From a1cf9a020a93eeb655eacb72ce040ea56db4262d Mon Sep 17 00:00:00 2001 From: TimmyBc Date: Sun, 20 Apr 2025 11:10:16 +0200 Subject: [PATCH 1/5] GraphQL Introspection Enabled - P5 #450 --- mappings/cvss_v3/cvss_v3.json | 4 ++++ mappings/cwe/cwe.json | 6 ++++++ mappings/remediation_advice/remediation_advice.json | 6 +++++- vulnerability-rating-taxonomy.json | 6 ++++++ 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json index d1b042e1..6f00745c 100644 --- a/mappings/cvss_v3/cvss_v3.json +++ b/mappings/cvss_v3/cvss_v3.json @@ -921,6 +921,10 @@ { "id": "sensitive_data_exposure", "children": [ + { + "id": "graphql_introspection_enabled", + "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, { "id": "disclosure_of_known_public_information", "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N" diff --git a/mappings/cwe/cwe.json b/mappings/cwe/cwe.json index cadb68a2..786f2999 100644 --- a/mappings/cwe/cwe.json +++ b/mappings/cwe/cwe.json @@ -774,6 +774,12 @@ "CWE-934" ], "children": [ + { + "id": "graphql_introspection_enabled", + "cwe": [ + "CWE-200" + ] + }, { "id": "disclosure_of_known_public_information", "cwe": [ diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json index e38e5f4c..1373d069 100644 --- a/mappings/remediation_advice/remediation_advice.json +++ b/mappings/remediation_advice/remediation_advice.json @@ -1233,10 +1233,14 @@ "https://www.cvedetails.com/vulnerability-list/opginf-1/gain-information.html" ], "children": [ + { + "id": "graphql_introspection_enabled", + "remediation_advice": "Disable GraphQL introspection in production environments to prevent attackers from enumerating the API schema." + }, { "id": "disclosure_of_known_public_information", "remediation_advice": "As a best practice, avoid disclosing known public information unnecessarily." - }, + }, { "id": "disclosure_of_secrets", "remediation_advice": "1. Do not store secrets in source code that is publicly accessible such as in a public GitHub repository.\n2. Critically sensitive data should not be transmitted in cleartext. Make sure to only use `HTTPS` whenever transmitting passwords and private API keys.\n3. Set appropriate headers to prevent caching of sensitive data when served to end-user." diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json index ceaf3193..b89dee98 100644 --- a/vulnerability-rating-taxonomy.json +++ b/vulnerability-rating-taxonomy.json @@ -1836,6 +1836,12 @@ "name": "Sensitive Data Exposure", "type": "category", "children": [ + { + "id": "graphql_introspection_enabled", + "name": "GraphQL Introspection Enabled", + "type": "subcategory", + "priority": 5 + }, { "id": "disclosure_of_known_public_information", "name": "Disclosure of Known Public Information", From a6e415a08f524034a7309f230e98a600e0a1f76b Mon Sep 17 00:00:00 2001 From: TimmyBc Date: Sun, 4 May 2025 10:49:01 +0200 Subject: [PATCH 2/5] Bypass of Password Confirmation on Password Change MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add: Broken Access Control – Bypass of Password Confirmation – Change Password --- mappings/cvss_v3/cvss_v3.json | 4 ++++ mappings/remediation_advice/remediation_advice.json | 7 +++++++ vulnerability-rating-taxonomy.json | 13 +++++++++++++ 3 files changed, 24 insertions(+) diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json index 6f00745c..75d82653 100644 --- a/mappings/cvss_v3/cvss_v3.json +++ b/mappings/cvss_v3/cvss_v3.json @@ -240,6 +240,10 @@ "id": "broken_access_control", "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "children": [ + { + "id": "bypass_of_password_confirmation", + "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" + }, { "id": "privilege_escalation", "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json index 1373d069..8489fb8d 100644 --- a/mappings/remediation_advice/remediation_advice.json +++ b/mappings/remediation_advice/remediation_advice.json @@ -358,6 +358,13 @@ { "id": "broken_access_control", "children": [ + { + "id": "bypass_of_password_confirmation", + "remediation_advice": "Ensure that password confirmation checks are enforced server-side for all sensitive operations. Do not rely solely on client-side enforcement, as it can be bypassed. Use middleware or access control logic to validate the user's current password before processing the request.", + "references": [ + "https://portswigger.net/web-security/access-control" + ] + }, { "id": "exposed_sensitive_android_intent", "remediation_advice": "1. If you use an intent to bind to a Service, ensure that your app is secure by using an explicit intent. Using an implicit intent to start a service is a security risk as you can't be certain what service will respond to the intent, and the user can't see which service starts.