Spoofing
An attacker could take over the port or socket that the server normally uses
2
We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
2
3
Spoofing
An attacker could try one credential after another and there's nothing to slow them down (online or offline)
3
4
Spoofing
An attacker can anonymously connect, because we expect authentication to be done at a higher level
4
5
Spoofing
An attacker can confuse a client because there are too many ways to identify a server
5
6
Spoofing
An attacker can spoof a server because identifiers aren't stored on the client and checked for consistency on re-connection (that is, there's no key persistence)
6
7
Spoofing
An attacker can connect to a server or peer over a link that isn't authenticated (and encrypted)
7
8
Spoofing
An attacker could steal credentials stored on the server and reuse them (for example, a key is stored in a world readable file)
8
9
Spoofing
An attacker who gets a password can reuse it (Use stronger authenticators)
9
X
Spoofing
An attacker can choose to use weaker or no authentication
X
J
Spoofing
An attacker could steal credentials stored on the client and reuse them
Q
Spoofing
An attacker could go after the way credentials are updated or recovered (account recovery doesn't require disclosing the old password)
K
Spoofing
Your system ships with a default admin password, and doesn't force a change
A
Spoofing
You've invented a new Spoofing attack
A
2
Tampering
An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto
2
3
Tampering
An attacker can modify your build system and produce signed builds of your software
3
4
Tampering
Your code makes access control decisions all over the place, rather than with a security kernel
4
5
Tampering
An attacker can replay data without detection because your code doesn't provide timestamps or sequence numbers
5
6
Tampering
An attacker can write to a data store your code relies on
6
7
Tampering
An attacker can bypass permissions because you don't make names canonical before checking access permissions
7
8
Tampering
An attacker can manipulate data because there's no integrity protection for data on the network
8
9
Tampering
An attacker can provide or control state information
9
X
Tampering
An attacker can alter information in a data store because it has weak/open permissions or includes a group which is equivalent to everyone ("anyone with a Facebook account")
X
J
Tampering
An attacker can write to some resource because permissions are granted to the world or there are no ACLs
Q
Tampering
An attacker can change parameters over a trust boundary and after validation (for example, important parameters in a hidden field in HTML, or passing a pointer to critical memory)
K
Tampering
An attacker can load code inside your process via an extension point
A
Tampering
You've invented a new Tampering attack
A
2
Repudiation
An attacker can pass data through the log to attack a log reader, and there's no documentation of what sorts of validation are done
2
3
Repudiation
A low privilege attacker can read interesting security information in the logs
3
4
Repudiation
An attacker can alter digital signatures because the digital signature system you're implementing is weak, or uses MACs where it should use a signature
4
5
Repudiation
An attacker can alter log messages on a network because they lack strong integrity controls
5
6
Repudiation
An attacker can create a log entry without a timestamp (or no log entry is timestamped)
6
7
Repudiation
An attacker can make the logs wrap around and lose data
7
8
Repudiation
An attacker can make a log lose or confuse security information
8
9
Repudiation
An attacker can use a shared key to authenticate as different principals, confusing the information in the logs
9
X
Repudiation
An attacker can get arbitrary data into logs from unauthenticated (or weakly authenticated) outsiders without validation
X
J
Repudiation
An attacker can edit logs and there's no way to tell (perhaps because there's no heartbeat option for the logging system)
Q
Repudiation
An attacker can say "I didn't do that," and you'd have no way to prove them wrong
K
Repudiation
The system has no logs
A
Repudiation
You've invented a new Repudiation attack
A
2
Information Disclosure
An attacker can brute-force file encryption because there's no defense in place (example defense, password stretching)
2
3
Information Disclosure
An attacker can see error messages with security sensitive content
3
4
Information Disclosure
An attacker can read content because messages (say, an email or HTTP cookie) aren't encrypted even if the channel is encrypted
4
5
Information Disclosure
An attacker may be able to read a document or data because it's encrypted with a non-standard algorithm
5
6
Information Disclosure
An attacker can read data because it's hidden or occluded (for undo or change tracking) and the user might forget that it's there
6
7
Information Disclosure
An attacker can act as a 'man in the middle' because you don't authenticate endpoints of a network connection
7
8
Information Disclosure
An attacker can access information through a search indexer, logger, or other such mechanism
8
9
Information Disclosure
An attacker can read sensitive information in a file with permissive permissions
9
X
Information Disclosure
An attacker can read information in files or databases with no access controls
X
J
Information Disclosure
An attacker can discover the fixed key being used to encrypt
Q
Information Disclosure
An attacker can read the entire channel because the channel (say, HTTP or SMTP) isn't encrypted
K
Information Disclosure
An attacker can read network information because there's no cryptography used
A
Information Disclosure
You've invented a new Information Disclosure attack
A
2
Denial of Service
An attacker can make your authentication system unusable or unavailable
2
3
Denial of Service
An attacker can drain our easily replacable battery
3
4
Denial of Service
An attacker can drain a battery that's hard to replace (sealed in a phone, an implanted medical device, or in a hard to reach location)
4
5
Denial of Service
An attacker can spend our cloud budget
5
6
Denial of Service
An attacker can make a server unavailable or unusable without ever authenticating but the problem goes away when the attacker stops
6
7
Denial of Service
An attacker can make a client unavailable or unusable and the problem persists after the attacker goes away
7
8
Denial of Service
An attacker can make a server unavailable or unusable and the problem persists after the attacker goes away
8
9
Denial of Service
An attacker can make a client unavailable or unusable without ever authenticating and the problem persists after the attacker goes away
9
X
Denial of Service
An attacker can make a server unavailable or unusable without ever authenticating and the problem persists after the attacker goes away
X
J
Denial of Service
An attacker can cause the logging subsystem to stop working
Q
Denial of Service
An attacker can amplify a Denial of Service attack through this component with amplification on the order of 10 to 1
K
Denial of Service
An attacker can amplify a Denial of Service attack through this component with amplification on the order of 100 to 1
A
Denial of Service
You've invented a new Denial of Service attack
A
2
Elevation of Privilege
An attacker has compromised a key technology supplier
2
3
Elevation of Privilege
An attacker can access the cloud service which manages your devices
3
4
Elevation of Privilege
An attacker can escape from a container or other sandbox
