{
"metadata": { "release_date": "2019-04-15T18:00:00+00:00" }, "content": [ { "id": "server_security_misconfiguration", "name": "Server Security Misconfiguration", "type": "category", "children": [ { "id": "unsafe_cross_origin_resource_sharing", "name": "Unsafe Cross-Origin Resource Sharing", "type": "subcategory", "priority": null }, { "id": "path_traversal", "name": "Path Traversal", "type": "subcategory", "priority": null }, { "id": "directory_listing_enabled", "name": "Directory Listing Enabled", "type": "subcategory", "children": [ { "id": "sensitive_data_exposure", "name": "Sensitive Data Exposure", "type": "variant", "priority": null }, { "id": "non_sensitive_data_exposure", "name": "Non-Sensitive Data Exposure", "type": "variant", "priority": 5 } ] }, { "id": "same_site_scripting", "name": "Same-Site Scripting", "type": "subcategory", "priority": 5 }, { "id": "ssl_attack_breach_poodle_etc", "name": "SSL Attack (BREACH, POODLE etc.)", "type": "subcategory", "priority": null }, { "id": "using_default_credentials", "name": "Using Default Credentials", "type": "subcategory", "priority": 1 }, { "id": "misconfigured_dns", "name": "Misconfigured DNS", "type": "subcategory", "children": [ { "id": "basic_subdomain_takeover", "name": "Basic Subdomain Takeover", "type": "variant", "priority": 3 }, { "id": "high_impact_subdomain_takeover", "name": "High Impact Subdomain Takeover", "type": "variant", "priority": 2 }, { "id": "zone_transfer", "name": "Zone Transfer", "type": "variant", "priority": 4 }, { "id": "missing_caa_record", "name": "Missing Certification Authority Authorization (CAA) Record", "type": "variant", "priority": 5 } ] }, { "id": "mail_server_misconfiguration", "name": "Mail Server Misconfiguration", "type": "subcategory", "children": [ { "id": "no_spoofing_protection_on_email_domain", "name": "No Spoofing Protection on Email Domain", "type": "variant", "priority": 3 }, { "id": 
"email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain", "name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain", "type": "variant", "priority": 4 }, { "id": "email_spoofing_to_spam_folder", "name": "Email Spoofing to Spam Folder", "type": "variant", "priority": 5 }, { "id": "missing_or_misconfigured_spf_and_or_dkim", "name": "Missing or Misconfigured SPF and/or DKIM", "type": "variant", "priority": 5 }, { "id": "email_spoofing_on_non_email_domain", "name": "Email Spoofing on Non-Email Domain", "type": "variant", "priority": 5 } ] }, { "id": "dbms_misconfiguration", "name": "Database Management System (DBMS) Misconfiguration", "type": "subcategory", "children": [ { "id": "excessively_privileged_user_dba", "name": "Excessively Privileged User / DBA", "type": "variant", "priority": 4 } ] }, { "id": "lack_of_password_confirmation", "name": "Lack of Password Confirmation", "type": "subcategory", "children": [ { "id": "change_email_address", "name": "Change Email Address", "type": "variant", "priority": 5 }, { "id": "change_password", "name": "Change Password", "type": "variant", "priority": 5 }, { "id": "delete_account", "name": "Delete Account", "type": "variant", "priority": 4 }, { "id": "manage_two_fa", "name": "Manage 2FA", "type": "variant", "priority": 5 } ] }, { "id": "no_rate_limiting_on_form", "name": "No Rate Limiting on Form", "type": "subcategory", "children": [ { "id": "registration", "name": "Registration", "type": "variant", "priority": 4 }, { "id": "login", "name": "Login", "type": "variant", "priority": 4 }, { "id": "email_triggering", "name": "Email-Triggering", "type": "variant", "priority": 4 }, { "id": "sms_triggering", "name": "SMS-Triggering", "type": "variant", "priority": 4 } ] }, { "id": "unsafe_file_upload", "name": "Unsafe File Upload", "type": "subcategory", "children": [ { "id": "no_antivirus", "name": "No Antivirus", "type": "variant", "priority": 5 }, { "id": "no_size_limit", 