\n2. If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications can't register to receive those messages without appropriate permissions. In these circumstances you may also consider invoking the receiver directly rather than raising a broadcast.\n3. By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you may want to apply security permissions to receivers using the element within the application manifest. This prevents applications without appropriate permissions from sending an intent to the BroadcastReceiver.\n", diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json index b89dee98..72397ae5 100644 --- a/vulnerability-rating-taxonomy.json +++ b/vulnerability-rating-taxonomy.json @@ -378,6 +378,19 @@ "name": "Broken Access Control (BAC)", "type": "category", "children": [ + { + "id": "bypass_of_password_confirmation", + "name": "Bypass of Password Confirmation", + "type": "subcategory", + "children": [ + { + "id": "change_password", + "name": "Change Password", + "type": "variant", + "priority": 4 + } + ] + }, { "id": "exposed_sensitive_android_intent", "name": "Exposed Sensitive Android Intent", From 7570040d45c185ee6d5e5548ddaa2508483eeab2 Mon Sep 17 00:00:00 2001 From: TimmyBc Date: Sun, 4 May 2025 10:53:01 +0200 Subject: [PATCH 3/5] Revert "Bypass of Password Confirmation on Password Change" This reverts commit a6e415a08f524034a7309f230e98a600e0a1f76b. --- mappings/cvss_v3/cvss_v3.json | 4 ---- mappings/remediation_advice/remediation_advice.json | 7 ------- vulnerability-rating-taxonomy.json | 13 ------------- 3 files changed, 24 deletions(-) diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json index 75d82653..6f00745c 100644 --- a/mappings/cvss_v3/cvss_v3.json +++ b/mappings/cvss_v3/cvss_v3.json @@ -240,10 +240,6 @@ "id": "broken_access_control", "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "children": [ - { - "id": "bypass_of_password_confirmation", - "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" - }, { "id": "privilege_escalation", "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json index 8489fb8d..1373d069 100644 --- a/mappings/remediation_advice/remediation_advice.json +++ b/mappings/remediation_advice/remediation_advice.json @@ -358,13 +358,6 @@ { "id": "broken_access_control", "children": [ - { - "id": "bypass_of_password_confirmation", - "remediation_advice": "Ensure that password confirmation checks are enforced server-side for all sensitive operations. Do not rely solely on client-side enforcement, as it can be bypassed. Use middleware or access control logic to validate the user's current password before processing the request.", - "references": [ - "https://portswigger.net/web-security/access-control" - ] - }, { "id": "exposed_sensitive_android_intent", "remediation_advice": "1. If you use an intent to bind to a Service, ensure that your app is secure by using an explicit intent. Using an implicit intent to start a service is a security risk as you can't be certain what service will respond to the intent, and the user can't see which service starts.\n2. If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications can't register to receive those messages without appropriate permissions. In these circumstances you may also consider invoking the receiver directly rather than raising a broadcast.\n3. By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you may want to apply security permissions to receivers using the element within the application manifest. This prevents applications without appropriate permissions from sending an intent to the BroadcastReceiver.