en:cs:web_applications_threats_modeling

Ceci est une ancienne révision du document !


Introduction

The whole purpose of this draft is to propose an assessment model for each threat class.
We will follow the OWASP top ten list.

Threats

Each web applications has a finite set of input parameters being in forms, URL parameters, … called $ \mathcal{I} = \{i_{1},\dots,i_{n}\}, \, n \in \mathbb{N} $.
All input parameters are typed: $ i_{1} \, {\longmapsto} \, t_{3}; \dots ; \, i_{n} \, {\longmapsto} \, t_{7}, \, t_{i} $ being chosen in a finite set of type called

$ \mathcal{T} =

 \left \{
 \begin{array}{r c l}
    t_{1}  & = & integer \\
    t_{2}  & = & string \\
    \vdots & & \vdots \\
    t_{k}  & = & type_{k}
 \end{array}
 \right . \quad k \in \mathbb{N}. $
 

We will consider the cartesian product $ \mathcal{I}\times\matchcal{T} $ in the future.

Question: Does it matter if it's a form input or an URL parameter or … ?

Let's describe the processus to assess A1 threats in a web application.

  • Phase one: determine $ \mathcal{I}\times\matchcal{T} $

It will be depend on the approach chosen.
If it's a black box testing, it will be based on URLs scanning, pages content scanning, ….
If it's static code analysis, it will be based on detection of code pattern.
Each inputs' type shall be inferred.

We might also consider the location of each input.
Question: When the location information of inputs will be useful ?
(If it's useful, it will bring in a new finite set $ \mathcal{L} $ which will contain $ \{l_{1},\dots,l_{p}\}, \, p \in \mathbb{N} $ where $ l_{i} $ is the location of $ i_{i} $ which might not be unique !)

  • Phase two: determine data pattern to inject

It will of course not be a blind and random data building like fuzzing, data should be intelligently crafted depending on the inputs type and probably location. The building of the set of data patterns is challenging.
For now, we only know it is finite.

One way to build it is to start with an alphabet and some syntactic rules to combine each element in the alphabet in a meaningful fashion for security.

  • Phase three: inject sensibly the data patterns in all inputs

Inject.

  • en/cs/web_applications_threats_modeling.1485524740.txt.gz
  • Dernière modification : 2021/12/27 18:24
  • (modification externe)