Objective: [[Attacker's Goal: Degrade Performance, Cause DoS, or Leak Sensitive Information via Zap]]
[[Attacker's Goal: Degrade Performance, Cause DoS, or Leak Sensitive Information via Zap]]
|
=================================================================================================
|| ||
[[1. Denial of Service / Performance Degradation]] [[2. Information Disclosure (Sensitive Data Leakage)]]
|| ||
================================================= =================================================
|| || || ||
[[1.1 Excessive [[1.3 Resource [[2.1 Insecure
Logging]] Exhaustion]] Configuration]]
|| || ||
======== ======== ========
|| || || || || ||
[[1.1.1]] [[1.1.2]] [[1.3.1]] [[2.1.1]] [[2.1.2]]
High Misconfig. Disk Logging Console/
Volume of Debug/ Space Sensitive Network
Logging Verbose Exhaust. Data to Logging
Logging Console (e.g.,
PII,
Credentials)
Attack Tree Path: 1. Denial of Service / Performance Degradation
- Description: Attacks in this category aim to make the application unusable or significantly slow it down by exploiting how Zap is used or configured.
- High-Risk Paths:
Attack Tree Path: 1.1 Excessive Logging
- [[1.1 Excessive Logging]]: This is a common and easily achievable attack vector.
Attack Tree Path: 1.1.1 High Volume Logging
* **[[1.1.1 High Volume Logging]]**:
* **Description:** The application is configured to log at an extremely high volume, even in production. This generates massive amounts of log data.
* **Likelihood:** Medium
* **Impact:** Medium
* **Effort:** Very Low
* **Skill Level:** Novice
* **Detection Difficulty:** Easy
Attack Tree Path: 1.1.2 Misconfiguration of Debug/Verbose Logging
* **[[1.1.2 Misconfiguration of Debug/Verbose Logging]]**:
* **Description:** Debug or verbose logging is accidentally enabled in a production environment.
* **Likelihood:** Medium
* **Impact:** Medium
* **Effort:** Very Low
* **Skill Level:** Novice
* **Detection Difficulty:** Easy
Attack Tree Path: 1.3 Resource Exhaustion
- [[1.3 Resource Exhaustion]]: Focuses on exhausting system resources through logging.
Attack Tree Path: 1.3.1 Disk Space Exhaustion
* **[[1.3.1 Disk Space Exhaustion]]**:
* **Description:** Excessive logging, combined with inadequate or absent log rotation, fills up the available disk space.
* **Likelihood:** Medium
* **Impact:** High
* **Effort:** Very Low
* **Skill Level:** Novice
* **Detection Difficulty:** Easy
Attack Tree Path: 2. Information Disclosure (Sensitive Data Leakage)
- Description: This category encompasses attacks that aim to reveal sensitive information through the application's logs. This is a critical threat.
- High-Risk Paths:
Attack Tree Path: 2.1 Insecure Configuration
- [[2.1 Insecure Configuration]]: The primary cause of information disclosure via logging.
Attack Tree Path: 2.1.1 Logging Sensitive Data to Console/Network
* **[[2.1.1 Logging Sensitive Data to Console/Network]]**:
* **Description:** The application is configured to log sensitive information (PII, credentials, API keys, etc.) directly to the console or send it unencrypted over the network.
* **Likelihood:** High
* **Impact:** Very High
* **Effort:** Very Low
* **Skill Level:** Novice
* **Detection Difficulty:** Easy (if monitored)
Attack Tree Path: 2.1.2 Console/Network Logging (e.g., PII, Credentials)
* **[[2.1.2 Console/Network Logging (e.g., PII, Credentials)]]**:
* **Description:** This is a more specific instance of 2.1.1, explicitly listing examples of sensitive data that might be logged.
* **Likelihood:** High
* **Impact:** Very High
* **Effort:** Very Low
* **Skill Level:** Novice
* **Detection Difficulty:** Easy (if monitored)