Threat Classification
...
Threat Description | Attacker obtains authentication credentials by monitoring the network |
---|---|
Threat target | Web application user authentication process |
Risk rating | High |
Attack techniques | Use of network monitoring software |
Countermeasures | Use SSL to provide encrypted channel |
DREAD (OWASP version)
Letter | Rating | High (10) | Medium (5) | Low (0) |
---|---|---|---|---|
D | Damage potential | Complete system or data destruction | Individual user data is compromised or affected. | Nothing |
R | Reproducibility | Just a web browser and the address bar is sufficient, without authentication. | One or two steps required, may need to be an authorized user. | Very hard or impossible, even for administrators of the application. |
E | Exploitability | Just a web browser | Malware exists on the Internet, or an exploit is easily performed, using available attack tools. | Advanced programming and networking knowledge, with custom or advanced attack tools. |
A | Affected users | All users | Some users, but not all | None |
D | Discoverability | The information is visible in the web browser address bar or in a form. | Can figure it out by guessing or by monitoring network traces. | Very hard to impossible; requires source code or administrative access. |
Table 3.7 shows an example DREAD rating for both threats:
Table 3.7 DREAD rating
Threat | D | R | E | A | D | Total | Rating |
---|---|---|---|---|---|---|---|
Attacker obtains authentication credentials by monitoring the network. | 10 | 10 | 5 | 5 | 5 | (10+10+5+5+5)/5 = 7 | High |
SQL commands injected into application. | 10 | 10 | 10 | 10 | 5 | (10+10+10+10+5)/5 = 9 | High |
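The scoring in Table 3.7, as an added Python example that is not part of the original text: each criterion is rated High (10), Medium (5) or Low (0) per the rubric above, invalid scores are rejected, and the total is the mean of the five scores; the thresholds that turn a total into the High/Medium/Low rating column are not given on the page, so the example ranks threats by total instead.

```python
# Added example (not from the book): DREAD scoring as used in Table 3.7.
from dataclasses import dataclass

# The five DREAD criteria, in the order the table lists them.
CRITERIA = ("damage", "reproducibility", "exploitability",
            "affected_users", "discoverability")
# OWASP-version scale from the rubric table: High=10, Medium=5, Low=0.
ALLOWED_SCORES = {0, 5, 10}


@dataclass(frozen=True)
class Threat:
    description: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject anything outside the 0/5/10 scale so totals stay comparable.
        for name in CRITERIA:
            score = getattr(self, name)
            if score not in ALLOWED_SCORES:
                raise ValueError(f"{name}: {score} not in {sorted(ALLOWED_SCORES)}")

    def scores(self):
        return [getattr(self, name) for name in CRITERIA]

    def total(self) -> float:
        # Table 3.7 formula: (D + R + E + A + D) / 5
        return sum(self.scores()) / len(CRITERIA)


def rank(threats):
    """Highest DREAD total first, so the riskiest threat is mitigated first."""
    return sorted(threats, key=lambda t: t.total(), reverse=True)


# The two threats from Table 3.7, with the scores the table assigns them.
CREDENTIAL_SNIFFING = Threat(
    "Attacker obtains authentication credentials by monitoring the network.",
    10, 10, 5, 5, 5)
SQL_INJECTION = Threat("SQL commands injected into application.",
                       10, 10, 10, 10, 5)

if __name__ == "__main__":
    for t in rank([CREDENTIAL_SNIFFING, SQL_INJECTION]):
        print(f"{t.total():>4}  {t.description}")
```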