OWASP CORNUCOPIA Playing Cards v1.20-EN

A of DATA VALIDATION & ENCODING

You have invented a new attack against Data Validation and Encoding

Read more about this topic in OWASP’s free Cheat Sheets on Input Validation, XSS Prevention, DOM-based XSS Prevention, SQL Injection Prevention, and Query Parameterization

2 of DATA VALIDATION & ENCODING

Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code

OWASP SCP: 69, 107-109, 136, 137, 153, 156, 158, 162
OWASP ASVS: 1.10, 4.5, 8.1, 11.5, 19.1, 19.5
OWASP AppSensor: HT1-3
CAPEC: 54, 541
SAFECODE: 4, 23

OWASP Cornucopia Ecommerce Website Edition v1.20-EN

3 of DATA VALIDATION & ENCODING

Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats

OWASP SCP: 8, 9, 11-14, 16, 159, 190, 191
OWASP ASVS: 5.1, 5.16, 5.17, 5.18, 5.19, 5.20, 11.1, 11.2
OWASP AppSensor: RE7-8, AE4-7, IE2-3, CIE1, CIE3-4, HT1-3
CAPEC: 28, 48, 126, 165, 213, 220, 221, 261, 262, 271, 272
SAFECODE: 3, 16, 24, 35

4 of DATA VALIDATION & ENCODING

Dave can input malicious field names or data because it is not being checked within the context of the current user and process

OWASP SCP: 8, 10, 183
OWASP ASVS: 4.16, 5.16, 5.17, 15.1
OWASP AppSensor: RE3-6, AE8-11, SE1, SE3-6, IE2-4, HT1-3
CAPEC: 28, 31, 48, 126, 162, 165, 213, 220, 221, 261
SAFECODE: 24, 35

5 of DATA VALIDATION & ENCODING

Jee can bypass the centralized encoding routines since they are not being used everywhere, or the wrong encodings are being used

OWASP SCP: 3, 15, 18-22, 168
OWASP ASVS: 1.7, 5.15, 5.21, 5.22, 5.23
OWASP AppSensor: -
CAPEC: 28, 31, 152, 160, 468
SAFECODE: 2, 17

6 of DATA VALIDATION & ENCODING

Jason can bypass the centralized validation routines since they are not being used on all inputs

OWASP SCP: 3, 168
OWASP ASVS: 1.7, 5.6, 5.19
OWASP AppSensor: IE2-3
CAPEC: 28
SAFECODE: 3, 16, 24

7 of DATA VALIDATION & ENCODING

Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed

OWASP SCP: 4, 5, 7, 150
OWASP ASVS: 5.6, 11.8
OWASP AppSensor: IE2-3, EE1-2
CAPEC: 28, 153, 165
SAFECODE: 3, 16, 24

8 of DATA VALIDATION & ENCODING

Sarah can bypass the centralized sanitization routines since they are not being used comprehensively

OWASP SCP: 15, 169
OWASP ASVS: 1.7, 5.21, 5.23
OWASP AppSensor: -
CAPEC: 28, 31, 152, 160, 468
SAFECODE: 2, 17

9 of DATA VALIDATION & ENCODING

Shamun can bypass input validation or output validation checks because validation failures are not rejected and/or sanitized

OWASP SCP: 6, 21, 22, 168
OWASP ASVS: 5.3
OWASP AppSensor: IE2-3
CAPEC: 28
SAFECODE: 3, 16, 24

10 of DATA VALIDATION & ENCODING

Darío can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration to state data on a client device, lack of verification of identity during data validation such as Darío can pretend to be Colin)

OWASP SCP: 2, 19, 92, 95, 180
OWASP ASVS: 5.19, 10.6, 16.2, 16.3, 16.4, 16.5, 16.8
OWASP AppSensor: IE4, IE5
CAPEC: 12, 51, 57, 90, 111, 145, 194, 195, 202, 218, 463
SAFECODE: 14

