:::success
# AS LAB 1 Threat Modeling
**Name: Ruslan Muravev**
:::

## 1. Decompose the application

:::info
### 1. Describe entry points, assets and trust levels in form of tables.
:::

#### Entry points:

| ID | Name | Description | Trust Levels |
| ----- | --------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 1 | HTTPS port | Application servers can be accessed only via TLS. | (1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials |
| 1.1 | Main page | Entry point for all users. Displays recommended public videos. | (1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials |
| 1.2 | Login page | Users must log in to the website to access additional functionality. | (1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials |
| 1.2.1 | Login function | The login function authenticates and authorizes users once they provide credentials that match the database data. | (2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials |
| 1.3 | User page | Displays publicly available user information and the public videos uploaded by the user. | (1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials |
| 1.4 | Video page | Displays the video and the comments for that video. | If video is non-private:<br />(1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials<br /><br />If video is private:<br />(3.1) Owner<br />(3.2) User with Private Access |
| 1.4.1 | Comment function | The comment function provides an interface for creating comments and deleting own comments. | If video is non-private:<br />(3) User with Valid Login Credentials<br /><br />If video is private:<br />(3.1) Owner<br />(3.2) User with Private Access |
| 1.5 | Video management page | Webpage for uploading videos, deleting own videos, and changing the access level (public/hidden/private) for own videos. | (3) User with Valid Login Credentials |
| 1.6 | Search video page | Webpage for searching public videos. Functionality of the page includes filtering and sorting by some attributes. | (1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials |
| 1.7 | History page | Displays the user's own view history. | (3) User with Valid Login Credentials |
| 1.8 | Registration page | Webpage for creating a new account. | (1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials |

#### Assets:

| ID | Name | Description | Trust Levels |
| ----- | ----------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
| **1** | **Users** | **Assets relating to users.** | |
| 1.1 | User login details | The login credentials that the user will use to log into the website. | (3) User with Valid Login Credentials |
| 1.2 | User own upload history | Information about all videos uploaded by the user. | (3) User with Valid Login Credentials |
| 1.3 | User own view history | Information about videos recently watched by the user. | (3) User with Valid Login Credentials |
| 1.4 | User personal data | Personal information about the user. It includes the user's name, description, and statistics. | (3) User with Valid Login Credentials |
| **2** | **Video** | **Assets relating to video.** | |
| 2.1 | Video access level | Information about whether the video is public, hidden or private. | (3.1) Owner |
| 2.2 | Video metadata | Information about the video. It includes the video title, description, and number of views. | If video is non-private:<br />(1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials<br /><br />If video is private:<br />(3.1) Owner<br />(3.2) User with Private Access |
| 2.3 | Video object | The video itself. | If video is non-private:<br />(1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials<br /><br />If video is private:<br />(3.1) Owner<br />(3.2) User with Private Access |
| 2.4 | Video comments | List of comments and information about them. That information includes a link to the comment creator's profile and the comment itself. | If video is non-private:<br />(1) Anonymous Web User<br />(2) User with Invalid Login Credentials<br />(3) User with Valid Login Credentials<br /><br />If video is private:<br />(3.1) Owner<br />(3.2) User with Private Access |
| **3** | **Website** | **Assets relating to the website.** | |
| 3.1 | Login session data | The login session data includes a refresh token and an authentication token. The refresh token is used to update the authentication token when it expires. The authentication token is used for user authentication. | (3) User with Valid Login Credentials |

#### Trust levels:

| ID | Name | Description |
| ---- | ----------------------------------- | ------------------------------------------------------------ |
| 1 | Anonymous Web User | A user who has connected to the website but has not provided valid credentials. |
| 2 | User with Invalid Login Credentials | A user who has connected to the website and is attempting to log in using invalid login credentials. |
| 3 | User with Valid Login Credentials | A user who has connected to the website and has logged in using valid login credentials. |
| 3.1 | Owner | In the context of a given video, the specific "User with Valid Login Credentials" who uploaded that video. |
| 3.2 | User with Private Access | In the context of a private video, a specific "User with Valid Login Credentials" who has access to that video. |

:::info
### 2. Select at least 3 use cases that you think are the most interesting and prepare Data Flow Diagrams (DFD) for them.
:::

#### Log in:

![](https://i.imgur.com/zGRlOiw.png)

#### Uploading video object (without metadata):

![](https://i.imgur.com/Cq1jGyP.png)

#### Commenting private video:

![](https://i.imgur.com/yzgUbae.png)

## 2. Determine threats

| Assets | Category | Threat | Vulnerability | Score | Countermeasure |
| --------------------------------- | ---------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | --------------- | ------------------------------------------------------------ |
| 1.1<br />User login details | Information disclosure | User credentials are exposed and obtained by an attacker | Password can be brute forced | 7.1<br />High | 1) Limit the number of authorization requests that can be sent from one device<br />2) Implement security checks that ensure high password complexity during account registration |
| 1.2<br />User own upload history | Information disclosure | Attacker can view the list of hidden and private videos | Attacker can visit the user's upload history webpage by providing the user's public information | 4.2<br />Medium | Implement authorization algorithm |
| 1.3<br />User own view history | Information disclosure | Attacker can view the list of recently watched videos | Attacker can visit the user's view history webpage by providing the user's public information | 2.6<br />Low | Implement authorization algorithm |
| 1.4<br />User personal data | Tampering | Attacker can change user personal data | Lack of data validation and user authentication | 3.5<br />Low | Implement authentication and authorization algorithm |
| 2.1<br />Video access level | Tampering & Information disclosure | Attacker can change the video access level, so that the video can be viewed by all users | Lack of data validation and user authentication | 6.4<br />Medium | Implement authentication and authorization algorithm<br />Implement additional checks for authentication |
| 2.2<br />Video metadata | Tampering | Attacker can change the description and title of the video | Lack of user auth | 4.3<br />Medium | Implement user auth |
| 2.3<br />Video object | Tampering | Attacker can change the video | Lack of user auth | 6.4<br />Medium | Implement user auth |
| 2.3<br />Video object | Information disclosure | Attacker can publish the private or hidden video | Lack of user auth | 7.3<br />High | Implement user auth |
| 2.4<br />Video comments | Tampering | Attacker can change comments that they do not own | Lack of user auth | 6.6<br />Medium | Implement user auth<br />Check user device |
| 3.1<br />Login session data | Information disclosure | Attacker can get the auth token of the user | User token is saved in cache and can be viewed by an attacker when the user is not present in front of the computer | 5.3<br />Medium | Link the token with device information, so that the token cannot be used on other devices.<br />Invalidate the token if the user does not perform an action for a prolonged period of time. |

## Clarifying information

Public videos are videos that are neither hidden nor private.

Video streams are not mentioned in the tables because there is no difference between videos and video streams for the purposes of this report.

As trust level (3) is a superset of (3.1) and (3.2), I did not include (3.1) and (3.2) where (3) is present.

**Assumptions:**

- The owner of a private video can access the video.
- Comments can be created only by users that are logged in.
- No device other than the app server can be accessed by an attacker.
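
The "Implement authorization algorithm" countermeasures can be read directly off the entry-point and trust-level tables. The sketch below is an added example, not part of the original report: it encodes the rules for entry points 1.4, 1.4.1 and 1.7 and for asset 2.1. The names `Video`, `trust_levels`, `can_view` and the other `can_*` functions are hypothetical, and users are represented by plain strings.

```python
from dataclasses import dataclass, field
from enum import Enum

class Access(Enum):
    PUBLIC = "public"
    HIDDEN = "hidden"
    PRIVATE = "private"

@dataclass
class Video:
    owner: str
    access: Access
    private_access: set = field(default_factory=set)  # users holding level 3.2
    comments: dict = field(default_factory=dict)      # comment id -> author

def trust_levels(user, video):
    # IDs from the trust-level table; user is None for levels 1 and 2
    # (no valid login), which the tables always treat alike.
    if user is None:
        return {"1"}
    levels = {"3"}
    if user == video.owner:
        levels.add("3.1")
    if user in video.private_access:
        levels.add("3.2")
    return levels

def can_view(user, video):
    # Entry point 1.4: non-private (public or hidden) videos are open to all;
    # private videos only to Owner (3.1) or User with Private Access (3.2).
    if video.access is not Access.PRIVATE:
        return True
    return bool(trust_levels(user, video) & {"3.1", "3.2"})

def can_comment(user, video):
    # Entry point 1.4.1: a valid login is required, plus 3.1/3.2 if private.
    return user is not None and can_view(user, video)

def can_delete_comment(user, video, comment_id):
    # 1.4.1 covers deleting own comments only (tampering threat on asset 2.4).
    return can_comment(user, video) and video.comments.get(comment_id) == user

def can_change_access(user, video):
    # Asset 2.1: only the Owner (3.1) may change the access level.
    return "3.1" in trust_levels(user, video)

def can_read_history(session_user, requested_user):
    # Entry point 1.7, assets 1.2 and 1.3: the identity comes from the session,
    # never from a user name or ID supplied in the request.
    return session_user is not None and session_user == requested_user
```
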