Info

This section provides information about the test's purpose, the type of vulnerability it targets, the test category and the overall impact. This section contains multiple descriptive keys that explain the test.

Name

The name key shows the name or title of the test. It should make clear what the test does. The test name helps users quickly identify and understand the purpose of the assessment.

Example:

# THIS IS THE INFO SECTION
info:
	# THIS IS NAME KEY
  name: "CSRF Login attack"

Description

The description key provides a brief explanation of the test's objective. This description may contain details about the target system, possible vulnerabilities, and anticipated assessment results.

Example:

info:
	# THIS IS DESCRIPTION KEY
  description: "Hackers trick users to log into their account by forging requests, exploiting server authentication."
 

Details

In addition to the description section, the details key provides a more in-depth view. It explains how the API was detected to be vulnerable and also provides information on the test category. The details section may include information about the target system, potential vulnerabilities, and the expected outcome of the assessment.

Example:

info:
	# THIS IS DETAILS KEY
  details: "A login CSRF attack involves hackers tricking users into logging into an attacker-controlled account. By forging a request using their credentials and submitting it to the victim's browser, the server mistakenly authenticates the request, granting access to the attacker's account."

Impact

The impact key describes the potential risks or consequences associated with the identified vulnerabilities. It helps users understand the severity and potential implications of the vulnerabilities if exploited by attackers.

Example:

info:
	# THIS IS IMPACT KEY
	impact: "Depending on the user account and information exposed, the impacts of an attack range from mild to severe. Some consequences of a successful login CSRF attack include: Deployment of malicious code, Unauthorized financial transactions and Data breach and sensitive information exposure"

Category

This key represents the exact category to which the test belongs, for example, "Broken User Authentication" or "Broken Object Level Authorization".

Example:

info:
	# THIS IS CATEGORY KEY
category:
    name: NO_AUTH
    shortName: Broken Authentication
    displayName: Broken User Authentication (BUA)

SubCategory

The value of this key is exactly the same as the value of the Id key.

Example:

info:
	# THIS IS SUBCATEGORY KEY
	subCategory: CSRF_LOGIN_ATTACK

Severity

This key is used to assign the severity of the test and can take on values HIGH, MEDIUM, or LOW.

Example:

info:
	# THIS IS SEVERITY KEY
	severity: LOW

Tags

The tags key is used to list relevant categories or keywords that help users identify the test and understand its purpose.

Example:

info:
	# THIS IS TAGS KEY
	tags: 
		- Business logic
    - OWASP top 10
    - HackerOne top 10

References

The references section provides a list of resources that can be used to obtain additional information about the test. These resources may include websites, articles, or other materials.

Example:

info:
	# THIS IS REFERENCES KEY
	references: 
		- "https://crashtest-security.com/csrf-login-attack/"
    - "https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/cross-site-request-forgery-in-login-form-invicti/"