en:cs:web_applications_threats_modeling (revision of 2017/01/27 14:45 by fraggle)

====== Introduction ======

The purpose of this draft is to propose an assessment model for each threat class.\\
We will follow the OWASP Top Ten list.

====== Threats ======

===== Threat class: A1 injection =====

Each web application has a finite set of input parameters (form fields, URL parameters, ...), called $\mathcal{I} = \{i_{1},\dots,i_{n}\}, \, n \in \mathbb{N}$.\\
Every input parameter is typed: $i_{1} \, {\longmapsto} \, t_{3}; \dots ; \, i_{n} \, {\longmapsto} \, t_{7}$, each $t_{j}$ being chosen from a finite set of types

$\mathcal{T} =
\left \{
\begin{array}{r c l}
t_{1} & = & integer \\
t_{2} & = & string \\
\vdots & & \vdots \\
t_{k} & = & type_{k}
\end{array}
\right . \quad k \in \mathbb{N}.$

In what follows we will work with the cartesian product $\mathcal{I}\times\mathcal{T}$; the typing of a given application is the subset of pairs $(i, t)$ actually observed in it.

__Question:__ Does it matter whether an input is a form field, a URL parameter, ...?

Let us describe the process for assessing A1 threats in a web application.

  * Phase one: determine $\mathcal{I}\times\mathcal{T}$

How this is done depends on the approach chosen.\\
In black-box testing, it is based on scanning URLs, page contents, ....\\
In static code analysis, it is based on detecting code patterns (the places where input enters the program).\\
The type of each input must be inferred.

We might also record the location of each input.\\
__Question:__ When is the location of an input useful?\\
(If it is, it brings in a new finite set $\mathcal{L} = \{l_{1},\dots,l_{p}\}, \, p \in \mathbb{N}$, where $l_{j}$ is the location of $i_{j}$, which need not be unique!)

  * Phase two: determine the data patterns to inject

This is not blind, random data generation as in fuzzing: the data should be crafted according to each input's type and probably its location. Building the set of data patterns is the challenging part.\\
For now, we only know that it is finite.

One way to build it is to start from an alphabet (quotes, comment markers, SQL keywords, ...) and a set of syntactic rules for combining its elements into strings that are meaningful from a security standpoint.

  * Phase three: inject the data patterns into all inputs

Inject each pattern into each input of the matching type and observe how the application responds.
