2

Spoofing

An attacker could take over the port or socket that the server normally uses

2

3

Spoofing

An attacker could try one credential after another and there's nothing to slow them down (online or offline)

3

4

Spoofing

An attacker can anonymously connect, because we expect authentication to be done at a higher level

4

5

Spoofing

An attacker can confuse a client because there are too many ways to identify a server

5

6

Spoofing

An attacker can spoof a server because identifiers aren't stored on the client and checked for consistency on re-connection (that is, there's no key persistence)

6

7

Spoofing

An attacker can connect to a server or peer over a link that isn't authenticated (and encrypted)

7

8

Spoofing

An attacker could steal credentials stored on the server and reuse them (for example, a key is stored in a world readable file)

8

9

Spoofing

An attacker who gets a password can reuse it (Use stronger authenticators)

9

X

Spoofing

An attacker can choose to use weaker or no authentication

X

J

Spoofing

An attacker could steal credentials stored on the client and reuse them

Q

Spoofing

An attacker could go after the way credentials are updated or recovered (account recovery doesn't require disclosing the old password)

K

Spoofing

Your system ships with a default admin password, and doesn't force a change

A

Spoofing

You've invented a new Spoofing attack

A

2

Tampering

An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto

2

3

Tampering

An attacker can modify your build system and produce signed builds of your software

3

4

Tampering

Your code makes access control decisions all over the place, rather than with a security kernel

4

5

Tampering

An attacker can replay data without detection because your code doesn't provide timestamps or sequence numbers

5

6

Tampering

An attacker can write to a data store your code relies on

6

7

Tampering

An attacker can bypass permissions because you don't make names canonical before checking access permissions

7

8

Tampering

An attacker can manipulate data because there's no integrity protection for data on the network

8

9

Tampering

An attacker can provide or control state information

9

X

Tampering

An attacker can alter information in a data store because it has weak/open permissions or includes a group which is equivalent to everyone ("anyone with a Facebook account")

X

J

Tampering

An attacker can write to some resource because permissions are granted to the world or there are no ACLs

Q

Tampering

An attacker can change parameters over a trust boundary and after validation (for example, important parameters in a hidden field in HTML, or passing a pointer to critical memory)

K

Tampering

An attacker can load code inside your process via an extension point

A

Tampering

You've invented a new Tampering attack

A

2

Repudiation

An attacker can pass data through the log to attack a log reader, and there's no documentation of what sorts of validation are done

2

3

Repudiation

A low privilege attacker can read interesting security information in the logs

3

4

Repudiation

An attacker can alter digital signatures because the digital signature system you're implementing is weak, or uses MACs where it should use a signature

4

5

Repudiation

An attacker can alter log messages on a network because they lack strong integrity controls

5

6

Repudiation

An attacker can create a log entry without a timestamp (or no log entry is timestamped)

6

7

Repudiation

An attacker can make the logs wrap around and lose data

7

8

Repudiation

An attacker can make a log lose or confuse security information

8

9

Repudiation

An attacker can use a shared key to authenticate as different principals, confusing the information in the logs

9

X

Repudiation

An attacker can get arbitrary data into logs from unauthenticated (or weakly authenticated) outsiders without validation

X

J

Repudiation

An attacker can edit logs and there's no way to tell (perhaps because there's no heartbeat option for the logging system)

Q

Repudiation

An attacker can say "I didn't do that," and you'd have no way to prove them wrong

K

Repudiation

The system has no logs

A

Repudiation

You've invented a new Repudiation attack

A

2

Information Disclosure

An attacker can brute-force file encryption because there's no defense in place (example defense, password stretching)

2

3

Information Disclosure

An attacker can see error messages with security sensitive content

3

4

Information Disclosure

An attacker can read content because messages (say, an email or HTTP cookie) aren't encrypted even if the channel is encrypted

4

5

Information Disclosure

An attacker may be able to read a document or data because it's encrypted with a non-standard algorithm

5

6

Information Disclosure

An attacker can read data because it's hidden or occluded (for undo or change tracking) and the user might forget that it's there

6

7

Information Disclosure

An attacker can act as a 'man in the middle' because you don't authenticate endpoints of a network connection

7

8

Information Disclosure

An attacker can access information through a search indexer, logger, or other such mechanism

8

9

Information Disclosure

An attacker can read sensitive information in a file with permissive permissions

9

X

Information Disclosure

An attacker can read information in files or databases with no access controls

X

J

Information Disclosure

An attacker can discover the fixed key being used to encrypt

Q

Information Disclosure

An attacker can read the entire channel because the channel (say, HTTP or SMTP) isn't encrypted

K

Information Disclosure

An attacker can read network information because there's no cryptography used

A

Information Disclosure

You've invented a new Information Disclosure attack

A

2

Denial of Service

An attacker can make your authentication system unusable or unavailable

2

3

Denial of Service

An attacker can drain our easily replacable battery

3

4

Denial of Service

An attacker can drain a battery that's hard to replace (sealed in a phone, an implanted medical device, or in a hard to reach location)

4

5

Denial of Service

An attacker can spend our cloud budget

5

6

Denial of Service

An attacker can make a server unavailable or unusable without ever authenticating but the problem goes away when the attacker stops

6

7

Denial of Service

An attacker can make a client unavailable or unusable and the problem persists after the attacker goes away

7

8

Denial of Service

An attacker can make a server unavailable or unusable and the problem persists after the attacker goes away

8

9

Denial of Service

An attacker can make a client unavailable or unusable without ever authenticating and the problem persists after the attacker goes away

9

X

Denial of Service

An attacker can make a server unavailable or unusable without ever authenticating and the problem persists after the attacker goes away

X

J

Denial of Service

An attacker can cause the logging subsystem to stop working

Q

Denial of Service

An attacker can amplify a Denial of Service attack through this component with amplification on the order of 10 to 1

K

Denial of Service

An attacker can amplify a Denial of Service attack through this component with amplification on the order of 100 to 1

A

Denial of Service

You've invented a new Denial of Service attack

A

2

Elevation of Privilege

An attacker has compromised a key technology supplier

2

3

Elevation of Privilege

An attacker can access the cloud service which manages your devices

3

4

Elevation of Privilege

An attacker can escape from a container or other sandbox

4

5

Elevation of Privilege

An attacker can force data through different validation paths which give different results

5

6

Elevation of Privilege

An attacker could take advantage of permissions you set, but don't use

6

7

Elevation of Privilege

An attacker can provide a pointer across a trust boundary, rather than data which can be validated

7

8

Elevation of Privilege

An attacker can enter data that is checked while still under their control and used later on the other side of a trust boundary

8

9

Elevation of Privilege

There's no reasonable way for a caller to figure out what validation of tainted data you perform before passing it to them

9

X

Elevation of Privilege

There's no reasonable way for a caller to figure out what security assumptions you make

X

J

Elevation of Privilege

An attacker can reflect input back to a user, like cross site scripting

Q

Elevation of Privilege

You include user-generated content within your page, possibly including the content of random URLs

K

Elevation of Privilege

An attacker can inject a command that the system will run at a higher privilege level

A

Elevation of Privilege

You've invented a new Elevation of Privilege attack

A

DATA VALIDATION & ENCODING

2

Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code

OWASP SCP
69, 107, 108, 109, 136, 137, 153, 156, 158, 162
OWASP ASVS
1.6.4, 2.10.4, 4.3.2, 7.1.1, 10.2.3, 14.1.1, 14.2.2, 14.3.3
OWASP AppSensor
HT1, HT2, HT3
CAPEC
54, 541
SAFECODE
4, 23
DATA VALIDATION & ENCODING

3

Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats

OWASP SCP
8, 9, 11, 12, 13, 14, 16, 159, 190, 191
OWASP ASVS
1.5.3, 5.1.1, 5.1.2, 5.1.3, 13.2.1, 14.1.2, 14.4.1
OWASP AppSensor
RE7, RE8, AE4, AE5, AE6, AE7, IE2, IE3, CIE1, CIE3, CIE4, HT1, HT2, HT3
CAPEC
28, 48, 126, 165, 213, 220, 221, 261, 262, 271, 272
SAFECODE
3, 16, 24, 35
DATA VALIDATION & ENCODING

4

Dave can input malicious field names or data because it is not being checked within the context of the current user and process