J of DATA VALIDATION & ENCODING

Dennis has control over input validation, output validation or output encoding code or routines so they can be bypassed

OWASP SCP: 1, 17
OWASP ASVS: 5.5, 5.18
OWASP AppSensor: RE3, RE4
CAPEC: 87, 207, 554
SAFECODE: 2, 17

Q of DATA VALIDATION & ENCODING

Geoff can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes

OWASP SCP: 10, 15, 16, 19, 20
OWASP ASVS: 5.15, 5.22, 5.23, 5.24, 5.25
OWASP AppSensor: IE1, RP3
CAPEC: 28, 31, 152, 160, 468
SAFECODE: 2, 17

K of DATA VALIDATION & ENCODING

Gabe can inject data into a server-side interpreter (e.g. SQL, OS commands, XPath, Server JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly

OWASP SCP: 15, 19-22, 167, 180, 204, 211, 212
OWASP ASVS: 5.10, 5.11, 5.12, 5.13, 5.14, 5.16, 5.21
OWASP AppSensor: CIE1-2
CAPEC: 23, 28, 76, 152, 160, 261
SAFECODE: 2, 19, 20

A of AUTHENTICATION

You have invented a new attack against Authentication

Read more about this topic in OWASP’s free Authentication Cheat Sheet

2 of AUTHENTICATION

James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password)

OWASP SCP: 47, 52
OWASP ASVS: 2.12, 8.4, 8.10
OWASP AppSensor: UT1
CAPEC: -
SAFECODE: 28

3 of AUTHENTICATION

Muhammad can obtain a user’s password or other secrets such as security questions, by observation during entry, or from a local cache, or from memory, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password

OWASP SCP: 36-7, 40, 43, 48, 51, 119, 139-40, 146
OWASP ASVS: 2.2, 2.17, 2.24, 8.7, 9.1, 9.4, 9.5, 9.9, 9.11
OWASP AppSensor: -
CAPEC: 37, 546
SAFECODE: 28

4 of AUTHENTICATION

Sebastien can easily identify user names or can enumerate them

OWASP SCP: 33, 53
OWASP ASVS: 2.18, 2.28
OWASP AppSensor: AE1
CAPEC: 383
SAFECODE: 28

5 of AUTHENTICATION

Javier can use default, test or easily guessable credentials to authenticate, or can use an old account or an account not necessary for the application

OWASP SCP: 54, 175, 178
OWASP ASVS: 2.19
OWASP AppSensor: AE12, HT3
CAPEC: 70
SAFECODE: 28

6 of AUTHENTICATION

Sven can reuse a temporary password because the user does not have to change it on first use, or it has too long or no expiry, or it does not use an out-of-band delivery method (e.g. post, mobile app, SMS)

OWASP SCP: 37, 45, 46, 178
OWASP ASVS: 2.22
OWASP AppSensor: -
CAPEC: 50
SAFECODE: 28

7 of AUTHENTICATION

Cecilia can use brute force and dictionary attacks against one or many accounts without limit, or these attacks are simplified due to insufficient complexity, length, expiration and re-use requirements for passwords

OWASP SCP: 33, 38, 39, 41, 50, 53
OWASP ASVS: 2.7, 2.20, 2.23, 2.25, 2.27
OWASP AppSensor: AE2, AE3
CAPEC: 2, 16
SAFECODE: 27

8 of AUTHENTICATION

Kate can bypass authentication because it does not fail secure (i.e. it defaults to allowing unauthenticated access)

OWASP SCP: 28
OWASP ASVS: 2.6
OWASP AppSensor: -
CAPEC: 115
SAFECODE: 28

9 of AUTHENTICATION

Claudia can undertake more critical functions because authentication requirements are too weak (e.g. do not use strong authentication such as two factor), or there is no requirement to re-authenticate for these