4
5
Elevation of Privilege
An attacker can force data through different validation paths which give different results
5
6
Elevation of Privilege
An attacker could take advantage of permissions you set, but don't use
6
7
Elevation of Privilege
An attacker can provide a pointer across a trust boundary, rather than data which can be validated
7
8
Elevation of Privilege
An attacker can enter data that is checked while still under their control and used later on the other side of a trust boundary
8
9
Elevation of Privilege
There's no reasonable way for a caller to figure out what validation of tainted data you perform before passing it to them
9
X
Elevation of Privilege
There's no reasonable way for a caller to figure out what security assumptions you make
X
J
Elevation of Privilege
An attacker can reflect input back to a user, like cross site scripting
Q
Elevation of Privilege
You include user-generated content within your page, possibly including the content of random URLs
K
Elevation of Privilege
An attacker can inject a command that the system will run at a higher privilege level
A
Elevation of Privilege
You've invented a new Elevation of Privilege attack
A
2
Brian can gather information about the underlying configurations, schemas, logic, code, software, services and infrastructure due to the content of error messages, or poor configuration, or the presence of default installation files or old, test, backup or copies of resources, or exposure of source code
- OWASP SCP
- 69, 107, 108, 109, 136, 137, 153, 156, 158, 162
- OWASP ASVS
- 1.6.4, 2.10.4, 4.3.2, 7.1.1, 10.2.3, 14.1.1, 14.2.2, 14.3.3
- OWASP AppSensor
- HT1, HT2, HT3
- CAPEC
- 54, 541
- SAFECODE
- 4, 23
3
Robert can input malicious data because the allowed protocol format is not being checked, or duplicates are accepted, or the structure is not being verified, or the individual data elements are not being validated for format, type, range, length and a whitelist of allowed characters or formats
- OWASP SCP
- 8, 9, 11, 12, 13, 14, 16, 159, 190, 191
- OWASP ASVS
- 1.5.3, 5.1.1, 5.1.2, 5.1.3, 13.2.1, 14.1.2, 14.4.1
- OWASP AppSensor
- RE7, RE8, AE4, AE5, AE6, AE7, IE2, IE3, CIE1, CIE3, CIE4, HT1, HT2, HT3
- CAPEC
- 28, 48, 126, 165, 213, 220, 221, 261, 262, 271, 272
- SAFECODE
- 3, 16, 24, 35
4
Dave can input malicious field names or data because it is not being checked within the context of the current user and process
- OWASP SCP
- 8, 10, 183
- OWASP ASVS
- 4.2.1, 5.1.1, 5.1.2, 11.1.1, 11.1.2
- OWASP AppSensor
- RE3, RE4, RE5, RE6, AE8, AE9, AE10, AE11, SE1, SE3, SE4, SE5, SE6, IE2, IE3, IE4, HT1, HT1, HT2, HT3
- CAPEC
- 28, 31, 48, 126, 162, 165, 213, 220, 221, 261
- SAFECODE
- 24, 35
5
Jee can bypass the centralized encoding routines since they are not being used everywhere, or the wrong encodings are being used
- OWASP SCP
- 3, 15, 18, 19, 20, 21, 22, 168
- OWASP ASVS
- 1.1.6, 5.3.3, 5.2.1, 5.2.2, 5.2.5
- OWASP AppSensor
- -
- CAPEC
- 28, 31, 152, 160, 468
- SAFECODE
- 2, 17
6
Jason can bypass the centralized validation routines since they are not being used on all inputs
- OWASP SCP
- 3, 168
- OWASP ASVS
- 1.1.6, 1.5.3, 5.1.3, 13.2.2, 13.2.5
- OWASP AppSensor
- IE2, IE3
- CAPEC
- 28
- SAFECODE
- 3, 16, 24
7
Jan can craft special payloads to foil input validation because the character set is not specified/enforced, or the data is encoded multiple times, or the data is not fully converted into the same format the application uses (e.g. canonicalization) before being validated, or variables are not strongly typed
- OWASP SCP
- 4, 5, 7, 150
- OWASP ASVS
- 1.5.3, 13.2.2, 13.2.5
- OWASP AppSensor
- IE2, IE3, EE1, EE2
- CAPEC
- 28, 153, 165
- SAFECODE
- 3, 16, 24
8
Oana can bypass the centralized sanitization routines since they are not being used comprehensively
- OWASP SCP
- 15, 169
- OWASP ASVS
- 1.1.6, 5.2.2, 5.2.5
- OWASP AppSensor
- -
- CAPEC
- 28, 31, 152, 160, 468
- SAFECODE
- 2, 17
9
Shamun can bypass input validation or output validation checks because validation failures are not rejected and/or sanitized
- OWASP SCP
- 6, 21, 22, 168
- OWASP ASVS
- 7.1.3
- OWASP AppSensor
- IE2, IE3
- CAPEC
- 28
- SAFECODE
- 3, 16, 24
10
Darío can exploit the trust the application places in a source of data (e.g. user-definable data, manipulation of locally stored data, alteration to state data on a client device, lack of verification of identity during data validation such as Darío can pretend to be Colin)
- OWASP SCP
- 2, 19, 92, 95, 180
- OWASP ASVS
- 1.12.2, 5.1.3, 9.2.3, 12.2.1, 12.3.1, 12.3.2, 12.3.3, 12.4.2, 12.5.2, 14.5.3
- OWASP AppSensor
- IE4, IE5
- CAPEC
- 12, 51, 57, 90, 111, 145, 194, 195, 202, 218, 463
- SAFECODE
- 14
J
Toby has control over input validation, output validation or output encoding code or routines so they can be bypassed
- OWASP SCP
- 1, 17
- OWASP ASVS
- 1.5.3
- OWASP AppSensor
- RE3, RE4
- CAPEC
- 87, 207, 554
- SAFECODE
- 2, 17
Q
Xavier can inject data into a client or device side interpreter because a parameterised interface is not being used, or has not been implemented correctly, or the data has not been encoded correctly for the context, or there is no restrictive policy on code or data includes
- OWASP SCP
- 10, 15, 16, 19, 20
- OWASP ASVS
- 5.2.1, 5.2.5, 5.3.3, 5.5.4
- OWASP AppSensor
- IE1, RP3
- CAPEC
- 28, 31, 152, 160, 468
- SAFECODE
- 2, 17
K
Gabe can inject data into an server-side interpreter (e.g. SQL, OS commands, Xpath, Server JavaScript, SMTP) because a strongly typed parameterised interface is not being used or has not been implemented correctly
- OWASP SCP
- 15, 19, 20, 21, 22, 167, 180, 204, 211, 212
- OWASP ASVS
- 5.2.1, 5.2.2, 5.3.4, 5.3.7, 5.3.8, 5.3.9, 5.3.10
- OWASP AppSensor
- CIE1, CIE2
- CAPEC
- 23, 28, 76, 152, 160, 261
- SAFECODE
- 2, 19, 20
A
You have invented a new attack against Data Validation and Encoding
Read more about this topic in OWASP's free Cheat Sheets on Input Validation, XSS Prevention, DOM-based XSS Prevention, SQL Injection Prevention, and Query Parameterization
2
James can undertake authentication functions without the real user ever being aware this has occurred (e.g. attempt to log in, log in with stolen credentials, reset the password)
- OWASP SCP
- 47, 52
- OWASP ASVS
- 2.5.2, 7.1.2, 7.1.4, 7.2.1, 8.2.1, 8.2.2, 8.2.3, 8.3.6
- OWASP AppSensor
- UT1
- CAPEC
- -
- SAFECODE
- 28
3
Muhammad can obtain a user's password or other secrets such as security questions, by observation during entry, or from a local cache, or from memory, or in transit, or by reading it from some unprotected location, or because it is widely known, or because it never expires, or because the user cannot change her own password
- OWASP SCP
- 36, 37, 40, 43, 48, 51, 119, 139, 140, 146
- OWASP ASVS
- 2.5.2, 2.5.3
- OWASP AppSensor
- -
- CAPEC
- 37, 546
- SAFECODE
- 28
4
Sebastien can easily identify user names or can enumerate them
- OWASP SCP
- 33, 53
- OWASP ASVS
- 2.2.1, 4.1.5
- OWASP AppSensor
- AE1
- CAPEC
- 383
- SAFECODE
- 28
5
Javier can use default, test or easily guessable credentials to authenticate, or can use an old account or an account not necessary for the application
- OWASP SCP
- 54, 175, 178
- OWASP ASVS
- 4.1.5
- OWASP AppSensor
- AE12, HT3
- CAPEC
- 70
- SAFECODE
- 28
6
Sven can reuse a temporary password because the user does not have to change it on first use, or it has too long or no expiry, or it does not use an out-of-band delivery method (e.g. post, mobile app, SMS)
- OWASP SCP
- 37, 45, 46, 178
- OWASP ASVS
- 2.5.6
- OWASP AppSensor
