Skip to content

Latest commit

 

History

History
102 lines (89 loc) · 7.61 KB

threat-modeling.md

File metadata and controls

102 lines (89 loc) · 7.61 KB

Threat Model Analysis for ory/kratos

Threat: Kratos Flow Configuration Bypass

  • Threat: Kratos Flow Configuration Bypass

    • Description: An attacker manipulates the parameters of a Kratos flow (e.g., registration, login) to bypass security checks within Kratos itself. This is due to misconfiguration of Kratos, not just the application using it. Examples include:
      • Skipping required flow steps by directly accessing later stages via URL manipulation, exploiting a lack of server-side state enforcement in Kratos.
      • Providing invalid data that bypasses schema validation due to a Kratos configuration error.
      • Exploiting misconfigured redirect_to parameters within the Kratos configuration to redirect to a malicious site.
      • Abusing misconfigured after hooks within Kratos to gain unauthorized access.
    • Impact:
      • Unauthorized account creation.
      • Account takeover.
      • Access to sensitive data.
      • Bypass of multi-factor authentication (MFA) configured within Kratos.
      • Phishing attacks via malicious redirects (if Kratos is misconfigured to allow it).
    • Affected Kratos Component:
      • Flow configuration (JSON configuration files).
      • Flow handlers (e.g., registration, login, settings, recovery, verification).
      • selfservice API endpoints.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Strict Flow Validation: Enforce strict validation of all flow parameters and state transitions within Kratos's configuration. Do not rely solely on client-side validation or application-level checks.
      • Configuration Review: Thoroughly review and test all Kratos flow configurations, paying close attention to redirect_to, after hooks, and schema validation settings within Kratos.
      • Least Privilege: Configure Kratos flows with the minimum necessary privileges.
      • Input Sanitization: Ensure Kratos's schema validation is robust and correctly configured to prevent malicious input.
      • Regular Audits: Regularly audit Kratos flow configurations for changes and potential vulnerabilities.
      • Configuration-as-Code: Use a configuration-as-code approach to manage Kratos configurations.

Threat: Kratos Service Compromise

  • Threat: Kratos Service Compromise

    • Description: An attacker gains unauthorized access to the server running the Kratos service itself. This is a direct attack on Kratos's infrastructure. This could be through:
      • Exploiting a vulnerability in Kratos itself (rare, but possible).
      • Exploiting a vulnerability in the operating system or other software on the server hosting Kratos.
      • Gaining access through stolen credentials (e.g., SSH keys, database passwords) used by Kratos.
    • Impact:
      • Complete control over the identity and access management system (Kratos).
      • Ability to create, modify, or delete user accounts.
      • Ability to issue valid session tokens for any user.
      • Access to all user data stored within Kratos.
      • Potential for lateral movement to other systems.
    • Affected Kratos Component:
      • Entire Kratos service.
      • Underlying database used by Kratos.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Keep Kratos Updated: Regularly update Kratos to the latest stable version to patch any known vulnerabilities in Kratos.
      • Server Hardening: Follow best practices for server hardening of the machine hosting Kratos, including:
        • Using a minimal operating system installation.
        • Disabling unnecessary services.
        • Configuring a firewall.
        • Regularly applying security patches.
      • Secure Credentials: Use strong, unique passwords and API keys for Kratos and its database. These are Kratos's credentials, not the application's.
      • Network Segmentation: Isolate the Kratos server from other systems using network segmentation.
      • Intrusion Detection: Implement intrusion detection and prevention systems monitoring the Kratos server.
      • Regular Security Audits: Perform regular security audits and penetration testing of the Kratos deployment.

Threat: Denial of Service (DoS) against Kratos API

  • Threat: Denial of Service (DoS) against Kratos API

    • Description: An attacker floods the Kratos API with requests, overwhelming the service and preventing legitimate users from authenticating or managing their accounts. This directly impacts Kratos's availability. This could target specific Kratos endpoints, like:
      • /self-service/login/browser
      • /self-service/registration/browser
      • /sessions/whoami
    • Impact:
      • Inability for users to log in or register (through Kratos).
      • Disruption of service relying on Kratos.
      • Potential for resource exhaustion on the Kratos server.
    • Affected Kratos Component:
      • Kratos API endpoints.
      • Kratos server resources (CPU, memory, network).
    • Risk Severity: High
    • Mitigation Strategies:
      • Rate Limiting: Configure Kratos's built-in rate limiting features to limit the number of requests from a single IP address or user.
      • Web Application Firewall (WAF): Deploy a WAF in front of Kratos to filter out malicious traffic.
      • Load Balancing: Use a load balancer to distribute traffic across multiple Kratos instances.
      • Resource Monitoring: Monitor Kratos's resource usage and performance to detect and respond to DoS attacks.
      • DDoS Protection Service: Consider using a dedicated DDoS protection service for the Kratos deployment.

Threat: Weak Credentials for Connected Services Used by Kratos

  • Threat: Weak Credentials for Connected Services Used by Kratos

    • Description: Kratos connects to external services like databases and email providers. If Kratos's connections to these services use weak credentials (e.g., default passwords, easily guessable passwords), an attacker could compromise these services and then potentially gain access to Kratos or the data it manages. This is about the security of Kratos's dependencies.
    • Impact:
      • Database compromise (the database used by Kratos).
      • Email account compromise (the account used by Kratos for notifications).
      • Potential for lateral movement to Kratos itself.
    • Affected Kratos Component:
      • Kratos configuration (connection strings, API keys used by Kratos).
      • External services (database, email provider) connected to Kratos.
    • Risk Severity: High
    • Mitigation Strategies:
      • Strong, Unique Passwords: Use strong, unique passwords for all services connected to Kratos.
      • Password Management: Use a password manager to generate and store strong passwords for Kratos's dependencies.
      • Regular Password Rotation: Regularly rotate passwords for all services connected to Kratos.
      • Multi-Factor Authentication (MFA): If possible, enable MFA for access to services connected to Kratos (e.g., the database administrator account).