"name": "No Size Limit", "type": "variant", "priority": 5 }, { "id": "file_extension_filter_bypass", "name": "File Extension Filter Bypass", "type": "variant", "priority": 5 } ] }, { "id": "cookie_scoped_to_parent_domain", "name": "Cookie Scoped to Parent Domain", "type": "subcategory", "priority": 5 }, { "id": "missing_secure_or_httponly_cookie_flag", "name": "Missing Secure or HTTPOnly Cookie Flag", "type": "subcategory", "children": [ { "id": "session_token", "name": "Session Token", "type": "variant", "priority": 4 }, { "id": "non_session_cookie", "name": "Non-Session Cookie", "type": "variant", "priority": 5 } ] }, { "id": "clickjacking", "name": "Clickjacking", "type": "subcategory", "children": [ { "id": "sensitive_action", "name": "Sensitive Click-Based Action", "type": "variant", "priority": 4 }, { "id": "form_input", "name": "Form Input", "type": "variant", "priority": 5 }, { "id": "non_sensitive_action", "name": "Non-Sensitive Action", "type": "variant", "priority": 5 } ] }, { "id": "oauth_misconfiguration", "name": "OAuth Misconfiguration", "type": "subcategory", "children": [ { "id": "account_takeover", "name": "Account Takeover", "type": "variant", "priority": 2 }, { "id": "missing_state_parameter", "name": "Missing/Broken State Parameter", "type": "variant", "priority": null }, { "id": "insecure_redirect_uri", "name": "Insecure Redirect URI", "type": "variant", "priority": null } ] }, { "id": "captcha", "name": "CAPTCHA", "type": "subcategory", "children": [ { "id": "implementation_vulnerability", "name": "Implementation Vulnerability", "type": "variant", "priority": 4 }, { "id": "brute_force", "name": "Brute Force", "type": "variant", "priority": 5 }, { "id": "missing", "name": "Missing", "type": "variant", "priority": 5 } ] }, { "id": "exposed_admin_portal", "name": "Exposed Admin Portal", "type": "subcategory", "children": [ { "id": "to_internet", "name": "To Internet", "type": "variant", "priority": 5 } ] }, { "id": "missing_dnssec", "name": 
"Missing DNSSEC", "type": "subcategory", "priority": 5 }, { "id": "fingerprinting_banner_disclosure", "name": "Fingerprinting/Banner Disclosure", "type": "subcategory", "priority": 5 }, { "id": "username_enumeration", "name": "Username/Email Enumeration", "type": "subcategory", "children": [ { "id": "brute_force", "name": "Brute Force", "type": "variant", "priority": 5 } ] }, { "id": "potentially_unsafe_http_method_enabled", "name": "Potentially Unsafe HTTP Method Enabled", "type": "subcategory", "children": [ { "id": "options", "name": "OPTIONS", "type": "variant", "priority": 5 }, { "id": "trace", "name": "TRACE", "type": "variant", "priority": 5 } ] }, { "id": "insecure_ssl", "name": "Insecure SSL", "type": "subcategory", "children": [ { "id": "lack_of_forward_secrecy", "name": "Lack of Forward Secrecy", "type": "variant", "priority": 5 }, { "id": "insecure_cipher_suite", "name": "Insecure Cipher Suite", "type": "variant", "priority": 5 }, { "id": "certificate_error", "name": "Certificate Error", "type": "variant", "priority": 5 } ] }, { "id": "rfd", "name": "Reflected File Download (RFD)", "type": "subcategory", "priority": 5 }, { "id": "lack_of_security_headers", "name": "Lack of Security Headers", "type": "subcategory", "children": [ { "id": "x_frame_options", "name": "X-Frame-Options", "type": "variant", "priority": 5 }, { "id": "cache_control_for_a_non_sensitive_page", "name": "Cache-Control for a Non-Sensitive Page", "type": "variant", "priority": 5 }, { "id": "x_xss_protection", "name": "X-XSS-Protection", "type": "variant", "priority": 5 }, { "id": "strict_transport_security", "name": "Strict-Transport-Security", "type": "variant", "priority": 5 }, { "id": "x_content_type_options", "name": "X-Content-Type-Options", "type": "variant", "priority": 5 }, { "id": "content_security_policy", "name": "Content-Security-Policy", "type": "variant", "priority": 5 }, { "id": "public_key_pins", "name": "Public-Key-Pins", "type": "variant", "priority": 5 }, { "id": 
