Skip to content

Latest commit

 

History

History
141 lines (127 loc) · 6.37 KB

attack-tree.md

File metadata and controls

141 lines (127 loc) · 6.37 KB

Attack Tree Analysis for denoland/deno

Objective: To achieve Remote Code Execution (RCE) on the server running the Deno application, or to exfiltrate sensitive data accessible to the Deno process.

Attack Tree Visualization

                                      +-------------------------------------+
                                      |  Attacker's Goal: RCE or Data      |
                                      |  Exfiltration on Deno Application  |
                                      +-------------------------------------+
                                                  |
         +----------------------------------+----------------------------------+
         |                                  |
+---------------------+        +---------------------+
|  Exploit Deno      |        |  Exploit Deno      |
|  Permissions       |        |  Standard Library  |
|  Model             |        |  or Dependencies   |
+---------------------+        +---------------------+
         |                                  |
+--------+--------+           +--------+--------+
|        |        |           |        |        |
| Overly | Insecure|           | Vuln.  | Supply |
| Perm.  | Use of  |           | in 3rd | Chain  |
| Env    | --allow |           | Party  | Attack |
| Vars   | -all    |           | Deps   | on Deps|
+--------+--------+           +--------+--------+
         |        |                     |
         |        |                     |
         | +------+------+             |
         | |      |      |             |
         | | Net  | Run  |             |
         | |[CRIT]| [CRIT]|             |
         | +------+------+             |
         |        |        |             |
         |  Leak  |  RCE   |             |
         |  Keys  |  via   |             |
         |  via   |  Shell |             |
         |  Env   |  Cmds  |             |
         +--------+--------+             |
                  |                     |
                  |                     |
                  +---------------------+
                  | [HIGH RISK]         |
                  +---------------------+

Attack Tree Path: 1. Exploit Deno Permissions Model (High-Risk Path):

  • Overly Permissive Environment Variables:

    • Description: Sensitive data (API keys, database credentials) are stored in environment variables accessible to the Deno process. An attacker gaining even limited code execution can read these.
    • Likelihood: Medium
    • Impact: Medium to High
    • Effort: Very Low
    • Skill Level: Novice
    • Detection Difficulty: Easy/Hard (depending on monitoring)
    • Mitigation:
      • Use a secrets manager.
      • Minimize exposed environment variables.
      • Sanitize the environment before launching Deno.

  • Insecure Use of --allow-all:

    • Description: Granting all permissions, providing an attacker with unrestricted access.
    • Likelihood: Low (should be avoided in production)
    • Impact: Very High
    • Effort: Very Low
    • Skill Level: Novice
    • Detection Difficulty: Very Easy
    • Mitigation:
      • Never use --allow-all in production.
      • Use specific permission flags.
      • Enforce code reviews and automated checks.

  • --allow-net [CRITICAL]:

    • Description: Allows the Deno process to make arbitrary network connections.
    • Likelihood: Medium (many applications need network access)
    • Impact: Medium to High (data exfiltration, C2 communication)
    • Effort: Low
    • Skill Level: Intermediate
    • Detection Difficulty: Medium
    • Mitigation:
      • Restrict network access to specific hosts and ports.
      • Implement network monitoring.

  • --allow-run [CRITICAL]:

    • Description: Allows the Deno process to execute arbitrary subprocesses.
    • Likelihood: Low (should be avoided if possible)
    • Impact: Very High (direct path to RCE)
    • Effort: Low
    • Skill Level: Intermediate to Advanced
    • Detection Difficulty: Medium to Hard
    • Mitigation:
      • Avoid --allow-run if possible.
      • Whitelist specific commands and arguments.
      • Thoroughly sanitize input.

  • Leak Keys via Env (High Risk):

    • Description: A specific consequence of overly permissive environment variables, focusing on the high impact of leaking sensitive keys.
    • Likelihood: Medium
    • Impact: High
    • Effort: Very Low
    • Skill Level: Novice
    • Detection Difficulty: Easy/Hard (depending on monitoring)
    • Mitigation: Same as "Overly Permissive Environment Variables".

  • RCE via Shell Cmds (High Risk):

    • Description: A specific consequence of using --allow-run, focusing on achieving RCE through shell command execution.
    • Likelihood: Low (if --allow-run is used)
    • Impact: Very High
    • Effort: Low
    • Skill Level: Intermediate to Advanced
    • Mitigation: Same as "--allow-run".

Attack Tree Path: 2. Exploit Deno Standard Library or Dependencies (High-Risk Path):

  • Vulnerability in 3rd Party Dependencies:

    • Description: A security flaw in a third-party module imported into the Deno application.
    • Likelihood: Medium
    • Impact: Medium to High
    • Effort: Low to Medium
    • Skill Level: Intermediate to Advanced
    • Detection Difficulty: Medium
    • Mitigation:
      • Use dependency management tools.
      • Perform vulnerability scanning.
      • Regularly update dependencies.
      • Audit dependencies before adding them.

  • Supply Chain Attack on Dependencies:

    • Description: An attacker compromises a dependency's repository or distribution, injecting malicious code.
    • Likelihood: Low
    • Impact: Very High
    • Effort: High to Very High
    • Skill Level: Advanced to Expert
    • Detection Difficulty: Hard
    • Mitigation:
      • Use lock files (deno.lock).
      • Utilize integrity checking.
      • Consider vendoring dependencies.
      • Use a private module registry.