vulnerability-rating-taxonomy
vulnerability-rating-taxonomy copied to clipboard
bugcrowd
Updating the SSRF category
Changing the SSRF top category and moving External SSRF to P5. FROM: P2 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact P3 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact P4 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External P5 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only
TO: P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External(GET request)/DNS Query Only
Tests will all need to function and pass before this can be merged, they seem to be failing on invalid syntax in a JSON file. The original submitter of the PR may also be able to assist as needed.
External (GET request) / DNS Query Only might be a bit confusing because it seems to conflate two distinct concepts. I think it's best to keep them separate like below:
- External - GET Request Only
- External - DNS Query Only
Current:
- P2 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact
- P3 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
- P4 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External
- P5 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only
Proposed:
- P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact
- P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
- P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - GET Request Only
- P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only
The tests were failing due to syntax errors in the VRT JSON. I reverted to the last known good version from the master branch. Then, I updated the parent category to Server Security Misconfiguration.
However, the tests continued to fail with the following error:
$ python3 -B lib/validate_vrt.py
...Fs...
======================================================================
FAIL: test_all_vrt_ids_have_all_mappings (tests.test_vrt.TestVrt)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/user/projects/vulnerability-rating-taxonomy/lib/tests/test_vrt.py", line 55, in test_all_vrt_ids_have_all_mappings
self.all_vrt_ids_have_mapping(mapping['filename'], mapping['name'])
File "/Users/user/projects/vulnerability-rating-taxonomy/lib/tests/test_vrt.py", line 50, in all_vrt_ids_have_mapping
self.assertTrue(utils.has_mapping(keyed_mapping, vrt_id_list, key),
AssertionError: False is not true : no cvss_v3 mapping for server_security_misconfiguration.server_side_request_forgery_ssrf.dns_query_only
----------------------------------------------------------------------
Ran 8 tests in 1.136s
FAILED (failures=1, skipped=1)
We might encounter this issue again during reclassification of entries in the future, so I'll document the cause and resolution for future reference.
When SSRF was nested under Broken Access Control, this error didn't occur. The reason is straightforward but not immediately intuitive: the all_vrt_ids_have_mapping() test uses a function called has_mapping(), which recursively verifies the existence of a CVSS V3 mapping for each category, starting from the parent category. While Broken Access Control has a default CVSS mapping, Server Security Misconfiguration does not. The absence of this mapping was the cause of the AssertionError. To resolve this, a specific CVSS mapping was added for dns_query_only under server_side_request_forgery_ssrf in the server_security_misconfiguration category.
Summary of the changes in this PR:
- Recategorized Server-Side Request Forgery (SSRF) from
Broken Access ControltoServer Security Misconfiguration. - Split the
ExternalSSRF variant intoexternal_get_request_onlyanddns_query_only. - Added a specific CVSS v3 mapping for
dns_query_onlyunderserver_side_request_forgery_ssrfin theserver_security_misconfigurationcategory in thecvss_v3.jsonfile. - Updated the corresponding mappings in
mappings/cvss_v3/cvss_v3.json,mappings/cwe/cwe.json, andmappings/remediation_advice/remediation_advice.jsonfiles.
This should fix #339 and #354. If the changes look good, we can merge this.
@vortexau @trimkadriu Please review when you have a chance. Thanks!
As per discussion, I've made changes and this is how it looks now: P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low Impact P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only
@TimmyBugcrowd The agreed option was slightly different. External - Low Impact already covers External - DNS Query Only as well, so we can remove P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only entirely.
It should look like:
- P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact
- P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
- P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low Impact