OWASP SCP
8, 10, 183
OWASP ASVS
4.2.1, 5.1.1, 5.1.2, 11.1.1, 11.1.2
OWASP AppSensor
RE3, RE4, RE5, RE6, AE8, AE9, AE10, AE11, SE1, SE3, SE4, SE5, SE6, IE2, IE3, IE4, HT1, HT1, HT2, HT3
CAPEC
28, 31, 48, 126, 162, 165, 213, 220, 221, 261
SAFECODE
24, 35
DATA VALIDATION & ENCODING

5

Jee can bypass the centralized encoding routines since they are not being used everywhere, or the wrong encodings are being used

OWASP SCP
3, 15, 18, 19, 20, 21, 22, 168
OWASP ASVS
1.1.6, 5.3.3, 5.2.1, 5.2.2, 5.2.5
OWASP AppSensor
-
CAPEC
28, 31, 152, 160, 468
SAFECODE
2, 17
DATA VALIDATION & ENCODING

6

Jason can bypass the centralized validation routines since they are not being used on all inputs

OWASP SCP
3, 168
OWASP ASVS
1.1.6, 1.5.3, 5.1.3, 13.2.2, 13.2.5
OWASP AppSensor
IE2, IE3
CAPEC
28
SAFECODE
3, 16, 24
DATA VALIDATION & ENCODING

7

Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed

OWASP SCP
4, 5, 7, 150
OWASP ASVS
1.5.3, 13.2.2, 13.2.5
OWASP AppSensor
IE2, IE3, EE1, EE2
CAPEC
28, 153, 165
SAFECODE
3, 16, 24
DATA VALIDATION & ENCODING

8

Oana can bypass the centralized sanitization routines since they are not being used comprehensively

OWASP SCP
15, 169
OWASP ASVS
1.1.6, 5.2.2, 5.2.5
OWASP AppSensor
-
CAPEC
28, 31, 152, 160, 468
SAFECODE
2, 17
DATA VALIDATION & ENCODING

9

Shamun can bypass input validation or output validation checks because validation failures are not rejected and/or sanitized

OWASP SCP
6, 21, 22, 168
OWASP ASVS
7.1.3
OWASP AppSensor
IE2, IE3
CAPEC
28
SAFECODE
3, 16, 24
DATA VALIDATION & ENCODING

10

Darío can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration to state data on a client device, lack of verification of identity during data validation such as Darío can pretend to be Colin)

OWASP SCP
2, 19, 92, 95, 180
OWASP ASVS
1.12.2, 5.1.3, 9.2.3, 12.2.1, 12.3.1, 12.3.2, 12.3.3, 12.4.2, 12.5.2, 14.5.3
OWASP AppSensor
IE4, IE5
CAPEC
12, 51, 57, 90, 111, 145, 194, 195, 202, 218, 463
SAFECODE
14
DATA VALIDATION & ENCODING

J

Toby has control over input validation, output validation or output encoding code or routines so they can be bypassed

OWASP SCP
1, 17
OWASP ASVS
1.5.3
OWASP AppSensor
RE3, RE4
CAPEC
87, 207, 554
SAFECODE
2, 17
DATA VALIDATION & ENCODING

Q

Xavier can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes

OWASP SCP
10, 15, 16, 19, 20
OWASP ASVS
5.2.1, 5.2.5, 5.3.3, 5.5.4
OWASP AppSensor
IE1, RP3
CAPEC
28, 31, 152, 160, 468
SAFECODE
2, 17
DATA VALIDATION & ENCODING

K

Gabe can inject data into an server-side interpreter (e.g. SQL, OS commands, Xpath, Server JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly

OWASP SCP
15, 19, 20, 21, 22, 167, 180, 204, 211, 212
OWASP ASVS
5.2.1, 5.2.2, 5.3.4, 5.3.7, 5.3.8, 5.3.9, 5.3.10
OWASP AppSensor
CIE1, CIE2
CAPEC
23, 28, 76, 152, 160, 261
SAFECODE
2, 19, 20
DATA VALIDATION & ENCODING

A

You have invented a new attack against Data Validation and Encoding

Read more about this topic in OWASP's free Cheat Sheets on Input Validation, XSS Prevention, DOM-based XSS Prevention, SQL Injection Prevention, and Query Parameterization

AUTHENTICATION

2

James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password)

OWASP SCP
47, 52
OWASP ASVS
2.5.2, 7.1.2, 7.1.4, 7.2.1, 8.2.1, 8.2.2, 8.2.3, 8.3.6
OWASP AppSensor
UT1
CAPEC
-
SAFECODE
28
AUTHENTICATION

3

Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or from memory, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password

OWASP SCP
36, 37, 40, 43, 48, 51, 119, 139, 140, 146
OWASP ASVS
2.5.2, 2.5.3
OWASP AppSensor
-
CAPEC
37, 546
SAFECODE
28
AUTHENTICATION

4

Sebastien can easily identify user names or can enumerate them

OWASP SCP
33, 53
OWASP ASVS
2.2.1, 4.1.5
OWASP AppSensor
AE1
CAPEC
383
SAFECODE
28
AUTHENTICATION

5

Javier can use default, test or easily guessable credentials to authenticate, or can use an old account or an account not necessary for the application

OWASP SCP
54, 175, 178
OWASP ASVS
4.1.5
OWASP AppSensor
AE12, HT3
CAPEC
70
SAFECODE
28
AUTHENTICATION

6

Sven can reuse a temporary password because the user does not have to change it on first use, or it has too long or no expiry, or it does not use an out-of-band delivery method (e.g. post, mobile app, SMS)

OWASP SCP
37, 45, 46, 178
OWASP ASVS
2.5.6
OWASP AppSensor
-
CAPEC
50
SAFECODE
28
AUTHENTICATION

7

Cecilia can use brute force and dictionary attacks against one or many accounts without limit, or these attacks are simplified due to insufficient complexity, length, expiration and re-use requirements for passwords

OWASP SCP
33, 38, 39, 41, 50, 53
OWASP ASVS
2.1.2, 2.1.7, 2.1.10, 2.2.1
OWASP AppSensor
AE2, AE3
CAPEC
2, 16
SAFECODE
27
AUTHENTICATION

8

Kate can bypass authentication because it does not fail secure (i.e. it defaults to allowing unauthenticated access)

OWASP SCP
28
OWASP ASVS
4.1.5
OWASP AppSensor
-
CAPEC
115
SAFECODE
28
AUTHENTICATION

9

Claudia can undertake more critical functions because authentication requirements are too weak (e.g. do not use strong authentication such as two factor), or there is no requirement to re-authenticate for these

OWASP SCP
55, 56
OWASP ASVS
1.4.5, 2.1.6, 2.2.4, 4.1.3, 4.3.3
OWASP AppSensor
-
CAPEC
21
SAFECODE
14, 28
AUTHENTICATION

10

Pravin can bypass authentication controls because a centralized standard, tested, proven and approved authentication module/framework/service, separate to the resource being requested, is not being used

OWASP SCP
25, 26, 27
OWASP ASVS
1.1.6, 1.4.4
OWASP AppSensor
-
CAPEC
90, 115
SAFECODE
14, 28
AUTHENTICATION

J

Mark can access resources or services because there is no authentication requirement, or it was mistakenly assumed authentication would be undertaken by some other system or performed in some previous action

OWASP SCP
23, 32, 34
OWASP ASVS
1.4.5, 4.3.1
OWASP AppSensor
-
CAPEC
115
SAFECODE
14, 28
AUTHENTICATION

Q

Johan can bypass authentication because it is not enforced with equal rigor for all types of authentication functionality (e.g. register, password change, password recovery, log out, administration) or across all versions/channels (e.g. mobile website, mobile app, full website, API, call centre)

OWASP SCP
23, 29, 42, 49
OWASP ASVS
1.4.5, 2.5.6, 2.5.7, 4.3.1
OWASP AppSensor
-
CAPEC
36, 50, 115, 121, 179
SAFECODE
14, 28
AUTHENTICATION

K

Olga can influence or alter authentication code/routines so they can be bypassed

OWASP SCP
24
OWASP ASVS
4.1.1, 10.2.3, 10.2.4, 10.2.5, 10.2.6
OWASP AppSensor
-
CAPEC
115, 207, 554
SAFECODE
14, 28
AUTHENTICATION

