User:Tritter/Working/Web Security Severity Ratings

Severity Ratings

In all cases, the severity of server and web application bugs is dependent on the critically of the service and the value of the data that could be compromised. Thus while the table below provides very broad guidelines, they cannot be directly used to determine the severity of a bug absent the consideration of the affected service.

Severity Ratings & Examples

The following items are keywords for the severity of an issue.

sec-critical: Critical vulnerabilities are urgent security issues that present an ongoing or immediate danger to users of our services. Often-times there is no difference technically between a sec-critical and a sec-high, the difference is purely related to to the classification of the site and the risk to users.

sec-critical Examples:
Remote Code Execution on a Critical or Core site. Authentication Flaws (which lead to account compromise) Session Management Flaws (which lead to account compromise) Stored Cross-site Scripting (XSS) Reflected XSS on a Critical Site

sec-high: Typically, sec-high issues are exploitable web vulnerabilities that can lead to the targeted compromise of a small number of users.

sec-high Examples:
Reflected XSS on a non Critical or Core site CSRF Failure to use TLS where needed to ensure confidential/security

sec-moderate: Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities. Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk. The vulnerability combined with another moderate vulnerability could result in an attack of high or critical severity (aka stepping stone). The lack of standard defense in depth techniques and security controls.

sec-moderate Examples:
XSS blocked by CSP Detection of arbitrary local files Missing Additional Security Controls (x-frame options, SECURE/HTTPOnly flags, etc) Error Handling Issues

sec-low: Minor security vulnerabilities such as leaks or spoofs of non-sensitive information. Missing best practice security controls

sec-low Examples:
Lack of proper input validation (not resulting in XSS or injection) Content spoofing (non-html)

Additional Whiteboard Tracking Tags & Flags

wsectype- Keywords

wsectype- keywords are assigned to bugs to indicate the type of a vulnerability. These should be assigned to every vulnerability. If you feel you can identify the type of a security bug we encourage you to classify it yourself.

Code	Description
wsec-applogic	Issues relating to the application logic
wsec-appmisconfig	Application misconfiguration
wsec-authentication	Website or server authentication security issues (lockouts, password policy, etc)
wsec-authorization	Web/server authorization security issues
wsec-automation-attack	Application is vulnerable to automation attacks
wsec-bruteforce	Application is vulnerable to bruteforce attacks
wsec-client	Web client side related vulnerability
wsec-cookie	Cookie related errors (HTTPOnly / Secure Flag, incorrect domain / path)
wsec-crossdomain	Issue such as x-frame-options, crossdomain.xml, cross site sharing settings
wsec-crypto	Crypto related items such as password hashing
wsec-csrf	Cross-Site Request Forgery (CSRF) bugs in server products
wsec-deplib	Known vulnerability in a dependant library
wsec-dir-index	Directory index incorrectly accessible
wsec-disclosure	Disclosure of sensitive data, personal information, etc from a web service
wsec-dos	Used to denote web server Denial of Service bugs. For similar bugs in client software please use csectype-dos instead.
wsec-email	Email related vulnerability
wsec-errorhandling	Any error handling issue
wsec-fileinclusion	Local or remote file inclusion possible
wsec-headers	Missing or misconfigured security headers
wsec-http	Application is incorrectly accessible over http
wsec-http-header-inject	Application vulnerable to header injection attacks
wsec-impersonation	Impersonation / Spoofing attacks (UI Redress, etc)
wsec-injection	Injection attacks other than SQLi or XSS
wsec-input	Failure to perform input validation. Most often you will probably use the xss tag instead
wsec-logging	Logging issues such as requests for CEF log points.
wsec-nullbyte	Application is vulnerable to null byte injection
wsec-objref	Insecure direct object references used
wsec-oscmd	Application is vulnerable to Operating System command injection
wsec-other	Web/server security issues that don't fit into other categories
wsec-overflow	Application is vulnerable to overflow attacks
wsec-redirect	Open redirect vulnerability
wsec-selfxss	Self cross site scripting
wsec-serialization	Insecure deserialization
wsec-servermisconfig	Server misconfiguration
wsec-session	Issues related to sesson management (Session fixation, etc)
wsec-sqli	SQL Injection
wsec-ssrf	Server Side Request Forgery (SSRF) bugs in server products. CWE-918
wsec-takeover	Domain vulnerable to takeover
wsec-tls	TLS related issues
wsec-traversal	Directory traversal possible
wsec-weakpasswd	Weak passwords can be used
wsec-xml	XML related vulnerability including XML External Entity (XXE) processing
wsec-xss	Cross-Site Scripting (XSS) bugs in server products

Flags

Flag

Description

Settings

sec-bounty

Shows the status of a bug with regards to a bounty payout per our bounty guidlines

Setting	Description
'?'	Bug is nominated for review by the bounty committee
'+'	Bug has been accepted and a payment will be made
'-'	Bug does not meet criteria and a payment will not be made

sec-bounty-hof

Shows the status of a bug with regards to a bounty hall of fame entry

Setting	Description
'?'	Bug is nominated for review by the bounty committee
'+'	Bug has been accepted and an entry in the hall of fame will occur
'-'	Bug does not meet criteria and a hall of fame entry will not be made