From eb633ad307f9279323bbf7cb7ffdc7a02d3f6973 Mon Sep 17 00:00:00 2001
From: Michael Chen
Date: Tue, 31 May 2022 11:08:16 +0200
Subject: [PATCH] Added Metaverse model for OWASP threat dragon

---
 Exercise/Writeup/metaverse.json | 809 ++++++++++++++++++++++++++++++++
 1 file changed, 809 insertions(+)
 create mode 100644 Exercise/Writeup/metaverse.json

diff --git a/Exercise/Writeup/metaverse.json b/Exercise/Writeup/metaverse.json
new file mode 100644
index 0000000..e2ca26e
--- /dev/null
+++ b/Exercise/Writeup/metaverse.json
@@ -0,0 +1,809 @@ +{ + "summary": { + "title": "Metaverse Model" + }, + "detail": { + "contributors": [], + "diagrams": [ + { + "title": "Wallet Server", + "thumbnail": "./public/content/images/thumbnail.stride.jpg", + "diagramType": "STRIDE", + "id": 0, + "$$hashKey": "object:50", + "diagramJson": { + "cells": [ + { + "type": "tm.Actor", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 440, + "y": 30 + }, + "angle": 0, + "id": "27e3391f-ee25-4632-96c1-e0434e4a998e", + "z": 1, + "hasOpenThreats": false, + "outOfScope": false, + "attrs": { + ".element-shape": { + "class": "element-shape hasNoOpenThreats isInScope" + }, + "text": { + "text": "Wallet Web Server" + }, + ".element-text": { + "class": "element-text hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Actor", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 130, + "y": 30 + }, + "angle": 0, + "id": "1e4c445f-6fbf-4735-9fb2-bd49336196ff", + "z": 2, + "hasOpenThreats": true, + "description": "Any unauthenticated origin", + "threats": [ + { + "status": "Open", + "severity": "Medium", + "modelType": "STRIDE", + "type": "Spoofing", + "title": "Customer Authenticity", + "description": "Customer might try to impersonate another customer and do transactions in his name.", + "threatId": "f2c183a5-4800-4599-8672-742cbb4c9f0f", + "$$hashKey": "object:219" + }, + { + "status": "Open", + "severity": "Medium", + "modelType": "STRIDE", + "type": "Repudiation", + "title": "Payment Authorization", + "description": "Customer states that he did not commit the transaction.", + "threatId": "7524a6ad-931e-4626-b10b-0d33cb548c6b", + "$$hashKey": "object:233" + } + ], + "attrs": { + ".element-shape": { + "class": "element-shape hasOpenThreats isInScope" + }, + "text": { + "text": "Customer" + }, + ".element-text": { + "class": "element-text hasOpenThreats isInScope" + } + } + }, + { + "type": "tm.Actor", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 440, 
+ "y": 170 + }, + "angle": 0, + "id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244", + "z": 3, + "hasOpenThreats": false, + "description": "Sensitive", + "attrs": { + ".element-shape": { + "class": "element-shape hasNoOpenThreats isInScope" + }, + "text": { + "text": "Wallet API Server" + }, + ".element-text": { + "class": "element-text hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Store", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 130, + "y": 370 + }, + "angle": 0, + "id": "fbd79e5b-816d-4707-aad4-a28a7dad7ad6", + "z": 4, + "hasOpenThreats": false, + "isALog": false, + "storesInventory": false, + "attrs": { + ".element-shape": { + "class": "element-shape hasNoOpenThreats isInScope" + }, + "text": { + "text": "Transaction Store" + }, + ".element-text": { + "class": "element-text hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Actor", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 440, + "y": 370 + }, + "angle": 0, + "id": "bc43adcf-3ae0-432c-bf1b-7fc7ff3b38f7", + "z": 5, + "hasOpenThreats": false, + "attrs": { + ".element-shape": { + "class": "element-shape hasNoOpenThreats isInScope" + }, + "text": { + "text": "Transaction\nManagement" + }, + ".element-text": { + "class": "element-text hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "bc43adcf-3ae0-432c-bf1b-7fc7ff3b38f7" + }, + "target": { + "id": "fbd79e5b-816d-4707-aad4-a28a7dad7ad6" + }, + "vertices": [], + "id": "49f01dfc-3423-4452-b563-f71fe4603f3c", + "labels": [ + { + "position": 0.5, + "attrs": { + "text": { + "text": "Manages", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 6, + "hasOpenThreats": false, + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": 
{ + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244" + }, + "target": { + "id": "bc43adcf-3ae0-432c-bf1b-7fc7ff3b38f7" + }, + "vertices": [], + "id": "ba27f640-4a39-4eba-97db-e799a48950bb", + "labels": [ + { + "position": 0.5, + "attrs": { + "text": { + "text": "Uses", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 7, + "hasOpenThreats": false, + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "27e3391f-ee25-4632-96c1-e0434e4a998e" + }, + "target": { + "id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244" + }, + "vertices": [], + "id": "0452105d-bb9e-4e22-aa20-6d3915e7d63d", + "labels": [ + { + "position": 0.5, + "attrs": { + "text": { + "text": "Uses", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 8, + "hasOpenThreats": false, + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "1e4c445f-6fbf-4735-9fb2-bd49336196ff" + }, + "target": { + "id": "27e3391f-ee25-4632-96c1-e0434e4a998e" + }, + "vertices": [], + "id": "9a420ba9-fd87-419c-b8b2-f89c60450d54", + "labels": [ + { + "position": 0.5, + "attrs": { + "text": { + "text": "Accesses", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 9, + "hasOpenThreats": false, + "isPublicNetwork": true, + "isEncrypted": true, + "protocol": "HTTPS", + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": 
"tm.Actor", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 130, + "y": 170 + }, + "angle": 0, + "id": "7a783726-6739-478e-9755-264abf6bfe82", + "z": 10, + "hasOpenThreats": false, + "attrs": { + ".element-shape": { + "class": "element-shape hasNoOpenThreats isInScope" + }, + "text": { + "text": "Mobile App" + }, + ".element-text": { + "class": "element-text hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "7a783726-6739-478e-9755-264abf6bfe82" + }, + "target": { + "id": "e7267fe0-2972-4bfa-ab9b-f2ce15c52244" + }, + "vertices": [], + "id": "345d8594-d2f4-4842-96db-cbb37df95057", + "labels": [ + { + "position": 0.5, + "attrs": { + "text": { + "text": "Accesses", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 11, + "hasOpenThreats": false, + "isEncrypted": true, + "isPublicNetwork": true, + "protocol": "REST", + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Boundary", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "x": 630, + "y": 280 + }, + "target": { + "x": 400, + "y": 280 + }, + "vertices": [], + "id": "3a058aef-0280-4609-b265-9e3a0adec3a7", + "z": 12, + "labels": [ + { + "position": 0.5, + "attrs": { + "text": { + "text": "Trust Boundary", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "attrs": {} + } + ] + }, + "size": { + "height": 590, + "width": 1022 + } + }, + { + "title": "User Management", + "thumbnail": "./public/content/images/thumbnail.stride.jpg", + "diagramType": "STRIDE", + "id": 1, + "$$hashKey": "object:505", + "diagramJson": { + "cells": [ + { + "type": "tm.Actor", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 80, + "y": 140 + }, + "angle": 0, + "id": 
"c78ef2f5-cfa1-4ce7-ade0-e408de07dd5f", + "z": 1, + "hasOpenThreats": true, + "threats": [ + { + "ruleId": "b2a6d40d-d3f8-4750-8e4d-c02cc84b13dc", + "title": "Generic spoofing threat", + "type": "Spoofing", + "modelType": "STRIDE", + "status": "Open", + "severity": "Medium", + "description": "A generic spoofing threat", + "mitigation": "Mitigation or prevention for the threat", + "threatId": "df909f03-effd-40db-b39c-52a00223cf80", + "$$hashKey": "object:722" + }, + { + "ruleId": "87bc37e2-798e-4d68-bb96-feb1da26da48", + "title": "Generic repudiation threat", + "type": "Repudiation", + "modelType": "STRIDE", + "status": "Open", + "severity": "Medium", + "description": "A generic repudiation threat", + "mitigation": "Mitigation or prevention for the threat", + "threatId": "a27dd4a9-418f-4b9b-8936-9cf2cacc5b4b", + "$$hashKey": "object:731" + } + ], + "attrs": { + ".element-shape": { + "class": "element-shape hasOpenThreats isInScope" + }, + "text": { + "text": "User" + }, + ".element-text": { + "class": "element-text hasOpenThreats isInScope" + } + } + }, + { + "type": "tm.Process", + "size": { + "width": 100, + "height": 100 + }, + "position": { + "x": 390, + "y": 110 + }, + "angle": 0, + "id": "611d23c0-9fab-41bb-a90f-ae3710272951", + "z": 2, + "hasOpenThreats": true, + "threats": [ + { + "ruleId": "ce2fe37e-0742-4278-8915-40dc2226150e", + "title": "Denial of Service", + "type": "Elevation of privilege", + "modelType": "STRIDE", + "status": "Open", + "severity": "Medium", + "description": "See OWASP Automated Threat #15:\nUsage may resemble legitimate application usage but leads to exhaustion of resources", + "mitigation": "Mitigation or prevention such as providing backoff, resource management and avoiding forced deadlock", + "threatId": "a32e00b3-abc9-4ae5-8bfb-ed366cebd712", + "$$hashKey": "object:639" + } + ], + "attrs": { + ".element-shape": { + "class": "element-shape hasOpenThreats isInScope" + }, + "text": { + "text": "Login" + }, + ".element-text": { + 
"class": "element-text hasOpenThreats isInScope" + } + } + }, + { + "type": "tm.Store", + "size": { + "width": 160, + "height": 80 + }, + "position": { + "x": 660, + "y": 140 + }, + "angle": 0, + "id": "6a56fba7-8702-40fa-a77e-6706743f2ed6", + "z": 3, + "hasOpenThreats": true, + "storesCredentials": true, + "isEncrypted": true, + "threats": [ + { + "ruleId": "13000296-b17d-4b72-9cc4-f5cc33f80e4c", + "title": "Generic information disclosure threat", + "type": "Information disclosure", + "modelType": "STRIDE", + "status": "Open", + "severity": "Medium", + "description": "A generic information disclosure threat", + "mitigation": "Mitigation or prevention for the threat", + "threatId": "7328e250-80f9-40a8-9894-3b2b8b8d446a", + "$$hashKey": "object:669" + } + ], + "attrs": { + ".element-shape": { + "class": "element-shape hasOpenThreats isInScope" + }, + "text": { + "text": "User Database" + }, + ".element-text": { + "class": "element-text hasOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "611d23c0-9fab-41bb-a90f-ae3710272951" + }, + "target": { + "id": "6a56fba7-8702-40fa-a77e-6706743f2ed6" + }, + "vertices": [ + { + "x": 560, + "y": 110 + } + ], + "id": "f47f4e80-ef73-4dac-b96b-a36f6e3e0e57", + "labels": [ + { + "position": { + "distance": 0.46925095247713366, + "offset": -20 + }, + "attrs": { + "text": { + "text": "Query Database", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 4, + "hasOpenThreats": false, + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "6a56fba7-8702-40fa-a77e-6706743f2ed6" + }, + "target": { + "id": "611d23c0-9fab-41bb-a90f-ae3710272951" + }, + "vertices": [ + { + "x": 530, + "y": 190 + } 
+ ], + "id": "5b063982-6998-485e-8ee1-f8d59c0bc757", + "labels": [ + { + "position": { + "distance": 0.5416816466170442, + "offset": -30.43621155024044 + }, + "attrs": { + "text": { + "text": "Query Response", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 5, + "hasOpenThreats": false, + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "c78ef2f5-cfa1-4ce7-ade0-e408de07dd5f" + }, + "target": { + "id": "611d23c0-9fab-41bb-a90f-ae3710272951" + }, + "vertices": [ + { + "x": 310, + "y": 120 + } + ], + "id": "d1e6f704-4414-4e6f-8df7-f5b9111314f2", + "labels": [ + { + "position": { + "distance": 0.5104252915659918, + "offset": -20.63758485420264 + }, + "attrs": { + "text": { + "text": "Send Credentials", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 6, + "hasOpenThreats": true, + "isPublicNetwork": true, + "isEncrypted": true, + "protocol": "HTTPS", + "threats": [ + { + "ruleId": "ff2fca4d-dedf-46f2-b9ac-aed70055bb4d", + "title": "Vulnerable transport protocol", + "type": "Information disclosure", + "modelType": "STRIDE", + "status": "Open", + "severity": "Medium", + "description": "Older transport protocols are vulnerable and have known vulnerabilities", + "mitigation": "Use up to date cryptography and transport protocols", + "threatId": "c1bf3a73-9898-4189-9ac6-2aff476068c5", + "$$hashKey": "object:692" + } + ], + "attrs": { + ".marker-target": { + "class": "marker-target hasOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasOpenThreats isInScope" + } + } + }, + { + "type": "tm.Flow", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "id": "611d23c0-9fab-41bb-a90f-ae3710272951" + }, + "target": { + "id": 
"c78ef2f5-cfa1-4ce7-ade0-e408de07dd5f" + }, + "vertices": [ + { + "x": 290, + "y": 200 + } + ], + "id": "b5f6781c-ff8a-470d-be6c-12d4175a5483", + "labels": [ + { + "position": { + "distance": 0.5720257575195177, + "offset": -21.40240000765164 + }, + "attrs": { + "text": { + "text": "Confirm Login", + "font-weight": "400", + "font-size": "small" + } + } + } + ], + "z": 7, + "hasOpenThreats": false, + "isEncrypted": true, + "isPublicNetwork": true, + "protocol": "HTTPS", + "attrs": { + ".marker-target": { + "class": "marker-target hasNoOpenThreats isInScope" + }, + ".connection": { + "class": "connection hasNoOpenThreats isInScope" + } + } + }, + { + "type": "tm.Boundary", + "size": { + "width": 10, + "height": 10 + }, + "smooth": true, + "source": { + "x": 370, + "y": 50 + }, + "target": { + "x": 380, + "y": 280 + }, + "vertices": [], + "id": "878455b4-c0ea-4539-ab85-e61ff9e274d2", + "z": 8, + "attrs": {} + } + ] + }, + "size": { + "height": 590, + "width": 830 + } + } + ] + } +} \ No newline at end of file
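Review bot: The threat on the Login process in the User Management diagram is titled "Denial of Service" but recorded as `"type": "Elevation of privilege"`, so it sits in the wrong STRIDE category and will be counted against the wrong control family in any report produced from this model; it should read `"type": "Denial of service"`, following the capitalisation the file already uses for "Information disclosure" and "Elevation of privilege". The two Open threats on the Customer actor in the Wallet Server diagram have no `mitigation` field at all, unlike every threat in the User Management diagram, so that diagram records the risk without recording what is meant to address it. The Mobile App → Wallet API Server flow sets `"protocol": "REST"` while every other public flow says `"HTTPS"`; REST is an API style rather than a transport, so the transport on that flow is effectively left unstated. The internal flows between the Wallet API Server, Transaction Management and the Transaction Store carry no `isEncrypted`/`protocol` attributes, and the Transaction Store — the only data store in that diagram — has no threats recorded, which would merit at least a Tampering and an Information disclosure entry before the model is treated as complete. The file also ends without a trailing newline.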