A

You have invented a new attack against Authentication

Read more about this topic in OWASP's free Authentication Cheat Sheet

SESSION MANAGEMENT

2

William has control over the generation of session identifiers

OWASP SCP
58, 59
OWASP ASVS
3.7.1
OWASP AppSensor
SE2
CAPEC
31, 60, 61
SAFECODE
28
SESSION MANAGEMENT

3

Ryan can use a single account in parallel since concurrent sessions are allowed

OWASP SCP
68
OWASP ASVS
3.3.3, 3.3.4
OWASP AppSensor
-
CAPEC
-
SAFECODE
28
SESSION MANAGEMENT

4

Alison can set session identification cookies on another web application because the domain and path are not restricted sufficiently

OWASP SCP
59, 61
OWASP ASVS
3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5
OWASP AppSensor
SE2
CAPEC
31, 61
SAFECODE
28
SESSION MANAGEMENT

5

John can predict or guess session identifiers because they are not changed when the user's role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically

OWASP SCP
60, 62, 66, 67, 71, 72
OWASP ASVS
3.2.1, 3.2.2, 3.2.4, 3.3.1
OWASP AppSensor
SE4, SE5, SE6
CAPEC
31
SAFECODE
28
SESSION MANAGEMENT

6

Gary can take over a user's session because there is a long or no inactivity timeout, or a long or no overall session time limit, or the same session can be used from more than one device/location

OWASP SCP
64, 65
OWASP ASVS
3.3.2, 3.3.3, 3.3.4
OWASP AppSensor
SE5, SE6
CAPEC
21
SAFECODE
28
SESSION MANAGEMENT

7

Graham can utilize Adam's session after he has finished, because there is no log out function, or he cannot easily log out, or log out does not properly terminate the session

OWASP SCP
62, 63
OWASP ASVS
3.3.1, 3.3.4
OWASP AppSensor
-
CAPEC
21
SAFECODE
28
SESSION MANAGEMENT

8

Matt can abuse long sessions because the application does not require periodic re-authentication to check if privileges have changed

OWASP SCP
96
OWASP ASVS
3.3.2, 3.6.1
OWASP AppSensor
-
CAPEC
21
SAFECODE
28
SESSION MANAGEMENT

9

Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible un-necessarily by code which the attacker can influence or alter

OWASP SCP
69, 75, 76, 119, 138
OWASP ASVS
1.9.1, 3.1.1, 7.1.1, 7.1.2, 7.2.1, 9.1.3, 9.2.2
OWASP AppSensor
SE4, SE5, SE6
CAPEC
31, 60
SAFECODE
28
SESSION MANAGEMENT

10

Marce can forge requests because per-session, or per-request for more critical actions, strong random tokens (i.e. anti-CSRF tokens) or similar are not being used for actions that change state

OWASP SCP
73, 74
OWASP ASVS
4.2.2
OWASP AppSensor
IE4
CAPEC
62, 111
SAFECODE
18
SESSION MANAGEMENT

J

Jeff can resend an identical repeat interaction (e.g. HTTP request, signal, button press) and it is accepted, not rejected

OWASP SCP
-
OWASP ASVS
11.1.1, 11.1.2, 11.1.3
OWASP AppSensor
IE5
CAPEC
60
SAFECODE
12, 14
SESSION MANAGEMENT

Q

Salim can bypass session management because it is not applied comprehensively and consistently across the application

OWASP SCP
58
OWASP ASVS
1.1.6, 3.7.1
OWASP AppSensor
-
CAPEC
21
SAFECODE
14, 28
SESSION MANAGEMENT

K

Peter can bypass the session management controls because they have been self-built and/or are weak, instead of using a standard framework or approved tested module

OWASP SCP
58, 60
OWASP ASVS
1.1.6
OWASP AppSensor
-
CAPEC
21
SAFECODE
14, 28
SESSION MANAGEMENT

A

You have invented a new attack against Session Management

Read more about this topic in OWASP's free Cheat Sheets on Session Management, and Cross Site Request Forgery (CSRF) Prevention

AUTHORIZATION

2

Tim can influence where data is sent or forwarded to

OWASP SCP
44
OWASP ASVS
4.1.3, 4.2.1, 5.1.5
OWASP AppSensor
-
CAPEC
153
SAFECODE
8, 10, 11
AUTHORIZATION

3

Christian can access information, which he should not have permission to, through another mechanism that does have permission (e.g. search indexer, logger, reporting), or because it is cached, or kept for longer than necessary, or through other information leakage

OWASP SCP
51, 100, 135, 139, 140, 141, 150
OWASP ASVS
4.1.3, 4.1.5, 8.1.2, 8.2.1, 8.3.1, 8.3.4, 8.3.6, 8.3.8, 12.4.1
OWASP AppSensor
-
CAPEC
69, 213
SAFECODE
8, 10, 11
AUTHORIZATION

4

Kelly can bypass authorization controls because they do not fail securely (i.e. they default to allowing access)

OWASP SCP
79, 80
OWASP ASVS
4.1.5
OWASP AppSensor
-
CAPEC
122
SAFECODE
8, 10, 11
AUTHORIZATION

5

Chad can access resources (including services, processes, AJAX, Flash, video, images, documents, temporary files, session data, system properties, configuration data, registry settings, logs) he should not be able to due to missing authorization, or due to excessive privileges (e.g. not using the principle of least privilege)

OWASP SCP
70, 81, 83, 84, 87, 88, 89, 99, 117, 131, 132, 142, 154, 170, 179
OWASP ASVS
1.2.2, 4.1.1, 4.1.3, 4.2.1
OWASP AppSensor
ACE1, ACE2, ACE3, ACE4, HT2
CAPEC
75, 87, 95, 126, 149, 155, 203, 213, 264, 265
SAFECODE
8, 10, 11, 13
AUTHORIZATION

6

Eduardo can access data he does not have permission to, even though he has permission to the form/page/URL/entry point

OWASP SCP
81, 88, 131
OWASP ASVS
4.1.3, 4.2.1
OWASP AppSensor
ACE1, ACE2, ACE3, ACE4
CAPEC
122
SAFECODE
8, 10, 11
AUTHORIZATION

7

Yuanjing can access application functions, objects, or properties he is not authorized to access

OWASP SCP
81, 85, 86, 131
OWASP ASVS
4.1.3, 4.2.1
OWASP AppSensor
ACE1, ACE2, ACE3, ACE4
CAPEC
122
SAFECODE
8, 10, 11
AUTHORIZATION

8

Tom can bypass business rules by altering the usual process sequence or flow, or by undertaking the process in the incorrect order, or by manipulating date and time values used by the application, or by using valid features for unintended purposes, or by otherwise manipulating control data

OWASP SCP
10, 32, 93, 94, 189
OWASP ASVS
4.1.2, 4.2.1, 4.3.3, 7.3.4, 11.1.1, 11.1.2
OWASP AppSensor
ACE3
CAPEC
25, 39, 74, 162, 166, 207
SAFECODE
8, 10, 11, 12
AUTHORIZATION

9

Mike can misuse an application by using a valid feature too fast, or too frequently, or other way that is not intended, or consumes the application's resources, or causes race conditions, or over-utilizes a feature

OWASP SCP
94
OWASP ASVS
11.1.3, 11.1.4
OWASP AppSensor
AE3, FIO1, FIO2, UT2, UT3, UT4, STE1, STE2, STE3
CAPEC
26, 29, 119, 261
SAFECODE
1, 35
AUTHORIZATION

10

Richard can bypass the centralized authorization controls since they are not being used comprehensively on all interactions

OWASP SCP
78, 91
OWASP ASVS
1.1.6, 4.1.1
OWASP AppSensor
ACE1, ACE2, ACE3, ACE4
CAPEC
36, 95, 121, 179
SAFECODE
8, 10, 11
AUTHORIZATION

J

Dinis can access security configuration information, or access control lists

OWASP SCP
89, 90
OWASP ASVS
4.1.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6
OWASP AppSensor
-
CAPEC
75, 133, 203
SAFECODE
8, 10, 11
AUTHORIZATION

Q

Christopher can inject a command that the application will run at a higher privilege level

OWASP SCP
209
OWASP ASVS
5.3.8
OWASP AppSensor
-
CAPEC
17, 30, 69, 234
SAFECODE
8, 10, 11
AUTHORIZATION

K

Ryan can influence or alter authorization controls and permissions, and can therefore bypass them

OWASP SCP
77, 89, 91
OWASP ASVS
4.1.1, 4.1.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6
OWASP AppSensor
-
CAPEC
207, 554
SAFECODE
8, 10, 11
AUTHORIZATION

A

You have invented a new attack against Authorization

Read more about this topic in OWASP's Development and Testing Guides

CRYPTOGRAPHY

2

Kyun can access data because it has been obfuscated rather than using an approved cryptographic function

