[
{
"id": "ai_application_security",
"name": "AI Application Security",
"type": "category",
"children": [
{
"id": "adversarial_example_injection",
"name": "Adversarial Example Injection",
"type": "subcategory",
"children": [
{
"id": "ai_misclassification_attacks",
"name": "AI Misclassification Attacks",
"type": "variant",
"priority": 4
}
]
},
{
"id": "ai_safety",
"name": "AI Safety",
"type": "subcategory",
"children": [
{
"id": "misinformation_wrong_factual_data",
"name": "Misinformation / Wrong Factual Data",
"type": "variant",
"priority": 4
}
]
},
{
"id": "denial_of_service_dos",
"name": "Denial-of-Service (DoS)",
"type": "subcategory",
"children": [
{
"id": "application_wide",
"name": "Application-Wide",
"type": "variant",
"priority": 2
},
{
"id": "tenant_scoped",
"name": "Tenant-Scoped",
"type": "variant",
"priority": 4
}
]
},
{
"id": "improper_input_handling",
"name": "Improper Input Handling",
"type": "subcategory",
"children": [
{
"id": "ansi_escape_codes",
"name": "ANSI Escape Codes",
"type": "variant",
"priority": 5
},
{
"id": "rtl_overrides",
"name": "RTL Overrides",
"type": "variant",
"priority": 5
},
{
"id": "unicode_confusables",
"name": "Unicode Confusables",
"type": "variant",
"priority": 5
}
]
},
{
"id": "improper_output_handling",
"name": "Improper Output Handling",
"type": "subcategory",
"children": [
{
"id": "cross_site_scripting_xss",
"name": "Cross-Site Scripting (XSS)",
"type": "variant",
"priority": 3
},
{
"id": "markdown_html_injection",
"name": "Markdown/HTML Injection",
"type": "variant",
"priority": 4
}
]
},
{
"id": "insufficient_rate_limiting",
"name": "Insufficient Rate Limiting",
"type": "subcategory",
"children": [
{
"id": "query_flooding_api_token_abuse",
"name": "Query Flooding / API Token Abuse",
"type": "variant",
"priority": 4
}
]
},
{
"id": "model_extraction",
"name": "Model Extraction",
"type": "subcategory",
"children": [
{
"id": "api_query_based_model_reconstruction",
"name": "API Query-Based Model Reconstruction",
"type": "variant",
"priority": 1
}
]
},
{
"id": "prompt_injection",
"name": "Prompt Injection",
"type": "subcategory",
"children": [
{
"id": "system_prompt_leakage",
"name": "System Prompt Leakage",
"type": "variant",
"priority": 2
}
]
},
{
"id": "remote_code_execution",
"name": "Remote Code Execution",
"type": "subcategory",
"children": [
{
"id": "full_system_compromise",
"name": "Full System Compromise",
"type": "variant",
"priority": 1
},
{
"id": "sandboxed_container_code_execution",
"name": "Sandboxed Container Code Execution",
"type": "variant",
"priority": 2
}
]
},
{
"id": "sensitive_information_disclosure",
"name": "Sensitive Information Disclosure",
"type": "subcategory",
"children": [
{
"id": "cross_tenant_pii_leakage_exposure",
"name": "Cross-Tenant PII Leakage/Exposure",
"type": "variant",
"priority": 1
},
{
"id": "key_leak",
"name": "Key Leak",
"type": "variant",
"priority": 1
}
]
},
{
"id": "training_data_poisoning",
"name": "Training Data Poisoning",
"type": "subcategory",
"children": [
{
"id": "backdoor_injection_bias_manipulation",
"name": "Backdoor Injection / Bias Manipulation",
"type": "variant",
"priority": 1
}
]
},
{
"id": "vector_and_embedding_weaknesses",
"name": "Vector and Embedding Weaknesses",
"type": "subcategory",
"children": [
{
"id": "embedding_exfiltration_model_extraction",
"name": "Embedding Exfiltration / Model Extraction",
"type": "variant",
"priority": 2
},
{
"id": "semantic_indexing",
"name": "Semantic Indexing",
"type": "variant",
"priority": 3
}
]
}
]
},
{
"id": "algorithmic_biases",
"name": "Algorithmic Biases",
"type": "category",
"children": [
{
"id": "aggregation_bias",
"name": "Aggregation Bias",
"type": "subcategory",
"priority": null
},
{
"id": "processing_bias",
"name": "Processing Bias",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "application_level_denial_of_service_dos",
"name": "Application-Level Denial-of-Service (DoS)",
"type": "category",
"children": [
{
"id": "app_crash",
"name": "App Crash",
"type": "subcategory",
"children": [
{
"id": "malformed_android_intents",
"name": "Malformed Android Intents",
"type": "variant",
"priority": 5
},
{
"id": "malformed_ios_url_schemes",
"name": "Malformed iOS URL Schemes",
"type": "variant",
"priority": 5
}
]
},
{
"id": "critical_impact_and_or_easy_difficulty",
"name": "Critical Impact and/or Easy Difficulty",
"type": "subcategory",
"priority": 2
},
{
"id": "excessive_resource_consumption",
"name": "Excessive Resource Consumption",
"type": "subcategory",
"children": [
{
"id": "injection_prompt",
"name": "Injection (Prompt)",
"type": "variant",
"priority": null
}
]
},
{
"id": "high_impact_and_or_medium_difficulty",
"name": "High Impact and/or Medium Difficulty",
"type": "subcategory",
"priority": 3
}
]
},
{
"id": "automotive_security_misconfiguration",
"name": "Automotive Security Misconfiguration",
"type": "category",
"children": [
{
"id": "abs",
"name": "Automatic Braking System (ABS)",
"type": "subcategory",
"children": [
{
"id": "unintended_acceleration_brake",
"name": "Unintended Acceleration / Brake",
"type": "variant",
"priority": 3
}
]
},
{
"id": "battery_management_system",
"name": "Battery Management System",
"type": "subcategory",
"children": [
{
"id": "firmware_dump",
"name": "Firmware Dump",
"type": "variant",
"priority": 3
},
{
"id": "fraudulent_interface",
"name": "Fraudulent Interface",
"type": "variant",
"priority": 4
}
]
},
{
"id": "can",
"name": "CAN",
"type": "subcategory",
"children": [
{
"id": "injection_basic_safety_message",
"name": "Injection (Basic Safety Message)",
"type": "variant",
"priority": 3
},
{
"id": "injection_battery_management_system",
"name": "Injection (Battery Management System)",
"type": "variant",
"priority": 3
},
{
"id": "injection_disallowed_messages",
"name": "Injection (Disallowed Messages)",
"type": "variant",
"priority": 4
},
{
"id": "injection_dos",
"name": "Injection (DoS)",
"type": "variant",
"priority": 4
},
{
"id": "injection_headlights",
"name": "Injection (Headlights)",
"type": "variant",
"priority": 3
},
{
"id": "injection_powertrain",
"name": "Injection (Powertrain)",
"type": "variant",
"priority": 3
},
{
"id": "injection_pyrotechnical_device_deployment_tool",
"name": "Injection (Pyrotechnical Device Deployment Tool)",
"type": "variant",
"priority": 3
},
{
"id": "injection_sensors",
"name": "Injection (Sensors)",
"type": "variant",
"priority": 3
},
{
"id": "injection_steering_control",
"name": "Injection (Steering Control)",
"type": "variant",
"priority": 3
},
{
"id": "injection_vehicle_anti_theft_systems",
"name": "Injection (Vehicle Anti-theft Systems)",
"type": "variant",
"priority": 3
}
]
},
{
"id": "gnss_gps",
"name": "GNSS / GPS",
"type": "subcategory",
"children": [
{
"id": "spoofing",
"name": "Spoofing",
"type": "variant",
"priority": 4
}
]
},
{
"id": "immobilizer",
"name": "Immobilizer",
"type": "subcategory",
"children": [
{
"id": "engine_start",
"name": "Engine Start",
"type": "variant",
"priority": 3
}
]
},
{
"id": "infotainment_radio_head_unit",
"name": "Infotainment, Radio Head Unit",
"type": "subcategory",
"children": [
{
"id": "code_execution_can_bus_pivot",
"name": "Code Execution (CAN Bus Pivot)",
"type": "variant",
"priority": 2
},
{
"id": "code_execution_no_can_bus_pivot",
"name": "Code Execution (No CAN Bus Pivot)",
"type": "variant",
"priority": 3
},
{
"id": "default_credentials",
"name": "Default Credentials",
"type": "variant",
"priority": 4
},
{
"id": "dos_brick",
