",
    "type": "category",
    "children": [
      {
        "id": "ssl_certificate_pinning",
        "name": "SSL Certificate Pinning",
        "type": "subcategory",
        "children": [
          {
            "id": "absent",
            "name": "Absent",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "defeatable",
            "name": "Defeatable",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "tapjacking",
        "name": "Tapjacking",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "clipboard_enabled",
        "name": "Clipboard Enabled",
        "type": "subcategory",
        "priority": 5
      },
      {
        "id": "auto_backup_allowed_by_default",
        "name": "Auto Backup Allowed by Default",
        "type": "subcategory",
        "priority": 5
      }
    ]
  },
  {
    "id": "client_side_injection",
    "name": "Client-Side Injection",
    "type": "category",
    "children": [
      {
        "id": "binary_planting",
        "name": "Binary Planting",
        "type": "subcategory",
        "children": [
          {
            "id": "privilege_escalation",
            "name": "Default Folder Privilege Escalation",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "non_default_folder_privilege_escalation",
            "name": "Non-Default Folder Privilege Escalation",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "no_privilege_escalation",
            "name": "No Privilege Escalation",
            "type": "variant",
            "priority": 5
          }
        ]
      }
    ]
  },
  {
    "id": "automotive_security_misconfiguration",
    "name": "Automotive Security Misconfiguration",
    "type": "category",
    "children": [
      {
        "id": "infotainment_radio_head_unit",
        "name": "Infotainment, Radio Head Unit",
        "type": "subcategory",
        "children": [
          {
            "id": "pii_leakage",
            "name": "PII Leakage",
            "type": "variant",
            "priority": 1
          },
          {
            "id": "ota_firmware_manipulation",
            "name": "OTA Firmware Manipulation",
            "type": "variant",
            "priority": 2
          },
          {
            "id": "code_execution_can_bus_pivot",
            "name": "Code Execution (CAN Bus Pivot)",
            "type": "variant",
            "priority": 2
          },
          {
            "id": "code_execution_no_can_bus_pivot",
            "name": "Code Execution (No CAN Bus Pivot)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "unauthorized_access_to_services",
            "name": "Unauthorized Access to Services (API / Endpoints)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "source_code_dump",
            "name": "Source Code Dump",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "dos_brick",
            "name": "Denial of Service (DoS / Brick)",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "default_credentials",
            "name": "Default Credentials",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "rf_hub",
        "name": "RF Hub",
        "type": "subcategory",
        "children": [
          {
            "id": "key_fob_cloning",
            "name": "Key Fob Cloning",
            "type": "variant",
            "priority": 1
          },
          {
            "id": "can_injection_interaction",
            "name": "CAN Injection / Interaction",
            "type": "variant",
            "priority": 2
          },
          {
            "id": "data_leakage_pull_encryption_mechanism",
            "name": "Data Leakage / Pull Encryption Mechanism",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "unauthorized_access_turn_on",
            "name": "Unauthorized Access / Turn On",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "roll_jam",
            "name": "Roll Jam",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "replay",
            "name": "Replay",
            "type": "variant",
            "priority": 5
          },
          {
            "id": "relay",
            "name": "Relay",
            "type": "variant",
            "priority": 5
          }
        ]
      },
      {
        "id": "can",
        "name": "CAN",
        "type": "subcategory",
        "children": [
          {
            "id": "injection_battery_management_system",
            "name": "Injection (Battery Management System)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_steering_control",
            "name": "Injection (Steering Control)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_pyrotechnical_device_deployment_tool",
            "name": "Injection (Pyrotechnical Device Deployment Tool)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_headlights",
            "name": "Injection (Headlights)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_sensors",
            "name": "Injection (Sensors)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_vehicle_anti_theft_systems",
            "name": "Injection (Vehicle Anti-theft Systems)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_powertrain",
            "name": "Injection (Powertrain)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_basic_safety_message",
            "name": "Injection (Basic Safety Message)",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "injection_disallowed_messages",
            "name": "Injection (Disallowed Messages)",
            "type": "variant",
            "priority": 4
          },
          {
            "id": "injection_dos",
            "name": "Injection (DoS)",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "battery_management_system",
        "name": "Battery Management System",
        "type": "subcategory",
        "children": [
          {
            "id": "firmware_dump",
            "name": "Firmware Dump",
            "type": "variant",
            "priority": 3
          },
          {
            "id": "fraudulent_interface",
            "name": "Fraudulent Interface",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "gnss_gps",
        "name": "GNSS / GPS",
        "type": "subcategory",
        "children": [
          {
            "id": "spoofing",
            "name": "Spoofing",
            "type": "variant",
            "priority": 4
          }
        ]
      },
      {
        "id": "immobilizer",
        "name": "Immobilizer",
        "type": "subcategory",
        "children": [
          {
            "id": "engine_start",
            "name": "Engine Start",
            "type": "variant",
            "priority": 3
          }
        ]
      },
      {
        "id": "abs",
        "name": "Automatic Braking System (ABS)",
        "type": "subcategory",
        "children": [
          {
            "id": "unintended_acceleration_brake",
            "name": "Unintended Acceleration / Brake",
            "type": "variant",
            "priority": 3
          }
        ]
      },
      {
        "id": "rsu",
        "name": "Roadside Unit (RSU)",
        "type": "subcategory",
        "children": [
          {
            "id": "sybil_attack",
            "name": "Sybil Attack",
            "type": "variant",
            "priority": 4
          }
        ]
      }
    ]
  },
  {
    "id": "indicators_of_compromise",
    "name": "Indicators of Compromise",
    "type": "category",
    "priority": null
  }
]

}