-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updating the SSRF category #359
Conversation
Tests will all need to function and pass before this can be merged, they seem to be failing on invalid syntax in a JSON file. The original submitter of the PR may also be able to assist as needed. |
This reverts commit 785bd8b.
…curity Misconfiguration`
Current:
Proposed:
|
… Only` and `DNS Query Only`
…nal` SSRF variant
The tests were failing due to syntax errors in the VRT JSON. I reverted to the last known good version from the master branch. Then, I updated the parent category to However, the tests continued to fail with the following error:
We might encounter this issue again during reclassification of entries in the future, so I'll document the cause and resolution for future reference. When SSRF was nested under Summary of the changes in this PR:
|
This should fix #339 and #354. If the changes look good, we can merge this. @vortexau @trimkadriu Please review when you have a chance. Thanks! |
Minor updates to be made around the P5s before approval can be provided. |
As per discussion, I've made changes and this is how it looks now: |
merged to the intermediate branch. |
@TimmyBugcrowd The agreed option was slightly different. It should look like:
|
As per the VRT update in XXX - bugcrowd/vulnerability-rating-taxonomy#359
Changing the SSRF top category and moving External SSRF to P5.
FROM:
P2 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact
P3 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
P4 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External
P5 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only
TO:
P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact
P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External(GET request)/DNS Query Only