Cheat Sheet: Web Application Security Frame

Article
07/14/2010

Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Threat Modeling Web Applications

J.D. Meier, Alex Mackman, Blaine Wastell

Microsoft Corporation

May 2005

Home Page for Threat Modeling Web Applications

Summary: Use this cheat sheet to help create threat models for Web applications. The Web Application Security Frame uses categories to organize common security vulnerabilities. If you use these categories when you review your application design to create a threat model, you can systematically reveal the threats and vulnerabilities specific to your application architecture.

Web Application Security Frame
Vulnerabilities Organized by Web Application Security Frame
Threats and Attacks Organized by Web Application Security Frame
Countermeasures Organized by Web Application Security Frame

The Web Application Security Frame uses categories to organize common security vulnerabilities. If you use these categories when you review your application design to create a threat model, you can systematically reveal the threats and vulnerabilities specific to your application architecture.

Web Application Security Frame

Table 1 lists and explains the categories for the Web Application Security Frame.

Table 1: Web Application Security Frame Categories

Category	Description
Input and Data Validation	How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. Consider constraining input through entry points and encoding output through exit points. Do you trust data from sources such as databases and file shares?
Authentication	Who are you? Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization	What can you do? Authorization is how your application provides access controls for resources and operations.
Configuration Management	Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Sensitive Data	How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores.
Session Management	How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application.
Cryptography	How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Exception Management	When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Auditing and Logging	Who did what and when? Auditing and logging refer to how your application records security-related events.

Vulnerabilities Organized by Web Application Security Frame

Table 2 lists vulnerabilities for each Web Application Security Frame category.

Table 2: Web Application Security Frame Vulnerabilities

Category	Vulnerability
Input/Data Validation	Using non-validated input in the Hypertext Markup Language (HTML) output stream Using non-validated input used to generate SQL queries Relying on client-side validation Using input file names, URLs, or user names for security decisions Using application-only filters for malicious input Looking for known bad patterns of input Trusting data read from databases, file shares, and other network resources Failing to validate input from all sources including cookies, query string parameters, HTTP headers, databases, and network resources
Authentication	Using weak passwords Storing clear text credentials in configuration files Passing clear text credentials over the network Permitting over-privileged accounts Permitting prolonged session lifetime Mixing personalization with authentication
Authorization	Relying on a single gatekeeper Failing to lock down system resources against application identities Failing to limit database access to specified stored procedures Using inadequate separation of privileges
Configuration Management	Using insecure administration interfaces Using insecure configuration stores Storing clear text configuration data Having too many administrators Using over-privileged process accounts and service accounts
Sensitive Data	Storing secrets when you do not need to Storing secrets in code Storing secrets in clear text Passing sensitive data in clear text over networks
Session Management	Passing session identifiers over unencrypted channels Permitting prolonged session lifetime Having insecure session state stores Placing session identifiers in query strings
Cryptography	Using custom cryptography Using the wrong algorithm or a key size that is too small Failing to secure encryption keys Using the same key for a prolonged period of time Distributing keys in an insecure manner
Exception Management	Failing to use structured exception handling Revealing too much information to the client
Auditing and Logging	Failing to audit failed logons Failing to secure audit files Failing to audit across application tiers

Threats and Attacks Organized by Web Application Security Frame

Table 3 lists threats and attacks for each Web Application Security Frame category.

Table 3: Web Application Security Frame Threats and Attacks

Category	Threats or Attacks
Input/Data Validation	Buffer overflows Cross-site scripting SQL injection Canonicalization attacks Query string manipulation Form field manipulation Cookie manipulation HTTP header manipulation
Authentication	Network eavesdropping Brute force attacks Dictionary attacks Cookie replay attacks Credential theft
Authorization	Elevation of privilege Disclosure of confidential data Data tampering Luring attacks
Configuration Management	Unauthorized access to administration interfaces Unauthorized access to configuration stores Retrieval of clear text configuration secrets Lack of individual accountability
Sensitive Data	Accessing sensitive data in storage Accessing sensitive data in memory (including process dumps) Network eavesdropping Information disclosure
Session Management	Session hijacking Session replay Man-in-the-middle attacks
Cryptography	Loss of decryption keys Encryption cracking
Exception Management	Revealing sensitive system or application details Denial of service attacks
Auditing and Logging	User denies performing an operation Attacker exploits an application without trace Attacker covers his tracks

Countermeasures Organized By Web Application Security Frame

Table 4 lists the countermeasures for each Web Application Security Frame category.

Table 4: Web Application Security Frame Countermeasures

Category	Countermeasures
Input/Data Validation	Do not trust input Validate input: length, range, format, and type Constrain, reject, and sanitize input Encode output
Authentication	Use strong password policies Do not store credentials Use authentication mechanisms that do not require clear text credentials to be passed over the network Encrypt communication channels to secure authentication tokens Use HTTPS only with forms authentication cookies Separate anonymous from authenticated pages
Authorization	Use least privilege accounts Consider granularity of access Enforce separation of privileges Use multiple gatekeepers Secure system resources against system identities
Configuration Management	Use least privileged service accounts Do not store credentials in clear text Use strong authentication and authorization on administrative interfaces Do not use the Local Security Authority (LSA) Avoid storing sensitive information in the Web space Use only local administration
Sensitive Data	Do not store secrets in software Encrypt sensitive data over the network Secure the channel
Session Management	Partition site by anonymous, identified, and authenticated users Reduce session timeouts Avoid storing sensitive data in session stores Secure the channel to the session store Authenticate and authorize access to the session store
Cryptography	Do not develop and use proprietary algorithms (XOR is not encryption. Use platform-provided cryptography) Use the RNGCryptoServiceProvider method to generate random numbers Avoid key management. Use the Windows Data Protection API (DPAPI) where appropriate Periodically change your keys
Exception Management	Use structured exception handling (by using try/catch blocks) Catch and wrap exceptions only if the operation adds value/information Do not reveal sensitive system or application information Do not log private data such as passwords
Auditing and Logging	Identify malicious behavior Know your baseline (know what good traffic looks like) Use application instrumentation to expose behavior that can be monitored

Start | Previous | Next

Retired Content
This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.