At it’s core, an Attack Library is a list of all possible attacks against a component of your design. We use it almost like a checklist when Attack Modeling, to determine which attacks are going to be attempted against the application or system.
See if you can guess which application feature this Attack Library is for:
| Attack | Description |
|---|---|
| Malware upload | Attacker uploads file that contains malware, which could compromise the file parser or users who download or execute the file |
| Web shell upload | Attacker uploads web shell, which is exposed by the web server and runs in the service account’s context |
| Server side request forgery (SSRF) | Attacker uploads a file that makes a request to internal resources and exposes them |
| Exploit parser weakness | Attacker uploads a large, malformed or zip-bombed file that causes a denial of service |
| File descriptor exhaustion | Attacker uploads many files, which exhausts the available file descriptors and causes a denial of service |
| Directory traversal | Attacker exploits a path issue to upload malware outside of web root |
| Override web server config | Attacker uploads a web server configuration file that is used instead of the correct file |
| Bypass Content-Type validation | Attacker changes MIME type to bypass filters and upload malware |
| Access plaintext file | Attacker with file system privileges accesses unencrypted, sensitive file |
| Unauthorised access to file | Attacker exploits weak access controls to access another user’s file |
| Stored XSS | Attacker exploits output encoding issue to execute malicious script embedded in the file |
| HTML injection | Attacker exploits output encoding issue to execute HTML embedded in the file |
| Unauthorised upload | Attacker without permissions uploads a file |
| XML External Entity (XXE) injection | Attacker uploads XML file that references and leaks internal files |
| Command injection | Attacker exploits file handling to run system commands on the server |
| SQL injection | Attacker exploits database that the file might be stored in |
If you said File Upload, you’re correct! Did I miss any file upload attacks? Let me know.
Using an Attack Library is one of the things that saves the most time when Attack Modeling, and is the key difference when we compare Attack Modeling to Threat Modeling. Each component of a design has an associated Attack Library.
“Success depends upon previous preparation, and without such preparation, there is sure to be failure.” — Confucius
There are other uses for Attack Libraries too: when pentesting, it’s helpful to have at the front of your mind which types of attacks you might want to try against a components of an app or system. Having an Attack Library handy for the relevant features allows you to rely less on memory and more on preparation.
Once you have an Attack Library that includes each component of your application, network or other system, they are completely reusable for your next project. Feel free to borrow the one in this post for your own file upload feature.
I’m Gene. I use my software engineering and red team experience to drive security uplift initiatives. Most recently I led the offensive …
More
This Attack Model maps potential attack vectors in a typical forgotten password …
STRIDE has not aged well… I’ve seen first-hand the …
A few years ago I was brought in to help with …
Let me tell you a story… A few years ago, I was …
The news of Hezbollah agents being targeted with …