VRT Category Suggestion - Informational (P5) Update #502

@binbashsu-bugcrowd

Description

A set of P5/Varies findings typically found within Penetration Test engagements, which also reflect well into Bug Bounty programs:

Varies: Server Security Misconfiguration -> Misconfigured File Share -> Anonymous FTP Enabled
Varies: Server Security Misconfiguration -> Misconfigured File Share -> Anonymous SMB Enabled
P5: Server Security Misconfiguration -> Misconfigured File Share -> Non-Sensitive Data Exposure via Anonymous FTP/SMB Enabled
P5: Broken Authentication and Session Management -> Excessive JSON Web Token (JWT) Lifetime
P5: Broken Authentication and Session Management -> Secret Questions Used for Account Verification
P5: Insufficient Security Configurability -> No 2FA Implementation
P5: Insufficient Security Configurability -> No Account Lockout
P5: Insufficient Security Configurability -> Weak JSON Web Token (JWT) Hashing Algorithm
P5: Sensitive Data Exposure -> Disclosure of Secrets -> Sensitive Information Disclosed in JSON Web Token (JWT)
P5: Sensitive Data Exposure -> Disclosure of Secrets -> Publicly accessible Robots.txt
P5: Server Security Misconfiguration -> Fingerprinting/Banner Disclosure -> Software Versions Disclosed in Response Headers
P5: Server Security Misconfiguration -> Misconfigured Security Headers -> Insecure Content-Security-Policy
P5: Using Components with Known Vulnerabilities -> Unpatched JavaScript Libraries
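Three of the proposed entries concern the same artifact, a JWT observed in traffic: an excessive lifetime, a weak signing algorithm, and sensitive data in the claims. The following triage helper, an added example that is not part of the VRT or of this issue, decodes a token without verifying it and reports which of those three labels apply. The 24-hour lifetime threshold, the treatment of `alg: none` as the weak-algorithm case, the list of sensitive claim names and the sample token are all assumptions chosen for illustration; a weak HMAC key cannot be detected from the token alone and would need a separate guessing test.

```python
"""Triage an observed JWT against the three P5 JWT findings proposed above.

Added example; thresholds, the weak-alg set, the sensitive-claim list and
the sample token are assumptions, not VRT policy.
"""
import base64
import json

# Assumed policy values for this example (not taken from the VRT):
MAX_LIFETIME_SECONDS = 24 * 3600   # exp - iat longer than this is "excessive"
WEAK_ALGS = {"none"}               # unsigned tokens; compared case-insensitively
SENSITIVE_CLAIM_KEYS = {"password", "ssn", "credit_card", "secret", "email", "api_key"}

LABEL_WEAK_ALG = "Weak JSON Web Token (JWT) Hashing Algorithm"
LABEL_LIFETIME = "Excessive JSON Web Token (JWT) Lifetime"
LABEL_SENSITIVE = "Sensitive Information Disclosed in JSON Web Token (JWT)"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_unverified(token: str):
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.

    Suitable only for triaging a token you already hold; never use unverified
    claims to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def triage_jwt(token: str) -> list:
    """Return the VRT-style P5 labels this token exhibits, in a fixed order."""
    header, payload = decode_unverified(token)
    findings = []

    alg = str(header.get("alg", "")).lower()
    if alg in WEAK_ALGS:
        findings.append(LABEL_WEAK_ALG)

    # A token with no exp never expires; one whose exp-iat window exceeds the
    # policy maximum lives too long. Both count as excessive lifetime here.
    iat, exp = payload.get("iat"), payload.get("exp")
    if exp is None or (iat is not None and exp - iat > MAX_LIFETIME_SECONDS):
        findings.append(LABEL_LIFETIME)

    if any(str(k).lower() in SENSITIVE_CLAIM_KEYS for k in payload):
        findings.append(LABEL_SENSITIVE)

    return findings


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with an empty signature, used only to construct
    sample input for this example."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample: alg none, 30-day lifetime, e-mail address in the claims.
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "none", "typ": "JWT"},
    {"sub": "user-1", "iat": 1700000000, "exp": 1700000000 + 30 * 86400,
     "email": "user@example.test"},
)

if __name__ == "__main__":
    for label in triage_jwt(SAMPLE_TOKEN):
        print("P5:", label)
```

Run against a token captured from the target (for example from an `Authorization: Bearer` header) to decide which of the three labels, if any, to cite in the report; a token using a signed algorithm, a short `exp - iat` window and only non-sensitive claims produces an empty list.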