"name": "Denial of Service (DoS / Brick)",
"type": "variant",
"priority": 4
},
{
"id": "ota_firmware_manipulation",
"name": "OTA Firmware Manipulation",
"type": "variant",
"priority": 2
},
{
"id": "sensitive_data_leakage_exposure",
"name": "Sensitive data Leakage/Exposure",
"type": "variant",
"priority": 1
},
{
"id": "source_code_dump",
"name": "Source Code Dump",
"type": "variant",
"priority": 4
},
{
"id": "unauthorized_access_to_services",
"name": "Unauthorized Access to Services (API / Endpoints)",
"type": "variant",
"priority": 3
}
]
},
{
"id": "rf_hub",
"name": "RF Hub",
"type": "subcategory",
"children": [
{
"id": "can_injection_interaction",
"name": "CAN Injection / Interaction",
"type": "variant",
"priority": 2
},
{
"id": "data_leakage_pull_encryption_mechanism",
"name": "Data Leakage / Pull Encryption Mechanism",
"type": "variant",
"priority": 3
},
{
"id": "key_fob_cloning",
"name": "Key Fob Cloning",
"type": "variant",
"priority": 1
},
{
"id": "relay",
"name": "Relay",
"type": "variant",
"priority": 5
},
{
"id": "replay",
"name": "Replay",
"type": "variant",
"priority": 5
},
{
"id": "roll_jam",
"name": "Roll Jam",
"type": "variant",
"priority": 5
},
{
"id": "unauthorized_access_turn_on",
"name": "Unauthorized Access / Turn On",
"type": "variant",
"priority": 4
}
]
},
{
"id": "rsu",
"name": "Roadside Unit (RSU)",
"type": "subcategory",
"children": [
{
"id": "sybil_attack",
"name": "Sybil Attack",
"type": "variant",
"priority": 4
}
]
}
]
},
{
"id": "blockchain_infrastructure_misconfiguration",
"name": "Blockchain Infrastructure Misconfiguration",
"type": "category",
"children": [
{
"id": "improper_bridge_validation_and_verification_logic",
"name": "Improper Bridge Validation and Verification Logic",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "broken_access_control",
"name": "Broken Access Control (BAC)",
"type": "category",
"children": [
{
"id": "bypass_of_password_confirmation",
"name": "Bypass of Password Confirmation",
"type": "subcategory",
"children": [
{
"id": "change_password",
"name": "Change Password",
"type": "variant",
"priority": 4
}
]
},
{
"id": "exposed_sensitive_android_intent",
"name": "Exposed Sensitive Android Intent",
"type": "subcategory",
"priority": null
},
{
"id": "exposed_sensitive_ios_url_scheme",
"name": "Exposed Sensitive iOS URL Scheme",
"type": "subcategory",
"priority": null
},
{
"id": "idor",
"name": "Insecure Direct Object References (IDOR)",
"type": "subcategory",
"children": [
{
"id": "modify_sensitive_information_iterable_object_identifiers",
"name": "Modify Sensitive Information(Iterable Object Identifiers)",
"type": "variant",
"priority": 2
},
{
"id": "modify_view_sensitive_information_guid",
"name": "Modify/View Sensitive Information(Complex Object Identifiers GUID/UUID)",
"type": "variant",
"priority": 4
},
{
"id": "modify_view_sensitive_information_iterable_object_identifiers",
"name": "Modify/View Sensitive Information(Iterable Object Identifiers)",
"type": "variant",
"priority": 1
},
{
"id": "view_non_sensitive_information",
"name": "View Non-Sensitive Information",
"type": "variant",
"priority": 5
},
{
"id": "view_sensitive_information_iterable_object_identifiers",
"name": "View Sensitive Information(Iterable Object Identifiers)",
"type": "variant",
"priority": 3
}
]
},
{
"id": "privilege_escalation",
"name": "Privilege Escalation",
"type": "subcategory",
"priority": null
},
{
"id": "username_enumeration",
"name": "Username/Email Enumeration",
"type": "subcategory",
"children": [
{
"id": "non_brute_force",
"name": "Non-Brute Force",
"type": "variant",
"priority": 4
}
]
}
]
},
{
"id": "broken_authentication_and_session_management",
"name": "Broken Authentication and Session Management",
"type": "category",
"children": [
{
"id": "authentication_bypass",
"name": "Authentication Bypass",
"type": "subcategory",
"priority": 1
},
{
"id": "cleartext_transmission_of_session_token",
"name": "Cleartext Transmission of Session Token",
"type": "subcategory",
"priority": 4
},
{
"id": "concurrent_logins",
"name": "Concurrent Logins",
"type": "subcategory",
"priority": 5
},
{
"id": "failure_to_invalidate_session",
"name": "Failure to Invalidate Session",
"type": "subcategory",
"children": [
{
"id": "all_sessions",
"name": "Concurrent Sessions On Logout",
"type": "variant",
"priority": 5
},
{
"id": "long_timeout",
"name": "Long Timeout",
"type": "variant",
"priority": 5
},
{
"id": "on_email_change",
"name": "On Email Change",
"type": "variant",
"priority": 5
},
{
"id": "on_logout",
"name": "On Logout (Client and Server-Side)",
"type": "variant",
"priority": 4
},
{
"id": "on_logout_server_side_only",
"name": "On Logout (Server-Side Only)",
"type": "variant",
"priority": 5
},
{
"id": "on_password_change",
"name": "On Password Reset and/or Change",
"type": "variant",
"priority": 4
},
{
"id": "on_two_fa_activation_change",
"name": "On 2FA Activation/Change",
"type": "variant",
"priority": 5
},
{
"id": "permission_change",
"name": "On Permission Change",
"type": "variant",
"priority": null
}
]
},
{
"id": "saml_replay",
"name": "SAML Replay",
"type": "subcategory",
"priority": 5
},
{
"id": "session_fixation",
"name": "Session Fixation",
"type": "subcategory",
"children": [
{
"id": "local_attack_vector",
"name": "Local Attack Vector",
"type": "variant",
"priority": 5
},
{
"id": "remote_attack_vector",
"name": "Remote Attack Vector",
"type": "variant",
"priority": 3
}
]
},
{
"id": "two_fa_bypass",
"name": "Second Factor Authentication (2FA) Bypass",
"type": "subcategory",
"priority": 3
},
{
"id": "weak_login_function",
"name": "Weak Login Function",
"type": "subcategory",
"children": [
{
"id": "not_operational",
"name": "Not Operational or Intended Public Access",
"type": "variant",
"priority": 5
},
{
"id": "other_plaintext_protocol_no_secure_alternative",
"name": "Other Plaintext Protocol with no Secure Alternative",
"type": "variant",
"priority": 4
},
{
"id": "over_http",
"name": "Over HTTP",
"type": "variant",
"priority": 4
}
]
},
{
"id": "weak_registration_implementation",
"name": "Weak Registration Implementation",
"type": "subcategory",
"children": [
{
"id": "over_http",
"name": "Over HTTP",
"type": "variant",
"priority": 4
}
]
}
]
},
{
"id": "client_side_injection",
"name": "Client-Side Injection",
"type": "category",
"children": [
{
"id": "binary_planting",
"name": "Binary Planting",
"type": "subcategory",
"children": [
{
"id": "no_privilege_escalation",
"name": "No Privilege Escalation",
"type": "variant",
"priority": 5
},
{
"id": "non_default_folder_privilege_escalation",
"name": "Non-Default Folder Privilege Escalation",
"type": "variant",
"priority": 5
},
{
"id": "privilege_escalation",
"name": "Default Folder Privilege Escalation",
"type": "variant",
"priority": 3
}
]
}
]
},
{
"id": "cloud_security",
"name": "Cloud Security",
"type": "category",
"children": [
{
"id": "identity_and_access_management_iam_misconfigurations",
"name": "Identity and Access Management (IAM) Misconfigurations",
"type": "subcategory",
"children": [
{
"id": "overly_permissive_iam_roles",
"name": "Overly Permissive IAM Roles",
"type": "variant",
"priority": 2
},
{
"id": "publicly_accessible_iam_credentials",
"name": "Publicly Accessible IAM Credentials",
"type": "variant",
"priority": 1
}
]
},
{
"id": "logging_and_monitoring_issues",
"name": "Logging and Monitoring Issues",
"type": "subcategory",
"children": [
{
"id": "disabled_or_insufficient_logging",
"name": "Disabled or Insufficient Logging",
