diff --git a/.github/workflows/validate_artifacts.yml b/.github/workflows/validate_artifacts.yml
new file mode 100644
index 00000000..e57dfd85
--- /dev/null
+++ b/.github/workflows/validate_artifacts.yml
@@ -0,0 +1,40 @@
+name: Validate Artifacts
+
+on:
+ push:
+ branches:
+ - main
+ release:
+ types:
+ - created
+ - edited
+ - unpublished
+
+jobs:
+ validate_scw_artifact:
+ name: Validate SCW Artifact
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1
+ - name: Set up Python 3.11
+ uses: actions/setup-python@v1
+ with:
+ python-version: 3.11
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r lib/requirements.txt
+ - name: Install requests library
+ run: |
+ pip install requests
+ - name: Create artifact json file
+ run: |
+ python3 -B lib/generate_artifacts.py
+ - name: Upload artifact
+ uses: actions/upload-artifact@v1
+ with:
+ name: Secure Code Warrior Links
+ path: scw_links.json
+ - name: Validate links
+ run: |
+ python3 -B lib/validate_artifacts.py
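Review bot: Every action in this new workflow is referenced by a floating `v1` major tag (`actions/checkout@v1`, `actions/setup-python@v1`, `actions/upload-artifact@v1`), which is both a stale generation of these actions (upload-artifact v1 has, as far as I know, been deprecated by GitHub) and a mutable supply-chain reference; pin each `uses:` to a full commit SHA of a current release, with the release tag in a trailing comment, so a retagged upstream cannot change what runs here. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scope although nothing in these steps needs more than read access; add `permissions:` / `  contents: read` at the top level. `python-version: 3.11` is an unquoted float that happens to round-trip, but the same line written for 3.10 would become 3.1, so write `python-version: "3.11"`; the same applies to the `validate_vrt.yml` hunk below. The separate `pip install requests` step also bypasses `lib/requirements.txt`, leaving that dependency unpinned; it presumably belongs in the requirements file alongside the others.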
diff --git a/.github/workflows/main.yml b/.github/workflows/validate_vrt.yml
similarity index 62%
rename from .github/workflows/main.yml
rename to .github/workflows/validate_vrt.yml
index 4469a897..bfa189dc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/validate_vrt.yml
@@ -9,21 +9,21 @@ jobs:
steps:
- uses: actions/checkout@v1
- - name: Set up Python 3.7
+ - name: Set up Python 3.11
uses: actions/setup-python@v1
with:
- python-version: 3.7
+ python-version: 3.11
- name: Install dependencies
run: |
python -m pip install --upgrade pip
- pip install -r tests/requirements.txt
+ pip install -r lib/requirements.txt
- name: Lint with flake8
run: |
pip install flake8
# stop the build if there are Python syntax errors or undefined names
- flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+ flake8 ./lib --count --select=E9,F63,F7,F82 --show-source --statistics
# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
- flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ flake8 ./lib --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
- name: Test with unittest
run: |
- python3 -B validate_vrt.py
+ python3 -B lib/validate_vrt.py
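Review bot: Narrowing both flake8 invocations from `.` to `./lib` removes lint coverage (including the build-failing `E9,F63,F7,F82` selection) from any Python that lives outside `lib/`; if every script in the repository was moved under `lib/` in this commit that is fine, but it is worth confirming before merging, and otherwise the first invocation should keep `.`. The `actions/setup-python@v1` and `actions/checkout@v1` references left as context are the same stale, tag-pinned actions noted on the `validate_artifacts.yml` hunk above, and `python-version: 3.11` should likewise be quoted as `"3.11"`. The enclosing job definition starts before this hunk.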
diff --git a/.gitignore b/.gitignore
index f3d74a9a..559b476a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
*.pyc
*~
+
+# vscode config
+.vscode/
+.DS_STORE
\ No newline at end of file
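Review bot: `.DS_STORE` does not match the file macOS actually creates, `.DS_Store`, on a case-sensitive checkout (Linux CI runners, or any clone with `core.ignorecase=false`); only the default case-insensitive matching on macOS makes it appear to work. Write `.DS_Store`. The hunk also leaves the file without a trailing newline, which the next edit will otherwise pick up as noise.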
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1d680fe5..43f2a30a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,41 +1,424 @@
# Change Log
+
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/)
## [Unreleased]
+
+### Added
+
+### Removed
+
+### Changed
+
+## [v1.16](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.15.1...v1.16) - 2025-06-23
+
+### Added
+
+- Broken Access Control (BAC) - Bypass of Password Confirmation - Change Password - P4
+- Sensitive Data Exposure - GraphQL Introspection Enabled - P5
+- AI Application Security - Training Data Poisoning - Backdoor Injection / Bias Manipulation - P1
+- AI Application Security - Model Extraction - API Query-Based Model Reconstruction - P1
+- AI Application Security - Sensitive Information Disclosure - Cross-Tenant PII Leakage/Exposure - P1
+- AI Application Security - Sensitive Information Disclosure - Key Leak - P1
+- AI Application Security - Remote Code Execution - Full System Compromise - P1
+- AI Application Security - Remote Code Execution - Sandboxed Container Code Execution - P2
+- AI Application Security - Prompt Injection - System Prompt Leakage - P2
+- AI Application Security - Vector and Embedding Weaknesses - Embedding Exfiltration / Model Extraction - P2
+- AI Application Security - Vector and Embedding Weaknesses - Semantic Indexing - P3
+- AI Application Security - Denial-of-Service (DoS) - Application-Wide - P2
+- AI Application Security - AI Safety - Misinformation / Wrong Factual Data - P4
+- AI Application Security - Insufficient Rate Limiting - Query Flooding / API Token Abuse - P4
+- AI Application Security - Denial-of-Service (DoS) - Tenant-Scoped - P4
+- AI Application Security - Adversarial Example Injection - AI Misclassification Attacks - P4
+- AI Application Security - Improper Output Handling - Cross-Site Scripting (XSS) - P3
+- AI Application Security - Improper Output Handling - Markdown/HTML Injection - P4
+- AI Application Security - Improper Input Handling - ANSI Escape Codes - P5
+- AI Application Security - Improper Input Handling - Unicode Confusables - P5
+- AI Application Security - Improper Input Handling - RTL Overrides - P5
+
+### Removed
+
+- AI Application Security - Large Language Model (LLM) Security - LLM Output Handling - P1
+- AI Application Security - Large Language Model (LLM) Security - Prompt Injection - P1
+- AI Application Security - Large Language Model (LLM) Security - Training Data Poisoning - P1
+- AIĀ Application Security - Large Language Model (LLM) Security - Excessive Agency/Permission Manipulation - P2
+
+### Other
+
+- Removed CVSS score for VRT entries with 'VARIES' priority, and added default CVSS (0 score) wherever missing.
+- Fixed 'deprecated-node-mapping.json' file to reflect the correct format and fill in missing values.
+
+## [v1.15.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.15...v1.15.1) - 2025-03-11
+
+### Added
+
+- Server Security Misconfiguration - Cache Deception - Varies
+
+### Other
+
+- Fixed minor issues with deprecated-node-mapping.json file.
+- Adding missing issues from deprecated-node-mapping.json file.
+
+## [v1.15](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.14.2...v1.15) - 2025-02-12
+
+### Added
+
+- Decentralized Application Misconfiguration - Insecure Data Storage - Plaintext Private Key - P1
+- Decentralized Application Misconfiguration - Insecure Data Storage - Sensitive Information Exposure - Varies
+- Decentralized Application Misconfiguration - Improper Authorization - Insufficient Signature Validation - Varies
+- Decentralized Application Misconfiguration - DeFi Security - Flash Loan Attack - Varies
+- Decentralized Application Misconfiguration - DeFi Security - Pricing Oracle Manipulation - Varies
+- Decentralized Application Misconfiguration - DeFi Security - Function-Level Accounting Error - Varies
+- Decentralized Application Misconfiguration - DeFi Security - Improper Implementation of Governance - Varies
+- Decentralized Application Misconfiguration - Marketplace Security - Signer Account Takeover - P1
+- Decentralized Application Misconfiguration - Marketplace Security - Unauthorized Asset Transfer - P1
+- Decentralized Application Misconfiguration - Marketplace Security - Orderbook Manipulation - P1
+- Decentralized Application Misconfiguration - Marketplace Security - Malicious Order Offer - P2
+- Decentralized Application Misconfiguration - Marketplace Security - Price or Fee Manipulation - P2
+- Decentralized Application Misconfiguration - Marketplace Security - OFAC Bypass - P3
+- Decentralized Application Misconfiguration - Marketplace Security - Improper Validation and Checks For Deposits and Withdrawals - Varies
+- Decentralized Application Misconfiguration - Marketplace Security - Miscalculated Accounting Logic - Varies
+- Decentralized Application Misconfiguration - Marketplace Security - Denial of Service - Varies
+- Decentralized Application Misconfiguration - Protocol Security Misconfiguration - Node-level Denial of Service - P1
+- Protocol Specific Misconfiguration - Frontrunning-Enabled Attack - P2
+- Protocol Specific Misconfiguration - Sandwich-Enabled Attack - P2
+- Protocol Specific Misconfiguration - Misconfigured Staking Logic - Varies
+- Protocol Specific Misconfiguration - Improper Validation and Finalization Logic - Varies
+- Smart Contract Misconfiguration - Reentrancy Attack - P1
+- Smart Contract Misconfiguration - Smart Contract Owner Takeover - P1
+- Smart Contract Misconfiguration - Uninitialized Variables - P1
+- Smart Contract Misconfiguration - Unauthorized Transfer of Funds - P1
+- Smart Contract Misconfiguration - Integer Overflow / Underflow - P2
+- Smart Contract Misconfiguration - Unauthorized Smart Contract Approval - P2
+- Smart Contract Misconfiguration - Irreversible Function Call - P3
+- Smart Contract Misconfiguration - Function-level Denial of Service - P3
+- Smart Contract Misconfiguration - Malicious Superuser Risk - P3
+- Smart Contract Misconfiguration - Improper Fee Implementation - P3
+- Smart Contract Misconfiguration - Improper Use of Modifier - P4
+- Smart Contract Misconfiguration - Improper Decimals Implementation - P4
+- Smart Contract Misconfiguration - Inaccurate Rounding Calculation - Varies
+- Smart Contract Misconfiguration - Bypass of Function Modifiers & Checks - Varies
+- Zero Knowledge Security Misconfiguration - Missing Constraint - Varies
+- Zero Knowledge Security Misconfiguration - Mismatching Bit Lengths - Varies
+- Zero Knowledge Security Misconfiguration - Misconfigured Trusted Setup - Varies
+- Zero Knowledge Security Misconfiguration - Missing Range Check - Varies
+- Zero Knowledge Security Misconfiguration - Improper Proof Validation and Finalization Logic - P1
+- Zero Knowledge Security Misconfiguration - Deanonymization of Data - P1
+- Blockchain Infrastructure Misconfiguration - Improper Bridge Validation and Verification Logic - Varies
+- Broken Authentication and Session Management - SAML Replay - P5
+
+### Changed
+
+FROM:
+
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Iterable Object Identifiers - P1
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers - P2
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers - P3
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID) - P4
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information - P5
+
+TO:
+
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Iterable Object Identifiers) - P1
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify Sensitive Information(Iterable Object Identifiers) - P2
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Sensitive Information(Iterable Object Identifiers) - P3
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID) - P4
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - View Non-Sensitive Information - P5
+
+### Other
+
+- CVSS Score correction for Server Security Misconfiguration - Mail Server Misconfiguration - Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain - P4.
+- All JSONs, i.e., VRT and its mapping JSONs are now alphabetically sorted.
+- Internal library changes to add a new helper script that aids in sorting the JSONs.
+
+## [v1.14.2](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.14.1...v1.14.2) - 2024-10-25
+
+### Removed
+
+- Server Security Misconfiguration - Misconfigured DNS - High Impact Subdomain Takeover - P2
+
+### Changed
+
+FROM:
+
+- Server Security Misconfiguration - Misconfigured DNS - Basic Subdomain Takeover - P3
+
+TO:
+
+- Server Security Misconfiguration - Misconfigured DNS - Subdomain Takeover - P3
+
+## [v1.14.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.14...v1.14.1) - 2024-07-18
+
+### Changed
+
+- `vulnerability-rating-taxononomy.json` correction
+
+## [v1.14](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.13...v1.14) - 2024-07-09
+
### Added
+- Server Security Misconfiguration - Email verification bypass - P5
+- Server Security Misconfiguration - Missing Subresource Integrity - P5
+- Sensitive Data Exposure - Token Leakage via Referer - Password Reset Token - P5
+- Server Security Misconfiguration - Software Package Takeover - VARIES
+- Broken Access Control (BAC) - Privilege Escalation - VARIES
+- Data Biases - Representation Bias - VARIES
+- Data Biases - Pre-existing Bias - VARIES
+- Algorithmic Biases - Processing Bias - VARIES
+- Algorithmic Biases - Aggregation Bias - VARIES
+- Societal Biases - Confirmation Bias - VARIES
+- Societal Biases - Systemic Bias - VARIES
+- Misinterpretation Biases - Context Ignorance - VARIES
+- Developer Biases - Implicit Bias - VARIES
+
### Removed
+- Broken Authentication and Session Management - Privilege Escalation - VARIES
+
+## [v1.13](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.12...v1.13) - 2024-04-02
+
+### Added
+
+- Physical Security Issues - Bypass of physical access control - VARIES
+- Physical Security Issues - Weakness in physical access control - Clonable Key - VARIES
+- Physical Security Issues - Weakness in physical access control - Master Key Identification - VARIES
+- Physical Security Issues - Weakness in physical access control - Commonly Keyed System - P2
+- Insecure OS/Firmware - Weakness in Firmware Updates - Firmware cannot be updated - VARIES
+- Insecure OS/Firmware - Weakness in Firmware Updates - Firmware does not validate update integrity- P3
+- Insecure OS/Firmware - Weakness in Firmware Updates - Firmware is not encrypted- P5
+- Insecure OS/Firmware - Kiosk Escape or Breakout - VARIES
+- Insecure OS/Firmware - Poorly Configured Disk Encryption - VARIES
+- Insecure OS/Firmware - Shared Credentials on Storage - P3
+- Insecure OS/Firmware - Over-Permissioned Credentials on Storage - P2
+- Insecure OS/Firmware - Local Administrator on default environment - P2
+- Insecure OS/Firmware - Poorly Configured Operating System Security - VARIES
+- Insecure OS/Firmware - Recovery of Disk Contains Sensitive Material - VARIES
+- Insecure OS/Firmware - Failure to Remove Sensitive Artifacts from Disk - VARIES
+- Insecure OS/Firmware - Data not encrypted at rest - Sensitive - VARIES
+- Insecure OS/Firmware - Data not encrypted at rest - Non sensitive - P5
+
+## [v1.12](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.11...v1.12) - 2023-12-18
+
+### Added
+
+- Application Level DoS - Excessive Resource Consumption - Injection (Prompt) - VARIES
+- AI Application Security - Large Language Model (LLM) Security - Prompt Injection - P1
+- AI Application Security - Large Language Model (LLM) Security - LLM Output Handling - P1
+- AI Application Security - Large Language Model (LLM) Security - Training Data Poisoning - P1
+- AI Application Security - Large Language Model (LLM) Security - Excessive Agency/Permission Manipulation - P2
+
+## [v1.11](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.10...v1.11) - 2023-11-20
+
+### Added
+
+- Sensitive Data Exposure - Disclosure of Secrets - PII Leakage/Exposure: VARIES
+- Server-Side Injection - Content Spoofing - HTML Content Injection: P5
+- Broken Authentication and Session Management - Failure to invalidate session - Permission change: VARIES
+- Server Security Misconfiguration - Request Smuggling: VARIES
+- Server-Side Injection - LDAP Injection: VARIES
+- Cryptographic Weakness - Insufficient Entropy - Limited Random Number Generator (RNG) Entropy Source: P4
+- Cryptographic Weakness - Insufficient_Entropy - Use of True Random Number Generator (TRNG) for Non-Security Purpose: P5
+- Cryptographic Weakness - Insufficient_Entropy - Pseudo-Random Number Generator (PRNG) Seed Reuse: P5
+- Cryptographic Weakness - Insufficient_Entropy - Predictable Pseudo-Random Number Generator (PRNG) Seed: P4
+- Cryptographic Weakness - Insufficient_Entropy - Small Seed Space in Pseudo-Random Number Generator (PRNG): P4
+- Cryptographic Weakness - Insufficient_Entropy - Initialization Vector (IV) Reuse: P5
+- Cryptographic Weakness - Insufficient_Entropy - Predictable Initialization Vector (IV): P4
+- Cryptographic Weakness - Insecure Implementation - Missing Cryptographic Step: VARIES
+- Cryptographic Weakness - Insecure Implementation - Improper Following of Specification (Other): VARIES
+- Cryptographic Weakness - Weak Hash - Lack of Salt: VARIES
+- Cryptographic Weakness - Weak Hash - Use of Predictable Salt: P5
+- Cryptographic Weakness - Weak Hash - Predictable Hash Collision: VARIES
+- Cryptographic Weakness - Insufficient Verification of Data Authenticity - Integrity Check Value (ICV): P4
+- Cryptographic Weakness - Insufficient Verification of Data Authenticity - Cryptographic Signature: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Prime Selection: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Improper Asymmetric Exponent Selection: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Insufficient Key Stretching: VARIES
+- Cryptographic Weakness - Insecure Key Generation - Insufficient Key Space: P3
+- Cryptographic Weakness - Insecure Key Generation - Key Exchage Without Entity Authentication: P3
+- Cryptographic Weakness - Key Reuse - Lack of Perfect Forward Secrecy: P4
+- Cryptographic Weakness - Key Reuse - Intra-Environment: P5
+- Cryptographic Weakness - Key Reuse - Inter-Environment: P2
+- Cryptographic Weakness - Side-Channel Attack - Padding Oracle Attack: P4
+- Cryptographic Weakness - Side-Channel Attack - Timing Attack: P4
+- Cryptographic Weakness - Side-Channel Attack - Power Analysis Attack: P5
+- Cryptographic Weakness - Side-Channel Attack - Emanations Attack: P5
+- Cryptographic Weakness - Side-Channel Attack - Differential Fault Analysis: VARIES
+- Cryptographic Weakness - Use of Expired Cryptographic Key (or Certificate): P4
+- Cryptographic Weakness - Incomplete Cleanup of Keying Material: P5
+- Cryptographic Weakness - Broken Cryptography - Use of Broken Cryptographic Primitive: P3
+- Cryptographic Weakness - Broken Cryptography - Use of Vulnerable Cryptographic Library: P4
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Non-Sensitive Information: P5
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information/GUID/Complex Object Identifiers: P4
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read Sensitive Information/Iterable Object Identifiers: P3
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Edit/Delete Sensitive Information/Iterable Object Identifiers: P2
+- Broken Access Control (BAC) - Insecure Direct Object References (IDOR) - Read/Edit/Delete Sensitive Information (PII)/Iterable Object Identifier: P1
+
### Changed
+FROM:
+
+- Cross-Site Scripting (XSS) - IE-Only - Older Version (< IE11): P5
+
+TO:
+
+- Cross-Site Scripting (XSS) - IE-Only: P5
+
+FROM:
+
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External: P4
+- Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only : P5
+
+TO:
+
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact: P2
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact: P3
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low impact: P5
+- Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only: P5
+
+FROM:
+
+- Automotive Security Misconfiguration - Infotainment, Radio Head Unit - PII Leakage: P1
+
+TO:
+
+- Automotive Security Misconfiguration - Infotainment, Radio Head Unit - Sensitive data Leakage/Exposure: P1
+
+### Removed
+
+- Cross-Site Scripting (XSS) - IE-Only - IE11: P4
+- Cross-Site Scripting (XSS) - XSS Filter Disabled: P5
+- Broken Cryptography - Cryptographic Flaw - Incorrect Usage: P1
+
+## [v1.10.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.10...v1.10.1) - 2021-03-29
+
+### Changed
+
+- renamed `secure code warriors` mapping to `secure code warrior`
+
+## [v1.10](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.9...v1.10) - 2021-03-18
+
+### Added
+
+- insufficient_security_configurability.verification_of_contact_method_not_required
+- insufficient_security_configurability.weak_two_fa_implementation.two_fa_code_is_not_updated_after_new_code_is_requested
+- insufficient_security_configurability.weak_two_fa_implementation.old_two_fa_code_is_not_invalidated_after_new_code_is_generated
+- broken_authentication_and_session_management.weak_login_function.over_http
+- server_security_misconfiguration.oauth_misconfiguration.account_squatting
+- Third-party mapping to [Secure Code Warrior](https://www.securecodewarrior.com/) trainings
+- automotive_security_misconfiguration.can.injection_battery_management_system
+- automotive_security_misconfiguration.can.injection_steering_control
+- automotive_security_misconfiguration.can.injection_pyrotechnical_device_deployment_tool
+- automotive_security_misconfiguration.can.injection_headlights
+- automotive_security_misconfiguration.can.injection_sensors
+- automotive_security_misconfiguration.can.injection_vehicle_anti_theft_systems
+- automotive_security_misconfiguration.can.injection_powertrain
+- automotive_security_misconfiguration.can.injection_basic_safety_message
+- automotive_security_misconfiguration.battery_management_system
+- automotive_security_misconfiguration.battery_management_system.firmware_dump
+- automotive_security_misconfiguration.battery_management_system.fraudulent_interface
+- automotive_security_misconfiguration.gnss_gps
+- automotive_security_misconfiguration.gnss_gps.spoofing
+- automotive_security_misconfiguration.immobilizer
+- automotive_security_misconfiguration.immobilizer.engine_start
+- automotive_security_misconfiguration.abs
+- automotive_security_misconfiguration.abs.unintended_acceleration_brake
+- automotive_security_misconfiguration.rsu
+- automotive_security_misconfiguration.rsu.sybil_attack
+- automotive_security_misconfiguration.infotainment_radio_head_unit
+- automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage
+- automotive_security_misconfiguration.infotainment_radio_head_unit.ota_firmware_manipulation
+- automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot
+- automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot
+- automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services
+- automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump
+- automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick
+- automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials
+
+### Removed
+
+- insufficient_security_configurability.lack_of_verification_email
+- broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default
+- broken_authentication_and_session_management.weak_login_function.http_and_https_available
+- broken_authentication_and_session_management.weak_login_function.lan_only
+- cross_site_request_forgery_csrf.flash_based.high_impact
+- cross_site_request_forgery_csrf.flash_based.low_impact
+- automotive_security_misconfiguration.infotainment
+- automotive_security_misconfiguration.infotainment.pii_leakage
+- automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot
+- automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot
+- automotive_security_misconfiguration.infotainment.unauthorized_access_to_services
+- automotive_security_misconfiguration.infotainment.source_code_dump
+- automotive_security_misconfiguration.infotainment.dos_brick
+- automotive_security_misconfiguration.infotainment.default_credentials
+
+### Changed
+
+- server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_non_sensitive_page updated remediation advice
+- server_security_misconfiguration.lack_of_security_headers.cache_control_for_a_sensitive_page updated remediation advice
+- cross_site_scripting_xss.flash_based priority changed from P4 to P5
+- cross_site_request_forgery_csrf.flash_based priority changed from null to P5 (due to children removal)
+- using_components_with_known_vulnerabilities.rosetta_flash priority changed from P4 to P5
+
+## [v1.9](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.8...v1.9) - 2020-05-22
+
+### Added
+
+- sensitive_data_exposure.disclosure_of_secrets.for_publicly_accessible_asset
+- sensitive_data_exposure.disclosure_of_secrets.for_internal_asset
+- sensitive_data_exposure.disclosure_of_secrets.pay_per_use_abuse
+- sensitive_data_exposure.disclosure_of_secrets.intentionally_public_sample_or_invalid
+- sensitive_data_exposure.disclosure_of_secrets.data_traffic_spam
+- sensitive_data_exposure.disclosure_of_secrets.non_corporate_user
+- server_side_injection.ssti.basic
+- server_side_injection.ssti.custom
+- sensitive_data_exposure.via_localstorage_sessionstorage.sensitive_token
+- sensitive_data_exposure.via_localstorage_sessionstorage.non_sensitive_token
+- mobile_security_misconfiguration.auto_backup_allowed_by_default
+- server_security_misconfiguration.no_rate_limiting_on_form.change_password
+- server_side_injection.content_spoofing.impersonation_via_broken_link_hijacking
+- cross_site_request_forgery_csrf.flash_based.high_impact
+- cross_site_request_forgery_csrf.flash_based.low_impact
+- insufficient_security_configurability.password_policy_bypass
+
+### Removed
+
+- sensitive_data_exposure.critically_sensitive_data.password_disclosure
+- sensitive_data_exposure.critically_sensitive_data.private_api_keys
+- sensitive_data_exposure.critically_sensitive_data
## [v1.8](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.7.1...v1.8) - 2019-09-25
+
### Added
+
- server_security_misconfiguration.race_condition
- server_security_misconfiguration.cache_poisoning
- indicators_of_compromise
- broken_authentication_and_session_management.failure_to_invalidate_session.on_two_fa_activation_change
### Removed
+
- mobile_security_misconfiguration.clipboard_enabled.on_sensitive_content
- mobile_security_misconfiguration.clipboard_enabled.on_non_sensitive_content
### Changed
+
- server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain name changed from "Email Spoofing on non-email domain" to "Email Spoofing on Non-Email Domain"
- mobile_security_misconfiguration.clipboard_enabled priority changed from null to P5 (due to children removal)
-## [v1.7.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.7...v1.7.1) - 2019-04-15
+## [v1.7.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.7...v1.7.1) - 2019-04-15
+
### Added
-- Remediation Advice and CVSS mappings for automotive_security_misconfiguration
-### Removed
+- Remediation Advice and CVSS mappings for automotive_security_misconfiguration
-### Changed
+## [v1.7](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.6...v1.7) - 2019-03-13
-## [v1.7](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.6...v1.7) - 2019-03-13
### Added
+
- sensitive_data_exposure.weak_password_reset_implementation.token_leakage_via_host_header_poisoning
- server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_non_email_domain
- broken_access_control.username_enumeration.non_brute_force
@@ -69,6 +452,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_side_injection.content_spoofing.email_hyperlink_injection_based_on_email_provider
### Removed
+
- broken_access_control.username_enumeration.data_leak
- insufficient_security_configurability.weak_2fa_implementation
- sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party
@@ -77,12 +461,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- cross_site_scripting_xss.ie_only.older_version_ie11
### Changed
+
- server_security_misconfiguration.username_enumeration name changed from "Username Enumeration" to "Username/Email Enumeration"
- broken_access_control.username_enumeration name changed from "Username Enumeration" to "Username/Email Enumeration"
- updated Remediation Advice reference URLs for OWASP
## [v1.6](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.5...v1.6) - 2018-09-13
+
### Added
+
- broken_access_control.server_side_request_forgery_ssrf.internal_high_impact
- broken_access_control.server_side_request_forgery_ssrf.internal_scan_and_or_medium_impact
- server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain
@@ -91,6 +478,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim
### Removed
+
- broken_access_control.server_side_request_forgery_ssrf.internal
- server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain
- server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain
@@ -99,7 +487,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc
## [v1.5](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.4...v1.5) - 2018-09-13
+
### Added
+
- unvalidated_redirects_and_forwards.open_redirect.flash_based
- cross_site_scripting_xss.flash_based
- server_side_injection.content_spoofing.flash_based_external_authentication_injection
@@ -125,6 +515,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- cross_site_request_forgery_csrf.csrf_token_not_unique_per_request
### Removed
+
- server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain
- server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration
- cross_site_scripting_xss.stored.admin_to_anyone
@@ -132,6 +523,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_security_misconfiguration.captcha_bypass
### Changed
+
- broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change updated remediation advice
- CWE mapping default changed from `[CWE-2000]` to `null`
- Updated python version to 3.6
@@ -141,7 +533,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_security_misconfiguration.captcha_bypass.brute_force moved via subcategory change to server_security_misconfiguration.captcha.brute_force
## [v1.4](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.3.1...v1.4) - 2018-04-13
+
### Added
+
- insufficient_security_configurability.weak_password_reset_implementation.token_is_not_invalidated_after_login
- server_side_injection.content_spoofing.rtlo
- mapping of VRT to CWE
@@ -164,6 +558,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- mapping of VRT to Remediation Advice
### Removed
+
- server_side_injection.sql_injection.error_based
- server_side_injection.sql_injection.blind
- broken_authentication_and_session_management.weak_login_function.over_http
@@ -175,6 +570,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_security_misconfiguration.using_default_credentials.staging_development_server
### Changed
+
- Use unittest for vrt validations
- broken_authentication_and_session_management.failure_to_invalidate_session.all_sessions name changed from "All Sessions" to "Concurrent Sessions On Logout"
- server_security_misconfiguration.oauth_misconfiguration.missing_state_parameter name changed from "Missing State Parameter" to "Missing/Broken State Parameter"
@@ -191,11 +587,15 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_security_misconfiguration.using_default_credentials priority changed from null to P1 (due to children removal)
## [v1.3.1](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.3...v1.3.1) - 2017-10-31
+
### Changed
+
- references to the invalid insufficient_security_configurability.weak_password_policy.no_password_policy updated to insufficient_security_configurability.no_password_policy
## [v1.3.0](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.2...v1.3) - 2017-09-22
+
### Added
+
- insecure_data_transport.cleartext_transmission_of_sensitive_data
- broken_access_control
- broken_access_control.idor
@@ -205,10 +605,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- server_security_misconfiguration.bitsquatting
### Removed
+
- missing_function_level_access_control
- insecure_direct_object_references_idor
### Changed
+
- missing_function_level_access_control.server_side_request_forgery_ssrf moved via category change to broken_access_control.server_side_request_forgery_ssrf
- missing_function_level_access_control.server_side_request_forgery_ssrf.internal moved via category change to broken_access_control.server_side_request_forgery_ssrf.internal
- missing_function_level_access_control.server_side_request_forgery_ssrf.external moved via category change to broken_access_control.server_side_request_forgery_ssrf.external
@@ -219,7 +621,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- cross_site_request_forgery_csrf.application_wide name changed from Applicaton-Wide to Application-Wide
## [v1.2.0](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.1...v1.2) - 2017-08-04
+
### Added
+
- sensitive_data_exposure.visible_detailed_error_page.descriptive_stack_trace
- sensitive_data_exposure.visible_detailed_error_page.detailed_server_configuration
- unvalidated_redirects_and_forwards.open_redirect.get_based
@@ -247,6 +651,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- insecure_data_storage.server_side_credentials_storage.plaintext
### Removed
+
- unvalidated_redirects_and_forwards.open_redirect.get_based_all_users
- unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated
- unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated
@@ -270,6 +675,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- insufficient_security_configurability.weak_password_policy.allows_password_to_be_same_as_email_username
### Changed
+
- sensitive_data_exposure.visible_detailed_error_page name changed from 'Visible Detailed Error Page' to 'Visible Detailed Error/Debug Page'
- server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc name changed from 'Missing DMARC' to 'Missing DKIM/DMARC'
- insecure_data_transport.ssl_certificate_pinning moved via category change to mobile_security_misconfiguration.ssl_certificate_pinning
@@ -281,7 +687,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- insufficient_security_configurability.weak_password_policy priority changed from null to P5 (due to children removal)
## [v1.1.0](https://github.com/bugcrowd/vulnerability-rating-taxonomy/compare/v1.0...v1.1) - 2017-04-13
+
### Added
+
- directory_listing_enabled
- directory_listing_enabled.sensitive_data_exposure
- directory_listing_enabled.non_sensitive_data_exposure
@@ -294,10 +702,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
- cross_site_request_forgery_csrf.unauthenticated_action
### Removed
+
- poor_physical_security
- social_engineering
### Changed
+
- cross_site_scripting_xss.cookie_based priority changed from P4 to P5
## [1.0.0] - 2017-03-06
diff --git a/Dockerfile b/Dockerfile
index 12a05eb5..f0da0ce0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
-FROM python:3.6
-
-RUN pip install jsonschema GitPython semantic_version
+FROM python:3.11
WORKDIR /tmp/vrt
-CMD [ "python3", "-B" , "./validate_vrt.py" ]
+ADD . /tmp/vrt
+
+RUN pip install -r lib/requirements.txt
+
+CMD [ "python3", "-B" , "./lib/validate_vrt.py" ]
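Review bot: `ADD . /tmp/vrt` copies the entire build context (including `.git` and anything else checked out, unless a `.dockerignore` exists — none is visible in this diff) into the image, and `ADD` carries URL-fetch and auto-extract semantics that are not wanted here; `COPY` is the conventional instruction for a plain directory copy. Because the whole tree is copied before `RUN pip install -r lib/requirements.txt`, every source edit also invalidates the dependency layer; copying the requirements file first keeps that layer cached: `COPY lib/requirements.txt lib/requirements.txt`, `RUN pip install --no-cache-dir -r lib/requirements.txt`, `COPY . /tmp/vrt`. The `python:3.11` tag is a floating tag; if reproducible builds matter, pin to a patch tag or digest.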
diff --git a/README.md b/README.md
index d70661df..34045cbf 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,15 @@
-
+
-
+
# Bugcrowd VRT
The current VRT release is located at [https://bugcrowd.com/vrt](https://bugcrowd.com/vulnerability-rating-taxonomy) as both a searchable page and downloadable PDF.
-The VRT is also available via our API. Documentation and examples of VRT API usage may be found [here](https://docs.bugcrowd.com/reference#vulnerability-rating-taxonomy).
+The VRT is also available via our API. Documentation and examples of VRT API usage may be found [here](https://documentation.bugcrowd.com/reference#view-versions).
## Background
At the beginning 2016, we released the Bugcrowd Vulnerability Rating Taxonomy (VRT) to provide a baseline vulnerability priority scale for bug hunters and organizations. Over the past year and a half this document has evolved to be a dynamic and valuable resource for the bug bounty community.
@@ -166,6 +166,9 @@ Each mapping should be setup in the following structure:
- [CWE](mappings/cwe/cwe.json)
- [Remediation Advice](mappings/remediation_advice/remediation_advice.json)
+#### Third-Party Managed Mappings
+- [Secure Code Warrior](third-party-mappings/remediation_training/secure-code-warrior-links.json)
+
## Supported Libraries
- [Ruby](https://github.com/bugcrowd/vrt-ruby)
diff --git a/deprecated-node-mapping.json b/deprecated-node-mapping.json
index 73d7fdc0..3e49435c 100644
--- a/deprecated-node-mapping.json
+++ b/deprecated-node-mapping.json
@@ -1,149 +1,332 @@
{
- "poor_physical_security": {
- "1.1": "other"
- },
- "social_engineering": {
- "1.1": "other"
- },
- "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
- "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
- },
- "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
- "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
- },
- "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
- "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
- },
- "broken_authentication_and_session_management.session_token_in_url.over_https": {
- "1.2": "sensitive_data_exposure.sensitive_token_in_url"
- },
- "broken_authentication_and_session_management.session_token_in_url.over_http": {
- "1.2": "sensitive_data_exposure.sensitive_token_in_url"
- },
- "broken_authentication_and_session_management.session_token_in_url": {
- "1.2": "sensitive_data_exposure.sensitive_token_in_url"
- },
- "insecure_data_transport": {
- "1.2": "mobile_security_misconfiguration"
- },
- "insecure_data_transport.ssl_certificate_pinning": {
- "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
- },
- "insecure_data_transport.ssl_certificate_pinning.absent": {
- "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
- },
- "insecure_data_transport.ssl_certificate_pinning.defeatable": {
- "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
- },
- "insecure_data_storage.credentials_stored_unencrypted": {
- "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
- },
- "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
- "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
- },
- "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
- "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
- },
- "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
- "1.2": "insufficient_security_configurability.no_password_policy"
- },
- "missing_function_level_access_control": {
- "1.3": "broken_access_control"
- },
- "missing_function_level_access_control.server_side_request_forgery_ssrf": {
- "1.3": "broken_access_control.server_side_request_forgery_ssrf"
- },
- "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
- "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
- },
- "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
- "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
- },
- "missing_function_level_access_control.username_enumeration": {
- "1.3": "broken_access_control.username_enumeration"
- },
- "missing_function_level_access_control.username_enumeration.data_leak": {
- "1.3": "broken_access_control.username_enumeration.data_leak"
- },
- "missing_function_level_access_control.exposed_sensitive_android_intent": {
- "1.3": "broken_access_control.exposed_sensitive_android_intent"
- },
- "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
- "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
- },
- "insecure_direct_object_references_idor": {
- "1.3": "broken_access_control.idor"
- },
- "broken_authentication_and_session_management.weak_login_function.over_http": {
- "1.4": "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default"
- },
- "cross_site_scripting_xss.ie_only.older_version_ie_10_11": {
- "1.4": "cross_site_scripting_xss.ie_only.ie11"
- },
- "cross_site_scripting_xss.ie_only.older_version_ie10": {
- "1.4": "cross_site_scripting_xss.ie_only.older_version_ie11"
- },
- "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset": {
- "1.4": "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change"
- },
- "network_security_misconfiguration.telnet_enabled.credentials_required": {
- "1.4": "broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative"
- },
- "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain": {
- "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
- },
- "server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration": {
- "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
- },
- "cross_site_scripting_xss.stored.admin_to_anyone": {
- "1.5": "cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation"
- },
- "server_security_misconfiguration.misconfigured_dns.subdomain_takeover": {
- "1.5": "server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover"
- },
- "server_security_misconfiguration.captcha_bypass": {
- "1.5": "server_security_misconfiguration.captcha"
- },
- "server_security_misconfiguration.captcha_bypass.implementation_vulnerability": {
- "1.5": "server_security_misconfiguration.captcha.implementation_vulnerability"
- },
- "server_security_misconfiguration.captcha_bypass.brute_force": {
- "1.5": "server_security_misconfiguration.captcha.brute_force"
- },
- "broken_access_control.server_side_request_forgery_ssrf.internal": {
- "1.6": "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact"
- },
- "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain": {
- "1.6": "server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain"
- },
- "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain": {
- "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
- },
- "server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail": {
- "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
- },
- "server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups": {
- "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
- },
- "server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc": {
- "1.6": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain"
- },
- "broken_access_control.username_enumeration.data_leak": {
- "1.7": "broken_access_control.username_enumeration.non_brute_force"
- },
- "insufficient_security_configurability.weak_2fa_implementation": {
- "1.7": "insufficient_security_configurability.weak_two_fa_implementation"
- },
- "sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party": {
- "1.7": "sensitive_data_exposure.token_leakage_via_referer.trusted_third_party"
- },
- "sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party": {
- "1.7": "sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party"
- },
- "cross_site_scripting_xss.ie_only.ie11": {
- "1.7": "cross_site_scripting_xss.ie_only.ie_eleven"
- },
- "cross_site_scripting_xss.ie_only.older_version_ie11": {
- "1.7": "cross_site_scripting_xss.ie_only.older_version_ie_eleven"
- }
-}
+ "poor_physical_security": {
+ "1.1": "other"
+ },
+ "social_engineering": {
+ "1.1": "other"
+ },
+ "cross_site_scripting_xss.reflected.admin_to_anyone": {
+ "1.1": "other"
+ },
+ "cross_site_scripting_xss.reflected.non_admin_to_anyone": {
+ "1.1": "other"
+ },
+ "broken_authentication_and_session_management.authentication_bypass.horizontal": {
+ "1.2": "other"
+ },
+ "broken_authentication_and_session_management.authentication_bypass.vertical": {
+ "1.2": "other"
+ },
+ "insecure_data_storage.insecure_data_storage": {
+ "1.2": "other"
+ },
+ "insecure_data_storage.insecure_data_storage.password": {
+ "1.2": "other"
+ },
+ "insufficient_security_configurability.weak_password_policy.allows_password_to_be_same_as_email_username": {
+ "1.2": "other"
+ },
+ "insufficient_security_configurability.weak_password_policy.allows_reuse_of_old_passwords": {
+ "1.2": "other"
+ },
+ "insufficient_security_configurability.weak_password_policy.complexity_char_type_not_enforced": {
+ "1.2": "other"
+ },
+ "insufficient_security_configurability.weak_password_policy.complexity_length_not_enforced": {
+ "1.2": "other"
+ },
+ "sensitive_data_exposure.mixed_content.requires_being_a_man_in_the_middle": {
+ "1.2": "other"
+ },
+ "sensitive_data_exposure.mixed_content.sensitive_data_disclosure": {
+ "1.2": "other"
+ },
+ "sensitive_data_exposure.token_leakage_via_referer.over_https": {
+ "1.2": "other"
+ },
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_all_users": {
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
+ },
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated": {
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
+ },
+ "unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated": {
+ "1.2": "unvalidated_redirects_and_forwards.open_redirect.get_based"
+ },
+ "broken_authentication_and_session_management.session_token_in_url.over_https": {
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
+ },
+ "broken_authentication_and_session_management.session_token_in_url.over_http": {
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
+ },
+ "broken_authentication_and_session_management.session_token_in_url": {
+ "1.2": "sensitive_data_exposure.sensitive_token_in_url"
+ },
+ "insecure_data_transport": {
+ "1.2": "mobile_security_misconfiguration"
+ },
+ "insecure_data_transport.ssl_certificate_pinning": {
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning"
+ },
+ "insecure_data_transport.ssl_certificate_pinning.absent": {
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.absent"
+ },
+ "insecure_data_transport.ssl_certificate_pinning.defeatable": {
+ "1.2": "mobile_security_misconfiguration.ssl_certificate_pinning.defeatable"
+ },
+ "insecure_data_storage.credentials_stored_unencrypted": {
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted"
+ },
+ "insecure_data_storage.credentials_stored_unencrypted.on_external_storage": {
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_external_storage"
+ },
+ "insecure_data_storage.credentials_stored_unencrypted.on_internal_storage": {
+ "1.2": "insecure_data_storage.sensitive_application_data_stored_unencrypted.on_internal_storage"
+ },
+ "insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced": {
+ "1.2": "insufficient_security_configurability.no_password_policy"
+ },
+ "missing_function_level_access_control": {
+ "1.3": "broken_access_control"
+ },
+ "missing_function_level_access_control.server_side_request_forgery_ssrf": {
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf"
+ },
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.internal": {
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.internal"
+ },
+ "missing_function_level_access_control.server_side_request_forgery_ssrf.external": {
+ "1.3": "broken_access_control.server_side_request_forgery_ssrf.external"
+ },
+ "missing_function_level_access_control.username_enumeration": {
+ "1.3": "broken_access_control.username_enumeration"
+ },
+ "missing_function_level_access_control.username_enumeration.data_leak": {
+ "1.3": "broken_access_control.username_enumeration.data_leak"
+ },
+ "missing_function_level_access_control.exposed_sensitive_android_intent": {
+ "1.3": "broken_access_control.exposed_sensitive_android_intent"
+ },
+ "missing_function_level_access_control.exposed_sensitive_ios_url_scheme": {
+ "1.3": "broken_access_control.exposed_sensitive_ios_url_scheme"
+ },
+ "insecure_direct_object_references_idor": {
+ "1.3": "broken_access_control.idor"
+ },
+ "broken_authentication_and_session_management.weak_login_function.over_http": {
+ "1.4": "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default"
+ },
+ "cross_site_scripting_xss.ie_only.older_version_ie_10_11": {
+ "1.4": "cross_site_scripting_xss.ie_only.ie11"
+ },
+ "cross_site_scripting_xss.ie_only.older_version_ie10": {
+ "1.4": "cross_site_scripting_xss.ie_only.older_version_ie11"
+ },
+ "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_reset": {
+ "1.4": "broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change"
+ },
+ "network_security_misconfiguration.telnet_enabled.credentials_required": {
+ "1.4": "broken_authentication_and_session_management.weak_login_function.other_plaintext_protocol_no_secure_alternative"
+ },
+ "server_security_misconfiguration.using_default_credentials.production_server": {
+ "1.4": "other"
+ },
+ "server_security_misconfiguration.using_default_credentials.staging_development_server": {
+ "1.4": "other"
+ },
+ "server_side_injection.sql_injection.blind": {
+ "1.4": "other"
+ },
+ "server_side_injection.sql_injection.error_based": {
+ "1.4": "other"
+ },
+ "server_security_misconfiguration.misconfigured_dns.subdomain_takeover": {
+ "1.5": "other"
+ },
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain": {
+ "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
+ },
+ "server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration": {
+ "1.5": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain"
+ },
+ "cross_site_scripting_xss.stored.admin_to_anyone": {
+ "1.5": "cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation"
+ },
+ "server_security_misconfiguration.captcha_bypass": {
+ "1.5": "server_security_misconfiguration.captcha"
+ },
+ "server_security_misconfiguration.captcha_bypass.implementation_vulnerability": {
+ "1.5": "server_security_misconfiguration.captcha.implementation_vulnerability"
+ },
+ "server_security_misconfiguration.captcha_bypass.brute_force": {
+ "1.5": "server_security_misconfiguration.captcha.brute_force"
+ },
+ "broken_access_control.server_side_request_forgery_ssrf.internal": {
+ "1.6": "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact"
+ },
+ "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain": {
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.no_spoofing_protection_on_email_domain"
+ },
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_non_email_domain": {
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
+ },
+ "server_security_misconfiguration.mail_server_misconfiguration.spf_uses_a_soft_fail": {
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
+ },
+ "server_security_misconfiguration.mail_server_misconfiguration.spf_includes_10_lookups": {
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.missing_or_misconfigured_spf_and_or_dkim"
+ },
+ "server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc": {
+ "1.6": "server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain"
+ },
+ "insufficient_security_configurability.weak_2fa_implementation.missing_failsafe": {
+ "1.7": "other"
+ },
+ "broken_access_control.username_enumeration.data_leak": {
+ "1.7": "broken_access_control.username_enumeration.non_brute_force"
+ },
+ "insufficient_security_configurability.weak_2fa_implementation": {
+ "1.7": "insufficient_security_configurability.weak_two_fa_implementation"
+ },
+ "sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party": {
+ "1.7": "sensitive_data_exposure.token_leakage_via_referer.trusted_third_party"
+ },
+ "sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party": {
+ "1.7": "sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party"
+ },
+ "cross_site_scripting_xss.ie_only.ie11": {
+ "1.7": "cross_site_scripting_xss.ie_only.ie_eleven"
+ },
+ "cross_site_scripting_xss.ie_only.older_version_ie11": {
+ "1.7": "cross_site_scripting_xss.ie_only.older_version_ie_eleven"
+ },
+ "mobile_security_misconfiguration.clipboard_enabled.on_non_sensitive_content": {
+ "1.8": "other"
+ },
+ "mobile_security_misconfiguration.clipboard_enabled.on_sensitive_content": {
+ "1.8": "other"
+ },
+ "sensitive_data_exposure.critically_sensitive_data.password_disclosure": {
+ "1.9": "sensitive_data_exposure.disclosure_of_secrets"
+ },
+ "sensitive_data_exposure.critically_sensitive_data.private_api_keys": {
+ "1.9": "sensitive_data_exposure.disclosure_of_secrets"
+ },
+ "sensitive_data_exposure.critically_sensitive_data": {
+ "1.9": "sensitive_data_exposure"
+ },
+ "insufficient_security_configurability.lack_of_verification_email": {
+ "1.10": "insufficient_security_configurability.verification_of_contact_method_not_required"
+ },
+ "broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default": {
+ "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
+ },
+ "broken_authentication_and_session_management.weak_login_function.http_and_https_available": {
+ "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
+ },
+ "broken_authentication_and_session_management.weak_login_function.lan_only": {
+ "1.10": "broken_authentication_and_session_management.weak_login_function.over_http"
+ },
+ "cross_site_request_forgery_csrf.flash_based.high_impact": {
+ "1.10": "cross_site_request_forgery_csrf.flash_based"
+ },
+ "cross_site_request_forgery_csrf.flash_based.low_impact": {
+ "1.10": "cross_site_request_forgery_csrf.flash_based"
+ },
+ "automotive_security_misconfiguration.infotainment": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit"
+ },
+ "automotive_security_misconfiguration.infotainment.pii_leakage": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage"
+ },
+ "automotive_security_misconfiguration.infotainment.code_execution_can_bus_pivot": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_can_bus_pivot"
+ },
+ "automotive_security_misconfiguration.infotainment.code_execution_no_can_bus_pivot": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.code_execution_no_can_bus_pivot"
+ },
+ "automotive_security_misconfiguration.infotainment.unauthorized_access_to_services": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.unauthorized_access_to_services"
+ },
+ "automotive_security_misconfiguration.infotainment.source_code_dump": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.source_code_dump"
+ },
+ "automotive_security_misconfiguration.infotainment.dos_brick": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.dos_brick"
+ },
+ "automotive_security_misconfiguration.infotainment.default_credentials": {
+ "1.10": "automotive_security_misconfiguration.infotainment_radio_head_unit.default_credentials"
+ },
+ "broken_cryptography": {
+ "1.11": "other"
+ },
+ "broken_cryptography.cryptographic_flaw": {
+ "1.11": "other"
+ },
+ "broken_cryptography.cryptographic_flaw.incorrect_usage": {
+ "1.11": "other"
+ },
+ "cross_site_scripting_xss.ie_only.ie_eleven": {
+ "1.11": "other"
+ },
+ "cross_site_scripting_xss.ie_only.older_version_ie_eleven": {
+ "1.11": "cross_site_scripting_xss.ie_only"
+ },
+ "cross_site_scripting_xss.ie_only.xss_filter_disabled": {
+ "1.11": "other"
+ },
+ "automotive_security_misconfiguration.infotainment_radio_head_unit.pii_leakage": {
+ "1.11": "automotive_security_misconfiguration.infotainment_radio_head_unit.sensitive_data_leakage_exposure"
+ },
+ "broken_access_control.server_side_request_forgery_ssrf": {
+ "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf"
+ },
+ "broken_access_control.server_side_request_forgery_ssrf.internal_high_impact": {
+ "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.internal_high_impact"
+ },
+ "broken_access_control.server_side_request_forgery_ssrf.internal_scan_and_or_medium_impact": {
+ "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.internal_scan_and_or_medium_impact"
+ },
+ "broken_access_control.server_side_request_forgery_ssrf.dns_query_only": {
+ "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.external_dns_query_only"
+ },
+ "broken_access_control.server_side_request_forgery_ssrf.external": {
+ "1.11": "server_security_misconfiguration.server_side_request_forgery_ssrf.external_low_impact"
+ },
+ "broken_authentication_and_session_management.privilege_escalation": {
+ "1.14": "broken_access_control.privilege_escalation"
+ },
+ "server_security_misconfiguration.misconfigured_dns.high_impact_subdomain_takeover": {
+ "1.14.2": "other"
+ },
+ "server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover": {
+ "1.14.2": "server_security_misconfiguration.misconfigured_dns.subdomain_takeover"
+ },
+ "broken_access_control.idor.read_edit_delete_non_sensitive_information": {
+ "1.15": "broken_access_control.idor.view_non_sensitive_information"
+ },
+ "broken_access_control.idor.read_edit_delete_sensitive_information_guid": {
+ "1.15": "broken_access_control.idor.modify_view_sensitive_information_guid"
+ },
+ "broken_access_control.idor.read_sensitive_information_iterable_object_identifiers": {
+ "1.15": "broken_access_control.idor.modify_view_sensitive_information_iterable_object_identifiers"
+ },
+ "broken_access_control.idor.edit_delete_sensitive_information_iterable_object_identifiers": {
+ "1.15": "broken_access_control.idor.modify_sensitive_information_iterable_object_identifiers"
+ },
+ "broken_access_control.idor.read_edit_delete_sensitive_information_iterable_object_identifiers": {
+ "1.15": "broken_access_control.idor.modify_view_sensitive_information_iterable_object_identifiers"
+ },
+ "ai_application_security.llm_security.excessive_agency_permission_manipulation": {
+ "1.16": "other"
+ },
+ "ai_application_security.llm_security.llm_output_handling": {
+ "1.16": "other"
+ },
+ "ai_application_security.llm_security.prompt_injection": {
+ "1.16": "other"
+ },
+ "ai_application_security.llm_security.training_data_poisoning": {
+ "1.16": "other"
+ }
+}
\ No newline at end of file
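Review bot: The new map contains entries that point at each other: `broken_authentication_and_session_management.weak_login_function.over_http` (1.4 → `https_not_available_or_http_by_default`) and `broken_authentication_and_session_management.weak_login_function.https_not_available_or_http_by_default` (1.10 → `over_http`), so a consumer that resolves deprecations by repeatedly checking `id in mapping` without version context loops forever. Similarly `server_security_misconfiguration.misconfigured_dns.subdomain_takeover` is both a 1.5 key mapping to `other` and the 1.14.2 target of `basic_subdomain_takeover`, so a version-unaware lookup sends what appears to be a live node to `other`. The single-hop lookup in lib/tests/test_deprecated_mapping.py would not catch either case; if version-aware resolution is the intended contract, say so wherever the file's format is documented, or add a test that walks every chain with a visited set. The file also loses its trailing newline (`\ No newline at end of file`), which most editors and linters will keep re-adding.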
diff --git a/lib/artifacts/__init__.py b/lib/artifacts/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/artifacts/scw_artifact.py b/lib/artifacts/scw_artifact.py
new file mode 100644
index 00000000..96628dd6
--- /dev/null
+++ b/lib/artifacts/scw_artifact.py
@@ -0,0 +1,49 @@
+import json
+import requests
+
+BASE_SCW_URL = 'https://integration-api.securecodewarrior.com\
+/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey='
+OUTPUT_FILENAME = 'scw_links.json'
+
+
+def scw_url(vrt_id):
+ return f'{BASE_SCW_URL}{vrt_id.replace(".", ":")}'
+
+
+def scw_mapping(vrt_id):
+ path = scw_url(vrt_id)
+ print('Fetching...')
+ response = requests.get(path)
+ if response.status_code == 200:
+ print(f'Exists: {path}')
+ return path + '&redirect=true'
+ else:
+ print(f'Not Found: {path}')
+ return None
+
+
+def join_vrt_id(parent_id, child_id):
+ return '.'.join(
+ [parent_id, child_id]
+ ) if parent_id is not None else child_id
+
+
+def generate_urls(vrt, content, parent_id=None):
+ for node in vrt:
+ vrt_id = join_vrt_id(parent_id, node['id'])
+ content[vrt_id] = scw_mapping(vrt_id)
+ if 'children' in node:
+ content.update(
+ generate_urls(
+ node['children'],
+ {},
+ vrt_id
+ )
+ )
+
+ return content
+
+
+def write_artifact_file(mapping):
+ with open(OUTPUT_FILENAME, 'w') as outfile:
+ json.dump(mapping, outfile, indent=2, sort_keys=False)
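Review bot: `requests.get(path)` in `scw_mapping` has no `timeout`, and requests never times out by default, so a stalled connection to the SCW endpoint hangs the Validate Artifacts job until the runner is killed; pass an explicit bound, e.g. `response = requests.get(path, timeout=10)`. A non-200 is treated as "not mapped" and recorded as `None`, which is reasonable, but a `requests.RequestException` (DNS failure, reset) currently aborts the whole run with a traceback mid-crawl; if partial output is ever acceptable, catch it per node and report, otherwise document that the script is all-or-nothing. `BASE_SCW_URL` is built with a backslash-newline inside the string literal, which silently includes any leading whitespace on the continuation line; two adjacent literals inside parentheses are the idiomatic form. `write_artifact_file` should also open with `encoding='utf-8'` so the artifact does not depend on the runner's locale.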
diff --git a/lib/generate_artifacts.py b/lib/generate_artifacts.py
new file mode 100644
index 00000000..1c916073
--- /dev/null
+++ b/lib/generate_artifacts.py
@@ -0,0 +1,8 @@
+from utils import utils
+from artifacts import scw_artifact
+
+url_mapping = {}
+current_vrt = utils.get_json(utils.VRT_FILENAME)
+scw_artifact.write_artifact_file(
+ scw_artifact.generate_urls(current_vrt['content'], url_mapping)
+)
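Review bot: The crawl runs at module import time — there is no `if __name__ == '__main__':` guard — so merely importing `generate_artifacts` (for example from a future test or a tool that walks `lib/`) triggers one HTTP request per VRT node and overwrites `scw_links.json`. Move the four statements into a `main()` and call it under the guard; the workflow step `python3 -B lib/generate_artifacts.py` keeps working unchanged. `current_vrt['content']` will raise a bare `KeyError` if the VRT file shape ever changes; a short message naming `utils.VRT_FILENAME` would make that failure readable in CI logs.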
diff --git a/tests/requirements.txt b/lib/requirements.txt
similarity index 100%
rename from tests/requirements.txt
rename to lib/requirements.txt
diff --git a/lib/tests/__init__.py b/lib/tests/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/lib/tests/test_artifact_format.py b/lib/tests/test_artifact_format.py
new file mode 100644
index 00000000..0615e6bd
--- /dev/null
+++ b/lib/tests/test_artifact_format.py
@@ -0,0 +1,23 @@
+from utils import utils
+import os
+import unittest
+
+
+class TestArtifactFormat(unittest.TestCase):
+ def setUp(self):
+ print("\n`---{}---`".format(self._testMethodName))
+ self.scw_artifact_path = os.path.join(
+ utils.THIRD_PARTY_MAPPING_DIR,
+ utils.SCW_DIR,
+ utils.SCW_FILENAME
+ )
+
+ def test_artifact_loads_valid_json(self):
+ self.assertTrue(
+ utils.get_json(self.scw_artifact_path),
+ self.scw_artifact_path + ' is not valid JSON.'
+ )
+
+
+if __name__ == "__main__":
+ unittest.main()
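Review bot: `test_artifact_loads_valid_json` can never emit its own failure message: when the file is not valid JSON, `utils.get_json` raises `json.JSONDecodeError` before `assertTrue` is reached, so the test errors instead of failing and `' is not valid JSON.'` is never printed. The truthiness check also fails a syntactically valid but empty document (`{}`) with that same misleading message. Suggest `try: data = utils.get_json(self.scw_artifact_path)` / `except ValueError as exc: self.fail(f'{self.scw_artifact_path} is not valid JSON: {exc}')`, then assert on the expected shape with `self.assertIsInstance(data, dict)`. The `setUp` print of the test name is debugging noise that unittest's verbose mode already provides.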
diff --git a/tests/test_deprecated_mapping.py b/lib/tests/test_deprecated_mapping.py
similarity index 57%
rename from tests/test_deprecated_mapping.py
rename to lib/tests/test_deprecated_mapping.py
index 7abf8ecb..d501af91 100644
--- a/tests/test_deprecated_mapping.py
+++ b/lib/tests/test_deprecated_mapping.py
@@ -1,13 +1,21 @@
-import utils
+from utils import utils
import unittest
from semantic_version import Version
class TestDeprecatedMapping(unittest.TestCase):
def setUp(self):
+ print("\n`---{}---`".format(self._testMethodName))
self.vrt_versions = utils.all_versions(utils.VRT_FILENAME)
- self.last_tagged_version = max([Version.coerce(x) for x in self.vrt_versions.keys() if x != 'current'])
- self.deprecated_json = utils.get_json(utils.DEPRECATED_MAPPING_FILENAME)
+ self.last_tagged_version = max(
+ [
+ Version.coerce(x) for x in self.vrt_versions.keys()
+ if x != 'current'
+ ]
+ )
+ self.deprecated_json = utils.get_json(
+ utils.DEPRECATED_MAPPING_FILENAME
+ )
def test_old_vrt_ids_have_current_node(self):
for version, vrt in self.vrt_versions.items():
@@ -16,17 +24,28 @@ def test_old_vrt_ids_have_current_node(self):
for id_list in utils.all_id_lists(vrt):
vrt_id = '.'.join(id_list)
if vrt_id in self.deprecated_json:
- max_ver = sorted(self.deprecated_json[vrt_id].keys(), key=lambda s: map(int, s.split('.')))[-1]
+ max_ver = sorted(
+ self.deprecated_json[vrt_id].keys(),
+ key=lambda s: map(int, s.split('.'))
+ )[-1]
vrt_id = self.deprecated_json[vrt_id][max_ver]
id_list = vrt_id.split('.')
- self.assertTrue(vrt_id == 'other' or self.check_mapping(id_list),
- '%s from v%s has no mapping' % (vrt_id, version))
+ self.assertTrue(
+ vrt_id == 'other' or self.check_mapping(id_list),
+ '%s from v%s has no mapping' % (vrt_id, version)
+ )
def test_deprecated_nodes_map_valid_node(self):
for old_id, mapping in self.deprecated_json.items():
for new_version, new_id in mapping.items():
- self.assertTrue(new_id == 'other' or utils.id_valid(self.vrt_version(new_version), new_id.split('.')),
- new_id + ' is not valid')
+ self.assertTrue(
+ new_id == 'other' or utils.id_valid(
+ self.vrt_version(
+ new_version
+ ), new_id.split('.')
+ ),
+ new_id + ' is not valid'
+ )
def check_mapping(self, id_list):
if utils.id_valid(self.vrt_versions['current'], id_list):
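Review bot: The re-wrapped sort key `key=lambda s: map(int, s.split('.'))` returns a `map` iterator, and iterators do not support `<` in Python 3, so `sorted` raises `TypeError` the first time a deprecated id has more than one version key; with exactly one key no comparison happens and the defect stays hidden. The bug pre-dates this commit, but since the commit touches the line and moves CI to Python 3.11 it is the natural place to fix it: `key=lambda s: tuple(map(int, s.split('.')))`, or use the already-imported `Version.coerce` for consistency with `setUp`. `test_old_vrt_ids_have_current_node` starts before this hunk.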
@@ -44,5 +63,6 @@ def vrt_version(self, version):
else:
self.fail('Unknown version: %s' % version)
+
if __name__ == "__main__":
unittest.main()
diff --git a/tests/test_vrt.py b/lib/tests/test_vrt.py
similarity index 52%
rename from tests/test_vrt.py
rename to lib/tests/test_vrt.py
index 2af7ba76..97e0240a 100644
--- a/tests/test_vrt.py
+++ b/lib/tests/test_vrt.py
@@ -1,15 +1,21 @@
-import utils
+from utils import utils
import unittest
import subprocess
import jsonschema
import glob
import os
+
class TestVrt(unittest.TestCase):
def setUp(self):
+ print("\n`---{}---`".format(self._testMethodName))
+ self.vrt = utils.get_json(utils.VRT_FILENAME)
self.mappings = [
- { 'filename': f, 'name': os.path.splitext(os.path.basename(f))[0] }
- for f in glob.glob(utils.MAPPING_DIR + '/**/*.json', recursive=True) if 'schema' not in f
+ {'filename': f, 'name': os.path.splitext(os.path.basename(f))[0]}
+ for f in glob.glob(
+ utils.MAPPING_DIR + '/**/*.json', recursive=True
+ )
+ if 'schema' not in f
]
@unittest.skip('need to decide the best way to handle this')
@@ -18,15 +24,20 @@ def test_changelog_updated(self):
Checks if CHANGELOG.md is being updated with the current commit
and prompts the user if it isn't
"""
- p = subprocess.Popen('git diff HEAD --stat --staged CHANGELOG.md | wc -l', shell=True, stdout=subprocess.PIPE)
- out, err = p.communicate()
+ p = subprocess.Popen(
+ 'git diff HEAD --stat --staged CHANGELOG.md | wc -l',
+ shell=True, stdout=subprocess.PIPE
+ )
+ out, _err = p.communicate()
self.assertGreater(int(out), 0, 'CHANGELOG.md not updated')
def validate_schema(self, schema_file, data_file):
schema = utils.get_json(schema_file)
data = utils.get_json(data_file)
jsonschema.Draft4Validator.check_schema(schema)
- error = jsonschema.exceptions.best_match(jsonschema.Draft4Validator(schema).iter_errors(data))
+ error = jsonschema.exceptions.best_match(
+ jsonschema.Draft4Validator(schema).iter_errors(data)
+ )
if error:
raise error
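Review bot: `test_changelog_updated` never checks the return code of the `git diff ... | wc -l` pipeline, so if git fails (outside a repository, or with no `HEAD`) `out` is empty and the test dies with `ValueError: invalid literal for int()` instead of a clear message; the `shell=True` pipe to `wc` is also unnecessary for a fixed command. Suggest `res = subprocess.run(['git', 'diff', 'HEAD', '--stat', '--staged', 'CHANGELOG.md'], capture_output=True, text=True, check=True)` and `self.assertGreater(len(res.stdout.splitlines()), 0, 'CHANGELOG.md not updated')`, which drops the shell and `wc` dependency. The test is decorated `@unittest.skip` just above this hunk, so none of this runs in CI today; the method's `def` line is also outside the hunk.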
@@ -39,26 +50,44 @@ def test_mapping_schemas(self):
f'{utils.MAPPING_DIR}/**/{mapping["name"]}.schema.json',
recursive=True
)[0]
- self.assertTrue(os.path.isfile(schema_file), 'Missing schema file for %s mapping' % mapping['name'])
+ self.assertTrue(
+ os.path.isfile(schema_file),
+ 'Missing schema file for %s mapping' % mapping['name']
+ )
self.validate_schema(schema_file, mapping['filename'])
def all_vrt_ids_have_mapping(self, mappping_filename, key):
- vrt = utils.get_json(utils.VRT_FILENAME)
mapping = utils.get_json(mappping_filename)
keyed_mapping = utils.key_by_id(mapping['content'])
- for vrt_id_list in utils.all_id_lists(vrt, include_internal=False):
- self.assertTrue(utils.has_mapping(keyed_mapping, vrt_id_list, key),
- 'no ' + key + ' mapping for ' + '.'.join(vrt_id_list))
+ for vrt_id_list in utils.all_id_lists(
+ self.vrt, include_internal=False
+ ):
+ result = utils.has_mapping(keyed_mapping, vrt_id_list, key)
+ if key == 'cwe' and not result:
+ print('WARNING: no ' + key + ' mapping for ' + '.'.join(
+ vrt_id_list
+ ))
+ else:
+ self.assertTrue(
+ utils.has_mapping(
+ keyed_mapping, vrt_id_list, key
+ ),
+ 'no ' + key + ' mapping for ' + '.'.join(vrt_id_list)
+ )
def test_all_vrt_ids_have_all_mappings(self):
for mapping in self.mappings:
self.all_vrt_ids_have_mapping(mapping['filename'], mapping['name'])
def only_map_valid_ids(self, mapping_filename):
- vrt_ids = utils.all_id_lists(utils.get_json(utils.VRT_FILENAME))
+ vrt_ids = utils.all_id_lists(self.vrt)
mapping_ids = utils.all_id_lists(utils.get_json(mapping_filename))
for id_list in mapping_ids:
- self.assertIn(id_list, vrt_ids, 'invalid id in ' + mapping_filename + ' - ' + '.'.join(id_list))
+ self.assertIn(
+ id_list,
+ vrt_ids,
+ 'invalid id in ' + mapping_filename + ' - ' + '.'.join(id_list)
+ )
def test_only_map_valid_ids(self):
for mapping in self.mappings:
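Review bot: The new `key == 'cwe'` branch in `all_vrt_ids_have_mapping` turns a missing CWE mapping into a `print` that leaves the test green, so the regression this test existed to catch is now visible only to someone reading the CI log; if some VRT nodes legitimately have no CWE, an explicit allowlist of exempt ids, or `self.skipTest`/`subTest` reporting, would make the exemption auditable rather than silent. The `else` branch also recomputes `utils.has_mapping(keyed_mapping, vrt_id_list, key)` even though `result` already holds that value; `self.assertTrue(result, 'no ' + key + ' mapping for ' + '.'.join(vrt_id_list))` is enough. In `test_mapping_schemas`, the `[0]` on the `glob` result raises `IndexError` when no schema file exists, so the `'Missing schema file for %s mapping'` assertion message that follows can never be reached. `test_mapping_schemas` begins before this hunk.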
diff --git a/lib/utils/__init__.py b/lib/utils/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/tests/utils.py b/lib/utils/utils.py
similarity index 57%
rename from tests/utils.py
rename to lib/utils/utils.py
index 67cd0cb6..7f0685ef 100644
--- a/tests/utils.py
+++ b/lib/utils/utils.py
@@ -1,18 +1,26 @@
-import json
-import git
+import json, git, os
VRT_FILENAME = 'vulnerability-rating-taxonomy.json'
DEPRECATED_MAPPING_FILENAME = 'deprecated-node-mapping.json'
VRT_SCHEMA_FILENAME = 'vrt.schema.json'
MAPPING_DIR = 'mappings'
+SCW_FILENAME = 'secure-code-warrior-links.json'
+SCW_DIR = 'remediation_training'
+THIRD_PARTY_MAPPING_DIR = 'third-party-mappings'
+CVSS_FILE = "cvss_v3/cvss_v3.json"
+CWE_FILE = "cwe/cwe.json"
+REMEDIATION_ADVICE_FILE = "remediation_advice/remediation_advice.json"
+
def get_json(filename):
with open(filename) as f:
return json.loads(f.read())
+
def all_versions(filename):
"""
- Find, open and parse all tagged versions of a json file, including the current version
+ Find, open and parse all tagged versions of a json file,
+ including the current version
:param filename: The filename to find
:return: a dictionary of all the versions, in the form
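Review bot: `get_json` opens the file with the platform default encoding, so any non-ASCII character in the JSON files would be read differently on a runner whose locale is not UTF-8 than on a contributor's machine; `with open(filename, encoding='utf-8') as f:` followed by `return json.load(f)` pins the encoding and drops the intermediate `f.read()`. The collapsed `import json, git, os` also breaks the one-import-per-line convention the old file followed (flake8 E401), and the workflow's `--select=E9,F63,F7,F82` will not flag it, so it is worth restoring `import json` / `import os` / `import git` by hand. A one-line module docstring describing the new `SCW_*`, `CVSS_FILE`, `CWE_FILE` and `REMEDIATION_ADVICE_FILE` constants as paths apparently relative to the repository root would document the assumption every caller now relies on.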
@@ -37,10 +45,12 @@ def id_valid(vrt, id_list):
Check if a vrt id is valid
:param vrt: The vrt object
- :param id_list: The vrt id, split into components, eg ['category', 'subcategory', 'variant']
+ :param id_list: The vrt id, split into components,
+ eg ['category', 'subcategory', 'variant']
:return: True/False
"""
- # this is not particularly efficient, but it's more readable than other options so until we need to care...
+ # this is not particularly efficient, but it's more readable than other
+ # options so until we need to care...
return id_list in all_id_lists(vrt)
@@ -49,7 +59,8 @@ def has_mapping(mapping, id_list, key):
Check if a vrt id has a mapping
:param mapping: The mapping object, keyed by id
- :param id_list: The vrt id, split into components, eg ['category', 'subcategory', 'variant']
+ :param id_list: The vrt id, split into components,
+ eg ['category', 'subcategory', 'variant']
:param key: The mapping key to look for, eg 'cvss_v3'
:return: True/False
"""
@@ -68,9 +79,16 @@ def key_by_id(mapping):
Converts arrays to hashes keyed by the id attribute for easier lookup. So
[{'id': 'one', 'foo': 'bar'}, {'id': 'two', 'foo': 'baz'}]
becomes
- {'one': {'id': 'one', 'foo': 'bar'}, 'two': {'id': 'two', 'foo': 'baz'}}
+ {
+ 'one': {'id': 'one', 'foo': 'bar'},
+ 'two': {'id': 'two', 'foo': 'baz'}
+ }
"""
- if isinstance(mapping, list) and isinstance(mapping[0], dict) and 'id' in mapping[0]:
+ if isinstance(
+ mapping, list
+ ) and isinstance(
+ mapping[0], dict
+ ) and 'id' in mapping[0]:
return {x['id']: key_by_id(x) for x in mapping}
elif isinstance(mapping, dict):
return {k: key_by_id(v) for k, v in mapping.items()}
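Review bot: The re-wrapped condition in `key_by_id` indexes `mapping[0]` as soon as `mapping` is a list, so an empty list raises `IndexError` rather than reaching the later branches; the `block['children'] != []` check added to `sort_jsons` later in this file suggests empty child lists do occur in the data. Adding a truthiness guard keeps the wrapped form readable: `if isinstance(mapping, list) and mapping and isinstance(mapping[0], dict) and 'id' in mapping[0]:`. This pre-dates the commit, and `key_by_id`'s `def` line sits above the hunk.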
@@ -80,10 +98,12 @@ def key_by_id(mapping):
def all_id_lists(vrt, include_internal=True):
"""
- Get all valid vrt ids for a given vrt object, including internal nodes by default
+ Get all valid vrt ids for a given vrt object, including internal nodes
+ by default
:param vrt: The vrt object
- :param include_internal: Whether to include internal nodes or only leaf nodes
+ :param include_internal: Whether to include internal nodes or only
+ leaf nodes
:return: ids in the form
[
['category'],
@@ -94,7 +114,10 @@ def all_id_lists(vrt, include_internal=True):
"""
def _all_id_lists(sub_vrt, prefix):
if isinstance(sub_vrt, list):
- return [vrt_id for entry in sub_vrt for vrt_id in _all_id_lists(entry, prefix)]
+ return [
+ vrt_id for entry in sub_vrt
+ for vrt_id in _all_id_lists(entry, prefix)
+ ]
elif isinstance(sub_vrt, dict):
if 'children' in sub_vrt:
new_prefix = prefix + [sub_vrt['id']]
@@ -108,3 +131,31 @@ def _all_id_lists(sub_vrt, prefix):
print(sub_vrt)
raise Exception('unexpected entry found')
return _all_id_lists(vrt['content'], [])
+
+def sort_jsons():
+ '''
+ Sort all corresponding JSONs for this project for better readability and
+ maintaining properly formatted JSON files.
+ '''
+ def sort_json(json_data):
+ def sort_json_blocks(block_data):
+ sorted_blocks = list(sorted(block_data, key = lambda a: a['id']))
+ for idx, block in enumerate(sorted_blocks):
+ if 'children' in block and block['children']!=[]:
+ sorted_children = sort_json_blocks(block['children'])
+ sorted_blocks[idx]['children'] = sorted_children
+ return sorted_blocks
+ json_data['content'] = sort_json_blocks(json_data['content'])
+ return json_data
+
+ for json_path in [
+ VRT_FILENAME,
+ os.path.join(MAPPING_DIR, CVSS_FILE),
+ os.path.join(MAPPING_DIR, CWE_FILE),
+ os.path.join(MAPPING_DIR, REMEDIATION_ADVICE_FILE)
+ ]:
+ data = sort_json(get_json(json_path))
+ print("`{}` JSON data sorted!".format(json_path))
+ output = json.dumps(data, indent=2)
+ open(json_path, "w").write(output)
+ print("- Writing {} bytes.\n".format(len(output)))
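Review bot: `open(json_path, "w").write(output)` in `sort_jsons` never closes the file explicitly and, like `get_json`, relies on the locale's default encoding, while `json.dumps(data, indent=2)` leaves `ensure_ascii=True`, so if any of the source files contain non-ASCII text it would be rewritten as `\uXXXX` escapes, and every file loses its trailing newline. Suggest `output = json.dumps(data, indent=2, ensure_ascii=False) + '\n'` and `with open(json_path, 'w', encoding='utf-8') as f: f.write(output)`. Because files are rewritten one at a time inside the loop, a `KeyError` from a block without an `id` in the third file leaves the first two already modified; sorting all four first and writing only after every sort succeeds would keep the working tree consistent on failure. The `key = lambda` spacing and `!=[]` also break PEP 8 (E251/E225), which the narrowed flake8 selection in the workflow will not catch.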
diff --git a/lib/validate_artifacts.py b/lib/validate_artifacts.py
new file mode 100644
index 00000000..8259778c
--- /dev/null
+++ b/lib/validate_artifacts.py
@@ -0,0 +1,27 @@
+import os
+import sys
+import json
+from utils import utils
+from artifacts import scw_artifact
+
+artifact_json = utils.get_json(scw_artifact.OUTPUT_FILENAME)
+repo_path = os.path.join(
+ utils.THIRD_PARTY_MAPPING_DIR,
+ utils.SCW_DIR,
+ utils.SCW_FILENAME
+)
+print(os.path.abspath(repo_path))
+repo_json = utils.get_json(repo_path)
+
+sorted_artifact_json = json.dumps(artifact_json, sort_keys=True)
+sorted_repo_json = json.dumps(repo_json, sort_keys=True)
+
+if sorted_artifact_json == sorted_repo_json:
+ print('SCW Document is valid!')
+ sys.exit(0)
+else:
+ print(
+ 'SCW Document is invalid, copy the artifact to the remediation\
+ training'
+ )
+ sys.exit(1)
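Review bot: The failure message at the bottom is built with a backslash continuation inside the string literal, so the printed text contains the next line's indentation verbatim: `...copy the artifact to the remediation        training`. Implicit concatenation of two literals fixes it: `'SCW Document is invalid, copy the artifact to the '` / `'remediation training'`. The message also gives no indication of which VRT ids differ, so a CI failure requires regenerating locally to diagnose; since both documents are dicts keyed by id, printing `sorted(set(artifact_json) ^ set(repo_json))` and the keys whose values differ would make the failure actionable, and a plain `artifact_json == repo_json` is sufficient for the comparison itself. `print(os.path.abspath(repo_path))` on the way in looks like leftover debugging output.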
diff --git a/validate_vrt.py b/lib/validate_vrt.py
similarity index 100%
rename from validate_vrt.py
rename to lib/validate_vrt.py
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
index 51165445..492dfb3d 100644
--- a/mappings/cvss_v3/cvss_v3.json
+++ b/mappings/cvss_v3/cvss_v3.json
@@ -4,713 +4,719 @@
},
"content": [
{
- "id": "server_security_misconfiguration",
+ "id": "ai_application_security",
"children": [
{
- "id": "unsafe_cross_origin_resource_sharing",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
+ "id": "adversarial_example_injection",
+ "children": [
+ {
+ "id": "ai_misclassification_attacks",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L"
+ }
+ ]
},
{
- "id": "path_traversal",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ "id": "ai_safety",
+ "children": [
+ {
+ "id": "misinformation_wrong_factual_data",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"
+ }
+ ]
},
{
- "id": "directory_listing_enabled",
+ "id": "denial_of_service_dos",
"children": [
{
- "id": "sensitive_data_exposure",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ "id": "application_wide",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
},
{
- "id": "non_sensitive_data_exposure",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "tenant_scoped",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"
}
]
},
{
- "id": "same_site_scripting",
- "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
- },
- {
- "id": "ssl_attack_breach_poodle_etc",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
- },
- {
- "id": "using_default_credentials",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
- },
- {
- "id": "misconfigured_dns",
+ "id": "improper_input_handling",
"children": [
{
- "id": "basic_subdomain_takeover",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
- },
- {
- "id": "high_impact_subdomain_takeover",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
+ "id": "ansi_escape_codes",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
},
{
- "id": "zone_transfer",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ "id": "rtl_overrides",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
},
{
- "id": "missing_caa_record",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "unicode_confusables",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
}
]
},
{
- "id": "mail_server_misconfiguration",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "id": "improper_output_handling",
"children": [
{
- "id": "no_spoofing_protection_on_email_domain",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ "id": "cross_site_scripting_xss",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
},
{
- "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ "id": "markdown_html_injection",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
]
},
{
- "id": "dbms_misconfiguration",
+ "id": "insufficient_rate_limiting",
"children": [
{
- "id": "excessively_privileged_user_dba",
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
+ "id": "query_flooding_api_token_abuse",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"
}
]
},
{
- "id": "lack_of_password_confirmation",
- "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L",
+ "id": "model_extraction",
"children": [
{
- "id": "manage_two_fa",
- "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
+ "id": "api_query_based_model_reconstruction",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
]
},
{
- "id": "no_rate_limiting_on_form",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
+ "id": "prompt_injection",
"children": [
{
- "id": "login",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ "id": "system_prompt_leakage",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N"
}
]
},
{
- "id": "unsafe_file_upload",
+ "id": "remote_code_execution",
"children": [
{
- "id": "no_antivirus",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
- },
- {
- "id": "no_size_limit",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ "id": "full_system_compromise",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
- "id": "file_extension_filter_bypass",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "sandboxed_container_code_execution",
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H"
}
]
},
{
- "id": "cookie_scoped_to_parent_domain",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "missing_secure_or_httponly_cookie_flag",
+ "id": "sensitive_information_disclosure",
"children": [
{
- "id": "session_token",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ "id": "cross_tenant_pii_leakage_exposure",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"
},
{
- "id": "non_session_cookie",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "key_leak",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
]
},
{
- "id": "clickjacking",
+ "id": "training_data_poisoning",
"children": [
{
- "id": "sensitive_action",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
- },
- {
- "id": "form_input",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
- },
- {
- "id": "non_sensitive_action",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ "id": "backdoor_injection_bias_manipulation",
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"
}
]
},
{
- "id": "oauth_misconfiguration",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
+ "id": "vector_and_embedding_weaknesses",
"children": [
{
- "id": "account_takeover",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ "id": "embedding_exfiltration_model_extraction",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"
+ },
+ {
+ "id": "semantic_indexing",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
+ }
+ ]
+ },
+ {
+ "id": "algorithmic_biases",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "application_level_denial_of_service_dos",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "children": [
+ {
+ "id": "critical_impact_and_or_easy_difficulty",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
{
- "id": "captcha",
+ "id": "excessive_resource_consumption",
"children": [
{
- "id": "implementation_vulnerability",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
- },
- {
- "id": "brute_force",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "missing",
+ "id": "injection_prompt",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
- ]
- },
- {
- "id": "exposed_admin_portal",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "missing_dnssec",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "fingerprinting_banner_disclosure",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "username_enumeration",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "potentially_unsafe_http_method_enabled",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ ],
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H"
},
{
- "id": "insecure_ssl",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "rfd",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
- },
+ "id": "high_impact_and_or_medium_difficulty",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ]
+ },
+ {
+ "id": "automotive_security_misconfiguration",
+ "children": [
{
- "id": "lack_of_security_headers",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "id": "abs",
"children": [
{
- "id": "cache_control_for_a_sensitive_page",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ "id": "unintended_acceleration_brake",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
},
{
- "id": "waf_bypass",
+ "id": "battery_management_system",
"children": [
{
- "id": "direct_server_access",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ "id": "firmware_dump",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ },
+ {
+ "id": "fraudulent_interface",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H"
}
]
},
{
- "id": "race_condition",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "cache_poisoning",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "bitsquatting",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
- }
- ]
- },
- {
- "id": "server_side_injection",
- "children": [
- {
- "id": "file_inclusion",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
- },
- {
- "id": "parameter_pollution",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "remote_code_execution_rce",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- },
- {
- "id": "sql_injection",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
- },
- {
- "id": "xml_external_entity_injection_xxe",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
- },
- {
- "id": "http_response_manipulation",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
- },
- {
- "id": "content_spoofing",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
+ "id": "can",
"children": [
{
- "id": "iframe_injection",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ "id": "injection_basic_safety_message",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
- "id": "external_authentication_injection",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ "id": "injection_battery_management_system",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
- "id": "flash_based_external_authentication_injection",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ "id": "injection_disallowed_messages",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
{
- "id": "email_html_injection",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
- }
- ]
- }
- ]
- },
- {
- "id": "broken_authentication_and_session_management",
- "children": [
- {
- "id": "authentication_bypass",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
- },
- {
- "id": "two_fa_bypass",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
- },
- {
- "id": "privilege_escalation",
- "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
- },
- {
- "id": "cleartext_transmission_of_session_token",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
- },
- {
- "id": "weak_login_function",
- "children": [
+ "id": "injection_dos",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
{
- "id": "not_operational",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "injection_headlights",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
- "id": "other_plaintext_protocol_no_secure_alternative",
- "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ "id": "injection_powertrain",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
- "id": "lan_only",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ "id": "injection_pyrotechnical_device_deployment_tool",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
- "id": "http_and_https_available",
- "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ "id": "injection_sensors",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+ },
+ {
+ "id": "injection_steering_control",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
},
{
- "id": "https_not_available_or_http_by_default",
- "cvss_v3": "AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ "id": "injection_vehicle_anti_theft_systems",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
},
{
- "id": "session_fixation",
+ "id": "gnss_gps",
"children": [
{
- "id": "remote_attack_vector",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
- },
+ "id": "spoofing",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
+ }
+ ]
+ },
+ {
+ "id": "immobilizer",
+ "children": [
{
- "id": "local_attack_vector",
- "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
+ "id": "engine_start",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
},
{
- "id": "failure_to_invalidate_session",
+ "id": "infotainment_radio_head_unit",
"children": [
{
- "id": "on_logout",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
+ "id": "code_execution_can_bus_pivot",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
- "id": "on_logout_server_side_only",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ "id": "code_execution_no_can_bus_pivot",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
},
{
- "id": "on_password_change",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
+ "id": "default_credentials",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
- "id": "all_sessions",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ "id": "dos_brick",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
- "id": "on_email_change",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ "id": "ota_firmware_manipulation",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
- "id": "on_two_fa_activation_change",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ "id": "sensitive_data_leakage_exposure",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
},
{
- "id": "long_timeout",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
- }
- ]
- },
- {
- "id": "concurrent_logins",
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "weak_registration_implementation",
- "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
- }
- ]
- },
- {
- "id": "sensitive_data_exposure",
- "children": [
- {
- "id": "critically_sensitive_data",
- "children": [
- {
- "id": "password_disclosure",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
+ "id": "source_code_dump",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
},
{
- "id": "private_api_keys",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
+ "id": "unauthorized_access_to_services",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
}
]
},
{
- "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
+ "id": "rf_hub",
"children": [
{
- "id": "automatic_user_enumeration",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ "id": "can_injection_interaction",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
- "id": "manual_user_enumeration",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
- }
- ]
- },
- {
- "id": "visible_detailed_error_page",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
- "children": [
+ "id": "data_leakage_pull_encryption_mechanism",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
{
- "id": "detailed_server_configuration",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
- }
- ]
- },
- {
- "id": "disclosure_of_known_public_information",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "token_leakage_via_referer",
- "children": [
+ "id": "key_fob_cloning",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ },
{
- "id": "trusted_third_party",
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ "id": "relay",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
- "id": "untrusted_third_party",
- "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
+ "id": "replay",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
},
{
- "id": "over_http",
- "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
+ "id": "roll_jam",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "unauthorized_access_turn_on",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
}
]
},
{
- "id": "sensitive_token_in_url",
- "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
- },
- {
- "id": "non_sensitive_token_in_url",
- "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "weak_password_reset_implementation",
- "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
+ "id": "rsu",
"children": [
{
- "id": "token_leakage_via_host_header_poisoning",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
+ "id": "sybil_attack",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H"
}
]
- },
+ }
+ ]
+ },
+ {
+ "id": "blockchain_infrastructure_misconfiguration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "broken_access_control",
+ "children": [
{
- "id": "mixed_content",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
+ "id": "bypass_of_password_confirmation",
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
},
{
- "id": "sensitive_data_hardcoded",
+ "id": "exposed_sensitive_android_intent",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "internal_ip_disclosure",
+ "id": "exposed_sensitive_ios_url_scheme",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "xssi",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
+ "id": "privilege_escalation",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "json_hijacking",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ "id": "username_enumeration",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
- ]
+ ],
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
},
{
- "id": "cross_site_scripting_xss",
+ "id": "broken_authentication_and_session_management",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
- "id": "stored",
+ "id": "authentication_bypass",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
+ },
+ {
+ "id": "cleartext_transmission_of_session_token",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "concurrent_logins",
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "failure_to_invalidate_session",
"children": [
{
- "id": "non_admin_to_anyone",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
+ "id": "all_sessions",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "privileged_user_to_privilege_elevation",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
+ "id": "long_timeout",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "privileged_user_to_no_privilege_elevation",
- "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ "id": "on_email_change",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "url_based",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ "id": "on_logout",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
},
{
- "id": "self",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "on_logout_server_side_only",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "on_password_change",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "on_two_fa_activation_change",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N"
}
]
},
{
- "id": "reflected",
+ "id": "saml_replay",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
+ },
+ {
+ "id": "session_fixation",
"children": [
{
- "id": "non_self",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ "id": "local_attack_vector",
+ "cvss_v3": "AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"
},
{
- "id": "self",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "remote_attack_vector",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
}
]
},
{
- "id": "flash_based",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
- },
- {
- "id": "cookie_based",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
+ "id": "two_fa_bypass",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
- "id": "ie_only",
+ "id": "weak_login_function",
"children": [
{
- "id": "ie_eleven",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
- },
- {
- "id": "xss_filter_disabled",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ "id": "other_plaintext_protocol_no_secure_alternative",
+ "cvss_v3": "AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
},
{
- "id": "older_version_ie_eleven",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N"
+ "id": "over_http",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
}
]
},
{
- "id": "referer",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
- },
- {
- "id": "trace_method",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "universal_uxss",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
- },
- {
- "id": "off_domain",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ "id": "weak_registration_implementation",
+ "cvss_v3": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
}
]
},
{
- "id": "broken_access_control",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+ "id": "client_side_injection",
"children": [
{
- "id": "server_side_request_forgery_ssrf",
+ "id": "binary_planting",
"children": [
{
- "id": "internal_high_impact",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ "id": "no_privilege_escalation",
+ "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "internal_scan_and_or_medium_impact",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
+ "id": "non_default_folder_privilege_escalation",
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
},
{
- "id": "external",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+ "id": "privilege_escalation",
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
]
- },
- {
- "id": "username_enumeration",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
]
},
{
"id": "cross_site_request_forgery_csrf",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
- {
- "id": "application_wide",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
- },
{
"id": "action_specific",
"children": [
- {
- "id": "authenticated_action",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
- },
- {
- "id": "unauthenticated_action",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
- },
{
"id": "logout",
"cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
}
]
},
+ {
+ "id": "application_wide",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
+ },
{
"id": "csrf_token_not_unique_per_request",
"cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "flash_based",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
}
]
},
{
- "id": "application_level_denial_of_service_dos",
+ "id": "cross_site_scripting_xss",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
- "id": "critical_impact_and_or_easy_difficulty",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ "id": "cookie_based",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
},
{
- "id": "high_impact_and_or_medium_difficulty",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ "id": "flash_based",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N"
},
{
- "id": "app_crash",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- }
- ]
- },
- {
- "id": "unvalidated_redirects_and_forwards",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
- "children": [
+ "id": "ie_only",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
{
- "id": "open_redirect",
+ "id": "off_domain",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "id": "referer",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "id": "reflected",
"children": [
{
- "id": "get_based",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ "id": "non_self",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ]
+ },
+ {
+ "id": "stored",
+ "children": [
+ {
+ "id": "non_admin_to_anyone",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
+ },
+ {
+ "id": "privileged_user_to_no_privilege_elevation",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ },
+ {
+ "id": "privileged_user_to_privilege_elevation",
+ "cvss_v3": "AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"
+ },
+ {
+ "id": "url_based",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
]
+ },
+ {
+ "id": "universal_uxss",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
}
]
},
{
- "id": "external_behavior",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
- {
- "id": "insufficient_security_configurability",
+ "id": "cryptographic_weakness",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
- "id": "no_password_policy",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ "id": "broken_cryptography",
+ "children": [
+ {
+ "id": "use_of_broken_cryptographic_primitive",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "id": "use_of_vulnerable_cryptographic_library",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
+ }
+ ]
},
{
- "id": "weak_password_reset_implementation",
+ "id": "incomplete_cleanup_of_keying_material",
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "insecure_key_generation",
"children": [
{
- "id": "token_is_not_invalidated_after_use",
+ "id": "insufficient_key_space",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ },
+ {
+ "id": "key_exchange_without_entity_authentication",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "insufficient_entropy",
+ "children": [
+ {
+ "id": "initialization_vector_reuse",
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "limited_rng_entropy_source",
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "predictable_initialization_vector",
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "predictable_prng_seed",
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "prng_seed_reuse",
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "small_seed_space_in_prng",
"cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "use_of_trng_for_nonsecurity_purpose",
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
}
]
},
{
- "id": "weak_two_fa_implementation",
+ "id": "insufficient_verification_of_data_authenticity",
"children": [
{
- "id": "two_fa_secret_cannot_be_rotated",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ "id": "identity_check_value",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "key_reuse",
+ "children": [
+ {
+ "id": "inter_environment",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"
},
{
- "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
+ "id": "intra_environment",
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "lack_of_perfect_forward_secrecy",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "side_channel_attack",
+ "children": [
+ {
+ "id": "emanations_attack",
+ "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "padding_oracle_attack",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "power_analysis_attack",
"cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "timing_attack",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ]
+ },
+ {
+ "id": "use_of_expired_cryptographic_key_or_cert",
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "weak_hash",
+ "children": [
+ {
+ "id": "use_of_predictable_salt",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"
}
]
}
]
},
{
- "id": "using_components_with_known_vulnerabilities",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
- "children": [
- {
- "id": "rosetta_flash",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
- }
- ]
+ "id": "data_biases",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "decentralized_application_misconfiguration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "developer_biases",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "external_behavior",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "indicators_of_compromise",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "insecure_data_storage",
@@ -736,17 +742,10 @@
}
]
},
- {
- "id": "lack_of_binary_hardening",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- },
{
"id": "insecure_data_transport",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
- {
- "id": "cleartext_transmission_of_sensitive_data",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
- },
{
"id": "executable_download",
"children": [
@@ -764,57 +763,109 @@
},
{
"id": "insecure_os_firmware",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
"id": "command_injection",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
+ {
+ "id": "data_not_encrypted_at_rest",
+ "children": [
+ {
+ "id": "non_sensitive",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ]
+ },
{
"id": "hardcoded_password",
"children": [
+ {
+ "id": "non_privileged_user",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
{
"id": "privileged_user",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
+ }
+ ]
+ },
+ {
+ "id": "local_administrator_on_default_environment",
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ },
+ {
+ "id": "over_permissioned_credentials_on_storage",
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "shared_credentials_on_storage",
+ "cvss_v3": "AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "id": "weakness_in_firmware_updates",
+ "children": [
+ {
+ "id": "firmware_does_not_validate_update_integrity",
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H"
},
{
- "id": "non_privileged_user",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ "id": "firmware_is_not_encrypted",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
]
}
]
},
{
- "id": "broken_cryptography",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
- },
- {
- "id": "privacy_concerns",
+ "id": "insufficient_security_configurability",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
- "id": "unnecessary_data_collection",
+ "id": "no_password_policy",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "weak_password_reset_implementation",
"children": [
{
- "id": "wifi_ssid_password",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ "id": "token_is_not_invalidated_after_use",
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ]
+ },
+ {
+ "id": "weak_two_fa_implementation",
+ "children": [
+ {
+ "id": "two_fa_secret_cannot_be_rotated",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
+ "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
}
]
}
]
},
{
- "id": "network_security_misconfiguration",
- "children": [
- {
- "id": "telnet_enabled",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
- }
- ]
+ "id": "lack_of_binary_hardening",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "misinterpretation_biases",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
"id": "mobile_security_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
+ {
+ "id": "auto_backup_allowed_by_default",
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+ },
{
"id": "clipboard_enabled",
"cvss_v3": "AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N"
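Review bot: `data_not_encrypted_at_rest` gains only a `non_sensitive` child (lines 2802-2808) while the cwe mapping in the same commit also lists a `sensitive` child, and `weakness_in_firmware_updates` (2836-2848) lacks the `firmware_cannot_be_updated` entry the cwe mapping has. If the upstream source scores those ids they are missing here; if it does not, the two mapping files now disagree on which ids exist and a consumer joining them by id will see gaps. The move of `non_privileged_user` ahead of `privileged_user` under `hardcoded_password` is reordering only.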
@@ -822,114 +873,463 @@
]
},
{
- "id": "client_side_injection",
+ "id": "network_security_misconfiguration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "physical_security_issues",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"children": [
{
- "id": "binary_planting",
+ "id": "weakness_in_physical_access_control",
"children": [
{
- "id": "privilege_escalation",
- "cvss_v3": "AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
- },
- {
- "id": "non_default_folder_privilege_escalation",
- "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"
- },
- {
- "id": "no_privilege_escalation",
- "cvss_v3": "AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ "id": "commonly_keyed_system",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
}
]
}
]
},
{
- "id": "automotive_security_misconfiguration",
+ "id": "privacy_concerns",
"children": [
{
- "id": "infotainment",
+ "id": "unnecessary_data_collection",
"children": [
{
- "id": "pii_leakage",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
- },
+ "id": "wifi_ssid_password",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "protocol_specific_misconfiguration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "sensitive_data_exposure",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "children": [
+ {
+ "id": "disclosure_of_secrets",
+ "children": [
{
- "id": "code_execution_can_bus_pivot",
- "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ "id": "for_internal_asset",
+ "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
{
- "id": "code_execution_no_can_bus_pivot",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
+ "id": "for_publicly_accessible_asset",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
},
{
- "id": "unauthorized_access_to_services",
- "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"
+ "id": "pay_per_use_abuse",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ]
+ },
+ {
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
+ "children": [
+ {
+ "id": "automatic_user_enumeration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
},
{
- "id": "source_code_dump",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ "id": "manual_user_enumeration",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "graphql_introspection_enabled",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "id": "json_hijacking",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "mixed_content",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:N"
+ },
+ {
+ "id": "non_sensitive_token_in_url",
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "sensitive_token_in_url",
+ "cvss_v3": "AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "token_leakage_via_referer",
+ "children": [
+ {
+ "id": "over_http",
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
},
{
- "id": "dos_brick",
+ "id": "password_reset_token",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "id": "trusted_third_party",
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "untrusted_third_party",
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ]
+ },
+ {
+ "id": "via_localstorage_sessionstorage",
+ "children": [
+ {
+ "id": "non_sensitive_token",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "sensitive_token",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "visible_detailed_error_page",
+ "children": [
+ {
+ "id": "detailed_server_configuration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "weak_password_reset_implementation",
+ "children": [
+ {
+ "id": "token_leakage_via_host_header_poisoning",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"
+ }
+ ],
+ "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "server_security_misconfiguration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "children": [
+ {
+ "id": "bitsquatting",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "id": "captcha",
+ "children": [
+ {
+ "id": "brute_force",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "implementation_vulnerability",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ]
+ },
+ {
+ "id": "clickjacking",
+ "children": [
+ {
+ "id": "form_input",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
},
{
- "id": "default_credentials",
+ "id": "non_sensitive_action",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "sensitive_action",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ]
+ },
+ {
+ "id": "dbms_misconfiguration",
+ "children": [
+ {
+ "id": "excessively_privileged_user_dba",
+ "cvss_v3": "AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ]
+ },
+ {
+ "id": "email_verification_bypass",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "insecure_ssl",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "lack_of_password_confirmation",
+ "children": [
+ {
+ "id": "manage_two_fa",
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "id": "lack_of_security_headers",
+ "children": [
+ {
+ "id": "cache_control_for_a_sensitive_page",
"cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
+ ],
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "mail_server_misconfiguration",
+ "children": [
+ {
+ "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "id": "no_spoofing_protection_on_email_domain",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ }
]
},
{
- "id": "rf_hub",
+ "id": "misconfigured_dns",
"children": [
{
- "id": "key_fob_cloning",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ "id": "missing_caa_record",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "can_injection_interaction",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ "id": "subdomain_takeover",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
},
{
- "id": "data_leakage_pull_encryption_mechanism",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ "id": "zone_transfer",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "missing_dnssec",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "missing_secure_or_httponly_cookie_flag",
+ "children": [
+ {
+ "id": "session_token",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "missing_subresource_integrity",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "no_rate_limiting_on_form",
+ "children": [
+ {
+ "id": "change_password",
+ "cvss_v3": "AV:P/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
},
{
- "id": "unauthorized_access_turn_on",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"
+ "id": "login",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"
+ },
+ {
+ "id": "oauth_misconfiguration",
+ "children": [
+ {
+ "id": "account_squatting",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
},
{
- "id": "roll_jam",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ "id": "account_takeover",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
},
{
- "id": "replay",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ "id": "insecure_redirect_uri",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
},
{
- "id": "relay",
- "cvss_v3": "AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ "id": "missing_state_parameter",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ }
+ ],
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "id": "rfd",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
+ },
+ {
+ "id": "same_site_scripting",
+ "cvss_v3": "AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "id": "server_side_request_forgery_ssrf",
+ "children": [
+ {
+ "id": "external_dns_query_only",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+ },
+ {
+ "id": "external_low_impact",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L"
+ },
+ {
+ "id": "internal_high_impact",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"
+ },
+ {
+ "id": "internal_scan_and_or_medium_impact",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"
}
]
},
{
- "id": "can",
+ "id": "unsafe_file_upload",
"children": [
{
- "id": "injection_disallowed_messages",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ "id": "no_antivirus",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N"
},
{
- "id": "injection_dos",
- "cvss_v3": "AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ "id": "no_size_limit",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ]
+ },
+ {
+ "id": "using_default_credentials",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
+ },
+ {
+ "id": "waf_bypass",
+ "children": [
+ {
+ "id": "direct_server_access",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
}
]
}
]
},
{
- "id": "indicators_of_compromise",
+ "id": "server_side_injection",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "children": [
+ {
+ "id": "content_spoofing",
+ "children": [
+ {
+ "id": "email_html_injection",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "id": "external_authentication_injection",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "id": "html_content_injection",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "iframe_injection",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "impersonation_via_broken_link_hijacking",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "file_inclusion",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "id": "http_response_manipulation",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ },
+ {
+ "id": "remote_code_execution_rce",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "id": "sql_injection",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "id": "ssti",
+ "children": [
+ {
+ "id": "basic",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "xml_external_entity_injection_xxe",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
+ }
+ ]
+ },
+ {
+ "id": "smart_contract_misconfiguration",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "societal_biases",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+ },
+ {
+ "id": "unvalidated_redirects_and_forwards",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "children": [
+ {
+ "id": "open_redirect",
+ "children": [
+ {
+ "id": "get_based",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "using_components_with_known_vulnerabilities",
+ "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
+ "children": [
+ {
+ "id": "rosetta_flash",
+ "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+ }
+ ]
+ },
+ {
+ "id": "zero_knowledge_security_misconfiguration",
"cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
]
-}
+}
\ No newline at end of file
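Review bot: The hunk drops the file's trailing newline (lines 3429-3431, `\ No newline at end of file`), which is a formatting regression that will show up as noise in every later diff; the closing `}` should keep its newline. Several new nodes also put `cvss_v3` after `children` (`weak_password_reset_implementation` at 3082-3089, `lack_of_password_confirmation`, `lack_of_security_headers`, `no_rate_limiting_on_form`, `oauth_misconfiguration`, `content_spoofing`) while every other node puts it first; a JSON parser does not care, but it suggests hand edits to a generated file and will churn on the next regeneration. Note too that `weak_password_reset_implementation` now appears under both `insufficient_security_configurability` (earlier hunk) and `sensitive_data_exposure` (3082) with different vectors, so a consumer indexing by bare id rather than by path will get whichever it reads last.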
diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json
index 8da3c098..395db0c8 100644
--- a/mappings/cwe/cwe.json
+++ b/mappings/cwe/cwe.json
@@ -4,111 +4,904 @@
},
"content": [
{
- "id": "server_security_misconfiguration",
- "cwe": ["CWE-16"],
+ "id": "ai_application_security",
+ "cwe": null
+ },
+ {
+ "id": "algorithmic_biases",
+ "cwe": null,
"children": [
{
- "id": "unsafe_cross_origin_resource_sharing",
- "cwe": ["CWE-942"]
+ "id": "aggregation_bias",
+ "cwe": null
},
{
- "id": "path_traversal",
- "cwe": ["CWE-22", "CWE-73"]
+ "id": "processing_bias",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "application_level_denial_of_service_dos",
+ "cwe": [
+ "CWE-400"
+ ]
+ },
+ {
+ "id": "automotive_security_misconfiguration",
+ "cwe": null,
+ "children": [
+ {
+ "id": "abs",
+ "cwe": null
},
{
- "id": "directory_listing_enabled",
- "cwe": ["CWE-548"]
+ "id": "battery_management_system",
+ "cwe": null
},
{
- "id": "ssl_attack_breach_poodle_etc",
- "cwe": ["CWE-310"]
+ "id": "can",
+ "cwe": null
},
{
- "id": "using_default_credentials",
- "cwe": ["CWE-255", "CWE-521"]
+ "id": "gnss_gps",
+ "cwe": null
},
{
- "id": "misconfigured_dns",
+ "id": "immobilizer",
+ "cwe": null
+ },
+ {
+ "id": "infotainment_radio_head_unit",
+ "cwe": null
+ },
+ {
+ "id": "rf_hub",
+ "cwe": null
+ },
+ {
+ "id": "rsu",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "blockchain_infrastructure_misconfiguration",
+ "cwe": null
+ },
+ {
+ "id": "broken_access_control",
+ "cwe": [
+ "CWE-723"
+ ],
+ "children": [
+ {
+ "id": "exposed_sensitive_android_intent",
+ "cwe": [
+ "CWE-927"
+ ]
+ },
+ {
+ "id": "exposed_sensitive_ios_url_scheme",
+ "cwe": [
+ "CWE-939"
+ ]
+ },
+ {
+ "id": "idor",
+ "cwe": [
+ "CWE-932"
+ ]
+ },
+ {
+ "id": "privilege_escalation",
+ "cwe": [
+ "CWE-269"
+ ]
+ },
+ {
+ "id": "username_enumeration",
+ "cwe": [
+ "CWE-200"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "broken_authentication_and_session_management",
+ "cwe": [
+ "CWE-930"
+ ],
+ "children": [
+ {
+ "id": "authentication_bypass",
+ "cwe": [
+ "CWE-287"
+ ]
+ },
+ {
+ "id": "cleartext_transmission_of_session_token",
+ "cwe": [
+ "CWE-319"
+ ]
+ },
+ {
+ "id": "concurrent_logins",
+ "cwe": [
+ "CWE-1018"
+ ]
+ },
+ {
+ "id": "failure_to_invalidate_session",
+ "cwe": [
+ "CWE-613"
+ ]
+ },
+ {
+ "id": "session_fixation",
+ "cwe": [
+ "CWE-384"
+ ]
+ },
+ {
+ "id": "two_fa_bypass",
+ "cwe": [
+ "CWE-304"
+ ]
+ },
+ {
+ "id": "weak_login_function",
+ "cwe": [
+ "CWE-523"
+ ]
+ },
+ {
+ "id": "weak_registration_implementation",
"children": [
{
- "id": "zone_transfer",
- "cwe": ["CWE-669"]
+ "id": "over_http",
+ "cwe": [
+ "CWE-311"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "client_side_injection",
+ "cwe": [
+ "CWE-929"
+ ]
+ },
+ {
+ "id": "cross_site_request_forgery_csrf",
+ "cwe": [
+ "CWE-352"
+ ]
+ },
+ {
+ "id": "cross_site_scripting_xss",
+ "cwe": [
+ "CWE-79"
+ ]
+ },
+ {
+ "id": "cryptographic_weakness",
+ "cwe": [
+ "CWE-310",
+ "CWE-1205"
+ ],
+ "children": [
+ {
+ "id": "broken_cryptography",
+ "cwe": [
+ "CWE-327"
+ ],
+ "children": [
+ {
+ "id": "use_of_broken_cryptographic_primitive",
+ "cwe": [
+ "CWE-327"
+ ]
+ },
+ {
+ "id": "use_of_vulnerable_cryptographic_library",
+ "cwe": [
+ "CWE-327"
+ ]
}
]
},
{
- "id": "dbms_misconfiguration",
+ "id": "incomplete_cleanup_of_keying_material",
+ "cwe": [
+ "CWE-459"
+ ]
+ },
+ {
+ "id": "insecure_implementation",
+ "cwe": [
+ "CWE-573"
+ ],
"children": [
{
- "id": "excessively_privileged_user_dba",
- "cwe": ["CWE-250"]
+ "id": "improper_following_of_specification",
+ "cwe": [
+ "CWE-358",
+ "CWE-573"
+ ]
+ },
+ {
+ "id": "missing_cryptographic_step",
+ "cwe": [
+ "CWE-325"
+ ]
}
]
},
{
- "id": "lack_of_password_confirmation",
+ "id": "insecure_key_generation",
+ "cwe": null,
"children": [
{
- "id": "change_password",
- "cwe": ["CWE-620"]
+ "id": "improper_asymmetric_exponent_selection",
+ "cwe": [
+ "CWE-326",
+ "CWE-1240"
+ ]
+ },
+ {
+ "id": "improper_asymmetric_prime_selection",
+ "cwe": [
+ "CWE-326",
+ "CWE-1240"
+ ]
+ },
+ {
+ "id": "insufficient_key_space",
+ "cwe": [
+ "CWE-326",
+ "CWE-331",
+ "CWE-1240"
+ ]
+ },
+ {
+ "id": "insufficient_key_stretching",
+ "cwe": [
+ "CWE-326",
+ "CWE-1240"
+ ]
+ },
+ {
+ "id": "key_exchange_without_entity_authentication",
+ "cwe": [
+ "CWE-322"
+ ]
}
]
},
{
- "id": "no_rate_limiting_on_form",
- "cwe": ["CWE-799"],
+ "id": "insufficient_entropy",
+ "cwe": [
+ "CWE-330",
+ "CWE-331"
+ ],
"children": [
{
- "id": "login",
- "cwe": ["CWE-307"]
+ "id": "initialization_vector_reuse",
+ "cwe": [
+ "CWE-1204"
+ ]
+ },
+ {
+ "id": "limited_rng_entropy_source",
+ "cwe": [
+ "CWE-338",
+ "CWE-332"
+ ]
+ },
+ {
+ "id": "predictable_initialization_vector",
+ "cwe": [
+ "CWE-340"
+ ]
+ },
+ {
+ "id": "predictable_prng_seed",
+ "cwe": [
+ "CWE-337"
+ ]
+ },
+ {
+ "id": "prng_seed_reuse",
+ "cwe": [
+ "CWE-336"
+ ]
+ },
+ {
+ "id": "small_seed_space_in_prng",
+ "cwe": [
+ "CWE-339",
+ "CWE-334"
+ ]
+ },
+ {
+ "id": "use_of_trng_for_nonsecurity_purpose",
+ "cwe": [
+ "CWE-333"
+ ]
}
]
},
{
- "id": "unsafe_file_upload",
+ "id": "insufficient_verification_of_data_authenticity",
+ "cwe": [
+ "CWE-345"
+ ],
"children": [
{
- "id": "file_extension_filter_bypass",
- "cwe": ["CWE-434", "CWE-646"]
+ "id": "cryptographic_signature",
+ "cwe": [
+ "CWE-347"
+ ]
+ },
+ {
+ "id": "identity_check_value",
+ "cwe": [
+ "CWE-353",
+ "CWE-354",
+ "CWE-924"
+ ]
}
]
},
{
- "id": "missing_secure_or_httponly_cookie_flag",
- "cwe": ["CWE-614", "CWE-1004"]
+ "id": "key_reuse",
+ "cwe": [
+ "CWE-323"
+ ],
+ "children": [
+ {
+ "id": "inter_environment",
+ "cwe": [
+ "CWE-323"
+ ]
+ },
+ {
+ "id": "intra_environment",
+ "cwe": [
+ "CWE-323"
+ ]
+ },
+ {
+ "id": "lack_of_perfect_forward_secrecy",
+ "cwe": [
+ "CWE-323"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "side_channel_attack",
+ "cwe": [
+ "CWE-203",
+ "CWE-1300"
+ ],
+ "children": [
+ {
+ "id": "differential_fault_analysis",
+ "cwe": [
+ "CWE-204",
+ "CWE-205"
+ ]
+ },
+ {
+ "id": "emanations_attack",
+ "cwe": [
+ "CWE-1300"
+ ]
+ },
+ {
+ "id": "padding_oracle_attack",
+ "cwe": [
+ "CWE-780"
+ ]
+ },
+ {
+ "id": "power_analysis_attack",
+ "cwe": [
+ "CWE-1300"
+ ]
+ },
+ {
+ "id": "timing_attack",
+ "cwe": [
+ "CWE-208"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "use_of_expired_cryptographic_key_or_cert",
+ "cwe": [
+ "CWE-295",
+ "CWE-298",
+ "CWE-299",
+ "CWE-324"
+ ]
+ },
+ {
+ "id": "weak_hash",
+ "cwe": [
+ "CWE-328"
+ ],
+ "children": [
+ {
+ "id": "lack_of_salt",
+ "cwe": [
+ "CWE-759",
+ "CWE-916"
+ ]
+ },
+ {
+ "id": "predictable_hash_collision",
+ "cwe": [
+ "CWE-328"
+ ]
+ },
+ {
+ "id": "use_of_predictable_salt",
+ "cwe": [
+ "CWE-760"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "data_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "pre_existing_bias",
+ "cwe": null
+ },
+ {
+ "id": "representation_bias",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "decentralized_application_misconfiguration",
+ "cwe": null
+ },
+ {
+ "id": "developer_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "implicit_bias",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "external_behavior",
+ "cwe": null
+ },
+ {
+ "id": "indicators_of_compromise",
+ "cwe": null
+ },
+ {
+ "id": "insecure_data_storage",
+ "cwe": [
+ "CWE-729",
+ "CWE-922"
+ ],
+ "children": [
+ {
+ "id": "non_sensitive_application_data_stored_unencrypted",
+ "cwe": [
+ "CWE-312"
+ ]
+ },
+ {
+ "id": "sensitive_application_data_stored_unencrypted",
+ "cwe": [
+ "CWE-312"
+ ]
+ },
+ {
+ "id": "server_side_credentials_storage",
+ "cwe": [
+ "CWE-522"
+ ],
+ "children": [
+ {
+ "id": "plaintext",
+ "cwe": [
+ "CWE-256"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "insecure_data_transport",
+ "cwe": [
+ "CWE-311",
+ "CWE-319"
+ ],
+ "children": [
+ {
+ "id": "cleartext_transmission_of_sensitive_data",
+ "cwe": [
+ "CWE-319"
+ ]
+ },
+ {
+ "id": "executable_download",
+ "children": [
+ {
+ "id": "no_secure_integrity_check",
+ "cwe": [
+ "CWE-353",
+ "CWE-354",
+ "CWE-494"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "insecure_os_firmware",
+ "children": [
+ {
+ "id": "command_injection",
+ "cwe": [
+ "CWE-77"
+ ]
+ },
+ {
+ "id": "data_not_encrypted_at_rest",
+ "children": [
+ {
+ "id": "non_sensitive",
+ "cwe": [
+ "CWE-311"
+ ]
+ },
+ {
+ "id": "sensitive",
+ "cwe": [
+ "CWE-311"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "failure_to_remove_sensitive_artifacts_from_disk",
+ "cwe": [
+ "CWE-459"
+ ]
+ },
+ {
+ "id": "hardcoded_password",
+ "cwe": [
+ "CWE-259"
+ ]
+ },
+ {
+ "id": "kiosk_escape_or_breakout",
+ "cwe": [
+ "CWE-284"
+ ]
+ },
+ {
+ "id": "local_administrator_on_default_environment",
+ "cwe": [
+ "CWE-276"
+ ]
+ },
+ {
+ "id": "over_permissioned_credentials_on_storage",
+ "cwe": [
+ "CWE-250"
+ ]
+ },
+ {
+ "id": "poorly_configured_disk_encryption",
+ "cwe": [
+ "CWE-326"
+ ]
+ },
+ {
+ "id": "poorly_configured_operating_system_security",
+ "cwe": [
+ "CWE-16"
+ ]
+ },
+ {
+ "id": "recovery_of_disk_contains_sensitive_material",
+ "cwe": [
+ "CWE-522"
+ ]
+ },
+ {
+ "id": "shared_credentials_on_storage",
+ "cwe": [
+ "CWE-798"
+ ]
+ },
+ {
+ "id": "weakness_in_firmware_updates",
+ "children": [
+ {
+ "id": "firmware_cannot_be_updated",
+ "cwe": [
+ "CWE-434"
+ ]
+ },
+ {
+ "id": "firmware_does_not_validate_update_integrity",
+ "cwe": [
+ "CWE-434"
+ ]
+ },
+ {
+ "id": "firmware_is_not_encrypted",
+ "cwe": [
+ "CWE-434"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "insufficient_security_configurability",
+ "cwe": [
+ "CWE-16"
+ ],
+ "children": [
+ {
+ "id": "no_password_policy",
+ "cwe": [
+ "CWE-521"
+ ]
+ },
+ {
+ "id": "password_policy_bypass",
+ "cwe": [
+ "CWE-521"
+ ]
+ },
+ {
+ "id": "weak_password_policy",
+ "cwe": [
+ "CWE-521"
+ ]
+ },
+ {
+ "id": "weak_password_reset_implementation",
+ "cwe": [
+ "CWE-640"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "lack_of_binary_hardening",
+ "cwe": [
+ "CWE-693"
+ ]
+ },
+ {
+ "id": "misinterpretation_biases",
+ "cwe": null,
+ "children": [
+ {
+ "id": "context_ignorance",
+ "cwe": null
+ }
+ ]
+ },
+ {
+ "id": "mobile_security_misconfiguration",
+ "cwe": [
+ "CWE-919"
+ ]
+ },
+ {
+ "id": "network_security_misconfiguration",
+ "cwe": [
+ "CWE-16"
+ ]
+ },
+ {
+ "id": "physical_security_issues",
+ "children": [
+ {
+ "id": "bypass_of_physical_access_control",
+ "cwe": [
+ "CWE-1300"
+ ]
+ },
+ {
+ "id": "weakness_in_physical_access_control",
+ "children": [
+ {
+ "id": "cloneable_key",
+ "cwe": [
+ "CWE-1300"
+ ]
+ },
+ {
+ "id": "commonly_keyed_system",
+ "cwe": [
+ "CWE-284"
+ ]
+ },
+ {
+ "id": "master_key_identification",
+ "cwe": [
+ "CWE-284"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "id": "privacy_concerns",
+ "cwe": [
+ "CWE-359"
+ ]
+ },
+ {
+ "id": "protocol_specific_misconfiguration",
+ "cwe": null
+ },
+ {
+ "id": "sensitive_data_exposure",
+ "cwe": [
+ "CWE-934"
+ ],
+ "children": [
+ {
+ "id": "disclosure_of_known_public_information",
+ "cwe": [
+ "CWE-200"
+ ]
+ },
+ {
+ "id": "disclosure_of_secrets",
+ "children": [
+ {
+ "id": "pii_leakage_exposure",
+ "cwe": [
+ "CWE-200"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
+ "cwe": [
+ "CWE-200"
+ ]
+ },
+ {
+ "id": "graphql_introspection_enabled",
+ "cwe": [
+ "CWE-200"
+ ]
+ },
+ {
+ "id": "non_sensitive_token_in_url",
+ "cwe": [
+ "CWE-200"
+ ]
+ },
+ {
+ "id": "sensitive_token_in_url",
+ "cwe": [
+ "CWE-200"
+ ]
+ },
+ {
+ "id": "token_leakage_via_referer",
+ "cwe": [
+ "CWE-200"
+ ]
+ },
+ {
+ "id": "via_localstorage_sessionstorage",
+ "cwe": [
+ "CWE-922"
+ ]
+ },
+ {
+ "id": "visible_detailed_error_page",
+ "cwe": [
+ "CWE-209",
+ "CWE-215"
+ ]
+ },
+ {
+ "id": "weak_password_reset_implementation",
+ "cwe": [
+ "CWE-640"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "server_security_misconfiguration",
+ "cwe": [
+ "CWE-16"
+ ],
+ "children": [
+ {
+ "id": "cache_poisoning",
+ "cwe": [
+ "CWE-444"
+ ]
+ },
+ {
+ "id": "captcha",
+ "cwe": [
+ "CWE-804"
+ ]
},
{
"id": "clickjacking",
- "cwe": ["CWE-451"]
+ "cwe": [
+ "CWE-451"
+ ]
},
{
- "id": "oauth_misconfiguration",
- "cwe": ["CWE-303"],
+ "id": "dbms_misconfiguration",
"children": [
{
- "id": "missing_state_parameter",
- "cwe": ["CWE-352"]
- },
- {
- "id": "insecure_redirect_uri",
- "cwe": ["CWE-601"]
+ "id": "excessively_privileged_user_dba",
+ "cwe": [
+ "CWE-250"
+ ]
}
]
},
{
- "id": "captcha",
- "cwe": ["CWE-804"]
- },
- {
- "id": "username_enumeration",
- "cwe": ["CWE-204"]
+ "id": "directory_listing_enabled",
+ "cwe": [
+ "CWE-548"
+ ]
},
{
"id": "insecure_ssl",
"children": [
{
"id": "insecure_cipher_suite",
- "cwe": ["CWE-326"]
+ "cwe": [
+ "CWE-326"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "lack_of_password_confirmation",
+ "children": [
+ {
+ "id": "change_password",
+ "cwe": [
+ "CWE-620"
+ ]
}
]
},
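Review bot: The three `weakness_in_firmware_updates` children (lines 4109-4124) are all mapped to `CWE-434`, which is the unrestricted-file-upload weakness and does not describe any of them; this same hunk maps `no_secure_integrity_check` to `CWE-494` (line 4018) and unencrypted data to `CWE-311` (line 4040), so `firmware_does_not_validate_update_integrity` and `firmware_is_not_encrypted` would more plausibly follow those, and `firmware_cannot_be_updated` needs its own entry (CWE-1277, Firmware Not Updateable, if the taxonomy accepts it). Separately, `insecure_os_firmware` (line 4026) and `physical_security_issues` (4191) carry no `cwe` key at all while the other new top-level nodes write `"cwe": null` explicitly; picking one form spares consumers from handling both.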
@@ -117,337 +910,258 @@
"children": [
{
"id": "cache_control_for_a_non_sensitive_page",
- "cwe": ["CWE-525"]
+ "cwe": [
+ "CWE-525"
+ ]
},
{
"id": "cache_control_for_a_sensitive_page",
- "cwe": ["CWE-525"]
+ "cwe": [
+ "CWE-525"
+ ]
}
]
},
{
- "id": "race_condition",
- "cwe": ["CWE-362", "CWE-366", "CWE-368", "CWE-421"]
- },
- {
- "id": "cache_poisoning",
- "cwe": ["CWE-444"]
- }
- ]
- },
- {
- "id": "server_side_injection",
- "cwe": ["CWE-929"],
- "children": [
- {
- "id": "file_inclusion",
- "cwe": ["CWE-73", "CWE-714"]
- },
- {
- "id": "remote_code_execution_rce",
- "cwe": ["CWE-77", "CWE-78", "CWE-94", "CWE-95"]
- },
- {
- "id": "sql_injection",
- "cwe": ["CWE-89"]
+ "id": "misconfigured_dns",
+ "children": [
+ {
+ "id": "zone_transfer",
+ "cwe": [
+ "CWE-669"
+ ]
+ }
+ ]
},
{
- "id": "xml_external_entity_injection_xxe",
- "cwe": ["CWE-611"]
+ "id": "missing_secure_or_httponly_cookie_flag",
+ "cwe": [
+ "CWE-614",
+ "CWE-1004"
+ ]
},
{
- "id": "http_response_manipulation",
+ "id": "no_rate_limiting_on_form",
+ "cwe": [
+ "CWE-799"
+ ],
"children": [
{
- "id": "response_splitting_crlf",
- "cwe": ["CWE-113"]
+ "id": "login",
+ "cwe": [
+ "CWE-307"
+ ]
}
]
},
{
- "id": "content_spoofing",
+ "id": "oauth_misconfiguration",
+ "cwe": [
+ "CWE-303"
+ ],
"children": [
{
- "id": "homograph_idn_based",
- "cwe": ["CWE-1007"]
+ "id": "insecure_redirect_uri",
+ "cwe": [
+ "CWE-601"
+ ]
+ },
+ {
+ "id": "missing_state_parameter",
+ "cwe": [
+ "CWE-352"
+ ]
}
]
- }
- ]
- },
- {
- "id": "broken_authentication_and_session_management",
- "cwe": ["CWE-930"],
- "children": [
- {
- "id": "authentication_bypass",
- "cwe": ["CWE-287"]
},
{
- "id": "two_fa_bypass",
- "cwe": ["CWE-304"]
- },
- {
- "id": "privilege_escalation",
- "cwe": ["CWE-269"]
+ "id": "path_traversal",
+ "cwe": [
+ "CWE-22",
+ "CWE-73"
+ ]
},
{
- "id": "cleartext_transmission_of_session_token",
- "cwe": ["CWE-319"]
+ "id": "race_condition",
+ "cwe": [
+ "CWE-362",
+ "CWE-366",
+ "CWE-368",
+ "CWE-421"
+ ]
},
{
- "id": "weak_login_function",
- "cwe": ["CWE-523"]
+ "id": "request_smuggling",
+ "cwe": [
+ "CWE-444"
+ ]
},
{
- "id": "session_fixation",
- "cwe": ["CWE-384"]
+ "id": "server_side_request_forgery_ssrf",
+ "cwe": [
+ "CWE-918",
+ "CWE-441"
+ ]
},
{
- "id": "failure_to_invalidate_session",
- "cwe": ["CWE-613"]
+ "id": "ssl_attack_breach_poodle_etc",
+ "cwe": [
+ "CWE-310"
+ ]
},
{
- "id": "concurrent_logins",
- "cwe": ["CWE-1018"]
+ "id": "unsafe_cross_origin_resource_sharing",
+ "cwe": [
+ "CWE-942"
+ ]
},
{
- "id": "weak_registration_implementation",
+ "id": "unsafe_file_upload",
"children": [
{
- "id": "over_http",
- "cwe": ["CWE-311"]
+ "id": "file_extension_filter_bypass",
+ "cwe": [
+ "CWE-434",
+ "CWE-646"
+ ]
}
]
+ },
+ {
+ "id": "username_enumeration",
+ "cwe": [
+ "CWE-204"
+ ]
+ },
+ {
+ "id": "using_default_credentials",
+ "cwe": [
+ "CWE-255",
+ "CWE-521"
+ ]
}
]
},
{
- "id": "sensitive_data_exposure",
- "cwe": ["CWE-934"],
+ "id": "server_side_injection",
+ "cwe": [
+ "CWE-929"
+ ],
"children": [
{
- "id": "critically_sensitive_data",
+ "id": "content_spoofing",
+ "cwe": [
+ "CWE-451"
+ ],
"children": [
{
- "id": "password_disclosure",
- "cwe": ["CWE-522"]
- },
- {
- "id": "private_api_keys",
- "cwe": ["CWE-522"]
+ "id": "homograph_idn_based",
+ "cwe": [
+ "CWE-1007"
+ ]
}
]
},
{
- "id": "exif_geolocation_data_not_stripped_from_uploaded_images",
- "cwe": ["CWE-200"]
+ "id": "file_inclusion",
+ "cwe": [
+ "CWE-73",
+ "CWE-714"
+ ]
},
{
- "id": "visible_detailed_error_page",
- "cwe": ["CWE-209", "CWE-215"]
+ "id": "http_response_manipulation",
+ "children": [
+ {
+ "id": "response_splitting_crlf",
+ "cwe": [
+ "CWE-113"
+ ]
+ }
+ ]
},
{
- "id": "disclosure_of_known_public_information",
- "cwe": ["CWE-200"]
+ "id": "ldap_injection",
+ "cwe": [
+ "CWE-90"
+ ]
},
{
- "id": "token_leakage_via_referer",
- "cwe": ["CWE-200"]
+ "id": "remote_code_execution_rce",
+ "cwe": [
+ "CWE-77",
+ "CWE-78",
+ "CWE-94",
+ "CWE-95"
+ ]
},
{
- "id": "sensitive_token_in_url",
- "cwe": ["CWE-200"]
+ "id": "sql_injection",
+ "cwe": [
+ "CWE-89"
+ ]
},
{
- "id": "non_sensitive_token_in_url",
- "cwe": ["CWE-200"]
+ "id": "ssti",
+ "cwe": [
+ "CWE-94"
+ ]
},
{
- "id": "weak_password_reset_implementation",
- "cwe": ["CWE-640"]
+ "id": "xml_external_entity_injection_xxe",
+ "cwe": [
+ "CWE-611"
+ ]
}
]
},
{
- "id": "cross_site_scripting_xss",
- "cwe": ["CWE-79"]
+ "id": "smart_contract_misconfiguration",
+ "cwe": null
},
{
- "id": "broken_access_control",
- "cwe": ["CWE-723"],
+ "id": "societal_biases",
+ "cwe": null,
"children": [
{
- "id": "idor",
- "cwe": ["CWE-932"]
- },
- {
- "id": "server_side_request_forgery_ssrf",
- "cwe": ["CWE-918", "CWE-441"]
- },
- {
- "id": "username_enumeration",
- "cwe": ["CWE-200"]
- },
- {
- "id": "exposed_sensitive_android_intent",
- "cwe": ["CWE-927"]
+ "id": "confirmation_bias",
+ "cwe": null
},
{
- "id": "exposed_sensitive_ios_url_scheme",
- "cwe": ["CWE-939"]
+ "id": "systemic_bias",
+ "cwe": null
}
]
},
- {
- "id": "cross_site_request_forgery_csrf",
- "cwe": ["CWE-352"]
- },
- {
- "id": "application_level_denial_of_service_dos",
- "cwe": ["CWE-400"]
- },
{
"id": "unvalidated_redirects_and_forwards",
- "cwe": ["CWE-601"],
+ "cwe": [
+ "CWE-601"
+ ],
"children": [
{
"id": "open_redirect",
- "cwe": ["CWE-601"]
- },
- {
- "id": "tabnabbing",
- "cwe": ["CWE-1022"]
- }
- ]
- },
- {
- "id": "external_behavior",
- "cwe": null
- },
- {
- "id": "insufficient_security_configurability",
- "cwe": ["CWE-16"],
- "children": [
- {
- "id": "weak_password_policy",
- "cwe": ["CWE-521"]
- },
- {
- "id": "no_password_policy",
- "cwe": ["CWE-521"]
- },
- {
- "id": "weak_password_reset_implementation",
- "cwe": ["CWE-640"]
- }
- ]
- },
- {
- "id": "using_components_with_known_vulnerabilities",
- "cwe": ["CWE-937"]
- },
- {
- "id": "insecure_data_storage",
- "cwe": ["CWE-729", "CWE-922"],
- "children": [
- {
- "id": "sensitive_application_data_stored_unencrypted",
- "cwe": ["CWE-312"]
- },
- {
- "id": "server_side_credentials_storage",
- "cwe": ["CWE-522"],
- "children": [
- {
- "id": "plaintext",
- "cwe": ["CWE-256"]
- }
+ "cwe": [
+ "CWE-601"
]
},
{
- "id": "non_sensitive_application_data_stored_unencrypted",
- "cwe": ["CWE-312"]
- }
- ]
- },
- {
- "id": "lack_of_binary_hardening",
- "cwe": ["CWE-693"]
- },
- {
- "id": "insecure_data_transport",
- "cwe": ["CWE-311", "CWE-319"],
- "children": [
- {
- "id": "cleartext_transmission_of_sensitive_data",
- "cwe": ["CWE-319"]
- },
- {
- "id": "executable_download",
- "children": [
- {
- "id": "no_secure_integrity_check",
- "cwe": ["CWE-353", "CWE-354", "CWE-494"]
- }
+ "id": "tabnabbing",
+ "cwe": [
+ "CWE-1022"
]
}
]
},
{
- "id": "insecure_os_firmware",
- "children": [
- {
- "id": "command_injection",
- "cwe": ["CWE-77"]
- },
- {
- "id": "hardcoded_password",
- "cwe": ["CWE-259"]
- }
- ]
- },
- {
- "id": "broken_cryptography",
- "cwe": ["CWE-310"]
- },
- {
- "id": "privacy_concerns",
- "cwe": ["CWE-359"]
- },
- {
- "id": "network_security_misconfiguration",
- "cwe": ["CWE-16"]
- },
- {
- "id": "mobile_security_misconfiguration",
- "cwe": ["CWE-919"]
- },
- {
- "id": "client_side_injection",
- "cwe": ["CWE-929"]
- },
- {
- "id": "automotive_security_misconfiguration",
- "cwe": null,
- "children": [
- {
- "id": "infotainment",
- "cwe": null
- },
- {
- "id": "rf_hub",
- "cwe": null
- },
- {
- "id": "can",
- "cwe": null
- }
+ "id": "using_components_with_known_vulnerabilities",
+ "cwe": [
+ "CWE-937"
]
},
{
- "id": "indicators_of_compromise",
+ "id": "zero_knowledge_security_misconfiguration",
"cwe": null
}
]
-}
+}
\ No newline at end of file
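Review bot: The new side is inconsistent about how "no CWE mapping" is expressed: `misconfigured_dns`, `unsafe_file_upload` and `http_response_manipulation` omit the `cwe` key entirely, while `smart_contract_misconfiguration`, `societal_biases` and `zero_knowledge_security_misconfiguration` carry an explicit `"cwe": null`, so every consumer has to treat a missing key and a null value as the same case; if this file is produced by a generator, emitting `"cwe": null` for every node without a mapping would make it uniform. The regenerated file also loses its trailing newline (the old closing `}` had one, the new one is marked "No newline at end of file"), which is worth restoring in whatever serializes the file so that line-oriented tooling and future diffs stay clean. Separately, several `cwe` values in this hunk are CWE categories rather than weaknesses (CWE-929 on `server_side_injection`, CWE-937 on `using_components_with_known_vulnerabilities`, CWE-310 on `ssl_attack_breach_poodle_etc`, CWE-255 on `using_default_credentials`); since JSON allows no inline comment, a sentence in the repository documentation stating that `cwe` lists may contain category IDs would keep downstream users from assuming every entry is a weakness. That last point is inherited from the old mapping rather than introduced by this commit.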
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
index b6e25de2..24ba0d57 100644
--- a/mappings/remediation_advice/remediation_advice.json
+++ b/mappings/remediation_advice/remediation_advice.json
@@ -1,1372 +1,1869 @@
{
"metadata": {
"default": null,
- "keys": ["remediation_advice", "references"]
+ "keys": [
+ "remediation_advice",
+ "references"
+ ]
},
"content": [
{
- "id": "server_security_misconfiguration",
+ "id": "ai_application_security",
+ "remediation_advice": "Secure AI apps by isolating tenants, enforcing strict input/output validation, and limiting API access. Use adversarial training, prompt escaping, and differential privacy. Sanitize all content to block XSS, Unicode abuse, and injections. Apply rate limiting and monitor for abnormal usage. Protect model APIs from extraction or abuse. Follow OWASP LLM Top 10, MITRE ATLAS, and SAIF for best practices.",
"references": [
- "https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration",
- "http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration"
- ],
+ "https://owasp.org/www-project-top-10-for-large-language-model-applications/"
+ ]
+ },
+ {
+ "id": "algorithmic_biases",
"children": [
{
- "id": "unsafe_cross_origin_resource_sharing",
- "remediation_advice": "1. **Origin & Access-Control-Allow-Origin:** The Origin header is always sent by the browser in a `CORS` request and indicates the origin of the request. The Origin header can not be changed from JavaScript however relying on this header for Access Control checks is not a good idea as it may be spoofed outside the browser, so you still need to check that application-level protocols are used to protect sensitive data.\n2. **Access-Control-Allow-Origin** is a response header used by a server to indicate which domains are allowed to read the response. Based on the `CORS W3 Specification` it is up to the client to determine and enforce the restriction of whether the client has access to the response data based on this header.\n3. Make sure that there are no insecure configurations using a wildcard as value which looks like `Access-Control-Allow-Origin: *` as this header means all domains are allowed access to the resource. \n4. Make sure that when the server returns back the Origin header that there are additional checks so that access of sensitive data is not allowed.\n5. The `Access-Control-Request-Method` header is used when a browser performs a preflight `OPTIONS` request and let the client indicate the request method of the final request. On the other hand, the `Access-Control-Allow-Method` is a response header used by the server to describe the methods the clients are allowed to use.\n6. **Access-Control-Request-Headers & Access-Control-Allow-Headers:** These two headers are used between the browser and the server to determine which headers can be used to perform a cross-origin request.\n7. **Access-Control-Allow-Credentials:** This header as part of a preflight request indicates that the final request can include user credentials.\n8. **Input validation:** XMLHttpRequest L2 (or XHR L2) introduces the possibility of creating a cross-domain request using the XHR API for backwards compatibility. 
This can introduce security vulnerabilities that in XHR L1 were not present. Interesting points of the code to exploit would be URLs that are passed to XMLHttpRequest without validation, specially if absolute URLS are allowed because that could lead to code injection. Likewise, other part of the application that can be exploited is if the response data is not escaped and we can control it by providing user-supplied input.\n9. **Other headers:** There are other headers involved like Access-Control-Max-Age that determines the time a preflight request can be cached in the browser, or Access-Control-Expose-Headers that indicates which headers are safe to expose to the API of a CORS API specification, both are response headers specified in the CORS W3C document.",
- "references": [
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/HTML5_Security_Cheat_Sheet.md#cross-origin-resource-sharing",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
- ]
- },
- {
- "id": "path_traversal",
- "remediation_advice": "1. Prefer working without user input when using file system calls\n2. Use indexes rather than actual portions of file names when templating or using language files (i.e. value 5 from the user submission = Czechoslovakian, rather than expecting the user to return āCzechoslovakianā)\n3. Ensure the user cannot supply all parts of the path ā surround it with your path code\n4. Validate the userās input by only accepting known good ā do not sanitize the data\n5. Use `chroot`ed jails and code access policies to restrict where the files can be obtained or saved to\n6. If forced to use user input for file operations, normalize the input before using in file I/O APIs, such as the [Java SE URI normalize() method](http://docs.oracle.com/javase/7/docs/api/java/net/URI.html#normalize).",
- "references": [
- "https://www.owasp.org/index.php/Path_Traversal",
- "https://www.owasp.org/index.php/File_System#Path_traversal",
- "http://projects.webappsec.org/w/page/13246952/Path%20Traversal"
- ]
- },
- {
- "id": "directory_listing_enabled",
- "remediation_advice": "Restrict directory listings being displayed from the server configuration. \n\nExample for Apache:\n\n1. Edit the server configuration file or edit/create directory .htaccess\n2. Add the following line:\nOptions -Indexes\n3. If it is the last line, make sure you have a new line after it.",
+ "id": "aggregation_bias",
+ "remediation_advice": "Ensure that data aggregation methods maintain the integrity of subgroups, preventing dilution of minority data.",
"references": [
- "http://projects.webappsec.org/w/page/13246922/Directory%20Indexing"
+ "https://www.microsoft.com/en-us/ai/responsible-ai-resources"
]
},
{
- "id": "same_site_scripting",
- "remediation_advice": "As a best practice, do not resolve targets or hostnames to 127.0.0.1 or similar addresses.",
+ "id": "processing_bias",
+ "remediation_advice": "Design algorithms to process all data fairly, implementing checks to detect and mitigate biases that arise during data processing.",
"references": [
- "http://seclists.org/bugtraq/2008/Jan/270"
+ "https://paperswithcode.com/task/fairness-in-ml"
]
- },
+ }
+ ]
+ },
+ {
+ "id": "application_level_denial_of_service_dos",
+ "remediation_advice": "There are techniques to avoid some DoS attacks at the code level such as: Performing thorough input validations, avoiding highly CPU consuming operations, and operations which must wait for completion of large tasks to proceed, splitting operations to chunks, setting timeout timers for unreasonable time, trying to create as few bottlenecks as possible.",
+ "references": [
+ "https://www.owasp.org/index.php/Application_Denial_of_Service",
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Denial_of_Service_Cheat_Sheet.md",
+ "http://projects.webappsec.org/Denial-of-Service",
+ "https://www.cvedetails.com/vulnerability-list/opdos-1/denial-of-service.html",
+ "https://www.owasp.org/images/d/da/OWASP_IL_7_Application_DOS.pdf"
+ ]
+ },
+ {
+ "id": "automotive_security_misconfiguration",
+ "remediation_advice": "",
+ "children": [
{
- "id": "ssl_attack_breach_poodle_etc",
- "remediation_advice": "Disable SSL and use updated version of TLS that is not susceptible to the latest variation of the TLS attack.",
- "references": [
- "https://access.redhat.com/articles/1232123",
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md",
- "http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection"
+ "id": "abs",
+ "children": [
+ {
+ "id": "unintended_acceleration_brake",
+ "remediation_advice": "Implement a secure gateway to protect against ABS attacks.",
+ "references": [
+ "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+ ]
+ }
]
},
{
- "id": "using_default_credentials",
- "remediation_advice": "1. If possible consider disabling external access.\n2. Never use default credentials as it is trivial for an attacker to gain access by providing known or easy to guess credentials.\n3. Always change any kind of default credentials as the first step of setting up any kind of environment.\n4. Passwords should meet or exceed proper password strength requirements.",
- "references": [
- "https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)",
- "https://www.owasp.org/index.php/Configuration#Default_passwords",
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md"
+ "id": "battery_management_system",
+ "children": [
+ {
+ "id": "firmware_dump",
+ "remediation_advice": "Implement secure boot, obfuscate the code, and compression algorithm with hardware-backed dictionary. Find creative ways to break disassemblers and debuggers.",
+ "references": [
+ "https://en.wikipedia.org/wiki/Security_through_obscurityhttps://www.researchgate.net/publication/320859156_Source_Code_Vulnerabilities_in_IoT_Software_Systems"
+ ]
+ },
+ {
+ "id": "fraudulent_interface",
+ "remediation_advice": "Protect and make sure the battery management system provides prevention from operating outside its safe operating area.",
+ "references": [
+ "https://en.wikipedia.org/wiki/Battery_management_system"
+ ]
+ }
]
},
{
- "id": "misconfigured_dns",
+ "id": "can",
"children": [
{
- "id": "basic_subdomain_takeover",
- "remediation_advice": "1. Set up your external service so it fully listens to your wildcard DNS.\n2. Keep your DNS-entries constantly vetted and restricted.",
+ "id": "injection_basic_safety_message",
+ "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the Basic Safety Message.",
"references": [
- "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"
+ "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
]
},
{
- "id": "high_impact_subdomain_takeover",
- "remediation_advice": "1. Set up your external service so it fully listens to your wildcard DNS.\n2. Keep your DNS-entries constantly vetted and restricted.",
+ "id": "injection_battery_management_system",
+ "remediation_advice": "Filter malicious CANBus requests or codes that can be injected into the battery management system.",
"references": [
- "https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/"
+ "https://i.blackhat.com/USA-20/Wednesday/us-20-Kiley-Reverse-Engineering-The-Tesla-Battery-Management-System-To-Increase-Power-Available.pdf"
]
},
{
- "id": "zone_transfer",
- "remediation_advice": "Do not allow DNS zone transfers.",
+ "id": "injection_disallowed_messages",
+ "remediation_advice": "Filter malicious CANbus requests or codes especially if not included in the DBC file by implementing a secure gateway.",
"references": [
- "https://www.sans.org/reading-room/whitepapers/dns/securing-dns-zone-transfer-868",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0532"
+ "https://news.voyage.auto/an-introduction-to-the-can-bus-how-to-programmatically-control-a-car-f1b18be4f377"
]
},
{
- "id": "missing_caa_record",
- "remediation_advice": "As the domain name holder you can modify the DNS zone file to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.",
+ "id": "injection_dos",
+ "remediation_advice": "Filter malicious CANbus requests or codes by implementing a secure gateway, as well as limit access to input ports (specifically OBD-II) on automobiles as pointed out by CERT.",
"references": [
- "https://tools.ietf.org/html/rfc6844"
+ "https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-209-01",
+ "http://www.autoconnectedcar.com/2017/08/connect-car-can-bus-cant-handle-dos-hacksattacks-researchers-report-can-standard-can-be-changed/"
]
- }
- ]
- },
- {
- "id": "mail_server_misconfiguration",
- "children": [
+ },
{
- "id": "no_spoofing_protection_on_email_domain",
- "remediation_advice": "Create a DMARC policy to prevent email spoofing. Please note that if your DMARC policy is not set up properly it may result in email delivery issues.",
+ "id": "injection_headlights",
+ "remediation_advice": "Filter malicious CANBus requests or codes that can be injected into the headlights.",
"references": [
- "https://mxtoolbox.com/DMARCRecordGenerator.aspx",
- "https://dmarc.org/2016/03/best-practices-for-email-senders/",
- "https://www.ftc.gov/system/files/documents/reports/businesses-can-help-stop-phishing-protect-their-brands-using-email-authentication-ftc-staff/email_authentication_staff_perspective.pdf"
+ "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
]
},
{
- "id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
- "remediation_advice": "SPF is not a sufficient email spoofing protection in case of some of the largest email providers. Emails spoofed for domains having properly configured hard fail SPF records may still be delivered to the recipient's inbox. In order to fully prevent email spoofing create a DMARC record with āp=rejectā policy. Please note that if your DMARC policy is not set up properly it may result in email delivery issues.",
+ "id": "injection_powertrain",
+ "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the Powertrain.",
"references": [
- "https://mxtoolbox.com/DMARCRecordGenerator.aspx",
- "https://dmarc.org/2016/03/best-practices-for-email-senders/",
- "https://www.ftc.gov/system/files/documents/reports/businesses-can-help-stop-phishing-protect-their-brands-using-email-authentication-ftc-staff/email_authentication_staff_perspective.pdf"
+ "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
]
},
{
- "id": "email_spoofing_to_spam_folder",
- "remediation_advice": "In order to fully prevent email spoofing create a DMARC record with āp=rejectā policy. Please note that if your DMARC policy is not set up properly it will result in email delivery issues.",
+ "id": "injection_pyrotechnical_device_deployment_tool",
+ "remediation_advice": "Countermeasures of this attack include selection of suitable technologies, hard-wired plausibility checks, usage of cryptography, and hardening against brute force attacks of the keys or algorithms.",
"references": [
- "https://dmarc.org/wiki/FAQ#My_mail_is_going_to_the_spam_folder_now.2C_is_DMARC_the_problem.3F",
- "https://mxtoolbox.com/DMARCRecordGenerator.aspx",
- "http://www.openspf.org/SPF_Record_Syntax"
+ "https://www.rapid7.com/db/modules/post/hardware/automotive/pdt/"
]
},
{
- "id": "missing_or_misconfigured_spf_and_or_dkim",
- "remediation_advice": "1. Consider adding email spoofing protections for all your domains as attackers may resort to spoofing those, regardless of whether emails originate from them or not. Victims can still be fooled by seeing your domain.\n2. Consider using -all instead of ~all in the SPF record. Please be aware that using -all may result in email delivery issues.\n3. Since there is a limit of 10 DNS lookups per SPF record, specifying an IP address or address range is preferable for long lists of outgoing mail servers.",
+ "id": "injection_sensors",
+ "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the sensors.",
"references": [
- "http://www.openspf.org/SPF_Record_Syntax",
- "http://www.openspf.org/FAQ/Common_mistakes#include"
+ "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
]
},
{
- "id": "email_spoofing_on_non_email_domain",
- "remediation_advice": "Consider adding email spoofing protections for all your domains as attackers may resort to spoofing those, regardless of whether emails originate from them or not. Victims can still be fooled by seeing your domain.",
+ "id": "injection_steering_control",
+ "remediation_advice": "Filter malicious CANBus requests or codes that can be injected into the steering control.",
"references": [
- "https://mxtoolbox.com/DMARCRecordGenerator.aspx",
- "https://dmarc.org/2016/03/best-practices-for-email-senders/",
- "https://www.ftc.gov/system/files/documents/reports/businesses-can-help-stop-phishing-protect-their-brands-using-email-authentication-ftc-staff/email_authentication_staff_perspective.pdf"
+ "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
+ ]
+ },
+ {
+ "id": "injection_vehicle_anti_theft_systems",
+ "remediation_advice": "Filter malicious CANBus requests or codes that can be used to manipulate the Vehicle Anti-theft Systems.",
+ "references": [
+ "https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1484-3"
]
}
]
},
{
- "id": "dbms_misconfiguration",
+ "id": "gnss_gps",
"children": [
{
- "id": "excessively_privileged_user_dba",
- "remediation_advice": "Ensure that the current DBMS session user has the least amount of privilege necessary.",
+ "id": "spoofing",
+ "remediation_advice": "Implement a system that detects GPS spoofing which evaluates or prevents the system from believing and acting on false data.",
"references": [
- "https://www.owasp.org/index.php/Least_privilege"
+ "https://www.kaspersky.com/blog/gps-spoofing-protection/26837/"
]
}
]
},
{
- "id": "lack_of_password_confirmation",
+ "id": "immobilizer",
"children": [
{
- "id": "change_email_address",
- "remediation_advice": "1. Use a password confirmation if the email address associated with the account is going to be changed.\n2. As a best practice, send the original email address a confirmation that the email address on their account is being changed. Have the user confirm that they want to change their email address as well as prompting the user for their password."
- },
- {
- "id": "change_password",
- "remediation_advice": "Use a password confirmation if the original password associated with the account is going to be changed."
- },
- {
- "id": "delete_account",
- "remediation_advice": "Use a password confirmation if there is a request to delete the account."
- },
- {
- "id": "manage_two_fa",
- "remediation_advice": "Use a password confirmation when managing 2FA settings."
+ "id": "engine_start",
+ "remediation_advice": "Implement a secure gateway to protect against immobilizer attacks, assign significant bytes in data and a method to send an abnormal signal overwriting the false data when a communication error has occurred.",
+ "references": [
+ "https://www.kaspersky.com/blog/36c3-immobilizers/32419/"
+ ]
}
]
},
{
- "id": "no_rate_limiting_on_form",
- "references": [
- "https://www.owasp.org/index.php?title=OWASP_Periodic_Table_of_Vulnerabilities_-_Brute_Force_(Generic)_/_Insufficient_Anti-automation&setlang=en",
- "http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation"
- ],
+ "id": "infotainment_radio_head_unit",
"children": [
{
- "id": "registration",
- "remediation_advice": "1. Use a `CAPTCHA` to limit user registration requests.\n2. Use a rate limit per IP address to throttle the amount of user registration requests that can be made in a certain amount of time."
+ "id": "code_execution_can_bus_pivot",
+ "remediation_advice": "Filter arbitrary commands and apply input validation to any media devices to prevent executing from the infotainment system. Make sure that the infotainment system is on a sandbox module and does not have direct interaction to the CANbus network.",
+ "references": [
+ "https://motherboard.vice.com/en_us/article/3kvw8y/researchers-hack-car-infotainment-system-and-find-sensitive-user-data-inside",
+ "https://www.bleepingcomputer.com/news/security/you-can-hack-some-mazda-cars-with-a-usb-flash-drive/",
+ "http://illmatics.com/carhacking.html"
+ ]
},
{
- "id": "login",
- "remediation_advice": "1. Use a `CAPTCHA` to limit login attempts.\n2. Use a rate limit per IP address to throttle the amount of login requests that can be made in a certain amount of time.\n3. Be careful about locking a user account out as a result of rate limiting."
+ "id": "code_execution_no_can_bus_pivot",
+ "remediation_advice": "Filter arbitrary commands and apply input validation to any media devices to prevent executing from the infotainment system.",
+ "references": [
+ "https://motherboard.vice.com/en_us/article/3kvw8y/researchers-hack-car-infotainment-system-and-find-sensitive-user-data-inside",
+ "https://www.bleepingcomputer.com/news/security/you-can-hack-some-mazda-cars-with-a-usb-flash-drive/",
+ "http://illmatics.com/carhacking.html"
+ ]
},
{
- "id": "email_triggering",
- "remediation_advice": "1. Use a `CAPTCHA` to limit email triggering requests.\n2. Use a rate limit per IP address to throttle the amount of email triggering requests that can be made in a certain amount of time."
+ "id": "default_credentials",
+ "remediation_advice": "Do not ship infotainment systems with any configured accounts or with default and common usernames and passwords. Do not hard code any backdoor accounts or special access mechanisms.",
+ "references": [
+ "https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)",
+ "https://www.owasp.org/index.php/Configuration#Default_passwords"
+ ]
},
{
- "id": "sms_triggering",
- "remediation_advice": "1. Use a `CAPTCHA` to limit SMS triggering requests.\n2. Use a rate limit per IP address to throttle the amount of SMS triggering requests that can be made in a certain amount of time."
- }
- ]
- },
- {
- "id": "unsafe_file_upload",
- "references": [
- "https://www.owasp.org/index.php/Unrestricted_File_Upload",
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Protect_FileUpload_Against_Malicious_File.md"
- ],
- "children": [
- {
- "id": "no_antivirus",
- "remediation_advice": "As a best practice, consider using endpoint protection to check uploaded files for malware and viruses."
+ "id": "dos_brick",
+ "remediation_advice": "Filter malicious payloads or string attacks. Apply rate limiting on the app level side.",
+ "references": [
+ "https://www.owasp.org/index.php/Application_Denial_of_Service",
+ "https://www.forbes.com/sites/leemathews/2017/04/10/a-malware-outbreak-is-bricking-insecure-iot-devices/#36603e4a29a3",
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Denial_of_Service_Cheat_Sheet.md"
+ ]
},
{
- "id": "no_size_limit",
- "remediation_advice": "Have a server-side check for the size limit of file uploads."
+ "id": "ota_firmware_manipulation",
+ "remediation_advice": "Implement key signing and firmware verification.",
+ "references": [
+ "https://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/"
+ ]
},
{
- "id": "file_extension_filter_bypass",
- "remediation_advice": "As a best practice, consider using a whitelist of accepted file extensions in order to mitigate against a bypass."
- }
- ]
- },
- {
- "id": "cookie_scoped_to_parent_domain",
- "remediation_advice": "If possible do not set the domain for the session cookie. If domain is not set, so by default, the cookie will be a host only cookie, meaning accessible explicitly to the domain from which it was set.",
- "references": [
- "https://tools.ietf.org/html/rfc6265"
- ]
- },
- {
- "id": "missing_secure_or_httponly_cookie_flag",
- "references": [
- "https://www.owasp.org/index.php/SecureFlag",
- "https://www.owasp.org/index.php/HttpOnly"
- ],
- "children": [
+ "id": "sensitive_data_leakage_exposure",
+ "remediation_advice": "Do not store sensitive data such as call logs, text messages, and contact lists or names as plaintext in the infotainment system.",
+ "references": [
+ "https://www.prnewswire.com/news-releases/carsblues-vehicle-hack-exploits-vehicle-infotainment-systems-allowing-access-to-call-logs-text-messages-and-more-300751244.html"
+ ]
+ },
{
- "id": "session_token",
- "remediation_advice": "Set the `Secure` and `HTTPOnly` cookie flags for the session token."
+ "id": "source_code_dump",
+ "remediation_advice": "Obfuscate the code and find creative ways to break disassemblers and debuggers.",
+ "references": [
+ "https://en.wikipedia.org/wiki/Security_through_obscurity",
+ "https://www.researchgate.net/publication/320859156_Source_Code_Vulnerabilities_in_IoT_Software_Systems"
+ ]
},
{
- "id": "non_session_cookie",
- "remediation_advice": "Consider setting the `Secure` and `HTTPOnly` cookie flags for sensitive cookies."
+ "id": "unauthorized_access_to_services",
+ "remediation_advice": "Filter services that allow you to control the vehicle or infotainment system from being accessed by unauthorized users. Apply authentication mechanisms to certain endpoints.",
+ "references": [
+ "https://www.troyhunt.com/controlling-vehicle-features-of-nissan/"
+ ]
}
]
},
{
- "id": "clickjacking",
- "references": [
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md",
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo_bp"
- ],
+ "id": "rf_hub",
"children": [
{
- "id": "sensitive_action",
- "remediation_advice": "1. Use the `X-Frame-Options: DENY` HTTP response header on pages with sensitive information, to disallow framing of the page on external resources.\n2. In the case where `DENY` is not an option, use `X-Frame-Options: SAMEORIGIN`.\n3. In the case where `SAMEORIGIN` is not an option, `X-Frame-Options: ALLOW-FROM https://example.com/`."
+ "id": "can_injection_interaction",
+ "remediation_advice": "Implement a secure gateway that prevents CAN Injection from the RF Hub.",
+ "references": [
+ "https://www.reddit.com/r/CarHacking/comments/73qs0x/chrysler_sgw_security_gateway/"
+ ]
},
{
- "id": "form_input",
- "remediation_advice": "1. Use the `X-Frame-Options: DENY` HTTP response header on pages with sensitive information, to disallow framing of the page on external resources.\n2. In the case where `DENY` is not an option, use `X-Frame-Options: SAMEORIGIN`.\n3. In the case where `SAMEORIGIN` is not an option, `X-Frame-Options: ALLOW-FROM https://example.com/`."
+ "id": "data_leakage_pull_encryption_mechanism",
+ "remediation_advice": "Inspect outgoing traffic from the RF Hub and make sure encryption mechanism cannot be extracted.",
+ "references": [
+ "https://www.networkworld.com/article/2284289/data-leak-prevention-and-encryption--tools-that-can-work-together.html"
+ ]
},
{
- "id": "non_sensitive_action",
- "remediation_advice": "As a best practice, consider adding the `X-FRAME-OPTIONS: SAMEORIGIN` HTTP response header to all responses going to the user's browser to avoid unnecessary cross-origin iframe access."
- }
- ]
- },
- {
- "id": "oauth_misconfiguration",
- "children": [
- {
- "id": "account_takeover",
- "remediation_advice": "Ensure correct implementation of OAuth protocol in order to protect client secrets and tokens, and provide secure access controls.",
+ "id": "key_fob_cloning",
+ "remediation_advice": "Implement key fob encryption.",
"references": [
- "https://tools.ietf.org/html/rfc6819"
+ "https://electronics.howstuffworks.com/gadgets/automotive/unlock-car-door-remote1.htm",
+ "https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/"
]
},
{
- "id": "missing_state_parameter",
- "remediation_advice": "The OAuth state parameter is a form of CSRF protection, ensure that it is in place and properly validated."
+ "id": "relay",
+ "remediation_advice": "Block the transmission of unwanted radio signals and block all forms of the amplification attacks.",
+ "references": [
+ "https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/",
+ "https://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/"
+ ]
},
{
- "id": "insecure_redirect_uri",
- "remediation_advice": "When the application starts the OAuth flow, it will direct the user to your serviceās authorization endpoint. The request will have several parameters in the URL, including a redirect URL.\n\nAt this point, the authorization server must validate the redirect URL to ensure the URL in the request matches one of the registered URLs for the application. The request will also have a client_id parameter, so the service should look up the redirect URLs based on that. It is entirely possible for an attacker to craft an authorization request with one appās client ID and the attackerās redirect URL, which is why registration is required.\n\nThe service should look for an exact match of the URL, and avoid matching on only part of the specific URL. (The client can use the state parameter if it needs to customize each request.) Simple string matching is sufficient since the redirect URL canāt be customized per request. All the server needs to do is check that the redirect URL in the request matches one of the redirect URLs the developer entered when registering their application.\n\nIf the redirect URL is not one of the registered redirect URLs, then the server must immediately show an error indicating such, and not redirect the user. This avoids having your authorization server be used as an open redirector.",
+ "id": "replay",
+ "remediation_advice": "Block the transmission of unwanted radio signals and block all forms of the amplification attacks.",
"references": [
- "https://www.oauth.com/oauth2-servers/redirect-uris/"
+ "https://www.wired.com/2017/04/just-pair-11-radio-gadgets-can-steal-car/",
+ "https://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/"
]
- }
- ]
- },
- {
- "id": "captcha",
- "children": [
- {
- "id": "implementation_vulnerability",
- "remediation_advice": "1. Introduce a proper server-side check for the `CAPTCHA`.\n2. Make sure that the user input matches the `CAPTCHA`.\n3. Make sure that the `CAPTCHA` is difficult to solve by computers."
},
{
- "id": "brute_force",
- "remediation_advice": "As a best practice, consider disallowing multiple attempts to guess the same CAPTCHA."
+ "id": "roll_jam",
+ "remediation_advice": "Update how rolling codes work in vehicles and do over-the-air update capabilities.",
+ "references": [
+ "https://makezine.com/2015/08/11/anatomy-of-the-rolljam-wireless-car-hack/"
+ ]
},
{
- "id": "missing",
- "remediation_advice": "As a best practice, consider using CAPTCHAs to prevent automated software from engaging in abusive activities on your site."
+ "id": "unauthorized_access_turn_on",
+ "remediation_advice": ""
}
]
},
{
- "id": "exposed_admin_portal",
+ "id": "rsu",
"children": [
{
- "id": "to_internet",
- "remediation_advice": "As a best practice, consider restricting admin portal access to internal users only."
+ "id": "sybil_attack",
+ "remediation_advice": "Known approaches to Sybil attack prevention include identity validation, social trust graph algorithms, or economic costs, personhood validation, and application-specific defenses.",
+ "references": [
+ "https://en.wikipedia.org/wiki/Sybil_attack"
+ ]
}
]
- },
+ }
+ ]
+ },
+ {
+ "id": "blockchain_infrastructure_misconfiguration",
+ "remediation_advice": "1. Implement secure default settings and restrict administrative access to nodes and infrastructure.\n2. Regularly audit and validate network configurations against industry best practices.\n3. Use automated tools to detect and resolve misconfigurations in real time.\n4. Harden consensus mechanisms by enforcing robust cryptographic standards and validating peer integrity.\n5. Monitor network activity to detect and mitigate potential exploits stemming from misconfigurations.",
+ "references": [
+ "https://nordlayer.com/blog/blockchain-security-issues/"
+ ]
+ },
+ {
+ "id": "broken_access_control",
+ "children": [
{
- "id": "missing_dnssec",
- "remediation_advice": "As a best practice, consider utilizing the Domain Name System Security Extensions, as this will help the DNS protocol to be less susceptible to certain attacks.",
+ "id": "bypass_of_password_confirmation",
+ "remediation_advice": "Ensure that password confirmation checks are enforced server-side for all sensitive operations. Do not rely solely on client-side enforcement, as it can be bypassed. Use middleware or access control logic to validate the user's current password before processing the request.",
"references": [
- "https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en"
+ "https://portswigger.net/web-security/access-control"
]
},
{
- "id": "fingerprinting_banner_disclosure",
- "remediation_advice": "As a best practice, do not expose the specific software version."
+ "id": "exposed_sensitive_android_intent",
+ "remediation_advice": "1. If you use an intent to bind to a Service, ensure that your app is secure by using an explicit intent. Using an implicit intent to start a service is a security risk as you can't be certain what service will respond to the intent, and the user can't see which service starts.\n2. If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications can't register to receive those messages without appropriate permissions. In these circumstances you may also consider invoking the receiver directly rather than raising a broadcast.\n3. By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you may want to apply security permissions to receivers using the element within the application manifest. This prevents applications without appropriate permissions from sending an intent to the BroadcastReceiver.\n",
+ "references": [
+ "https://www.owasp.org/index.php/Mobile_Top_10_2016-M1-Improper_Platform_Usage"
+ ]
},
{
- "id": "username_enumeration",
- "children": [
- {
- "id": "brute_force",
- "remediation_advice": "Login: When an authentication request fails, ensure that all responses are identical, regardless of whether it was the username or the password that caused the authentication to fail. The HTTP response needs to be the same as well. There should not be a single byte or bit difference.\n\nReset Password: There can not be a discrepancy in the form responses when using the reset a password functionality. The same message should be sent, back to the user, regardless of whether the username or email exists as an account or not.\n\nRegistration: As a best practice to prevent usernames from being enumerated when creating an account, the username should be an email address. When an attempt is made to create a new user account, the same message can be displayed regardless of whether the email address exists in the system or not. For example: \"A confirmation has been sent to the email provided.\"",
- "references": [
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md#authentication-and-error-messages"
- ]
- }
+ "id": "exposed_sensitive_ios_url_scheme",
+ "remediation_advice": "Apple does not enforce the unique naming for App schemes, making it possible for a malicious app to use the same URL Scheme as a legitimate app, effectively hijacking the URL Scheme. As a result, it is important to keep the URL Scheme from being exposed.",
+ "references": [
+ "https://www.owasp.org/index.php/Mobile_Top_10_2016-M1-Improper_Platform_Usage",
+ "https://developer.apple.com/library/content/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/Inter-AppCommunication/Inter-AppCommunication.html"
]
},
{
- "id": "potentially_unsafe_http_method_enabled",
+ "id": "idor",
+ "remediation_advice": "1. **Use per user or session indirect object references.** This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource's database key, a drop-down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP's `ESAPI` includes both sequential and random access reference maps that developers can use to eliminate direct object references.\n2. **Check access.** Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.",
"references": [
- "https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)"
- ],
- "children": [
- {
- "id": "options",
- "remediation_advice": "As a best practice, consider turning off the `OPTIONS` HTTP request method, unless absolutely necessary. The OPTIONS method provides a list of the methods that are supported by the web server."
- },
- {
- "id": "trace",
- "remediation_advice": "As a best practice, consider turning off the `TRACE` HTTP request method unless absolutely necessary. Doing so will mitigate against potential Cross Site Tracing attacks.",
- "references": [
- "https://www.owasp.org/index.php/Cross_Site_Tracing"
- ]
- }
+ "https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References",
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.md"
]
},
{
- "id": "insecure_ssl",
- "children": [
- {
- "id": "lack_of_forward_secrecy",
- "remediation_advice": "As a best practice, consider using Forward Secrecy. This ensures that broad decrypting of recorded HTTPS sessions can not happen, should the private key become publicly accessible.",
- "references": [
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md#rule---prefer-ephemeral-key-exchanges"
- ]
- },
- {
- "id": "insecure_cipher_suite",
- "remediation_advice": "As a best practice, consider supporting only cipher suites that are known to be secure.",
- "references": [
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md#rule---only-support-strong-cryptographic-ciphers"
- ]
- },
- {
- "id": "certificate_error",
- "remediation_advice": "As a best practice, consider resolving any SSL certificate errors in order to establish trust and allow secure connections.",
- "references": [
- "https://cheapsslsecurity.com/blog/google-chrome-ssl-certificate-errors-troubleshoot-guide/"
- ]
- }
+ "id": "privilege_escalation",
+ "remediation_advice": "1. **Least Privilege Principle:** Enforce the least privilege principle by ensuring that users and processes operate using the minimum permissions necessary to perform their tasks. \n2. **Regular Audits:** Conduct regular audits of system permissions and user roles to identify and rectify excessive permissions or misconfigurations. \n3. **Patch Management:** Keep all systems, applications, and services up to date with the latest security patches to close vulnerabilities that could be exploited for privilege escalation.",
+ "references": [
+ "https://owasp.org/www-community/attacks/Privilege_escalation",
+ "https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege"
]
},
{
- "id": "rfd",
- "remediation_advice": "1. Sanitize your API inputs (in this case they should just allow alphanumerics). Escaping is not sufficient.\n2. Add `Content-Disposition: attachment; filename=\"foo.bar\"` on APIs that are not going to be rendered.\n3. Add `X-Content-Type-Options: nosniff` header to API responses.",
+ "id": "username_enumeration",
+ "remediation_advice": "Ensure that the application does not reveal existing user names and any data associated with them, whether it's a consequence of misconfiguration or a design decision.",
"references": [
- "https://www.owasp.org/index.php/Reflected_File_Download"
+ "https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control",
+ "https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure",
+ "http://projects.webappsec.org/w/page/13246936/Information%20Leakage"
+ ]
+ }
+ ]
+ },
+ {
+ "id": "broken_authentication_and_session_management",
+ "remediation_advice": "1. **API:** Use security focused APIs to check for proper security controls.\n2. **Session Management:** Use proper session management checks to disallow unauthenticated users accessing protected and sensitive resources.\n3. **Access Control:** Use proper access control checks to disallow unprivileged users from accessing protected and sensitive resources.",
+ "references": [
+ "https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication",
+ "https://www.owasp.org/index.php/Broken_Authentication_and_Session_Management",
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md",
+ "http://projects.webappsec.org/Insufficient-Authentication",
+ "https://www.cvedetails.com/vulnerability-list/opgpriv-1/gain-privilege.html"
+ ],
+ "children": [
+ {
+ "id": "cleartext_transmission_of_session_token",
+ "remediation_advice": "Ensure that session tokens are transmitted over protected channels at all times. If the secure cookie flag is not an option ensure that the application does not support unencrypted communication.",
+ "references": [
+ "https://www.owasp.org/index.php/Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-003)",
+ "https://www.owasp.org/index.php/SecureFlag"
]
},
{
- "id": "lack_of_security_headers",
+ "id": "concurrent_logins",
+ "remediation_advice": "As a best practice, consider disallowing multiple concurrent user sessions or logins."
+ },
+ {
+ "id": "failure_to_invalidate_session",
"children": [
{
- "id": "x_frame_options",
- "remediation_advice": "As a best practice, consider using the X-Frame-Options header as it will help mitigate against potential Clickjacking or other UI redressing attacks.",
- "references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo_bp",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options"
- ]
- },
- {
- "id": "cache_control_for_a_non_sensitive_page",
- "remediation_advice": "As a best practice, consider using the `Cache-Control: no-cache` as it will help insure that the browser does not cache pages. Although the page may not currently contain sensitive data, sensitive data may be unintentionally placed there in the future.",
- "references": [
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control"
- ]
- },
- {
- "id": "x_xss_protection",
- "remediation_advice": "As a best practice, consider using the `X-XSS-Protection` header as it will help ensure browsers that support this header will detect and help mitigate against reflected Cross Site Scripting. It is important to note that this will not completely mitigate against all reflected Cross Site Scripting attacks, but will help prevent many generic injection attacks.",
- "references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xxxsp_bp",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection"
- ]
- },
- {
- "id": "strict_transport_security",
- "remediation_advice": "As a best practice, consider using the `Strict-Transport-Security` header as it will help ensure protection against TLS protocol downgrade attacks and cookie hijacking. The header also ensures that browsers are only serving requests using a secure HTTPS connection.",
- "references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security"
- ]
+ "id": "all_sessions",
+ "remediation_advice": "As a best practice, consider invalidating all user sessions on logout."
},
{
- "id": "x_content_type_options",
- "remediation_advice": "As a best practice, consider using the `X-Content-Type-Options: nosniff` header as it will help prevent ambiguous handling of file types via Content Sniffing. Adding this header will prevent Cross Site Scripting attacks on files that do not have an explicit file type of \"text/html\".",
- "references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xcto",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options"
- ]
+ "id": "long_timeout",
+ "remediation_advice": "As a best practice, consider invalidating sessions after a shorter period of time."
},
{
- "id": "content_security_policy",
- "remediation_advice": "As a best practice, consider using the `Content-Security-Policy` header as it will help prevent Cross Site Scripting as well as other types of injection attacks. However, be aware that Content Security Policy has a significant impact on how the browser renders pages, so careful tuning is required.",
- "references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
- ]
+ "id": "on_email_change",
+ "remediation_advice": "As a best practice, consider invalidating all sessions upon email change."
},
{
- "id": "public_key_pins",
- "remediation_advice": "As a best practice, consider using the `Public-Key-Pins` header as it will help prevent website impersonation by mis-issued or otherwise fraudulent certificates. It is important to note that if this header is used incorrectly, it may prevent users from accessing a resource for an extended period of time.",
+ "id": "on_logout",
+ "remediation_advice": "Properly invalidate the session on the client and server-side when the user logs out of their session.",
"references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hpkp",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Public-Key-Pins"
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#manual-session-expiration"
]
},
{
- "id": "x_content_security_policy",
- "remediation_advice": "As a best practice, consider using the `X-Content-Security-Policy` header as it will help prevent Cross Site Scripting as well as other types of injection attacks. However, be aware that Content Security Policy has a significant impact on how the browser renders pages, so careful tuning is required.",
+ "id": "on_logout_server_side_only",
+ "remediation_advice": "Properly invalidate the session on the server-side when the user logs out of their session.",
"references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#manual-session-expiration"
]
},
{
- "id": "x_webkit_csp",
- "remediation_advice": "As a best practice, consider using the `X-Webkit-CSP` header as it will help prevent Cross Site Scripting as well as other types of injection attacks. However, be aware that Content Security Policy has a significant impact on how the browser renders pages, so careful tuning is required.",
+ "id": "on_password_change",
+ "remediation_advice": "Properly invalidate all user sessions server-side when the user resets their password and at a minimum, invalidate all non-current user sessions sever-side when the user changes their password.",
"references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Session_Management_Cheat_Sheet.md#renew-the-session-id-after-any-privilege-level-change"
]
},
{
- "id": "content_security_policy_report_only",
- "remediation_advice": "As a best practice, consider using the `Content-Security-Policy-Report-Only` header as it will help when testing out the implementation of a Content Security Policy, to prevent Cross Site Scripting as well as other types of injection attacks.",
- "references": [
- "https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#csp",
- "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"
- ]
+ "id": "on_two_fa_activation_change",
+ "remediation_advice": "As a best practice, consider invalidating all sessions upon 2FA activation or change."
},
{
- "id": "cache_control_for_a_sensitive_page",
- "remediation_advice": "Add the `Cache-Control` HTTP response header such as `Cache-Control: no-cache`, as it will help insure that the browser does not cache sensitive pages."
+ "id": "permission_change",
+ "remediation_advice": "Review and update the necessary permissions, ensuring they align with the new requirements, and consider implementing a robust permission management system for better control and tracking."
}
]
},
{
- "id": "waf_bypass",
- "children": [
- {
- "id": "direct_server_access",
- "remediation_advice": "To ensure that your origin servers cannot be accessed directly, only accept traffic coming from your Web Application Firewall provider's IP ranges, rather than trusting that your servers remain inaccessible due to their IP's being secret.",
- "references": [
- "https://blog.christophetd.fr/bypassing-cloudflare-using-internet-wide-scan-data/"
- ]
- }
+ "id": "saml_replay",
+ "references": [
+ "https://snyk.io/blog/common-saml-vulnerabilities-remediate/",
+ "https://support.okta.com/help/s/article/okta-service-has-protection-against-replay-attacks?language=en_US"
]
},
{
- "id": "race_condition",
- "remediation_advice": "The key to preventing a race condition is to find a way to synchronize or otherwise strictly control the order of operations in potentially vulnerable functions and actions. The best way to do this is through locks. Most programming languages have a built-in locking functionality for data; for example, Python has āthreading.Lockā, and Go has āsync.Mutexā. Refer to the documentation for your programming language of choice for more information. If the language has multi-threaded or asynchronous capabilities built-in, it should have some form of locking mechanism available to you.",
+ "id": "session_fixation",
+ "remediation_advice": "Always regenerate the session token after the users properly authenticate.",
"references": [
- "https://lightningsecurity.io/blog/race-conditions/",
- "https://blog.securitycompass.com/moving-beyond-the-owasp-top-10-part-1-race-conditions-912dccbb7c14",
- "https://medium.com/in-the-weeds/fixing-a-race-condition-c8b475fbb994",
- "https://blog.arkency.com/2015/09/testing-race-conditions/",
- "http://www.javacreed.com/what-is-race-condition-and-how-to-prevent-it/",
- "https://blog.golang.org/race-detector"
+ "http://projects.webappsec.org/w/page/13246960/Session%20Fixation"
]
},
{
- "id": "cache_poisoning",
- "remediation_advice": "The most robust defense against cache poisoning is to disable caching. This is plainly unrealistic advice for some, but it's likely that some websites that start using a service like Cloudflare for DDoS protection or easy SSL end up vulnerable to cache poisoning simply because caching is enabled by default.\n\nRestricting caching to purely static responses is also effective, provided you're sufficiently wary about what you define as 'static'.\n\nLikewise, avoiding taking input from headers and cookies is an effective way to prevent cache poisoning, but it's hard to know if other layers and frameworks are sneaking in support for extra headers. You might want to audit every page of your application with Param Miner to flush out unkeyed inputs.\n\nOnce you've identified unkeyed inputs in your application, the ideal solution is to outright disable them. Failing that, you could strip the inputs at the cache layer, or add them to the cache key. Some caches let you use the Vary header to key unkeyed inputs, and others let you define custom cache keys but may restrict this feature to 'enterprise' customers.\n\nFinally, regardless of whether your application has a cache, some of your clients may have a cache at their end and as such client-side vulnerabilities like XSS in HTTP headers should never be ignored.",
+ "id": "two_fa_bypass",
"references": [
- "https://portswigger.net/blog/practical-web-cache-poisoning"
+ "https://www.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASP-AT-009)"
]
},
{
- "id": "bitsquatting",
- "remediation_advice": "As a best practice, consider registering any potential bitsquatting domain names.",
+ "id": "weak_login_function",
+ "remediation_advice": "Login forms should always be served over `HTTPS`, as well as all credentials should be transmitted over an encrypted channel at all times.\n\nAlways provide secure protocols for authentication connections as well as consider disabling any insecure protocols that are available.",
"references": [
- "http://dinaburg.org/bitsquatting.html"
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md#transmit-passwords-only-over-tls-or-other-strong-transport"
]
}
]
},
{
- "id": "server_side_injection",
- "remediation_advice": "Preventing injection requires keeping untrusted data separate from commands and queries.",
- "references": [
- "https://www.owasp.org/index.php/Top_10-2017_A1-Injection"
- ],
+ "id": "client_side_injection",
"children": [
{
- "id": "file_inclusion",
- "remediation_advice": "1. Don't allow user input in file paths. If hard-coding is not an option, select input from a limited list via an index variable.\n2. If dynamic path concatenation is a must have. Only accept required characters. Allow `a-z 0-9` and do not allow `..` or `/` or `%00` (null byte) or any unexpected characters.\n3. For API's allow only inclusion for a specific directory and those below it, this stops traversal attacks.",
+ "id": "binary_planting",
+ "remediation_advice": "1. Use fully qualified paths when loading binaries.\n2. Remove the current working directory (CWD) from the binary search path or if the application depends on loading a binary from the current directory, the path should be obtained first and used to pass in a fully qualified path.\n3. Secure access permissions on a local directory as to not allow a local attacker to plant a malicious binary in a trusted location.",
"references": [
- "http://resources.infosecinstitute.com/file-inclusion-attacks/",
- "https://en.wikipedia.org/wiki/File_inclusion_vulnerability",
- "https://www.cvedetails.com/vulnerability-list/opfileinc-1/file-inclusion.html"
+ "http://www.binaryplanting.com/guidelinesDevelopers.htm"
]
- },
+ }
+ ]
+ },
+ {
+ "id": "cross_site_request_forgery_csrf",
+ "remediation_advice": "1. Consider using a known and secure CSRF synchronizer API and apply the generated CSRF token to every request. If infeasible to apply to every request, generate a CSRF token for the entire session and apply that to every request or, at minimum, every request considered sensitive. Always make sure to check the actual CSRF token.\n2. Consider verifying using same-origin rules to the source and target by checking the `Origin` and `Referer` headers.\n3. Consider using the `Double Submit Cookie` pattern.\n4. Consider using the `Encrypted Token` pattern.\n5. Consider protecting REST services by using the `X-Requested-With: XMLHttpRequest` header in all requests.\n6. Consider using re-authentication in cases where the request is particularly sensitive. This is the most effective CSRF prevention technique, however it does disturb the entire user experience.",
+ "references": [
+ "https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)",
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md",
+ "http://projects.webappsec.org/w/page/13246919/Cross%20Site%20Request%20Forgery",
+ "https://www.cvedetails.com/vulnerability-list/opcsrf-1/csrf.html"
+ ]
+ },
+ {
+ "id": "cross_site_scripting_xss",
+ "remediation_advice": "1. Always treat all user input as untrusted data.\n2. Never insert untrusted data except in allowed locations.\n3. Always input or output-encode all data coming into or out of the application.\n4. Always whitelist allowed characters and seldom use blacklisting of characters except in certain use cases.\n5. Always use a well-known and security encoding API for input and output encoding such as the `OWASP ESAPI`.\n6. Never try to write input and output encoders unless absolutely necessary. Chances are that someone has already written a good one.\n7. Never use the DOM function `innerHtml` and instead use the functions `innerText` and `textContent` to prevent against DOM-based XSS.\n8. As a best practice, consider using the `HTTPOnly` flag on cookies that are session tokens or sensitive tokens.\n9. As a best practice, consider implementing `Content Security Policy` to protect against XSS and other injection type attacks.\n10. As a best practice, consider using an auto-escaping templating system.",
+ "references": [
+ "https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)",
+ "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)",
+ "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md",
+ "http://projects.webappsec.org/Cross-Site+Scripting",
+ "https://www.cvedetails.com/vulnerability-list/opxss-1/xss.html"
+ ],
+ "children": [
{
- "id": "remote_code_execution_rce",
- "remediation_advice": "The most effective method of eliminating Code Injection vulnerabilities is to avoid code evaluation at all costs unless absolutely and explicitly necessary (i.e. there is no possibility of achieving the same result without code evaluation). In the event where code evaluation is necessary, it is crucial for any user input to be very strongly validated, with as many restrictions as possible on user input.",
+ "id": "trace_method",
+ "remediation_advice": "As the TRACE method can be utilized to bypass certain protections, consider disabling the HTTP method TRACE.",
"references": [
- "https://www.owasp.org/index.php/Command_Injection",
- "https://www.cvedetails.com/vulnerability-list/opec-1/execute-code.html"
+ "https://www.owasp.org/index.php/Cross_Site_Tracing"
]
- },
+ }
+ ]
+ },
+ {
+ "id": "cryptographic_weakness",
+ "children": [
{
- "id": "sql_injection",
- "remediation_advice": "Ensure that proper server-side input validation is performed on all sources of user input. Various protections should be implemented using the following in order of effectiveness:\n\n1. **Errors:** Ensure that SQL errors are turned off and not reflected back to a user when an error occurs as to not expose valuable information to an attacker.\n2. **Parameterize Queries:** Ensure that when a userās input is added to a backend SQL query, it is not string appended but placed into the specific SQL parameter. The method to perform this varies from language to language.\n3. **Server-Side Input Length:** Limit the length of each field depending on its type. For example, a name should be less than **_16 characters long_**, and an ID should be less than **_5 characters long_**.\n4. **Whitelist:** Create character ranges (ie. Numeric, alpha, alphanumeric, alphanumeric with specific characters) and ensure that each input is restricted to the minimum length whitelist necessary.\n5. **Blacklist:** Disallow common injection characters such as `\"<>\\/?*()&`, `SQL` and `SCRIPT` commands such as `SELECT`, `INSERT`, `UPDATE`, `DROP`, and `SCRIPT`, newlines `%0A`, carriage returns `%0D`, null characters `%00` and unnecessary or bad encoding schemas (malformed `ASCII`, `UTF-7`, `UTF-8`, `UTF-16`, `Unicode`, etc.).\n6. **Logging and Web Specific IDS/IPS (Intrusion Detection/Prevention System):** Ensure that proper logging is taking place and is being reviewed, and any malicious traffic which generates an alert is promptly throttled and eventually blacklisted.",
- "references": [
- "https://www.owasp.org/index.php/SQL_Injection",
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.md",
- "http://projects.webappsec.org/SQL-Injection",
- "https://www.cvedetails.com/vulnerability-list/opsqli-1/sql-injection.html"
+ "id": "broken_cryptography",
+ "children": [
+ {
+ "id": "use_of_broken_cryptographic_primitive",
+ "remediation_advice": "The use of broken, weak, or flawed cryptographic algorithms can allow an attacker to decrypt sensistive information. Ensure the application makes use of only trustworthy cryprographic algorithms as indicated by relevant security standard(s) and regulation(s).",
+ "references": [
+ "https://codeql.github.com/codeql-query-help/java/java-weak-cryptographic-algorithm/",
+ "https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf"
+ ]
+ },
+ {
+ "id": "use_of_vulnerable_cryptographic_library",
+ "remediation_advice": "The identification, patching, and disclosure of vulnerabilities in third-party libraries, including cryptographic libraries, is a daily occurrence. In some cases, cryptographic libraries are deemed 'broken' and deprecated. Ensure the application is updated to include the latest secure version of all third-party cryptographic libraries and replace known 'broken' cryptographic libraries with secure alternatives.",
+ "references": [
+ "https://www.ubiqsecurity.com/bouncy-castle-and-the-impact-of-cryptographic-vulnerabilities/",
+ "https://blog.cryptographyengineering.com/2013/09/20/rsa-warns-developers-against-its-own/"
+ ]
+ }
]
},
{
- "id": "xml_external_entity_injection_xxe",
- "remediation_advice": "Because user supplied XML input comes from an \"untrusted source\" it is very difficult to properly validate the XML document in a manner to prevent against this type of attack. \n\nInstead, the XML processor should be configured to use only locally defined `Document Type Definition (DTD)` and disallow any inline DTD that is specified within user supplied XML documents. \n\nDue to the fact that there are numerous XML parsing engines available for different programming languages, each has its own mechanism for disabling inline DTD to prevent XXE. You may need to search your XML parser's documentation for how to `disable inline DTD` specifically.",
+ "id": "incomplete_cleanup_of_keying_material",
+ "remediation_advice": "Ensure the application erases all non-volatile copies of sensitive cryptographic data in memory or other non-volatile storage when no longer needed by the application. Ensure the application does not retain sensitive cryptographic data in memory longer than necessary by storing the data in protected volatile storage (e.g. TPM) and open/close handles to the data upon each new invocation of the cryptographic routine.",
"references": [
- "https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing",
- "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md",
- "http://projects.webappsec.org/XML-External-Entities",
- "https://www.gracefulsecurity.com/xml-external-entity-injection-xxe-vulnerabilities/"
+ "https://documentation-service.arm.com/static/624af896b059dc5ff9a8fbda"
]
},
{
- "id": "http_response_manipulation",
+ "id": "insecure_implementation",
"children": [
{
- "id": "response_splitting_crlf",
- "remediation_advice": "Apply proper input validation and check for `CRLF` characters and `null byte` characters whenever user supplied input is used in HTTP response headers.",
+ "id": "improper_following_of_specification",
+ "remediation_advice": "As a general rule, cryptographic alorithms are difficult to properly implement and developers should rely on well-vetted cryptographic libraries rather than homegrown implementations. When it is necessary to develop a homegrown implementation, ensure the implementation adheres to all requirements for the cryptographic parameters.",
"references": [
- "https://www.owasp.org/index.php/CRLF_Injection",
- "http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting",
- "https://www.cvedetails.com/vulnerability-list/ophttprs-1/http-response-splitting.html"
+ "https://www.rfc-editor.org/rfc/rfc7696",
+ "https://www.rfc-editor.org/rfc/rfc3565"
+ ]
+ },
+ {
+ "id": "missing_cryptographic_step",
+ "remediation_advice": "Oftentimes cryptographic algorithms involve complex and time-consuming mathematical operations to ensure the security of the product (e.g. ciphertext, hash value). In some instances, such as in limited power systems, costly cryptographic steps may be skipped. As a general rule, cryptographic alorithms are difficult to properly implement and developers should rely on well-vetted cryptographic libraries rather than homegrown implementations. When it is necessary to develop a homegrown implementation, always thoroughly review the algorithm specification and properly implement each computational step.",
+ "references": [
+ "https://www.rfc-editor.org/rfc/rfc3565",
+ "https://nvd.nist.gov/vuln/detail/CVE-2022-29053",
+ "https://www.fortiguard.com/psirt/FG-IR-22-158"
]
}
]
},
{
- "id": "content_spoofing",
- "remediation_advice": "1. Always treat all user input as untrusted data.\n2. Always input or output encode all data coming into or out of the application.\n3. Always whitelist allowed characters and seldom use blacklisting of characters unless in certain use cases.\n4. Always use a well known and security encoding API for input and output encoding such as the `OWASP ESAPI`.\n5. Never try to write input and output encoders unless absolutely necessary. Chances are that someone has already written a good one.",
- "references": [
- "http://projects.webappsec.org/w/page/13246917/Content%20Spoofing"
- ],
+ "id": "insecure_key_generation",
"children": [
{
- "id": "iframe_injection",
+ "id": "improper_asymmetric_exponent_selection",
+ "remediation_advice": "When implementing an asymmetric cryptography algorithm that relies upon exponentiation:\n\n(a) ensure that private exponent selection allows for a sufficiently large number to be chosen; and\n(b) always use a uniquely-generated random number for the private exponent.",
"references": [
- "http://resources.infosecinstitute.com/iframe-security-risk/"
+ "https://medium.com/curiositypapers/a-complete-explanation-of-rsa-asymmetric-encryption-742c5971e0f",
+ "https://www.iacr.org/archive/eurocrypt2000/1807/18070374-new.pdf",
+ "https://www.rfc-editor.org/rfc/rfc8017"
]
},
{
- "id": "external_authentication_injection",
- "remediation_advice": "Even if unsafe HTML tags like `