Threat CC.AuD.CCCSCCS-i.3

URI: CC.AuD.CCCSCCS-i.3

Package: ProcessComms

< prev | next >

Description: Confused deputy as Client via Service: if service Service has access to a back-end service Process that is not normally available to Client, an untrustworthy client may send a malicious request to Service that to gain inappropriate access to Process.

Threat Type: Primary Threat

Matching Pattern:

CC.AuD.CCCSCCS-i.3
MP-CCCSCCS-i

Finds a client accessing a service that uses another service, via the associated client channels, where indirect access by the client is not authenticated by the second service.

        (empty)

        (empty)

        (empty)

CSG-AutoSuspendUntrustworthyClientAccess

Access to service Service by client Client may be automatically disabled to prevent authenticated attacks by compromised clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats but it also triggers other threats representing possible side effects, depending on how likely it is that the contingency plan will need to be activated.

CSG-AutoSuspendUntrustworthyClientAccess-Implementation-Runtime

Access to service Service by client Client has been automatically disabled to prevent authenticated attacks by compromised clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. Activation at runtime requires Service to be managed by a suitable adaptation framework. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again.

CSG-IgnoreConfusedDeputyAttack

Signifies that Service can be considered immune to a confused deputy attack that does not involve exploitation of a software vulnerability. This should be used when Service is programmed in such a way that it can only access a back-end service for specific clients. Do not use this if access to back-end services require OIDC- or OAuth-style tokens issued to the client - in that case add the OIDC/OAuth service along with the appropriate relationships from the client and to the back-end service(s).

CSG-SuspendUntrustworthyClientAccess

Access to service Service by client Client may be temporarily disabled by the process manager ServiceManager to prevent authenticated attacks by compromised or impersonated clients, at the cost of some reduction in availability. This strategy represents a contingency plan, which can be used to reduce risk from some threats. However, it also triggers other threats representing side effects of the policy change, based on how likely it is that the contingency plan will need to be activated.

CSG-SuspendUntrustworthyClientAccess-Implementation-Runtime

Access to service Service by client Client is disabled by the process manager ServiceManager to prevent authenticated attacks by compromised clients. This strategy represents activation of a contingency plan at runtime, and can be selected to discover what effect this would have on risk levels, allowing this to be used for decision support calculations. To activate it at runtime, signal the process manager ServiceManager. The Disable Client Access control should be deselected if and when access by Client to Service has been enabled once again.