OWASP SCP: 55, 56
OWASP ASVS: 2.1, 2.9, 2.26, 2.31, 4.15
OWASP AppSensor: -
CAPEC: 21
SAFECODE: 14, 28

10 of AUTHENTICATION

Pravin can bypass authentication controls because a centralized standard, tested, proven and approved authentication module/framework/service, separate to the resource being requested, is not being used

OWASP SCP: 25, 26, 27
OWASP ASVS: 1.7, 2.30
OWASP AppSensor: -
CAPEC: 90, 115
SAFECODE: 14, 28

J of AUTHENTICATION

Mark can access resources or services because there is no authentication requirement, or it was mistakenly assumed authentication would be undertaken by some other system or performed in some previous action

OWASP SCP: 23, 32, 34
OWASP ASVS: 2.1
OWASP AppSensor: -
CAPEC: 115
SAFECODE: 14, 28

Q of AUTHENTICATION

Jaime can bypass authentication because it is not enforced with equal rigor for all types of authentication functionality (e.g. register, password change, password recovery, log out, administration) or across all versions/channels (e.g. mobile website, mobile app, full website, API, call centre)

OWASP SCP: 23, 29, 42, 49
OWASP ASVS: 2.1, 2.8
OWASP AppSensor: -
CAPEC: 36, 50, 115, 121, 179
SAFECODE: 14, 28

K of AUTHENTICATION

Olga can influence or alter authentication code/routines so they can be bypassed

OWASP SCP: 24
OWASP ASVS: 2.4, 13.2
OWASP AppSensor: -
CAPEC: 115, 207, 554
SAFECODE: 14, 28

A of SESSION MANAGEMENT

You have invented a new attack against Session Management

Read more about this topic in OWASP’s free Cheat Sheets on Session Management, and Cross Site Request Forgery (CSRF) Prevention

2 of SESSION MANAGEMENT

William has control over the generation of session identifiers

OWASP SCP: 58, 59
OWASP ASVS: 3.10
OWASP AppSensor: SE2
CAPEC: 31, 60, 61
SAFECODE: 28

3 of SESSION MANAGEMENT

Ryan can use a single account in parallel since concurrent sessions are allowed

OWASP SCP: 68
OWASP ASVS: 3.16, 3.17, 3.18
OWASP AppSensor: -
CAPEC: -
SAFECODE: 28

4 of SESSION MANAGEMENT

Alison can set session identification cookies on another web application because the domain and path are not restricted sufficiently

OWASP SCP: 59, 61
OWASP ASVS: 3.12
OWASP AppSensor: SE2
CAPEC: 31, 61
SAFECODE: 28

5 of SESSION MANAGEMENT

John can predict or guess session identifiers because they are not changed when the user’s role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically

OWASP SCP: 60, 62, 66, 67, 71, 72
OWASP ASVS: 3.2, 3.7, 3.11
OWASP AppSensor: SE4-6
CAPEC: 31
SAFECODE: 28

6 of SESSION MANAGEMENT

Gary can take over a user’s session because there is a long or no inactivity timeout, or a long or no overall session time limit, or the same session can be used from more than one device/location

OWASP SCP: 64, 65
OWASP ASVS: 3.3, 3.4, 3.16, 3.17, 3.18
OWASP AppSensor: SE5, SE6
CAPEC: 21
SAFECODE: 28

7 of SESSION MANAGEMENT

Casey can utilize Adam’s session after he has finished, because there is no log out function, or he cannot easily log out, or log out does not properly terminate the session

OWASP SCP: 62, 63
OWASP ASVS: 3.2, 3.5
OWASP AppSensor: -
CAPEC: 21
SAFECODE: 28

8 of SESSION MANAGEMENT

Matt can abuse long sessions because the application does not require periodic re-authentication to check if privileges have changed

OWASP SCP: 96
OWASP ASVS: -
OWASP AppSensor: -
CAPEC: 21
SAFECODE: 28

9 of SESSION MANAGEMENT

Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible unnecessarily by code which the attacker can influence or alter

