Skip to content

Latest commit

 

History

History
136 lines (111 loc) · 11.2 KB

attack-tree.md

File metadata and controls

136 lines (111 loc) · 11.2 KB

Attack Tree Analysis for macrozheng/mall

Objective: Compromise macrozheng/mall Application

Attack Tree Visualization

Attack Goal: Compromise macrozheng/mall Application

└─── AND [Achieve one or more of the following]
    ├─── **[CRITICAL NODE]** Exploit Authentication and Authorization Flaws **[HIGH-RISK PATH]**
    │    ├─── **[CRITICAL NODE]** Exploit Weak Authentication Mechanisms **[HIGH-RISK PATH]**
    │    │    ├─── **[HIGH-RISK PATH]** Brute-force Login Credentials
    │    │    │    ├─── **[CRITICAL NODE]** Target Admin Panel Login **[HIGH-RISK PATH]**
    │    │    │    └─── Target User Account Login **[HIGH-RISK PATH]**
    │    │    ├─── **[HIGH-RISK PATH]** Exploit Weak Password Policies
    │    │    │    ├─── Use Common Passwords **[HIGH-RISK PATH]**
    │    │    │    └─── Use Default Passwords (if any exist in initial setup)
    │    └─── **[CRITICAL NODE]** Exploit Authorization Vulnerabilities **[HIGH-RISK PATH]**
    │         ├─── **[HIGH-RISK PATH]** Bypass Authorization Checks in Backend APIs
    │         │    ├─── **[CRITICAL NODE]** Access Admin APIs without Admin Role **[HIGH-RISK PATH]**
    │         │    └─── **[HIGH-RISK PATH]** Access Other Users' Data (IDOR)
    │         └─── **[HIGH-RISK PATH]** Insecure Direct Object References (IDOR)
    │              ├─── Access Order Details of Other Users **[HIGH-RISK PATH]**
    │              └─── Access User Profiles of Other Users **[HIGH-RISK PATH]**
    │
    ├─── **[CRITICAL NODE]** Exploit Injection Vulnerabilities **[HIGH-RISK PATH]**
    │    ├─── **[CRITICAL NODE]** SQL Injection (via MyBatis) **[HIGH-RISK PATH]**
    │    │    ├─── **[HIGH-RISK PATH]** Parameter Tampering in API Requests
    │    ├─── **[HIGH-RISK PATH]** Cross-Site Scripting (XSS)
    │    │    ├─── **[HIGH-RISK PATH]** Stored XSS
    │    │    │    ├─── Inject Malicious Script in Product Descriptions **[HIGH-RISK PATH]**
    │    │    │    └─── Inject Malicious Script in User Comments/Reviews **[HIGH-RISK PATH]**
    │    │    ├─── **[HIGH-RISK PATH]** Reflected XSS
    │    │    │    └─── Craft Malicious URLs with XSS Payloads **[HIGH-RISK PATH]**
    │
    ├─── **[HIGH-RISK PATH]** API Abuse due to Lack of Rate Limiting
    │    ├─── Brute-force Attacks on Login/Registration APIs **[HIGH-RISK PATH]**
    │    └─── Denial of Service by Flooding APIs **[HIGH-RISK PATH]**
    │
    ├─── **[HIGH-RISK PATH]** Insecure Direct Object References (IDOR) in APIs
    │    ├─── Access/Modify Order Details via API **[HIGH-RISK PATH]**
    │    └─── Access/Modify User Profiles via API **[HIGH-RISK PATH]**
    │
    ├─── Mass Assignment Vulnerabilities in APIs
    │    └─── Modify User Roles via API Parameter Manipulation
    │
    ├─── **[HIGH-RISK PATH]** API Parameter Tampering
    │    ├─── Modify Order Total by Tampering with API Parameters **[HIGH-RISK PATH]**
    │    └─── Modify Product Quantity in Cart via API Parameters **[HIGH-RISK PATH]**
    │
    ├─── **[HIGH-RISK PATH]** Price Manipulation
    │    ├─── Manipulate Prices in Cart/Checkout Process **[HIGH-RISK PATH]**
    │    └─── Exploit Discount/Coupon Logic to Get Items for Free/Cheap **[HIGH-RISK PATH]**
    │
    └─── **[HIGH-RISK PATH]** Exposed Admin Interfaces
         └─── **[CRITICAL NODE]** Access Admin Panel without Proper Authentication **[HIGH-RISK PATH]**
         ├─── **[HIGH-RISK PATH]** DOM-based XSS
         │    └─── Manipulate DOM to Execute Malicious Scripts **[HIGH-RISK PATH]**
         └─── **[HIGH-RISK PATH]** CSRF (Cross-Site Request Forgery)
              └─── Perform Actions on Behalf of Logged-in Users **[HIGH-RISK PATH]**