- -
- CAPEC
- 50
- SAFECODE
- 28
7
Cecilia can use brute force and dictionary attacks against one or many accounts without limit, or these attacks are simplified due to insufficient complexity, length, expiration and re-use requirements for passwords
- OWASP SCP
- 33, 38, 39, 41, 50, 53
- OWASP ASVS
- 2.1.2, 2.1.7, 2.1.10, 2.2.1
- OWASP AppSensor
- AE2, AE3
- CAPEC
- 2, 16
- SAFECODE
- 27
8
Kate can bypass authentication because it does not fail secure (i.e. it defaults to allowing unauthenticated access)
- OWASP SCP
- 28
- OWASP ASVS
- 4.1.5
- OWASP AppSensor
- -
- CAPEC
- 115
- SAFECODE
- 28
9
Claudia can undertake more critical functions because authentication requirements are too weak (e.g. do not use strong authentication such as two factor), or there is no requirement to re-authenticate for these
- OWASP SCP
- 55, 56
- OWASP ASVS
- 1.4.5, 2.1.6, 2.2.4, 4.1.3, 4.3.3
- OWASP AppSensor
- -
- CAPEC
- 21
- SAFECODE
- 14, 28
10
Pravin can bypass authentication controls because a centralized standard, tested, proven and approved authentication module/framework/service, separate to the resource being requested, is not being used
- OWASP SCP
- 25, 26, 27
- OWASP ASVS
- 1.1.6, 1.4.4
- OWASP AppSensor
- -
- CAPEC
- 90, 115
- SAFECODE
- 14, 28
J
Mark can access resources or services because there is no authentication requirement, or it was mistakenly assumed authentication would be undertaken by some other system or performed in some previous action
- OWASP SCP
- 23, 32, 34
- OWASP ASVS
- 1.4.5, 4.3.1
- OWASP AppSensor
- -
- CAPEC
- 115
- SAFECODE
- 14, 28
Q
Johan can bypass authentication because it is not enforced with equal rigor for all types of authentication functionality (e.g. register, password change, password recovery, log out, administration) or across all versions/channels (e.g. mobile website, mobile app, full website, API, call centre)
- OWASP SCP
- 23, 29, 42, 49
- OWASP ASVS
- 1.4.5, 2.5.6, 2.5.7, 4.3.1
- OWASP AppSensor
- -
- CAPEC
- 36, 50, 115, 121, 179
- SAFECODE
- 14, 28
K
Olga can influence or alter authentication code/routines so they can be bypassed
- OWASP SCP
- 24
- OWASP ASVS
- 4.1.1, 10.2.3, 10.2.4, 10.2.5, 10.2.6
- OWASP AppSensor
- -
- CAPEC
- 115, 207, 554
- SAFECODE
- 14, 28
A
You have invented a new attack against Authentication
Read more about this topic in OWASP's free Authentication Cheat Sheet
2
William has control over the generation of session identifiers
- OWASP SCP
- 58, 59
- OWASP ASVS
- 3.7.1
- OWASP AppSensor
- SE2
- CAPEC
- 31, 60, 61
- SAFECODE
- 28
3
Ryan can use a single account in parallel since concurrent sessions are allowed
- OWASP SCP
- 68
- OWASP ASVS
- 3.3.3, 3.3.4
- OWASP AppSensor
- -
- CAPEC
- -
- SAFECODE
- 28
4
Alison can set session identification cookies on another web application because the domain and path are not restricted sufficiently
- OWASP SCP
- 59, 61
- OWASP ASVS
- 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5
- OWASP AppSensor
- SE2
- CAPEC
- 31, 61
- SAFECODE
- 28
5
John can predict or guess session identifiers because they are not changed when the user's role alters (e.g. pre and post authentication) and when switching between non-encrypted and encrypted communications, or are not sufficiently long and random, or are not changed periodically
- OWASP SCP
- 60, 62, 66, 67, 71, 72
- OWASP ASVS
- 3.2.1, 3.2.2, 3.2.4, 3.3.1
- OWASP AppSensor
- SE4, SE5, SE6
- CAPEC
- 31
- SAFECODE
- 28
6
Gary can take over a user's session because there is a long or no inactivity timeout, or a long or no overall session time limit, or the same session can be used from more than one device/location
- OWASP SCP
- 64, 65
- OWASP ASVS
- 3.3.2, 3.3.3, 3.3.4
- OWASP AppSensor
- SE5, SE6
- CAPEC
- 21
- SAFECODE
- 28
7
Graham can utilize Adam's session after he has finished, because there is no log out function, or he cannot easily log out, or log out does not properly terminate the session
- OWASP SCP
- 62, 63
- OWASP ASVS
- 3.3.1, 3.3.4
- OWASP AppSensor
- -
- CAPEC
- 21
- SAFECODE
- 28
8
Matt can abuse long sessions because the application does not require periodic re-authentication to check if privileges have changed
- OWASP SCP
- 96
- OWASP ASVS
- 3.3.2, 3.6.1
- OWASP AppSensor
- -
- CAPEC
- 21
- SAFECODE
- 28
9
Ivan can steal session identifiers because they are sent over insecure channels, or are logged, or are revealed in error messages, or are included in URLs, or are accessible un-necessarily by code which the attacker can influence or alter
- OWASP SCP
- 69, 75, 76, 119, 138
- OWASP ASVS
- 1.9.1, 3.1.1, 7.1.1, 7.1.2, 7.2.1, 9.1.3, 9.2.2
- OWASP AppSensor
- SE4, SE5, SE6
- CAPEC
- 31, 60
- SAFECODE
- 28
10
Marce can forge requests because per-session, or per-request for more critical actions, strong random tokens (i.e. anti-CSRF tokens) or similar are not being used for actions that change state
- OWASP SCP
- 73, 74
- OWASP ASVS
- 4.2.2
- OWASP AppSensor
- IE4
- CAPEC
- 62, 111
- SAFECODE
- 18
J
Jeff can resend an identical repeat interaction (e.g. HTTP request, signal, button press) and it is accepted, not rejected
- OWASP SCP
- -
- OWASP ASVS
- 11.1.1, 11.1.2, 11.1.3
- OWASP AppSensor
- IE5
- CAPEC
- 60
- SAFECODE
- 12, 14
Q
Salim can bypass session management because it is not applied comprehensively and consistently across the application
- OWASP SCP
- 58
- OWASP ASVS
- 1.1.6, 3.7.1
- OWASP AppSensor
- -
- CAPEC
- 21
- SAFECODE
- 14, 28
K
Peter can bypass the session management controls because they have been self-built and/or are weak, instead of using a standard framework or approved tested module
- OWASP SCP
- 58, 60
- OWASP ASVS
- 1.1.6
- OWASP AppSensor
- -
- CAPEC
- 21
- SAFECODE
- 14, 28
A
You have invented a new attack against Session Management
Read more about this topic in OWASP's free Cheat Sheets on Session Management, and Cross Site Request Forgery (CSRF) Prevention
2
Kyun can access data because it has been obfuscated rather than using an approved cryptographic function
- OWASP SCP
- 105, 133, 135
- OWASP ASVS
- 6.2.2
- OWASP AppSensor
- -
- CAPEC
- -
- SAFECODE
- 21, 29
3
Axel can modify transient or permanent data (stored or in transit), or source code, or updates/patches, or configuration data, because it is not subject to integrity checking
- OWASP SCP
- 92, 205, 212
- OWASP ASVS
- 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.3.1, 10.3.2, 14.1.1, 14.1.4, 14.1.5
- OWASP AppSensor
- SE1, IE4
- CAPEC
- 31, 39, 68, 75, 133, 145, 162, 203, 438, 439, 442
- SAFECODE
- 12, 14
4
Paulo can access data in transit that is not encrypted, even though the channel is encrypted
- OWASP SCP
- 37, 88, 143, 214
- OWASP ASVS
- 8.3.4, 9.1.1
- OWASP AppSensor
- -
- CAPEC
- 185, 186, 187
- SAFECODE
- 14, 29, 30
5
Kyle can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected)
- OWASP SCP
- 103, 145
- OWASP ASVS
- 1.9.1, 6.2.1, 9.1.3, 9.2.2
- OWASP AppSensor
- -
- CAPEC
- -
- SAFECODE
- 21, 29
6
Romain can read and modify unencrypted data in memory or in transit (e.g. cryptographic secrets, credentials, session identifiers, personal and commercially-sensitive data), in use or in communications within the application, or between the application and users, or between the application and external systems
- OWASP SCP
- 36, 37, 143, 146, 147
- OWASP ASVS
- 1.9.1, 2.2.5, 2.5.1, 8.3.4, 8.3.6, 9.1.3, 9.2.2
- OWASP AppSensor
- -
- CAPEC
- 31, 57, 102, 157, 158, 384, 466, 546
- SAFECODE
- 29
7
Gunter can intercept or modify encrypted data in transit because the protocol is poorly deployed, or weakly configured, or certificates are invalid, or certificates are not trusted, or the connection can be degraded to a weaker or un-encrypted communication