OWASP SCP
105, 133, 135
OWASP ASVS
6.2.2
OWASP AppSensor
-
CAPEC
-
SAFECODE
21, 29
CRYPTOGRAPHY

3

Axel can modify transient or permanent data (stored or in transit), or source code, or updates/patches, or configuration data, because it is not subject to integrity checking

OWASP SCP
92, 205, 212
OWASP ASVS
10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.3.1, 10.3.2, 14.1.1, 14.1.4, 14.1.5
OWASP AppSensor
SE1, IE4
CAPEC
31, 39, 68, 75, 133, 145, 162, 203, 438, 439, 442
SAFECODE
12, 14
CRYPTOGRAPHY

4

Paulo can access data in transit that is not encrypted, even though the channel is encrypted

OWASP SCP
37, 88, 143, 214
OWASP ASVS
8.3.4, 9.1.1
OWASP AppSensor
-
CAPEC
185, 186, 187
SAFECODE
14, 29, 30
CRYPTOGRAPHY

5

Kyle can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected)

OWASP SCP
103, 145
OWASP ASVS
1.9.1, 6.2.1, 9.1.3, 9.2.2
OWASP AppSensor
-
CAPEC
-
SAFECODE
21, 29
CRYPTOGRAPHY

6

Romain can read and modify unencrypted data in memory or in transit (e.g. cryptographic secrets, credentials, session identifiers, personal and commercially-sensitive data), in use or in communications within the application, or between the application and users, or between the application and external systems

OWASP SCP
36, 37, 143, 146, 147
OWASP ASVS
1.9.1, 2.2.5, 2.5.1, 8.3.4, 8.3.6, 9.1.3, 9.2.2
OWASP AppSensor
-
CAPEC
31, 57, 102, 157, 158, 384, 466, 546
SAFECODE
29
CRYPTOGRAPHY

7

Gunter can intercept or modify encrypted data in transit because the protocol is poorly deployed, or weakly configured, or certificates are invalid, or certificates are not trusted, or the connection can be degraded to a weaker or un-encrypted communication

OWASP SCP
75, 144, 145, 148
OWASP ASVS
1.9.2, 6.2.7, 9.1.1, 9.2.1, 9.2.4, 14.4.5
OWASP AppSensor
IE4
CAPEC
31, 216
SAFECODE
14, 29, 30
CRYPTOGRAPHY

8

Eoin can access stored business data (e.g. passwords, session identifiers, PII, cardholder data) because it is not securely encrypted or securely hashed

OWASP SCP
30, 31, 70, 133, 135
OWASP ASVS
2.4.1, 6.2.2, 6.2.3, 8.3.4
OWASP AppSensor
-
CAPEC
31, 37, 55
SAFECODE
21, 29, 31
CRYPTOGRAPHY

9

Andy can bypass random number generation, random GUID generation, hashing and encryption functions because they have been self-built and/or are weak

OWASP SCP
60, 104, 105
OWASP ASVS
6.2.2, 6.2.3, 6.3.1, 6.3.3
OWASP AppSensor
-
CAPEC
97
SAFECODE
14, 21, 29, 32, 33
CRYPTOGRAPHY

10

Susanna can break the cryptography in use because it is not strong enough for the degree of protection required, or it is not strong enough for the amount of effort the attacker is willing to make

OWASP SCP
104, 105
OWASP ASVS
6.3.3
OWASP AppSensor
-
CAPEC
97, 463
SAFECODE
14, 21, 29, 31, 32, 33
CRYPTOGRAPHY

J

Justin can read credentials for accessing internal or external resources, services and others systems because they are stored in an unencrypted format, or saved in the source code

OWASP SCP
35, 90, 171, 172
OWASP ASVS
1.6.1, 1.6.2, 1.6.4, 2.10.4, 6.4.1, 6.4.2
OWASP AppSensor
-
CAPEC
116
SAFECODE
21, 29
CRYPTOGRAPHY

Q

Artim can access or predict the master cryptographic secrets

OWASP SCP
35, 102
OWASP ASVS
1.6.1, 1.6.2, 1.6.3, 6.2.3, 8.3.6
OWASP AppSensor
-
CAPEC
116, 117
SAFECODE
21, 29
CRYPTOGRAPHY

K

Dan can influence or alter cryptography code/routines (encryption, hashing, digital signatures, random number and GUID generation) and can therefore bypass them

OWASP SCP
31, 101
OWASP ASVS
1.6.2, 6.2.5, 6.2.6, 6.2.7, 6.2.8
OWASP AppSensor
-
CAPEC
207, 554
SAFECODE
14, 21, 29
CRYPTOGRAPHY

A

You have invented a new attack against Cryptography

Read more about this topic in OWASP's free Cheat Sheets on Cryptographic Storage, and Transport Layer Protection

CORNUCOPIA

2

Lee can bypass application controls because dangerous/risky programming language functions have been used instead of safer alternatives, or there are type conversion errors, or because the application is unreliable when an external resource is unavailable, or there are race conditions, or there are resource initialization or allocation issues, or overflows can occur

OWASP SCP
194, 195, 196, 197, 198, 199, 200, 201, 202, 205, 206, 207, 208, 209
OWASP ASVS
14.1.2
OWASP AppSensor
-
CAPEC
25, 26, 29, 96, 123, 124, 128, 129, 264, 265
SAFECODE
3, 5, 6, 7, 9, 22, 25, 26, 34
CORNUCOPIA

3

Andrew can access source code, or decompile, or otherwise access business logic to understand how the application works and any secrets contained

OWASP SCP
134
OWASP ASVS
14.1.1
OWASP AppSensor
-
CAPEC
189, 207
SAFECODE
-
CORNUCOPIA

4

Keith can perform an action and it is not possible to attribute it to him

OWASP SCP
23, 32, 34, 42, 51, 181
OWASP ASVS
7.2.1, 7.2.2
OWASP AppSensor
-
CAPEC
-
SAFECODE
-
CORNUCOPIA

5

Larry can influence the trust other parties including users have in the application, or abuse that trust elsewhere (e.g. in another application)

OWASP SCP
-
OWASP ASVS
1.9.2, 5.1.5, 9.1.1, 9.2.1, 9.2.4
OWASP AppSensor
-
CAPEC
89, 103, 181, 459
SAFECODE
-
CORNUCOPIA

6

Aaron can bypass controls because error/exception handling is missing, or is implemented inconsistently or partially, or does not deny access by default (i.e. errors should terminate access/execution), or relies on handling by some other service or system

OWASP SCP
109, 110, 111, 112, 155
OWASP ASVS
4.1.5, 7.1.4
OWASP AppSensor
-
CAPEC
54, 98, 164
SAFECODE
4, 11, 23
CORNUCOPIA

7

Mwengu's actions cannot be investigated because there is not an adequate accurately time-stamped record of security events, or there is not a full audit trail, or these can be altered or deleted by Mwengu, or there is no centralized logging service

OWASP SCP
113, 114, 115, 117, 118, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130
OWASP ASVS
7.1.2, 7.1.4, 7.2.1, 7.2.2, 7.3.1, 7.3.3, 8.3.5, 9.2.5
OWASP AppSensor
-
CAPEC
93
SAFECODE
4
CORNUCOPIA

8

David can bypass the application to gain access to data because the network and host infrastructure, and supporting services/applications, have not been securely configured, the configuration rechecked periodically and security patches applied, or the data is stored locally, or the data is not physically protected

OWASP SCP
151, 152, 156, 160, 161, 173, 174, 175, 176, 177
OWASP ASVS
1.4.5, 10.3.1, 10.3.2, 14.1.4, 14.1.5, 14.2.1, 14.2.2
OWASP AppSensor
RE1, RE2
CAPEC
37, 220, 310, 436, 536
SAFECODE
-
CORNUCOPIA

9

Michael can bypass the application to gain access to data because administrative tools or administrative interfaces are not secured adequately

OWASP SCP
23, 29, 56, 81, 82, 84, 85, 86, 87, 88, 89, 90
OWASP ASVS
1.4.5, 4.3.1
OWASP AppSensor
-
CAPEC
122, 233
SAFECODE
-
CORNUCOPIA

10

Spyros can circumvent the application's controls because code frameworks, libraries and components contain malicious code or vulnerabilities (e.g. in-house, commercial off the shelf, outsourced, open source, externally-located)

