Info
This section provides information about the test's purpose, the type of vulnerability it targets, the test category and the overall impact. This section contains multiple descriptive keys that explain the test.
Name
The name key shows the name or title
of the test. It should make clear what the test does. The test name helps users quickly identify and understand the purpose of the assessment.
Example:
# THIS IS THE INFO SECTION
info:
# THIS IS NAME KEY
name: "CSRF Login attack"
Description
The description key provides a brief explanation of the test's objective
. This description may contain details about the target system, possible vulnerabilities, and anticipated assessment results.
Example:
info:
# THIS IS DESCRIPTION KEY
description: "Hackers trick users to log into their account by forging requests, exploiting server authentication."
Details
In addition to the description section, the details
key provides a more in-depth view. It explains how the API was detected to be vulnerable and also provides information on the test category. The details section may include information about the target system
, potential vulnerabilities
, and the expected outcome of the assessment.
Example:
info:
# THIS IS DETAILS KEY
details: "A login CSRF attack involves hackers tricking users into logging into an attacker-controlled account. By forging a request using their credentials and submitting it to the victim's browser, the server mistakenly authenticates the request, granting access to the attacker's account."
Impact
The impact
key describes the potential risks
or consequences
associated with the identified vulnerabilities. It helps users understand the severity and potential implications of the vulnerabilities if exploited by attackers.
Example:
info:
# THIS IS IMPACT KEY
impact: "Depending on the user account and information exposed, the impacts of an attack range from mild to severe. Some consequences of a successful login CSRF attack include: Deployment of malicious code, Unauthorized financial transactions and Data breach and sensitive information exposure"
Category
This key represents the exact category
to which the test belongs, for example, "Broken User Authentication" or "Broken Object Level Authorization".
Example:
info:
# THIS IS CATEGORY KEY
category:
name: NO_AUTH
shortName: Broken Authentication
displayName: Broken User Authentication (BUA)
SubCategory
The value of this key is exactly the same as the value of the Id key
.
Example:
info:
# THIS IS SUBCATEGORY KEY
subCategory: CSRF_LOGIN_ATTACK
Severity
This key is used to assign the severity of the test and can take on values HIGH
, MEDIUM
, or LOW
.
Example:
info:
# THIS IS SEVERITY KEY
severity: LOW
Tags
The tags
key is used to list relevant categories
or keywords that help users identify the test and understand its purpose.
Example:
info:
# THIS IS TAGS KEY
tags:
- Business logic
- OWASP top 10
- HackerOne top 10
References
The references section provides a list of resources
that can be used to obtain additional information about the test. These resources may include websites
, articles
, or other materials.
Example:
info:
# THIS IS REFERENCES KEY
references:
- "https://crashtest-security.com/csrf-login-attack/"
- "https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/cross-site-request-forgery-in-login-form-invicti/"
Last updated
Was this helpful?