- OWASP SCP
- 75, 144, 145, 148
- OWASP ASVS
- 1.9.2, 6.2.7, 9.1.1, 9.2.1, 9.2.4, 14.4.5
- OWASP AppSensor
- IE4
- CAPEC
- 31, 216
- SAFECODE
- 14, 29, 30
8
Eoin can access stored business data (e.g. passwords, session identifiers, PII, cardholder data) because it is not securely encrypted or securely hashed
- OWASP SCP
- 30, 31, 70, 133, 135
- OWASP ASVS
- 2.4.1, 6.2.2, 6.2.3, 8.3.4
- OWASP AppSensor
- -
- CAPEC
- 31, 37, 55
- SAFECODE
- 21, 29, 31
9
Andy can bypass random number generation, random GUID generation, hashing and encryption functions because they have been self-built and/or are weak
- OWASP SCP
- 60, 104, 105
- OWASP ASVS
- 6.2.2, 6.2.3, 6.3.1, 6.3.3
- OWASP AppSensor
- -
- CAPEC
- 97
- SAFECODE
- 14, 21, 29, 32, 33
10
Susanna can break the cryptography in use because it is not strong enough for the degree of protection required, or it is not strong enough for the amount of effort the attacker is willing to make
- OWASP SCP
- 104, 105
- OWASP ASVS
- 6.3.3
- OWASP AppSensor
- -
- CAPEC
- 97, 463
- SAFECODE
- 14, 21, 29, 31, 32, 33
J
Justin can read credentials for accessing internal or external resources, services and others systems because they are stored in an unencrypted format, or saved in the source code
- OWASP SCP
- 35, 90, 171, 172
- OWASP ASVS
- 1.6.1, 1.6.2, 1.6.4, 2.10.4, 6.4.1, 6.4.2
- OWASP AppSensor
- -
- CAPEC
- 116
- SAFECODE
- 21, 29
Q
Artim can access or predict the master cryptographic secrets
- OWASP SCP
- 35, 102
- OWASP ASVS
- 1.6.1, 1.6.2, 1.6.3, 6.2.3, 8.3.6
- OWASP AppSensor
- -
- CAPEC
- 116, 117
- SAFECODE
- 21, 29
K
Dan can influence or alter cryptography code/routines (encryption, hashing, digital signatures, random number and GUID generation) and can therefore bypass them
- OWASP SCP
- 31, 101
- OWASP ASVS
- 1.6.2, 6.2.5, 6.2.6, 6.2.7, 6.2.8
- OWASP AppSensor
- -
- CAPEC
- 207, 554
- SAFECODE
- 14, 21, 29
A
You have invented a new attack against Cryptography
Read more about this topic in OWASP's free Cheat Sheets on Cryptographic Storage, and Transport Layer Protection
2
Lee can bypass application controls because dangerous/risky programming language functions have been used instead of safer alternatives, or there are type conversion errors, or because the application is unreliable when an external resource is unavailable, or there are race conditions, or there are resource initialization or allocation issues, or overflows can occur
- OWASP SCP
- 194, 195, 196, 197, 198, 199, 200, 201, 202, 205, 206, 207, 208, 209
- OWASP ASVS
- 14.1.2
- OWASP AppSensor
- -
- CAPEC
- 25, 26, 29, 96, 123, 124, 128, 129, 264, 265
- SAFECODE
- 3, 5, 6, 7, 9, 22, 25, 26, 34
3
Andrew can access source code, or decompile, or otherwise access business logic to understand how the application works and any secrets contained
- OWASP SCP
- 134
- OWASP ASVS
- 14.1.1
- OWASP AppSensor
- -
- CAPEC
- 189, 207
- SAFECODE
- -
4
Keith can perform an action and it is not possible to attribute it to him
- OWASP SCP
- 23, 32, 34, 42, 51, 181
- OWASP ASVS
- 7.2.1, 7.2.2
- OWASP AppSensor
- -
- CAPEC
- -
- SAFECODE
- -
5
Larry can influence the trust other parties including users have in the application, or abuse that trust elsewhere (e.g. in another application)
- OWASP SCP
- -
- OWASP ASVS
- 1.9.2, 5.1.5, 9.1.1, 9.2.1, 9.2.4
- OWASP AppSensor
- -
- CAPEC
- 89, 103, 181, 459
- SAFECODE
- -
6
Aaron can bypass controls because error/exception handling is missing, or is implemented inconsistently or partially, or does not deny access by default (i.e. errors should terminate access/execution), or relies on handling by some other service or system
- OWASP SCP
- 109, 110, 111, 112, 155
- OWASP ASVS
- 4.1.5, 7.1.4
- OWASP AppSensor
- -
- CAPEC
- 54, 98, 164
- SAFECODE
- 4, 11, 23
7
Mwengu's actions cannot be investigated because there is not an adequate accurately time-stamped record of security events, or there is not a full audit trail, or these can be altered or deleted by Mwengu, or there is no centralized logging service
- OWASP SCP
- 113, 114, 115, 117, 118, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130
- OWASP ASVS
- 7.1.2, 7.1.4, 7.2.1, 7.2.2, 7.3.1, 7.3.3, 8.3.5, 9.2.5
- OWASP AppSensor
- -
- CAPEC
- 93
- SAFECODE
- 4
8
David can bypass the application to gain access to data because the network and host infrastructure, and supporting services/applications, have not been securely configured, the configuration rechecked periodically and security patches applied, or the data is stored locally, or the data is not physically protected
- OWASP SCP
- 151, 152, 156, 160, 161, 173, 174, 175, 176, 177
- OWASP ASVS
- 1.4.5, 10.3.1, 10.3.2, 14.1.4, 14.1.5, 14.2.1, 14.2.2
- OWASP AppSensor
- RE1, RE2
- CAPEC
- 37, 220, 310, 436, 536
- SAFECODE
- -
9
Michael can bypass the application to gain access to data because administrative tools or administrative interfaces are not secured adequately
- OWASP SCP
- 23, 29, 56, 81, 82, 84, 85, 86, 87, 88, 89, 90
- OWASP ASVS
- 1.4.5, 4.3.1
- OWASP AppSensor
- -
- CAPEC
- 122, 233
- SAFECODE
- -
10
Spyros can circumvent the application's controls because code frameworks, libraries and components contain malicious code or vulnerabilities (e.g. in-house, commercial off the shelf, outsourced, open source, externally-located)
- OWASP SCP
- 57, 151, 152, 204, 205, 213, 214
- OWASP ASVS
- 1.14.3, 10.1.1, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 14.2.1
- OWASP AppSensor
- -
- CAPEC
- 68, 438, 439, 442, 524, 538
- SAFECODE
- 15
J
Roman can exploit the application because it was compiled using out-of-date tools, or its configuration is not secure by default, or security information was not documented and passed on to operational teams
- OWASP SCP
- 90, 137, 148, 151, 152, 153, 154, 175, 176, 177, 178, 179, 186, 192
- OWASP ASVS
- 1.14.3, 14.1.1, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 14.2.1
- OWASP AppSensor
- -
- CAPEC
- -
- SAFECODE
- 4
Q
Jim can undertake malicious, non-normal, actions without real-time detection and response by the application
- OWASP SCP
- -
- OWASP ASVS
- 8.1.4, 11.1.1, 11.1.2, 11.1.3, 11.1.4
- OWASP AppSensor
- (All)
- CAPEC
- -
- SAFECODE
- 1, 27
K
Grant can utilize the application to deny service to some or all of its users
- OWASP SCP
- 41, 55
- OWASP ASVS
- 2.2.1, 11.1.3, 11.1.4
- OWASP AppSensor
- UT1, UT2, UT3, UT4, STE3
- CAPEC
- 2, 25, 119, 125
- SAFECODE
- 1
A
You have invented a new attack of any type
Read more about application security in OWASP's free Guides on Requirements, Development, Code Review and Testing, the Cheat Sheet series, and the Open Software Assurance Maturity Model
A
Alice can utilize the application to attack users' systems and data
Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP's work
B
Bob can influence, alter or affect the application so that it no longer complies with legal, regulatory, contractual or other organizational mandates
- OWASP SCP
- –
- OWASP ASVS
- –
- OWASP AppSensor
- –
- CAPEC
- –
- SAFECODE
- –
2
Andrew can expose sensitive data through the app's auto-generated screenshots when the app moves to the background
- OWASP MASVS
- PLATFORM-3
- OWASP MASTG
- TEST-0010, TEST-0059
- CAPEC
- 37, 155, 498, 648
- SAFECODE
- -
3
Harold can spy sensitive data being entered through the user interface because the data is excessive, not properly masked or cleaned up after use
- OWASP MASVS
- PLATFORM-3
- OWASP MASTG
- TEST-0008, TEST-0037, TEST-0057