OWASP SCP
57, 151, 152, 204, 205, 213, 214
OWASP ASVS
1.14.3, 10.1.1, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 14.2.1
OWASP AppSensor
-
CAPEC
68, 438, 439, 442, 524, 538
SAFECODE
15
CORNUCOPIA

J

Roman can exploit the application because it was compiled using out-of-date tools, or its configuration is not secure by default, or security information was not documented and passed on to operational teams

OWASP SCP
90, 137, 148, 151, 152, 153, 154, 175, 176, 177, 178, 179, 186, 192
OWASP ASVS
1.14.3, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 14.2.1
OWASP AppSensor
-
CAPEC
-
SAFECODE
4
CORNUCOPIA

Q

Jim can undertake malicious, non-normal, actions without real-time detection and response by the application

OWASP SCP
-
OWASP ASVS
8.1.4, 11.1.1, 11.1.2, 11.1.3, 11.1.4
OWASP AppSensor
(All)
CAPEC
-
SAFECODE
1, 27
CORNUCOPIA

K

Grant can utilize the application to deny service to some or all of its users

OWASP SCP
41, 55
OWASP ASVS
2.2.1, 11.1.3, 11.1.4
OWASP AppSensor
UT1, UT2, UT3, UT4, STE3
CAPEC
2, 25, 119, 125
SAFECODE
1
CORNUCOPIA

A

You have invented a new attack of any type

Read more about application security in OWASP's free Guides on Requirements, Development, Code Review and Testing, the Cheat Sheet series, and the Open Software Assurance Maturity Model

WILD CARD

A

Alice can utilize the application to attack users' systems and data

Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP's work

WILD CARD

B

Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates

OWASP SCP
OWASP ASVS
OWASP AppSensor
CAPEC
SAFECODE
Platform & Code

2

Andrew can expose sensitive data through the app's auto-generated screenshots when the app moves to the background

OWASP MASVS
PLATFORM-3
OWASP MASTG
TEST-0010, TEST-0059
CAPEC
37, 155, 498, 648
SAFECODE
-
Platform & Code

3

Harold can spy sensitive data being entered through the user interface because the data is excessive, not properly masked or cleaned up after use

OWASP MASVS
PLATFORM-3
OWASP MASTG
TEST-0008, TEST-0037, TEST-0057
CAPEC
508
SAFECODE
-
Platform & Code

4

Kelly can expose sensitive data by taking advantage of the app's excessive permissions connected to the app's use of location, camera, microphone, storage, etc

OWASP MASVS
PLATFORM-1
OWASP MASTG
TEST-0024, TEST-0069
CAPEC
634, 651
SAFECODE
11
Platform & Code

5

Jason can provoke memory leak or corruption because the app has cyclic dependencies, manages pointers inadequately, keeps an incorrect reference count, does not release shared resources or apply stack protection

OWASP MASVS
CODE-4
OWASP MASTG
TEST-0043, TEST-0044, TEST-0086
CAPEC
14, 24, 44, 45, 46, 47, 92, 100, 124, 128, 129, 131, 679
SAFECODE
7, 9, 34, 36
Platform & Code

6

Dawn can expose and intercept sensitive functionality through interprocess communication because permissions for broadcast and sharing are not set, not narrow enough or because sensitive functionality isn't appropriately excluded when sharing

OWASP MASVS
PLATFORM-1
OWASP MASTG
TEST-0029, TEST-0030, TEST-0071
CAPEC
94, 117, 499, 502, 504
SAFECODE
8, 10, 11
Platform & Code

7

Lauren can traverse or modify otherwise protected files through access to the underlying file system by exploiting weaknesses in file system-based content providers, resolvers or its configuration

OWASP MASVS
PLATFORM-1
OWASP MASTG
TEST-0007, TEST-0056
CAPEC
126, 127, 139, 597, 643
SAFECODE
16, 33
Platform & Code

8

Colin can expose sensitive data through the app's interprocess communication because the content provider's query methods are not properly parameterized and arguments sanitized

OWASP MASVS
PLATFORM-1
OWASP MASTG
TEST-0007, TEST-0056
CAPEC
137, 499, 502, 586
SAFECODE
-
Platform & Code

9

Toby can modify or expose data by injection because the response from implicit intents is not properly validated

OWASP MASVS
CODE-4
OWASP MASTG
TEST-0026
CAPEC
497, 499, 502
SAFECODE
17
Platform & Code

10

Max can modify or expose data because input validation and sanitation are not properly applied to interprocess communication or because extensions are not properly restricted

OWASP MASVS
CODE-4
OWASP MASTG
TEST-0025, TEST-0072
CAPEC
137, 499, 502, 586
SAFECODE
-
Platform & Code

J

Johan can modify or expose sensitive data by exploiting weaknesses in the SDK or third party libraries because updates to the app and platform are not enforced or do not patch known software vulnerabilities

OWASP MASVS
CODE-1, CODE-2, CODE-3
OWASP MASTG
TEST-0036, TEST-0042, TEST-0080, TEST-0085
CAPEC
310, 538, 691
SAFECODE
-
Platform & Code

Q

Xavier can inject scripts into the web view because it allows embedding content using deep linking without proper authorization and validation of the host, schema and path of the target as these can be changed by the user or because safe browsing is disabled

OWASP MASVS
PLATFORM-1, PLATFORM-2
OWASP MASTG
TEST-0027, TEST-0028, TEST-0031, TEST-0070, TEST-0076, TEST-0077
CAPEC
175, 240, 242, 500, 591, 592
SAFECODE
17
Platform & Code

K

Grant can modify or expose data by influencing or altering JavaScript bridges, extensions or interprocess communication (e.g. shared memory, message passing, pipes, sockets)

OWASP MASVS
PLATFORM-1, PLATFORM-2
OWASP MASTG
TEST-0007, TEST-0030, TEST-0033, TEST-0056, TEST-0072, TEST-0078
CAPEC
137, 138, 499, 502, 586
SAFECODE
-
Platform & Code

A

You have invented a new attack against “Platform and Code”

Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Code Quality” in the “Mobile Application Security Testing Guide” on the OWASP MAS website

Authentication & Authorization

2

Jie can use the app to do sensitive operations because the “unlocked key” is not used during the application flow

OWASP MASVS
AUTH-2, AUTH-3
OWASP MASTG
TEST-0017, TEST-0064
CAPEC
115
SAFECODE
28
Authentication & Authorization

3

Choi can access capabilities, objects, resources, or properties they should not be authorized to access because entitlements or permissions are too wide, not properly set or not enforced

OWASP MASVS
AUTH-1, AUTH-3
OWASP MASTG
TEST-0024, TEST-0032, TEST-0069, TEST-0077
CAPEC
122
SAFECODE
8, 10, 11
Authentication & Authorization

4

Vandana can bypass biometric authentication because the authentication is misconfigured or not implemented correctly

OWASP MASVS
AUTH-2
OWASP MASTG
TEST-0018
CAPEC
114, 115, 554
SAFECODE
28
Authentication & Authorization

5

Eiman can bypass the local authentication through patching and/or by instrumentation because the authentication can be patched out or overloaded

OWASP MASVS
AUTH-2
OWASP MASTG
TEST-0017, TEST-0018, TEST-0064
CAPEC
114, 115, 207, 554
SAFECODE
28
Authentication & Authorization

6

Anant can perform sensitive operations without additional authentication because authentication requirements are too weak or missing

OWASP MASVS
AUTH-2, AUTH-3
OWASP MASTG
TEST-0064
CAPEC
20, 49, 50, 55, 115
SAFECODE
28
Authentication & Authorization

7

Abdullah can bypass authentication by altering the usual process sequence or flow, or by undertaking the process in incorrect order, or by manipulating date and time values used by the app, or by using valid features for unintended purposes

OWASP MASVS
AUTH-1
OWASP MASTG
TEST-0034, TEST-0079
CAPEC
39, 74, 162, 166, 207
SAFECODE
8, 10, 11, 12
Authentication & Authorization

8

Pramod can intercept credentials through misdirection because the app is vulnerable to attacks like Tapjacking, StrandHogg and/or URL scheme hijacking

OWASP MASVS
AUTH-1, CODE-4, PLATFORM-1, PLATFORM-3
OWASP MASTG
TEST-0025, TEST-0030, TEST-0035, TEST-0072, TEST-0075
CAPEC
153, 505, 506
SAFECODE
-
Authentication & Authorization

9

Wong can bypass the authentication because it does not fail securely. (i.e. it defaults to allowing unauthenticated access)

