Threat Classification
...
DREAD (OWASP version)
Rating | Factor | High (10) | (9) | Medium (5) | Low (0)
---|---|---|---|---|---
D | Damage potential | Complete system or data destruction | | Individual user data is compromised or affected. | Nothing
R | Reproducibility | Just a web browser and the address bar is sufficient, without authentication. | | One or two steps required, may need to be an authorized user. | Very hard or impossible, even for administrators of the application.
E | Exploitability | Just a web browser | | Malware exists on the Internet, or an exploit is easily performed, using available attack tools. | Advanced programming and networking knowledge, with custom or advanced attack tools.
A | Affected users | All users | | Some users, but not all | None
D | Discoverability | The information is visible in the web browser address bar or in a form. | Details of faults like this are already in the public domain and can be easily discovered using a search engine. | Can figure it out by guessing or by monitoring network traces. | Very hard to impossible; requires source code or administrative access.
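The following is an added example, not code from the book, showing how the scale above is applied in practice: each factor is scored on the table's 10/5/0 steps (with the extra 9 step available only for Discoverability), the five scores are combined, and the resulting threats are ranked. The combination rule (arithmetic mean of the five factors) and the High/Medium/Low bands are assumptions made for this example; the table itself states neither. The two sample threats are constructed and are not the two rated in Table 3.7.

```python
# Added example: scoring and ranking threats on the DREAD scale from the table above.
# Assumptions (not stated by the table): risk = mean of the five factor scores,
# and the High/Medium/Low bands used in risk_band().
from dataclasses import dataclass

# Valid scores per factor, as the table gives them: 10/5/0 for every factor,
# plus the extra 9 step ("already in the public domain") for Discoverability only.
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
ALLOWED = {f: {10, 5, 0} for f in FACTORS}
ALLOWED["discoverability"] = {10, 9, 5, 0}


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def factor_scores(self) -> dict:
        return {f: getattr(self, f) for f in FACTORS}


def is_valid(threat: Threat) -> bool:
    """True only if every factor score is a step the table defines for that factor."""
    return all(score in ALLOWED[factor] for factor, score in threat.factor_scores().items())


def dread_score(threat: Threat) -> float:
    """Assumed combination rule: arithmetic mean of the five factor scores (0..10)."""
    if not is_valid(threat):
        raise ValueError(f"{threat.name}: a factor score is not on the table's scale")
    scores = list(threat.factor_scores().values())
    return sum(scores) / len(scores)


def risk_band(score: float) -> str:
    """Assumed bands; an organisation would substitute its own thresholds."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats) -> list:
    """Highest DREAD score first; returns (name, score, band) tuples."""
    scored = []
    for t in threats:
        s = dread_score(t)
        scored.append((t.name, s, risk_band(s)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threats (hypothetical; not the two from Table 3.7).
SAMPLE_THREATS = [
    # Reachable from the address bar without authentication; affects one user's data.
    Threat("Insecure direct object reference on order lookup",
           damage=5, reproducibility=10, exploitability=10,
           affected_users=5, discoverability=10),
    # Published in an advisory (discoverability 9) but needs custom tooling and deep knowledge.
    Threat("Race condition in payment settlement",
           damage=10, reproducibility=5, exploitability=0,
           affected_users=10, discoverability=9),
]

if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{name:50s} {score:5.1f}  {band}")
```

Note that the validation step matters: the 9 step is only meaningful for Discoverability, so a sheet that lets an analyst enter 9 for Damage potential is silently off the scale, and `dread_score` refuses it rather than averaging it in.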
Table 3.7 shows an example DREAD rating for both threats:
...