"type": "variant",
"priority": 5
}
]
},
{
"id": "misconfigured_services_and_apis",
"name": "Misconfigured Services and APIs",
"type": "subcategory",
"children": [
{
"id": "exposed_debug_or_admin_interfaces",
"name": "Exposed Debug or Admin Interfaces",
"type": "variant",
"priority": null
},
{
"id": "insecure_api_endpoints",
"name": "Insecure API Endpoints",
"type": "variant",
"priority": 4
}
]
},
{
"id": "network_configuration_issues",
"name": "Network Configuration Issues",
"type": "subcategory",
"children": [
{
"id": "lack_of_network_segmentation",
"name": "Lack of Network Segmentation",
"type": "variant",
"priority": 3
},
{
"id": "open_management_ports_to_the_internet",
"name": "Open Management Ports to the Internet",
"type": "variant",
"priority": 3
}
]
},
{
"id": "storage_misconfigurations",
"name": "Storage Misconfigurations",
"type": "subcategory",
"children": [
{
"id": "publicly_accessible_cloud_storage",
"name": "Publicly Accessible Cloud Storage",
"type": "variant",
"priority": null
},
{
"id": "unencrypted_sensitive_data_at_rest",
"name": "Unencrypted Sensitive Data at Rest",
"type": "variant",
"priority": 2
}
]
}
]
},
{
"id": "cross_site_request_forgery_csrf",
"name": "Cross-Site Request Forgery (CSRF)",
"type": "category",
"children": [
{
"id": "action_specific",
"name": "Action-Specific",
"type": "subcategory",
"children": [
{
"id": "authenticated_action",
"name": "Authenticated Action",
"type": "variant",
"priority": null
},
{
"id": "logout",
"name": "Logout",
"type": "variant",
"priority": 5
},
{
"id": "unauthenticated_action",
"name": "Unauthenticated Action",
"type": "variant",
"priority": null
}
]
},
{
"id": "application_wide",
"name": "Application-Wide",
"type": "subcategory",
"priority": 2
},
{
"id": "csrf_token_not_unique_per_request",
"name": "CSRF Token Not Unique Per Request",
"type": "subcategory",
"priority": 5
},
{
"id": "flash_based",
"name": "Flash-Based",
"type": "subcategory",
"priority": 5
}
]
},
{
"id": "cross_site_scripting_xss",
"name": "Cross-Site Scripting (XSS)",
"type": "category",
"children": [
{
"id": "cookie_based",
"name": "Cookie-Based",
"type": "subcategory",
"priority": 5
},
{
"id": "flash_based",
"name": "Flash-Based",
"type": "subcategory",
"priority": 5
},
{
"id": "ie_only",
"name": "IE-Only",
"type": "subcategory",
"priority": 5
},
{
"id": "off_domain",
"name": "Off-Domain",
"type": "subcategory",
"children": [
{
"id": "data_uri",
"name": "Data URI",
"type": "variant",
"priority": 4
}
]
},
{
"id": "referer",
"name": "Referer",
"type": "subcategory",
"priority": 4
},
{
"id": "reflected",
"name": "Reflected",
"type": "subcategory",
"children": [
{
"id": "non_self",
"name": "Non-Self",
"type": "variant",
"priority": 3
},
{
"id": "self",
"name": "Self",
"type": "variant",
"priority": 5
}
]
},
{
"id": "stored",
"name": "Stored",
"type": "subcategory",
"children": [
{
"id": "non_admin_to_anyone",
"name": "Non-Privileged User to Anyone",
"type": "variant",
"priority": 2
},
{
"id": "privileged_user_to_no_privilege_elevation",
"name": "Privileged User to No Privilege Elevation",
"type": "variant",
"priority": 4
},
{
"id": "privileged_user_to_privilege_elevation",
"name": "Privileged User to Privilege Elevation",
"type": "variant",
"priority": 3
},
{
"id": "self",
"name": "Self",
"type": "variant",
"priority": 5
},
{
"id": "url_based",
"name": "CSRF/URL-Based",
"type": "variant",
"priority": 3
}
]
},
{
"id": "trace_method",
"name": "TRACE Method",
"type": "subcategory",
"priority": 5
},
{
"id": "universal_uxss",
"name": "Universal (UXSS)",
"type": "subcategory",
"priority": 4
}
]
},
{
"id": "cryptographic_weakness",
"name": "Cryptographic Weakness",
"type": "category",
"children": [
{
"id": "broken_cryptography",
"name": "Broken Cryptography",
"type": "subcategory",
"children": [
{
"id": "use_of_broken_cryptographic_primitive",
"name": "Use of Broken Cryptographic Primitive",
"type": "variant",
"priority": 3
},
{
"id": "use_of_vulnerable_cryptographic_library",
"name": "Use of Vulnerable Cryptographic Library",
"type": "variant",
"priority": 4
}
]
},
{
"id": "incomplete_cleanup_of_keying_material",
"name": "Incomplete Cleanup of Keying Material",
"type": "subcategory",
"priority": 5
},
{
"id": "insecure_implementation",
"name": "Insecure Implementation",
"type": "subcategory",
"children": [
{
"id": "improper_following_of_specification",
"name": "Improper Following of Specification (Other)",
"type": "variant",
"priority": null
},
{
"id": "missing_cryptographic_step",
"name": "Missing Cryptographic Step",
"type": "variant",
"priority": null
}
]
},
{
"id": "insecure_key_generation",
"name": "Insecure Key Generation",
"type": "subcategory",
"children": [
{
"id": "improper_asymmetric_exponent_selection",
"name": "Improper Asymmetric Exponent Selection",
"type": "variant",
"priority": null
},
{
"id": "improper_asymmetric_prime_selection",
"name": "Improper Asymmetric Prime Selection",
"type": "variant",
"priority": null
},
{
"id": "insufficient_key_space",
"name": "Insufficient Key Space",
"type": "variant",
"priority": 3
},
{
"id": "insufficient_key_stretching",
"name": "Insufficient Key Stretching",
"type": "variant",
"priority": null
},
{
"id": "key_exchange_without_entity_authentication",
"name": "Key Exchage Without Entity Authentication",
"type": "variant",
"priority": 4
}
]
},
{
"id": "insufficient_entropy",
"name": "Insufficient Entropy",
"type": "subcategory",
"children": [
{
"id": "initialization_vector_reuse",
"name": "Initialization Vector (IV) Reuse",
"type": "variant",
"priority": 5
},
{
"id": "limited_rng_entropy_source",
"name": "Limited Random Number Generator (RNG) Entropy Source",
"type": "variant",
"priority": 4
},
{
"id": "predictable_initialization_vector",
"name": "Predictable Initialization Vector (IV)",
"type": "variant",
"priority": 4
},
{
"id": "predictable_prng_seed",
"name": "Predictable Pseudo-Random Number Generator (PRNG) Seed",
"type": "variant",
"priority": 4
},
{
"id": "prng_seed_reuse",
"name": "Pseudo-Random Number Generator (PRNG) Seed Reuse",
"type": "variant",
"priority": 5
},
{
"id": "small_seed_space_in_prng",
"name": "Small Seed Space in Pseudo-Random Number Generator (PRNG)",
"type": "variant",
"priority": 4
},
{
"id": "use_of_trng_for_nonsecurity_purpose",
"name": "Use of True Random Number Generator (TRNG) for Non-Security Purpose",
"type": "variant",
"priority": 5
}
]
},
{
"id": "insufficient_verification_of_data_authenticity",
"name": "Insufficient Verification of Data Authenticity",
"type": "subcategory",
"children": [
{
"id": "cryptographic_signature",
"name": "Cryptographic Signature",
"type": "variant",
"priority": null
},
{
"id": "identity_check_value",
"name": "Integrity Check Value (ICV)",
"type": "variant",
"priority": 4
}
]
},
{
"id": "key_reuse",
"name": "Key Reuse",
"type": "subcategory",
"children": [
{
"id": "inter_environment",
"name": "Inter-Environment",
"type": "variant",
"priority": 2
},
{
"id": "intra_environment",
"name": "Intra-Environment",
"type": "variant",
"priority": 5
},
{
"id": "lack_of_perfect_forward_secrecy",
"name": "Lack of Perfect Forward Secrecy",
"type": "variant",
"priority": 4
}
]
},
{
"id": "side_channel_attack",
"name": "Side-Channel Attack",
"type": "subcategory",
"children": [
{
"id": "differential_fault_analysis",
"name": "Differential Fault Analysis",
"type": "variant",
"priority": null
},
{
"id": "emanations_attack",
"name": "Emanations Attack",
"type": "variant",
