Skip to content

Latest commit

 

History

History
138 lines (116 loc) · 8.42 KB

attack-tree.md

File metadata and controls

138 lines (116 loc) · 8.42 KB

Attack Tree Analysis for php-fig/container

Objective: Gain unauthorized code execution or data access via PSR-11 container.

Attack Tree Visualization

Goal: Gain unauthorized code execution or data access via PSR-11 container.
├── 1. Dependency Confusion/Substitution [HR]
│   ├── 1.1. Public Package Name Squatting [HR]
│   │   ├── 1.1.1.  Identify a commonly used, but unregistered, service name.
│   │   ├── 1.1.2.  Register a malicious package with that name on a public repository.
│   │   ├── 1.1.3.  Application installs the malicious package instead of the intended one.
│   │   └── 1.1.4.  Malicious package executes arbitrary code when instantiated or used. [CN]
│   ├── 1.2.  Private Package Name Collision
│   │   ├── 1.2.3.  Misconfigured composer.json prioritizes the public repository over the private one. [CN]
│   └── 1.3.  Compromised Private Repository
│       ├── 1.3.1.  Attacker gains access to the private package repository. [CN]
├── 2.  Vulnerabilities in Container Implementation
│   └── 2.2.  Unsafe Deserialization in `get()` (if container supports serialization) [HR]
│       ├── 2.2.1.  Container implementation deserializes service definitions or instances from untrusted sources. [CN]
│       └── 2.2.3.  Deserialization triggers execution of malicious code within the object's `__wakeup()` or other magic methods. [CN]
└── 3.  Misconfiguration/Misuse of the Container [HR]
    ├── 3.1.  Overly Permissive Service Definitions
    │   └── 3.1.1.  Services are configured with excessive privileges or access to sensitive resources. [CN]
    ├── 3.2.  Exposure of Container Instance
    │   └── 3.2.1.  The container instance itself is made globally accessible or exposed to untrusted code. [CN]
    └── 3.3.  Using Untrusted Input as Service IDs [HR]
        └── 3.3.1.  Application uses user-supplied input directly as the service ID in `container->get()`. [CN]

Attack Tree Path: 1. Dependency Confusion/Substitution [HR]

  • Description: This attack vector exploits the way package managers resolve dependencies. The attacker aims to trick the application into installing a malicious package instead of the intended one.

Attack Tree Path: 1.1. Public Package Name Squatting [HR]

  • Description: The attacker registers a malicious package on a public repository (like Packagist) with a name similar to a popular, but unregistered, service name or a common typo of a legitimate package.
    • 1.1.1. Identify a commonly used, but unregistered, service name:
      • Likelihood: Medium
      • Impact: N/A
      • Effort: Low
      • Skill Level: Intermediate
      • Detection Difficulty: Medium
    • 1.1.2. Register a malicious package:
      • Likelihood: Medium
      • Impact: N/A
      • Effort: Low
      • Skill Level: Intermediate
      • Detection Difficulty: Medium
    • 1.1.3. Application installs the malicious package:
      • Likelihood: Medium
      • Impact: N/A
      • Effort: Low
      • Skill Level: Novice
      • Detection Difficulty: Medium
    • 1.1.4. Malicious package executes arbitrary code [CN]:
      • Likelihood: High
      • Impact: Very High
      • Effort: Low
      • Skill Level: Intermediate
      • Detection Difficulty: Hard
      • Explanation: This is the critical point where the attacker achieves code execution. The malicious package, once installed, can run arbitrary code in the context of the application.

Attack Tree Path: 1.2. Private Package Name Collision (Relevant Critical Node)

  • 1.2.3. Misconfigured composer.json [CN]: * Likelihood: Low * Impact: N/A * Effort: Low * Skill Level: Novice * Detection Difficulty: Medium * Explanation: This is a critical configuration error. If the composer.json file is misconfigured to prioritize public repositories over private ones, the attacker can register a malicious package with the same name as a private package, and the application will install the malicious version.

Attack Tree Path: 1.3. Compromised Private Repository (Relevant Critical Node)

  • 1.3.1. Attacker gains access to the private package repository [CN]: * Likelihood: Low * Impact: N/A * Effort: Very High * Skill Level: Expert * Detection Difficulty: Very Hard * Explanation: This is a critical node because it gives the attacker complete control over the supply chain. They can modify any package within the repository.

Attack Tree Path: 2. Vulnerabilities in Container Implementation

  • 2.2. Unsafe Deserialization in get() [HR]
    • Description: This attack exploits vulnerabilities in how the container implementation handles deserialization of objects, potentially leading to arbitrary code execution.
    • 2.2.1. Container implementation deserializes from untrusted sources [CN]:
      • Likelihood: Low
      • Impact: N/A
      • Effort: N/A
      • Skill Level: N/A
      • Detection Difficulty: Medium
      • Explanation: This is the critical vulnerability. If the container deserializes data from user input or other untrusted sources without proper validation, it opens the door to attack.
    • 2.2.3. Deserialization triggers execution of malicious code [CN]:
      • Likelihood: High
      • Impact: Very High
      • Effort: Low
      • Skill Level: Advanced
      • Detection Difficulty: Very Hard
      • Explanation: This is the critical point of exploitation. The attacker's crafted serialized object triggers malicious code execution during the deserialization process (often through magic methods like __wakeup()).

Attack Tree Path: 3. Misconfiguration/Misuse of the Container [HR]

  • Description: These attacks stem from improper configuration or usage of the container, even if the container implementation itself is secure.

Attack Tree Path: 3.1. Overly Permissive Service Definitions (Relevant Critical Node)

  • 3.1.1. Services configured with excessive privileges [CN]: * Likelihood: Medium * Impact: N/A * Effort: Low * Skill Level: Novice * Detection Difficulty: Medium * Explanation: This is a critical configuration error. If services are granted more permissions than they need, a compromised service can be used to escalate privileges.

Attack Tree Path: 3.2. Exposure of Container Instance (Relevant Critical Node)

  • 3.2.1. Container instance made globally accessible [CN]: * Likelihood: Low * Impact: N/A * Effort: Low * Skill Level: Novice * Detection Difficulty: Medium * Explanation: This is a critical design flaw. Exposing the container allows any part of the application (or potentially external attackers) to request any service, bypassing intended access controls.

Attack Tree Path: 3.3. Using Untrusted Input as Service IDs [HR]

  • Description: This attack involves directly using user-supplied data to determine which service to retrieve from the container.
    • 3.3.1. Application uses user-supplied input as service ID [CN]:
      • Likelihood: Medium
      • Impact: N/A
      • Effort: Low
      • Skill Level: Novice
      • Detection Difficulty: Medium
      • Explanation: This is the critical vulnerability. It allows the attacker to request arbitrary services, potentially including those with sensitive functionality or those that are vulnerable to other attacks. This is a form of injection attack.