\n", diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json index 72397ae5..b89dee98 100644 --- a/vulnerability-rating-taxonomy.json +++ b/vulnerability-rating-taxonomy.json @@ -378,19 +378,6 @@ "name": "Broken Access Control (BAC)", "type": "category", "children": [ - { - "id": "bypass_of_password_confirmation", - "name": "Bypass of Password Confirmation", - "type": "subcategory", - "children": [ - { - "id": "change_password", - "name": "Change Password", - "type": "variant", - "priority": 4 - } - ] - }, { "id": "exposed_sensitive_android_intent", "name": "Exposed Sensitive Android Intent", From b7fad0d2789f14782dd04147e920d1c65bce1d1b Mon Sep 17 00:00:00 2001 From: TimmyBc Date: Sun, 4 May 2025 11:25:55 +0200 Subject: [PATCH 4/5] Revert "Bypass of Password Confirmation on Password Change" This reverts commit 3418212fd5ec34b5d96bb48097113c6329265c6c. From 7bff2e7a5224ff295a3121eae32d3c487c804247 Mon Sep 17 00:00:00 2001 From: TimmyBc Date: Sun, 4 May 2025 10:49:01 +0200 Subject: [PATCH 5/5] Bypass of Password Confirmation on Password Change MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add: Broken Access Control – Bypass of Password Confirmation – Change Password --- mappings/cvss_v3/cvss_v3.json | 4 ++++ mappings/remediation_advice/remediation_advice.json | 7 +++++++ vulnerability-rating-taxonomy.json | 13 +++++++++++++ 3 files changed, 24 insertions(+) diff --git a/mappings/cvss_v3/cvss_v3.json b/mappings/cvss_v3/cvss_v3.json index 6f00745c..75d82653 100644 --- a/mappings/cvss_v3/cvss_v3.json +++ b/mappings/cvss_v3/cvss_v3.json @@ -240,6 +240,10 @@ "id": "broken_access_control", "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "children": [ + { + "id": "bypass_of_password_confirmation", + "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" + }, { "id": "privilege_escalation", "cvss_v3": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N" diff --git a/mappings/remediation_advice/remediation_advice.json b/mappings/remediation_advice/remediation_advice.json index 1373d069..8489fb8d 100644 --- a/mappings/remediation_advice/remediation_advice.json +++ b/mappings/remediation_advice/remediation_advice.json @@ -358,6 +358,13 @@ { "id": "broken_access_control", "children": [ + { + "id": "bypass_of_password_confirmation", + "remediation_advice": "Ensure that password confirmation checks are enforced server-side for all sensitive operations. Do not rely solely on client-side enforcement, as it can be bypassed. Use middleware or access control logic to validate the user's current password before processing the request.", + "references": [ + "https://portswigger.net/web-security/access-control" + ] + }, { "id": "exposed_sensitive_android_intent", "remediation_advice": "1. If you use an intent to bind to a Service, ensure that your app is secure by using an explicit intent. Using an implicit intent to start a service is a security risk as you can't be certain what service will respond to the intent, and the user can't see which service starts.\n2. If data within a broadcast intent may be sensitive, you should consider applying a permission to make sure that malicious applications can't register to receive those messages without appropriate permissions. In these circumstances you may also consider invoking the receiver directly rather than raising a broadcast.\n3. By default, receivers are exported and can be invoked by any other application. If your BroadcastReceiver is intended for use by other applications, you may want to apply security permissions to receivers using the element within the application manifest. This prevents applications without appropriate permissions from sending an intent to the BroadcastReceiver.\n", diff --git a/vulnerability-rating-taxonomy.json b/vulnerability-rating-taxonomy.json index b89dee98..72397ae5 100644 --- a/vulnerability-rating-taxonomy.json +++ b/vulnerability-rating-taxonomy.json @@ -378,6 +378,19 @@ "name": "Broken Access Control (BAC)", "type": "category", "children": [ + { + "id": "bypass_of_password_confirmation", + "name": "Bypass of Password Confirmation", + "type": "subcategory", + "children": [ + { + "id": "change_password", + "name": "Change Password", + "type": "variant", + "priority": 4 + } + ] + }, { "id": "exposed_sensitive_android_intent", "name": "Exposed Sensitive Android Intent",