EoP Threat Suits - E (Elevation of Privilege)
Elevation of Privilege (E) is the sixth suit of threats in the STRIDE threat enumeration.
Elevation of Privilege describes any threat that allows an attacker (or accidentally causes a user) to gain access to data or functionality which the application should not allow them. Accordingly, the characters on the cards are ponies, hearts and crowns, all ways by which you can persuade someone that you're more important than they should really think you are.
Elevation of Privilege threats are generally countered through quality implementations of Authentication and Authorisation.
Another successful way to mitigate Elevation of Privilege is to not care about access control - this only works if you are able to allow attackers to entirely control your application (some Wikis – but not this Wiki – are an example of what happens in this model!). Ignoring access control and hoping that attackers will not use greater rights than they deserve is not a valid mitigation strategy.
The cards in the Elevation of Privilege suit are as follows (NOTE: the cards in this suit have already elevated their privilege such that the lowest privilege card is a 5, not a 2).
Elevation of Privilege Suit

| Value | Threat | Example / Mitigation |
|---|---|---|
| 5 | An attacker can force data through different validation paths which give different results | Example: / Mitigation: |
| 6 | An attacker could take advantage of .NET permissions you ask for, but don't use | Example: / Mitigation: |
| 7 | An attacker can provide a pointer across a trust boundary, rather than data which can be validated | Example: / Mitigation: |
| 8 | An attacker can enter data that is checked while still under their control and used later on the other side of a trust boundary | Example: / Mitigation: |
| 9 | There's no reasonable way for a caller to figure out what validation of tainted data you perform before passing it to them | Example: / Mitigation: |
| 10 | There's no reasonable way for a caller to figure out what security assumptions you make | Example: / Mitigation: |
| J | An attacker can reflect input back to a user, like cross site scripting | Example: / Mitigation: |
| Q | You include user-generated content within your page, possibly including the content of random URLs | Example: / Mitigation: |
| K | An attacker can inject a command that the system will run at a higher privilege level | Example: / Mitigation: |
| A | You've invented a new Elevation of Privilege attack | Example: / Mitigation: |
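The 8 card (data checked while still under the caller's control, then used on the trusted side of the boundary) is easiest to see in code. The following is an added illustration, not part of the original page or the card deck: a request object whose `path` attribute is constructed to change between reads, a handler that re-reads it after validating it, and the usual mitigation of copying the value into trusted storage once before checking and using it. All names (`Request`, `FlickeringRequest`, `serve_unsafe`, `serve_safe`, `ALLOWED_ROOT`) are assumptions made for this example.

```python
# Added example for the "checked while under their control, used later" card.
# The trusted side is a file-serving routine; the untrusted side supplies the
# request object. Everything here is constructed for illustration.

ALLOWED_ROOT = "/srv/public/"


class Request:
    """Well-behaved request whose path is a fixed string."""
    def __init__(self, path):
        self.path = path


class FlickeringRequest:
    """Constructed untrusted request whose 'path' attribute returns one value
    on the first read and a different value afterwards. It models data that
    stays under the caller's control after the trusted side has checked it."""
    def __init__(self, first, later):
        self._values = iter([first, later])
        self._last = later

    @property
    def path(self):
        return next(self._values, self._last)


def serve_unsafe(request):
    """Vulnerable pattern: the path is read once for the check and read again
    for the use, so the value that was validated need not be the value used."""
    if not request.path.startswith(ALLOWED_ROOT):   # check: read 1
        return None
    return "served:" + request.path                 # use:   read 2


def serve_safe(request):
    """Mitigation: read the untrusted value exactly once into trusted storage
    (str() also guards against a non-string object), then validate and use
    that single copy. The caller can no longer change what was checked."""
    path = str(request.path)                        # single read, owned copy
    if not path.startswith(ALLOWED_ROOT):
        return None
    return "served:" + path
```

The prefix check itself is deliberately minimal (it does not, for instance, normalise `..` segments); the point of the example is the single-read discipline, not the completeness of the path validation.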
[When completed, each card description above will link to a copy of the card, along with examples of the threat and some specific mitigation steps. Point to Patterns & Practices documents, excerpts from Writing Secure Code, etc., where possible. Emphasise that the information is already out there, so that dev teams widen their horizons.]