"priority": 5
},
{
"id": "padding_oracle_attack",
"name": "Padding Oracle Attack",
"type": "variant",
"priority": 4
},
{
"id": "power_analysis_attack",
"name": "Power Analysis Attack",
"type": "variant",
"priority": 5
},
{
"id": "timing_attack",
"name": "Timing Attack",
"type": "variant",
"priority": 4
}
]
},
{
"id": "use_of_expired_cryptographic_key_or_cert",
"name": "Use of Expired Cryptographic Key (or Certificate)",
"type": "subcategory",
"priority": 4
},
{
"id": "weak_hash",
"name": "Weak Hash",
"type": "subcategory",
"children": [
{
"id": "lack_of_salt",
"name": "Lack of Salt",
"type": "variant",
"priority": null
},
{
"id": "predictable_hash_collision",
"name": "Predictable Hash Collision",
"type": "variant",
"priority": null
},
{
"id": "use_of_predictable_salt",
"name": "Use of Predictable Salt",
"type": "variant",
"priority": 5
}
]
}
]
},
{
"id": "data_biases",
"name": "Data Biases",
"type": "category",
"children": [
{
"id": "pre_existing_bias",
"name": "Pre-existing Bias",
"type": "subcategory",
"priority": null
},
{
"id": "representation_bias",
"name": "Representation Bias",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "decentralized_application_misconfiguration",
"name": "Decentralized Application Misconfiguration",
"type": "category",
"children": [
{
"id": "defi_security",
"name": "DeFi Security",
"type": "subcategory",
"children": [
{
"id": "flash_loan_attack",
"name": "Flash Loan Attack",
"type": "variant",
"priority": null
},
{
"id": "function_level_accounting_error",
"name": "Function-Level Accounting Error",
"type": "variant",
"priority": null
},
{
"id": "improper_implementation_of_governance",
"name": "Improper Implementation of Governance",
"type": "variant",
"priority": null
},
{
"id": "pricing_oracle_manipulation",
"name": "Pricing Oracle Manipulation",
"type": "variant",
"priority": null
}
]
},
{
"id": "improper_authorization",
"name": "Improper Authorization",
"type": "subcategory",
"children": [
{
"id": "insufficient_signature_validation",
"name": "Insufficient Signature Validation",
"type": "variant",
"priority": null
}
]
},
{
"id": "insecure_data_storage",
"name": "Insecure Data Storage",
"type": "subcategory",
"children": [
{
"id": "plaintext_private_key",
"name": "Plaintext Private Key",
"type": "variant",
"priority": 1
},
{
"id": "sensitive_information_exposure",
"name": "Sensitive Information Exposure",
"type": "variant",
"priority": null
}
]
},
{
"id": "marketplace_security",
"name": "Marketplace Security",
"type": "subcategory",
"children": [
{
"id": "denial_of_service",
"name": "Denial of Service",
"type": "variant",
"priority": null
},
{
"id": "improper_validation_and_checks_for_deposits_and_withdrawals",
"name": "Improper Validation and Checks For Deposits and Withdrawals",
"type": "variant",
"priority": null
},
{
"id": "malicious_order_offer",
"name": "Malicious Order Offer",
"type": "variant",
"priority": 2
},
{
"id": "miscalculated_accounting_logic",
"name": "Miscalculated Accounting Logic",
"type": "variant",
"priority": null
},
{
"id": "ofac_bypass",
"name": "OFAC Bypass",
"type": "variant",
"priority": 3
},
{
"id": "orderbook_manipulation",
"name": "Orderbook Manipulation",
"type": "variant",
"priority": 1
},
{
"id": "price_or_fee_manipulation",
"name": "Price or Fee Manipulation",
"type": "variant",
"priority": 2
},
{
"id": "signer_account_takeover",
"name": "Signer Account Takeover",
"type": "variant",
"priority": 1
},
{
"id": "unauthorized_asset_transfer",
"name": "Unauthorized Asset Transfer",
"type": "variant",
"priority": 1
}
]
},
{
"id": "protocol_security_misconfiguration",
"name": "Protocol Security Misconfiguration",
"type": "subcategory",
"children": [
{
"id": "node_level_denial_of_service",
"name": "Node-level Denial of Service",
"type": "variant",
"priority": 1
}
]
}
]
},
{
"id": "developer_biases",
"name": "Developer Biases",
"type": "category",
"children": [
{
"id": "implicit_bias",
"name": "Implicit Bias",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "external_behavior",
"name": "External Behavior",
"type": "category",
"children": [
{
"id": "browser_feature",
"name": "Browser Feature",
"type": "subcategory",
"children": [
{
"id": "aggressive_offline_caching",
"name": "Aggressive Offline Caching",
"type": "variant",
"priority": 5
},
{
"id": "autocomplete_enabled",
"name": "Autocomplete Enabled",
"type": "variant",
"priority": 5
},
{
"id": "autocorrect_enabled",
"name": "Autocorrect Enabled",
"type": "variant",
"priority": 5
},
{
"id": "plaintext_password_field",
"name": "Plaintext Password Field",
"type": "variant",
"priority": 5
},
{
"id": "save_password",
"name": "Save Password",
"type": "variant",
"priority": 5
}
]
},
{
"id": "captcha_bypass",
"name": "Captcha Bypass",
"type": "subcategory",
"children": [
{
"id": "crowdsourcing",
"name": "Crowdsourcing",
"type": "variant",
"priority": 5
}
]
},
{
"id": "csv_injection",
"name": "CSV Injection",
"type": "subcategory",
"priority": 5
},
{
"id": "system_clipboard_leak",
"name": "System Clipboard Leak",
"type": "subcategory",
"children": [
{
"id": "shared_links",
"name": "Shared Links",
"type": "variant",
"priority": 5
}
]
},
{
"id": "user_password_persisted_in_memory",
"name": "User Password Persisted in Memory",
"type": "subcategory",
"priority": 5
}
]
},
{
"id": "indicators_of_compromise",
"name": "Indicators of Compromise",
"type": "category",
"priority": null
},
{
"id": "insecure_data_storage",
"name": "Insecure Data Storage",
"type": "category",
"children": [
{
"id": "non_sensitive_application_data_stored_unencrypted",
"name": "Non-Sensitive Application Data Stored Unencrypted",
"type": "subcategory",
"priority": 5
},
{
"id": "screen_caching_enabled",
"name": "Screen Caching Enabled",
"type": "subcategory",
"priority": 5
},
{
"id": "sensitive_application_data_stored_unencrypted",
"name": "Sensitive Application Data Stored Unencrypted",
"type": "subcategory",
"children": [
{
"id": "on_external_storage",
"name": "On External Storage",
"type": "variant",
"priority": 4
},
{
"id": "on_internal_storage",
"name": "On Internal Storage",
"type": "variant",
"priority": 5
}
]
},
{
"id": "server_side_credentials_storage",
"name": "Server-Side Credentials Storage",
"type": "subcategory",
"children": [
{
"id": "plaintext",
"name": "Plaintext",
"type": "variant",
"priority": 4
}
]
}
]
},
{
"id": "insecure_data_transport",
"name": "Insecure Data Transport",
"type": "category",
"children": [
{
"id": "cleartext_transmission_of_sensitive_data",
"name": "Cleartext Transmission of Sensitive Data",
"type": "subcategory",
"priority": null
},
{
"id": "executable_download",
"name": "Executable Download",
"type": "subcategory",
"children": [
{
"id": "no_secure_integrity_check",
"name": "No Secure Integrity Check",
"type": "variant",
"priority": 4
},
{
"id": "secure_integrity_check",
"name": "Secure Integrity Check",
"type": "variant",
"priority": 5
}
]
}
]
},
{
"id": "insecure_os_firmware",
"name": "Insecure OS/Firmware",
"type": "category",
"children": [
{
"id": "command_injection",
"name": "Command Injection",
"type": "subcategory",
"priority": 1
},
{
"id": "data_not_encrypted_at_rest",
"name": "Data not encrypted at rest",
"type": "subcategory",
"children": [
{
"id": "non_sensitive",
"name": "Non sensitive",
"type": "variant",
"priority": 5
},
{
"id": "sensitive",
"name": "Sensitive",
"type": "variant",
"priority": null
}
]
},
{
"id": "failure_to_remove_sensitive_artifacts_from_disk",
