Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Simplify Action.Hacking, combining all children of exploit vuln #479

Open
alexcpsec-vz opened this issue Sep 26, 2024 · 0 comments
Open

Simplify Action.Hacking, combining all children of exploit vuln #479

alexcpsec-vz opened this issue Sep 26, 2024 · 0 comments
Labels
accepted deferred schema change

Comments

@alexcpsec-vz
Copy link

VERIS was never meant to have such level of detail.

At the time (before ATT&CK) it was deemed helpful to mimic the OWASP list, but it does not get used.

The varieties below will be removed and their entries added to "Exploit vuln"

        "Cache poisoning": "Cache poisoning. Child of 'Exploit vuln'.",
        "Cryptanalysis": "Cryptanalysis. Child of 'Exploit vuln'.",
        "CSRF": "Cross-site request forgery. Child of 'Exploit vuln'.",
        "Forced browsing": "Forced browsing or predictable resource location. Child of 'Exploit vuln'.",
        "Format string attack": "Format string attack. Child of 'Exploit vuln'.",
        "Fuzz testing": "Fuzz testing. Child of 'Exploit vuln'.",
        "HTTP request smuggling": "HTTP request smuggling. Child of 'Exploit vuln'.",
        "HTTP request splitting": "HTTP request splitting. Child of 'Exploit vuln'.",
        "HTTP response smuggling": "HTTP response smuggling. Child of 'Exploit vuln'.",
        "HTTP response splitting": "HTTP response splitting. Child of 'Exploit vuln'.",
        "Insecure deserialization": "iterating over sequential or obvious values. https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization. Child of 'Exploit vuln'.",
        "Integer overflows": "Integer overflows. Child of 'Exploit vuln'.",
        "LDAP injection": "LDAP injection. Child of 'Exploit vuln'.",
        "Mail command injection": "Mail command injection. Child of 'Exploit vuln'.",
        "Null byte injection": "Null byte injection. Child of 'Exploit vuln'.",
        "OS commanding": "OS commanding. Child of 'Exploit vuln'.",
        "Path traversal": "Path traversal. Child of 'Exploit vuln'.",
        "Reverse engineering": "Reverse engineering. Child of 'Exploit vuln'.",
        "RFI": "Remote file inclusion. Child of 'Exploit vuln'.",
        "Routing detour": "Routing detour. Child of 'Exploit vuln'.",
        "Session fixation": "Session fixation. Child of 'Exploit vuln'.",
        "Session prediction": "Credential or session prediction. Child of 'Exploit vuln'.",
        "Session replay": "Session replay. Child of 'Exploit vuln'.",
        "Soap array abuse": "Soap array abuse. Child of 'Exploit vuln'.",
        "Special element injection": "Special element injection. Child of 'Exploit vuln'.",
        "SSI injection": "SSI injection. Child of 'Exploit vuln'.",
        "URL redirector abuse": "URL redirector abuse. Child of 'Exploit vuln'.",
        "User breakout": "Elevation of privilege by another customer in shared environment. Child of 'Exploit vuln'.",
        "Virtual machine escape": "Virtual machine escape. Child of 'Exploit vuln'.",
        "XML attribute blowup": "XML attribute blowup. Child of 'Exploit vuln'.",
        "XML entity expansion": "XML entity expansion. Child of 'Exploit vuln'.",
        "XML external entities": "XML external entities. Child of 'Exploit vuln'.",
        "XML injection": "XML injection. Child of 'Exploit vuln'.",
        "XPath injection": "XPath injection. Child of 'Exploit vuln'.",
        "XQuery injection": "XQuery injection. Child of 'Exploit vuln'.",
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
accepted deferred schema change
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@planglois925 @alexcpsec-vz