Security Severity Ratings/Web

From MozillaWiki
Jump to: navigation, search

Severity Ratings

In all cases, the severity of server and web application bugs is dependent on the critically of the service and the value of the data that could be compromised. Thus while the table below provides very broad guidelines, they cannot be directly used to determine the severity of a bug absent the consideration of the affected service.

Severity Ratings & Examples

The following items are keywords for the severity of an issue.

sec-critical
Critical vulnerabilities are urgent security issues that present an ongoing or immediate danger to users of our services. Often-times there is no difference technically between a sec-critical and a sec-high, the difference is purely related to to the classification of the site and the risk to users.
sec-critical Examples:
  • Remote Code Execution on a Critical or Core site.
  • Authentication Flaws (which lead to account compromise)
  • Session Management Flaws (which lead to account compromise)
  • Stored Cross-site Scripting (XSS)
  • Reflected XSS on a Critical Site
sec-high
Typically, sec-high issues are exploitable web vulnerabilities that can lead to the targeted compromise of a small number of users.
sec-high Examples:
  • Reflected XSS on a non Critical or Core site
  • CSRF
  • Failure to use TLS where needed to ensure confidential/security
sec-moderate
Vulnerabilities which can provide an attacker additional information or positioning that could be used in combination with other vulnerabilities. Disclosure of sensitive information that represents a violation of privacy but by itself does not expose the user or organization to immediate risk. The vulnerability combined with another moderate vulnerability could result in an attack of high or critical severity (aka stepping stone). The lack of standard defense in depth techniques and security controls.
sec-moderate Examples:
  • XSS blocked by CSP
  • Detection of arbitrary local files
  • Missing Additional Security Controls (x-frame options, SECURE/HTTPOnly flags, etc)
  • Error Handling Issues
sec-low
Minor security vulnerabilities such as leaks or spoofs of non-sensitive information. Missing best practice security controls
sec-low Examples:
  • Lack of proper input validation (not resulting in XSS or injection)
  • Content spoofing (non-html)

Additional Whiteboard Tracking Tags & Flags

wsectype- Keywords

wsectype- keywords are assigned to bugs to indicate the type of a website vulnerability. These should be assigned to every vulnerability. If you feel you can identify the type of a security bug we encourage you to classify it yourself.

Code Description
wsec-applogic Issues relating to the application logic
wsec-appmisconfig Application misconfiguration
wsec-authentication Website or server authentication security issues (lockouts, password policy, etc)
wsec-authorization Web/server authorization security issues
wsec-automation-attack Application is vulnerable to automation attacks
wsec-bruteforce Application is vulnerable to bruteforce attacks
wsec-client Web client side related vulnerability
wsec-cookie Cookie related errors (HTTPOnly / Secure Flag, incorrect domain / path)
wsec-crossdomain Issue such as x-frame-options, crossdomain.xml, cross site sharing settings
wsec-crypto Crypto related items such as password hashing
wsec-csrf Cross-Site Request Forgery (CSRF) bugs in server products
wsec-deplib Known vulnerability in a dependant library
wsec-dir-index Directory index incorrectly accessible
wsec-disclosure Disclosure of sensitive data, personal information, etc from a web service
wsec-dos Used to denote web server Denial of Service bugs. For similar bugs in client software please use csectype-dos instead.
wsec-email Email related vulnerability
wsec-errorhandling Any error handling issue
wsec-fileinclusion Local or remote file inclusion possible
wsec-headers Missing or misconfigured security headers
wsec-http Application is incorrectly accessible over http
wsec-http-header-inject Application vulnerable to header injection attacks
wsec-impersonation Impersonation / Spoofing attacks (UI Redress, etc)
wsec-injection Injection attacks other than SQLi or XSS
wsec-input Failure to perform input validation. Most often you will probably use the xss tag instead
wsec-logging Logging issues such as requests for CEF log points.
wsec-nullbyte Application is vulnerable to null byte injection
wsec-objref Insecure direct object references used
wsec-oscmd Application is vulnerable to Operating System command injection
wsec-other Web/server security issues that don't fit into other categories
wsec-overflow Application is vulnerable to overflow attacks
wsec-redirect Open redirect vulnerability
wsec-selfxss Self cross site scripting
wsec-serialization Insecure deserialization
wsec-servermisconfig Server misconfiguration
wsec-session Issues related to sesson management (Session fixation, etc)
wsec-sqli SQL Injection
wsec-ssrf Server Side Request Forgery (SSRF) bugs in server products. CWE-918
wsec-takeover Domain vulnerable to takeover
wsec-tls TLS related issues
wsec-traversal Directory traversal possible
wsec-weakpasswd Weak passwords can be used
wsec-xml XML related vulnerability including XML External Entity (XXE) processing
wsec-xss Cross-Site Scripting (XSS) bugs in server products

secopstype- Keywords

secopstype- keywords are assigned to bugs to indicate the type of a client or website vulnerability. If you feel you can identify the type of a security bug we encourage you to classify it yourself.

Code Description
secops-cred-leak Issues relating to credentials leak of Mozilla related accounts

Flags

Flags
Flag Description Settings
sec-bounty Shows the status of a bug with regards to a bounty payout per our bounty guidlines
Setting Description
'?' Bug is nominated for review by the bounty committee
'+' Bug has been accepted and a payment will be made
'-' Bug does not meet criteria and a payment will not be made
sec-bounty-hof Shows the status of a bug with regards to a bounty hall of fame entry
Setting Description
'?' Bug is nominated for review by the bounty committee
'+' Bug has been accepted and an entry in the hall of fame will occur
'-' Bug does not meet criteria and a hall of fame entry will not be made