v1.2

@barnett barnett released this 04 Aug 19:49
· 129 commits to master since this release

Available on Bugcrowd here: https://bugcrowd.com/vulnerability-rating-taxonomy/1.2

Added

  • sensitive_data_exposure.visible_detailed_error_page.descriptive_stack_trace
  • sensitive_data_exposure.visible_detailed_error_page.detailed_server_configuration
  • unvalidated_redirects_and_forwards.open_redirect.get_based
  • sensitive_data_exposure.internal_ip_disclosure
  • sensitive_data_exposure.visible_detailed_error_page.full_path_disclosure
  • server_security_misconfiguration.cookie_scoped_to_parent_domain
  • client_side_injection.binary_planting
  • client_side_injection.binary_planting.privilege_escalation
  • client_side_injection.binary_planting.no_privilege_escalation
  • sensitive_data_exposure.token_leakage_via_referer.trusted_3rd_party
  • sensitive_data_exposure.token_leakage_via_referer.untrusted_3rd_party
  • server_security_misconfiguration.fingerprinting_banner_disclosure
  • server_security_misconfiguration.lack_of_password_confirmation.manage_two_fa
  • sensitive_data_exposure.json_hijacking
  • cross_site_request_forgery_csrf.action_specific.logout
  • broken_authentication_and_session_management.privilege_escalation
  • insecure_data_transport.executable_download
  • insecure_data_transport.executable_download.no_secure_integrity_check
  • insecure_data_transport.executable_download.secure_integrity_check
  • server_security_misconfiguration.rfd
  • sensitive_data_exposure.xssi
  • server_security_misconfiguration.misconfigured_dns.zone_transfer
  • insufficient_security_configurability.weak_password_policy.no_password_policy
  • insecure_data_storage.server_side_credentials_storage
  • insecure_data_storage.server_side_credentials_storage.plaintext

Removed

  • unvalidated_redirects_and_forwards.open_redirect.get_based_all_users
  • unvalidated_redirects_and_forwards.open_redirect.get_based_authenticated
  • unvalidated_redirects_and_forwards.open_redirect.get_based_unauthenticated
  • sensitive_data_exposure.token_leakage_via_referer.over_https
  • sensitive_data_exposure.mixed_content.sensitive_data_disclosure
  • sensitive_data_exposure.mixed_content.requires_being_a_man_in_the_middle
  • broken_authentication_and_session_management.session_token_in_url
  • broken_authentication_and_session_management.session_token_in_url.over_http
  • broken_authentication_and_session_management.session_token_in_url.over_https
  • broken_authentication_and_session_management.authentication_bypass.vertical
  • broken_authentication_and_session_management.authentication_bypass.horizontal
  • insecure_data_storage.credentials_stored_unencrypted
  • insecure_data_storage.credentials_stored_unencrypted.on_external_storage
  • insecure_data_storage.credentials_stored_unencrypted.on_internal_storage
  • insecure_data_storage.insecure_data_storage
  • insecure_data_storage.insecure_data_storage.password
  • insufficient_security_configurability.weak_password_policy.complexity_both_length_and_char_type_not_enforced
  • insufficient_security_configurability.weak_password_policy.complexity_length_not_enforced
  • insufficient_security_configurability.weak_password_policy.complexity_char_type_not_enforced
  • insufficient_security_configurability.weak_password_policy.allows_reuse_of_old_passwords
  • insufficient_security_configurability.weak_password_policy.allows_password_to_be_same_as_email_username

Changed

  • sensitive_data_exposure.visible_detailed_error_page name changed from 'Visible Detailed Error Page' to 'Visible Detailed Error/Debug Page'
  • server_security_misconfiguration.mail_server_misconfiguration.missing_dmarc name changed from 'Missing DMARC' to 'Missing DKIM/DMARC'
  • insecure_data_transport.ssl_certificate_pinning moved via category change to mobile_security_misconfiguration.ssl_certificate_pinning
  • insecure_data_transport.ssl_certificate_pinning.absent moved via category change to mobile_security_misconfiguration.ssl_certificate_pinning.absent
  • insecure_data_transport.ssl_certificate_pinning.defeatable moved via category change to mobile_security_misconfiguration.ssl_certificate_pinning.defeatable
  • sensitive_data_exposure.mixed_content name changed from 'Mixed Content' to 'Mixed Content (HTTPS Sourcing HTTP)'
  • sensitive_data_exposure.mixed_content priority changed from null to P5 (because its child entries were removed)
  • broken_authentication_and_session_management.authentication_bypass priority changed from null to P1 (because its child entries were removed)
  • insufficient_security_configurability.weak_password_policy priority changed from null to P5 (because its child entries were removed)