OWASP MASVS
AUTH-2
OWASP MASTG
TEST-0017, TEST-0018, TEST-0064
CAPEC
114, 115, 554
SAFECODE
28
Authentication & Authorization

10

Prasad can bypass the centralized authentication and authorization controls since they are not being used comprehensively on all interactions

OWASP MASVS
AUTH-1
OWASP MASTG
TEST-0017, TEST-0064
CAPEC
36, 121
SAFECODE
8, 10, 11
Authentication & Authorization

J

Ade can bypass authentication because it is not enforced using a remote endpoint, or it is not based on a cryptographic primitive protected by keystore/keychain access control flags

OWASP MASVS
AUTH-2
OWASP MASTG
TEST-0017, TEST-0018, TEST-0064
CAPEC
114, 115, 554
SAFECODE
28
Authentication & Authorization

Q

Riotaro can inject and run a command that the application will run at a higher privilege level without being authenticated or authorized to do so

OWASP MASVS
AUTH-1
OWASP MASTG
TEST-0033, TEST-0025, TEST-0078
CAPEC
17, 30, 69, 234
SAFECODE
8, 10, 11
Authentication & Authorization

K

Aatif can influence or alter authentication controls and can therefore bypass them

OWASP MASVS
AUTH-2
OWASP MASTG
TEST-0017, TEST-0018, TEST-0064
CAPEC
114, 115, 207, 554
SAFECODE
8, 10, 11
Authentication & Authorization

A

You have invented a new attack against “Authentication & Authorization”

Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Authentication Architectures” in the “Mobile Application Security Testing Guide” on the OWASP MAS website

Network & Storage

2

Matt can inspect sensitive application log data because logging statements have not been removed or reviewed as safe before the production release

OWASP MASVS
STORAGE-2
OWASP MASTG
TEST-0003, TEST-0053
CAPEC
155
SAFECODE
11, 23, 29
Network & Storage

3

Bil can access sensitive data for sensitive fields from the pasteboard/clipboard or keyboard cache because the pasteboard/clipboard is not timely cleared, disabled or restricted for sensitive fields, or the keyboard cache is not disabled

OWASP MASVS
STORAGE-2
OWASP MASTG
TEST-0006, TEST-0055, TEST-0073
CAPEC
204, 637, 679
SAFECODE
-
Network & Storage

4

Ricardo can extract data stored by the app on a stolen or decommissioned device because it does not enforce device access security policies (e.g. PIN protected locking, app-/os-version, USB debug deactivation, device encryption and rooting)

OWASP MASVS
STORAGE-1
OWASP MASTG
TEST-0012
CAPEC
406, 675
SAFECODE
-
Network & Storage

5

Kevin can read sensitive data mapped to user accounts or sessions by extracting data sent through third-party libraries and/or notifications sent between the app and embedded services (e.g. logs, notifications, backups, cache, local db)

OWASP MASVS
STORAGE-2
OWASP MASTG
TEST-0004, TEST-0005, TEST-0054
CAPEC
155, 161, 204, 220, 639, 643
SAFECODE
11, 23, 29
Network & Storage

6

Sam can dump sensitive data from memory because the data is not stored as primitive data types and overwritten with random data after use or because the app's input fields use insecure SDKs to store the data in RAM

OWASP MASVS
STORAGE-2
OWASP MASTG
TEST-0011, TEST-0060
CAPEC
679
SAFECODE
-
Network & Storage

7

Steve can access sensitive data by reading backups and/or local, internal/external storage

OWASP MASVS
STORAGE-1, STORAGE-2
OWASP MASTG
TEST-0001, TEST-0003, TEST-0009, TEST-0052, TEST-0053, TEST-0058
CAPEC
37, 155, 204, 639, 643
SAFECODE
11, 23, 29
Network & Storage

8

Martin can modify or expose sensitive data through unsafe reflection when reading data from public data storage (e.g. shared preferences) because the data is not validated before being read by the app

OWASP MASVS
STORAGE-1, CODE-4
OWASP MASTG
TEST-0002
CAPEC
176
SAFECODE
-
Network & Storage

9

Adrian can compromise the app communication through a proxy because the app does not make use of certificate pinning or implements it incorrectly

OWASP MASVS
NETWORK-2
OWASP MASTG
TEST-0022, TEST-0068
CAPEC
57, 94, 156, 465, 466, 479, 701
SAFECODE
14, 30
Network & Storage

10

Maarten can compromise the communication between the app and the external services because the app does not verify TLS certificates and -chains, trust insecure sources, lack hostname verification or ignore TLS verification issues

OWASP MASVS
NETWORK-1
OWASP MASTG
TEST-0019, TEST-0021, TEST-0065, TEST-0067
CAPEC
57, 94, 156, 465, 466, 479, 701
SAFECODE
14, 29, 30
Network & Storage

J

Nihel can compromise the communication as it may fall back to an insecure or unencrypted channel, because encryption is optional, or because of client-server protocol or security provider weaknesses

OWASP MASVS
NETWORK-1
OWASP MASTG
TEST-0020, TEST-0023, TEST-0066
CAPEC
57, 94, 156, 220, 459, 465, 466
SAFECODE
12, 14, 29, 30
Network & Storage

Q

Ahmed can read and modify data in transit because the communication is transmitted over an unencrypted channel

OWASP MASVS
NETWORK-1
OWASP MASTG
TEST-0019, TEST-0065
CAPEC
31, 36, 57, 102, 157, 158, 384, 466
SAFECODE
29, 30
Network & Storage

K

Taher can intercept, extract or modify sensitive data at rest or in transit by influencing or altering methods for transferring or storing data at rest or in transit

OWASP MASVS
STORAGE-1
OWASP MASTG
TEST-0001, TEST-0052
CAPEC
75, 76, 113, 153, 161, 165, 176, 190, 207, 210, 554, 562
SAFECODE
12, 19
Network & Storage

A

You have invented a new attack against “Network & Storage”

Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Network Communication” in the “Mobile Application Security Testing Guide” on the OWASP MAS website

Resilience

2

Sebastien can disclose sensitive data because the application is set up to log debug information at runtime

OWASP MASVS
RESILIENCE-3
OWASP MASTG
TEST-0041, TEST-0084
CAPEC
37, 167, 191
SAFECODE
-
Resilience

3

Tobias can disclose sensitive data by dumping debug symbols while the application is running

OWASP MASVS
RESILIENCE-3
OWASP MASTG
TEST-0040, TEST-0083
CAPEC
37, 167, 191
SAFECODE
-
Resilience

4

Timur can change the code of the production release because the code of the application has not been properly signed using a valid production certificate

OWASP MASVS
RESILIENCE-2
OWASP MASTG
TEST-0038, TEST-0081
CAPEC
68, 167, 206, 476
SAFECODE
14
Resilience

5

Matteo can bypass access controls and trigger functionality because debugging is left enabled in the production build

OWASP MASVS
RESILIENCE-4
OWASP MASTG
TEST-0039, TEST-0082
CAPEC
115, 167, 554
SAFECODE
-
Resilience

6

Joren can bypass access controls because the anti-debugging controls aren't strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
RESILIENCE-4
OWASP MASTG
TEST-0046, TEST-0089
CAPEC
115, 167, 554
SAFECODE
-
Resilience

7

Erlend can compromise the app by running it in an emulator because the prevention against emulators are not strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
RESILIENCE-1
OWASP MASTG
TEST-0049, TEST-0092
CAPEC
189, 554
SAFECODE
-
Resilience

8

Carlos can reverse engineer the app because the anti-reverse engineering controls aren't strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
RESILIENCE-4
OWASP MASTG
TEST-0048, TEST-0091
CAPEC
167, 554
SAFECODE
-
Resilience

9

Sean can reverse engineer the app because the code obfuscation isn't strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
RESILIENCE-3
OWASP MASTG
TEST-0051, TEST-0093
CAPEC
167, 554
SAFECODE
-
Resilience

10

Juan can bypass jailbreak and root detection and execute administrative functions to bypass integrity checks and access controls and trigger app functionality

OWASP MASVS
RESILIENCE-1
OWASP MASTG
TEST-0045, TEST-0088
CAPEC
167, 660, 661
SAFECODE
-
Resilience

J

Pekka can compromise the integrity of the storage because the file integrity checks aren't strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
RESILIENCE-2
OWASP MASTG
TEST-0047, TEST-0090
CAPEC
23, 165, 167
SAFECODE
-
Resilience