- CAPEC
- 508
- SAFECODE
- -
4
Kelly can expose sensitive data by taking advantage of the app's excessive permissions connected to the app's use of location, camera, microphone, storage, etc
- OWASP MASVS
- PLATFORM-1
- OWASP MASTG
- TEST-0024, TEST-0069
- CAPEC
- 634, 651
- SAFECODE
- 11
5
Jason can provoke memory leak or corruption because the app has cyclic dependencies, manages pointers inadequately, keeps an incorrect reference count, does not release shared resources or apply stack protection
- OWASP MASVS
- CODE-4
- OWASP MASTG
- TEST-0043, TEST-0044, TEST-0086
- CAPEC
- 14, 24, 44, 45, 46, 47, 92, 100, 124, 128, 129, 131, 679
- SAFECODE
- 7, 9, 34, 36
6
Dawn can expose and intercept sensitive functionality through interprocess communication because permissions for broadcast and sharing are not set, not narrow enough or because sensitive functionality isn't appropriately excluded when sharing
- OWASP MASVS
- PLATFORM-1
- OWASP MASTG
- TEST-0029, TEST-0030, TEST-0071
- CAPEC
- 94, 117, 499, 502, 504
- SAFECODE
- 8, 10, 11
7
Lauren can traverse or modify otherwise protected files through access to the underlying file system by exploiting weaknesses in file system-based content providers, resolvers or its configuration
- OWASP MASVS
- PLATFORM-1
- OWASP MASTG
- TEST-0007, TEST-0056
- CAPEC
- 126, 127, 139, 597, 643
- SAFECODE
- 16, 33
8
Colin can expose sensitive data through the app's interprocess communication because the content provider's query methods are not properly parameterized and arguments sanitized
- OWASP MASVS
- PLATFORM-1
- OWASP MASTG
- TEST-0007, TEST-0056
- CAPEC
- 137, 499, 502, 586
- SAFECODE
- -
9
Toby can modify or expose data by injection because the response from implicit intents is not properly validated
- OWASP MASVS
- CODE-4
- OWASP MASTG
- TEST-0026
- CAPEC
- 497, 499, 502
- SAFECODE
- 17
10
Max can modify or expose data because input validation and sanitation are not properly applied to interprocess communication or because extensions are not properly restricted
- OWASP MASVS
- CODE-4
- OWASP MASTG
- TEST-0025, TEST-0072
- CAPEC
- 137, 499, 502, 586
- SAFECODE
- -
J
Johan can modify or expose sensitive data by exploiting weaknesses in the SDK or third party libraries because updates to the app and platform are not enforced or do not patch known software vulnerabilities
- OWASP MASVS
- CODE-1, CODE-2, CODE-3
- OWASP MASTG
- TEST-0036, TEST-0042, TEST-0080, TEST-0085
- CAPEC
- 310, 538, 691
- SAFECODE
- -
Q
Xavier can inject scripts into the web view because it allows embedding content using deep linking without proper authorization and validation of the host, schema and path of the target as these can be changed by the user or because safe browsing is disabled
- OWASP MASVS
- PLATFORM-1, PLATFORM-2
- OWASP MASTG
- TEST-0027, TEST-0028, TEST-0031, TEST-0070, TEST-0076, TEST-0077
- CAPEC
- 175, 240, 242, 500, 591, 592
- SAFECODE
- 17
K
Grant can modify or expose data by influencing or altering JavaScript bridges, extensions or interprocess communication (e.g. shared memory, message passing, pipes, sockets)
- OWASP MASVS
- PLATFORM-1, PLATFORM-2
- OWASP MASTG
- TEST-0007, TEST-0030, TEST-0033, TEST-0056, TEST-0072, TEST-0078
- CAPEC
- 137, 138, 499, 502, 586
- SAFECODE
- -
A
You have invented a new attack against “Platform and Code”
Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Code Quality” in the “Mobile Application Security Testing Guide” on the OWASP MAS website
2
Matt can inspect sensitive application log data because logging statements have not been removed or reviewed as safe before the production release
- OWASP MASVS
- STORAGE-2
- OWASP MASTG
- TEST-0003, TEST-0053
- CAPEC
- 155
- SAFECODE
- 11, 23, 29
3
Bil can access sensitive data for sensitive fields from the pasteboard/clipboard or keyboard cache because the pasteboard/clipboard is not timely cleared, disabled or restricted for sensitive fields, or the keyboard cache is not disabled
- OWASP MASVS
- STORAGE-2
- OWASP MASTG
- TEST-0006, TEST-0055, TEST-0073
- CAPEC
- 204, 637, 679
- SAFECODE
- -
4
Ricardo can extract data stored by the app on a stolen or decommissioned device because it does not enforce device access security policies (e.g. PIN protected locking, app-/os-version, USB debug deactivation, device encryption and rooting)
- OWASP MASVS
- STORAGE-1
- OWASP MASTG
- TEST-0012
- CAPEC
- 406, 675
- SAFECODE
- -
5
Kevin can read sensitive data mapped to user accounts or sessions by extracting data sent through third-party libraries and/or notifications sent between the app and embedded services (e.g. logs, notifications, backups, cache, local db)
- OWASP MASVS
- STORAGE-2
- OWASP MASTG
- TEST-0004, TEST-0005, TEST-0054
- CAPEC
- 155, 161, 204, 220, 639, 643
- SAFECODE
- 11, 23, 29
6
Sam can dump sensitive data from memory because the data is not stored as primitive data types and overwritten with random data after use or because the app's input fields use insecure SDKs to store the data in RAM
- OWASP MASVS
- STORAGE-2
- OWASP MASTG
- TEST-0011, TEST-0060
- CAPEC
- 679
- SAFECODE
- -
7
Steve can access sensitive data by reading backups and/or local, internal/external storage
- OWASP MASVS
- STORAGE-1, STORAGE-2
- OWASP MASTG
- TEST-0001, TEST-0003, TEST-0009, TEST-0052, TEST-0053, TEST-0058
- CAPEC
- 37, 155, 204, 639, 643
- SAFECODE
- 11, 23, 29
8
Martin can modify or expose sensitive data through unsafe reflection when reading data from public data storage (e.g. shared preferences) because the data is not validated before being read by the app
- OWASP MASVS
- STORAGE-1, CODE-4
- OWASP MASTG
- TEST-0002
- CAPEC
- 176
- SAFECODE
- -
9
Adrian can compromise the app communication through a proxy because the app does not make use of certificate pinning or implements it incorrectly
- OWASP MASVS
- NETWORK-2
- OWASP MASTG
- TEST-0022, TEST-0068
- CAPEC
- 57, 94, 156, 465, 466, 479, 701
- SAFECODE
- 14, 30
10
Maarten can compromise the communication between the app and the external services because the app does not verify TLS certificates and -chains, trust insecure sources, lack hostname verification or ignore TLS verification issues
- OWASP MASVS
- NETWORK-1
- OWASP MASTG
- TEST-0019, TEST-0021, TEST-0065, TEST-0067
- CAPEC
- 57, 94, 156, 465, 466, 479, 701
- SAFECODE
- 14, 29, 30
J
Nihel can compromise the communication as it may fall back to an insecure or unencrypted channel, because encryption is optional, or because of client-server protocol or security provider weaknesses
- OWASP MASVS
- NETWORK-1
- OWASP MASTG
- TEST-0020, TEST-0023, TEST-0066
- CAPEC
- 57, 94, 156, 220, 459, 465, 466
- SAFECODE
- 12, 14, 29, 30
Q
Ahmed can read and modify data in transit because the communication is transmitted over an unencrypted channel
- OWASP MASVS
- NETWORK-1
- OWASP MASTG
- TEST-0019, TEST-0065
- CAPEC
- 31, 36, 57, 102, 157, 158, 384, 466
- SAFECODE
- 29, 30
K
Taher can intercept, extract or modify sensitive data at rest or in transit by influencing or altering methods for transferring or storing data at rest or in transit
- OWASP MASVS
- STORAGE-1
- OWASP MASTG
- TEST-0001, TEST-0052
- CAPEC
- 75, 76, 113, 153, 161, 165, 176, 190, 207, 210, 554, 562
- SAFECODE
- 12, 19
A
You have invented a new attack against “Network & Storage”
Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Network Communication” in the “Mobile Application Security Testing Guide” on the OWASP MAS website
2
Sebastien can disclose sensitive data because the application is set up to log debug information at runtime
