Releases: OmarRao/analyzer
v6.0.0 — LDAP, OAuth, 2FA Bypass, Password Reset Poisoning, GraphQL, JWT Confusion, Docker, Postman
VulnBank v6.0.0 — New Vulnerability Classes
New Attack Surfaces
LDAP Injection (CWE-90) — api/ldap.py
Filter string injection (`(&(objectClass=user)(uid={username}))`), anonymous search, plaintext password return
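The filter above, built unsafely and then with RFC 4515 escaping, as an added example that is not VulnBank's code; the usernames in the comments and tests are constructed inputs, and no LDAP client library is needed to run it.

```python
# Added example (not VulnBank's own code): the filter the release notes describe,
# (&(objectClass=user)(uid={username})), assembled unsafely and then safely.
# Escaping follows RFC 4515 section 3 so that input cannot alter filter structure.


def escape_ldap_filter_value(value: str) -> str:
    """Escape every character that has meaning inside an LDAP search filter."""
    # Backslash first, so the backslashes introduced below are not escaped twice.
    value = value.replace("\\", r"\5c")
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00")):
        value = value.replace(ch, esc)
    return value


def build_user_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: user input interpolated into the filter verbatim."""
    return f"(&(objectClass=user)(uid={username}))"


def build_user_filter_safe(username: str) -> str:
    """Hardened version: metacharacters in the input become escape sequences."""
    return f"(&(objectClass=user)(uid={escape_ldap_filter_value(username)}))"


def filter_is_well_formed(ldap_filter: str) -> bool:
    """Cheap structural check: this filter template always has exactly three
    opening and three closing parentheses; any other count means the input
    changed the filter's structure (useful as a pre-query assertion or log hook)."""
    return ldap_filter.count("(") == 3 and ldap_filter.count(")") == 3
```

For a plain username such as `alice` both builders produce the same filter; for a constructed input such as `al*ce)` only the safe builder keeps the structure intact.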
OAuth Misconfiguration — api/oauth.py
Missing state parameter, open redirect on callback, SSRF via user-controlled token_endpoint, hardcoded client_secret, weak access tokens
2FA Bypass — api/mfa.py
Hardcoded master bypass code
v5.0.0 - Complete 6-Framework Coverage + CWE-362/CWE-840
VulnBank v5.0.0 - Complete 6-Framework Coverage + New Vulnerability Classes
6-Framework Annotation Standard
Every vulnerability in every file now annotated with:
- CWE identifier
- MITRE ATT&CK v14 technique
- OWASP Top 10 / API Security / LLM Top 10
- PCI DSS v4.0 requirements
- NIST SP 800-53 Rev 5 controls
- SANS/CWE Top 25 (2023) rankings
- ISO 27001:2022 Annex A controls (NEW)
Files Annotated in v5.0.0
- config.py, models.py
- api/auth.py, accounts.py, admin.py, files.py, loans.py, payments.py, reports.py, transactions.py, users.py
- jobs/scheduled.py
- utils/formatters.py, validators.py
New Vulnerability Classes
- CWE-362: Race condition/TOCTOU on /api/transfer/bulk (double-spend via concurrent requests)
- CWE-840: Business logic flaw on /api/transfer/negative (negative amount balance theft)
ISO 27001:2022 Coverage
11 Annex A controls mapped including A.8.28 (Secure coding), A.5.17 (Authentication info), A.8.24 (Cryptography), A.8.3 (Access restriction), A.8.20 (Network security)
v4.1.0 - Full Multi-Framework Annotations: Middleware & Services
What's New
All 6 middleware and service modules now carry the same 5-framework annotation standard as app.py.
Files Updated
| File | New Framework Coverage |
|---|---|
| middleware/auth.py | PCI DSS Req 6.2.4/7.2/7.3/8.3.6/8.6.x; NIST AC-3/6, IA-5/8, SC-5/8/13, SI-10; SANS Top 25 |
| services/crypto_service.py | PCI DSS Req 3.3.1/3.5.1/4.2.1/8.3.6/8.6.3; NIST IA-5(1), SC-13/28, SI-3/10; SANS Top 25 |
| services/email.py | PCI DSS Req 1.3/6.2.4/8.6.x; NIST AC-4, SC-7, SI-10; SANS Top 25 |
| services/logger.py | PCI DSS Req 3.3.1/3.4/6.2.4/10.3.3; NIST AU-3/9, SC-28, SI-10; SANS Top 25 |
| services/notification.py | PCI DSS Req 1.3/6.2.4/7.3/8.6.x; NIST AC-3/4, SC-7, SI-10; SANS Top 25 |
| services/search.py | PCI DSS Req 1.3/6.2.4; NIST AC-4, AU-3, SC-7, SI-10; SANS Top 25 |
New Vulnerability Findings Added During Annotation Pass
- services/crypto_service.py - CWE-208 (timing attack) in verify_signature() via non-constant-time ==
- services/email.py - CWE-915 (mass assignment) in update_email_preferences()
- services/notification.py - CWE-285 BOLA in delete_notification() - no ownership check
- services/search.py - CWE-208 username enumeration in suggest_users() autocomplete
Framework Coverage (All Modules Combined)
- PCI DSS v4.0 - 15+ requirements across payment, auth, crypto, access control, logging, network
- NIST SP 800-53 Rev 5 - 20+ controls across AC, AU, CA, CM, IA, SA, SC, SI families
- SANS/CWE Top 25 - #2 XSS, #3 SQLi, #5 CMDi, #8 Path Traversal, #9 CSRF, #18 Hardcoded Creds, #19 SSRF, #23 XXE
v4.0.0 - Multi-Framework Security Annotations
What's New
Five Security Frameworks - One Codebase
Every vulnerability in VulnBank now carries annotations for 5 security frameworks simultaneously:
New in v4.0.0:
- PCI DSS v4.0 - 13 requirements mapped across all vulnerability types. Particularly relevant given VulnBank's banking context. Key mappings: Req 6.2.4 (all injection classes), Req 7.x (access control), Req 8.x (authentication), Req 3.x/4.x (cryptography).
- NIST SP 800-53 Rev 5 - 17 controls across 7 control families: SI-10 (input validation), AC-3/4/6 (access enforcement + least privilege), SC-5/7/8/13 (comms/boundary/crypto protection), IA-5/8 (authentication), CM-6/7 (config management), SI-3 (malicious code).
- SANS/CWE Top 25 (2023) - 10 of the top-ranked dangerous weakness categories represented: #2 XSS, #3 SQLi, #5 OS CMDi, #8 Path Traversal, #9 CSRF, #18 Hardcoded Creds, #19 SSRF, #23 XXE, plus CWE-502, CWE-347, CWE-601, CWE-916, CWE-1333.
Previously existing:
- CWE identifiers
- MITRE ATT&CK v14 technique IDs
- OWASP Top 10 2021 / API Top 10 2023 / LLM Top 10 2025
README Framework Tables
Three new reference tables added:
- PCI DSS v4.0 coverage (13 requirements)
- NIST SP 800-53 Rev 5 coverage (17 controls, 7 families)
- SANS/CWE Top 25 ranking table (13 CWEs)
Updated Contributing Guide
New vuln PRs must now include all 5 framework IDs in the inline comment annotation.
v3.0.0 - Latest Threat Classes
Latest Threat Classes
10 new vulnerability patterns added across 6 new CWE categories. VulnBank now covers 500+ findings, 28 CWE categories, and 14 MITRE ATT&CK techniques.
New Vulnerabilities
| Endpoint | Vulnerability | Standard |
|---|---|---|
| GET /notify | SSTI - Jinja2 template injection via unsanitised msg param | CWE-94 |
| POST /api/ai/advice | Prompt Injection - user input concatenated into LLM system prompt | OWASP LLM01:2025 |
| POST /api/users/update | Mass Assignment - unrestricted JSON field merge allows role escalation | CWE-915 / OWASP API3:2023 |
| POST /api/token/verify | JWT Algorithm Confusion - "alg":"none" accepted, signature bypassed | CWE-347 / OWASP API2:2023 |
| GET /api/transactions/<id> | BOLA - no ownership check, any user reads any transaction | CWE-285 / OWASP API1:2023 |
| GET /api/validate/email | ReDoS - catastrophic regex backtracking on crafted input | CWE-1333 |
| GET /api/account/balance | CORS Misconfiguration - wildcard origin + credentials allows cross-origin data theft | CWE-942 |
| POST /api/import/statement | XXE - XML external entity via unprotected ElementTree parser | CWE-611 |
| POST /api/settings/merge | Prototype Pollution - unrestricted dict merge overwrites internal keys | CWE-1321 |
| GET /api/redirect | HTTP Response Splitting - unsanitised Location header, CRLF injectable | CWE-113 |
Why These?
These are the vulnerability classes most commonly exploited in recent breaches:
- Prompt Injection is the #1 LLM security risk (OWASP LLM Top 10 2025)
- BOLA / Mass Assignment dominate the OWASP API Security Top 10 2023
- JWT algorithm confusion underpins recent auth bypass CVEs
- ReDoS has caused production outages at Cloudflare, Stack Overflow, and others
Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy
v2.0.0 - Multi-Module Expansion
Multi-Module Expansion
Major expansion - 400+ security findings across 22 CWE categories and 12 MITRE ATT&CK techniques.
New Modules
| Module | Vulnerabilities |
|---|---|
| api/auth.py | SAML XXE, JWT bypass, MFA hardcode, OAuth SSRF |
| api/accounts.py | IDOR, CMDi, SSRF, dynamic SQLi |
| api/admin.py | Unauthenticated endpoints, pickle RCE, mass SQLi |
| api/files.py | Unrestricted upload, path traversal, CMDi |
| api/loans.py | Business logic abuse, injection |
| api/payments.py | CSRF, race conditions |
| api/reports.py | CSV injection, XSS, path traversal |
| api/transactions.py | IDOR, SQLi |
| api/users.py | Mass assignment, enumeration |
| services/crypto_service.py | MD5, ECB mode, hardcoded IV |
| services/email.py | Header injection, SSRF |
| services/logger.py | Log injection, sensitive data in logs |
| services/notification.py | SSRF, template injection |
| services/search.py | SQLi, SSRF, XXE |
| middleware/auth.py | JWT algorithm confusion, bypass |
| jobs/scheduled.py | CMDi, path traversal in cron |
| utils/formatters.py | SSTI, CSV injection |
| utils/validators.py | Regex DoS, bypass patterns |
New CWE Types Added
CWE-208, CWE-209, CWE-285, CWE-312, CWE-347, CWE-434, CWE-532, CWE-601, CWE-916, CWE-1236
v1.0.0 - Initial VulnBank Release
Initial release of VulnBank - deliberately vulnerable Flask banking app. 12 CWE types, 6 MITRE ATT&CK techniques. Test target for SecureScope.

Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy
https://www.linkedin.com/in/omarrao/