Attack Tree Path: Exploit Authentication and Authorization Flaws

  • Attack Vectors:
    • Brute-force Login Credentials:
      • Target Admin Panel Login: Attackers use automated tools to try numerous username/password combinations against the admin login page. If weak or common credentials are used, or if rate limiting is absent, they can gain admin access.
      • Target User Account Login: Similar to admin panel brute-forcing, but targeting regular user accounts. Success can lead to account takeover and access to user data.
    • Exploit Weak Password Policies:
      • Use Common Passwords: Attackers rely on users choosing easily guessable passwords. If the application doesn't enforce strong password policies, common password attempts are more likely to succeed.
      • Use Default Passwords (if any exist in initial setup): In rare cases, default credentials might be present in initial setups or documentation. Attackers check for these.
    • Bypass Authorization Checks in Backend APIs:
      • Access Admin APIs without Admin Role: Attackers attempt to directly access API endpoints intended for administrators (e.g., /admin/users, /admin/products) without proper authentication or by manipulating their user role in requests.
      • Access Other Users' Data (IDOR - Insecure Direct Object References): Attackers manipulate identifiers in API requests (e.g., order IDs, user IDs) to access resources belonging to other users. For example, changing orderId=123 to orderId=124 in an API request to view order details.
    • Insecure Direct Object References (IDOR):
      • Access Order Details of Other Users: Similar to API IDOR, but specifically targeting access to order information of other users, potentially through web interfaces or APIs.
      • Access User Profiles of Other Users: Attackers attempt to view or modify user profile information of other users by manipulating user identifiers in requests.

Attack Tree Path: Exploit Injection Vulnerabilities

  • Attack Vectors:
    • SQL Injection (via MyBatis):
      • Parameter Tampering in API Requests: Attackers inject malicious SQL code into API parameters that are used in database queries. If input is not properly sanitized and parameterized queries are not used, the injected SQL can be executed, potentially allowing data extraction, modification, or deletion.
    • Cross-Site Scripting (XSS):
      • Stored XSS:
        • Inject Malicious Script in Product Descriptions: Attackers inject malicious JavaScript code into product descriptions. When other users view the product page, the script executes in their browsers, potentially stealing session cookies, redirecting to malicious sites, or performing other actions on behalf of the user.
        • Inject Malicious Script in User Comments/Reviews: Similar to product descriptions, but injecting scripts into user-generated content like comments or reviews.
      • Reflected XSS:
        • Craft Malicious URLs with XSS Payloads: Attackers create URLs containing malicious JavaScript code in parameters. When a user clicks on the crafted URL, the server reflects the malicious script back in the response, and it executes in the user's browser.
      • DOM-based XSS: Attackers manipulate the DOM (Document Object Model) of the webpage using JavaScript, often exploiting vulnerabilities in client-side JavaScript code to execute malicious scripts.

Attack Tree Path: API Abuse due to Lack of Rate Limiting

  • Attack Vectors:
    • Brute-force Attacks on Login/Registration APIs: Without rate limiting, attackers can send a high volume of login or registration requests, making brute-force attacks more effective and potentially overwhelming the server.
    • Denial of Service by Flooding APIs: Attackers flood APIs with requests, consuming server resources and potentially causing the application to become unavailable for legitimate users.

Attack Tree Path: Insecure Direct Object References (IDOR) in APIs

  • Attack Vectors:
    • Access/Modify Order Details via API: Attackers manipulate API requests to access or modify order details of other users by changing order identifiers.
    • Access/Modify User Profiles via API: Attackers manipulate API requests to access or modify user profile information of other users by changing user identifiers.

Attack Tree Path: Mass Assignment Vulnerabilities in APIs

  • Attack Vectors:
    • Modify User Roles via API Parameter Manipulation

Attack Tree Path: API Parameter Tampering

  • Attack Vectors:
    • Modify Order Total by Tampering with API Parameters: Attackers manipulate API parameters related to order totals during checkout to reduce the price they pay.
    • Modify Product Quantity in Cart via API Parameters: Attackers manipulate API parameters to change the quantity of items in their shopping cart, potentially getting more items than intended or manipulating pricing logic.

Attack Tree Path: Price Manipulation

  • Attack Vectors:
    • Manipulate Prices in Cart/Checkout Process: Attackers attempt to modify prices directly in the client-side (browser) or by intercepting and modifying requests during the checkout process to reduce the price of items.
    • Exploit Discount/Coupon Logic to Get Items for Free/Cheap: Attackers try to find vulnerabilities in discount or coupon code logic to apply discounts inappropriately, stack discounts, or bypass restrictions to get items for free or at significantly reduced prices.

Attack Tree Path: Exposed Admin Interfaces

  • Attack Vectors:
    • Access Admin Panel without Proper Authentication: If the admin panel is not properly secured (e.g., using default credentials, weak authentication, or misconfigured access controls), attackers can directly access it without authorization.

Attack Tree Path: DOM-based XSS

  • Attack Vectors:
    • Manipulate DOM to Execute Malicious Scripts: Attackers exploit vulnerabilities in client-side JavaScript code to manipulate the DOM and inject malicious scripts that execute in the user's browser.

Attack Tree Path: CSRF (Cross-Site Request Forgery)

  • Attack Vectors:
    • Perform Actions on Behalf of Logged-in Users: Attackers craft malicious web pages or links that, when visited by a logged-in user, trigger unintended actions on the mall application on behalf of that user (e.g., changing profile details, placing orders, transferring funds). This relies on the user already being authenticated to the application.