Chapter 3 - Vulnerabilities and threat models | Page 53
3.5.5 Denial of service:
One of the main threats to an application is loss of availability, that is, bringing the site, application or service down. The threat is realised by consuming the resources the application has available, either with individually heavy requests (downloads of large files, expensive queries or searches) or, if the application does not let a single client issue such heavy requests, by generating a very large number of ordinary requests.
3.5.6 Elevation of privileges:
In an application each user has a specific role with specific privileges. A user maliciously elevating his or her privileges is considered one of the major threats, because it can give an attacker the ability to take over and completely control the application.
3.6 Threats and vulnerabilities models - DREAD
Another effective and commonly used method of classifying threats is to derive a quantitative value that represents the risk. The risk value is calculated from the estimated values of the following factors:
Damage potential: refers to the level of damage caused if the threat is exploited. The level is estimated as follows:

Level | Value
No damage | 0
User data is compromised or affected | 5
Complete destruction of data or system | 10
Reproducibility: this factor describes how easy it is to reproduce the exploit of the threat:

Level | Value
Very hard to reproduce | 0
One or two steps to reproduce | 5
Easy to reproduce | 10
Exploitability: the tools, knowledge and techniques needed to exploit the threat:

Level | Value
Advanced knowledge and advanced tools | 0
Available tool and easy to perform | 5
Very simple tool (only a browser) | 10
Affected users: refers to the users that are affected by the threat:

Level | Value
None | 0
Some users | 5
All users | 10
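The following Python is an added worked example, not code from the original chapter. It encodes the four factor rubrics tabulated above as level-to-value maps, so that a reviewer selects a level description rather than inventing a number, validates the selections, and ranks a set of threats. The combination rule used here (the arithmetic mean of the factor values, giving a score from 0 to 10) and the Low/Medium/High bands are assumptions chosen for illustration; the sample threats are constructed from the denial of service and elevation of privilege descriptions in sections 3.5.5 and 3.5.6.

```python
"""DREAD-style scoring over the four factors tabulated above.

Added example; not from the original chapter. The 0/5/10 levels follow the
tables on this page. The combination rule (arithmetic mean of the factor
values) and the Low/Medium/High bands are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean

# Per-factor rubrics, copied from the tables above. Each maps a level
# description to its value so a reviewer picks a level, not a number.
DAMAGE = {
    "No damage": 0,
    "User data is compromised or affected": 5,
    "Complete destruction of data or system": 10,
}
REPRODUCIBILITY = {
    "Very hard to reproduce": 0,
    "One or two steps to reproduce": 5,
    "Easy to reproduce": 10,
}
EXPLOITABILITY = {
    "Advanced knowledge and advanced tools": 0,
    "Available tool and easy to perform": 5,
    "Very simple tool (only a browser)": 10,
}
AFFECTED_USERS = {
    "None": 0,
    "Some users": 5,
    "All users": 10,
}
RUBRICS = {
    "damage": DAMAGE,
    "reproducibility": REPRODUCIBILITY,
    "exploitability": EXPLOITABILITY,
    "affected_users": AFFECTED_USERS,
}


@dataclass(frozen=True)
class Threat:
    name: str
    damage: str
    reproducibility: str
    exploitability: str
    affected_users: str


def factor_values(threat: Threat) -> dict:
    """Resolve each chosen level to its 0/5/10 value, rejecting unknown levels."""
    values = {}
    for factor, rubric in RUBRICS.items():
        level = getattr(threat, factor)
        if level not in rubric:
            raise ValueError(f"{threat.name}: unknown {factor} level {level!r}; "
                             f"expected one of {list(rubric)}")
        values[factor] = rubric[level]
    return values


def dread_score(threat: Threat) -> float:
    """Assumed combination rule: arithmetic mean of the factor values (0..10)."""
    return mean(factor_values(threat).values())


def rating(score: float) -> str:
    """Assumed bands for turning the numeric score into a label."""
    if score >= 7.5:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank(threats: list) -> list:
    """Order threats by score, highest first, to prioritise mitigation work."""
    scored = []
    for threat in threats:
        score = dread_score(threat)
        scored.append((threat.name, score, rating(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threats drawn from sections 3.5.5 and 3.5.6 above.
SAMPLE_THREATS = [
    Threat("Resource exhaustion via heavy search queries",
           damage="User data is compromised or affected",
           reproducibility="Easy to reproduce",
           exploitability="Very simple tool (only a browser)",
           affected_users="All users"),
    Threat("Privilege elevation to administrator role",
           damage="Complete destruction of data or system",
           reproducibility="One or two steps to reproduce",
           exploitability="Advanced knowledge and advanced tools",
           affected_users="All users"),
]

if __name__ == "__main__":
    for name, score, label in rank(SAMPLE_THREATS):
        print(f"{score:5.2f}  {label:6}  {name}")
```

Because the rubric maps descriptions to values, a selection outside the table (for example a level of 7, or a misspelt description) is rejected up front rather than silently skewing the ranking.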