OWASP SCP: 69, 75, 76, 119, 138
OWASP ASVS: 3.6, 8.7, 10.3
OWASP AppSensor: SE4-6
CAPEC: 31, 60
SAFECODE: 28

10 of SESSION MANAGEMENT

Marce can forge requests because per-session, or per-request for more critical actions, strong random tokens (i.e. anti-CSRF tokens) or similar are not being used for actions that change state

OWASP SCP: 73, 74
OWASP ASVS: 4.13
OWASP AppSensor: IE4
CAPEC: 62, 111
SAFECODE: 18

J of SESSION MANAGEMENT

Jeff can resend an identical repeat interaction (e.g. HTTP request, signal, button press) and it is accepted, not rejected

OWASP SCP: -
OWASP ASVS: 15.1, 15.2
OWASP AppSensor: IE5
CAPEC: 60
SAFECODE: 12, 14

Q of SESSION MANAGEMENT

Salim can bypass session management because it is not applied comprehensively and consistently across the application

OWASP SCP: 58
OWASP ASVS: 3.1
OWASP AppSensor: -
CAPEC: 21
SAFECODE: 14, 28

K of SESSION MANAGEMENT

Peter can bypass the session management controls because they have been self-built and/or are weak, instead of using a standard framework or approved tested module

OWASP SCP: 58, 60
OWASP ASVS: 1.7
OWASP AppSensor: -
CAPEC: 21
SAFECODE: 14, 28

A of AUTHORIZATION

You have invented a new attack against Authorization

Read more about this topic in OWASP’s Development and Testing Guides

2 of AUTHORIZATION

Tim can influence where data is sent or forwarded to

OWASP SCP: 44
OWASP ASVS: 4.1, 4.16, 16.1
OWASP AppSensor: -
CAPEC: 153
SAFECODE: 8, 10, 11

3 of AUTHORIZATION

Christian can access information, which they should not have permission to, through another mechanism that does have permission (e.g. search indexer, logger, reporting), or because it is cached, or kept for longer than necessary, or other information leakage

OWASP SCP: 51, 100, 135, 139, 140, 141, 150
OWASP ASVS: 4.1, 8.2, 9.1-9.6, 9.11, 16.6, 16.7
OWASP AppSensor: -
CAPEC: 69, 213
SAFECODE: 8, 10, 11

4 of AUTHORIZATION

Kelly can bypass authorization controls because they do not fail securely (i.e. they default to allowing access)

OWASP SCP: 79, 80
OWASP ASVS: 4.8
OWASP AppSensor: -
CAPEC: 122
SAFECODE: 8, 10, 11

5 of AUTHORIZATION

Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege)

OWASP SCP: 70, 81, 83-4, 87-9, 99, 117, 131-2, 142, 154, 170, 179
OWASP ASVS: 4.1, 4.4, 4.9, 19.3
OWASP AppSensor: ACE1-4, HT2
CAPEC: 75, 87, 95, 126, 149, 155, 203, 213, 264-5
SAFECODE: 8, 10, 11, 13

6 of AUTHORIZATION

Eduardo can access data he does not have permission to, even though he has permission to the form/page/URL/entry point

OWASP SCP: 81, 88, 131
OWASP ASVS: 4.1, 4.4
OWASP AppSensor: ACE1-4
CAPEC: 122
SAFECODE: 8, 10, 11

7 of AUTHORIZATION

Yuanjing can access application functions, objects, or properties he is not authorized to access

OWASP SCP: 81, 85, 86, 131
OWASP ASVS: 4.1, 4.4
OWASP AppSensor: ACE1-4
CAPEC: 122
SAFECODE: 8, 10, 11

8 of AUTHORIZATION

Tom can bypass business rules by altering the usual process sequence or flow, or by undertaking the process in the incorrect order, or by manipulating date and time values used by the application, or by using valid features for unintended purposes, or by otherwise manipulating control data

