Threats

From Guidance Share

Revision as of 06:33, 30 October 2006

A threat is an undesired event. A potential occurrence, often best described as an effect that might damage or compromise an asset or objective. It may or may not be malicious in nature.

Input/Data Validation

  • Buffer overflows
  • Cross-site scripting
  • SQL injection
  • Canonicalization
  • Query string manipulation
  • Form field manipulation
  • Cookie manipulation
  • HTTP header manipulation

Authentication

  • Network eavesdropping
  • Brute force attacks
  • Dictionary attacks
  • Cookie replay attacks
  • Credential theft

Authorization

  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks

Auditing and Logging

  • User denies performing an operation
  • Attackers exploit an application without leaving a trace
  • Attackers cover their tracks

Configuration Management

  • Unauthorized access to administration interfaces
  • Unauthorized access to configuration stores
  • Retrieval of plaintext configuration secrets
  • Lack of individual accountability
  • Over-privileged process and service accounts

Cryptography

  • Poor key generation or key management
  • Weak or custom encryption
  • Checksum spoofing

Exception Management

  • Attacker reveals implementation details
  • Denial of service

Sensitive Data

  • Access to sensitive data in storage
  • Network eavesdropping
  • Data tampering

Session Management

  • Session hijacking
  • Session replay
  • Man in the middle