WebApplication

Purpose

The WebApplication object represents a network service provided by a web server. Since a web application is run partly on the web server and partly, possibly, on the client side by a web browser, the WebApplication object represents both parts. Note that with this approach a web browser, modelled as a Client object, only concerns the piece of software installed on the client host, not the programs or routines it downloads and runs on behalf of the WebApplication it visits.

Connections

| Object | Connection | Description | Function |
|---|---|---|---|
| Service | Web Service Execution | Specifies which Service is hosting/running the WebApplication. | A connection to a Service is needed for the WebApplication to function properly. |
| WebApplication Firewall | Firewall Execution | A firewall functionality is available and running to handle requests to the WebApplication. Such functionality is often provided as part of the web server software running the WebApplication, but since it has a major impact on the WebApplication, it is modeled explicitly. | A missing Web Application Firewall increases the risk of BypassWAF. |
| Datastore | WebApplication | Shows what data a user can access by using the WebApplication. | A connected Datastore can give Read and Write access through SQL injections. |
| Keystore | Keystore Execution | Shows that the WebApplication provides access to a Keystore. | A missing connection to a Keystore prevents Read access on the Keystore through the WebApplication. |

Attack Steps and Defenses

| Attack Step | Description | Leads to |
|---|---|---|
| BypassWAFViaCI | The possibility for an attack step to trick, or pass undiscovered by, the web application firewall using Command Injection. | WebApplication: ExploitCI |
| BypassWAFViaRFI | The possibility for an attack step to trick, or pass undiscovered by, the web application firewall using Remote File Inclusion. | WebApplication: ExploitRFI |
| BypassWAFViaSQLInjection | The possibility for an attack step to trick, or pass undiscovered by, the web application firewall using SQL Injection. | WebApplication: ExploitSQLi |
| BypassWAFViaXSS | The possibility for an attack step to trick, or pass undiscovered by, the web application firewall using Cross Site Scripting. | WebApplication: ExploitXSS |
| Compromise | The possibility to fully control the WebApplication. | Service: Compromise; Datastore: Read/Write/Delete; Keystore: Read/Delete |
| DiscoverNewVulnerability | The possibility to discover a new vulnerability in the WebApplication. | WebApplication: BypassWAFViaCI; WebApplication: BypassWAFViaRFI; WebApplication: BypassWAFViaSQLInjection; WebApplication: BypassWAFViaXSS |
| ExploitCommandInjection | The possibility to send commands, or pieces of commands, to the web server via the web application, making it perform unintended operations. | Service(root): Host.Compromise; Service(non-root): Host.UserAccess |
| ExploitRFI | The possibility to send a file containing some kind of malware to the web server via the web application, making it perform unintended operations. | Service(root): Host.Compromise; Service(non-root): Host.UserAccess |
| ExploitSQLInjection | The possibility to send an unintended SQL statement to the web application to read, alter or delete data. | |
| ExploitXSS | The possibility to inject, via input fields or variables, a malicious script which will be visible to and run by other users of the web application. | Service: Dataflow.Client.UserAccess |

| Defense | Description | Impact | Default |
|---|---|---|---|
| BlackBoxTesting | Black box testing denotes automated testing through scanners or fuzzers without access to the source code, which should decrease the number of false positives as well as false negatives. The aim of black box testing is to find and remove vulnerabilities before deployment. | Reduces the risk of DiscoverNewVulnerability. | Off |
| NoPublicCIVulnerabilities | Command injection (CI) attacks aim to execute arbitrary code on system level. This defense relates to the presence of public command injection vulnerabilities (e.g. on Exploit DB or PacketStorm) for the application. | Reduces the risk of ExploitCommandInjection. | Off |
| NoPublicRFIVulnerabilities | Remote file inclusion (RFI) attacks aim to include remote files in a web application in order to execute code in the context of the server. This defense relates to the presence of public remote file inclusion vulnerabilities (e.g. on Exploit DB or PacketStorm) for the application. | Reduces the risk of ExploitRFI. | Off |
| NoPublicSQLIVulnerabilities | SQL injection (SQLi) attacks aim to alter the SQL queries sent to a server. If the injection is successful, it can alter e.g. database tables and data and execute commands. This defense relates to the presence of public SQL injection vulnerabilities (e.g. on Exploit DB or PacketStorm) for the application. | Reduces the risk of ExploitSQLInjection. | Off |
| NoPublicXSSVulnerabilities | Cross site scripting (XSS) attacks aim to inject client-side scripts that are executed by other users visiting the web service. This defense relates to the presence of public cross site scripting vulnerabilities (e.g. on Exploit DB or PacketStorm) for the application. | Reduces the risk of ExploitXSS. | Off |
| SecurityAwareDevelopers | A security aware developer can recognize proper use of input and output sanitizing and implement effective countermeasures. | Reduces the risk of DiscoverNewVulnerability. | Off |
| StaticCodeAnalysis | Static code analysis is the analysis of software source code without executing the program. Static code analysis tools can automatically look for specific patterns to find vulnerabilities and bugs. | Reduces the risk of DiscoverNewVulnerability. | On |
| TypeSafeAPI | A type safe API specifies a rule set which describes exactly what kind of data is transferred between different parts of the application. This leads to more secure and reliable environments. | Reduces the risk of DiscoverNewVulnerability. | On |
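To make the relationships in the two tables above concrete, here is a small reachability model of the WebApplication attack steps, their "Leads to" edges, the connection-dependent targets (Host, Datastore, Keystore, Client) and the defenses. It is an added example written for this page, not the modelling tool's own engine: the object, attack-step and defense names are taken from the tables (using the full step names ExploitCommandInjection and ExploitSQLInjection where the "Leads to" column abbreviates them to ExploitCI and ExploitSQLi), while the binary semantics are assumptions of the example: an enabled defense is treated as blocking the step it reduces outright rather than lowering its probability, and when no Web Application Firewall is connected the BypassWAF steps are treated as reached directly, since there is nothing to bypass.

```python
"""Toy reachability model of the WebApplication attack steps and defenses.

Added example for this documentation page (not the tool's own code). The
names come from the page; the on/off blocking semantics and the treatment
of a missing WAF are simplifying assumptions of this example.
"""
from dataclasses import dataclass, field

# "Leads to" edges from the attack-step table. Cross-object targets are
# written "Object:Step"; connection-dependent targets and the
# Service(root)/Service(non-root) split are resolved in successors().
LEADS_TO = {
    "DiscoverNewVulnerability": ["BypassWAFViaCI", "BypassWAFViaRFI",
                                 "BypassWAFViaSQLInjection", "BypassWAFViaXSS"],
    "BypassWAFViaCI": ["ExploitCommandInjection"],
    "BypassWAFViaRFI": ["ExploitRFI"],
    "BypassWAFViaSQLInjection": ["ExploitSQLInjection"],
    "BypassWAFViaXSS": ["ExploitXSS"],
    "ExploitXSS": ["Client:UserAccess"],
    "Compromise": ["Service:Compromise"],
}

# Which attack step each defense reduces ("Impact" column) and its default
# setting ("Default" column).
DEFENSE_TARGET = {
    "BlackBoxTesting": "DiscoverNewVulnerability",
    "NoPublicCIVulnerabilities": "ExploitCommandInjection",
    "NoPublicRFIVulnerabilities": "ExploitRFI",
    "NoPublicSQLIVulnerabilities": "ExploitSQLInjection",
    "NoPublicXSSVulnerabilities": "ExploitXSS",
    "SecurityAwareDevelopers": "DiscoverNewVulnerability",
    "StaticCodeAnalysis": "DiscoverNewVulnerability",
    "TypeSafeAPI": "DiscoverNewVulnerability",
}
DEFAULT_DEFENSES = {
    "BlackBoxTesting": False, "NoPublicCIVulnerabilities": False,
    "NoPublicRFIVulnerabilities": False, "NoPublicSQLIVulnerabilities": False,
    "NoPublicXSSVulnerabilities": False, "SecurityAwareDevelopers": False,
    "StaticCodeAnalysis": True, "TypeSafeAPI": True,
}


@dataclass
class WebApp:
    """One WebApplication instance: its connections and defense settings."""
    service_as_root: bool = False      # Service(root) vs Service(non-root)
    waf_connected: bool = True         # WebApplication Firewall connection
    datastore_connected: bool = False  # Datastore connection
    keystore_connected: bool = False   # Keystore connection
    defenses: dict = field(default_factory=lambda: dict(DEFAULT_DEFENSES))

    def blocked(self, step):
        # Assumption: an enabled defense blocks the step it reduces outright.
        return any(on and DEFENSE_TARGET[name] == step
                   for name, on in self.defenses.items())

    def successors(self, step):
        nxt = list(LEADS_TO.get(step, []))
        host = "Host:Compromise" if self.service_as_root else "Host:UserAccess"
        if step in ("ExploitCommandInjection", "ExploitRFI"):
            nxt.append(host)
        if step == "ExploitSQLInjection" and self.datastore_connected:
            nxt += ["Datastore:Read", "Datastore:Write"]
        if step == "Compromise":
            if self.datastore_connected:
                nxt += ["Datastore:Read", "Datastore:Write", "Datastore:Delete"]
            if self.keystore_connected:
                nxt += ["Keystore:Read", "Keystore:Delete"]
        return nxt

    def entry_points(self):
        # Anyone reaching the application may try to discover a new
        # vulnerability. Assumption: with no WAF connected there is nothing
        # to bypass, so the BypassWAF steps are reached directly.
        entries = ["DiscoverNewVulnerability"]
        if not self.waf_connected:
            entries += [s for s in LEADS_TO if s.startswith("BypassWAF")]
        return entries


def reachable(app, start=None):
    """Return the set of attack steps reachable from the entry points
    (or from the given start steps), skipping blocked steps."""
    seen, todo = set(), list(start) if start is not None else app.entry_points()
    while todo:
        step = todo.pop()
        if step in seen or app.blocked(step):
            continue
        seen.add(step)
        todo.extend(app.successors(step))
    return seen


if __name__ == "__main__":
    # Constructed scenario: no WAF, a Datastore connected, service as root.
    app = WebApp(service_as_root=True, waf_connected=False, datastore_connected=True)
    print("without NoPublicSQLIVulnerabilities:", sorted(reachable(app)))
    app.defenses["NoPublicSQLIVulnerabilities"] = True
    print("with NoPublicSQLIVulnerabilities:   ", sorted(reachable(app)))
```

Running the script shows the two points the connection table makes: with the WAF missing, every Exploit step is reachable even though the default defenses (StaticCodeAnalysis and TypeSafeAPI) block DiscoverNewVulnerability, and the Datastore Read/Write consequences disappear as soon as ExploitSQLInjection is blocked. `reachable(app, start=["Compromise"])` lists what a full Compromise leads to for a given set of connections.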