...
Attack Vector | Description | Risk Level (1 - 5) | Impact Level (1 - 5) | Countermeasure
---|---|---|---|---
Attacks concerning general web applications | | | |
Session hijacking | Attacker uses a man-in-the-middle attack while the victim has an open connection to the internal infrastructure. Requires the attacker to break the encryption of the SSH connection, which is very unlikely. | 1 | 5 | Keep informed about issues concerning secure connections (e.g. OpenSSL vulnerability CVE-2016-6304).
Cross-site request forgery (XSRF, CSRF) | Victim has an open VPN session and runs a malicious script downloaded from an attacker's server. | 1 | 4 | Use nonce tokens.
Session fixation | Attacker provides a URL with a pre-defined session ID to the victim. As soon as the victim logs into the system, the attacker can use the same session ID for his own requests. Very unlikely, as the internal infrastructure is only accessible over a secure connection. | 1 | 3 | Inform end users about the risk. Verify provided URLs wherever they are manipulated.
Cross-site scripting (XSS) | Victim/Docker container uploads a malicious script which is executed while a web service visualizes the data. | 1 | 4 | Use HTML character escaping.
Open redirection | Victim/Attacker sends a request with a manipulated URL provided as a query parameter, e.g. forcing a redirection. This may be a problem with OAuth2 and the 'Token' response type. Not trivial, as OAuth2 validates the redirection URL. | 1 | 2 | Use HTML character escaping.
Cross-site script inclusion (XSSI) | Victim has an open VPN session and forwards JSON responses due to a malicious script downloaded from an attacker's server. Possible but harmless, as all available resources are non-confidential. | 0 | 0 | -
Header injection (response splitting) | Victim/Attacker sends a request with a manipulated header field provided as a query parameter, which is then used within the response header. There is no route that allows setting the response's header information. | 0 | 0 | -
Mixed content | Due to the mix of resources partly available over HTTP and partly over HTTPS, e.g. a man-in-the-middle attack is possible. Harmless, due to the secured connection to the internal infrastructure. | 0 | 0 | -
Referer leakage | Victim follows an external link from a sensitive URL, which is then published in the 'Referer' header field of the request to the external site. There is no link to an external site (harmless anyway). | 0 | 0 | -
Specific to the design of web applications | | | |
Cache poisoning | Victim's browser cache or proxy gets poisoned with a malicious version of the targeted web application, e.g. due to 'header injection' or a DDoS attack. This may result in an XSS where the script's origin is equal to the targeted web application's. | 2 | 4 | Keep informed about proxy/caching issues. However, cache poisoning is very hard to detect!
Clickjacking | The targeted web application is overlaid with a transparent site provided by the attacker. The victim's interactions are unwittingly sent to the attacker's site. | 1 | 1 | Use a "frame-breaker" script.
Content and character set sniffing | The victim's browser tries to 'correctly interpret' inconsistent content or character sets. E.g., a UTF-7 encoded script may be interpreted as valid code even though the website's charset is UTF-8. This may bypass the (UTF-8) character escaping on the server side and allow XSS. | 1 | 4 | Check encoding of uploaded data.
Cookie forcing (cookie injection) | Attacker injects a cookie into the context of a web application, e.g. using a man-in-the-middle attack, which could be used with session fixation. Requires the attacker to break the encryption of the SSH connection, which is very unlikely. | 1 | 1 | None!
Denial-of-service (DoS) attacks | Attacker disrupts the service by flooding it with requests. | 4 | 4 | Use a dedicated DDoS mitigation appliance.
Framebusting | Attacker encloses the victim's framed web application inside his own frame. Hereby, if the web application e.g. uses the JavaScript object parent.location, it accesses the attacker's frame instead of its own top-level document. No frames are used. | 0 | 0 | -
HTTP downgrade | Attacker forces the victim, e.g. by DDoS, to use HTTP instead of HTTPS for connecting to a web application. Harmless, due to the secured connection to the internal infrastructure. | 0 | 0 | -
Specific to the server-side code | | | |
Command injection (SQL, shell, PHP, …) | Given URL parameters are unintentionally processed as statements due to insufficient input filtering. E.g., a malicious script from XSS could produce an HTTP request for a resource whose ID filter parameter is a masked SQL statement. | 2 | 4 | Use character escaping.
Directory traversal | An attacker or script systematically traverses a web application's paths, searching for files at arbitrary locations. Harmless, as the Flarecast infrastructure does not provide sensitive files. | 0 | 0 | -
Parameter tampering | An attacker or script systematically manipulates a URL's parameters to access arbitrary resources, e.g. incrementing the URL's filter ID on a page to view a specific resource. Harmless, as the Flarecast infrastructure does not provide sensitive resources. | 0 | 0 | -
File inclusion | An attacker or script specifies a remote file to read from within an HTTP request. E.g., a web application expects a language such as 'en' as a parameter, which is used to load a local translation file, but gets a URL instead. | 0 | 0 | -
Buffer overflow | Attacker or script provokes a buffer overflow on the client side, e.g. to crash the web application. This could be done by an HTTP request using a | | |
To cover
The above attack vectors are barely addressed at the moment due to the following reasons:
...