Q

Titus can patch out critical functionality because the runtime integrity checks are not strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
RESILIENCE-4
OWASP MASTG
TEST-0050
CAPEC
167, 554
SAFECODE
-
Resilience

K

Sherif can influence or alter controls against reverse engineering and runtime protection and can therefore bypass them

OWASP MASVS
RESILIENCE-4
OWASP MASTG
TEST-0046, TEST-0089
CAPEC
167, 554
SAFECODE
-
Resilience

A

You have invented a new attack against “Resilience”

Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Tampering and Reverse Engineering” in the “Mobile Application Security Testing Guide” on the OWASP MAS website

Cryptography

2

Lesego can compromise cryptographic operations and resources because keys are reused for multiple purposes, or not used according to the purpose for which they were created

OWASP MASVS
CRYPTO-2
OWASP MASTG
TEST-0015, TEST-0062
CAPEC
97, 116, 117
SAFECODE
14, 29
Cryptography

3

Emery can access data because it has been obfuscated rather than using an approved cryptographic function

OWASP MASVS
CRYPTO-1
OWASP MASTG
TEST-0014, TEST-0061
CAPEC
37, 204
SAFECODE
21, 29
Cryptography

4

Enselme can modify sensitive data (stored or in transit) because it is not subject to integrity checking

OWASP MASVS
CRYPTO-1, CODE-4
OWASP MASTG
TEST-0002
CAPEC
68, 75, 145, 438, 439, 442
SAFECODE
12, 14
Cryptography

5

Orace can predict the seed value used for generating cryptographic keys thereby compromising the cryptographic key

OWASP MASVS
CRYPTO-1
OWASP MASTG
TEST-0016, TEST-0063
CAPEC
20, 112, 485
SAFECODE
29, 33
Cryptography

6

Kouti can extract sensitive data because the cryptographic key, used, is hard-coded or stored insecurely such as in local, internal/external storage

OWASP MASVS
STORAGE-1, CRYPTO-1, CRYPTO-2
OWASP MASTG
TEST-0001, TEST-0013, TEST-0052, TEST-0062
CAPEC
37, 117, 155, 191, 204
SAFECODE
21, 29
Cryptography

7

Ramsey can access stored sensitive data because it is not securely encrypted

OWASP MASVS
STORAGE-1, CRYPTO-2
OWASP MASTG
TEST-0001, TEST-0013, TEST-0052, TEST-0062
CAPEC
37, 117, 155, 191, 204
SAFECODE
21, 29, 31
Cryptography

8

Adel can predict and use the app's cryptographic keys because they are insufficiently long and random, can be enumerated, or derived from known values

OWASP MASVS
CRYPTO-1
OWASP MASTG
TEST-0013, TEST-0016, TEST-0063
CAPEC
20, 55, 112, 485
SAFECODE
21, 29, 32, 33
Cryptography

9

Fady can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected)

OWASP MASVS
CRYPTO-1
OWASP MASTG
TEST-0014
CAPEC
97, 620
SAFECODE
21, 29
Cryptography

10

Ash can break the cryptography because it is not strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
CRYPTO-1
OWASP MASTG
TEST-0014, TEST-0061
CAPEC
20, 116, 117, 97, 112, 485
SAFECODE
14, 23, 29, 31, 32, 33
Cryptography

J

Hassan can extract or modify sensitive data because functions for storage and/or encryption are weak, deprecated or used incorrectly

OWASP MASVS
CRYPTO-1, STORAGE-1
OWASP MASTG
TEST-0001, TEST-0014, TEST-0052, TEST-0061
CAPEC
210, 212
SAFECODE
15
Cryptography

Q

Simon can bypass hashing and encryption functions because they are custom and/or inadequately implemented

OWASP MASVS
CRYPTO-1
OWASP MASTG
TEST-0014, TEST-0061
CAPEC
20, 116, 117, 97, 112, 485
SAFECODE
14, 21, 29, 32, 33
Cryptography

K

Tarik can influence or alter cryptographic operations and can therefore bypass them

OWASP MASVS
CRYPTO-1, CRYPTO-2
OWASP MASTG
TEST-0014, TEST-0061, TEST-0062
CAPEC
54, 97, 116, 117, 220
SAFECODE
14, 21, 29
Cryptography

A

You have invented a new attack against “Cryptography”

Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Cryptography” in the “Mobile Application Security Testing Guide” on the OWASP MAS website

Cornucopia

2

Garth can reduce app users' privacy because the app is not transparent about the app's data collection and usage in a concise, easily accessible and understandable way

OWASP MASVS
PRIVACY-3
OWASP MASTG
-
CAPEC
410
SAFECODE
-
Cornucopia

3

Elsa can reduce app users' privacy because the app does not allow for the user to easily manage, delete and modify their data, change privacy settings and re-prompt for consent when more data is required

OWASP MASVS
PRIVACY-4
OWASP MASTG
-
CAPEC
410
SAFECODE
-
Cornucopia

4

Elizabeth can reduce app users' privacy because the app sends too much personal data without the user's consent to downstream services that are outside the user's control

OWASP MASVS
PRIVACY-1
OWASP MASTG
-
CAPEC
410
SAFECODE
-
Cornucopia

5

Debarghaya can reduce app users' privacy because the app repurpose personal information (e.g. device IDs, IP addresses, behavioral patterns) collected for security concerns in order to cater for commercial interests without consent

OWASP MASVS
PRIVACY-4
OWASP MASTG
-
CAPEC
410
SAFECODE
-
Cornucopia

6

Kim can reduce app users' privacy because the app repurpose biometric information (e.g. fingerprints, facial recognition data, etc.) collected for security concerns in order to cater for commercial interests

OWASP MASVS
PRIVACY-2
OWASP MASTG
-
CAPEC
410
SAFECODE
-
Cornucopia

7

Gastón can execute malicious actions through intent redirection because the intent is not properly sanitized and immutable

OWASP MASVS
CODE-4, PLATFORM-1
OWASP MASTG
TEST-0025, TEST-0030, TEST-0072
CAPEC
499, 502
SAFECODE
-
Cornucopia

8

Roxana can do arbitrary file overwrites and potentially execute malicious code through path traversal because the target path and directory is not appropriately validated

OWASP MASVS
STORAGE-2
OWASP MASTG
-
CAPEC
126
SAFECODE
16
Cornucopia

9

Alessandro can exploit the app by taking advantage of buffer overflows and memory leaks to write foreign code within the mobile code's address space

OWASP MASVS
CODE-4
OWASP MASTG
TEST-0043, TEST-0086
CAPEC
92, 100
SAFECODE
3, 6, 36
Cornucopia

10

Carlos can use the application's notification services to launch phishing campaigns because notifications are not sanitized and validated according to best practices

OWASP MASVS
CODE-4
OWASP MASTG
TEST-0025, TEST-0072
CAPEC
137, 499, 502, 586
SAFECODE
-
Cornucopia

J

Luis can influence or alter cryptographic methods to corrupt other users' data because the integrity of the encrypted data is not verified before being shared with external services

OWASP MASVS
CRYPTO-1, CODE-4
OWASP MASTG
TEST-0002
CAPEC
23, 165, 442
SAFECODE
-
Cornucopia

Q

Victor can patch the app and use it to distribute malicious code because the runtime integrity checks are not strong enough according to what is recommended or the perceived effort of a potential attacker

OWASP MASVS
RESILIENCE-4
OWASP MASTG
TEST-0050
CAPEC
167, 202, 554
SAFECODE
-
Cornucopia

K

Ruben can use the app, without modifications, to spread malicious code because methods for transfer and storage do not perform proper data sanitization and validation

OWASP MASVS
RESILIENCE-2
OWASP MASTG
TEST-0047, TEST-0090
CAPEC
17, 23, 165, 167, 636
SAFECODE
-
Cornucopia

A

You have invented a new attack of any type

Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App User Privacy Protection” in the “Mobile Application Security Testing Guide” on the OWASP MAS website

Wild Card

A

Starr can influence, alter or affect the app so that it no longer complies with legal, regulatory, contractual or other mandates

Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP's work

Wild Card

B

Mallory can use the app installed on Bob's device maliciously to surveil, spy on, eavesdrop, control remotely, track or otherwise monitor Bob, without consent and/or notification

OWASP MASVS
OWASP MASTG
CAPEC
SAFECODE
2

Model Risk

Catastrophic forgetting

[ eval:5:catastrophic forgetting ]

When a model is filled with too much overlapping information, collisions in the representation space may lead to the model “forgetting” information.

