Objective: [Attacker's Goal: Disrupt Service, Exfiltrate Data, or Execute Arbitrary Code via Socket.IO]
[Attacker's Goal]
|
+-- [1. Denial of Service (DoS/DDoS)]
|   +-- [1.2 Flood]
|       +-- [1.2.1 Connection Flood]
|       +-- [1.2.2 Event Flood]
|
+-- [2. Unauthorized Access/Data Exfiltration]
|   +-- [2.2 Eavesdrop]
|       +-- [2.2.1 Unencrypted Data Transmission]
|
+-- [3. Code Execution/Manipulation]
    +-- [3.1 Server-Side]
    |   +-- [3.1.1 Unvalidated Input in Event Handlers]
    +-- [3.2 Client-Side]
        +-- [3.2.1 Client-Side Script Injection (XSS)]
Attack Tree Path: Path 1
=== [1.2 Flood] ===> === [1.2.1 Connection Flood] ===
Attack Tree Path: Path 2
=== [1.2 Flood] ===> === [1.2.2 Event Flood] ===
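Both flood paths are mitigated at the same two hooks: a connection-level middleware that caps simultaneous connections per source address (1.2.1), and a per-socket packet middleware that limits how many events one client may send per second (1.2.2). The following is an added example written for this page, not code from the original or from the Socket.IO project. The limiter classes are plain JavaScript; installFloodProtection() assumes the Socket.IO v4 server API (io.use, io.on('connection'), socket.use, socket.handshake.address), and the thresholds are illustrative.

```javascript
// Added example for paths 1.2.1 and 1.2.2; not code from the original page.
// ConnectionLimiter and TokenBucket are plain JavaScript. installFloodProtection()
// assumes the Socket.IO v4 server API (io.use, io.on('connection'), socket.use,
// socket.handshake.address). Limits below are illustrative, not recommendations.

// Caps simultaneous connections per client IP (1.2.1 Connection Flood).
class ConnectionLimiter {
  constructor(maxPerIp) {
    this.maxPerIp = maxPerIp;
    this.counts = new Map();
  }
  // Records the connection and returns true, or returns false when the IP is at the cap.
  tryAcquire(ip) {
    const n = this.counts.get(ip) || 0;
    if (n >= this.maxPerIp) return false;
    this.counts.set(ip, n + 1);
    return true;
  }
  release(ip) {
    const n = this.counts.get(ip) || 0;
    if (n <= 1) this.counts.delete(ip);
    else this.counts.set(ip, n - 1);
  }
}

// Token bucket: refills `rate` tokens per second up to `burst` (1.2.2 Event Flood).
// The clock is injectable so the behaviour can be checked without sleeping.
class TokenBucket {
  constructor(rate, burst, now = Date.now) {
    this.rate = rate;
    this.burst = burst;
    this.now = now;
    this.tokens = burst;
    this.last = now();
  }
  allow(cost = 1) {
    const t = this.now();
    this.tokens = Math.min(this.burst, this.tokens + ((t - this.last) / 1000) * this.rate);
    this.last = t;
    if (this.tokens < cost) return false;
    this.tokens -= cost;
    return true;
  }
}

// Wires both limiters into a Socket.IO server instance `io`.
// Caveat: handshake.address is the peer address; behind a reverse proxy it is the
// proxy's address unless the server is configured to trust X-Forwarded-For.
function installFloodProtection(io, { maxConnPerIp = 20, eventsPerSec = 10, burst = 20 } = {}) {
  const conns = new ConnectionLimiter(maxConnPerIp);

  // Connection-level middleware: reject the handshake before it is accepted.
  io.use((socket, next) => {
    const ip = socket.handshake.address;
    if (!conns.tryAcquire(ip)) return next(new Error('too many connections from this address'));
    socket.once('disconnect', () => conns.release(ip));
    next();
  });

  // Per-socket packet middleware: a client that exceeds its event budget is
  // disconnected and the offending packet is never passed to the handlers.
  io.on('connection', (socket) => {
    const bucket = new TokenBucket(eventsPerSec, burst);
    socket.use((packet, next) => {
      if (bucket.allow()) return next();
      socket.disconnect(true);
    });
  });

  return conns;
}
```

Rejecting in io.use() is cheaper than accepting and then disconnecting, because the rejected client never gets a socket or a room join. The event limiter counts packets rather than bytes; if large payloads are the concern, also set the server's maxHttpBufferSize option.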
Attack Tree Path: Path 3
=== [2. Unauthorized Access/Data Exfiltration] ===> === [2.2 Eavesdrop] ===> === [2.2.1 Unencrypted Data Transmission] ===
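Unencrypted transmission is a deployment property: the server must only accept Socket.IO traffic over TLS (directly, or behind a proxy that terminates it), and the client must connect to an https:// origin so the transport is wss://. A server-side check that refuses plaintext handshakes catches the misconfiguration instead of silently serving it. The following is an added example for this page, not code from the original or from Socket.IO; it assumes the Socket.IO v4 handshake fields handshake.secure, handshake.headers and handshake.address, and the proxy address 10.0.0.5 in the usage comment is hypothetical.

```javascript
// Added example for path 2.2.1; not code from the original page.
// Assumes Socket.IO v4 handshake fields: handshake.secure (true when the server
// itself terminated TLS), handshake.headers and handshake.address.
// When TLS is terminated by a reverse proxy the socket is plaintext on the server
// side, so X-Forwarded-Proto is only trusted from addresses you list as proxies.

function isSecureHandshake(handshake, { trustedProxies = [] } = {}) {
  if (handshake.secure === true) return true;
  const raw = handshake.headers['x-forwarded-proto'] || '';
  // A chain of proxies may append values; the first one is the client-facing hop.
  const proto = String(raw).split(',')[0].trim().toLowerCase();
  return trustedProxies.includes(handshake.address) && proto === 'https';
}

// Socket.IO middleware: reject the connection before any event handler runs.
function requireTls(options) {
  return (socket, next) => {
    if (isSecureHandshake(socket.handshake, options)) return next();
    next(new Error('TLS required'));
  };
}

// Usage (server), assuming a TLS-terminating proxy at 10.0.0.5 (hypothetical):
//   const server = require('https').createServer({ key, cert }, app);
//   const io = new (require('socket.io').Server)(server);
//   io.use(requireTls({ trustedProxies: ['10.0.0.5'] }));
// Usage (client): connect to the https:// origin only, never an http:// one:
//   const socket = io('https://chat.example.com');

module.exports = { isSecureHandshake, requireTls };
```

The middleware does not make the connection encrypted; it only makes sure that no session can proceed on a plaintext connection if someone later exposes the server on an http:// listener or points a client at the wrong URL. The actual protection is the TLS listener (or proxy) in front of it.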
Attack Tree Path: Path 4
=== [3. Code Execution/Manipulation] ===> === [3.1 Server-Side] ===> === [3.1.1 Unvalidated Input in Event Handlers] ===
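Socket.IO hands the decoded event arguments straight to the handler; nothing checks their type, shape or size, and an exception thrown inside the handler is not caught for you. A handler that forwards the object as-is, or dereferences fields it never checked, is the 3.1.1 path. The following is an added example for this page, not code from the original or from Socket.IO: a strict validator for a hypothetical "chat:send" event with fields {room, text}, and a handler that only passes the rebuilt, validated value on to business logic. The deliver() callback stands in for whatever privileged operation the handler performs.

```javascript
// Added example for path 3.1.1; not code from the original page.
// The "chat:send" event, its {room, text} shape and deliver() are hypothetical.

const ROOM_RE = /^[a-z0-9_-]{1,32}$/;   // allowlist for room identifiers
const MAX_TEXT = 2000;                  // upper bound on message length
const ALLOWED_FIELDS = ['room', 'text'];

const fail = (error) => ({ ok: false, error });

// Returns {ok: true, value} with a freshly built object, or {ok: false, error}.
// Never throws, whatever the client sent.
function validateChatSend(payload) {
  if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) {
    return fail('payload must be an object');
  }
  // Reject unknown fields. JSON-decoded input can carry an own "__proto__" key,
  // which a naive Object.assign/merge into a template would use for prototype pollution.
  for (const k of Object.keys(payload)) {
    if (!ALLOWED_FIELDS.includes(k)) return fail(`unexpected field: ${k}`);
  }
  const { room, text } = payload;
  if (typeof room !== 'string' || !ROOM_RE.test(room)) return fail('invalid room');
  if (typeof text !== 'string' || text.length === 0 || text.length > MAX_TEXT) return fail('invalid text');
  return { ok: true, value: { room, text } };   // rebuilt, not the client's object
}

// Vulnerable form of the handler (what 3.1.1 exploits):
//   socket.on('chat:send', (msg) => io.to(msg.room).emit('chat:new', msg));
// Anything in `msg` (extra fields, non-strings, megabytes of text, a non-object
// that makes `msg.room` throw) reaches every other client or crashes the handler.

// Hardened form: validate, rebuild, and report errors through the ack only.
function registerChatHandlers(socket, deliver) {
  socket.on('chat:send', (payload, ack) => {
    const reply = typeof ack === 'function' ? ack : () => {};  // ack is optional
    const result = validateChatSend(payload);
    if (!result.ok) return reply({ error: result.error });
    try {
      deliver(socket, result.value);
      reply({ ok: true });
    } catch (e) {
      // Never let a handler exception escape; it would become an uncaught exception.
      reply({ error: 'internal error' });
    }
  });
}

module.exports = { validateChatSend, registerChatHandlers };
```

The important property is that downstream code only ever sees the object the validator built, so adding a field to the protocol later means adding it to the validator, not hoping every consumer ignores unknown keys.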
Attack Tree Path: Path 5
=== [3. Code Execution/Manipulation] ===> === [3.2 Client-Side] ===> === [3.2.1 Client-Side Script Injection (XSS)] ===
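The client-side path is ordinary DOM XSS with Socket.IO as the delivery channel: a message received in a socket.on() handler is written into the page with innerHTML (or a template that interpolates it into markup), and any other client can therefore place script in the victim's browser. The following is an added example for this page, not code from the original or from Socket.IO. The escaping and URL check are pure functions so they run outside a browser; renderInto() assumes a browser document, and the "chat:new" event shape {user, text, link} is hypothetical.

```javascript
// Added example for path 3.2.1; not code from the original page.
// The "chat:new" event and its {user, text, link} fields are hypothetical.

// Vulnerable rendering (what 3.2.1 exploits): attacker-controlled text becomes markup.
//   socket.on('chat:new', (msg) => { list.innerHTML += `<li>${msg.user}: ${msg.text}</li>`; });

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Escaping is not enough for attributes that take URLs: "javascript:" and "data:"
// survive escaping and still run when clicked. Only absolute http(s) URLs pass.
function safeHref(url) {
  try {
    const u = new URL(String(url));          // relative URLs throw and are rejected
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

// Builds the list item as a string with every untrusted piece escaped.
function renderMessageHtml(msg) {
  const href = safeHref(msg.link);
  const link = href ? ` <a href="${escapeHtml(href)}" rel="noopener noreferrer">link</a>` : '';
  return `<li><b>${escapeHtml(msg.user)}</b>: ${escapeHtml(msg.text)}${link}</li>`;
}

// Preferred in the browser: build nodes and assign text, so no HTML parsing happens at all.
function renderInto(listEl, msg) {
  const li = document.createElement('li');
  const who = document.createElement('b');
  who.textContent = msg.user;                         // textContent never parses markup
  li.appendChild(who);
  li.appendChild(document.createTextNode(': ' + msg.text));
  const href = safeHref(msg.link);
  if (href) {
    const a = document.createElement('a');
    a.href = href;
    a.rel = 'noopener noreferrer';
    a.textContent = 'link';
    li.appendChild(document.createTextNode(' '));
    li.appendChild(a);
  }
  listEl.appendChild(li);
}

// Browser wiring (assumes a Socket.IO client `socket` and a <ul id="messages">):
//   socket.on('chat:new', (msg) => renderInto(document.getElementById('messages'), msg));

module.exports = { escapeHtml, safeHref, renderMessageHtml, renderInto };
```

Escaping on the client does not replace validation on the server (3.1.1); it protects the browser from whatever the server relays, including messages from clients that bypass the official client code entirely. A Content-Security-Policy without 'unsafe-inline' is the matching defence-in-depth layer.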