"x_content_security_policy", "name": "X-Content-Security-Policy", "type": "variant", "priority": 5 }, { "id": "x_webkit_csp", "name": "X-Webkit-CSP", "type": "variant", "priority": 5 }, { "id": "content_security_policy_report_only", "name": "Content-Security-Policy-Report-Only", "type": "variant", "priority": 5 }, { "id": "cache_control_for_a_sensitive_page", "name": "Cache-Control for a Sensitive Page", "type": "variant", "priority": 4 } ] }, { "id": "waf_bypass", "name": "Web Application Firewall (WAF) Bypass", "type": "subcategory", "children": [ { "id": "direct_server_access", "name": "Direct Server Access", "type": "variant", "priority": 4 } ] }, { "id": "bitsquatting", "name": "Bitsquatting", "type": "subcategory", "priority": 5 } ] }, { "id": "server_side_injection", "name": "Server-Side Injection", "type": "category", "children": [ { "id": "file_inclusion", "name": "File Inclusion", "type": "subcategory", "children": [ { "id": "local", "name": "Local", "type": "variant", "priority": 1 } ] }, { "id": "parameter_pollution", "name": "Parameter Pollution", "type": "subcategory", "children": [ { "id": "social_media_sharing_buttons", "name": "Social Media Sharing Buttons", "type": "variant", "priority": 5 } ] }, { "id": "remote_code_execution_rce", "name": "Remote Code Execution (RCE)", "type": "subcategory", "priority": 1 }, { "id": "sql_injection", "name": "SQL Injection", "type": "subcategory", "priority": 1 }, { "id": "xml_external_entity_injection_xxe", "name": "XML External Entity Injection (XXE)", "type": "subcategory", "priority": 1 }, { "id": "http_response_manipulation", "name": "HTTP Response Manipulation", "type": "subcategory", "children": [ { "id": "response_splitting_crlf", "name": "Response Splitting (CRLF)", "type": "variant", "priority": 3 } ] }, { "id": "content_spoofing", "name": "Content Spoofing", "type": "subcategory", "children": [ { "id": "iframe_injection", "name": "iframe Injection", "type": "variant", "priority": 3 }, { "id": 
"external_authentication_injection", "name": "External Authentication Injection", "type": "variant", "priority": 4 }, { "id": "flash_based_external_authentication_injection", "name": "Flash Based External Authentication Injection", "type": "variant", "priority": 5 }, { "id": "email_html_injection", "name": "Email HTML Injection", "type": "variant", "priority": 4 }, { "id": "email_hyperlink_injection_based_on_email_provider", "name": "Email Hyperlink Injection Based on Email Provider", "type": "variant", "priority": 5 }, { "id": "text_injection", "name": "Text Injection", "type": "variant", "priority": 5 }, { "id": "homograph_idn_based", "name": "Homograph/IDN-Based", "type": "variant", "priority": 5 }, { "id": "rtlo", "name": "Right-to-Left Override (RTLO)", "type": "variant", "priority": 5 } ] } ] }, { "id": "broken_authentication_and_session_management", "name": "Broken Authentication and Session Management", "type": "category", "children": [ { "id": "authentication_bypass", "name": "Authentication Bypass", "type": "subcategory", "priority": 1 }, { "id": "two_fa_bypass", "name": "Second Factor Authentication (2FA) Bypass", "type": "subcategory", "priority": 3 }, { "id": "privilege_escalation", "name": "Privilege Escalation", "type": "subcategory", "priority": null }, { "id": "cleartext_transmission_of_session_token", "name": "Cleartext Transmission of Session Token", "type": "subcategory", "priority": 4 }, { "id": "weak_login_function", "name": "Weak Login Function", "type": "subcategory", "children": [ { "id": "not_operational", "name": "Not Operational or Intended Public Access", "type": "variant", "priority": 5 }, { "id": "other_plaintext_protocol_no_secure_alternative", "name": "Other Plaintext Protocol with no Secure Alternative", "type": "variant", "priority": 4 }, { "id": "lan_only", "name": "LAN Only", "type": "variant", "priority": 4 }, { "id": "http_and_https_available", "name": "HTTP and HTTPS Available", "type": "variant", "priority": 4 }, { "id": 
