Threat Model Name:
Owner:
Reviewer:
Contributors:
Description:
Assumptions:
External Dependencies:
| Threat Status | Count |
| --- | --- |
| Not Started | 73 |
| Not Applicable | 0 |
| Needs Investigation | 0 |
| Mitigation Implemented | 12 |
| Total | 85 |
| Total Migrated | 0 |
| Category: | Spoofing |
| Description: | Agent may be spoofed by an attacker and this may lead to unauthorized access to Web Server. Consider using a standard authentication mechanism to identify the external entity. |
| Justification: | Mitigation: Implement standard authentication to validate the identity of the external agent. |
| Category: | Tampering |
| Description: | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. |
| Justification: | Mitigation: Sanitize all user input to prevent the execution of malicious scripts. |
| Category: | Repudiation |
| Description: | Web Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | Mitigation: Implement audit logs that record requests and responses to guarantee traceability. |
| Category: | Denial Of Service |
| Description: | Web Server crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
| Justification: | Mitigation: Implement DoS prevention mechanisms, such as traffic filtering and access control. |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | Mitigation: Implement mechanisms to detect and mitigate interruptions of the data flow, such as network monitoring and protection against DoS attacks. |
| Category: | Elevation Of Privilege |
| Description: | Web Server may be able to impersonate the context of Agent in order to gain additional privilege. |
| Justification: | Mitigation: Implement stricter access controls and authentication to prevent identity impersonation. |
| Category: | Elevation Of Privilege |
| Description: | Agent may be able to remotely execute code for Web Server. |
| Justification: | Mitigation: Apply patches and controls to prevent remote code execution. |
| Category: | Elevation Of Privilege |
| Description: | An attacker may pass data into Web Server in order to change the flow of program execution within Web Server to the attacker's choosing. |
| Justification: | Mitigation: Validate all input data and secure the server's execution flow. |
| Category: | Spoofing |
| Description: | Agent may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of Agent. Consider using a standard authentication mechanism to identify the external entity. |
| Justification: | Mitigation: Implement standard authentication to ensure the identity of external entities. |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SQL Database Credentials & products. Consider using a standard authentication mechanism to identify the destination data store. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. |
| Justification: | Mitigation: Review procedures that construct SQL queries and use parameterized queries. |
| Category: | Tampering |
| Description: | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SQL Database Credentials & products. Consider using a standard authentication mechanism to identify the destination data store. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Cloud Storage may be spoofed by an attacker and this may lead to incorrect data delivered to SQL Database Credentials & products. Consider using a standard authentication mechanism to identify the source data store. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SQL Database Credentials & products. Consider using a standard authentication mechanism to identify the destination data store. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | SQL Database Credentials & products claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent prevents access to a data store on the other side of the trust boundary. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to incorrect data delivered to Cloud Storage. Consider using a standard authentication mechanism to identify the source data store. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Cloud Storage may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Cloud Storage. Consider using a standard authentication mechanism to identify the destination data store. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | Cloud Storage claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent prevents access to a data store on the other side of the trust boundary. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Authorization Provider may be spoofed by an attacker and this may lead to unauthorized access to Web Server. Consider using a standard authentication mechanism to identify the external entity. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | Web Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | Web Server crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Web Server may be able to impersonate the context of Authorization Provider in order to gain additional privilege. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Authorization Provider may be able to remotely execute code for Web Server. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | An attacker may pass data into Web Server in order to change the flow of program execution within Web Server to the attacker's choosing. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Authorization Provider may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of Authorization Provider. Consider using a standard authentication mechanism to identify the external entity. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | Authorization Provider claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Common SSO implementations such as OAuth 2.0 and OAuth WRAP are vulnerable to MitM attacks. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Web Server may be spoofed by an attacker and this may lead to unauthorized access to NoSQL logs. Consider using a standard authentication mechanism to identify the source process. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | NoSQL logs may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of NoSQL logs. Consider using a standard authentication mechanism to identify the destination data store. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | Data flowing across Server->Logs may be tampered with by an attacker. This may lead to corruption of NoSQL logs. Ensure the integrity of the data flow to the data store. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | NoSQL logs claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | Does Web Server or NoSQL logs take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times when it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do time out. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent prevents access to a data store on the other side of the trust boundary. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Web Server may be spoofed by an attacker and this may lead to unauthorized access to SQL Database Credentials & products. Consider using a standard authentication mechanism to identify the source process. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of SQL Database Credentials & products. Consider using a standard authentication mechanism to identify the destination data store. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | Data flowing across Server->SQL may be tampered with by an attacker. This may lead to corruption of SQL Database Credentials & products. Ensure the integrity of the data flow to the data store. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | SQL Database Credentials & products claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Information Disclosure |
