VRT-release-changes (#415)

TimmyBugcrowd · abhinav-nain · web-flow · commit 2553222244c2 · 2024-07-04T12:21:59.000-04:00
* VRT-release-changes

* Update cvss_v3.json

* Update cwe.json

* Adding SCW

---------

Co-authored-by: Abhinav Nain &lt;abhinav.nain@bugcrowd.com&gt;
diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json
@@ -31,6 +31,18 @@
           "id": "unsafe_cross_origin_resource_sharing",
           "cvss_v3": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
         },
+        {
+          "id": "software_package_takeover",
+          "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+        },        
+        {
+          "id": "email_verification_bypass",
+          "cvss_v3": "AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+        },
+        {
+          "id": "missing_subresource_integrity",
+          "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N"
+        },        
         {
           "id": "request_smuggling",
           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
@@ -362,10 +374,6 @@
           "id": "two_fa_bypass",
           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
         },
-        {
-          "id": "privilege_escalation",
-          "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
-        },
         {
           "id": "cleartext_transmission_of_session_token",
           "cvss_v3": "AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"
@@ -581,7 +589,11 @@
             {
               "id": "over_http",
               "cvss_v3": "AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
-            }
+            },
+            {
+              "id": "password_reset_token",
+              "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+            }            
           ]
         },
         {
@@ -715,7 +727,11 @@
         {
           "id": "username_enumeration",
           "cvss_v3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
-        }
+        },
+        {
+          "id": "privilege_escalation",
+          "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"
+        }        
       ]
     },
     {
diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json
@@ -204,10 +204,6 @@
           "id": "two_fa_bypass",
           "cwe": ["CWE-304"]
         },
-        {
-          "id": "privilege_escalation",
-          "cwe": ["CWE-269"]
-        },
         {
           "id": "cleartext_transmission_of_session_token",
           "cwe": ["CWE-319"]
@@ -306,6 +302,10 @@
           "id": "exposed_sensitive_android_intent",
           "cwe": ["CWE-927"]
         },
+        {
+          "id": "privilege_escalation",
+          "cwe": ["CWE-269"]
+        },        
         {
           "id": "exposed_sensitive_ios_url_scheme",
           "cwe": ["CWE-939"]
diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json
@@ -33,6 +33,30 @@
             "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
           ]
         },
+        {
+          "id": "email_verification_bypass",
+          "remediation_advice": "1. **Implement Robust Token Validation:** Ensure that any token used for email verification is securely generated and validated. Tokens should be long, random, and use secure hashing algorithms to prevent guessing attacks.\n2. **Secure Transmission:** Use HTTPS to protect the transmission of tokens over the network. Ensure that the tokens are not leaked via URLs in the `Referer` header by instructing users to avoid clicking on links from untrusted sources or by implementing measures to strip sensitive information from URLs.\n3. **Expire Tokens Quickly:** Set a short expiration time for verification tokens to limit the window of opportunity for an attacker. Once a token is used or expires, it should be invalidated immediately to prevent reuse.",
+          "references": [
+             "https://owasp.org/www-community/attacks/Email_Injection",
+             "https://portswigger.net/web-security/email-security"
+          ]
+        },
+        {
+          "id": "missing_subresource_integrity",
+          "remediation_advice": "1. **Implement SRI:** Add an `integrity` attribute with a base64-encoded hash to `<script>` and `<link>` tags for external resources. \n2. **Validate Hashes:** Always check the hashes of resources yourself before implementation to ensure they haven't been altered. \n3. **Update Hashes Regularly:** Monitor and update the hashes to reflect changes in the external libraries or resources you use.",
+          "references": [
+             "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity",
+             "https://www.w3.org/TR/SRI/"
+          ]
+        },
+        {
+          "id": "software_package_takeover",
+          "remediation_advice": "1. **Monitor Dependencies:** Regularly review and update the dependencies in your software projects to ensure they are secure and maintained. Use tools that can automatically check for outdated or vulnerable packages. \n2. **Secure Access Rights:** Restrict and monitor access to package management systems and repositories to prevent unauthorized changes. Use two-factor authentication and strong access controls. \n3. **Verify Package Integrity:** Before deployment, verify the integrity and authenticity of packages using signatures or other verification methods.",
+          "references": [
+            "https://owasp.org/www-community/attacks/Subdomain_Takeover",
+            "https://snyk.io/blog/ten-git-hub-security-best-practices/"
+          ]
+        },                        
         {
           "id": "request_smuggling",
           "remediation_advice": "Implement a robust security configuration, including secure parsing and handling of HTTP requests, and consider deploying a Web Application Firewall (WAF) to detect and mitigate potential smuggling attacks.",
@@ -932,6 +956,14 @@
             "https://www.owasp.org/index.php/Mobile_Top_10_2016-M1-Improper_Platform_Usage"
           ]
         },
+        {
+          "id": "privilege_escalation",
+          "remediation_advice": "1. **Least Privilege Principle:** Enforce the least privilege principle by ensuring that users and processes operate using the minimum permissions necessary to perform their tasks. \n2. **Regular Audits:** Conduct regular audits of system permissions and user roles to identify and rectify excessive permissions or misconfigurations. \n3. **Patch Management:** Keep all systems, applications, and services up to date with the latest security patches to close vulnerabilities that could be exploited for privilege escalation.",
+          "references": [
