{
  "version": "3.0",
  "description": "CTF Web 漏洞分类体系 - 整合通用漏洞与语言特性",
  
  "categories": {
    "注入类漏洞": {
      "SQL注入": {
        "id": "SQL",
        "languages": ["PHP", "Python", "Java", "Node.js", "Go", "Ruby", ".NET"],
        "keywords": ["sql injection", "union select", "sqlmap", "blind sql", "time-based", "error-based", "' or '", "order by", "group by", "having", "sleep(", "benchmark("]
      },
      "NoSQL注入": {
        "id": "NOSQL",
        "languages": ["Node.js", "Python", "PHP"],
        "keywords": ["nosql", "mongodb", "$gt", "$ne", "$regex", "$where", "$or", "mongoose"]
      },
      "命令注入": {
        "id": "CMDI",
        "languages": ["PHP", "Python", "Node.js", "Ruby", "Go"],
        "keywords": ["command injection", "os command", "rce", "shell injection", "; cat", "| cat", "`id`", "$("],
        "lang_specific": {
          "PHP": ["system(", "exec(", "shell_exec(", "passthru(", "popen(", "proc_open(", "pcntl_exec("],
          "Python": ["os.system(", "subprocess", "os.popen(", "commands.getoutput("],
          "Node.js": ["child_process", "exec(", "spawn(", "execSync("],
          "Ruby": ["system(", "exec(", "`", "IO.popen(", "Kernel.open(", "Open3"],
          "Go": ["exec.Command(", "os/exec"]
        }
      },
      "代码注入": {
        "id": "CODEI",
        "languages": ["PHP", "Python", "JavaScript", "Ruby"],
        "keywords": ["code injection", "eval injection", "dynamic code execution"],
        "lang_specific": {
          "PHP": ["eval(", "assert(", "preg_replace /e", "create_function(", "call_user_func(", "array_map("],
          "Python": ["eval(", "exec(", "compile(", "__import__(", "importlib"],
          "JavaScript": ["eval(", "Function(", "setTimeout(", "setInterval("],
          "Ruby": ["eval(", "instance_eval(", "class_eval(", "module_eval("]
        }
      },
      "LDAP注入": {
        "id": "LDAP",
        "languages": ["PHP", "Java", "Python"],
        "keywords": ["ldap injection", "ldap_search", "ldap_bind", "(cn=", "(uid=", "(objectClass="]
      },
      "XPath注入": {
        "id": "XPATH",
        "languages": ["PHP", "Java", "Python"],
        "keywords": ["xpath injection", "xpath", "xml query", "SimpleXMLElement", "DOMXPath"]
      },
      "表达式注入": {
        "id": "EL",
        "languages": ["Java"],
        "keywords": ["expression injection", "el injection", "T(java.lang.Runtime)"],
        "lang_specific": {
          "Java": ["ognl", "spel", "juel", "mvel", "${}", "#{}", "javax.el"]
        }
      }
    },

    "模板注入": {
      "服务端模板注入SSTI": {
        "id": "SSTI",
        "languages": ["Python", "Java", "PHP", "Ruby", "Node.js", "Go"],
        "keywords": ["ssti", "server-side template injection", "template injection", "{{", "}}", "${"],
        "lang_specific": {
          "Python": ["jinja2", "mako", "tornado", "django template", "__class__", "__mro__", "__subclasses__", "__globals__", "__builtins__"],
          "Java": ["freemarker", "velocity", "thymeleaf", "pebble", "T(java.lang.Runtime)"],
          "PHP": ["twig", "smarty", "blade", "{php}"],
          "Ruby": ["erb", "slim", "haml", "<%= %>"],
          "Node.js": ["ejs", "pug", "jade", "nunjucks", "handlebars", "mustache", "doT"],
          "Go": ["text/template", "html/template", "{{.}}"]
        }
      },
      "客户端模板注入CSTI": {
        "id": "CSTI",
        "languages": ["JavaScript"],
        "keywords": ["csti", "client-side template", "angularjs", "vue", "ng-app", "$eval", "{{constructor.constructor}}"]
      }
    },

    "跨站攻击": {
      "XSS跨站脚本": {
        "id": "XSS",
        "languages": ["JavaScript"],
        "keywords": ["xss", "cross-site scripting", "reflected xss", "stored xss", "dom xss", "<script>", "alert(", "document.cookie", "onerror=", "onload=", "innerHTML", "document.write"]
      },
      "CSRF跨站请求伪造": {
        "id": "CSRF",
        "languages": ["通用"],
        "keywords": ["csrf", "cross-site request forgery", "xsrf", "csrf_token", "same-site cookie"]
      }
    },