"https_not_available_or_http_by_default", "name": "HTTPS not Available or HTTP by Default", "type": "variant", "priority": 3 } ] }, { "id": "session_fixation", "name": "Session Fixation", "type": "subcategory", "children": [ { "id": "remote_attack_vector", "name": "Remote Attack Vector", "type": "variant", "priority": 3 }, { "id": "local_attack_vector", "name": "Local Attack Vector", "type": "variant", "priority": 5 } ] }, { "id": "failure_to_invalidate_session", "name": "Failure to Invalidate Session", "type": "subcategory", "children": [ { "id": "on_logout", "name": "On Logout (Client and Server-Side)", "type": "variant", "priority": 4 }, { "id": "on_logout_server_side_only", "name": "On Logout (Server-Side Only)", "type": "variant", "priority": 5 }, { "id": "on_password_change", "name": "On Password Reset and/or Change", "type": "variant", "priority": 4 }, { "id": "all_sessions", "name": "Concurrent Sessions On Logout", "type": "variant", "priority": 5 }, { "id": "on_email_change", "name": "On Email Change", "type": "variant", "priority": 5 }, { "id": "long_timeout", "name": "Long Timeout", "type": "variant", "priority": 5 } ] }, { "id": "concurrent_logins", "name": "Concurrent Logins", "type": "subcategory", "priority": 5 }, { "id": "weak_registration_implementation", "name": "Weak Registration Implementation", "type": "subcategory", "children": [ { "id": "over_http", "name": "Over HTTP", "type": "variant", "priority": 4 } ] } ] }, { "id": "sensitive_data_exposure", "name": "Sensitive Data Exposure", "type": "category", "children": [ { "id": "critically_sensitive_data", "name": "Critically Sensitive Data", "type": "subcategory", "children": [ { "id": "password_disclosure", "name": "Password Disclosure", "type": "variant", "priority": 1 }, { "id": "private_api_keys", "name": "Private API Keys", "type": "variant", "priority": 1 } ] }, { "id": "exif_geolocation_data_not_stripped_from_uploaded_images", "name": "EXIF Geolocation Data Not Stripped From Uploaded 
Images", "type": "subcategory", "children": [ { "id": "automatic_user_enumeration", "name": "Automatic User Enumeration", "type": "variant", "priority": 3 }, { "id": "manual_user_enumeration", "name": "Manual User Enumeration", "type": "variant", "priority": 4 } ] }, { "id": "visible_detailed_error_page", "name": "Visible Detailed Error/Debug Page", "type": "subcategory", "children": [ { "id": "detailed_server_configuration", "name": "Detailed Server Configuration", "type": "variant", "priority": 4 }, { "id": "full_path_disclosure", "name": "Full Path Disclosure", "type": "variant", "priority": 5 }, { "id": "descriptive_stack_trace", "name": "Descriptive Stack Trace", "type": "variant", "priority": 5 } ] }, { "id": "disclosure_of_known_public_information", "name": "Disclosure of Known Public Information", "type": "subcategory", "priority": 5 }, { "id": "token_leakage_via_referer", "name": "Token Leakage via Referer", "type": "subcategory", "children": [ { "id": "trusted_third_party", "name": "Trusted 3rd Party", "type": "variant", "priority": 5 }, { "id": "untrusted_third_party", "name": "Untrusted 3rd Party", "type": "variant", "priority": 4 }, { "id": "over_http", "name": "Over HTTP", "type": "variant", "priority": 4 } ] }, { "id": "sensitive_token_in_url", "name": "Sensitive Token in URL", "type": "subcategory", "children": [ { "id": "user_facing", "name": "User Facing", "type": "variant", "priority": 4 }, { "id": "in_the_background", "name": "In the Background", "type": "variant", "priority": 5 }, { "id": "on_password_reset", "name": "On Password Reset", "type": "variant", "priority": 5 } ] }, { "id": "non_sensitive_token_in_url", "name": "Non-Sensitive Token in URL", "type": "subcategory", "priority": 5 }, { "id": "weak_password_reset_implementation", "name": "Weak Password Reset Implementation", "type": "subcategory", "children": [ { "id": "password_reset_token_sent_over_http", "name": "Password Reset Token Sent Over HTTP", "type": "variant", "priority": 4 }, 