+             "https://owasp.org/www-community/attacks/Privilege_escalation",
+             "https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege"
+          ]
+        },        
         {
           "id": "exposed_sensitive_ios_url_scheme",
           "remediation_advice": "Apple does not enforce the unique naming for App schemes, making it possible for a malicious app to use the same URL Scheme as a legitimate app, effectively hijacking the URL Scheme. As a result, it is important to keep the URL Scheme from being exposed.",
diff --git a/third-party-mappings/remediation_training/secure-code-warrior-links.json b/third-party-mappings/remediation_training/secure-code-warrior-links.json
@@ -88,6 +88,9 @@
   "server_security_misconfiguration.waf_bypass": null,
   "server_security_misconfiguration.waf_bypass.direct_server_access": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:waf_bypass:direct_server_access&redirect=true",
   "server_security_misconfiguration.race_condition": null,
+  "server_security_misconfiguration.email_verification_bypass": null,
+  "server_security_misconfiguration.missing_subresource_integrity": null,
+  "server_security_misconfiguration.software_package_takeover": null,
   "server_security_misconfiguration.cache_poisoning": null,
   "server_security_misconfiguration.bitsquatting": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:bitsquatting&redirect=true",
   "server_side_injection": null,
@@ -118,7 +121,6 @@
   "broken_authentication_and_session_management": null,
   "broken_authentication_and_session_management.authentication_bypass": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_authentication_and_session_management:authentication_bypass&redirect=true",
   "broken_authentication_and_session_management.two_fa_bypass": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_authentication_and_session_management:two_fa_bypass&redirect=true",
-  "broken_authentication_and_session_management.privilege_escalation": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_authentication_and_session_management:privilege_escalation&redirect=true",
   "broken_authentication_and_session_management.cleartext_transmission_of_session_token": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_authentication_and_session_management:cleartext_transmission_of_session_token&redirect=true",
   "broken_authentication_and_session_management.weak_login_function": null,
   "broken_authentication_and_session_management.weak_login_function.not_operational": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_authentication_and_session_management:weak_login_function:not_operational&redirect=true",
@@ -160,6 +162,7 @@
   "sensitive_data_exposure.token_leakage_via_referer.trusted_third_party": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=sensitive_data_exposure:token_leakage_via_referer:trusted_third_party&redirect=true",
   "sensitive_data_exposure.token_leakage_via_referer.untrusted_third_party": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=sensitive_data_exposure:token_leakage_via_referer:untrusted_third_party&redirect=true",
   "sensitive_data_exposure.token_leakage_via_referer.over_http": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=sensitive_data_exposure:token_leakage_via_referer:over_http&redirect=true",
+  "sensitive_data_exposure.token_leakage_via_referer.password_reset_token": null,
   "sensitive_data_exposure.sensitive_token_in_url": null,
   "sensitive_data_exposure.sensitive_token_in_url.user_facing": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=sensitive_data_exposure:sensitive_token_in_url:user_facing&redirect=true",
   "sensitive_data_exposure.sensitive_token_in_url.in_the_background": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=sensitive_data_exposure:sensitive_token_in_url:in_the_background&redirect=true",
@@ -206,6 +209,7 @@
   "broken_access_control.username_enumeration": null,
   "broken_access_control.username_enumeration.non_brute_force": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_access_control:username_enumeration:non_brute_force&redirect=true",
   "broken_access_control.exposed_sensitive_android_intent": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_access_control:exposed_sensitive_android_intent&redirect=true",
+  "broken_access_control.privilege_escalation": null,
   "broken_access_control.exposed_sensitive_ios_url_scheme": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=broken_access_control:exposed_sensitive_ios_url_scheme&redirect=true",
   "cross_site_request_forgery_csrf": null,
   "cross_site_request_forgery_csrf.application_wide": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=cross_site_request_forgery_csrf:application_wide&redirect=true",
diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json
@@ -554,6 +554,24 @@
           "type": "subcategory",
           "priority": null
         },
+        {
+          "id": "email_verification_bypass",
+          "name": "Email Verification Bypass",
+          "type": "subcategory",
+          "priority": 5
+        },
+        {
+          "id": "missing_subresource_integrity",
+          "name": "Missing Subresource Integrity",
+          "type": "subcategory",
+          "priority": 5
+        },      
+        {
+          "id": "software_package_takeover",
+          "name": "Software Package Takeover",
+          "type": "subcategory",
+          "priority": null
+        },                  
         {
           "id": "cache_poisoning",
           "name": "Cache Poisoning",
@@ -741,12 +759,6 @@
           "type": "subcategory",
           "priority": 3
         },
-        {
-          "id": "privilege_escalation",
-          "name": "Privilege Escalation",
-          "type": "subcategory",
-          "priority": null
-        },
         {
           "id": "cleartext_transmission_of_session_token",
           "name": "Cleartext Transmission of Session Token",
@@ -999,7 +1011,13 @@
               "name": "Over HTTP",
               "type": "variant",
               "priority": 4
-            }
+            },
+            {
+              "id": "password_reset_token",
+              "name": "Password Reset Token",
+              "type": "subcategory",
+              "priority": 5
+            }         
           ]
         },
         {
@@ -1289,6 +1307,12 @@
           "type": "subcategory",
           "priority": null
         },
+        {
+          "id": "privilege_escalation",
+          "name": "Privilege Escalation",
+          "type": "subcategory",
+          "priority": null
+        },        
         {
           "id": "exposed_sensitive_ios_url_scheme",
           "name": "Exposed Sensitive iOS URL Scheme",