"name": "Failure to Remove Sensitive Artifacts from Disk",
"type": "subcategory",
"priority": null
},
{
"id": "hardcoded_password",
"name": "Hardcoded Password",
"type": "subcategory",
"children": [
{
"id": "non_privileged_user",
"name": "Non-Privileged User",
"type": "variant",
"priority": 2
},
{
"id": "privileged_user",
"name": "Privileged User",
"type": "variant",
"priority": 1
}
]
},
{
"id": "kiosk_escape_or_breakout",
"name": "Kiosk Escape or Breakout",
"type": "subcategory",
"priority": null
},
{
"id": "local_administrator_on_default_environment",
"name": "Local Administrator on default environment",
"type": "subcategory",
"priority": 2
},
{
"id": "over_permissioned_credentials_on_storage",
"name": "Over-Permissioned Credentials on Storage",
"type": "subcategory",
"priority": 2
},
{
"id": "poorly_configured_disk_encryption",
"name": "Poorly Configured Disk Encryption",
"type": "subcategory",
"priority": null
},
{
"id": "poorly_configured_operating_system_security",
"name": "Poorly Configured Operating System Security",
"type": "subcategory",
"priority": null
},
{
"id": "recovery_of_disk_contains_sensitive_material",
"name": "Recovery of Disk Contains Sensitive Material",
"type": "subcategory",
"priority": null
},
{
"id": "shared_credentials_on_storage",
"name": "Shared Credentials on Storage",
"type": "subcategory",
"priority": 3
},
{
"id": "weakness_in_firmware_updates",
"name": "Weakness in Firmware Updates",
"type": "subcategory",
"children": [
{
"id": "firmware_cannot_be_updated",
"name": "Firmware cannot be updated",
"type": "variant",
"priority": null
},
{
"id": "firmware_does_not_validate_update_integrity",
"name": "Firmware does not validate update integrity",
"type": "variant",
"priority": 3
},
{
"id": "firmware_is_not_encrypted",
"name": "Firmware is not encrypted",
"type": "variant",
"priority": 5
}
]
}
]
},
{
"id": "insufficient_security_configurability",
"name": "Insufficient Security Configurability",
"type": "category",
"children": [
{
"id": "lack_of_notification_email",
"name": "Lack of Notification Email",
"type": "subcategory",
"priority": 5
},
{
"id": "no_password_policy",
"name": "No Password Policy",
"type": "subcategory",
"priority": 4
},
{
"id": "password_policy_bypass",
"name": "Password Policy Bypass",
"type": "subcategory",
"priority": 5
},
{
"id": "verification_of_contact_method_not_required",
"name": "Verification of Contact Method not Required",
"type": "subcategory",
"priority": 5
},
{
"id": "weak_password_policy",
"name": "Weak Password Policy",
"type": "subcategory",
"priority": 5
},
{
"id": "weak_password_reset_implementation",
"name": "Weak Password Reset Implementation",
"type": "subcategory",
"children": [
{
"id": "token_has_long_timed_expiry",
"name": "Token Has Long Timed Expiry",
"type": "variant",
"priority": 5
},
{
"id": "token_is_not_invalidated_after_email_change",
"name": "Token is Not Invalidated After Email Change",
"type": "variant",
"priority": 5
},
{
"id": "token_is_not_invalidated_after_login",
"name": "Token is Not Invalidated After Login",
"type": "variant",
"priority": 5
},
{
"id": "token_is_not_invalidated_after_new_token_is_requested",
"name": "Token is Not Invalidated After New Token is Requested",
"type": "variant",
"priority": 5
},
{
"id": "token_is_not_invalidated_after_password_change",
"name": "Token is Not Invalidated After Password Change",
"type": "variant",
"priority": 5
},
{
"id": "token_is_not_invalidated_after_use",
"name": "Token is Not Invalidated After Use",
"type": "variant",
"priority": 4
}
]
},
{
"id": "weak_registration_implementation",
"name": "Weak Registration Implementation",
"type": "subcategory",
"children": [
{
"id": "allows_disposable_email_addresses",
"name": "Allows Disposable Email Addresses",
"type": "variant",
"priority": 5
}
]
},
{
"id": "weak_two_fa_implementation",
"name": "Weak 2FA Implementation",
"type": "subcategory",
"children": [
{
"id": "missing_failsafe",
"name": "Missing Failsafe",
"type": "variant",
"priority": 5
},
{
"id": "old_two_fa_code_is_not_invalidated_after_new_code_is_generated",
"name": "Old 2FA Code is Not Invalidated After New Code is Generated",
"type": "variant",
"priority": 5
},
{
"id": "two_fa_code_is_not_updated_after_new_code_is_requested",
"name": "2FA Code is Not Updated After New Code is Requested",
"type": "variant",
"priority": 5
},
{
"id": "two_fa_secret_cannot_be_rotated",
"name": "2FA Secret Cannot be Rotated",
"type": "variant",
"priority": 4
},
{
"id": "two_fa_secret_remains_obtainable_after_two_fa_is_enabled",
"name": "2FA Secret Remains Obtainable After 2FA is Enabled",
"type": "variant",
"priority": 4
}
]
}
]
},
{
"id": "lack_of_binary_hardening",
"name": "Lack of Binary Hardening",
"type": "category",
"children": [
{
"id": "lack_of_exploit_mitigations",
"name": "Lack of Exploit Mitigations",
"type": "subcategory",
"priority": 5
},
{
"id": "lack_of_jailbreak_detection",
"name": "Lack of Jailbreak Detection",
"type": "subcategory",
"priority": 5
},
{
"id": "lack_of_obfuscation",
"name": "Lack of Obfuscation",
"type": "subcategory",
"priority": 5
},
{
"id": "runtime_instrumentation_based",
"name": "Runtime Instrumentation-Based",
"type": "subcategory",
"priority": 5
}
]
},
{
"id": "misinterpretation_biases",
"name": "Misinterpretation Biases",
"type": "category",
"children": [
{
"id": "context_ignorance",
"name": "Context Ignorance",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "mobile_security_misconfiguration",
"name": "Mobile Security Misconfiguration",
"type": "category",
"children": [
{
"id": "auto_backup_allowed_by_default",
"name": "Auto Backup Allowed by Default",
"type": "subcategory",
"priority": 5
},
{
"id": "clipboard_enabled",
"name": "Clipboard Enabled",
"type": "subcategory",
"priority": 5
},
{
"id": "ssl_certificate_pinning",
"name": "SSL Certificate Pinning",
"type": "subcategory",
"children": [
{
"id": "absent",
"name": "Absent",
"type": "variant",
"priority": 5
},
{
"id": "defeatable",
"name": "Defeatable",
"type": "variant",
"priority": 5
}
]
},
{
"id": "tapjacking",
"name": "Tapjacking",
"type": "subcategory",
"priority": 5
}
]
},
{
"id": "network_security_misconfiguration",
"name": "Network Security Misconfiguration",
"type": "category",
"children": [
{
"id": "telnet_enabled",
"name": "Telnet Enabled",
"type": "subcategory",
"priority": 5
}
]
},
{
"id": "physical_security_issues",
"name": "Physical Security Issues",
"type": "category",
"children": [
{
"id": "bypass_of_physical_access_control",
"name": "Bypass of physical access control",
"type": "subcategory",
"priority": null
},
{
"id": "weakness_in_physical_access_control",
"name": "Weakness in physical access control",
"type": "subcategory",
"children": [
{
"id": "cloneable_key",
"name": "Cloneable Key",
"type": "variant",
"priority": null
},
{
"id": "commonly_keyed_system",
"name": "Commonly Keyed System",
"type": "variant",
"priority": 2
},
{
"id": "master_key_identification",
"name": "Master Key Identification",
"type": "variant",
"priority": null
}
]
}
]
},
{
"id": "privacy_concerns",
"name": "Privacy Concerns",
"type": "category",
"children": [
{
"id": "unnecessary_data_collection",
"name": "Unnecessary Data Collection",
"type": "subcategory",
"children": [
{
"id": "wifi_ssid_password",
"name": "WiFi SSID+Password",
"type": "variant",
"priority": 4
}
]
}
]
},
{
"id": "protocol_specific_misconfiguration",
"name": "Protocol Specific Misconfiguration",
"type": "category",
"children": [
{
