Zerocopter: vulnerability listing

When I report a vulnerability, I like to be able to see all the vulnerability types accepted by the platform at a glance, so that I can identify the category and type of the finding quickly. For that reason I have collected all the vulnerability categories and types from Zerocopter’s platform in the list below; if you report vulnerabilities on that platform, it may help you find what you are looking for faster. The list is a snapshot of the platform at the time of writing, so entries may be added, renamed or removed later: each category name is followed by the entries that belong to it.
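As an added example (not part of the original post, and not Zerocopter's own code), here is a small Python script that parses a listing in the plain-text layout used below (a category line, a blank line, the entries, a blank line before the next category) into a dictionary and searches it by keyword, which is the lookup the list is meant to speed up. The embedded excerpt is constructed from a handful of entries of the list; the function names are my own.

```python
"""Parse a plain-text vulnerability listing and search it by keyword.

Added example, not code from the original post or from Zerocopter.
Assumed layout: category line, blank line, one entry per line, blank line,
next category. Blocks therefore alternate category / entries.
"""
import re

# Constructed excerpt of the listing on the page, in the assumed layout.
SAMPLE_LISTING = """\
Cross-Site Request Forgery (CSRF)

Action-Specific – Unauthenticated Action
Action-Specific – Logout
CSRF Token Not Unique Per Request
Application-Wide

Cross-Site Scripting (XSS)

Reflected – Non-Self
Stored – Non-Privileged User to Anyone
Reflected – Self

Sensitive Data Exposure

Token Leakage via Referer – Untrusted 3rd Party
Sensitive Token in URL – On Password Reset
Visible Detailed Error/Debug Page – Descriptive Stack Trace
"""


def parse_listing(text):
    """Return {category: [entries]} from the flat text listing.

    The text is split on blank lines into blocks and the blocks are paired
    up: block 0 is a category, block 1 its entries, block 2 the next
    category, and so on. Pairing by position (rather than treating every
    line surrounded by blank lines as a heading) is what keeps a category
    with a single entry from being mistaken for two headings.
    """
    blocks = [b.strip().splitlines() for b in re.split(r"\n\s*\n", text.strip())]
    if len(blocks) % 2:
        raise ValueError("listing must alternate category block / entries block")
    listing = {}
    for head, entries in zip(blocks[0::2], blocks[1::2]):
        if len(head) != 1:
            raise ValueError(f"category block must be a single line: {head}")
        listing[head[0].strip()] = [e.strip() for e in entries if e.strip()]
    return listing


def _norm(s):
    # Fold the typographic dashes used in the listing to '-' and lower-case,
    # so a query typed with a plain hyphen still matches.
    return re.sub(r"[\u2013\u2014]", "-", s).lower()


def search(listing, query):
    """Return [(category, entry)] where category + entry contains every
    whitespace-separated word of `query`, case-insensitively."""
    words = _norm(query).split()
    hits = []
    for category, entries in listing.items():
        for entry in entries:
            haystack = _norm(f"{category} {entry}")
            if all(w in haystack for w in words):
                hits.append((category, entry))
    return hits


if __name__ == "__main__":
    data = parse_listing(SAMPLE_LISTING)
    for cat, entry in search(data, "token"):
        print(f"{cat}: {entry}")
```

To use it on the full list, save the listing text below to a file and pass its contents to `parse_listing`. Matching on the category name together with the entry means a query such as "csrf logout" finds "Action-Specific – Logout" even though the entry itself never mentions CSRF.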

Application-Level Denial-of-Service (DoS)

App Crash – Malformed Android Intents
High Impact and/or Medium Difficulty
App Crash – Malformed iOS URL Schemes
Critical Impact and/or Easy Difficulty

Automotive Security Misconfiguration

RF Hub – Relay
RF Hub – Replay
Infotainment – PII Leakage
CAN – Injection (Basic Safety Message)
Battery Management System – Firmware Dump
Infotainment – Code Execution (CAN Bus Pivot)
Battery Management System – Fraudulent Interface
GNSS / GPS – Spoofing
Infotainment – Code Execution (No CAN Bus Pivot)
Infotainment – Source Code Dump
Immobilizer – Engine Start
Automatic Braking System (ABS) – Unintended Acceleration / Brake
Infotainment – Denial of Service (DoS / Brick)
RF Hub – CAN Injection / Interaction
RF Hub – Unauthorized Access / Turn On
Roadside Unit (RSU) – Sybil Attack
RF Hub – Key Fob Cloning
Infotainment, Radio Head Unit – Source Code Dump
CAN – Injection (Sensors)
CAN – Injection (Headlights)
CAN – Injection (Pyrotechnical Device Deployment Tool)
CAN – Injection (Steering Control)
CAN – Injection (Battery Management System)
Infotainment, Radio Head Unit – Default Credentials
Infotainment, Radio Head Unit – Denial of Service (DoS / Brick)
Infotainment, Radio Head Unit – Unauthorized Access to Services (API / Endpoints)
Infotainment, Radio Head Unit – Code Execution (CAN Bus Pivot)
Infotainment, Radio Head Unit – Code Execution (No CAN Bus Pivot)
Infotainment, Radio Head Unit – OTA Firmware Manipulation
Infotainment, Radio Head Unit – PII Leakage
RF Hub – Roll Jam
CAN – Injection (Vehicle Anti-theft Systems)
Infotainment – Unauthorized Access to Services (API / Endpoints)
CAN – Injection (Powertrain)
Infotainment – Default Credentials
RF Hub – Data Leakage / Pull Encryption Mechanism
CAN – Injection (DoS)
CAN – Injection (Disallowed Messages)

Broken Access Control (BAC)

Server-Side Request Forgery (SSRF) – External
Username/Email Enumeration – Non-Brute Force
Server-Side Request Forgery (SSRF) – DNS Query Only
Server-Side Request Forgery (SSRF) – Internal Scan and/or Medium Impact
Exposed Sensitive iOS URL Scheme
Server-Side Request Forgery (SSRF) – Internal High Impact
Exposed Sensitive Android Intent
Insecure Direct Object References (IDOR)

Broken Authentication and Session Management

Weak Login Function – Other Plaintext Protocol with no Secure Alternative
Failure to Invalidate Session – On Logout (Client and Server-Side)
Session Fixation – Remote Attack Vector
Privilege Escalation
Failure to Invalidate Session – On Email Change
Weak Login Function – LAN Only
Failure to Invalidate Session – On Logout (Server-Side Only)
Failure to Invalidate Session – On Password Reset and/or Change
Second Factor Authentication (2FA) Bypass
Concurrent Logins
Weak Login Function – Not Operational or Intended Public Access
Weak Registration Implementation – Over HTTP
Session Fixation – Local Attack Vector
Failure to Invalidate Session – Long Timeout
Weak Login Function – Over HTTP
Failure to Invalidate Session – On 2FA Activation/Change
Cleartext Transmission of Session Token
Weak Login Function – HTTP and HTTPS Available
Failure to Invalidate Session – Concurrent Sessions On Logout
Weak Login Function – HTTPS not Available or HTTP by Default
Authentication Bypass

Broken Cryptography

Cryptographic Flaw – Incorrect Usage

Client-Side Injection

Binary Planting – Non-Default Folder Privilege Escalation
Binary Planting – No Privilege Escalation
Binary Planting – Default Folder Privilege Escalation

Cross-Site Request Forgery (CSRF)

Action-Specific – Unauthenticated Action
Flash-Based – Low Impact
Action-Specific – Logout
Flash-Based – High Impact
Flash-Based
CSRF Token Not Unique Per Request
Action-Specific – Authenticated Action
Application-Wide

Cross-Site Scripting (XSS)

Referer
Stored – CSRF/URL-Based
Reflected – Non-Self
Stored – Privileged User to No Privilege Elevation
Universal (UXSS)
Stored – Privileged User to Privilege Elevation
Stored – Non-Privileged User to Anyone
IE-Only – IE11
IE-Only – XSS Filter Disabled
IE-Only – Older Version (< IE11)
TRACE Method
Reflected – Self
Off-Domain – Data URI
Flash-Based
Stored – Self
Cookie-Based

External Behavior

Browser Feature – Autocomplete Enabled
Browser Feature – Autocorrect Enabled
Browser Feature – Aggressive Offline Caching
CSV Injection
User Password Persisted in Memory
Captcha Bypass – Crowdsourcing
Browser Feature – Save Password
Browser Feature – Plaintext Password Field
System Clipboard Leak – Shared Links

Indicators of Compromise

Indicators of Compromise

Insecure Data Storage

Sensitive Application Data Stored Unencrypted – On External Storage
Non-Sensitive Application Data Stored Unencrypted
Screen Caching Enabled
Server-Side Credentials Storage – Plaintext
Sensitive Application Data Stored Unencrypted – On Internal Storage

Insecure Data Transport

Cleartext Transmission of Sensitive Data
Executable Download – Secure Integrity Check
Executable Download – No Secure Integrity Check

Insecure OS/Firmware

Hardcoded Password – Privileged User
Command Injection
Hardcoded Password – Non-Privileged User

Insufficient Security Configurability

Weak Password Reset Implementation – Token Has Long Timed Expiry
Weak 2FA Implementation – 2FA Secret Remains Obtainable After 2FA is Enabled
Weak 2FA Implementation – Missing Failsafe
Weak 2FA Implementation – 2FA Secret Cannot be Rotated
Lack of Notification Email
Weak Registration Implementation – Allows Disposable Email Addresses
Weak Password Policy
Verification of Contact Method not Required
Weak Password Reset Implementation – Token is Not Invalidated After Use
Weak 2FA Implementation – 2FA Code is Not Updated After New Code is Requested
Weak 2FA Implementation – Old 2FA Code is Not Invalidated After New Code is Generated
Password Policy Bypass
Weak Password Reset Implementation – Token is Not Invalidated After New Token is Requested
No Password Policy
Weak Password Reset Implementation – Token is Not Invalidated After Login
Weak Password Reset Implementation – Token is Not Invalidated After Password Change
Lack of Verification Email
Weak Password Reset Implementation – Token is Not Invalidated After Email Change

Lack of Binary Hardening

Runtime Instrumentation-Based
Lack of Jailbreak Detection
Lack of Exploit Mitigations
Lack of Obfuscation

Mobile Security Misconfiguration

Tapjacking
Clipboard Enabled
SSL Certificate Pinning – Defeatable
SSL Certificate Pinning – Absent
Auto Backup Allowed by Default

Network Security Misconfiguration

Telnet Enabled

Privacy Concerns

Unnecessary Data Collection – WiFi SSID+Password

Sensitive Data Exposure

Token Leakage via Referer – Untrusted 3rd Party
Sensitive Data Hardcoded – OAuth Secret
Non-Sensitive Token in URL
Disclosure of Known Public Information
Disclosure of Secrets – Non-Corporate User
Sensitive Token in URL – On Password Reset
Weak Password Reset Implementation – Password Reset Token Sent Over HTTP
Weak Password Reset Implementation – Token Leakage via Host Header Poisoning
Visible Detailed Error/Debug Page – Descriptive Stack Trace
Disclosure of Secrets – Intentionally Public, Sample or Invalid
Cross Site Script Inclusion (XSSI)
JSON Hijacking
Via localStorage/sessionStorage – Non-Sensitive Token
EXIF Geolocation Data Not Stripped From Uploaded Images – Manual User Enumeration
Disclosure of Secrets – Data/Traffic Spam
Sensitive Token in URL – User Facing
Sensitive Token in URL – In the Background
Token Leakage via Referer – Over HTTP
Visible Detailed Error/Debug Page – Full Path Disclosure
Via localStorage/sessionStorage – Sensitive Token
Token Leakage via Referer – Trusted 3rd Party
Mixed Content (HTTPS Sourcing HTTP)
Sensitive Data Hardcoded – File Paths
Disclosure of Secrets – For Internal Asset
Disclosure of Secrets – Pay-Per-Use Abuse
Disclosure of Secrets – For Publicly Accessible Asset
EXIF Geolocation Data Not Stripped From Uploaded Images – Automatic User Enumeration
Internal IP Disclosure
Visible Detailed Error/Debug Page – Detailed Server Configuration

Server Security Misconfiguration

Misconfigured DNS – Basic Subdomain Takeover
Lack of Password Confirmation – Change Email Address
Cookie Scoped to Parent Domain
Mail Server Misconfiguration – Email Spoofing to Spam Folder
Unsafe File Upload – No Size Limit
Missing Secure or HTTPOnly Cookie Flag – Non-Session Cookie
Lack of Password Confirmation – Manage 2FA
Mail Server Misconfiguration – Email Spoofing on Non-Email Domain
SSL Attack (BREACH, POODLE etc.)
Directory Listing Enabled – Sensitive Data Exposure
Misconfigured DNS – Zone Transfer
Unsafe File Upload – No Antivirus
Database Management System (DBMS) Misconfiguration – Excessively Privileged User / DBA
Misconfigured DNS – High Impact Subdomain Takeover
Using Default Credentials
Directory Listing Enabled – Non-Sensitive Data Exposure
Lack of Password Confirmation – Delete Account
Mail Server Misconfiguration – Email Spoofing to Inbox due to Missing or Misconfigured DMARC on Email Domain
No Rate Limiting on Form – Registration
Mail Server Misconfiguration – No Spoofing Protection on Email Domain
No Rate Limiting on Form – Email-Triggering
Clickjacking – Non-Sensitive Action
No Rate Limiting on Form – Change Password
No Rate Limiting on Form – Login
OAuth Misconfiguration – Account Squatting
No Rate Limiting on Form – SMS-Triggering
Insecure SSL – Certificate Error
Insecure SSL – Insecure Cipher Suite
Exposed Admin Portal – To Internet
Lack of Security Headers – X-XSS-Protection
Lack of Security Headers – X-Content-Type-Options
Potentially Unsafe HTTP Method Enabled – OPTIONS
Potentially Unsafe HTTP Method Enabled – TRACE
Lack of Security Headers – Cache-Control for a Sensitive Page
Lack of Security Headers – X-Frame-Options
Race Condition
Lack of Security Headers – Strict-Transport-Security
OAuth Misconfiguration – Account Takeover
Bitsquatting
Lack of Security Headers – Content-Security-Policy
Lack of Security Headers – X-Webkit-CSP
Lack of Security Headers – Public-Key-Pins
Lack of Security Headers – Cache-Control for a Non-Sensitive Page
Reflected File Download (RFD)
Insecure SSL – Lack of Forward Secrecy
Missing DNSSEC
CAPTCHA – Brute Force
OAuth Misconfiguration – Insecure Redirect URI
OAuth Misconfiguration – Missing/Broken State Parameter
Lack of Security Headers – X-Content-Security-Policy
CAPTCHA – Missing
Mail Server Misconfiguration – Missing or Misconfigured SPF and/or DKIM
Lack of Security Headers – Content-Security-Policy-Report-Only
Username/Email Enumeration – Brute Force
Clickjacking – Sensitive Click-Based Action
Path Traversal
Same-Site Scripting
Unsafe Cross-Origin Resource Sharing
Fingerprinting/Banner Disclosure
Missing Secure or HTTPOnly Cookie Flag – Session Token
Web Application Firewall (WAF) Bypass – Direct Server Access
Clickjacking – Form Input
Unsafe File Upload – File Extension Filter Bypass
Misconfigured DNS – Missing Certification Authority Authorization (CAA) Record
Cache Poisoning
CAPTCHA – Implementation Vulnerability
Lack of Password Confirmation – Change Password

Server-Side Injection

HTTP Response Manipulation – Response Splitting (CRLF)
XML External Entity Injection (XXE)
Server-Side Template Injection (SSTI) – Basic
Content Spoofing – Impersonation via Broken Link Hijacking
Server-Side Template Injection (SSTI) – Custom
Content Spoofing – Right-to-Left Override (RTLO)
Content Spoofing – iframe Injection
Content Spoofing – Flash Based External Authentication Injection
SQL Injection
Content Spoofing – Homograph/IDN-Based
Content Spoofing – External Authentication Injection
Content Spoofing – Email Hyperlink Injection Based on Email Provider
Content Spoofing – Email HTML Injection
Remote Code Execution (RCE)
Content Spoofing – Text Injection
Parameter Pollution – Social Media Sharing Buttons
File Inclusion – Local

Unvalidated Redirects and Forwards

Open Redirect – POST-Based
Lack of Security Speed Bump Page
Open Redirect – GET-Based
Open Redirect – Flash-Based
Open Redirect – Header-Based

Using Components with Known Vulnerabilities

Rosetta Flash
Outdated Software Version
Captcha Bypass – OCR (Optical Character Recognition)

(Main image by Gerd Altmann on Pixabay)
