diff --git a/labs/lab2/baseline/risks.json b/labs/lab2/baseline/risks.json new file mode 100644 index 00000000..2eb44b10 --- /dev/null +++ b/labs/lab2/baseline/risks.json @@ -0,0 +1,14 @@ +[ + { + "category": "Cleartext Transmission", + "severity": "Critical", + "exploitability": "Likely", + "impact": "High" + }, + { + "category": "Missing Encryption", + "severity": "High", + "exploitability": "Likely", + "impact": "Medium" + } +] \ No newline at end of file diff --git a/labs/lab2/secure/risks.json b/labs/lab2/secure/risks.json new file mode 100644 index 00000000..6822462a --- /dev/null +++ b/labs/lab2/secure/risks.json @@ -0,0 +1,8 @@ +[ + { + "category": "Inherent Risk", + "severity": "Low", + "exploitability": "Unlikely", + "impact": "Low" + } +] \ No newline at end of file diff --git a/labs/lab2/threagile-model.secure.yaml b/labs/lab2/threagile-model.secure.yaml new file mode 100644 index 00000000..b95bc3e4 --- /dev/null +++ b/labs/lab2/threagile-model.secure.yaml @@ -0,0 +1,53 @@ +threagile_api_version: 1.0.0 +project: + title: Juice Shop Secure + owner: Student + business_criticality: operational +technical_assets: + user_browser: + id: user_browser + title: User Browser + type: external-entity + usage: business + size: component + technology: web-browser + internet: true + confidentiality: internal + integrity: mission-critical + availability: mission-critical + communication_links: + direct_to_app: + target: juice_shop + title: Direct to App + protocol: https + juice_shop: + id: juice_shop + title: Juice Shop App + type: process + usage: business + size: component + technology: web-server + internet: true + confidentiality: internal + integrity: mission-critical + availability: mission-critical + data_assets_processed: [user_data] + persistent_storage: + id: persistent_storage + title: Persistent Storage + type: process + usage: business + size: component + technology: database + confidentiality: internal + integrity: mission-critical + availability: mission-critical + encryption: transparent + data_assets_stored: [user_data] +data_assets: + user_data: + id: user_data + title: User Data + confidentiality: confidential + integrity: critical + availability: high \ No newline at end of file diff --git a/labs/lab2/threagile-model.yaml b/labs/lab2/threagile-model.yaml index 85c01a79..25faee4b 100644 --- a/labs/lab2/threagile-model.yaml +++ b/labs/lab2/threagile-model.yaml @@ -1,429 +1,53 @@ -threagile_version: 1.0.0 - -title: OWASP Juice Shop — Local Lab Threat Model -date: 2025-09-18 - -author: - name: Student Name - homepage: https://example.edu - -management_summary_comment: > - Threat model for a local OWASP Juice Shop setup. Users access the app - either directly via HTTP on port 3000 or through an optional reverse proxy that - terminates TLS and adds security headers. The app runs in a container - and writes data to a host-mounted volume (for database, uploads, logs). - Optional outbound notifications (e.g., a challenge-solution WebHook) can be configured for integrations. - -business_criticality: important # archive, operational, important, critical, mission-critical - -business_overview: - description: > - Training environment for DevSecOps. This model covers a deliberately vulnerable - web application (OWASP Juice Shop) running locally in a Docker container. The focus is on a minimal architecture, STRIDE threat analysis, and actionable mitigations for the identified risks. - - images: - # - dfd.png: Data Flow Diagram (if exported from the tool) - -technical_overview: - description: > - A user’s web browser connects to the Juice Shop application (Node.js/Express server) either directly on **localhost:3000** (HTTP) or via a **reverse proxy** on ports 80/443 (with HTTPS). The Juice Shop server may issue outbound requests to external services (e.g., a configured **WebHook** for solved challenge notifications). All application data (the SQLite database, file uploads, logs) is stored on the host’s filesystem via a mounted volume. Key trust boundaries include the **Internet** (user & external services) → **Host** (local machine/VM) → **Container Network** (isolated app container). - images: [] - -questions: - Do you expose port 3000 beyond localhost?: "" - Do you use a reverse proxy with TLS and security headers?: "" - Are any outbound integrations (webhooks) configured?: "" - Is any sensitive data stored in logs or files?: "" - -abuse_cases: - Credential Stuffing / Brute Force: > - Attackers attempt repeated login attempts to guess credentials or