OWASP SCP: 10, 32, 93, 94, 189
OWASP ASVS: 4.10, 4.15, 4.16, 8.13, 15.1
OWASP AppSensor: ACE3
CAPEC: 25, 39, 74, 162, 166, 207
SAFECODE: 8, 10, 11, 12

9 of AUTHORIZATION

Mike can misuse an application by using a valid feature too fast, or too frequently, or in some other way that is not intended, or that consumes the application’s resources, or causes race conditions, or over-utilizes a feature

OWASP SCP: 94
OWASP ASVS: 4.14, 15.2
OWASP AppSensor: AE3, FIO1-2, UT2-4, STE1-3
CAPEC: 26, 29, 119, 261
SAFECODE: 1, 35

10 of AUTHORIZATION

Richard can bypass the centralized authorization controls since they are not being used comprehensively on all interactions

OWASP SCP: 78, 91
OWASP ASVS: 1.7, 4.11
OWASP AppSensor: ACE1-4
CAPEC: 36, 95, 121, 179
SAFECODE: 8, 10, 11

J of AUTHORIZATION

Dinis can access security configuration information, or access control lists

OWASP SCP: 89, 90
OWASP ASVS: 4.10, 13.2
OWASP AppSensor: -
CAPEC: 75, 133, 203
SAFECODE: 8, 10, 11

Q of AUTHORIZATION

Christopher can inject a command that the application will run at a higher privilege level

OWASP SCP: 209
OWASP ASVS: 5.12
OWASP AppSensor: -
CAPEC: 17, 30, 69, 234
SAFECODE: 8, 10, 11

K of AUTHORIZATION

Ryan can influence or alter authorization controls and permissions, and can therefore bypass them

OWASP SCP: 77, 89, 91
OWASP ASVS: 4.9, 4.10, 13.2
OWASP AppSensor: -
CAPEC: 207, 554
SAFECODE: 8, 10, 11

A of CRYPTOGRAPHY

You have invented a new attack against Cryptography

Read more about this topic in OWASP’s free Cheat Sheets on Cryptographic Storage, and Transport Layer Protection

2 of CRYPTOGRAPHY

Kyun can access data because it has been obfuscated rather than using an approved cryptographic function

OWASP SCP: 105, 133, 135
OWASP ASVS: -
OWASP AppSensor: -
CAPEC: -
SAFECODE: 21, 29

3 of CRYPTOGRAPHY

Axel can modify transient or permanent data (stored or in transit), or source code, or updates/patches, or configuration data, because it is not subject to integrity checking

OWASP SCP: 92, 205, 212
OWASP ASVS: 8.11, 11.7, 13.2, 19.5, 19.6, 19.7, 19.8
OWASP AppSensor: SE1, IE4
CAPEC: 31, 39, 68, 75, 133, 145, 162, 203, 438-9, 442
SAFECODE: 12, 14

4 of CRYPTOGRAPHY

Paulo can access data in transit that is not encrypted, even though the channel is encrypted

OWASP SCP: 37, 88, 143, 214
OWASP ASVS: 7.12, 9.2
OWASP AppSensor: -
CAPEC: 185, 186, 187
SAFECODE: 14, 29, 30

5 of CRYPTOGRAPHY

Kyle can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected)

OWASP SCP: 103, 145
OWASP ASVS: 7.2, 10.3
OWASP AppSensor: -
CAPEC: -
SAFECODE: 21, 29

6 of CRYPTOGRAPHY

Romain can read and modify unencrypted data in memory or in transit (e.g. cryptographic secrets, credentials, session identifiers, personal and commercially-sensitive data), in use or in communications within the application, or between the application and users, or between the application and external systems

