17: Web app threats and vulnerabilities
Lab-17 Misuse Cases 1-Intro 2 3 4 5


Lab-2.1 JS Intro Lab-2.2 JS Basics Lab-3 JQuery Lab-4.1 Github API Lab-4.2-FoureSquare API Lab-5 Applications Lab-6 Views Lab-7 Sessions Lab-8 Models Lab-9 Validation Lab-10 Deployment Lab-11 Seeding Lab-12 Apis Lab-13 GPG Lab-14 OpenSSL and Certificates Lab-15 TLS Configuration Lab-16 Tdd Lab-17 Misuse Cases Lab-18 Rest Lab-19 Authentication techniques Lab-19 Java Rest Client Lab-Aurelia 1 Lab-Burp-Proxy Regular Expressions XSS tips Lab-Aurelia 2 Lab-Aurelia 3 Aurelia Lab 3 TS Lab-Aurelia 4 Lab-Aurelia 4 TS Lab-Hapi-JWT Lab-Aurelia 5 Lab-Aurelia 5 TS

Objectives

The focus of this lab is this first part of the security assignment, which is broken down into the following steps:

  1. Specify requirements for a web application development scenario
  2. Define normal use cases
  3. Define abuse cases
  4. Augment the requirements and use cases in (a) & (b) to mitigate the threats identified

Threat modelling using misuse cases

Several software vulnerabilities are caused by poor specification of requirements, poor design and/or poor testing rather than specific programming flaws. It is important to consider security at all stages of the software development lifecycle.

For the purpose of the assignment, you are asked to specify and analyse requirements for a software system of your choice. Besides specifying basic functionality, you should concentrate on security requirements and use threat modelling to help put together those requirements. In particular you should specify what are known as misuse cases (also called abuse cases).

Requirements

Specify requirements for a software system of your choice. Make sure that it is simple enough to be specified fully in one or two pages of requirements, but sophisticated enough to be interesting – i.e. there should be at least two different types of user (actors); there should be a variety of functions, some of which are restricted to certain users; some of the functions should be multi-step (for example, a transaction might combine an order function with a payment function). You may think in terms of an application you have developed yourself (perhaps enhanced a bit) or something completely different.

This should be done in text, using bulleted or numbered lists as appropriate.

Some application ideas (but feel free to choose your own!)

  • Online donations
  • Online community (social network)
  • Online shop
  • Sports club (booking facilities)
  • Hotel
  • International student application system
  • Garage (booking a car service)
  • Bank ATM
  • Event ticket sales
  • Microblogging (like Twitter)
  • Online auction
  • Sports event registration (e.g. marathon)
  • Library
  • Courier service (DHL, FedEx, Parcel Motel, etc)
  • Pay per view TV
  • Take away food ordering system
  • Employee timekeeping (clocking in/out etc)
  • Student exam results system
  • Art gallery

Define normal use cases

This requires you to define the (benign) actors and how they interact with the system.

For a good concise description of Use Cases, see this extract from UML Distilled, by Martin Fowler.

Note that use cases are not just diagrams. They require a diagram plus a description (according to a standard template).

You can use any drawing tool you wish for use case diagrams. The following are probably the two best options

draw.io

Visual Paradigm

Define misuse cases

Define a selection of misuse cases using diagrams and supporting text. This will likely involve some new actors. You might wish to consider both external and internal attackers.

Example

Mitigation

Augment the requirements and use cases to mitigate the threats posed by the misuse cases.

Example

Powered by tutors-ts. Unless otherwise stated, this work is licensed under a Creative Commons Attribution 4.0 International License.