# NCS lab 3
Team
* Sergey Makarov (s.makarov@innopolis.university)
* Ruslan Israfilov (r.israfilov@innopolis.university)
* Daniil Fronts (d.fronts@innopolis.university)
Table of contents:
[TOC]
## Task 1: The definition of object for threat modeling
We decided to pick an open-source web application with some common vulnerabilities and analyze it. Here is the link: https://github.com/anxolerd/dvpwa
It is a simple web application with a Python web server, a database, and Redis for session storage.
## Task 2: Select the tool for threat modeling
For the DFD diagram we chose draw.io.
## Task 3: DFD model creation

## Task 4: The definition of technologies, assets
Technologies, applications, protocols:
* Server OS: Any Linux
* Deployment method: Docker with docker-compose wrapper
* Web server back: python 3.8 at alpine docker image
* Web server front: Jinja templates served by python web server; Javascript with jQuery
* Database: postgres:9.6.15 at alpine docker image
* Session storage: Latest alpine docker image of redis
* Network Protocols: HTTP, TCP
Assets:
* Web server: python aiohttp server
* PostgreSQL database: PostgreSQL 9.6.15
* Redis database: Redis 6.0.10
## Task 5: Threat modeling technique
We decided to use STRIDE threat modeling technique.
## Task 6: The definition of threats & threats scenario tree
Threats:
* Spoofing
* Tampering
* Repudiation
* Information disclosure
* Denial of service
* Elevation of privilege
Threats scenario tree:

## Task 7: The potential attacks severity calculation
For calculating attack severity we used the [CVSS calculator](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Let's take a look at a couple of examples, and then at the full table of attack severity.
1. Denial of Service for postgresql database.
* Its attack vector is Network (remote), since we can do SQL injection, XSS and other attacks directly from the web interface.
* Attack complexity is Low.
* Privileges required are either None, if we perform a DDoS attack, or superadmin, if we do SQL injection. However, escalation of privilege is also possible on the web page, since the superadmin's session can be obtained through stored XSS, so let's assign Low.
* Since admin privilege is required for injecting SQL (we do it in the new course creation page), we need the admin to open some XSS-poisoned comment in order to get their session. Thus, user interaction is Required.
* Scope is Changed, since we affect the database, but the vulnerable component is the web server.
* If we consider only the DoS component of the attack, then it highly affects availability and integrity, but not confidentiality. The same attack can be used to affect confidentiality as well, but that part is counted under other aspects.

Here is Elevation of privilege for the Web server:

Attack complexity is quite low, since the project we picked has some very basic vulnerabilities for demonstration purposes; that is why the scores are high.
Most of the vulnerabilities are in the web server, so the database is an asset affected through the web server (which is why its scores are quite high), but it is not that vulnerable to direct attacks: it has open ports and a quite weak password, but no direct way to access it. The same holds for the Redis database, but it sits inside a private Docker network, so it is nearly impossible to reach without first gaining access to the whole host. The information stored there is user sessions, which is quite sensitive.
Here is the final table:
## Task 8: Countermeasures definition
Threat-Asset countermeasures table:

link: [googlesheet](https://docs.google.com/spreadsheets/d/1kMszZbB2JKJF9SJtQOl_QNfi3wWhPeqwH5_0ar_3VZg/edit?usp=sharing)
## Task 9: Threat modeling summarization

link: https://docs.google.com/spreadsheets/d/1osjYhAudfbhwOi-aIYSjvqhtczL73bSeufo6g1XB72E/edit#gid=1972139111