OWASP SCP: 36, 37, 143, 146, 147
OWASP ASVS: 2.16, 9.2, 9.11, 10.3, 19.2
OWASP AppSensor: -
CAPEC: 31, 57, 102, 157, 158, 384, 466, 546
SAFECODE: 29

7 of CRYPTOGRAPHY

Gunter can intercept or modify encrypted data in transit because the protocol is poorly deployed, or weakly configured, or certificates are invalid, or certificates are not trusted, or the connection can be degraded to a weaker or un-encrypted communication

OWASP SCP: 75, 144, 145, 148
OWASP ASVS: 10.1, 10.5, 10.10, 10.11, 10.12, 10.13, 10.14
OWASP AppSensor: IE4
CAPEC: 31, 216
SAFECODE: 14, 29, 30

8 of CRYPTOGRAPHY

Eoin can access stored business data (e.g. passwords, session identifiers, PII, cardholder data) because it is not securely encrypted or securely hashed

OWASP SCP: 30, 31, 70, 133, 135
OWASP ASVS: 2.13, 7.7, 7.8, 9.2
OWASP AppSensor: -
CAPEC: 31, 37, 55
SAFECODE: 21, 29, 31

9 of CRYPTOGRAPHY

Andy can bypass random number generation, random GUID generation, hashing and encryption functions because they have been self-built and/or are weak

OWASP SCP: 60, 104, 105
OWASP ASVS: 7.6, 7.7, 7.8, 7.15
OWASP AppSensor: -
CAPEC: 97
SAFECODE: 14, 21, 29, 32, 33

10 of CRYPTOGRAPHY

Susanna can break the cryptography in use because it is not strong enough for the degree of protection required, or it is not strong enough for the amount of effort the attacker is willing to make

OWASP SCP: 104, 105
OWASP ASVS: -
OWASP AppSensor: -
CAPEC: 97, 463
SAFECODE: 14, 21, 29, 31, 32, 33

J of CRYPTOGRAPHY

Justin can read credentials for accessing internal or external resources, services and other systems because they are stored in an unencrypted format, or saved in the source code

OWASP SCP: 35, 90, 171, 172
OWASP ASVS: 2.29
OWASP AppSensor: -
CAPEC: 116
SAFECODE: 21, 29

Q of CRYPTOGRAPHY

Randolph can access or predict the master cryptographic secrets

OWASP SCP: 35, 102
OWASP ASVS: 7.8, 7.9, 7.11, 7.13, 7.14
OWASP AppSensor: -
CAPEC: 116, 117
SAFECODE: 21, 29

K of CRYPTOGRAPHY

Dan can influence or alter cryptography code/routines (encryption, hashing, digital signatures, random number and GUID generation) and can therefore bypass them

OWASP SCP: 31, 101
OWASP ASVS: 7.11
OWASP AppSensor: -
CAPEC: 207, 554
SAFECODE: 14, 21, 29

A of CORNUCOPIA

You have invented a new attack of any type

Read more about application security in OWASP’s free Guides on Requirements, Development, Code Review and Testing, the Cheat Sheet series, and the Open Software Assurance Maturity Model

2 of CORNUCOPIA

Lee can bypass application controls because dangerous/risky programming language functions have been used instead of safer alternatives, or there are type conversion errors, or because the application is unreliable when an external resource is unavailable, or there are race conditions, or there are resource initialization or allocation issues, or overflows can occur

OWASP SCP: 194-202, 205-209
OWASP ASVS: 5.1
OWASP AppSensor: -
CAPEC: 25, 26, 29, 96, 123-4, 128-9, 264-5
SAFECODE: 3, 5-7, 9, 22, 25-26, 34

3 of CORNUCOPIA

Andrew can access source code, or decompile, or otherwise access business logic to understand how the application works and any secrets contained