- OWASP MASVS
- RESILIENCE-3
- OWASP MASTG
- TEST-0041, TEST-0084
- CAPEC
- 37, 167, 191
- SAFECODE
- -
3
Tobias can disclose sensitive data by dumping debug symbols while the application is running
- OWASP MASVS
- RESILIENCE-3
- OWASP MASTG
- TEST-0040, TEST-0083
- CAPEC
- 37, 167, 191
- SAFECODE
- -
4
Timur can change the code of the production release because the code of the application has not been properly signed using a valid production certificate
- OWASP MASVS
- RESILIENCE-2
- OWASP MASTG
- TEST-0038, TEST-0081
- CAPEC
- 68, 167, 206, 476
- SAFECODE
- 14
5
Matteo can bypass access controls and trigger functionality because debugging is left enabled in the production build
- OWASP MASVS
- RESILIENCE-4
- OWASP MASTG
- TEST-0039, TEST-0082
- CAPEC
- 115, 167, 554
- SAFECODE
- -
6
Joren can bypass access controls because the anti-debugging controls aren't strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- RESILIENCE-4
- OWASP MASTG
- TEST-0046, TEST-0089
- CAPEC
- 115, 167, 554
- SAFECODE
- -
7
Erlend can compromise the app by running it in an emulator because the prevention against emulators are not strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- RESILIENCE-1
- OWASP MASTG
- TEST-0049, TEST-0092
- CAPEC
- 189, 554
- SAFECODE
- -
8
Carlos can reverse engineer the app because the anti-reverse engineering controls aren't strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- RESILIENCE-4
- OWASP MASTG
- TEST-0048, TEST-0091
- CAPEC
- 167, 554
- SAFECODE
- -
9
Sean can reverse engineer the app because the code obfuscation isn't strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- RESILIENCE-3
- OWASP MASTG
- TEST-0051, TEST-0093
- CAPEC
- 167, 554
- SAFECODE
- -
10
Juan can bypass jailbreak and root detection and execute administrative functions to bypass integrity checks and access controls and trigger app functionality
- OWASP MASVS
- RESILIENCE-1
- OWASP MASTG
- TEST-0045, TEST-0088
- CAPEC
- 167, 660, 661
- SAFECODE
- -
J
Pekka can compromise the integrity of the storage because the file integrity checks aren't strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- RESILIENCE-2
- OWASP MASTG
- TEST-0047, TEST-0090
- CAPEC
- 23, 165, 167
- SAFECODE
- -
Q
Titus can patch out critical functionality because the runtime integrity checks are not strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- RESILIENCE-4
- OWASP MASTG
- TEST-0050
- CAPEC
- 167, 554
- SAFECODE
- -
K
Sherif can influence or alter controls against reverse engineering and runtime protection and can therefore bypass them
- OWASP MASVS
- RESILIENCE-4
- OWASP MASTG
- TEST-0046, TEST-0089
- CAPEC
- 167, 554
- SAFECODE
- -
A
You have invented a new attack against “Resilience”
Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Tampering and Reverse Engineering” in the “Mobile Application Security Testing Guide” on the OWASP MAS website
2
Lesego can compromise cryptographic operations and resources because keys are reused for multiple purposes, or not used according to the purpose for which they were created
- OWASP MASVS
- CRYPTO-2
- OWASP MASTG
- TEST-0015, TEST-0062
- CAPEC
- 97, 116, 117
- SAFECODE
- 14, 29
3
Emery can access data because it has been obfuscated rather than using an approved cryptographic function
- OWASP MASVS
- CRYPTO-1
- OWASP MASTG
- TEST-0014, TEST-0061
- CAPEC
- 37, 204
- SAFECODE
- 21, 29
4
Enselme can modify sensitive data (stored or in transit) because it is not subject to integrity checking
- OWASP MASVS
- CRYPTO-1, CODE-4
- OWASP MASTG
- TEST-0002
- CAPEC
- 68, 75, 145, 438, 439, 442
- SAFECODE
- 12, 14
5
Orace can predict the seed value used for generating cryptographic keys thereby compromising the cryptographic key
- OWASP MASVS
- CRYPTO-1
- OWASP MASTG
- TEST-0016, TEST-0063
- CAPEC
- 20, 112, 485
- SAFECODE
- 29, 33
6
Kouti can extract sensitive data because the cryptographic key, used, is hard-coded or stored insecurely such as in local, internal/external storage
- OWASP MASVS
- STORAGE-1, CRYPTO-1, CRYPTO-2
- OWASP MASTG
- TEST-0001, TEST-0013, TEST-0052, TEST-0062
- CAPEC
- 37, 117, 155, 191, 204
- SAFECODE
- 21, 29
7
Ramsey can access stored sensitive data because it is not securely encrypted
- OWASP MASVS
- STORAGE-1, CRYPTO-2
- OWASP MASTG
- TEST-0001, TEST-0013, TEST-0052, TEST-0062
- CAPEC
- 37, 117, 155, 191, 204
- SAFECODE
- 21, 29, 31
8
Adel can predict and use the app's cryptographic keys because they are insufficiently long and random, can be enumerated, or derived from known values
- OWASP MASVS
- CRYPTO-1
- OWASP MASTG
- TEST-0013, TEST-0016, TEST-0063
- CAPEC
- 20, 55, 112, 485
- SAFECODE
- 21, 29, 32, 33
9
Fady can bypass cryptographic controls because they do not fail securely (i.e. they default to unprotected)
- OWASP MASVS
- CRYPTO-1
- OWASP MASTG
- TEST-0014
- CAPEC
- 97, 620
- SAFECODE
- 21, 29
10
Ash can break the cryptography because it is not strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- CRYPTO-1
- OWASP MASTG
- TEST-0014, TEST-0061
- CAPEC
- 20, 116, 117, 97, 112, 485
- SAFECODE
- 14, 23, 29, 31, 32, 33
J
Hassan can extract or modify sensitive data because functions for storage and/or encryption are weak, deprecated or used incorrectly
- OWASP MASVS
- CRYPTO-1, STORAGE-1
- OWASP MASTG
- TEST-0001, TEST-0014, TEST-0052, TEST-0061
- CAPEC
- 210, 212
- SAFECODE
- 15
Q
Simon can bypass hashing and encryption functions because they are custom and/or inadequately implemented
- OWASP MASVS
- CRYPTO-1
- OWASP MASTG
- TEST-0014, TEST-0061
- CAPEC
- 20, 116, 117, 97, 112, 485
- SAFECODE
- 14, 21, 29, 32, 33
K
Tarik can influence or alter cryptographic operations and can therefore bypass them
- OWASP MASVS
- CRYPTO-1, CRYPTO-2
- OWASP MASTG
- TEST-0014, TEST-0061, TEST-0062
- CAPEC
- 54, 97, 116, 117, 220
- SAFECODE
- 14, 21, 29
A
You have invented a new attack against “Cryptography”
Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App Cryptography” in the “Mobile Application Security Testing Guide” on the OWASP MAS website
2
Garth can reduce app users' privacy because the app is not transparent about the app's data collection and usage in a concise, easily accessible and understandable way
- OWASP MASVS
- PRIVACY-3
- OWASP MASTG
- -
- CAPEC
- 410
- SAFECODE
- -
3
Elsa can reduce app users' privacy because the app does not allow for the user to easily manage, delete and modify their data, change privacy settings and re-prompt for consent when more data is required
- OWASP MASVS
- PRIVACY-4
- OWASP MASTG
- -
- CAPEC
- 410
- SAFECODE
- -
4
Elizabeth can reduce app users' privacy because the app sends too much personal data without the user's consent to downstream services that are outside the user's control
- OWASP MASVS
- PRIVACY-1
- OWASP MASTG
- -
- CAPEC
- 410
- SAFECODE
- -
5
Debarghaya can reduce app users' privacy because the app repurpose personal information (e.g. device IDs, IP addresses, behavioral patterns) collected for security concerns in order to cater for commercial interests without consent
- OWASP MASVS
- PRIVACY-4
- OWASP MASTG
- -
- CAPEC
- 410
- SAFECODE
- -
6
Kim can reduce app users' privacy because the app repurpose biometric information (e.g. fingerprints, facial recognition data, etc.) collected for security concerns in order to cater for commercial interests
- OWASP MASVS
- PRIVACY-2
- OWASP MASTG
- -
- CAPEC
- 410
- SAFECODE
- -
7
Gastón can execute malicious actions through intent redirection because the intent is not properly sanitized and immutable
- OWASP MASVS
