Security Threats

| Type of attack | Threat description | Impacted assets | Entry points | Attack techniques | Countermeasures |
|---|---|---|---|---|---|
| Spoofing | Spoofed requests | 1. Web service functionality; 2. Credentials | Web method request | Attacker spoofs a request from a legitimate client | Strong authentication |
| Spoofing | Spoofed responses | Credentials; Data | Client socket – Web method response | Attacker spoofs a response from the server | Strong authentication |
| Tampering | Man-in-the-middle attack | Credentials; Data | Network | Attacker inserts themselves into the communication path between communicating parties and impersonates each to the other | Strong authentication |
| Tampering | Injection attack | Data; System access | Endpoint socket – Web method request | Attacker supplies malicious input that is directly used in calls to an external or underlying system | Input validation and sanitisation |
| Tampering | Insertion of malicious software | System access; Network resources | Endpoint socket – Web method request | Attacker manages to execute or place malicious software on the system | Input validation and sanitisation |
| Repudiation | Denying a web service transaction | Credentials; Data; Log files | Client socket; Endpoint socket | Attacker exploits inadequate logging to deny the occurrence of a transaction | Robust logging controls; Consistent identity management |
| Repudiation | Replay attack | Web service functionality; Data | Endpoint socket – Web method request | Attacker captures and replays a valid web method request to the server | Mechanism for detecting duplication |
| Information Disclosure | Eavesdropping on communication paths | Data; System information; Credentials | Network | An attacker on the communication path captures passing network traffic | Strong encryption |
| Information Disclosure | Information leaked by verbose error messages | System information | Endpoint socket – Web method request | Attacker induces error conditions to extract platform and implementation details | Consistent exception handling that presents generic error messages |
| Information Disclosure | Unauthorised access to services or data | Web service functionality; Data; Credentials | Endpoint socket – Web method request | Attacker bypasses access control mechanisms or uses a service that was not meant to be running | Strong authorisation and access controls |
| Denial of Service | Deplete computer or network resources | Network resources; Web service availability | Endpoint socket | Attacker floods the system with junk traffic or valid requests to overwhelm computers, routers, capacity etc. | Detection and filtering of malicious traffic; Business continuity and disaster recovery planning |
| Denial of Service | Exploit a programming or implementation flaw | Web service functionality; Web service availability | Endpoint socket – Web method request | Attacker finds and exploits a flaw in implementation that causes the system to hang or crash | Code review; Comprehensive testing |
| Denial of Service | Corruption of data to prevent normal operation of the web service | Data; Web service availability | Endpoint socket | An attacker corrupts application data by exploiting a vulnerability or using unauthorised functionality | Strong authorisation and access controls; Input validation and sanitisation |
| Elevation of Privilege | Remote execution of code or software | System access | Endpoint socket – Web method request | An attacker exploits a buffer overflow vulnerability to access or execute commands on the target host with higher privileges than authorised | Input validation and sanitisation; Lowest privilege execution |
| Elevation of Privilege | Administrative interfaces or functions available | Web service functionality; System access | | Attacker is able to access administrative interfaces or functions by bypassing access control mechanisms | Strong authorisation and access control; Out-of-band administration interfaces |
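The table names "mechanism for detecting duplication" as the countermeasure for replay attacks and "generic error messages" as the countermeasure for verbose-error leakage. The following added example (not part of the original page) shows one way a web method endpoint can implement both: requests carry a client id, nonce and timestamp under an HMAC, a bounded nonce cache rejects duplicates inside a freshness window, and the detailed rejection reason goes to the log while the client only sees a generic message. The shared key, field names and window length are assumptions chosen for the example.

```python
import hashlib
import hmac
import logging
import time

log = logging.getLogger("webservice")

# Constructed key for the example; a real service loads it from a secret store.
SHARED_KEY = b"example-shared-key"
FRESHNESS_WINDOW = 300  # seconds a signed request remains acceptable


class ReplayDetector:
    """Rejects a request whose (client_id, nonce) pair was already seen inside
    the freshness window; expired entries are purged so the cache stays bounded."""

    def __init__(self, window=FRESHNESS_WINDOW):
        self.window = window
        self.seen = {}  # (client_id, nonce) -> time first seen

    def _expire(self, now):
        for key in [k for k, ts in self.seen.items() if now - ts > self.window]:
            del self.seen[key]

    def check(self, client_id, nonce, timestamp, now=None):
        now = time.time() if now is None else now
        self._expire(now)
        if abs(now - timestamp) > self.window:
            return "stale"        # outside the window: cannot be vouched for
        if (client_id, nonce) in self.seen:
            return "replay"       # same nonce presented twice
        self.seen[(client_id, nonce)] = now
        return "ok"


def sign(client_id, nonce, timestamp, body):
    """HMAC over the anti-replay fields and the body, so a replayed or tampered
    request cannot simply swap in a fresh nonce or a different payload."""
    msg = f"{client_id}|{nonce}|{timestamp}|".encode() + body
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def handle_request(detector, req, now=None):
    """Returns (status, message). The specific reason is logged for the operator;
    the caller only ever receives the same generic rejection text."""
    expected = sign(req["client_id"], req["nonce"], req["timestamp"], req["body"])
    if not hmac.compare_digest(expected, req["signature"]):
        log.warning("bad signature from client %s", req["client_id"])
        return 401, "request rejected"
    verdict = detector.check(req["client_id"], req["nonce"], req["timestamp"], now)
    if verdict != "ok":
        log.warning("%s request from %s nonce=%s", verdict, req["client_id"], req["nonce"])
        return 401, "request rejected"
    return 200, "accepted"
```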