OWASP SCP: 134
OWASP ASVS: 19.5
OWASP AppSensor: -
CAPEC: 189, 207
SAFECODE: -

4 of CORNUCOPIA

Keith can perform an action and it is not possible to attribute it to him

OWASP SCP: 23, 32, 34, 42, 51, 181
OWASP ASVS: 8.10
OWASP AppSensor: -
CAPEC: -
SAFECODE: -

5 of CORNUCOPIA

Larry can influence the trust other parties including users have in the application, or abuse that trust elsewhere (e.g. in another application)

OWASP SCP: -
OWASP ASVS: -
OWASP AppSensor: -
CAPEC: 89, 103, 181, 459
SAFECODE: -

6 of CORNUCOPIA

Aaron can bypass controls because error/exception handling is missing, or is implemented inconsistently or partially, or does not deny access by default (i.e. errors should terminate access/execution), or relies on handling by some other service or system

OWASP SCP: 109, 110, 111, 112, 155
OWASP ASVS: 8.2, 8.4
OWASP AppSensor: -
CAPEC: 54, 98, 164
SAFECODE: 4, 11, 23

7 of CORNUCOPIA

Mwengu’s actions cannot be investigated because there is not an adequate accurately time-stamped record of security events, or there is not a full audit trail, or these can be altered or deleted by Mwengu, or there is no centralized logging service

OWASP SCP: 113-115, 117, 118, 121-130
OWASP ASVS: 2.12, 8.3-8.12, 9.10, 10.4
OWASP AppSensor: -
CAPEC: 93
SAFECODE: 4

8 of CORNUCOPIA

David can bypass the application to gain access to data because the network and host infrastructure, and supporting services/applications, have not been securely configured, the configuration rechecked periodically and security patches applied, or the data is stored locally, or the data is not physically protected

OWASP SCP: 151, 152, 156, 160, 161, 173-177
OWASP ASVS: 19.1, 19.4, 19.6, 19.7, 19.8
OWASP AppSensor: RE1, RE2
CAPEC: 37, 220, 310, 436, 536
SAFECODE: -

9 of CORNUCOPIA

Michael can bypass the application to gain access to data because administrative tools or administrative interfaces are not secured adequately

OWASP SCP: 23, 29, 56, 81, 82, 84-90
OWASP ASVS: 2.1, 2.32
OWASP AppSensor: -
CAPEC: 122, 233
SAFECODE: -

10 of CORNUCOPIA

Xavier can circumvent the application’s controls because code frameworks, libraries and components contain malicious code or vulnerabilities (e.g. in-house, commercial off the shelf, outsourced, open source, externally-located)

OWASP SCP: 57, 151, 152, 204, 205, 213, 214
OWASP ASVS: 1.11
OWASP AppSensor: -
CAPEC: 68, 438, 439, 442, 524, 538
SAFECODE: 15

J of CORNUCOPIA

Roman can exploit the application because it was compiled using out-of-date tools, or its configuration is not secure by default, or security information was not documented and passed on to operational teams

OWASP SCP: 90, 137, 148, 151-154, 175-179, 186, 192
OWASP ASVS: 19.5, 19.9
OWASP AppSensor: -
CAPEC: -
SAFECODE: 4

Q of CORNUCOPIA

Jim can undertake malicious, non-normal, actions without real-time detection and response by the application

OWASP SCP: -
OWASP ASVS: 4.14, 9.8, 15.1, 15.2
OWASP AppSensor: (All)
CAPEC: -
SAFECODE: 1, 27

K of CORNUCOPIA

Gareth can utilize the application to deny service to some or all of its users

OWASP SCP: 41, 55
OWASP ASVS: -
OWASP AppSensor: UT1-4, STE3
CAPEC: 2, 25, 119, 125
SAFECODE: 1

Joker - WILD CARD

Alice can utilize the application to attack users’ systems and data

Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP’s work

Joker - WILD CARD

Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates

Examine vulnerabilities and discover how they can be fixed using training applications in the free OWASP Broken Web Applications VM, or using the online challenges in the free Hacking Lab