| Description: | Data flowing across Server->SQL may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | Does Web Server or SQL Database Credentials & products take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times when it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do time out. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent prevents access to a data store on the other side of the trust boundary. |
| Justification: | <no mitigation provided> |
| Category: | Information Disclosure |
| Description: | Improper data protection of SQL Database Credentials & products can allow an attacker to read information not intended for disclosure. Review authorization settings. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to incorrect data delivered to Agent. Consider using a standard authentication mechanism to identify the source data store. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to incorrect data delivered to Admin. Consider using a standard authentication mechanism to identify the source data store. |
| Justification: | Mitigation: Implement standard authentication mechanisms to verify the identity of the source database. |
| Category: | Information Disclosure |
| Description: | Improper data protection of SQL Database Credentials & products can allow an attacker to read information not intended for disclosure. Review authorization settings. |
| Justification: | Mitigation: Review authorization settings to ensure that only authorized users have access to sensitive data. |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to incorrect data delivered to NoSQL logs. Consider using a standard authentication mechanism to identify the source data store. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | NoSQL logs may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of NoSQL logs. Consider using a standard authentication mechanism to identify the destination data store. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Web Server may be spoofed by an attacker and this may lead to information disclosure by SQL Database Credentials & products. Consider using a standard authentication mechanism to identify the destination process. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | SQL Database Credentials & products may be spoofed by an attacker and this may lead to incorrect data delivered to Web Server. Consider using a standard authentication mechanism to identify the source data store. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | The web server 'Web Server' could be subject to a persistent cross-site scripting attack because it does not sanitize the inputs and outputs of data store 'SQL Database Credentials & products'. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | Web Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Information Disclosure |
| Description: | Improper data protection of SQL Database Credentials & products can allow an attacker to read information not intended for disclosure. Review authorization settings. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | Web Server crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent prevents access to a data store on the other side of the trust boundary. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | SQL Database Credentials & products may be able to remotely execute code for Web Server. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | An attacker may pass data into Web Server in order to change the flow of program execution within Web Server to the attacker's choosing. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Browser Client may be spoofed by an attacker and this may lead to unauthorized access to Web Server. Consider using a standard authentication mechanism to identify the source process. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | The web server 'Web Server' could be subject to a cross-site scripting attack because it does not sanitize untrusted input. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | Web Server claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | Web Server crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Web Server may be able to impersonate the context of Browser Client in order to gain additional privilege. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Browser Client may be able to remotely execute code for Web Server. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | An attacker may pass data into Web Server in order to change the flow of program execution within Web Server to the attacker's choosing. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Cross-site request forgery (CSRF or XSRF) is a type of attack in which an attacker forces a user's browser to make a forged request to a vulnerable site by exploiting an existing trust relationship between the browser and the vulnerable web site. In a simple scenario, a user is logged in to web site A using a cookie as a credential. The user then browses to web site B. Web site B returns a page with a hidden form that posts to web site A. Since the browser will carry the user's cookie to web site A, web site B can now take any action on web site A, for example, adding an admin to an account. The attack can be used to exploit any requests that the browser automatically authenticates, e.g. by session cookie, integrated authentication, or IP whitelisting. The attack can be carried out in many ways, such as by luring the victim to a site under the attacker's control, getting the user to click a link in a phishing email, or compromising a reputable web site that the victim will visit. The issue can only be resolved on the server side by requiring that all authenticated state-changing requests include an additional piece of secret payload (canary or CSRF token) which is known only to the legitimate web site and the browser and which is protected in transit through SSL/TLS. See the Forgery Protection property on the flow stencil for a list of mitigations. |
| Justification: | <no mitigation provided> |
| Category: | Spoofing |
| Description: | Web Server may be spoofed by an attacker and this may lead to unauthorized access to Browser Client. Consider using a standard authentication mechanism to identify the source process. |
| Justification: | <no mitigation provided> |
| Category: | Tampering |
| Description: | If Web Server is given access to memory, such as shared memory or pointers, or is given the ability to control what Browser Client executes (for example, passing back a function pointer), then Web Server can tamper with Browser Client. Consider whether the function could work with less access to memory, such as passing data rather than pointers. Copy in the data provided, and then validate it. |
| Justification: | <no mitigation provided> |
| Category: | Repudiation |
| Description: | Browser Client claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | Browser Client crashes, halts, stops or runs slowly; in all cases violating an availability metric. |
| Justification: | <no mitigation provided> |
| Category: | Denial Of Service |
| Description: | An external agent interrupts data flowing across a trust boundary in either direction. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Browser Client may be able to impersonate the context of Web Server in order to gain additional privilege. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | Web Server may be able to remotely execute code for Browser Client. |
| Justification: | <no mitigation provided> |
| Category: | Elevation Of Privilege |
| Description: | An attacker may pass data into Browser Client in order to change the flow of program execution within Browser Client to the attacker's choosing. |
| Justification: | <no mitigation provided> |