- CODE-4, PLATFORM-1
- OWASP MASTG
- TEST-0025, TEST-0030, TEST-0072
- CAPEC
- 499, 502
- SAFECODE
- -
8
Roxana can do arbitrary file overwrites and potentially execute malicious code through path traversal because the target path and directory is not appropriately validated
- OWASP MASVS
- STORAGE-2
- OWASP MASTG
- -
- CAPEC
- 126
- SAFECODE
- 16
9
Alessandro can exploit the app by taking advantage of buffer overflows and memory leaks to write foreign code within the mobile code's address space
- OWASP MASVS
- CODE-4
- OWASP MASTG
- TEST-0043, TEST-0086
- CAPEC
- 92, 100
- SAFECODE
- 3, 6, 36
10
Carlos can use the application's notification services to launch phishing campaigns because notifications are not sanitized and validated according to best practices
- OWASP MASVS
- CODE-4
- OWASP MASTG
- TEST-0025, TEST-0072
- CAPEC
- 137, 499, 502, 586
- SAFECODE
- -
J
Luis can influence or alter cryptographic methods to corrupt other users' data because the integrity of the encrypted data is not verified before being shared with external services
- OWASP MASVS
- CRYPTO-1, CODE-4
- OWASP MASTG
- TEST-0002
- CAPEC
- 23, 165, 442
- SAFECODE
- -
Q
Victor can patch the app and use it to distribute malicious code because the runtime integrity checks are not strong enough according to what is recommended or the perceived effort of a potential attacker
- OWASP MASVS
- RESILIENCE-4
- OWASP MASTG
- TEST-0050
- CAPEC
- 167, 202, 554
- SAFECODE
- -
K
Ruben can use the app, without modifications, to spread malicious code because methods for transfer and storage do not perform proper data sanitization and validation
- OWASP MASVS
- RESILIENCE-2
- OWASP MASTG
- TEST-0047, TEST-0090
- CAPEC
- 17, 23, 165, 167, 636
- SAFECODE
- -
A
You have invented a new attack of any type
Read more about this topic in OWASP's free Cheat Sheets on Mobile Application Security, and “Mobile App User Privacy Protection” in the “Mobile Application Security Testing Guide” on the OWASP MAS website
A
Starr can influence, alter or affect the app so that it no longer complies with legal, regulatory, contractual or other mandates
Have you thought about becoming an individual OWASP member? All tools, guidance and local meetings are free for everyone, but individual membership helps support OWASP's work
B
Mallory can use the app installed on Bob's device maliciously to surveil, spy on, eavesdrop, control remotely, track or otherwise monitor Bob, without consent and/or notification
- OWASP MASVS
- –
- OWASP MASTG
- –
- CAPEC
- –
- SAFECODE
- –
2
Model Risk
Catastrophic forgetting
[ eval:5:catastrophic forgetting ]
When a model is filled with too much overlapping information, collisions in the representation space may lead to the model “forgetting” information.
3
Model Risk
Oscillation
[ alg:8:oscillation ]
An ML system may end up oscillating and not properly converging if using gradient descent in a space with a misleading gradient.
4
Model Risk
Randomness
[ alg:4:randomness ]
Setting weights and thresholds with a bad RNG can damage system behavior and lead to subtle security issues.
5
Model Risk
Online system manipulation
[ alg:1:online ]
When an ML system system online keeps learning during operations, clever attackers can nudge the model so that it drifts from its intended operational profile.
6
Model Risk
Overfitting
[ eval:1:overfitting ]
The model learns its training dataset so well that it's no longer able to generalize outside of the training set and will perform poorly.
7
Model Risk
Hyperparameters
[ inference:3:hyperparameters ]
An attacker that can control the hyperparameters can manipulate the future training of the machine learning model
8
Model Risk
Hosting
[ nference:4: hosting ]
The server where the model is hosted is insufficiently protected against unauthorized parties.
9
Model Risk
Hyperparameter sensitivity
[ alg:10:hyperparameter sensitivity ]
Sensitive hyperparameters that have been set experimentally may not be sufficient for the intended problem space, and can lead to overfitting.
10
Model Risk
Model theft
[ model:5:steal the box ]
Stealing ML system knowledge is possible through direct input/output observation, enabling attackers to reverse engineer the model.
J
Model Risk
Training set reveal
[ model:4:training set reveal ]
Most ML algorithms learn a great deal about its data and store a representation internally. This data may be sensitive, and can potentially be extracted from the model.
Q
Model Risk
Trojanized model
[ model:2:Trojan ]
Model transfer leads to the possibility that what is being reused may be a Trojaned (or otherwise damaged) version of the model.
K
Model Risk
Improper re-use of model
[ model:1:improper re-use ]
ML models are re-used in transfer situations, where a pre-trained model is specialized toward a new use case. The model may be transferred into a problem space it's not designed for.
A
Model Risk
You have invented your own risk associated with machine learning models.
2
Input Risk
LLM feedback scores
[ LLM:inference:6:feedback scores ]
Some LLM chat systems allow user feedback as a parameter for tuning their system. This can be abused by attackers that give feedback in a coordinated fashion to nudge the ML system.
3
Input Risk
Open to the public
[ LLM:input:3:open to the public ]
An LLM model is often open to the public, which makes it susceptible to attacks from users.
4
Input Risk
Sponge input
[ LLM:input:5:sponge input ]
A sponge attack provides an LLM system with input that is more costly to process than “normal”. Like a Dos attack, as it seeks to exhaust processing budget.
5
Input Risk
Input ambiguity
[ LLM:input:6:input ambiguity ]
English, the main interface language for LLMs, is an ambiguous interface. Natural language can be misleading, making LLMs susceptible to misinformation.
6
Input Risk
Text encoding
[ raw:7:text encoding ]
An ML system engineered with one text encoding scheme in mind might yield surprising results if presented with a differently encoded text.
7
Input Risk
Denial of service
[ system:10:denial of service ]
Denial of Service attacks can have a massive impact on a critical ML system. When an ML system breaks down, recovery may not be possible.
8
Input Risk
User risk
[ inference:5:user risk ]
A user may expose their personal data and their interests to the owners of an ML system when they interact with the system.
9
Input Risk
Dirty input
[ input:3:dirty input ]
Dirty inputs can be hard to process, and may be leveraged by an attacker adding noise in their prompts or in data sources for future training.
10
Input Risk
Controlled input stream
[ input:2:controlled input stream ]
Outside sources of input may be manipulated by an attacker.
J
Input Risk
Looped input
[ input:4:looped input ]
ML system output to the real world may feed back into training data or input, leading to a feedback loop, termed recursive pollution.
Q
Input Risk
Prompt injection
[ LLM:input:2:prompt injection ]
Input manipulation for LLMs. An attacker manipulates a large language model (LLM} through malicious inputs to override initial instructions given in system prompts.
K
Input Risk
Malicious input
[ input:1:adversarial examples ]
Fool a machine learning system by providing malicious input that causes the ML system to make a false prediction or categorization.
A
Input Risk
You have invented your own risk associated with machine learning input.
2
Output Risk
Cry wolf
[ system:6:cry wolf ]
If an ML model is integrated into a security decision and raises too many alarms, its output may be ignored .
