v1.5

@barnett barnett released this 13 Sep 17:14
· 71 commits to master since this release
6315eff

Added

  • unvalidated_redirects_and_forwards.open_redirect.flash_based
  • cross_site_scripting_xss.flash_based
  • server_side_injection.content_spoofing.flash_based_external_authentication_injection
  • broken_authentication_and_session_management.session_fixation.remote_attack_vector
  • broken_authentication_and_session_management.session_fixation.local_attack_vector
  • broken_authentication_and_session_management.cleartext_transmission_of_session_token
  • broken_access_control.server_side_request_forgery_ssrf.dns_query_only
  • mobile_security_misconfiguration.clipboard_enabled
  • mobile_security_misconfiguration.clipboard_enabled.on_sensitive_content
  • mobile_security_misconfiguration.clipboard_enabled.on_non_sensitive_content
  • server_security_misconfiguration.waf_bypass.direct_server_access
  • broken_authentication_and_session_management.two_fa_bypass
  • server_security_misconfiguration.no_rate_limiting_on_form.sms_triggering
  • server_security_misconfiguration.mail_server_misconfiguration.email_spoofing_on_email_domain
  • server_security_misconfiguration.insecure_ssl.certificate_error
  • cross_site_scripting_xss.stored.privileged_user_to_privilege_elevation
  • cross_site_scripting_xss.stored.privileged_user_to_no_privilege_elevation
  • server_security_misconfiguration.clickjacking.form_input
  • server_security_misconfiguration.misconfigured_dns.basic_subdomain_takeover
  • server_security_misconfiguration.misconfigured_dns.high_impact_subdomain_takeover
  • server_security_misconfiguration.captcha
  • server_security_misconfiguration.captcha.missing
  • cross_site_request_forgery_csrf.csrf_token_not_unique_per_request

Removed

  • server_security_misconfiguration.mail_server_misconfiguration.missing_spf_on_email_domain
  • server_security_misconfiguration.mail_server_misconfiguration.email_spoofable_via_third_party_api_misconfiguration
  • cross_site_scripting_xss.stored.admin_to_anyone
  • server_security_misconfiguration.misconfigured_dns.subdomain_takeover
  • server_security_misconfiguration.captcha_bypass

Changed

  • broken_authentication_and_session_management.failure_to_invalidate_session.on_password_change updated remediation advice
  • CWE mapping default changed from [CWE-2000] to null
  • Updated Python version to 3.6
  • cross_site_scripting_xss.stored.non_admin_to_anyone name changed from "Non-Admin to Anyone" to "Non-Privileged User to Anyone"
  • server_security_misconfiguration.clickjacking.sensitive_action name changed from "Sensitive Action" to "Sensitive Click-Based Action"
  • server_security_misconfiguration.captcha_bypass.implementation_vulnerability moved via subcategory change to server_security_misconfiguration.captcha.implementation_vulnerability
  • server_security_misconfiguration.captcha_bypass.brute_force moved via subcategory change to server_security_misconfiguration.captcha.brute_force