    "服务端请求伪造": {
      "SSRF": {
        "id": "SSRF",
        "languages": ["PHP", "Python", "Java", "Node.js", "Go"],
        "keywords": ["ssrf", "server-side request forgery", "localhost", "127.0.0.1", "internal", "169.254.169.254", "metadata"],
        "lang_specific": {
          "PHP": ["file_get_contents(", "curl", "fsockopen(", "fopen("],
          "Python": ["requests", "urllib", "httplib", "http.client"],
          "Java": ["URL(", "HttpURLConnection", "HttpClient", "RestTemplate"],
          "Node.js": ["axios", "fetch", "request", "http.get"],
          "通用协议": ["gopher://", "dict://", "file://", "ftp://", "ldap://"]
        }
      },
      "XXE外部实体注入": {
        "id": "XXE",
        "languages": ["PHP", "Java", "Python", ".NET"],
        "keywords": ["xxe", "xml external entity", "<!DOCTYPE", "<!ENTITY", "SYSTEM", "dtd", "xml injection"],
        "lang_specific": {
          "PHP": ["simplexml_load_string", "DOMDocument", "libxml"],
          "Java": ["DocumentBuilder", "SAXParser", "XMLReader", "Unmarshaller"],
          "Python": ["lxml", "xml.etree", "xml.sax"]
        }
      },
      "DNS重绑定": {
        "id": "DNSREBIND",
        "languages": ["通用"],
        "keywords": ["dns rebinding", "dns rebind", "rebind", "ttl"]
      }
    },

    "文件操作漏洞": {
      "文件包含": {
        "id": "FI",
        "languages": ["PHP", "Java", "Python", "Node.js"],
        "keywords": ["file inclusion", "lfi", "rfi", "local file inclusion", "remote file inclusion"],
        "lang_specific": {
          "PHP": ["include(", "require(", "include_once(", "require_once(", "php://filter", "php://input", "data://", "phar://", "zip://", "compress.zlib://", "convert.base64-encode"],
          "Java": ["jsp:include", "c:import", "ClassLoader"],
          "Python": ["__import__", "importlib", "exec(open("],
          "Node.js": ["require(", "fs.readFile", "res.render("]
        }
      },
      "路径穿越": {
        "id": "PT",
        "languages": ["通用"],
        "keywords": ["path traversal", "directory traversal", "arbitrary file read", "../", "..\\", "%2e%2e%2f", "....//"],
        "lang_specific": {
          "PHP": ["file_get_contents(", "readfile(", "fopen(", "file("],
          "Python": ["os.path.join", "open(", "tarfile", "zipfile", "extractall"],
          "Node.js": ["path.join", "path.resolve", "fs.readFile", "express.static"],
          "Java": ["FileInputStream", "Files.readAllBytes", "new File("],
          "Go": ["filepath.Join", "filepath.Clean", "os.Open"]
        }
      },
      "文件上传": {
        "id": "UPLOAD",
        "languages": ["PHP", "Java", "Python", "Node.js", ".NET"],
        "keywords": ["file upload", "unrestricted upload", "webshell", "shell upload", "multipart", "content-type bypass", "extension bypass", "double extension", "null byte"],
        "lang_specific": {
          "PHP": [".php", ".phtml", ".php5", ".phar", "move_uploaded_file("],
          "Java": [".jsp", ".jspx", ".war"],
          "Python": [".py", "werkzeug"],
          ".NET": [".aspx", ".ashx", ".asmx"]
        }
      }
    },

    "反序列化漏洞": {
      "反序列化": {
        "id": "DESER",
        "languages": ["PHP", "Java", "Python", "Node.js", "Ruby"],
        "keywords": ["deserialization", "deserialize", "unserialize", "gadget chain", "pop chain"],
        "lang_specific": {
          "PHP": ["unserialize(", "phar://", "__wakeup", "__destruct", "__toString", "__call", "O:", "a:", "s:"],
          "Java": ["ObjectInputStream", "readObject", "ysoserial", "commons-collections", "rO0AB", "Serializable"],
          "Python": ["pickle", "unpickle", "__reduce__", "cPickle", "marshal", "shelve", "yaml.load", "yaml.unsafe_load"],
          "Node.js": ["node-serialize", "funcster", "_$$ND_FUNC$$_", "serialize-javascript"],
          "Ruby": ["Marshal.load", "YAML.load", "erb"]
        }
      }
    },

