Misbehaviour LossOfClientTW

URI: LossOfClientTW

Description: A malicious actor is able to access the related service and authenticate as the related client. This means the attacker is able to send requests to the service, and either the attacker has access to client credentials or the service fails to authenticate before allowing access.

This misbehaviour affects the trustworthiness attribute ClientTW

AuthChannel

Represents a trust relationship between a Client and a Service. Exists where the two exchange authorization tokens but not necessarily other credentials.

CC.R.CACvsCCS.1

Authenticated access as Client to service Service: anyone who has access to Service and can authenticate as Client can gain authenticated access to Service as Client.

CC.R.CCCS-i.1

CC.R.HuoStCCCS.1

Malicious action by insider Human using Client to access Service: if user Human of client process Client is malicious, they can abuse the right of Client to access service Service.

CC.R.HuStCCCS.1

Malicious action by employee of Employer using Client to access Service: user Human of client process Client may be persuaded by their employer Employer to abuse the right of Client to access service Service.

CC.R.CDBSC.4

Query injection at Service into back end DB: an attacker having exploited a bug in Service when connected to DB, is able to send arbitrary queries to DB. This is modelled as an adverse behaviour in the inferred client channel representing their trust relationship, fulfilling the precondition for further threats using injected queries to access or alter data stored by DB.

(empty)

CC.AuC.CACSScS.1

Possible access to Process by compromised or impersonated client Client of Service: if service Process redirects clients to service Service for authentication, an attacker able to access Service as Client will be able to obtain credentials from Service allowing them to authenticate to Process as Client. Note that this does not necessarily mean they can access service Process, only that the client credentials are compromised.

CC.AuD.CCCSCCS-i.3

Confused deputy as Client via Service: if service Service has access to a back-end service Process that is not normally available to Client, an untrustworthy client may send a malicious request to Service that to gain inappropriate access to Process.

CC.AuP.CCCPCCS-i.3

Access by Client to Process via reverse proxy Service: if client Client has access to service Process via reverse proxy Service, and Client is an untrustworthy client (due to impersonation or compromise), then so (in a more limited sense) is Service.

CC.AX.CCCS.6.3

Disabling access by untrustworthy client Client to Service affects availability: access by client Client to service Service may be disabled to prevent access by a malicious or compromised client, but this affects the availability of client-service connections.

DF.A.CCDFSC.6.3

Flow of data Data from FlowsFrom to FlowsTo via untrustworthy process Client disabled: if the system operates a policy to disable the flow of data Data from FlowsFrom if there is a perceived loss of trustworthiness in the recipient Client, then there will also be a loss of availability if Client is untrustworthy.

DF.Auth.AC-iDF-VCS.3.2

Compromised or impersonated client Client injects fake content into the flow of data Data from FlowsFrom to FlowsTo between Client and Service: if an attacker can compromise or impersonate client Client, they can inject fake data in messages to Service.

DF.Auth.AC-iDFVFC.3.6

Compromised client Client injects fake content into the encrypted flow of Data to/via Service: if an attacker can compromise client Client, they can access its cryptographic key and alter data Data flowing between Client and FlowsTo.

DF.Auth.AC-iDF-VFC.3.6

DF.Auth.CCCSDF-VCCS-i.3

Flow of data from/via Process forged by compromised client Client via confused deputy Service: if client Client does not send data Data to its service Service, it is still possible to inject false content into the data flow via service Service using a confused deputy attack. The attack itself is responsible for the upstream loss of DeputyUserTW (see threat causes).

DF.Auth.CCCSPDF-VCCS-i.3

Flow of data from/via Process forged by compromised client Client via confused deputy Proxy: if client Client is compromised or impersonated, and does not send data Data via its service Proxy, it is still possible to get the data indirectly using a confused deputy attack via Proxy and Service. The attack itself is responsible for the upstream loss of DeputyUserTW (see threat causes), in this case propagated by at least one reverse proxy.

DF.C.AC-iDF-VSC.3.2

Compromised or impersonated client Client reads data Data flowing from FlowsFrom to FlowsTo when sent from Service: if an attacker can compromise or impersonate Client, they can read Data sent by FlowsFrom to FlowsTo in messages from Service.