"id": "frontrunning_enabled_attack",
"name": "Frontrunning-Enabled Attack",
"type": "subcategory",
"priority": 2
},
{
"id": "improper_validation_and_finalization_logic",
"name": "Improper Validation and Finalization Logic",
"type": "subcategory",
"priority": null
},
{
"id": "misconfigured_staking_logic",
"name": "Misconfigured Staking Logic",
"type": "subcategory",
"priority": null
},
{
"id": "sandwich_enabled_attack",
"name": "Sandwich-Enabled Attack",
"type": "subcategory",
"priority": 2
}
]
},
{
"id": "sensitive_data_exposure",
"name": "Sensitive Data Exposure",
"type": "category",
"children": [
{
"id": "disclosure_of_known_public_information",
"name": "Disclosure of Known Public Information",
"type": "subcategory",
"priority": 5
},
{
"id": "disclosure_of_secrets",
"name": "Disclosure of Secrets",
"type": "subcategory",
"children": [
{
"id": "data_traffic_spam",
"name": "Data/Traffic Spam",
"type": "variant",
"priority": 5
},
{
"id": "for_internal_asset",
"name": "For Internal Asset",
"type": "variant",
"priority": 3
},
{
"id": "for_publicly_accessible_asset",
"name": "For Publicly Accessible Asset",
"type": "variant",
"priority": 1
},
{
"id": "intentionally_public_sample_or_invalid",
"name": "Intentionally Public, Sample or Invalid",
"type": "variant",
"priority": 5
},
{
"id": "non_corporate_user",
"name": "Non-Corporate User",
"type": "variant",
"priority": 5
},
{
"id": "pay_per_use_abuse",
"name": "Pay-Per-Use Abuse",
"type": "variant",
"priority": 4
},
{
"id": "pii_leakage_exposure",
"name": "PII Leakage/Exposure",
"type": "variant",
"priority": null
}
]
},
{
"id": "exif_geolocation_data_not_stripped_from_uploaded_images",
"name": "EXIF Geolocation Data Not Stripped From Uploaded Images",
"type": "subcategory",
"children": [
{
"id": "automatic_user_enumeration",
"name": "Automatic User Enumeration",
"type": "variant",
"priority": 3
},
{
"id": "manual_user_enumeration",
"name": "Manual User Enumeration",
"type": "variant",
"priority": 4
}
]
},
{
"id": "graphql_introspection_enabled",
"name": "GraphQL Introspection Enabled",
"type": "subcategory",
"priority": 5
},
{
"id": "internal_ip_disclosure",
"name": "Internal IP Disclosure",
"type": "subcategory",
"priority": 5
},
{
"id": "json_hijacking",
"name": "JSON Hijacking",
"type": "subcategory",
"priority": 5
},
{
"id": "mixed_content",
"name": "Mixed Content (HTTPS Sourcing HTTP)",
"type": "subcategory",
"priority": 5
},
{
"id": "non_sensitive_token_in_url",
"name": "Non-Sensitive Token in URL",
"type": "subcategory",
"priority": 5
},
{
"id": "sensitive_data_hardcoded",
"name": "Sensitive Data Hardcoded",
"type": "subcategory",
"children": [
{
"id": "file_paths",
"name": "File Paths",
"type": "variant",
"priority": 5
},
{
"id": "oauth_secret",
"name": "OAuth Secret",
"type": "variant",
"priority": 5
}
]
},
{
"id": "sensitive_token_in_url",
"name": "Sensitive Token in URL",
"type": "subcategory",
"children": [
{
"id": "in_the_background",
"name": "In the Background",
"type": "variant",
"priority": 5
},
{
"id": "on_password_reset",
"name": "On Password Reset",
"type": "variant",
"priority": 5
},
{
"id": "user_facing",
"name": "User Facing",
"type": "variant",
"priority": 4
}
]
},
{
"id": "token_leakage_via_referer",
"name": "Token Leakage via Referer",
"type": "subcategory",
"children": [
{
"id": "over_http",
"name": "Over HTTP",
"type": "variant",
"priority": 4
},
{
"id": "password_reset_token",
"name": "Password Reset Token",
"type": "variant",
"priority": 5
},
{
"id": "trusted_third_party",
"name": "Trusted 3rd Party",
"type": "variant",
"priority": 5
},
{
"id": "untrusted_third_party",
"name": "Untrusted 3rd Party",
"type": "variant",
"priority": 4
}
]
},
{
"id": "via_localstorage_sessionstorage",
"name": "Via localStorage/sessionStorage",
"type": "subcategory",
"children": [
{
"id": "non_sensitive_token",
"name": "Non-Sensitive Token",
"type": "variant",
"priority": 5
},
{
"id": "sensitive_token",
"name": "Sensitive Token",
"type": "variant",
"priority": 4
}
]
},
{
"id": "visible_detailed_error_page",
"name": "Visible Detailed Error/Debug Page",
"type": "subcategory",
"children": [
{
"id": "descriptive_stack_trace",
"name": "Descriptive Stack Trace",
"type": "variant",
"priority": 5
},
{
"id": "detailed_server_configuration",
"name": "Detailed Server Configuration",
"type": "variant",
"priority": 4
},
{
"id": "full_path_disclosure",
"name": "Full Path Disclosure",
"type": "variant",
"priority": 5
}
]
},
{
"id": "weak_password_reset_implementation",
"name": "Weak Password Reset Implementation",
"type": "subcategory",
"children": [
{
"id": "password_reset_token_sent_over_http",
"name": "Password Reset Token Sent Over HTTP",
"type": "variant",
"priority": 4
},
{
"id": "token_leakage_via_host_header_poisoning",
"name": "Token Leakage via Host Header Poisoning",
"type": "variant",
"priority": 2
}
]
},
{
"id": "xssi",
"name": "Cross Site Script Inclusion (XSSI)",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "server_security_misconfiguration",
"name": "Server Security Misconfiguration",
"type": "category",
"children": [
{
"id": "bitsquatting",
"name": "Bitsquatting",
"type": "subcategory",
"priority": 5
},
{
"id": "cache_deception",
"name": "Cache Deception",
"type": "subcategory",
"priority": null
},
{
"id": "cache_poisoning",
"name": "Cache Poisoning",
"type": "subcategory",
"priority": null
},
{
"id": "captcha",
"name": "CAPTCHA",
"type": "subcategory",
"children": [
{
"id": "brute_force",
"name": "Brute Force",
"type": "variant",
"priority": 5
},
{
"id": "implementation_vulnerability",
"name": "Implementation Vulnerability",
"type": "variant",
"priority": 4
},
{
"id": "missing",
"name": "Missing",
"type": "variant",
"priority": 5
}
]
},
{
"id": "clickjacking",
"name": "Clickjacking",
"type": "subcategory",
"children": [
{
"id": "form_input",
"name": "Form Input",
"type": "variant",
"priority": 5
},
{
"id": "non_sensitive_action",
"name": "Non-Sensitive Action",
"type": "variant",
"priority": 5
},
{
"id": "sensitive_action",
"name": "Sensitive Click-Based Action",
"type": "variant",
"priority": 4
}
]
},
{
"id": "cookie_scoped_to_parent_domain",
"name": "Cookie Scoped to Parent Domain",
"type": "subcategory",
"priority": 5
},
{
"id": "dbms_misconfiguration",
"name": "Database Management System (DBMS) Misconfiguration",
"type": "subcategory",
"children": [
{
"id": "excessively_privileged_user_dba",
"name": "Excessively Privileged User / DBA",
"type": "variant",
"priority": 4
}
]
},
{
"id": "directory_listing_enabled",
"name": "Directory Listing Enabled",
"type": "subcategory",
"children": [
{
"id": "non_sensitive_data_exposure",
"name": "Non-Sensitive Data Exposure",
"type": "variant",
"priority": 5
},
{
"id": "sensitive_data_exposure",
"name": "Sensitive Data Exposure",
"type": "variant",
"priority": null
}
]
},
{
"id": "email_verification_bypass",
"name": "Email Verification Bypass",
"type": "subcategory",
"priority": 5
},
{
"id": "exposed_portal",
"name": "Exposed Portal",
"type": "subcategory",
"children": [
{
"id": "admin_portal",
"name": "Admin Portal",
"type": "variant",
"priority": 1
},
{
"id": "non_admin_portal",
"name": "Non-Admin Portal",
"type": "variant",
"priority": 3
},
{
"id": "protected",
"name": "Protected",
"type": "variant",
"priority": 5
}
]
},
{
"id": "fingerprinting_banner_disclosure",
"name": "Fingerprinting/Banner Disclosure",
"type": "subcategory",
"priority": 5
},
{
"id": "insecure_ssl",
"name": "Insecure SSL",
