en:cs:web_applications_threats_modeling

Differences

Below, the differences between two revisions of the page.


en:cs:web_applications_threats_modeling [2017/01/27 14:45]
fraggle [Threats class: A1 injection]
en:cs:web_applications_threats_modeling [2021/12/27 18:25]
Line 1: Line 1:
-====== Introduction ====== 
- 
-The whole purpose of this draft is to propose an assessment model for each threat class.\\  
-We will follow the OWASP top ten list.  
- 
-====== Threats ====== 
- 
-===== Threats class: A1 injection ===== 
- 
-Each web applications has a finite set of input parameters being in forms, URL parameters, ... called $ \mathcal{I} = \{i_{1},\dots,i_{n}\}, \, n \in \mathbb{N} $.\\ 
-All input parameters are typed: $ i_{1} \, {\longmapsto} \, t_{3}; \dots ; \, i_{n} \, {\longmapsto} \, t_{7}, \, t_{i} $ being chosen in a finite set of type called  
- 
-$ \mathcal{T} =     
-   \left \{ 
-   \begin{array}{r c l} 
-      t_{1}  & = & integer \\ 
-      t_{2}  & = & string \\ 
-      \vdots & & \vdots \\ 
-      t_{k}  & = & type_{k} 
-   \end{array} 
-   \right . \quad k \in \mathbb{N}. $ 
-    
-We will consider the cartesian product $ \mathcal{I}\times\matchcal{T} $ in the future.  
- 
-__Question:__ Does it matter if it's a form input or an URL parameter or ... ?  
- 
-Let's describe the processus to assess A1 threats in a web application.  
- 
-  * Phase one: determine $ \mathcal{I}\times\matchcal{T} $ 
- 
-It will be depend on the approach chosen.\\ 
-If it's a black box testing, it will be based on URLs scanning, pages content scanning, ....\\ 
-If it's static code analysis, it will be based on detection of code pattern.\\ 
-Each inputs' type shall be inferred.  
- 
-We might also consider the location of each input.\\ 
-__Question__: When the location information of inputs will be useful ?\\   
-(If it's useful, it will bring in a new finite set $ \mathcal{L} $ which will contain $ \{l_{1},\dots,l_{p}\}, \, p \in \mathbb{N} $ where $ l_{i} $ is the location of $ i_{i} $ which might not be unique !) 
- 
-  * Phase two: determine data pattern to inject 
- 
-It will of course not be a blind and random data building like fuzzing, data should be intelligently crafted depending on the inputs type and probably location. The building of the set of data patterns is challenging.\\ 
-For now, we only know it is finite.  
- 
-One way to build it is to start with an alphabet and some syntactic rules to combine each element in the alphabet in a meaningful fashion for security. 
-  
-  * Phase three: inject sensibly the data patterns in all inputs 
- 
-Inject. 
- 
-  
- 
- 
-  
  
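Review bot: this revision deletes the entire draft (the introduction, the definition of the input set I and the type set T, and the three assessment phases) and adds nothing in its place, so the page ends up empty; if the draft was superseded, the new revision should at least leave a pointer to where the assessment model moved, and if the deletion was accidental the 2017/01/27 text should be restored. Two things worth fixing if it is restored: `\matchcal{T}` in "$ \mathcal{I}\times\matchcal{T} $" (both in the cartesian product sentence and in the "Phase one" bullet) is a typo for `\mathcal{T}`, so that formula never rendered, and the "Phase three" section consists only of the word "Inject.", so the draft stops before describing the injection step it introduces.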