
{
"summary": {
"title": "Metaverse Model"
},
"detail": {
"contributors": [],
"diagrams": [
{
"title": "Wallet Server",
"thumbnail": "./public/content/images/thumbnail.stride.jpg",
"diagramType": "STRIDE",
"id": 0,
"$$hashKey": "object:50",
"diagramJson": {
"cells": [
{
"type": "tm.Actor",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 440,
"y": 30
},
"angle": 0,
"id": "27e3391f-ee25-4632-96c1-e0434e4a998e",
"z": 1,
"hasOpenThreats": false,
"outOfScope": false,
"attrs": {
".element-shape": {
"class": "element-shape hasNoOpenThreats isInScope"
},
"text": {
"text": "Wallet Web Server"
},
".element-text": {
"class": "element-text hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Actor",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 130,
"y": 30
},
"angle": 0,
"id": "1e4c445f-6fbf-4735-9fb2-bd49336196ff",
"z": 2,
"hasOpenThreats": true,
"description": "Any unauthenticated origin",
"threats": [
{
"status": "Open",
"severity": "Medium",
"modelType": "STRIDE",
"type": "Spoofing",
"title": "Customer Authenticity",
"description": "A customer might try to impersonate another customer and perform transactions in their name.",
"threatId": "f2c183a5-4800-4599-8672-742cbb4c9f0f",
"$$hashKey": "object:219"
},
{
"status": "Open",
"severity": "Medium",
"modelType": "STRIDE",
"type": "Repudiation",
"title": "Payment Authorization",
"description": "The customer claims that they did not perform the transaction.",
"threatId": "7524a6ad-931e-4626-b10b-0d33cb548c6b",
"$$hashKey": "object:233"
}
],
"attrs": {
".element-shape": {
"class": "element-shape hasOpenThreats isInScope"
},
"text": {
"text": "Customer"
},
".element-text": {
"class": "element-text hasOpenThreats isInScope"
}
}
},
{
"type": "tm.Actor",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 440,
"y": 170
},
"angle": 0,
"id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244",
"z": 3,
"hasOpenThreats": false,
"description": "Sensitive",
"attrs": {
".element-shape": {
"class": "element-shape hasNoOpenThreats isInScope"
},
"text": {
"text": "Wallet API Server"
},
".element-text": {
"class": "element-text hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Store",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 130,
"y": 370
},
"angle": 0,
"id": "fbd79e5b-816d-4707-aad4-a28a7dad7ad6",
"z": 4,
"hasOpenThreats": false,
"isALog": false,
"storesInventory": false,
"attrs": {
".element-shape": {
"class": "element-shape hasNoOpenThreats isInScope"
},
"text": {
"text": "Transaction Store"
},
".element-text": {
"class": "element-text hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Actor",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 440,
"y": 370
},
"angle": 0,
"id": "bc43adcf-3ae0-432c-bf1b-7fc7ff3b38f7",
"z": 5,
"hasOpenThreats": false,
"attrs": {
".element-shape": {
"class": "element-shape hasNoOpenThreats isInScope"
},
"text": {
"text": "Transaction\nManagement"
},
".element-text": {
"class": "element-text hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "bc43adcf-3ae0-432c-bf1b-7fc7ff3b38f7"
},
"target": {
"id": "fbd79e5b-816d-4707-aad4-a28a7dad7ad6"
},
"vertices": [],
"id": "49f01dfc-3423-4452-b563-f71fe4603f3c",
"labels": [
{
"position": 0.5,
"attrs": {
"text": {
"text": "Manages",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 6,
"hasOpenThreats": false,
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244"
},
"target": {
"id": "bc43adcf-3ae0-432c-bf1b-7fc7ff3b38f7"
},
"vertices": [],
"id": "ba27f640-4a39-4eba-97db-e799a48950bb",
"labels": [
{
"position": 0.5,
"attrs": {
"text": {
"text": "Uses",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 7,
"hasOpenThreats": false,
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "27e3391f-ee25-4632-96c1-e0434e4a998e"
},
"target": {
"id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244"
},
"vertices": [],
"id": "0452105d-bb9e-4e22-aa20-6d3915e7d63d",
"labels": [
{
"position": 0.5,
"attrs": {