"type": "subcategory",
"children": [
{
"id": "certificate_error",
"name": "Certificate Error",
"type": "variant",
"priority": 5
},
{
"id": "insecure_cipher_suite",
"name": "Insecure Cipher Suite",
"type": "variant",
"priority": 5
},
{
"id": "lack_of_forward_secrecy",
"name": "Lack of Forward Secrecy",
"type": "variant",
"priority": 5
}
]
},
{
"id": "lack_of_password_confirmation",
"name": "Lack of Password Confirmation",
"type": "subcategory",
"children": [
{
"id": "change_email_address",
"name": "Change Email Address",
"type": "variant",
"priority": 5
},
{
"id": "change_password",
"name": "Change Password",
"type": "variant",
"priority": 5
},
{
"id": "delete_account",
"name": "Delete Account",
"type": "variant",
"priority": 4
},
{
"id": "manage_two_fa",
"name": "Manage 2FA",
"type": "variant",
"priority": 5
}
]
},
{
"id": "lack_of_security_headers",
"name": "Lack of Security Headers",
"type": "subcategory",
"children": [
{
"id": "cache_control_for_a_non_sensitive_page",
"name": "Cache-Control for a Non-Sensitive Page",
"type": "variant",
"priority": 5
},
{
"id": "cache_control_for_a_sensitive_page",
"name": "Cache-Control for a Sensitive Page",
"type": "variant",
"priority": 4
},
{
"id": "content_security_policy",
"name": "Content-Security-Policy",
"type": "variant",
"priority": 5
},
{
"id": "content_security_policy_report_only",
"name": "Content-Security-Policy-Report-Only",
"type": "variant",
"priority": 5
},
{
"id": "public_key_pins",
"name": "Public-Key-Pins",
"type": "variant",
"priority": 5
},
{
"id": "strict_transport_security",
"name": "Strict-Transport-Security",
"type": "variant",
"priority": 5
},
{
"id": "x_content_security_policy",
"name": "X-Content-Security-Policy",
"type": "variant",
"priority": 5
},
{
"id": "x_content_type_options",
"name": "X-Content-Type-Options",
"type": "variant",
"priority": 5
},
{
"id": "x_frame_options",
"name": "X-Frame-Options",
"type": "variant",
"priority": 5
},
{
"id": "x_webkit_csp",
"name": "X-Webkit-CSP",
"type": "variant",
"priority": 5
},
{
"id": "x_xss_protection",
"name": "X-XSS-Protection",
"type": "variant",
"priority": 5
}
]
},
{
"id": "mail_server_misconfiguration",
"name": "Mail Server Misconfiguration",
"type": "subcategory",
"children": [
{
"id": "email_spoofing_on_non_email_domain",
"name": "Email Spoofing on Non-Email Domain",
"type": "variant",
"priority": 5
},
{
"id": "email_spoofing_to_inbox_due_to_missing_or_misconfigured_dmarc_on_email_domain",
"name": "Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain",
"type": "variant",
"priority": 4
},
{
"id": "email_spoofing_to_spam_folder",
"name": "Email Spoofing to Spam Folder",
"type": "variant",
"priority": 5
},
{
"id": "missing_or_misconfigured_spf_and_or_dkim",
"name": "Missing or Misconfigured SPF and/or DKIM",
"type": "variant",
"priority": 5
},
{
"id": "no_spoofing_protection_on_email_domain",
"name": "No Spoofing Protection on Email Domain",
"type": "variant",
"priority": 3
}
]
},
{
"id": "misconfigured_dns",
"name": "Misconfigured DNS",
"type": "subcategory",
"children": [
{
"id": "missing_caa_record",
"name": "Missing Certification Authority Authorization (CAA) Record",
"type": "variant",
"priority": 5
},
{
"id": "subdomain_takeover",
"name": "Subdomain Takeover",
"type": "variant",
"priority": 3
},
{
"id": "zone_transfer",
"name": "Zone Transfer",
"type": "variant",
"priority": 4
}
]
},
{
"id": "missing_dnssec",
"name": "Missing DNSSEC",
"type": "subcategory",
"priority": 5
},
{
"id": "missing_secure_or_httponly_cookie_flag",
"name": "Missing Secure or HTTPOnly Cookie Flag",
"type": "subcategory",
"children": [
{
"id": "non_session_cookie",
"name": "Non-Session Cookie",
"type": "variant",
"priority": 5
},
{
"id": "session_token",
"name": "Session Token",
"type": "variant",
"priority": 4
}
]
},
{
"id": "missing_subresource_integrity",
"name": "Missing Subresource Integrity",
"type": "subcategory",
"priority": 5
},
{
"id": "no_rate_limiting_on_form",
"name": "No Rate Limiting on Form",
"type": "subcategory",
"children": [
{
"id": "change_password",
"name": "Change Password",
"type": "variant",
"priority": 5
},
{
"id": "email_triggering",
"name": "Email-Triggering",
"type": "variant",
"priority": 4
},
{
"id": "login",
"name": "Login",
"type": "variant",
"priority": 4
},
{
"id": "registration",
"name": "Registration",
"type": "variant",
"priority": 4
},
{
"id": "sms_triggering",
"name": "SMS-Triggering",
"type": "variant",
"priority": 4
}
]
},
{
"id": "oauth_misconfiguration",
"name": "OAuth Misconfiguration",
"type": "subcategory",
"children": [
{
"id": "account_squatting",
"name": "Account Squatting",
"type": "variant",
"priority": 4
},
{
"id": "account_takeover",
"name": "Account Takeover",
"type": "variant",
"priority": 2
},
{
"id": "insecure_redirect_uri",
"name": "Insecure Redirect URI",
"type": "variant",
"priority": null
},
{
"id": "missing_state_parameter",
"name": "Missing/Broken State Parameter",
"type": "variant",
"priority": null
}
]
},
{
"id": "path_traversal",
"name": "Path Traversal",
"type": "subcategory",
"priority": null
},
{
"id": "potentially_unsafe_http_method_enabled",
"name": "Potentially Unsafe HTTP Method Enabled",
"type": "subcategory",
"children": [
{
"id": "options",
"name": "OPTIONS",
"type": "variant",
"priority": 5
},
{
"id": "trace",
"name": "TRACE",
"type": "variant",
"priority": 5
}
]
},
{
"id": "race_condition",
"name": "Race Condition",
"type": "subcategory",
"priority": null
},
{
"id": "request_smuggling",
"name": "HTTP Request Smuggling",
"type": "subcategory",
"priority": null
},
{
"id": "rfd",
"name": "Reflected File Download (RFD)",
"type": "subcategory",
"priority": 5
},
{
"id": "same_site_scripting",
"name": "Same-Site Scripting",
"type": "subcategory",
"priority": 5
},
{
"id": "server_side_request_forgery_ssrf",
"name": "Server-Side Request Forgery (SSRF)",
"type": "subcategory",
"children": [
{
"id": "external_dns_query_only",
"name": "External - DNS Query Only",
"type": "variant",
"priority": 5
},
{
"id": "external_low_impact",
"name": "External - Low impact",
"type": "variant",
"priority": 5
},
{
"id": "internal_high_impact",
"name": "Internal High Impact",
"type": "variant",
"priority": 2
},
{
"id": "internal_scan_and_or_medium_impact",
"name": "Internal Scan and/or Medium Impact",
"type": "variant",
"priority": 3
}
]
},
{
"id": "software_package_takeover",
"name": "Software Package Takeover",
"type": "subcategory",
"priority": null
},
{
"id": "ssl_attack_breach_poodle_etc",
"name": "SSL Attack (BREACH, POODLE etc.)",
"type": "subcategory",
"priority": null
},
{
"id": "unsafe_cross_origin_resource_sharing",
"name": "Unsafe Cross-Origin Resource Sharing",
"type": "subcategory",
"priority": null
},
{
"id": "unsafe_file_upload",
"name": "Unsafe File Upload",
"type": "subcategory",
"children": [
{
"id": "file_extension_filter_bypass",
"name": "File Extension Filter Bypass",
"type": "variant",
"priority": 5
},
{
"id": "no_antivirus",
"name": "No Antivirus",
"type": "variant",
"priority": 5
},
{
"id": "no_size_limit",
"name": "No Size Limit",
"type": "variant",
"priority": 5
}
]
},
{
"id": "username_enumeration",
"name": "Username/Email Enumeration",
"type": "subcategory",
"children": [
{
"id": "brute_force",
"name": "Brute Force",
"type": "variant",
"priority": 5
}
]
},
{
"id": "using_default_credentials",
"name": "Using Default Credentials",
"type": "subcategory",
"priority": 1
},
{
"id": "waf_bypass",
"name": "Web Application Firewall (WAF) Bypass",
