
Update VRT language to remove ambiguity between subcategories #404

Open
danzajork opened this issue Jan 20, 2024 · 1 comment

Comments

@danzajork

Background

The forward slash (/) has historically indicated "or" when selecting a VRT category.

For example, the VRT Server Security Misconfiguration > Username/Email Enumeration > Brute Force can be read as a security misconfiguration allowing an attacker to brute force usernames or email addresses. This has been the case for most VRT language to date and is the correct way to interpret it.

Issue

With the introduction of the new IDOR variants, the forward slash seems to imply "and" instead of "or".

Examples:
Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read/Edit/Delete Sensitive Information/Iterable Object Identifiers
Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Edit/Delete Sensitive Information/Iterable Object Identifiers
Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read Sensitive Information/Iterable Object Identifiers

In the above examples, the forward slash used in the IDOR variants implies "and". If it did imply "or" there would be no need for Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read Sensitive Information/Iterable Object Identifiers since reading of sensitive information would be covered under Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read/Edit/Delete Sensitive Information/Iterable Object Identifiers.

The Merriam-Webster Dictionary defines a slash as

a mark / used typically to denote "or" (as in and/or), "and or" (as in straggler/deserter), or "per" (as in feet/second)

https://www.merriam-webster.com/dictionary/slash

My suggestion is to standardize the VRT usage of the forward slash to mean "or". This should also be documented in a VRT style guide for those looking to contribute to the project or for those looking to understand the language used within the VRT.

Alternatively, the VRT could be updated to not use a slash when a phrase would be clearer. For example:

Server Security Misconfiguration > Username or Email Enumeration > Brute Force

not

Server Security Misconfiguration > Username/Email Enumeration > Brute Force

Additional example:

Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read, Edit, and Delete Sensitive Information via Iterable Object Identifiers

not

Broken Access Control (BAC) > Insecure Direct Object References (IDOR) > Read/Edit/Delete Sensitive Information/Iterable Object Identifiers

@TimmyBugcrowd
Contributor

Thank you for this suggestion. We will definitely address this with the next release!
