
Improving Web Application Security: Threats and - CGISecurity

Chapter 3: Threat Modeling, page 61

Note: In addition to goals and sub-goals, attack trees include methodologies and required conditions.

Here is an example of the outline approach in action:

Threat #1 Attacker obtains authentication credentials by monitoring the network
    1.1 Clear text credentials sent over the network AND
    1.2 Attacker uses network-monitoring tools
        1.2.1 Attacker recognizes credential data

For a complete example, see "Sample Attack Trees" in the "Cheat Sheets" section of this guide.

Attack Patterns

Attack patterns are generic representations of commonly occurring attacks that can occur in a variety of different contexts. The pattern defines the goal of the attack as well as the conditions that must exist for the attack to occur, the steps that are required to perform the attack, and the results of the attack. Attack patterns focus on attack techniques, whereas STRIDE-based approaches focus on the goals of the attacker.

An example of an attack pattern is the code-injection attack pattern that is used to describe code injection attacks in a generic way. Table 3.3 describes the code-injection attack pattern.

Table 3.3 Code Injection Attack Pattern

Pattern: Code injection attacks
Attack goals: Command or code execution
Required conditions:
    Weak input validation
    Code from the attacker has sufficient privileges on the server.
Attack technique:
    1. Identify program on target system with an input validation vulnerability.
    2. Create code to inject and run using the security context of the target application.
    3. Construct input value to insert code into the address space of the target application and force a stack corruption that causes application execution to jump to the injected code.
Attack results: Code from the attacker runs and performs malicious action.

For more information about attack patterns, see the "Additional References" section at the end of this chapter.
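The outline above and Table 3.3 both describe an attacker's goal in terms of conditions that must all hold (AND) or of which one suffices (OR). The following Python is an added example, not code from the guide or from Microsoft patterns & practices: it stores an attack tree as AND/OR nodes, loads Threat #1 from the outline and the required conditions of the code-injection pattern, and answers the two questions a defender asks during threat modeling: is the goal still reachable once a countermeasure removes a condition, and which conditions remain open. The node labels are taken from the text above; the mitigation sets in the demo (an encrypted channel, strict input validation) are constructed for illustration.

```python
# Added example (not from the guide): a small AND/OR attack-tree evaluator
# for the threat-modeling step described in the text above.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Node:
    """One goal or condition in an attack tree.

    op is "AND" or "OR" for a goal with sub-goals, None for a leaf condition.
    """
    label: str
    op: Optional[str] = None
    children: List["Node"] = field(default_factory=list)


def achievable(node: Node, mitigated: Set[str]) -> bool:
    """True if the attacker can still reach this goal.

    A node whose label is in `mitigated` is blocked, whether it is a leaf
    condition or a sub-goal: a countermeasure may remove a whole branch
    (for example, network segmentation that stops monitoring altogether).
    """
    if node.label in mitigated:
        return False
    if not node.children:
        return True
    results = [achievable(child, mitigated) for child in node.children]
    if node.op == "AND":
        return all(results)
    if node.op == "OR":
        return any(results)
    raise ValueError(f"goal {node.label!r} has children but no AND/OR operator")


def remaining_conditions(node: Node, mitigated: Set[str]) -> List[str]:
    """Leaf conditions that still lie on an achievable path to the goal.

    This is the defender's work list: breaking any one condition under an AND
    node closes the threat, while an OR node needs every alternative broken.
    """
    if not achievable(node, mitigated):
        return []
    if not node.children:
        return [node.label]
    leaves: List[str] = []
    for child in node.children:
        leaves.extend(remaining_conditions(child, mitigated))
    return leaves


def outline(node: Node, depth: int = 0) -> str:
    """Render the tree in the guide's outline style, operator shown on the goal line."""
    suffix = f" [{node.op}]" if node.op else ""
    lines = ["  " * depth + node.label + suffix]
    for child in node.children:
        lines.append(outline(child, depth + 1))
    return "\n".join(lines)


# Threat #1 from the outline example (labels taken from the guide).
THREAT_1 = Node(
    "Threat #1 Attacker obtains authentication credentials by monitoring the network",
    "AND",
    [
        Node("1.1 Clear text credentials sent over the network"),
        Node("1.2 Attacker uses network-monitoring tools", "AND",
             [Node("1.2.1 Attacker recognizes credential data")]),
    ],
)

# The code-injection pattern of Table 3.3, modelled as the AND of its required
# conditions (the pattern's numbered steps are the technique, not tree nodes).
CODE_INJECTION = Node(
    "Code injection: command or code execution",
    "AND",
    [
        Node("Weak input validation"),
        Node("Code from the attacker has sufficient privileges on the server"),
    ],
)


if __name__ == "__main__":
    print(outline(THREAT_1))
    print("open conditions:", remaining_conditions(THREAT_1, set()))
    # Constructed countermeasure: the channel is encrypted, so 1.1 no longer holds.
    encrypted_channel = {"1.1 Clear text credentials sent over the network"}
    print("Threat #1 after encrypting the channel:",
          achievable(THREAT_1, encrypted_channel))
    # Constructed countermeasure: strict input validation removes the first
    # required condition of the code-injection pattern.
    print("Code injection with strict input validation:",
          achievable(CODE_INJECTION, {"Weak input validation"}))
```

Because Threat #1 is an AND goal, a single countermeasure that removes either 1.1 or the whole 1.2 branch closes it; the evaluator makes that visible, and `remaining_conditions` shrinks to an empty list once it does. OR nodes, which the guide's sample trees also use, are handled by the same functions: every alternative must be mitigated before the parent goal is reported closed.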