"type": "subcategory",
"children": [
{
"id": "direct_server_access",
"name": "Direct Server Access",
"type": "variant",
"priority": 4
}
]
}
]
},
{
"id": "server_side_injection",
"name": "Server-Side Injection",
"type": "category",
"children": [
{
"id": "content_spoofing",
"name": "Content Spoofing",
"type": "subcategory",
"children": [
{
"id": "email_html_injection",
"name": "Email HTML Injection",
"type": "variant",
"priority": 4
},
{
"id": "email_hyperlink_injection_based_on_email_provider",
"name": "Email Hyperlink Injection Based on Email Provider",
"type": "variant",
"priority": 5
},
{
"id": "external_authentication_injection",
"name": "External Authentication Injection",
"type": "variant",
"priority": 4
},
{
"id": "flash_based_external_authentication_injection",
"name": "Flash Based External Authentication Injection",
"type": "variant",
"priority": 5
},
{
"id": "homograph_idn_based",
"name": "Homograph/IDN-Based",
"type": "variant",
"priority": 5
},
{
"id": "html_content_injection",
"name": "HTML Content Injection",
"type": "variant",
"priority": 5
},
{
"id": "iframe_injection",
"name": "iframe Injection",
"type": "variant",
"priority": 3
},
{
"id": "impersonation_via_broken_link_hijacking",
"name": "Impersonation via Broken Link Hijacking",
"type": "variant",
"priority": 4
},
{
"id": "rtlo",
"name": "Right-to-Left Override (RTLO)",
"type": "variant",
"priority": 5
},
{
"id": "text_injection",
"name": "Text Injection",
"type": "variant",
"priority": 5
}
]
},
{
"id": "exposed_data",
"name": "Exposed Data",
"type": "subcategory",
"children": [
{
"id": "non_sensitive_data",
"name": "Non Sensitive Data",
"type": "variant",
"priority": 5
},
{
"id": "sensitive_data",
"name": "Sensitive Data",
"type": "variant",
"priority": null
}
]
},
{
"id": "file_inclusion",
"name": "File Inclusion",
"type": "subcategory",
"children": [
{
"id": "local",
"name": "Local",
"type": "variant",
"priority": 1
}
]
},
{
"id": "http_response_manipulation",
"name": "HTTP Response Manipulation",
"type": "subcategory",
"children": [
{
"id": "response_splitting_crlf",
"name": "Response Splitting (CRLF)",
"type": "variant",
"priority": 3
}
]
},
{
"id": "ldap_injection",
"name": "LDAP Injection",
"type": "subcategory",
"priority": null
},
{
"id": "parameter_pollution",
"name": "Parameter Pollution",
"type": "subcategory",
"children": [
{
"id": "social_media_sharing_buttons",
"name": "Social Media Sharing Buttons",
"type": "variant",
"priority": 5
}
]
},
{
"id": "remote_code_execution_rce",
"name": "Remote Code Execution (RCE)",
"type": "subcategory",
"priority": 1
},
{
"id": "sql_injection",
"name": "SQL Injection",
"type": "subcategory",
"priority": 1
},
{
"id": "ssti",
"name": "Server-Side Template Injection (SSTI)",
"type": "subcategory",
"children": [
{
"id": "basic",
"name": "Basic",
"type": "variant",
"priority": 4
},
{
"id": "custom",
"name": "Custom",
"type": "variant",
"priority": null
}
]
},
{
"id": "xml_external_entity_injection_xxe",
"name": "XML External Entity Injection (XXE)",
"type": "subcategory",
"priority": 1
}
]
},
{
"id": "smart_contract_misconfiguration",
"name": "Smart Contract Misconfiguration",
"type": "category",
"children": [
{
"id": "bypass_of_function_modifiers_and_checks",
"name": "Bypass of Function Modifiers and Checks",
"type": "subcategory",
"priority": null
},
{
"id": "function_level_denial_of_service",
"name": "Function-level Denial of Service",
"type": "subcategory",
"priority": 3
},
{
"id": "improper_decimals_implementation",
"name": "Improper Decimals Implementation",
"type": "subcategory",
"priority": 4
},
{
"id": "improper_fee_implementation",
"name": "Improper Fee Implementation",
"type": "subcategory",
"priority": 3
},
{
"id": "improper_use_of_modifier",
"name": "Improper Use of Modifier",
"type": "subcategory",
"priority": 4
},
{
"id": "inaccurate_rounding_calculation",
"name": "Inaccurate Rounding Calculation",
"type": "subcategory",
"priority": null
},
{
"id": "integer_overflow_underflow",
"name": "Integer Overflow / Underflow",
"type": "subcategory",
"priority": 2
},
{
"id": "irreversible_function_call",
"name": "Irreversible Function Call",
"type": "subcategory",
"priority": 3
},
{
"id": "malicious_superuser_risk",
"name": "Malicious Superuser Risk",
"type": "subcategory",
"priority": 3
},
{
"id": "reentrancy_attack",
"name": "Reentrancy Attack",
"type": "subcategory",
"priority": 1
},
{
"id": "smart_contract_owner_takeover",
"name": "Smart Contract Owner Takeover",
"type": "subcategory",
"priority": 1
},
{
"id": "unauthorized_smart_contract_approval",
"name": "Unauthorized Smart Contract Approval",
"type": "subcategory",
"priority": 2
},
{
"id": "unauthorized_transfer_of_funds",
"name": "Unauthorized Transfer of Funds",
"type": "subcategory",
"priority": 1
},
{
"id": "uninitialized_variables",
"name": "Uninitialized Variables",
"type": "subcategory",
"priority": 1
}
]
},
{
"id": "societal_biases",
"name": "Societal Biases",
"type": "category",
"children": [
{
"id": "confirmation_bias",
"name": "Confirmation Bias",
"type": "subcategory",
"priority": null
},
{
"id": "systemic_bias",
"name": "Systemic Bias",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "unvalidated_redirects_and_forwards",
"name": "Unvalidated Redirects and Forwards",
"type": "category",
"children": [
{
"id": "lack_of_security_speed_bump_page",
"name": "Lack of Security Speed Bump Page",
"type": "subcategory",
"priority": 5
},
{
"id": "open_redirect",
"name": "Open Redirect",
"type": "subcategory",
"children": [
{
"id": "flash_based",
"name": "Flash-Based",
"type": "variant",
"priority": 5
},
{
"id": "get_based",
"name": "GET-Based",
"type": "variant",
"priority": 4
},
{
"id": "header_based",
"name": "Header-Based",
"type": "variant",
"priority": 5
},
{
"id": "post_based",
"name": "POST-Based",
"type": "variant",
"priority": 5
}
]
},
{
"id": "tabnabbing",
"name": "Tabnabbing",
"type": "subcategory",
"priority": 5
}
]
},
{
"id": "using_components_with_known_vulnerabilities",
"name": "Using Components with Known Vulnerabilities",
"type": "category",
"children": [
{
"id": "captcha_bypass",
"name": "Captcha Bypass",
"type": "subcategory",
"children": [
{
"id": "ocr_optical_character_recognition",
"name": "OCR (Optical Character Recognition)",
"type": "variant",
"priority": 5
}
]
},
{
"id": "outdated_software_version",
"name": "Outdated Software Version",
"type": "subcategory",
"priority": 5
},
{
"id": "rosetta_flash",
"name": "Rosetta Flash",
"type": "subcategory",
"priority": 5
}
]
},
{
"id": "zero_knowledge_security_misconfiguration",
"name": "Zero Knowledge Security Misconfiguration",
"type": "category",
"children": [
{
"id": "deanonymization_of_data",
"name": "Deanonymization of Data",
"type": "subcategory",
"priority": 1
},
{
"id": "improper_proof_validation_and_finalization_logic",
"name": "Improper Proof Validation and Finalization Logic",
"type": "subcategory",
"priority": 1
},
{
"id": "misconfigured_trusted_setup",
"name": "Misconfigured Trusted Setup",
"type": "subcategory",
"priority": null
},
{
"id": "mismatching_bit_lengths",
"name": "Mismatching Bit Lengths",
"type": "subcategory",
"priority": null
},
{
"id": "missing_constraint",
"name": "Missing Constraint",
"type": "subcategory",
"priority": null
},
{
"id": "missing_range_check",
"name": "Missing Range Check",
"type": "subcategory",
"priority": null
}
]
},
{
"id": "other",
"name": "Other",
"priority": null,
"type": "category"
}
]