Difference between revisions of "Attack template"

From OWASP
(New page: ==Description== ==Examples == ===Example 1=== ===Example n=== == Likelihood of exploitation == ==Related Attacks== ==References== ==Related Threats Agents== ==Related Vulnera...)
 
(References)
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
Every '''[[Attack]]''' should follow this template.
 +
 +
{{Template:Attack}}
 +
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 
==Description==
 
==Description==
  
==Examples ==
+
An attack is an action taken by a threat agent to exploit a vulnerability. Be sure you don't put [threat agents] or [vulnerabilities] in this category.
  
===Example 1===
+
# Start with a one-sentence description of the attack
 +
# How is the attack is launched?
 +
# Who are the likely threat agents?
 +
# What vulnerability does this attack target?
  
  
===Example n===
+
==Risk Factors==
  
 +
* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this attack likely or unlikely to actually happen
 +
* You can mention the likely technical impact of an attack
 +
* The [business impact] of an attack is probably conjecture, leave it out unless you're sure
  
== Likelihood of exploitation ==
 
  
 +
==Examples==
  
==Related Attacks==
+
===Short example name===
 +
: A short example description, small picture, or sample code with [http://www.site.com links]
 +
 
 +
===Short example name===
 +
: A short example description, small picture, or sample code with [http://www.site.com links]
 +
 
 +
 
 +
==Related [[Threat Agents]]==
 +
 
 +
* [[Threat Agent 1]]
 +
* [[Threat Agent 2]]
 +
 
 +
 
 +
==Related [[Attacks]]==
 +
 
 +
* [[Attack 1]]
 +
* [[Attack 2]]
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
 +
 
 +
Note: the contents of "Related Problems" sections should be placed here
 +
 
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* [[Control 1]]
 +
* [[Control 2]]
 +
 
 +
Note: contents of "Avoidance and Mitigation" and "Countermeasure" Sections should be placed here
  
  
 
==References==
 
==References==
  
 +
'''Note1:''' A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:
 +
 +
* [http://cwe.mitre.org/data/definitions/79.html CWE 79].
 +
* http://www.link1.com
 +
* [http://www.link2.com Title for the link2]
 +
 +
'''Note2:'''One should classify Attacks subcategories by adding eg. <nowiki>[Category:Data Structure Attacks]]</nowiki> based on the following:
 +
 +
Abuse of Functionality
 +
 +
Data Structure Attacks
 +
 +
Embedded Malicious Code
 +
 +
Exploitation of Authentication
 +
 +
Injection
  
==Related Threats Agents==
+
Path Traversal Attack
  
 +
Probabilistic Techniques
  
==Related Vulnerabilities==
+
Protocol Manipulation
  
 +
Resource Depletion
  
==Related Countermeasures==
+
Resource Manipulation
  
 +
Sniffing Attacks
  
<nowiki>[[Category:XYZ]]</nowiki>
+
Spoofing
<nowiki>[[Category:XPTO]]</nowiki>
+
__NOTOC__
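Review bot: three typos in the added template text will be copied into every attack page built from it and should be fixed in the source before this revision is used: "How is the attack is launched?" under Example 1 has a doubled "is" and should read "How is the attack launched?"; the "Related Vulnerabilities" list contains "[[Vulnerabiltiy 2]]" (misspelled, so the placeholder link will not match the intended page name); and Note2 shows the category example as "<nowiki>[Category:Data Structure Attacks]]</nowiki>", which is missing its opening bracket, so editors copying it will produce a broken category tag; it should be "[[Category:Data Structure Attacks]]" and "Note2:One" needs a space after the colon.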

Latest revision as of 15:26, 6 May 2008

Every Attack should follow this template.

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision (mm/dd/yy): 05/6/2008

Description

An attack is an action taken by a threat agent to exploit a vulnerability. Be sure you don't put [threat agents] or [vulnerabilities] in this category.

  1. Start with a one-sentence description of the attack
  2. How is the attack launched?
  3. Who are the likely threat agents?
  4. What vulnerability does this attack target?


Risk Factors

  • Talk about the factors that make this attack likely or unlikely to actually happen
  • You can mention the likely technical impact of an attack
  • The [business impact] of an attack is probably conjecture, leave it out unless you're sure


Examples

Short example name

A short example description, small picture, or sample code with links

Short example name

A short example description, small picture, or sample code with links


Related Threat Agents


Related Attacks


Related Vulnerabilities

Note: the contents of "Related Problems" sections should be placed here


Related Controls

Note: the contents of the "Avoidance and Mitigation" and "Countermeasure" sections should be placed here


References

Note 1: A reference to the related CWE or CAPEC article should be added when one exists, e.g.:

Note 2: One should classify attack subcategories by adding e.g. [[Category:Data Structure Attacks]], based on the following list:

  • Abuse of Functionality
  • Data Structure Attacks
  • Embedded Malicious Code
  • Exploitation of Authentication
  • Injection
  • Path Traversal Attack
  • Probabilistic Techniques
  • Protocol Manipulation
  • Resource Depletion
  • Resource Manipulation
  • Sniffing Attacks
  • Spoofing