{ "id": "token_leakage_via_host_header_poisoning", "name": "Token Leakage via Host Header Poisoning", "type": "variant", "priority": 2 } ] }, { "id": "mixed_content", "name": "Mixed Content (HTTPS Sourcing HTTP)", "type": "subcategory", "priority": 5 }, { "id": "sensitive_data_hardcoded", "name": "Sensitive Data Hardcoded", "type": "subcategory", "children": [ { "id": "oauth_secret", "name": "OAuth Secret", "type": "variant", "priority": 5 }, { "id": "file_paths", "name": "File Paths", "type": "variant", "priority": 5 } ] }, { "id": "internal_ip_disclosure", "name": "Internal IP Disclosure", "type": "subcategory", "priority": 5 }, { "id": "xssi", "name": "Cross-Site Script Inclusion (XSSI)", "type": "subcategory", "priority": null }, { "id": "json_hijacking", "name": "JSON Hijacking", "type": "subcategory", "priority": 5 } ] }, { "id": "cross_site_scripting_xss", "name": "Cross-Site Scripting (XSS)", "type": "category", "children": [ { "id": "stored", "name": "Stored", "type": "subcategory", "children": [ { "id": "non_admin_to_anyone", "name": "Non-Privileged User to Anyone", "type": "variant", "priority": 2 }, { "id": "privileged_user_to_privilege_elevation", "name": "Privileged User to Privilege Elevation", "type": "variant", "priority": 3 }, { "id": "privileged_user_to_no_privilege_elevation", "name": "Privileged User to No Privilege Elevation", "type": "variant", "priority": 4 }, { "id": "url_based", "name": "CSRF/URL-Based", "type": "variant", "priority": 3 }, { "id": "self", "name": "Self", "type": "variant", "priority": 5 } ] }, { "id": "reflected", "name": "Reflected", "type": "subcategory", "children": [ { "id": "non_self", "name": "Non-Self", "type": "variant", "priority": 3 }, { "id": "self", "name": "Self", "type": "variant", "priority": 5 } ] }, { "id": "flash_based", "name": "Flash-Based", "type": "subcategory", "priority": 4 }, { "id": "cookie_based", "name": "Cookie-Based", "type": "subcategory", "priority": 5 }, { "id": "ie_only", "name": 
"IE-Only", "type": "subcategory", "children": [ { "id": "ie_eleven", "name": "IE11", "type": "variant", "priority": 4 }, { "id": "xss_filter_disabled", "name": "XSS Filter Disabled", "type": "variant", "priority": 5 }, { "id": "older_version_ie_eleven", "name": "Older Version (< IE11)", "type": "variant", "priority": 5 } ] }, { "id": "referer", "name": "Referer", "type": "subcategory", "priority": 4 }, { "id": "trace_method", "name": "TRACE Method", "type": "subcategory", "priority": 5 }, { "id": "universal_uxss", "name": "Universal (UXSS)", "type": "subcategory", "priority": 4 }, { "id": "off_domain", "name": "Off-Domain", "type": "subcategory", "children": [ { "id": "data_uri", "name": "Data URI", "type": "variant", "priority": 4 } ] } ] }, { "id": "broken_access_control", "name": "Broken Access Control (BAC)", "type": "category", "children": [ { "id": "idor", "name": "Insecure Direct Object References (IDOR)", "type": "subcategory", "priority": null }, { "id": "server_side_request_forgery_ssrf", "name": "Server-Side Request Forgery (SSRF)", "type": "subcategory", "children": [ { "id": "internal_high_impact", "name": "Internal High Impact", "type": "variant", "priority": 2 }, { "id": "internal_scan_and_or_medium_impact", "name": "Internal Scan and/or Medium Impact", "type": "variant", "priority": 3 }, { "id": "external", "name": "External", "type": "variant", "priority": 4 }, { "id": "dns_query_only", "name": "DNS Query Only", "type": "variant", "priority": 5 } ] }, { "id": "username_enumeration", "name": "Username/Email Enumeration", "type": "subcategory", "children": [ { "id": "non_brute_force", "name": "Non-Brute Force", "type": "variant", "priority": 4 } ] }, { "id": "exposed_sensitive_android_intent", "name": "Exposed Sensitive Android Intent", "type": "subcategory", "priority": null }, { "id": "exposed_sensitive_ios_url_scheme", "name": "Exposed Sensitive iOS URL Scheme", "type": "subcategory", "priority": null } ] }, { "id": 
"cross_site_request_forgery_csrf", "name": "Cross-Site Request Forgery (CSRF)", "type": "category", "children": [ { "id": "application_wide", "name": "Application-Wide", "type": "subcategory", "priority": 2 }, { "id": "action_specific", "name": "Action-Specific", "type": "subcategory", "children": [ { "id": "authenticated_action", "name": "Authenticated Action", "type": "variant", "priority": null }, { "id": "unauthenticated_action", "name": "Unauthenticated Action", "type": "variant", "priority": null }, { "id": "logout", "name": "Logout", "type": "variant", "priority": 5 } ] }, { "id": "csrf_token_not_unique_per_request", "name": "CSRF Token Not Unique Per Request", "type": "subcategory", "priority": 5 } ] }, { "id": "application_level_denial_of_service_dos", "name": "Application-Level Denial-of-Service (DoS)", "type": "category", "children": [ { "id": "critical_impact_and_or_easy_difficulty", "name": "Critical Impact and/or Easy Difficulty", "type": "subcategory", "priority": 2 }, { "id": "high_impact_and_or_medium_difficulty", "name": "High Impact and/or Medium Difficulty", "type": "subcategory", "priority": 3 }, { "id": "app_crash", "name": "App Crash", "type": "subcategory", "children": [ { "id": "malformed_android_intents", "name": "Malformed Android Intents", "type": "variant", "priority": 5 }, { "id": "malformed_ios_url_schemes", "name": "Malformed iOS URL Schemes", "type": "variant", "priority": 5 } ] } ] }, { "id": "unvalidated_redirects_and_forwards", "name": "Unvalidated Redirects and Forwards", "type": "category", "children": [ { "id": "open_redirect", "name": "Open Redirect", "type": "subcategory", "children": [ { "id": "get_based", "name": "GET-Based", "type": "variant", "priority": 4 }, { "id": "post_based", "name": "POST-Based", "type": "variant", "priority": 5 }, { "id": "header_based", "name": "Header-Based", "type": "variant", "priority": 5 }, { "id": "flash_based", "name": "Flash-Based", "type": "variant", "priority": 5 } ] }, { "id": 
"tabnabbing", "name": "Tabnabbing", "type": "subcategory", "priority": 5 }, { "id": "lack_of_security_speed_bump_page", "name": "Lack of Security Speed Bump Page", "type": "subcategory", "priority": 5 } ] }, { "id": "external_behavior", "name": "External Behavior", "type": "category", "children": [ { "id": "browser_feature", "name": "Browser Feature", "type": "subcategory", "children": [ { "id": "plaintext_password_field", "name": "Plaintext Password Field", "type": "variant", "priority": 5 }, { "id": "save_password", "name": "Save Password", "type": "variant", "priority": 5 }, { "id": "autocomplete_enabled", "name": "Autocomplete Enabled", "type": "variant", "priority": 5 }, { "id": "autocorrect_enabled", "name": "Autocorrect Enabled", "type": "variant", "priority": 5 }, { "id": "aggressive_offline_caching", "name": "Aggressive Offline Caching", "type": "variant", "priority": 5 } ] }, { "id": "csv_injection", "name": "CSV Injection", "type": "subcategory", "priority": 5 }, { "id": "captcha_bypass", "name": "CAPTCHA Bypass", "type": "subcategory", "children": [ { "id": "crowdsourcing", "name": "Crowdsourcing", "type": "variant", "priority": 5 } ] }, { "id": "system_clipboard_leak", "name": "System Clipboard Leak", "type": "subcategory", "children": [ { "id": "shared_links", "name": "Shared Links", "type": "variant", "priority": 5 } ] }, { "id": "user_password_persisted_in_memory", "name": "User Password Persisted in Memory", "type": "subcategory", "priority": 5 } ] }, { "id": "insufficient_security_configurability", "name": "Insufficient Security Configurability", "type": "category", "children": [ { "id": "weak_password_policy", "name": "Weak Password Policy", "type": "subcategory", "priority": 5 }, { "id": "no_password_policy", "name": "No Password Policy", "type": "subcategory", "priority": 4 }, { "id": "weak_password_reset_implementation", "name": "Weak Password Reset Implementation", "type": "subcategory", "children": [ { "id": 
"token_is_not_invalidated_after_use", "name": "Token is Not Invalidated After Use", "type": "variant", "priority": 4 }, { "id": "token_is_not_invalidated_after_email_change", "name": "Token is Not Invalidated After Email Change", "type": "variant", "priority": 5 }, { "id": "token_is_not_invalidated_after_password_change", "name": "Token is Not Invalidated After Password Change", "type": "variant", "priority": 5 }, { "id": "token_has_long_timed_expiry", "name": "Token Has Long Timed Expiry", "type": "variant", "priority": 5 }, { "id": "token_is_not_invalidated_after_new_token_is_requested", "name": "Token is Not Invalidated After New Token is Requested", "type": "variant", "priority": 5 }, { "id": "token_is_not_invalidated_after_login", "name": "Token is Not Invalidated After Login", "type": "variant", "priority": 5 } ] }, { "id": "lack_of_verification_email", "name": "Lack of