Chapter 3 - Vulnerabilities and threat models    Page | 53
3.5.5 Denial of service:
One of the main threats is to the availability of the service itself: bringing the site, application or service down. The threat is realised by consuming the resources the application has available, either with individually heavy requests (downloads of large files, expensive queries or searches) or, where the application offers no facility for individually heavy requests, by generating a very large number of ordinary requests.
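Both shapes of the threat above (a handful of expensive requests, or a flood of cheap ones) can be modelled with one control: a per-client token bucket that is charged by the cost of each request rather than by request count. The following is an added example, not code from the chapter; the request-cost table, the bucket size and refill rate, and the request traces are all constructed for illustration and the clock is simulated so the run is deterministic.

```python
from dataclasses import dataclass, field

# Constructed cost table (assumed, not from the original text): how many
# "work units" each request type consumes on the server.
REQUEST_COST = {
    "page": 1,      # cheap static or cached page
    "search": 8,    # full-text search over many rows
    "export": 25,   # large file generation / download
}


@dataclass
class CostBudget:
    """Token bucket that charges per request *cost*, not per request.

    Charging by cost covers both attack shapes in the text: a few heavy
    requests drain the bucket quickly, and a flood of cheap requests
    drains it one unit at a time.
    """
    capacity: float         # work units a client may spend in a burst
    refill_per_sec: float   # work units restored per second
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self):
        self.tokens = self.capacity
        self.last = 0.0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now

    def allow(self, request_type, now):
        """Return True and charge the bucket if the client can afford the request."""
        cost = REQUEST_COST[request_type]
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class Limiter:
    """One bucket per client, so one abuser cannot exhaust another client's budget."""

    def __init__(self, capacity=50.0, refill_per_sec=5.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def handle(self, client, request_type, now):
        bucket = self.buckets.setdefault(client, CostBudget(self.capacity, self.refill_per_sec))
        return bucket.allow(request_type, now)


def simulate(trace, capacity=50.0, refill_per_sec=5.0):
    """Replay a (timestamp, client, request_type) trace; return (accepted, rejected)."""
    limiter = Limiter(capacity, refill_per_sec)
    accepted = rejected = 0
    for now, client, kind in trace:
        if limiter.handle(client, kind, now):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


# Constructed traces (assumed). Timestamps are simulated seconds.
HEAVY_TRACE = [(0.0, "attacker-a", "export")] * 4               # few heavy requests
FLOOD_TRACE = [(0.0, "attacker-b", "page")] * 120               # many cheap requests
NORMAL_TRACE = [(float(t), "user", "page") for t in range(10)]  # one page per second

if __name__ == "__main__":
    for name, trace in [("heavy", HEAVY_TRACE), ("flood", FLOOD_TRACE),
                        ("normal", NORMAL_TRACE), ("flood+normal", FLOOD_TRACE + NORMAL_TRACE)]:
        print(name, simulate(trace))
```

With a budget of 50 units refilled at 5 per second, the attacker sending exports gets two through before being refused, the attacker flooding pages gets fifty, and the ordinary user at one page per second is never refused even while the flood is running, because the buckets are per client. In production the `now` argument would come from a monotonic clock and the budget would be keyed on something harder to forge than a client-supplied identifier.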
3.5.6 Elevation of privilege:
In an application each user has a specific role with specific privileges. A user acting maliciously to elevate his or her privileges is considered one of the biggest threats, because it can give an attacker the ability to take over and fully control the application.
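The two most common ways a user elevates a role in practice are a privilege check that trusts a role value sent by the client, and a profile update that copies every submitted field (including the role) onto the stored record. The following is an added example, not code from the chapter: it shows each weak handler next to its hardened form. The session store, bearer tokens, user records and field names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str   # assigned by the server at login; the client never supplies it


# Constructed server-side session store keyed by bearer token (assumed, not from the text).
SESSIONS = {
    "tok-alice": Session("alice", "user"),
    "tok-bob": Session("bob", "admin"),
}

ROLE_RANK = {"user": 1, "admin": 2}

# Fields a user may change on their own profile; 'role' is deliberately absent.
PROFILE_FIELDS = {"display_name", "email"}


def delete_user_vulnerable(request):
    """Pattern 1: the privilege check trusts a 'role' field sent by the client.

    Any user who adds role=admin to the request body passes the check.
    """
    if request.get("role") != "admin":
        return 403, "forbidden"
    return 200, f"deleted {request['target']}"


def delete_user_hardened(request):
    """Identity and role come only from the server-side session looked up by
    token; whatever 'role' the client sends is ignored."""
    session = SESSIONS.get(request.get("token"))
    if session is None:
        return 401, "unauthenticated"
    if ROLE_RANK.get(session.role, 0) < ROLE_RANK["admin"]:
        return 403, "forbidden"
    return 200, f"deleted {request['target']}"


def update_profile_vulnerable(token, fields, users):
    """Pattern 2: mass assignment. Every submitted field is copied onto the
    stored record, so a submitted 'role' silently promotes the caller."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, users
    record = {**users[session.user_id], **fields}
    return 200, {**users, session.user_id: record}


def update_profile_hardened(token, fields, users):
    """Only allow-listed fields may be written. Unknown fields are rejected
    outright rather than dropped, so the attempt shows up in logs."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, users
    if set(fields) - PROFILE_FIELDS:
        return 400, users
    record = {**users[session.user_id], **fields}
    return 200, {**users, session.user_id: record}


# Constructed inputs (assumed).
USERS = {"alice": {"display_name": "Alice", "email": "alice@example.test", "role": "user"}}
SPOOFED = {"token": "tok-alice", "role": "admin", "target": "bob"}   # alice claims admin
LEGIT = {"token": "tok-bob", "role": "admin", "target": "alice"}      # bob really is admin

if __name__ == "__main__":
    print(delete_user_vulnerable(SPOOFED), delete_user_hardened(SPOOFED))
    print(update_profile_vulnerable("tok-alice", {"role": "admin"}, USERS)[1]["alice"]["role"])
    print(update_profile_hardened("tok-alice", {"role": "admin"}, USERS)[0])
```

The hardened handlers share one rule: the role used for a decision is read from state the server controls and is never derived from request content. The update handler returns 400 instead of quietly discarding the extra field so that attempts at elevation are visible rather than swallowed.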
3.6 Threats and vulnerabilities models - DREAD
Another effective method commonly used to classify threats is to derive a quantitative value that represents the risk. The risk value is calculated from the estimated values of the following factors:
Damage potential: the level of damage caused if the threat is exploited. The level is estimated as follows:
Level | Value
No damage | 0
User data is compromised or affected | 5
Complete destruction of data or system | 10
Reproducibility: how easy it is to reproduce the exploit of the threat:
Level | Value
Very hard to reproduce | 0
One or two steps to reproduce | 5
Easy to reproduce | 10
Exploitability: the tools, knowledge and techniques needed to exploit the threat:
Level | Value
Advanced knowledge and advanced tools | 0
Available tool and easy to perform | 5
Very simple tool (only a browser) | 10
Affected users: how many users are affected by the threat:
Level | Value
None | 0
Some users | 5
All users | 10
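To turn the rubric tables above into a ranking, each threat's levels are mapped to their 0/5/10 values and combined into one risk figure. The following is an added example, not code from the chapter. It encodes the four factor tables shown here; the fifth DREAD factor, Discoverability, is not reached in this part of the chapter, so its three levels are an assumption of this example, as is the aggregation (the mean of the factor values, which is the common DREAD form). The three threats scored are constructed for illustration and their level choices are illustrative only.

```python
from dataclasses import dataclass

# Rubric for each DREAD factor. The first four tables are the ones in the text
# (each level maps to 0, 5 or 10). Discoverability is not shown in this part of
# the chapter; its levels below are an assumption of this example.
RUBRIC = {
    "damage": {
        "no damage": 0,
        "user data compromised or affected": 5,
        "complete destruction of data or system": 10,
    },
    "reproducibility": {
        "very hard to reproduce": 0,
        "one or two steps": 5,
        "easy to reproduce": 10,
    },
    "exploitability": {
        "advanced knowledge and tools": 0,
        "available tool, easy to perform": 5,
        "only a browser": 10,
    },
    "affected_users": {"none": 0, "some users": 5, "all users": 10},
    "discoverability": {                      # assumed rubric, not from the text
        "very hard to discover": 0,
        "findable with some effort": 5,
        "obvious from the outside": 10,
    },
}


@dataclass(frozen=True)
class Threat:
    name: str
    damage: str
    reproducibility: str
    exploitability: str
    affected_users: str
    discoverability: str


def factor_values(threat):
    """Map each factor's level to its rubric value. Levels not in the rubric
    raise, so a typo cannot silently score as 0 and push a threat down the list."""
    values = {}
    for factor, table in RUBRIC.items():
        level = getattr(threat, factor)
        if level not in table:
            raise ValueError(f"{factor}: unknown level {level!r}; expected one of {sorted(table)}")
        values[factor] = table[level]
    return values


def score(threat):
    """DREAD risk as the mean of the five factor values, on a 0..10 scale.
    The chapter excerpt does not state the aggregation; the mean is assumed here."""
    values = factor_values(threat)
    return sum(values.values()) / len(values)


def rank(threats):
    """Highest risk first; equal scores keep their input order."""
    return sorted(threats, key=score, reverse=True)


# Constructed threats (assumed) for an application like the one discussed in 3.5.
THREATS = [
    Threat("search flood (denial of service)",
           "user data compromised or affected", "easy to reproduce",
           "available tool, easy to perform", "all users", "obvious from the outside"),
    Threat("role accepted from client (elevation of privilege)",
           "complete destruction of data or system", "easy to reproduce",
           "only a browser", "all users", "findable with some effort"),
    Threat("race condition in report export",
           "user data compromised or affected", "very hard to reproduce",
           "advanced knowledge and tools", "some users", "very hard to discover"),
]

if __name__ == "__main__":
    for t in rank(THREATS):
        print(f"{score(t):4.1f}  {t.name}  {factor_values(t)}")
```

Keeping the rubric as data rather than as numbers scattered through the threat list is the point: reviewers argue about which level applies, not about which digit someone typed, and the per-factor breakdown from `factor_values` shows why one threat outranks another.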