"text": {
"text": "Uses",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 8,
"hasOpenThreats": false,
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "1e4c445f-6fbf-4735-9fb2-bd49336196ff"
},
"target": {
"id": "27e3391f-ee25-4632-96c1-e0434e4a998e"
},
"vertices": [],
"id": "9a420ba9-fd87-419c-b8b2-f89c60450d54",
"labels": [
{
"position": 0.5,
"attrs": {
"text": {
"text": "Accesses",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 9,
"hasOpenThreats": false,
"isPublicNetwork": true,
"isEncrypted": true,
"protocol": "HTTPS",
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Actor",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 130,
"y": 170
},
"angle": 0,
"id": "7a783726-6739-478e-9755-264abf6bfe82",
"z": 10,
"hasOpenThreats": false,
"attrs": {
".element-shape": {
"class": "element-shape hasNoOpenThreats isInScope"
},
"text": {
"text": "Mobile App"
},
".element-text": {
"class": "element-text hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "7a783726-6739-478e-9755-264abf6bfe82"
},
"target": {
"id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244"
},
"vertices": [],
"id": "345d8594-d2f4-4842-96db-cbb37df95057",
"labels": [
{
"position": 0.5,
"attrs": {
"text": {
"text": "Accesses",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 11,
"hasOpenThreats": false,
"isEncrypted": true,
"isPublicNetwork": true,
"protocol": "REST",
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Boundary",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"x": 630,
"y": 280
},
"target": {
"x": 400,
"y": 280
},
"vertices": [],
"id": "3a058aef-0280-4609-b265-9e3a0adec3a7",
"z": 12,
"labels": [
{
"position": 0.5,
"attrs": {
"text": {
"text": "Trust Boundary",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"attrs": {}
}
]
},
"size": {
"height": 590,
"width": 1022
}
},
{
"title": "User Management",
"thumbnail": "./public/content/images/thumbnail.stride.jpg",
"diagramType": "STRIDE",
"id": 1,
"$$hashKey": "object:505",
"diagramJson": {
"cells": [
{
"type": "tm.Actor",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 80,
"y": 140
},
"angle": 0,
"id": "c78ef2f5-cfa1-4ce7-ade0-e408de07dd5f",
"z": 1,
"hasOpenThreats": true,
"threats": [
{
"ruleId": "b2a6d40d-d3f8-4750-8e4d-c02cc84b13dc",
"title": "Generic spoofing threat",
"type": "Spoofing",
"modelType": "STRIDE",
"status": "Open",
"severity": "Medium",
"description": "A generic spoofing threat",
"mitigation": "Mitigation or prevention for the threat",
"threatId": "df909f03-effd-40db-b39c-52a00223cf80",
"$$hashKey": "object:722"
},
{
"ruleId": "87bc37e2-798e-4d68-bb96-feb1da26da48",
"title": "Generic repudiation threat",
"type": "Repudiation",
"modelType": "STRIDE",
"status": "Open",
"severity": "Medium",
"description": "A generic repudiation threat",
"mitigation": "Mitigation or prevention for the threat",
"threatId": "a27dd4a9-418f-4b9b-8936-9cf2cacc5b4b",
"$$hashKey": "object:731"
}
],
"attrs": {
".element-shape": {
"class": "element-shape hasOpenThreats isInScope"
},
"text": {
"text": "User"
},
".element-text": {
"class": "element-text hasOpenThreats isInScope"
}
}
},
{
"type": "tm.Process",
"size": {
"width": 100,
"height": 100
},
"position": {
"x": 390,
"y": 110
},
"angle": 0,
"id": "611d23c0-9fab-41bb-a90f-ae3710272951",
"z": 2,
"hasOpenThreats": true,
"threats": [
{
"ruleId": "ce2fe37e-0742-4278-8915-40dc2226150e",
"title": "Denial of Service",
"type": "Elevation of privilege",
"modelType": "STRIDE",
"status": "Open",
"severity": "Medium",
"description": "See OWASP Automated Threat #15:\nUsage may resemble legitimate application usage but leads to exhaustion of resources",
"mitigation": "Mitigation or prevention such as providing backoff, resource management and avoiding forced deadlock",
"threatId": "a32e00b3-abc9-4ae5-8bfb-ed366cebd712",
"$$hashKey": "object:639"
}
],
"attrs": {
".element-shape": {
"class": "element-shape hasOpenThreats isInScope"
},
"text": {
"text": "Login"