Verification Email", "type": "subcategory", "priority": 5 }, { "id": "lack_of_notification_email", "name": "Lack of Notification Email", "type": "subcategory", "priority": 5 }, { "id": "weak_registration_implementation", "name": "Weak Registration Implementation", "type": "subcategory", "children": [ { "id": "allows_disposable_email_addresses", "name": "Allows Disposable Email Addresses", "type": "variant", "priority": 5 } ] }, { "id": "weak_two_fa_implementation", "name": "Weak 2FA Implementation", "type": "subcategory", "children": [ { "id": "two_fa_secret_cannot_be_rotated", "name": "2FA Secret Cannot be Rotated", "type": "variant", "priority": 4 }, { "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled", "name": "2FA Secret Remains Obtainable After 2FA is Enabled", "type": "variant", "priority": 4 }, { "id": "missing_failsafe", "name": "Missing Failsafe", "type": "variant", "priority": 5 } ] } ] }, { "id": "using_components_with_known_vulnerabilities", "name": "Using Components with Known Vulnerabilities", "type": "category", "children": [ { "id": "rosetta_flash", "name": 
"Rosetta Flash", "type": "subcategory", "priority": 4 }, { "id": "outdated_software_version", "name": "Outdated Software Version", "type": "subcategory", "priority": 5 }, { "id": "captcha_bypass", "name": "CAPTCHA Bypass", "type": "subcategory", "children": [ { "id": "ocr_optical_character_recognition", "name": "OCR (Optical Character Recognition)", "type": "variant", "priority": 5 } ] } ] }, { "id": "insecure_data_storage", "name": "Insecure Data Storage", "type": "category", "children": [ { "id": "sensitive_application_data_stored_unencrypted", "name": "Sensitive Application Data Stored Unencrypted", "type": "subcategory", "children": [ { "id": "on_external_storage", "name": "On External Storage", "type": "variant", "priority": 4 }, { "id": "on_internal_storage", "name": "On Internal Storage", "type": "variant", "priority": 5 } ] }, { "id": "server_side_credentials_storage", "name": "Server-Side Credentials Storage", "type": "subcategory", "children": [ { "id": "plaintext", "name": "Plaintext", "type": "variant", "priority": 4 } ] }, { "id": "non_sensitive_application_data_stored_unencrypted", "name": "Non-Sensitive Application Data Stored Unencrypted", "type": "subcategory", "priority": 5 }, { "id": "screen_caching_enabled", "name": "Screen Caching Enabled", "type": "subcategory", "priority": 5 } ] }, { "id": "lack_of_binary_hardening", "name": "Lack of Binary Hardening", "type": "category", "children": [ { "id": "lack_of_exploit_mitigations", "name": "Lack of Exploit Mitigations", "type": "subcategory", "priority": 5 }, { "id": "lack_of_jailbreak_detection", "name": "Lack of Jailbreak Detection", "type": "subcategory", "priority": 5 }, { "id": "lack_of_obfuscation", "name": "Lack of Obfuscation", "type": "subcategory", "priority": 5 }, { "id": "runtime_instrumentation_based", "name": "Runtime Instrumentation-Based", "type": "subcategory", "priority": 5 } ] }, { "id": "insecure_data_transport", "name": "Insecure Data Transport", "type": "category", "children": [ 
{ "id": "cleartext_transmission_of_sensitive_data", "name": "Cleartext Transmission of Sensitive Data", "type": "subcategory", "priority": null }, { "id": "executable_download", "name": "Executable Download", "type": "subcategory", "children": [ { "id": "no_secure_integrity_check", "name": "No Secure Integrity Check", "type": "variant", "priority": 4 }, { "id": "secure_integrity_check", "name": "Secure Integrity Check", "type": "variant", "priority": 5 } ] } ] }, { "id": "insecure_os_firmware", "name": "Insecure OS/Firmware", "type": "category", "children": [ { "id": "command_injection", "name": "Command Injection", "type": "subcategory", "priority": 1 }, { "id": "hardcoded_password", "name": "Hardcoded Password", "type": "subcategory", "children": [ { "id": "privileged_user", "name": "Privileged User", "type": "variant", "priority": 1 }, { "id": "non_privileged_user", "name": "Non-Privileged User", "type": "variant", "priority": 2 } ] } ] }, { "id": "broken_cryptography", "name": "Broken