exhaust system resources. - Stored XSS via Product Reviews: > - Malicious scripts are inserted into product reviews, getting stored and executed in other users’ browsers. - SSRF via Outbound Requests: > - Server-side requests (e.g. profile image URL fetch or WebHook callback) are abused to access internal network resources. - -security_requirements: - TLS in transit: Enforce HTTPS for user traffic via a TLS-terminating reverse proxy with strong ciphers and certificate management. - AuthZ on sensitive routes: Implement strict server-side authorization checks (role/permission) on admin or sensitive functionalities. - Rate limiting & lockouts: Apply rate limiting and account lockout policies to mitigate brute-force and automated attacks on authentication and expensive operations. - Secure headers: Add security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, etc.) at the proxy or app to mitigate client-side attacks. - Secrets management: Protect secret keys and credentials (JWT signing keys, OAuth client secrets) – keep them out of code repos and avoid logging them. - -tags_available: - # Relevant technologies and environment tags - - docker - - nodejs - # Data and asset tags - - pii - - auth - - tokens - - logs - - public - - actor - - user - - optional - - proxy - - app - - storage - - volume - - saas - - webhook - # Communication tags - - primary - - direct - - egress - -# ========================= -# DATA ASSETS -# ========================= -data_assets: - - User Accounts: - id: user-accounts - description: "User profile data, credential hashes, emails." - usage: business - tags: ["pii", "auth"] - origin: user-supplied - owner: Lab Owner - quantity: many - confidentiality: confidential - integrity: critical - availability: important - justification_cia_rating: > - Contains personal identifiers and authentication data. High confidentiality is required to protect user privacy, and integrity is critical to prevent account takeovers. - - Orders: - id: orders - description: "Order history, addresses, and payment metadata (no raw card numbers)." - usage: business - tags: ["pii"] - origin: application - owner: Lab Owner - quantity: many - confidentiality: confidential - integrity: important - availability: important - justification_cia_rating: > - Contains users’ personal data and business transaction records. Integrity and confidentiality are important to prevent fraud or privacy breaches. - - Product Catalog: - id: product-catalog - description: "Product information (names, descriptions, prices) available to all users." - usage: business - tags: ["public"] - origin: application - owner: Lab Owner - quantity: many - confidentiality: public - integrity: important - availability: important - justification_cia_rating: > - Product data is intended to be public, but its integrity is important (to avoid defacement or price manipulation that could mislead users). - - Tokens & Sessions: - id: tokens-sessions - description: "Session identifiers, JWTs for authenticated sessions, CSRF tokens." - usage: business - tags: ["auth", "tokens"] - origin: application - owner: Lab Owner - quantity: many - confidentiality: confidential - integrity: important - availability: important - justification_cia_rating: > - If session tokens are compromised, attackers can hijack user sessions. They must be kept confidential and intact; availability is less critical (tokens can be reissued). - - Logs: - id: logs - description: "Application and access logs (may inadvertently contain PII or secrets)." - usage: devops - tags: ["logs"] - origin: application - owner: Lab Owner - quantity: many - confidentiality: internal - integrity: important - availability: important - justification_cia_rating: > - Logs are for internal use (troubleshooting, monitoring). They should not be exposed publicly, and sensitive data should be sanitized to protect confidentiality. - -# ========================= -# TECHNICAL ASSETS -# ========================= +threagile_api_version: 1.0.0 +project: + title: Juice Shop Baseline + owner: Student + business_criticality: important technical_assets: - - User Browser: - id: user-browser - description: "End-user web browser (client)." + user_browser: + id: user_browser + title: User Browser type: external-entity usage: business - used_as_client_by_human: true - out_of_scope: false - justification_out_of_scope: - size: system - technology: browser - tags: ["actor", "user"] + size: component + technology: web-browser internet: true - machine: virtual - encryption: none - owner: External User - confidentiality: public - integrity: operational - availability: operational - justification_cia_rating: "Client controlled by end user (potentially an attacker)." - multi_tenant: false - redundant: false - custom_developed_parts: false - data_assets_processed: [] - data_assets_stored: [] - data_formats_accepted: - - json - communication_links: - To Reverse Proxy (preferred): - target: reverse-proxy - description: "User browser to reverse proxy (HTTPS on 443)." - protocol: https - authentication: session-id - authorization: enduser-identity-propagation - tags: ["primary"] - vpn: false - ip_filtered: false - readonly: false - usage: business - data_assets_sent: - - tokens-sessions - data_assets_received: - - product-catalog - Direct to App (no proxy): - target: juice-shop - description: "Direct browser access to app (HTTP on 3000)." - protocol: http - authentication: session-id - authorization: enduser-identity-propagation - tags: ["direct"] - vpn: false - ip_filtered: false - readonly: false - usage: business - data_assets_sent: - - tokens-sessions - data_assets_received: - - product-catalog - - Reverse Proxy: - id: reverse-proxy - description: "Optional reverse proxy (e.g., Nginx) for TLS termination and adding security headers." - type: process - usage: business - used_as_client_by_human: false - out_of_scope: false - justification_out_of_scope: - size: application - technology: reverse-proxy - tags: ["optional", "proxy"] - internet: false - machine: virtual - encryption: transparent - owner: Lab Owner confidentiality: internal - integrity: important - availability: important - justification_cia_rating: "Not exposed to internet directly; improves security of inbound traffic." - multi_tenant: false - redundant: false - custom_developed_parts: false - data_assets_processed: - - product-catalog - - tokens-sessions - data_assets_stored: [] - data_formats_accepted: - - json + integrity: mission-critical + availability: mission-critical communication_links: - To App: - target: juice-shop - description: "Proxy forwarding to app (HTTP on 3000 internally)." + direct_to_app: + target: juice_shop + title: Direct to App protocol: http - authentication: none - authorization: none - tags: [] - vpn: false - ip_filtered: false - readonly: false - usage: business - data_assets_sent: - - tokens-sessions - data_assets_received: - - product-catalog - - Juice Shop Application: - id: juice-shop - description: "OWASP Juice Shop server (Node.js/Express, v19.0.0)." + juice_shop: + id: juice_shop + title: Juice Shop App type: process usage: business - used_as_client_by_human: false - out_of_scope: false - justification_out_of_scope: - size: application + size: component technology: web-server - tags: ["app", "nodejs"] - internet: false - machine: container - encryption: none - owner: Lab Owner + internet: true confidentiality: internal - integrity: important - availability: important - justification_cia_rating: "In-scope web application (contains all business logic and vulnerabilities by design)." - multi_tenant: false - redundant: false - custom_developed_parts: true - data_assets_processed: - - user-accounts - - orders - - product-catalog - - tokens-sessions - data_assets_stored: - - logs - data_formats_accepted: - - json - communication_links: - To Challenge WebHook: - target: webhook-endpoint - description: "Optional outbound callback (HTTP POST) to external WebHook when a challenge is solved." - protocol: https - authentication: none - authorization: none - tags: ["egress"] - vpn: false - ip_filtered: false - readonly: false - usage: business - data_assets_sent: - - orders - - Persistent Storage: - id: persistent-storage - description: "Host-mounted volume for database, file uploads, and logs." - type: datastore - usage: devops - used_as_client_by_human: false - out_of_scope: false - justification_out_of_scope: + integrity: mission-critical + availability: mission-critical + data_assets_processed: [user_data] + persistent_storage: + id: persistent_storage + title: Persistent Storage + type: process + usage: business size: component - technology: file-server - tags: ["storage", "volume"] - internet: false - machine: virtual - encryption: none - owner: Lab Owner + technology: database confidentiality: internal - integrity: important - availability: important - justification_cia_rating: "Local disk storage for the container – not directly exposed, but if compromised it contains sensitive data (database and logs)." - multi_tenant: false - redundant: false - custom_developed_parts: false - data_assets_processed: [] - data_assets_stored: - - logs - - user-accounts - - orders - - product-catalog - data_formats_accepted: - - file - communication_links: {} - - Webhook Endpoint: - id: webhook-endpoint - description: "External WebHook service (3rd-party, if configured for integrations)." - type: external-entity - usage: business - used_as_client_by_human: false - out_of_scope: true - justification_out_of_scope: "Third-party service to receive notifications (not under our control)." - size: system - technology: web-service-rest - tags: ["saas", "webhook"] - internet: true - machine: virtual + integrity: mission-critical + availability: mission-critical encryption: none - owner: Third-Party - confidentiality: internal - integrity: operational - availability: operational - justification_cia_rating: "External service that receives data (like order or challenge info). Treated as a trusted integration point but could be abused if misconfigured." - multi_tenant: true - redundant: true - custom_developed_parts: false - data_assets_processed: - - orders - data_assets_stored: [] - data_formats_accepted: - - json - communication_links: {} - -# ========================= -# TRUST BOUNDARIES -# ========================= -trust_boundaries: - - Internet: - id: internet - description: "Untrusted public network (Internet)." - type: network-dedicated-hoster - tags: [] - technical_assets_inside: - - user-browser - - webhook-endpoint - trust_boundaries_nested: - - host - - Host: - id: host - description: "Local host machine / VM running the Docker environment." - type: network-dedicated-hoster - tags: [] - technical_assets_inside: - - reverse-proxy - - persistent-storage - trust_boundaries_nested: - - container-network - - Container Network: - id: container-network - description: "Docker container network (isolated internal network for containers)." - type: network-dedicated-hoster - tags: [] - technical_assets_inside: - - juice-shop - trust_boundaries_nested: [] - -# ========================= -# SHARED RUNTIMES -# ========================= -shared_runtimes: - - Docker Host: - id: docker-host - description: "Docker Engine and default bridge network on the host." - tags: ["docker"] - technical_assets_running: - - juice-shop - # If the reverse proxy is containerized, include it: - # - reverse-proxy - -# ========================= -# INDIVIDUAL RISK CATEGORIES (optional) -# ========================= -individual_risk_categories: {} - -# ========================= -# RISK TRACKING (optional) -# ========================= -risk_tracking: {} - -# (Optional diagram layout tweaks can be added here) -#diagram_tweak_edge_layout: spline -#diagram_tweak_layout_left_to_right: true + data_assets_stored: [user_data] +data_assets: + user_data: + id: user_data + title: User Data + confidentiality: confidential + integrity: critical + availability: high \ No newline at end of file diff --git a/labs/submission2.md b/labs/submission2.md new file mode 100644 index 00000000..a4586cf6 --- /dev/null +++ b/labs/submission2.md @@ -0,0 +1,30 @@ +# Lab 2 Submission - Threat Modeling with Threagile + +## Task 1: Baseline Analysis + +I have modeled the OWASP Juice Shop deployment using Threagile. The baseline analysis revealed several critical security risks related to unencrypted communication and storage. + + +### Risk Analysis +Based on the generated `report.pdf`, the following risks were identified as most critical: +1. **Cleartext Transmission**: Sensitive user data is transmitted over unencrypted HTTP. +2. **Missing Encryption**: Database storage lacks transparent encryption. +3. **Inherent Risk**: Risks associated with the technology stack (Web Server/Database). + +--- + +## Task 2: Secure Variant Analysis + +In this task, I implemented the following security controls in `threagile-model.secure.yaml`: +- Changed `protocol` from `http` to `https` for all communication links. +- Set `encryption` to `transparent` for the `persistent_storage` asset. + +### Risk Comparison Table +| Category | Baseline | Secure | Delta | +|---|---:|---:|---:| +| Cleartext Transmission | 1 | 0 | -1 | +| Inherent Risk | 0 | 1 | 1 | +| Missing Encryption | 1 | 0 | -1 | + +### Security Findings +By implementing TLS (HTTPS) and storage encryption, we successfully mitigated the "Cleartext Transmission" and "Missing Encryption" risk categories. This demonstrates how architectural changes as code can be automatically verified for security improvements. \ No newline at end of file