},
".element-text": {
"class": "element-text hasOpenThreats isInScope"
}
}
},
{
"type": "tm.Store",
"size": {
"width": 160,
"height": 80
},
"position": {
"x": 660,
"y": 140
},
"angle": 0,
"id": "6a56fba7-8702-40fa-a77e-6706743f2ed6",
"z": 3,
"hasOpenThreats": true,
"storesCredentials": true,
"isEncrypted": true,
"threats": [
{
"ruleId": "13000296-b17d-4b72-9cc4-f5cc33f80e4c",
"title": "Generic information disclosure threat",
"type": "Information disclosure",
"modelType": "STRIDE",
"status": "Open",
"severity": "Medium",
"description": "A generic information disclosure threat",
"mitigation": "Mitigation or prevention for the threat",
"threatId": "7328e250-80f9-40a8-9894-3b2b8b8d446a",
"$$hashKey": "object:669"
}
],
"attrs": {
".element-shape": {
"class": "element-shape hasOpenThreats isInScope"
},
"text": {
"text": "User Database"
},
".element-text": {
"class": "element-text hasOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "611d23c0-9fab-41bb-a90f-ae3710272951"
},
"target": {
"id": "6a56fba7-8702-40fa-a77e-6706743f2ed6"
},
"vertices": [
{
"x": 560,
"y": 110
}
],
"id": "f47f4e80-ef73-4dac-b96b-a36f6e3e0e57",
"labels": [
{
"position": {
"distance": 0.46925095247713366,
"offset": -20
},
"attrs": {
"text": {
"text": "Query Database",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 4,
"hasOpenThreats": false,
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "6a56fba7-8702-40fa-a77e-6706743f2ed6"
},
"target": {
"id": "611d23c0-9fab-41bb-a90f-ae3710272951"
},
"vertices": [
{
"x": 530,
"y": 190
}
],
"id": "5b063982-6998-485e-8ee1-f8d59c0bc757",
"labels": [
{
"position": {
"distance": 0.5416816466170442,
"offset": -30.43621155024044
},
"attrs": {
"text": {
"text": "Query Response",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 5,
"hasOpenThreats": false,
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "c78ef2f5-cfa1-4ce7-ade0-e408de07dd5f"
},
"target": {
"id": "611d23c0-9fab-41bb-a90f-ae3710272951"
},
"vertices": [
{
"x": 310,
"y": 120
}
],
"id": "d1e6f704-4414-4e6f-8df7-f5b9111314f2",
"labels": [
{
"position": {
"distance": 0.5104252915659918,
"offset": -20.63758485420264
},
"attrs": {
"text": {
"text": "Send Credentials",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 6,
"hasOpenThreats": true,
"isPublicNetwork": true,
"isEncrypted": true,
"protocol": "HTTPS",
"threats": [
{
"ruleId": "ff2fca4d-dedf-46f2-b9ac-aed70055bb4d",
"title": "Vulnerable transport protocol",
"type": "Information disclosure",
"modelType": "STRIDE",
"status": "Open",
"severity": "Medium",
"description": "Older transport protocols have known vulnerabilities",
"mitigation": "Use up-to-date cryptography and transport protocols",
"threatId": "c1bf3a73-9898-4189-9ac6-2aff476068c5",
"$$hashKey": "object:692"
}
],
"attrs": {
".marker-target": {
"class": "marker-target hasOpenThreats isInScope"
},
".connection": {
"class": "connection hasOpenThreats isInScope"
}
}
},
{
"type": "tm.Flow",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"id": "611d23c0-9fab-41bb-a90f-ae3710272951"
},
"target": {
"id": "c78ef2f5-cfa1-4ce7-ade0-e408de07dd5f"
},
"vertices": [
{
"x": 290,
"y": 200
}
],
"id": "b5f6781c-ff8a-470d-be6c-12d4175a5483",
"labels": [
{
"position": {
"distance": 0.5720257575195177,
"offset": -21.40240000765164
},
"attrs": {
"text": {
"text": "Confirm Login",
"font-weight": "400",
"font-size": "small"
}
}
}
],
"z": 7,
"hasOpenThreats": false,
"isEncrypted": true,
"isPublicNetwork": true,
"protocol": "HTTPS",
"attrs": {
".marker-target": {
"class": "marker-target hasNoOpenThreats isInScope"
},
".connection": {
"class": "connection hasNoOpenThreats isInScope"
}
}
},
{
"type": "tm.Boundary",
"size": {
"width": 10,
"height": 10
},
"smooth": true,
"source": {
"x": 370,
"y": 50
},
"target": {
"x": 380,
"y": 280
},
"vertices": [],
"id": "878455b4-c0ea-4539-ab85-e61ff9e274d2",
"z": 8,
"attrs": {}
}
]
},
"size": {
"height": 590,
"width": 830
}
}
]
}
}