From Guidance Share

Revision as of 06:33, 30 October 2006; Admin (Talk | contribs)

A threat is an undesired event: a potential occurrence, often best described as an effect that might damage or compromise an asset or objective. It may or may not be malicious in nature.


Input/Data Validation

  • Buffer overflows
  • Cross-site scripting
  • SQL injection
  • Canonicalization
  • Query string manipulation
  • Form field manipulation
  • Cookie manipulation
  • HTTP header manipulation

Authentication

  • Network eavesdropping
  • Brute force attacks
  • Dictionary attacks
  • Cookie replay attacks
  • Credential theft

Authorization

  • Elevation of privilege
  • Disclosure of confidential data
  • Data tampering
  • Luring attacks

Auditing and Logging

  • User denies performing an operation
  • Attackers exploit an application without leaving a trace
  • Attackers cover their tracks

Configuration Management

  • Unauthorized access to administration interfaces
  • Unauthorized access to configuration stores
  • Retrieval of plaintext configuration secrets
  • Lack of individual accountability
  • Over-privileged process and service accounts

Cryptography

  • Poor key generation or key management
  • Weak or custom encryption
  • Checksum spoofing

Exception Management

  • Attacker reveals implementation details
  • Denial of service

Sensitive Data

  • Access to sensitive data in storage
  • Network eavesdropping
  • Data tampering

Session Management

  • Session hijacking
  • Session replay
  • Man in the middle