Add Password Policy Bypass (#290)

* Add Password Policy Bypass

* Fix Pass Policy JSON validation error

CHANGELOG.md

@@ -20,6 +20,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/) and this p
 - server_side_injection.content_spoofing.impersonation_via_broken_link_hijacking
 - cross_site_request_forgery_csrf.flash_based.high_impact
 - cross_site_request_forgery_csrf.flash_based.low_impact
+- insufficient_security_configurability.password_policy_bypass
 
 ### Removed
 - sensitive_data_exposure.critically_sensitive_data.password_disclosure

mappings/cwe/cwe.json

@@ -337,6 +337,10 @@
           "id": "no_password_policy",
           "cwe": ["CWE-521"]
         },
+        {
+          "id": "password_policy_bypass",
+          "cwe": ["CWE-521"]
+        },
         {
           "id": "weak_password_reset_implementation",
           "cwe": ["CWE-640"]

mappings/remediation_advice/remediation_advice.json

@@ -1022,6 +1022,10 @@
             "https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md#implement-proper-password-strength-controls"
           ]
         },
+        {
+          "id": "password_policy_bypass",
+          "remediation_advice": "Consider eliminating any potential for users bypassing your platform's password policy enforcement. For instance if the password policy is only enforced on the client side, consider adding a corresponding validation on the server side."
+        },
         {
           "id": "weak_password_reset_implementation",
           "references": [

vulnerability-rating-taxonomy.json

@@ -1511,6 +1511,12 @@
           "type": "subcategory",
           "priority": 4
         },
+        {
+          "id": "password_policy_bypass",
+          "name": "Password Policy Bypass",
+          "type": "subcategory",
+          "priority": 5
+        },
         {
           "id": "weak_password_reset_implementation",
           "name": "Weak Password Reset Implementation",