Description
Each vulnerability in OopsSec Store maps to well-known security classification standards (CWE and OWASP Top 10), but this information is not stored in the database or displayed in the UI. Adding these identifiers would improve the educational value of the platform by helping players learn industry-standard vulnerability taxonomy.
Context
Currently, the Flag model in prisma/schema.prisma has an optional cve field that is displayed in the UI when present. We want to follow the same pattern for two new fields:
- CWE (Common Weakness Enumeration) — e.g. CWE-89, CWE-79
- OWASP (OWASP Top 10 2021 category) — e.g. A03:2021, A01:2021
Reference mapping:

| Flag slug | CWE | OWASP |
|---|---|---|
| public-env-variable | CWE-200 | A05:2021 |
| cross-site-scripting-xss | CWE-79 | A03:2021 |
| insecure-direct-object-reference | CWE-639 | A01:2021 |
| information-disclosure-api-error | CWE-209 | A05:2021 |
| weak-jwt-secret | CWE-347 | A02:2021 |
| weak-md5-hashing | CWE-328 | A02:2021 |
| mass-assignment | CWE-915 | A04:2021 |
| client-side-price-manipulation | CWE-602 | A04:2021 |
| sql-injection | CWE-89 | A03:2021 |
| product-search-sql-injection | CWE-89 | A03:2021 |
| cross-site-request-forgery | CWE-352 | A01:2021 |
| server-side-request-forgery | CWE-918 | A10:2021 |
| path-traversal | CWE-22 | A01:2021 |
| session-fixation-weak-session-management | CWE-384 | A07:2021 |
| brute-force-no-rate-limiting | CWE-307 | A07:2021 |
| broken-object-level-authorization | CWE-639 | A01:2021 |
| prompt-injection-ai-assistant | CWE-77 | A03:2021 |
| plaintext-password-in-logs | CWE-532 | A09:2021 |
| second-order-sql-injection | CWE-89 | A03:2021 |
| x-forwarded-for-sql-injection | CWE-89 | A03:2021 |
| malicious-file-upload | CWE-434 | A04:2021 |
| xxe-supplier-order-import | CWE-611 | A05:2021 |
| react2shell | CWE-502 | A08:2021 |
Steps
Schema — Add two optional String? fields to the Flag model in prisma/schema.prisma:
- cwe (e.g. "CWE-89")
- owasp (e.g. "A03:2021")
Seed — Add cwe and owasp values to each flag entry in prisma/seed.ts using the mapping table above.
Frontend — Display the new fields alongside the existing cve badge. Look at how cve is currently rendered (search for cve in the app/ folder) and follow the same pattern.
Migration — Run npm run db:migrate to generate the migration, then npm run db:seed to verify.
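One way to feed the mapping table into the seed step without hand-typing each identifier twice, as an added example that is not OopsSec Store's own code: a typed lookup keyed by flag slug plus a format check, so a mistyped CWE or OWASP id fails at seed time rather than ending up as a bad badge in the UI. It assumes seed entries are plain objects carrying a `slug` field (hypothetical shape; adapt to prisma/seed.ts).

```typescript
// Added example, not OopsSec Store's own code: a typed CWE/OWASP lookup for
// prisma/seed.ts built from this issue's mapping table, with format checks so a
// typo in an identifier fails the seed instead of reaching the UI.
// Assumed (hypothetical): seed entries are plain objects carrying a `slug` field.

type Taxonomy = { cwe: string; owasp: string };

// Mapping copied from the issue's reference table.
export const FLAG_TAXONOMY: Record<string, Taxonomy> = {
  "public-env-variable": { cwe: "CWE-200", owasp: "A05:2021" },
  "cross-site-scripting-xss": { cwe: "CWE-79", owasp: "A03:2021" },
  "insecure-direct-object-reference": { cwe: "CWE-639", owasp: "A01:2021" },
  "information-disclosure-api-error": { cwe: "CWE-209", owasp: "A05:2021" },
  "weak-jwt-secret": { cwe: "CWE-347", owasp: "A02:2021" },
  "weak-md5-hashing": { cwe: "CWE-328", owasp: "A02:2021" },
  "mass-assignment": { cwe: "CWE-915", owasp: "A04:2021" },
  "client-side-price-manipulation": { cwe: "CWE-602", owasp: "A04:2021" },
  "sql-injection": { cwe: "CWE-89", owasp: "A03:2021" },
  "product-search-sql-injection": { cwe: "CWE-89", owasp: "A03:2021" },
  "cross-site-request-forgery": { cwe: "CWE-352", owasp: "A01:2021" },
  "server-side-request-forgery": { cwe: "CWE-918", owasp: "A10:2021" },
  "path-traversal": { cwe: "CWE-22", owasp: "A01:2021" },
  "session-fixation-weak-session-management": { cwe: "CWE-384", owasp: "A07:2021" },
  "brute-force-no-rate-limiting": { cwe: "CWE-307", owasp: "A07:2021" },
  "broken-object-level-authorization": { cwe: "CWE-639", owasp: "A01:2021" },
  "prompt-injection-ai-assistant": { cwe: "CWE-77", owasp: "A03:2021" },
  "plaintext-password-in-logs": { cwe: "CWE-532", owasp: "A09:2021" },
  "second-order-sql-injection": { cwe: "CWE-89", owasp: "A03:2021" },
  "x-forwarded-for-sql-injection": { cwe: "CWE-89", owasp: "A03:2021" },
  "malicious-file-upload": { cwe: "CWE-434", owasp: "A04:2021" },
  "xxe-supplier-order-import": { cwe: "CWE-611", owasp: "A05:2021" },
  "react2shell": { cwe: "CWE-502", owasp: "A08:2021" },
};

// CWE ids are "CWE-" plus digits; OWASP Top 10 2021 categories are A01..A10 with ":2021".
const CWE_RE = /^CWE-\d+$/;
const OWASP_RE = /^A(0[1-9]|10):2021$/;

export function isValidTaxonomy(t: Taxonomy): boolean {
  return CWE_RE.test(t.cwe) && OWASP_RE.test(t.owasp);
}

// Extend a seed entry with its cwe/owasp values; throw on an unmapped slug or malformed ids.
export function withTaxonomy<T extends { slug: string }>(flag: T): T & Taxonomy {
  const tax = FLAG_TAXONOMY[flag.slug];
  if (!tax) throw new Error(`no CWE/OWASP mapping for flag "${flag.slug}"`);
  if (!isValidTaxonomy(tax)) throw new Error(`malformed taxonomy for "${flag.slug}"`);
  return { ...flag, ...tax };
}
```

In the seed, wrap each flag entry with `withTaxonomy(...)` before handing it to Prisma so an unmapped slug surfaces as a seed failure rather than a blank badge.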
Acceptance criteria