Threat Modeling Flashcards

1
Q

Purpose

A

Defuse conflict and reduce risk.

Earlier in the process is better because dependencies have not yet been established.

2
Q

Summary (Explicit)

A
1.) What are we working on?
2.) What could go wrong?
3.) What are we going to do about it?
4.) How did we do?
3
Q

Summary (implicit)

A

Unjustified analysis.

4
Q

OWASP Application Checklist

A

Application Testing Workflow

A typical application security testing strategy is built from several common steps:

Gathering comprehensive information about the application and its platform to assess the related technologies and vulnerabilities

Exploiting the system to test the severity of discovered vulnerabilities

Ranking vulnerabilities based on the outcome of the exploits and the associated risk

Using the vulnerability risk data to re-assess the application's security posture

Escalating successful exploitations so that the required mitigation is applied

5
Q

1.) Information Gathering
A successful web application security strategy fundamentally begins with an understanding of the interactions between the web server, users, and applications. While application deployment platforms vary, vulnerabilities in the infrastructure configuration are a common weak link that threat actors use to initiate an attack.

A

▢ Manual site exploration

▢ Crawling for hidden content

▢ Checking for files that store and expose content

▢ Scanning caches on search engines of public sites

▢ Web application fingerprinting

▢ Identification of user roles

▢ Identification of application entry points

▢ Identifying related applications

▢ Identifying ports and hostnames

▢ Identifying third-party hosted content

6
Q

2.) Configuration Deployment and Management
A web server ecosystem is intrinsically complex, with highly connected, heterogeneous services and components working together. Reviewing and managing the configuration of the server is therefore a crucial part of maintaining robust security across the multiple layers of an application.

A

▢ Checking for commonly used URLs

▢ Testing network infrastructure configuration

▢ Enumerating administrator interfaces

▢ Checking supported HTTP methods and Cross-Site Tracing (XST)

▢ Reviewing old unreferenced and backup files for sensitive information

▢ Testing for Strict-Transport-Security

▢ Testing file permissions

▢ Testing for non-production data in live environments, and production data in dev/test environments

▢ Testing for content security

▢ Evaluating subdomain takeover

▢ Analyzing client-side code for sensitive data

7
Q

3.) Identity and Access Management (IAM)
Securing organizational data involves defining appropriate access privileges and roles for the application's users and administrators. Each individual (user, app, or device) gets a single digital identity (also referred to as a token) that can be monitored, maintained, and modified throughout their data access sessions. Assessing the robustness of IAM for application security typically involves testing the following:

A

▢ Role definitions

▢ User registration processes

▢ Account provisioning processes

▢ Account enumeration and guessable user accounts

▢ Weak or unenforced username policies

8
Q

4.) Authentication Testing
Authentication enforces application security by enabling the web server to verify that a network entity is who it claims to be. Because attackers keep developing new techniques to bypass authentication schemes, no authentication method guarantees effective security controls on its own, so each one requires continuous assessment. Assessing authentication security involves regular testing of:

A

▢ Default credentials

▢ Vulnerabilities of the “Remember Password” feature

▢ Browser cache vulnerabilities

▢ Weak password policies

▢ Credentials transported over an unencrypted channel

Testing for sensitive information sent over unencrypted channels involves checking whether credentials are encrypted or merely encoded, and whether they are sent as HTTP headers, using a curl command of the form:

9
Q

5.) Session Management
Once a user is authenticated, their interaction with the server is managed within a session. Improperly managed sessions let attackers compromise access mechanisms by impersonating legitimate users. Moreover, such compromised access is often used by attackers to escalate privileges and penetrate deeper into the system. To avoid vulnerabilities within a session, testing the following is recommended as a best practice:

A

▢ Analyzing session tokens for cookie flags

▢ Checking session cookie durations

▢ Examining termination after a relative timeout

▢ Testing for the possibility of single-user multiple sessions

▢ Testing for consistent session management

▢ Testing cookies for randomness

10
Q

6.) Cryptography
Cryptography ensures the secure exchange of information by using algorithms that transform human-readable data into encrypted ciphertext. In doing so, the process establishes trust between the web server and network entities using security keys, making it an important mechanism for maintaining application security. Testing cryptography for application security involves:

A

▢ Checking for sensitive, unencrypted data

▢ Testing for the usage of wrong algorithms

▢ Testing algorithm strength

▢ Analyzing functions for randomness

▢ Checking for the appropriate usage of salting

11
Q

7.) Client-Side Testing
Since full-blown attacks on the perimeter are usually countered by effective organizational security efforts, threat actors tend to favor smaller, repeated attacks to gain initial access to web servers. To mitigate such approaches, client-side (or internal) testing examines vulnerabilities in applications installed on an endpoint that communicates with the web server. Client-side testing reveals weak points that can be exploited using the access rights of authorized users, and includes testing the following:

A

▢ Cross-Site Scripting (XSS)

▢ JavaScript execution

▢ Client-side URL redirects

▢ Cross-Site Flashing (XSF)

▢ Web sockets and web messaging

▢ Cross-Site Script Inclusion (XSSI)

12
Q

8.) Error Handling
OWASP encourages developers to include error handling mechanisms and messages that help them fix user access issues. Improper error handling can expose sensitive information such as database dumps, error codes, and stack traces, which attackers can exploit to gain access.

A

Testing error handling mechanisms can be done through:

▢ Testing server behavior for resource requests that are unavailable

▢ Testing HTTP RFC for breaking ambush requests

▢ Observing server behavior when requested for files/folders that do not exist

▢ Identifying the application’s data entry points

▢ Listing and understanding the services configured to respond with error messages

13
Q

9.) Data Validation
Any information entering the web server's network edge should be tested and verified to ensure that it is in an acceptable format. Data validation testing includes:

A

▢ Examining special files

▢ Testing file upload validation mechanisms

▢ Testing for rich user content validation

▢ Assessing content security policy

▢ Evaluating the list of regular expressions

14
Q

10.) Business Logic
Attackers frequently abuse an application's intended, programmed flow to orchestrate breaches and penetration attacks. It is therefore recommended to assess the business process and the application's configuration to identify vulnerabilities in code or business logic that could be exploited.

A

Business logic testing includes:

▢ Testing for feature misuse

▢ Testing for non-repudiation

▢ Testing trust relationships

▢ Testing data integrity

▢ Testing for duty segregation

15
Q

STRIDE

A
16
Q

Spoofing on the Local Machine

A
17
Q

Spoofing Over a Network

A
18
Q

Tampering with a File

A
19
Q

Tampering with Memory

A
20
Q

Tampering with a Network

A
21
Q

Repudiation

A
22
Q

Repudiation Attacks on Logs

A
23
Q

Information Disclosures (Processes)

A
24
Q

Information Disclosures (Data Stores)

A
25
Q

Information Disclosure (Data Flow)

A
26
Q

Denial of Service

A
27
Q

Elevation of Privilege

A