3
Output Risk
Black box discrimination
[ system:1:black box discrimination ]
ML systems that operate with high impact decisions based on personal data carry the risk of illegal discrimination based on bias .
4
Output Risk
LLM overreliance
[ OWASP LLM09 ]
Dependence on an LLM without oversight may lead to misinformation and legal concerns. It will also be hard to detect an attack against the LLM system .
5
Output Risk
Inscrutability
[ output:4:inscrutability ]
In far too many cases with ML, nobody is really sure how the trained systems do what they do. This negatively affects trustworthiness .
6
Output Risk
Miscategorization
[ output:3:miscategorization ]
Bad output due to internal bias, malicious input or other attacks may escape into the world .
7
Output Risk
Transparency
[ output:5:transparency ]
It is easier to perform attacks undetected on a black-box system which is not transparent about how it works .
8
Output Risk
Confidence scores
[ inference:3:confidence scores ]
An ML model's confidence scores can help an attacker tweak inputs to make the system misbehave .
9
Output Risk
Wrongness
[ LLM:output:2:wrongness ]
LLMs are stochastic in their nature, and can generate highly convincing misinformation in their attempt to satisfy the prediction of the next tokens from a prompt.
10
Output Risk
Excessive LLM agency
[ OWASP LLM0S ]
An LLM-based system may undertake actions leading to unintended consequences if granted excessive functionality, permissions, or autonomy .
J
Output Risk
Overconfidence
[ system:2:overconfidence ]
An ML model integrated into a system with its output treated as high confidence data may cause a range of unexpected issues .
Q
Output Risk
Error propagation
[ system:5:error propagation ]
When ML output is input to a larger decision process, errors in the ML subsystem may propagate in unforeseen ways .
K
Output Risk
Output manipulation
[ output:1:d i rect ]
An attacker directly manipulates the output stream getting between the ML system and its receiver. This may be hard to detect because models are sometimes opaque .
A
Output Risk
You have invented your own risk associated with machine learning output .
2
Dataset Risk
Metadata
[ raw:10:metadata ]
Metadata may accidentally degrade generalization since a model learns a feature of the meta data instead of the content itself.
3
Dataset Risk
Data rights
[ LLM:raw:4:data rights ]
Copyrighted, privacy protected or otherwise legally encumbered data are scraped from the internet to train ML models. This can lead to expensive legal entanglements.
4
Dataset Risk
Partitioning
[ assembly:4:partitioning ]
Bad data partitions for training, validation and testing datasets may lead to a misbehaving ML system.
5
Dataset Risk
Normalization
[ assembly:3:normalize ]
Normalization changes the nature of raw data, and may destroy the feature of interest by introducing too much bias.
6
Dataset Risk
Annotation
[ assembly:2:annotation ]
The way data is annotated into features can be directly attacked, introducing attacker bias into a system.
7
Dataset Risk
Encoding integrity
[ assembly:1:encoding integrity ]
Pre-processing and encoding of the data can lead to encoding integrity issues if the data has bias or discrimination in its nature.
8
Dataset Risk
Bad evaluation data
[ eval:2:bad eval data ]
A bad evaluation dataset can give unrealistic projections to how the model will perform when it is shipped to production.
9
Dataset Risk
Storage
[ data:4:storage ]
Data may be stored and managed insecurely. Who has access to the data, and why?
10
Dataset Risk
Recursive pollution
[ LLM:raw:1:recursive pollution] ]
An ML model (LLM or other) generates incorrect content that content finds its way into future training data, which can damage the accuracy and reliability of the model.
J
Dataset Risk
Data integrity
[ system:2:data integrity ]
If distributed datasets do not have proper integrity checks in place, data can be tampered with undetected as it passes between components.
Q
Dataset Risk
Data confidentiality
[ raw:1:data confidentiality ]
Sensitive and confidential data that is used for ML training can be disclosed with extraction attacks.
K
Dataset Risk
Data poisoning
[ data:1:poisoning ]
An attacker intentionally manipulates data to disrupt, introduce bias, control or otherwise influence ML training. On the internet, lots of data are already poisoned “by default”.
A
Dataset Risk
You have invented your own risk associated with machine learning datasets.
2
access & secrets
We grant permissions to 3rd parties (e.g. CI/CD systems), but do not review them regularly.
3
access & secrets
Our secrets are long-lived and can be reused when they get leaked.
4
access & secrets
We don't enforce strong passwords for cloud access, so brute-forcing is possible.
5
access & secrets
We (as developers) have access to technical credentials.
6
access & secrets
We don't propagate changes in permissions quickly enough throughout the whole system.
7
access & secrets
We can't trace back whether authenticated users/developers granted themselves additional permissions.
8
access & secrets
We don't restrict permissions (developers, technical users) to the minimum, allowing for a privilege escalation.
9
access & secrets
Our Identity and Access Management lets authenticated users/developers grant themselves additional permissions.
10
access & secrets
We don't enforce MFA for developer access.
J
access & secrets
Our deployment artifacts contain secrets that can be extracted.
Q
access & secrets
Our Identity and Access Management is too complex.
K
access & secrets
We don't use an established solution for credential management.
A
access & secrets
Our source code contains secrets.
2
delivery
We don't know the versions of our dependencies or whether they are up to date.
3
delivery
We include unneeded dependencies when deploying our system (test, build, compile-time dependencies).
4
delivery
We don't know the source repository of our dependencies.
5
delivery
We don't know how a new version of a dependency changes our system.
6
delivery
Our system can be re-deployed by a change in an external dependency.
7
delivery
We don't know whether our dependencies introduce security issues.
8
delivery
We use outdated dependencies of our runtime platform (OS, container image, serverless runtime).
9
delivery
We use untrustworthy dependencies (unmaintained, used by too few people, developed by single developers, ...).
10
delivery
We don't limit ingress or egress when running CI pipelines.
J
delivery
We don't know when someone injects code into our codebase.
Q
delivery
We are not certain which code/artifacts we are deploying.
K
delivery
We won't notice when a deployment is started from a developer account.
A
delivery
We won't notice when someone alters the deploy pipeline.
2
recovery
We do not have (printed) documentation how to restore from backups.
3
recovery
We have backups but do not check regularly whether we can restore them or not.
4
recovery
We have no backups for our infrastructure (IaC and its state).
5
recovery
We have no backups of our application data.
6
recovery
We have no backups for our secrets.
7
recovery
We cannot restore our infrastructure to a previous state.
8
recovery
We cannot restore our application to a previous state.
9
recovery
We cannot restore our complete environment to a previous state.
10
recovery
We don't create backups before deleting important data.
J
recovery
All our backups can be destroyed at once, due to lack of redundancy.
Q
recovery
We can't tell whether our backup has been modified.
K
recovery
We can have the same person deleting resources and their backups.
A
recovery
We have no disaster recovery plan.
4
monitoring
We receive too many alerts, leading to desensitization and the risk of missing critical alerts.
5
monitoring
We don't restrict access to the sensitive parts of our logs.
6
monitoring
We can't easily identify useful information in logs.
7
monitoring
We won't get an alert if an end user generates huge cloud bills for us.
8
monitoring
We don't notice if an authenticated attacker/developer deactivates or manipulates our tools for traceability.
9
monitoring
We don't know if an authenticated attacker/developer accessed the production environment.
10
monitoring
We cannot react to problems in time because our monitoring has blind spots.
J
monitoring
We need too long to figure out what an alert means.
Q
monitoring
We do not know how to react when our monitoring sends alerts.
K
monitoring
We can't access our logs if the production environment goes down.
A
monitoring
We write secrets/personal data to our logs.
4
resources
We can't get contacted by our cloud provider in case of emergency.
5
resources
We don't regularly check compliance with our internal policy for using/configuring cloud resources.
6
resources
We have not configured any rate limits for our services.
7
resources
We have no configured resource limits.
8
resources
We can deploy applications with excessive capabilities.
9
resources
Our whole system can be affected by a single rogue service.
10
resources
We don't control ingress traffic.
J
resources
We don't control egress traffic.
Q
resources
Our production and staging environments are connected, either directly or indirectly (e.g. via CI/CD).
K
resources
Our cloud resources are publicly exposed without any need.
A
resources
We have no clear policy for using/configuring cloud resources.