Cryptography", "type": "category", "children": [ { "id": "cryptographic_flaw", "name": "Cryptographic Flaw", "type": "subcategory", "children": [ { "id": "incorrect_usage", "name": "Incorrect Usage", "type": "variant", "priority": 1 } ] } ] }, { "id": "privacy_concerns", "name": "Privacy Concerns", "type": "category", "children": [ { "id": "unnecessary_data_collection", "name": "Unnecessary Data Collection", "type": "subcategory", "children": [ { "id": "wifi_ssid_password", "name": "WiFi SSID+Password", "type": "variant", "priority": 4 } ] } ] }, { "id": "network_security_misconfiguration", "name": "Network Security Misconfiguration", "type": "category", "children": [ { "id": "telnet_enabled", "name": "Telnet Enabled", "type": "subcategory", "priority": 5 } ] }, { "id": "mobile_security_misconfiguration", "name": "Mobile Security Misconfiguration", "type": "category", "children": [ { "id": "ssl_certificate_pinning", "name": "SSL Certificate Pinning", "type": "subcategory", 
"children": [ { "id": "absent", "name": "Absent", "type": "variant", "priority": 5 }, { "id": "defeatable", "name": "Defeatable", "type": "variant", "priority": 5 } ] }, { "id": "tapjacking", "name": "Tapjacking", "type": "subcategory", "priority": 5 }, { "id": "clipboard_enabled", "name": "Clipboard Enabled", "type": "subcategory", "children": [ { "id": "on_sensitive_content", "name": "On Sensitive Content", "type": "variant", "priority": 4 }, { "id": "on_non_sensitive_content", "name": "On Non-Sensitive Content", "type": "variant", "priority": 5 } ] } ] }, { "id": "client_side_injection", "name": "Client-Side Injection", "type": "category", "children": [ { "id": "binary_planting", "name": "Binary Planting", "type": "subcategory", "children": [ { "id": "privilege_escalation", "name": "Default Folder Privilege Escalation", "type": "variant", "priority": 3 }, { "id": "non_default_folder_privilege_escalation", "name": "Non-Default Folder Privilege Escalation", "type": "variant", "priority": 5 }, { "id": "no_privilege_escalation", "name": "No Privilege Escalation", "type": "variant", "priority": 5 } ] } ] }, { "id": "automotive_security_misconfiguration", "name": "Automotive Security Misconfiguration", "type": "category", "children": [ { "id": "infotainment", "name": "Infotainment", "type": "subcategory", "children": [ { "id": "pii_leakage", "name": "PII Leakage", "type": "variant", "priority": 1 }, { "id": "code_execution_can_bus_pivot", "name": "Code Execution (CAN Bus Pivot)", "type": "variant", "priority": 2 }, { "id": "code_execution_no_can_bus_pivot", "name": "Code Execution (No CAN Bus Pivot)", "type": "variant", "priority": 3 }, { "id": "unauthorized_access_to_services", "name": "Unauthorized Access to Services (API / Endpoints)", "type": "variant", "priority": 3 }, { "id": "source_code_dump", "name": "Source Code Dump", "type": "variant", "priority": 4 }, { "id": "dos_brick", "name": "Denial of Service (DoS / Brick)", "type": "variant", "priority": 4 }, { 
"id": "default_credentials", "name": "Default Credentials", "type": "variant", "priority": 4 } ] }, { "id": "rf_hub", "name": "RF Hub", "type": "subcategory", "children": [ { "id": "key_fob_cloning", "name": "Key Fob Cloning", "type": "variant", "priority": 1 }, { "id": "can_injection_interaction", "name": "CAN Injection / Interaction", "type": "variant", "priority": 2 }, { "id": "data_leakage_pull_encryption_mechanism", "name": "Data Leakage / Pull Encryption Mechanism", "type": "variant", "priority": 3 }, { "id": "unauthorized_access_turn_on", "name": "Unauthorized Access / Turn On", "type": "variant", "priority": 4 }, { "id": "roll_jam", "name": "Roll Jam", "type": "variant", "priority": 5 }, { "id": "replay", "name": "Replay", "type": "variant", "priority": 5 }, { "id": "relay", "name": "Relay", "type": "variant", "priority": 5 } ] }, { "id": "can", "name": "CAN", "type": "subcategory", "children": [ { "id": "injection_disallowed_messages", "name": "Injection (Disallowed Messages)", "type": "variant", "priority": 4 }, { "id": "injection_dos", "name": "Injection (DoS)", "type": "variant", "priority": 4 } ] } ] } ]
}