    "认证与授权": {
      "JWT安全": {
        "id": "JWT",
        "languages": ["通用"],
        "keywords": ["jwt", "json web token", "alg:none", "algorithm confusion", "jwt secret", "HS256", "RS256", "eyJ", "jwt_tool", "kid injection"]
      },
      "Session安全": {
        "id": "SESSION",
        "languages": ["通用"],
        "keywords": ["session fixation", "session hijacking", "session prediction"],
        "lang_specific": {
          "PHP": ["PHPSESSID", "session_start", "session.upload_progress", "/tmp/sess_", "session.serialize_handler"],
          "Java": ["JSESSIONID"],
          "Node.js": ["connect.sid", "express-session"],
          "Python": ["flask session", "django session"]
        }
      },
      "认证绕过": {
        "id": "AUTHBYPASS",
        "languages": ["通用"],
        "keywords": ["authentication bypass", "auth bypass", "login bypass", "2fa bypass", "otp bypass"]
      },
      "越权访问": {
        "id": "IDOR",
        "languages": ["通用"],
        "keywords": ["idor", "insecure direct object reference", "privilege escalation", "horizontal privilege", "vertical privilege", "access control", "broken access control"]
      },
      "OAuth安全": {
        "id": "OAUTH",
        "languages": ["通用"],
        "keywords": ["oauth", "oauth2", "openid", "redirect_uri", "state parameter", "authorization code", "token theft", "open redirect"]
      }
    },

    "前端安全": {
      "原型链污染": {
        "id": "PROTOTYPE",
        "languages": ["Node.js", "JavaScript"],
        "keywords": ["prototype pollution", "__proto__", "constructor.prototype", "Object.prototype"],
        "lang_specific": {
          "Node.js": ["lodash.merge", "lodash.set", "deepMerge", "object-path", "flat"],
          "利用方式": ["isAdmin", "shell", "env", "NODE_OPTIONS", "ejs rce"]
        }
      },
      "DOM Clobbering": {
        "id": "DOMCLOB",
        "languages": ["JavaScript"],
        "keywords": ["dom clobbering", "id=", "name=", "document.getElementById", "window.", "HTMLCollection"]
      },
      "PostMessage安全": {
        "id": "POSTMSG",
        "languages": ["JavaScript"],
        "keywords": ["postmessage", "message event", "event.origin", "cross-origin messaging", "targetOrigin"]
      },
      "CSP绕过": {
        "id": "CSPBYPASS",
        "languages": ["JavaScript"],
        "keywords": ["csp bypass", "content security policy", "script-src", "unsafe-inline", "unsafe-eval", "nonce", "base-uri", "jsonp", "angular csp"]
      },
      "CORS配置错误": {
        "id": "CORS",
        "languages": ["通用"],
        "keywords": ["cors", "cross-origin", "access-control-allow-origin", "cors misconfiguration", "null origin", "wildcard origin"]
      }
    },

    "逻辑漏洞": {
      "竞态条件": {
        "id": "RACE",
        "languages": ["通用"],
        "keywords": ["race condition", "toctou", "time of check", "concurrent", "parallel", "double spending"]
      },
      "业务逻辑缺陷": {
        "id": "BIZLOGIC",
        "languages": ["通用"],
        "keywords": ["business logic", "logic flaw", "payment bypass", "price manipulation", "workflow bypass", "negative value", "integer overflow"]
      },
      "类型混淆": {
        "id": "TYPEJUGGLE",
        "languages": ["PHP", "JavaScript"],
        "keywords": ["type juggling", "loose comparison", "type confusion"],
        "lang_specific": {
          "PHP": ["==", "0e", "strcmp", "md5 collision", "magic hash", "in_array", "array_search", "switch", "is_numeric"],
          "JavaScript": ["==", "type coercion", "toString", "valueOf"]
        }
      }
    },

    "信息泄露": {
      "源码泄露": {
        "id": "SRCLEAK",
        "languages": ["通用"],
        "keywords": ["source code leak", ".git", ".svn", ".DS_Store", "backup", ".bak", ".swp", "~", "git dump", "GitHack", ".idea", ".vscode"]
      },
      "敏感信息泄露": {
        "id": "INFOLEAK",
        "languages": ["通用"],
        "keywords": ["information disclosure", "sensitive data", "api key", "credentials", "config leak", ".env", "debug mode", "stack trace", "error message"]
      }
    },