DF.C.AC-iDFVTC.3.6

Compromised client Client reads the encrypted flow of Data from/via Service: if an attacker can compromise client Client, they can they can access its cryptographic key and read data Data flowing to Client from FlowsFrom.

DF.C.AC-iDF-VTC.3.6

DF.C.CCCSCCSDF-Vi.3

Flow of data from/via Process leaked to compromised client Client via confused deputy Service: if service Service does not send data Data to its client Client , it is still possible for the client to request the data flow using a confused deputy attack against Service. The attack itself is responsible for the upstream loss of DeputyUserTW (see threat causes).

DF.C.CCCSPCCSDF-Vi.3

Flow of data from/via Process leaked to compromised client Client via confused deputy Proxy: if client Client is compromised or impersonated, and does not receive data Data from its service Proxy, it is still possible to get the data indirectly using a confused deputy attack via Proxy and Service. The attack itself is responsible for the upstream loss of DeputyUserTW (see threat causes), in this case propagated by at least one reverse proxy.

DF.O.CCDFSFC.3

Compromised client Client sends excessive data Data to/via Service: if Client is the source of a flow of data Data which is sent to or via service Service, then if an attacker or malicious user can access Service as Client, they can send too much data, aiming to overload the data flow destination FlowsTo.

DF.O.CCDFSTC.3

Compromised client Client requests excessive data Data from/via Service: if Client is the destination of a flow of data Data which is sent from or via service Service, then if an attacker or malicious user can access Service as Client, they can request too much data, aiming to overload the data flow source FlowsFrom.

DS.A.CDBSCDSF.4

Malicious query from Client via database Service deletes data Data: an attacker having the ability to send arbitrary queries to Service from or via Client injects a query to delete data Data. In this scenario, an update/deletion query on Data could be expected to come via Client, so the attack cannot be prevented using database access controls at Service.

DS.A.CDBSC-DSF.4

Malicious query from Client via database Service deletes data Data : an attacker having the ability to send arbitrary queries to Service from or via Client injects a query to delete data Data. In this scenario, an update/deletion query on Data would not be expected to come via Client, so the attack can be prevented using database access controls at Service.

DS.Auth.CDBSC-DSF.4

Malicious query from Client via database Service alters data Data : an attacker having the ability to send arbitrary queries to Service from or via Client injects a query to alter data Data. In this scenario, an update query on Data would not be expected to come via Client, so the attack can be prevented using database access controls at Service.

DS.Auth.HPsACdDSCCV.1

Use of Process to access Data stored on Host: someone with the rights of Process on its host device Host, and able to obtain a key from Vault can exploit the rights of Process to alter the locally stored copy of Data.

DS.C.CDBSC-DST.4

Malicious query from Client via database Service leaks data Data : an attacker having the ability to send arbitrary queries to Service from or via Client injects a query to retrieve data Data. In this scenario, a selection query for Data would not be expected to come via Client, so the attack can be prevented using database access controls at Service.

DS.C.HPsACrDSCCV.1

LS.L.HLSISC.1

Access to LogicalSubnet as CHost via EAP authenticator process Service: an attacker who can authenticate with process Service can connect to subnet LogicalSubnet.

P.L.CCCLnSAC.1

Compromise or impersonation of Client allows access to SHost via Service: if anyone can access Service as Client, then because Service is a remote access service, they can access SHost.

P.L.CCCSAC.3

Remote control of Service using a back door from Client: if a back door has previously been installed in service Service, an attacker with control of client Client can exploit the back door to gain access to the rights of Service on its host SHost.

DF.Auth.AC-iDFVFC.2.6

Client Client on stolen host CHost injects fake content into the encrypted flow of Data via Service: if an attacker has possession of host CHost and can access client Client, they can access its cryptographic key and inject malicious content into the flow of Data from Client to FlowsTo.

DF.Auth.AC-iDF-VFC.2.6

DF.C.AC-iDFVTC.2.6

Client Client on stolen host CHost reads the encrypted flow of Data from/via Service: if an attacker has possession of host CHost and can access client Client, they can they can access its cryptographic key and read data Data flowing to Client from FlowsFrom.