
Releases: OmarRao/analyzer

v6.0.0 — LDAP, OAuth, 2FA Bypass, Password Reset Poisoning, GraphQL, JWT Confusion, Docker, Postman


@OmarRao OmarRao released this 24 Jun 14:19

VulnBank v6.0.0 — New Vulnerability Classes

New Attack Surfaces

LDAP Injection (CWE-90) — api/ldap.py
Filter string injection: the username is interpolated unescaped into (&(objectClass=user)(uid={username})), so filter metacharacters such as *, ( and ) reach the directory; anonymous search; plaintext password returned in results
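
Added example, not code from the release or from api/ldap.py: the interpolated filter above is evaluated against a small in-memory directory with a minimal RFC 4515 matcher, so the effect of a crafted username can be seen without a directory server. The entries in DIRECTORY, the attribute names and the escape_filter_value/search helpers are all constructed for this illustration; a real endpoint would hand the escaped filter to the LDAP client library instead.

```python
import re

# Constructed sample directory (not real data). Attribute names are lowercased
# and values are lists, the way a server returns multi-valued attributes.
DIRECTORY = [
    {"uid": ["alice"], "objectclass": ["user"], "userpassword": ["s3cret"]},
    {"uid": ["bob"], "objectclass": ["user"], "userpassword": ["hunter2"]},
    {"uid": ["carol"], "objectclass": ["user"], "userpassword": ["swordfish"]},
    {"uid": ["printer1"], "objectclass": ["device"]},
]

# RFC 4515 section 3: these must be written as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(username: str) -> str:
    """Direct interpolation, the pattern the release note describes."""
    return f"(&(objectClass=user)(uid={username}))"


def safe_filter(username: str) -> str:
    """Same query shape, but the user-supplied value cannot alter the structure."""
    return f"(&(objectClass=user)(uid={escape_filter_value(username)}))"


def _expect(s: str, i: int, ch: str) -> None:
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")


def _parse(s: str, i: int = 0):
    """Minimal RFC 4515 parser supporting &, |, ! and attr=value items.
    Returns (node, index_after_node)."""
    _expect(s, i, "(")
    i += 1
    if s[i] in "&|":
        op, i, parts = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            parts.append(node)
        _expect(s, i, ")")
        return (op, parts), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("!", node), i + 1
    j = s.index(")", i)                       # items never contain a raw ')'
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.strip().lower(), value), j + 1


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_value(pattern: str, actual: str) -> bool:
    if pattern == "*":                        # presence filter
        return True
    # A raw '*' is a wildcard; an escaped \2a becomes a literal '*' after split.
    regex = ".*".join(re.escape(_unescape(piece)) for piece in pattern.split("*"))
    return re.fullmatch(regex, actual) is not None


def _matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(n, entry) for n in node[1])
    if kind == "|":
        return any(_matches(n, entry) for n in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    _, attr, value = node
    return any(_match_value(value, v) for v in entry.get(attr, []))


def search(filter_str: str, directory=DIRECTORY):
    """Evaluate a filter the way a server would and return the matching uids."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["uid"][0] for e in directory if _matches(node, e)]
```

With the vulnerable builder a username of `*` turns the lookup into a presence filter and returns every user, and `*)(userpassword=s*` appends a second assertion that only succeeds for accounts whose password starts with `s`, giving a character-by-character oracle; the escaped builder turns the same inputs into literal values that match nothing.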

OAuth Misconfiguration — api/oauth.py
Missing state parameter (login CSRF), open redirect on the callback's next URL, SSRF via a user-controlled token_endpoint, hardcoded client_secret, weak access tokens
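
Added example, not code from the release or from api/oauth.py: a callback handler that closes the first three gaps listed above. It binds a single-use state to the session and checks it in constant time, validates the post-login redirect against an allow-list, and describes the back-channel token exchange with the endpoint pinned in configuration rather than taken from the request. AUTHORIZE_URL, TOKEN_ENDPOINT, ALLOWED_REDIRECT_HOSTS, the session dict and the handler names are assumptions made for this illustration; the HTTP call itself is left to the caller.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse

# Assumed deployment values (constructed for this example, not VulnBank's config).
AUTHORIZE_URL = "https://idp.example.test/oauth/authorize"
TOKEN_ENDPOINT = "https://idp.example.test/oauth/token"   # pinned; never read from a request
ALLOWED_REDIRECT_HOSTS = {"bank.example.test"}


def start_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Bind a fresh, unguessable state to this session and build the authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state, "scope": "openid"})
    return f"{AUTHORIZE_URL}?{query}"


def state_is_valid(session: dict, presented) -> bool:
    """Single-use, constant-time check of the state echoed back by the provider."""
    expected = session.pop("oauth_state", None)
    if expected is None or not isinstance(presented, str):
        return False
    return hmac.compare_digest(expected, presented)


def safe_next_url(candidate, default: str = "/") -> str:
    """Accept a local path or an https URL to an allow-listed host; otherwise fall back."""
    if not candidate:
        return default
    parsed = urlparse(candidate)
    if not parsed.scheme and not parsed.netloc:
        # Local path: reject protocol-relative '//host' and the backslash variant.
        if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
            return candidate
        return default
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return candidate
    return default


def handle_callback(session: dict, args: dict, client_id: str,
                    client_secret: str, redirect_uri: str):
    """Process GET /oauth/callback?code=...&state=...&next=...

    Returns (None, reason) on rejection, otherwise (token_request, next_url),
    where token_request describes the server-to-server POST still to be made.
    The client cannot steer that request: args["token_endpoint"] is never read.
    """
    if not state_is_valid(session, args.get("state")):
        return None, "state missing or mismatched"
    code = args.get("code")
    if not code:
        return None, "no authorization code"
    token_request = {
        "url": TOKEN_ENDPOINT,
        "data": {"grant_type": "authorization_code", "code": code,
                 "redirect_uri": redirect_uri},
        "auth": (client_id, client_secret),   # secret loaded from the environment, not source
    }
    return token_request, safe_next_url(args.get("next"))
```

The allow-list check uses the parsed hostname, so `https://bank.example.test@evil.test/` (hostname evil.test) and `//evil.test/` (no scheme, so not https) both fall back to the default, while a plain relative path is passed through.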

2FA Bypass — api/mfa.py
Hardcoded master bypass code

v5.0.0 - Complete 6-Framework Coverage + CWE-362/CWE-840


@OmarRao OmarRao released this 23 Jun 20:41

VulnBank v5.0.0 - Complete 6-Framework Coverage + New Vulnerability Classes

6-Framework Annotation Standard

Every vulnerability in every file now annotated with:

  • CWE identifier
  • MITRE ATT&CK v14 technique
  • OWASP Top 10 / API Security / LLM Top 10
  • PCI DSS v4.0 requirements
  • NIST SP 800-53 Rev 5 controls
  • SANS/CWE Top 25 (2023) rankings
  • ISO 27001:2022 Annex A controls (NEW)

Files Annotated in v5.0.0

  • config.py, models.py
  • api/auth.py, accounts.py, admin.py, files.py, loans.py, payments.py, reports.py, transactions.py, users.py
  • jobs/scheduled.py
  • utils/formatters.py, validators.py

New Vulnerability Classes

  • CWE-362: Race condition/TOCTOU on /api/transfer/bulk (double-spend via concurrent requests)
  • CWE-840: Business logic flaw on /api/transfer/negative (negative amount balance theft)
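
Added example, not code from the release: the two new classes reproduced against an in-memory balance so the double-spend and the negative-amount theft can be observed deterministically. VulnerableLedger separates the balance check from the debit (the SELECT-then-UPDATE shape of the bulk endpoint) and accepts any integer; SafeLedger validates the amount first and performs check and debit under one lock. The ledger classes, valid_amount and the barrier-driven concurrent_transfers driver are constructed for this illustration.

```python
import threading


def valid_amount(amount) -> bool:
    """CWE-840 guard: only a positive integer may be transferred."""
    return isinstance(amount, int) and not isinstance(amount, bool) and amount > 0


class VulnerableLedger:
    """Check-then-act with the check outside the critical section."""

    def __init__(self, balance: int):
        self.balance = balance
        self._lock = threading.Lock()

    def transfer(self, amount, pause=lambda: None) -> bool:
        if self.balance >= amount:          # check: a negative amount passes too
            pause()                         # TOCTOU window between check and write
            with self._lock:                # the write itself is atomic, like an UPDATE
                self.balance -= amount
            return True
        return False


class SafeLedger:
    """Amount validated up front; check and debit are one critical section."""

    def __init__(self, balance: int):
        self.balance = balance
        self._lock = threading.Lock()

    def transfer(self, amount, pause=lambda: None) -> bool:
        if not valid_amount(amount):
            return False
        with self._lock:
            if self.balance < amount:
                return False
            pause()
            self.balance -= amount
            return True


def concurrent_transfers(ledger, amount: int, parties: int = 2):
    """Fire `parties` simultaneous transfers of `amount`.

    A barrier inside the TOCTOU window makes the interleaving deterministic:
    every request that reached the window has already passed the balance check.
    Returns (successful_transfers, final_balance).
    """
    barrier = threading.Barrier(parties, timeout=0.5)

    def pause():
        try:
            barrier.wait()
        except threading.BrokenBarrierError:
            pass    # the locked ledger never lets a second thread reach this point

    results = []

    def worker():
        results.append(ledger.transfer(amount, pause))

    threads = [threading.Thread(target=worker) for _ in range(parties)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), ledger.balance
```

Two concurrent 60-unit transfers from a 100-unit balance both succeed on the vulnerable ledger and leave it at -20; on the safe ledger exactly one succeeds. A transfer of -50 on the vulnerable ledger credits the account.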

ISO 27001:2022 Coverage

11 Annex A controls mapped including A.8.28 (Secure coding), A.5.17 (Authentication info), A.8.24 (Cryptography), A.8.3 (Access restriction), A.8.20 (Network security)

v4.1.0 - Full Multi-Framework Annotations: Middleware & Services


@OmarRao OmarRao released this 22 Jun 17:45

What's New

All 6 middleware and service modules now carry the same 5-framework annotation standard as app.py.

Files Updated

New framework coverage per file:

  • middleware/auth.py: PCI DSS Req 6.2.4/7.2/7.3/8.3.6/8.6.x; NIST AC-3/6, IA-5/8, SC-5/8/13, SI-10; SANS Top 25
  • services/crypto_service.py: PCI DSS Req 3.3.1/3.5.1/4.2.1/8.3.6/8.6.3; NIST IA-5(1), SC-13/28, SI-3/10; SANS Top 25
  • services/email.py: PCI DSS Req 1.3/6.2.4/8.6.x; NIST AC-4, SC-7, SI-10; SANS Top 25
  • services/logger.py: PCI DSS Req 3.3.1/3.4/6.2.4/10.3.3; NIST AU-3/9, SC-28, SI-10; SANS Top 25
  • services/notification.py: PCI DSS Req 1.3/6.2.4/7.3/8.6.x; NIST AC-3/4, SC-7, SI-10; SANS Top 25
  • services/search.py: PCI DSS Req 1.3/6.2.4; NIST AC-4, AU-3, SC-7, SI-10; SANS Top 25

New Vulnerability Findings Added During Annotation Pass

  • services/crypto_service.py - CWE-208 (timing attack) in verify_signature() via non-constant-time ==
  • services/email.py - CWE-915 (mass assignment) in update_email_preferences()
  • services/notification.py - CWE-285 BOLA in delete_notification() - no ownership check
  • services/search.py - CWE-208 username enumeration in suggest_users() autocomplete
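
Added example, not code from the release or from services/crypto_service.py: why a non-constant-time == on a MAC is a finding. leaky_equal reproduces the early-exit behaviour of == and reports how many bytes it examined before stopping; that count stands in for the response time a remote attacker would measure. forge_tag uses it as an oracle to recover a valid tag one byte at a time, and safe_verify shows the hmac.compare_digest replacement, against which the same search recovers nothing. KEY, the message and the helper names are constructed for this illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed for this example; load from config in practice


def sign(message: bytes) -> bytes:
    return hmac.new(KEY, message, hashlib.sha256).digest()


def leaky_equal(a: bytes, b: bytes):
    """Early-exit comparison, i.e. what == does on bytes. Returns (equal,
    bytes_examined); the count models the timing side channel."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def vulnerable_verify(message: bytes, tag: bytes):
    """The finding: signature compared with an early-exit equality."""
    return leaky_equal(sign(message), tag)


def safe_verify(message: bytes, tag: bytes) -> bool:
    """The fix: constant-time comparison, no early exit to measure."""
    return hmac.compare_digest(sign(message), tag)


def safe_oracle(message: bytes, tag: bytes):
    """compare_digest exposes nothing beyond the boolean, so the count is constant."""
    return safe_verify(message, tag), 0


def forge_tag(message: bytes, oracle, length: int = 32) -> bytes:
    """Recover a tag for `message` byte by byte: at each position keep the
    candidate that made the oracle examine the most bytes, i.e. the one that
    matched and let the comparison move on to the next position."""
    guess = bytearray(length)
    for pos in range(length):
        best_byte, best_depth = 0, -1
        for candidate in range(256):
            guess[pos] = candidate
            accepted, depth = oracle(message, bytes(guess))
            if accepted:
                return bytes(guess)
            if depth > best_depth:
                best_byte, best_depth = candidate, depth
        guess[pos] = best_byte
    return bytes(guess)
```

Against vulnerable_verify the search needs at most 32 x 256 queries to produce a tag that verifies; against safe_oracle every candidate scores the same and the result is garbage. Real measurements are noisier than this count, which is why the finding is rated on the comparison rather than on a demonstrated exploit.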

Framework Coverage (All Modules Combined)

  • PCI DSS v4.0 - 15+ requirements across payment, auth, crypto, access control, logging, network
  • NIST SP 800-53 Rev 5 - 20+ controls across AC, AU, CA, CM, IA, SA, SC, SI families
  • SANS/CWE Top 25 (2023) - #2 XSS, #3 SQLi, #5 OS CMDi, #8 Path Traversal, #9 CSRF, #18 Hardcoded Creds, #19 SSRF; XXE (CWE-611) is also annotated but is not on the 2023 list (it last ranked #24, in the 2022 list)

v4.0.0 - Multi-Framework Security Annotations


@OmarRao OmarRao released this 22 Jun 17:10

What's New

Five Security Frameworks - One Codebase

Every vulnerability in VulnBank now carries annotations for 5 security frameworks simultaneously:

New in v4.0.0:

  • PCI DSS v4.0 - 13 requirements mapped across all vulnerability types. Particularly relevant given VulnBank's banking context. Key mappings: Req 6.2.4 (all injection classes), Req 7.x (access control), Req 8.x (authentication), Req 3.x/4.x (cryptography).

  • NIST SP 800-53 Rev 5 - 17 controls across 7 control families: SI-10 (input validation), AC-3/4/6 (access enforcement + least privilege), SC-5/7/8/13 (comms/boundary/crypto protection), IA-5/8 (authentication), CM-6/7 (config management), SI-3 (malicious code).

  • SANS/CWE Top 25 (2023) - 13 CWEs tracked: eight from the 2023 ranking (#2 XSS, #3 SQLi, #5 OS CMDi, #8 Path Traversal, #9 CSRF, #15 Deserialization of Untrusted Data/CWE-502, #18 Hardcoded Creds, #19 SSRF) plus CWE-611 (XXE, last ranked #24 in the 2022 list), CWE-347, CWE-601, CWE-916 and CWE-1333, which fall outside the 2023 Top 25.

Previously existing:

  • CWE identifiers
  • MITRE ATT&CK v14 technique IDs
  • OWASP Top 10 2021 / API Top 10 2023 / LLM Top 10 2025

README Framework Tables

Three new reference tables added:

  • PCI DSS v4.0 coverage (13 requirements)
  • NIST SP 800-53 Rev 5 coverage (17 controls, 7 families)
  • SANS/CWE Top 25 ranking table (13 CWEs)

Updated Contributing Guide

New vuln PRs must now include all 5 framework IDs in the inline comment annotation.

v3.0.0 - Latest Threat Classes


@OmarRao OmarRao released this 17 Jun 14:34

Latest Threat Classes

10 new vulnerability patterns added across 6 new CWE categories. VulnBank now covers 500+ findings, 28 CWE categories, and 14 MITRE ATT&CK techniques.

New Vulnerabilities

Endpoint, vulnerability and the standard it is mapped to:

  • GET /notify: SSTI, Jinja2 template injection via the unsanitised msg param. CWE-94
  • POST /api/ai/advice: Prompt Injection, user input concatenated into the LLM system prompt. OWASP LLM01:2025
  • POST /api/users/update: Mass Assignment, unrestricted JSON field merge allows role escalation. CWE-915 / OWASP API3:2023
  • POST /api/token/verify: JWT Algorithm Confusion, "alg":"none" accepted so the signature is never checked. CWE-347 / OWASP API2:2023
  • GET /api/transactions/<id>: BOLA, no ownership check, any user reads any transaction. CWE-285 / OWASP API1:2023
  • GET /api/validate/email: ReDoS, catastrophic regex backtracking on crafted input. CWE-1333
  • GET /api/account/balance: CORS Misconfiguration, wildcard origin with credentials allows cross-origin data theft. CWE-942
  • POST /api/import/statement: XXE, XML external entity via an unprotected ElementTree parser. CWE-611
  • POST /api/settings/merge: Prototype Pollution, unrestricted dict merge overwrites internal keys. CWE-1321
  • GET /api/redirect: HTTP Response Splitting, unsanitised Location header, CRLF injectable. CWE-113
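
Added example, not code from the release or from the /api/token/verify handler: a self-contained HS256 issuer alongside two verifiers. vulnerable_verify honours whatever alg the token's header names, so a token with "alg":"none" and an empty signature segment is accepted with attacker-chosen claims; safe_verify pins the algorithm on the server side and checks the MAC in constant time. SECRET, the claim names and the function names are constructed for this illustration, and the encoding is hand-rolled so the block runs without a JWT library.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed for this example; load from config in practice
ALGORITHM = "HS256"                   # chosen by the verifier, never by the token


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _hs256(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def issue(claims: dict) -> str:
    """Issue a properly signed HS256 token."""
    signing_input = f"{_b64url(_json({'alg': ALGORITHM, 'typ': 'JWT'}))}.{_b64url(_json(claims))}"
    return f"{signing_input}.{_b64url(_hs256(signing_input))}"


def forge_unsigned(claims: dict) -> str:
    """What the attacker submits: alg=none and an empty signature segment."""
    return f"{_b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{_b64url(_json(claims))}."


def vulnerable_verify(token: str):
    """Trusts the token's own alg; 'none' means the check is skipped. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except ValueError:
        return None
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p))
    if hmac.compare_digest(_hs256(f"{h}.{p}"), _b64url_decode(s)):
        return json.loads(_b64url_decode(p))
    return None


def safe_verify(token: str):
    """Rejects any alg other than the server's own, then checks the MAC. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except ValueError:
        return None
    if header.get("alg") != ALGORITHM or not s:
        return None
    if not hmac.compare_digest(_hs256(f"{h}.{p}"), _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))
```

The same pinning defends against the RS256-to-HS256 variant of the confusion: a verifier that decides the algorithm itself never ends up treating a public key as an HMAC secret.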

Why These?

These are vulnerability classes that feature prominently in current industry rankings and incident reports:

  • Prompt Injection is the #1 LLM security risk (OWASP LLM Top 10 2025)
  • BOLA / Mass Assignment dominate the OWASP API Security Top 10 2023
  • JWT algorithm confusion underpins recent auth bypass CVEs
  • ReDoS has caused production outages at Cloudflare, Stack Overflow, and others

Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy

v2.0.0 - Multi-Module Expansion


@OmarRao OmarRao released this 15 Jun 17:39

Multi-Module Expansion

Major expansion - 400+ security findings across 22 CWE categories and 12 MITRE ATT&CK techniques.

New Modules

Modules and the vulnerabilities each carries:

  • api/auth.py: SAML XXE, JWT bypass, MFA hardcode, OAuth SSRF
  • api/accounts.py: IDOR, CMDi, SSRF, dynamic SQLi
  • api/admin.py: Unauthenticated endpoints, pickle RCE, mass SQLi
  • api/files.py: Unrestricted upload, path traversal, CMDi
  • api/loans.py: Business logic abuse, injection
  • api/payments.py: CSRF, race conditions
  • api/reports.py: CSV injection, XSS, path traversal
  • api/transactions.py: IDOR, SQLi
  • api/users.py: Mass assignment, enumeration
  • services/crypto_service.py: MD5, ECB mode, hardcoded IV
  • services/email.py: Header injection, SSRF
  • services/logger.py: Log injection, sensitive data in logs
  • services/notification.py: SSRF, template injection
  • services/search.py: SQLi, SSRF, XXE
  • middleware/auth.py: JWT algorithm confusion, bypass
  • jobs/scheduled.py: CMDi, path traversal in cron
  • utils/formatters.py: SSTI, CSV injection
  • utils/validators.py: Regex DoS, bypass patterns

New CWE Types Added

CWE-208, CWE-209, CWE-285, CWE-312, CWE-347, CWE-434, CWE-532, CWE-601, CWE-916, CWE-1236

v1.0.0 - Initial VulnBank Release


@OmarRao OmarRao released this 15 Jun 17:39

Initial release of VulnBank - deliberately vulnerable Flask banking app. 12 CWE types, 6 MITRE ATT&CK techniques. Test target for SecureScope.

Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy
https://www.linkedin.com/in/omarrao/