Updating the SSRF category

[TimmyBugcrowd]

Changing the SSRF top category and moving External SSRF to P5.
FROM:
P2 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact
P3 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
P4 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External
P5 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only

TO:
P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact
P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External(GET request)/DNS Query Only

[vortexau]

Tests will all need to function and pass before this can be merged, they seem to be failing on invalid syntax in a JSON file. The original submitter of the PR may also be able to assist as needed.

[amalmurali47]

External (GET request) / DNS Query Only might be a bit confusing because it seems to conflate two distinct concepts. I think it's best to keep them separate like below:

• External - GET Request Only
• External - DNS Query Only

Current:

• P2 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal High Impact
• P3 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
• P4 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - External
• P5 - Broken Access Control (BAC) - Server-Side Request Forgery (SSRF) - DNS Query Only

Proposed:

• P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact
• P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
• P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - GET Request Only
• P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only

[amalmurali47]

The tests were failing due to syntax errors in the VRT JSON. I reverted to the last known good version from the master branch. Then, I updated the parent category to Server Security Misconfiguration.

However, the tests continued to fail with the following error:

$ python3 -B lib/validate_vrt.py
...Fs...
======================================================================
FAIL: test_all_vrt_ids_have_all_mappings (tests.test_vrt.TestVrt)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/user/projects/vulnerability-rating-taxonomy/lib/tests/test_vrt.py", line 55, in test_all_vrt_ids_have_all_mappings
    self.all_vrt_ids_have_mapping(mapping['filename'], mapping['name'])
  File "/Users/user/projects/vulnerability-rating-taxonomy/lib/tests/test_vrt.py", line 50, in all_vrt_ids_have_mapping
    self.assertTrue(utils.has_mapping(keyed_mapping, vrt_id_list, key),
AssertionError: False is not true : no cvss_v3 mapping for server_security_misconfiguration.server_side_request_forgery_ssrf.dns_query_only

----------------------------------------------------------------------
Ran 8 tests in 1.136s

FAILED (failures=1, skipped=1)

We might encounter this issue again during reclassification of entries in the future, so I'll document the cause and resolution for future reference.

When SSRF was nested under Broken Access Control, this error didn't occur. The reason is straightforward but not immediately intuitive: the all_vrt_ids_have_mapping() test uses a function called has_mapping(), which recursively verifies the existence of a CVSS V3 mapping for each category, starting from the parent category. While Broken Access Control has a default CVSS mapping, Server Security Misconfiguration does not. The absence of this mapping was the cause of the AssertionError. To resolve this, a specific CVSS mapping was added for dns_query_only under server_side_request_forgery_ssrf in the server_security_misconfiguration category.

Summary of the changes in this PR:

• Recategorized Server-Side Request Forgery (SSRF) from Broken Access Control to Server Security Misconfiguration.
• Split the External SSRF variant into external_get_request_only and dns_query_only.
• Added a specific CVSS v3 mapping for dns_query_only under server_side_request_forgery_ssrf in the server_security_misconfiguration category in the cvss_v3.json file.
• Updated the corresponding mappings in mappings/cvss_v3/cvss_v3.json, mappings/cwe/cwe.json, and mappings/remediation_advice/remediation_advice.json files.

[amalmurali47]

This should fix #339 and #354. If the changes look good, we can merge this.

@vortexau @trimkadriu Please review when you have a chance. Thanks!

[vortexau]

Minor updates to be made around the P5s before approval can be provided.

[TimmyBugcrowd]

As per discussion, I've made changes and this is how it looks now:
P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact
P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low Impact
P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only

[TimmyBugcrowd]

merged to the intermediate branch.

[amalmurali47]

@TimmyBugcrowd The agreed option was slightly different. External - Low Impact already covers External - DNS Query Only as well, so we can remove P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - DNS Query Only entirely.

It should look like:

• P2 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal High Impact
• P3 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - Internal Scan and/or Medium Impact
• P5 - Server Security Misconfiguration - Server-Side Request Forgery (SSRF) - External - Low Impact