    "协议与网络": {
      "HTTP请求走私": {
        "id": "SMUGGLE",
        "languages": ["通用"],
        "keywords": ["request smuggling", "http smuggling", "cl.te", "te.cl", "te.te", "Content-Length", "Transfer-Encoding", "chunked"]
      },
      "缓存投毒": {
        "id": "CACHEPOIS",
        "languages": ["通用"],
        "keywords": ["cache poisoning", "web cache", "cache key", "unkeyed header", "X-Forwarded-Host", "cache deception"]
      },
      "Host头注入": {
        "id": "HOSTINJ",
        "languages": ["通用"],
        "keywords": ["host header injection", "host injection", "X-Forwarded-Host", "X-Host", "password reset poisoning"]
      },
      "开放重定向": {
        "id": "OPENREDIR",
        "languages": ["通用"],
        "keywords": ["open redirect", "url redirect", "redirect=", "next=", "return_url", "//attacker.com"]
      },
      "CRLF注入": {
        "id": "CRLF",
        "languages": ["通用"],
        "keywords": ["crlf injection", "http response splitting", "\\r\\n", "%0d%0a", "header injection", "set-cookie injection"]
      }
    },

    "安全机制绕过": {
      "WAF绕过": {
        "id": "WAFBYPASS",
        "languages": ["通用"],
        "keywords": ["waf bypass", "waf evasion", "firewall bypass", "modsecurity", "cloudflare bypass", "encoding bypass", "chunked bypass"]
      },
      "沙箱逃逸": {
        "id": "SANDBOX",
        "languages": ["通用"],
        "keywords": ["sandbox escape", "container escape", "docker escape", "jail break", "chroot escape"],
        "lang_specific": {
          "Python": ["pyjail", "__builtins__", "__subclasses__", "__globals__", "__code__", "audit hook"],
          "Node.js": ["vm", "vm2", "this.constructor", "Function constructor", "process.binding"],
          "PHP": ["disable_functions", "open_basedir", "LD_PRELOAD", "putenv", "mail(", "imap_open", "FFI", "ImageMagick", "GhostScript"]
        }
      },
      "过滤绕过": {
        "id": "FILTERBYPASS",
        "languages": ["通用"],
        "keywords": ["filter bypass", "blacklist bypass", "whitelist bypass", "encoding bypass", "unicode bypass", "double encoding", "null byte"]
      }
    },

    "加密相关": {
      "弱加密与哈希": {
        "id": "WEAKCRYPTO",
        "languages": ["通用"],
        "keywords": ["weak encryption", "weak hash", "md5", "sha1", "des", "ecb mode", "hardcoded key", "predictable iv"]
      },
      "Padding Oracle": {
        "id": "PADORACLE",
        "languages": ["通用"],
        "keywords": ["padding oracle", "cbc", "pkcs7", "pkcs5", "decrypt", "padding error", "bit flipping"]
      },
      "哈希长度扩展": {
        "id": "HASHEXT",
        "languages": ["通用"],
        "keywords": ["hash length extension", "hash extension attack", "secret prefix mac", "hash_extender"]
      }
    },

    "API安全": {
      "GraphQL安全": {
        "id": "GRAPHQL",
        "languages": ["通用"],
        "keywords": ["graphql", "introspection", "__schema", "__type", "batching attack", "query depth", "graphql injection", "alias"]
      },
      "REST API滥用": {
        "id": "RESTAPI",
        "languages": ["通用"],
        "keywords": ["api abuse", "rate limit", "mass assignment", "api enumeration", "broken object level", "bola", "bfla"]
      }
    }
  },

  "quality_scoring": {
    "criteria": {
      "has_vulnerable_code": {"score": 25, "desc": "包含漏洞代码片段"},
      "has_exploit_script": {"score": 20, "desc": "包含完整的 exploit 脚本"},
      "has_payload": {"score": 15, "desc": "包含 payload 示例"},
      "has_step_by_step": {"score": 15, "desc": "有清晰的利用步骤"},
      "has_principle": {"score": 10, "desc": "有漏洞原理说明"},
      "adequate_length": {"score": 10, "desc": "内容长度充足 (>300词)"},
      "has_flag": {"score": 5, "desc": "包含 flag"}
    },
    "grades": {
      "S": {"min": 90, "desc": "优秀"},
      "A": {"min": 70, "desc": "良好"},
      "B": {"min": 50, "desc": "中等"},
      "C": {"min": 30, "desc": "及格"},
      "D": {"min": 0, "desc": "差"}
    }
  },

  "relevance_levels": {
    "core": "该漏洞是 writeup 的核心漏洞",
    "secondary": "该漏洞是利用链的一部分",
    "mention": "writeup 中提到但非关键",
    "irrelevant": "与该漏洞无关"
  }
}