3

Model Risk

Oscillation

[ alg:8:oscillation ]

An ML system may end up oscillating and not properly converging if using gradient descent in a space with a misleading gradient.

4

Model Risk

Randomness

[ alg:4:randomness ]

Setting weights and thresholds with a bad RNG can damage system behavior and lead to subtle security issues.

5

Model Risk

Online system manipulation

[ alg:1:online ]

When an ML system system online keeps learning during operations, clever attackers can nudge the model so that it drifts from its intended operational profile.

6

Model Risk

Overfitting

[ eval:1:overfitting ]

The model learns its training dataset so well that it's no longer able to generalize outside of the training set and will perform poorly.

7

Model Risk

Hyperparameters

[ inference:3:hyperparameters ]

An attacker that can control the hyperparameters can manipulate the future training of the machine learning model

8

Model Risk

Hosting

[ nference:4: hosting ]

The server where the model is hosted is insufficiently protected against unauthorized parties.

9

Model Risk

Hyperparameter sensitivity

[ alg:10:hyperparameter sensitivity ]

Sensitive hyperparameters that have been set experimentally may not be sufficient for the intended problem space, and can lead to overfitting.

10

Model Risk

Model theft

[ model:5:steal the box ]

Stealing ML system knowledge is possible through direct input/output observation, enabling attackers to reverse engineer the model.

J

Model Risk

Training set reveal

[ model:4:training set reveal ]

Most ML algorithms learn a great deal about its data and store a representation internally. This data may be sensitive, and can potentially be extracted from the model.

Q

Model Risk

Trojanized model

[ model:2:Trojan ]

Model transfer leads to the possibility that what is being reused may be a Trojaned (or otherwise damaged) version of the model.

K

Model Risk

Improper re-use of model

[ model:1:improper re-use ]

ML models are re-used in transfer situations, where a pre-trained model is specialized toward a new use case. The model may be transferred into a problem space it's not designed for.

A

Model Risk

 

 

You have invented your own risk associated with machine learning models.

2

Input Risk

LLM feedback scores

[ LLM:inference:6:feedback scores ]

Some LLM chat systems allow user feedback as a parameter for tuning their system. This can be abused by attackers that give feedback in a coordinated fashion to nudge the ML system.

3

Input Risk

Open to the public

[ LLM:input:3:open to the public ]

An LLM model is often open to the public, which makes it susceptible to attacks from users.

4

Input Risk

Sponge input

[ LLM:input:5:sponge input ]

A sponge attack provides an LLM system with input that is more costly to process than “normal”. Like a Dos attack, as it seeks to exhaust processing budget.

5

Input Risk

Input ambiguity

[ LLM:input:6:input ambiguity ]

English, the main interface language for LLMs, is an ambiguous interface. Natural language can be misleading, making LLMs susceptible to misinformation.

6

Input Risk

Text encoding

[ raw:7:text encoding ]

An ML system engineered with one text encoding scheme in mind might yield surprising results if presented with a differently encoded text.

7

Input Risk

Denial of service

[ system:10:denial of service ]

Denial of Service attacks can have a massive impact on a critical ML system. When an ML system breaks down, recovery may not be possible.

8

Input Risk

User risk

[ inference:5:user risk ]

A user may expose their personal data and their interests to the owners of an ML system when they interact with the system.

9

Input Risk

Dirty input

[ input:3:dirty input ]

Dirty inputs can be hard to process, and may be leveraged by an attacker adding noise in their prompts or in data sources for future training.

10

Input Risk

Controlled input stream

[ input:2:controlled input stream ]

Outside sources of input may be manipulated by an attacker.

J

Input Risk

Looped input

[ input:4:looped input ]

ML system output to the real world may feed back into training data or input, leading to a feedback loop, termed recursive pollution.

Q

Input Risk

Prompt injection

[ LLM:input:2:prompt injection ]

Input manipulation for LLMs. An attacker manipulates a large language model (LLM} through malicious inputs to override initial instructions given in system prompts.

K

Input Risk

Malicious input

[ input:1:adversarial examples ]

Fool a machine learning system by providing malicious input that causes the ML system to make a false prediction or categorization.

A

Input Risk

 

 

You have invented your own risk associated with machine learning input.

2

Output Risk

Cry wolf

[ system:6:cry wolf ]

If an ML model is integrated into a security decision and raises too many alarms, its output may be ignored .

3

Output Risk

Black box discrimination

[ system:1:black box discrimination ]

ML systems that operate with high impact decisions based on personal data carry the risk of illegal discrimination based on bias .

4

Output Risk

LLM overreliance

[ OWASP LLM09 ]

Dependence on an LLM without oversight may lead to misinformation and legal concerns. It will also be hard to detect an attack against the LLM system .

5

Output Risk

Inscrutability

[ output:4:inscrutability ]

In far too many cases with ML, nobody is really sure how the trained systems do what they do. This negatively affects trustworthiness .

6

Output Risk

Miscategorization

[ output:3:miscategorization ]

Bad output due to internal bias, malicious input or other attacks may escape into the world .

7

Output Risk

Transparency

[ output:5:transparency ]

It is easier to perform attacks undetected on a black-box system which is not transparent about how it works .

8

Output Risk

Confidence scores

[ inference:3:confidence scores ]

An ML model's confidence scores can help an attacker tweak inputs to make the system misbehave .

9

Output Risk

Wrongness

[ LLM:output:2:wrongness ]

LLMs are stochastic in their nature, and can generate highly convincing misinformation in their attempt to satisfy the prediction of the next tokens from a prompt.

10

Output Risk

Excessive LLM agency

[ OWASP LLM0S ]

An LLM-based system may undertake actions leading to unintended consequences if granted excessive functionality, permissions, or autonomy .

J

Output Risk

Overconfidence

[ system:2:overconfidence ]

An ML model integrated into a system with its output treated as high confidence data may cause a range of unexpected issues .

Q

Output Risk

Error propagation

[ system:5:error propagation ]

When ML output is input to a larger decision process, errors in the ML subsystem may propagate in unforeseen ways .

K

Output Risk

Output manipulation

[ output:1:d i rect ]

An attacker directly manipulates the output stream getting between the ML system and its receiver. This may be hard to detect because models are sometimes opaque .

A

Output Risk

 

 

You have invented your own risk associated with machine learning output .

2

Dataset Risk

Metadata

[ raw:10:metadata ]

Metadata may accidentally degrade generalization since a model learns a feature of the meta data instead of the content itself.

3

Dataset Risk

Data rights

[ LLM:raw:4:data rights ]

Copyrighted, privacy protected or otherwise legally encumbered data are scraped from the internet to train ML models. This can lead to expensive legal entanglements.

4

Dataset Risk

Partitioning

[ assembly:4:partitioning ]

Bad data partitions for training, validation and testing datasets may lead to a misbehaving ML system.

5

Dataset Risk

Normalization

[ assembly:3:normalize ]

Normalization changes the nature of raw data, and may destroy the feature of interest by introducing too much bias.

6

Dataset Risk

Annotation

[ assembly:2:annotation ]

The way data is annotated into features can be directly attacked, introducing attacker bias into a system.

7

Dataset Risk

Encoding integrity

[ assembly:1:encoding integrity ]

Pre-processing and encoding of the data can lead to encoding integrity issues if the data has bias or discrimination in its nature.

8

Dataset Risk

Bad evaluation data

[ eval:2:bad eval data ]

A bad evaluation dataset can give unrealistic projections to how the model will perform when it is shipped to production.

9

Dataset Risk

Storage

[ data:4:storage ]

Data may be stored and managed insecurely. Who has access to the data, and why?

10

Dataset Risk

Recursive pollution

[ LLM:raw:1:recursive pollution] ]

An ML model (LLM or other) generates incorrect content that content finds its way into future training data, which can damage the accuracy and reliability of the model.

J

Dataset Risk

Data integrity

[ system:2:data integrity ]

If distributed datasets do not have proper integrity checks in place, data can be tampered with undetected as it passes between components.

Q

Dataset Risk

Data confidentiality

[ raw:1:data confidentiality ]

Sensitive and confidential data that is used for ML training can be disclosed with extraction attacks.

K

Dataset Risk

Data poisoning

[ data:1:poisoning ]

An attacker intentionally manipulates data to disrupt, introduce bias, control or otherwise influence ML training. On the internet, lots of data are already poisoned “by default”.

A

Dataset Risk

 

 

You have invented your own risk associated with machine learning datasets.