You are conducting threat modeling and developing misuse cases. Which of the following is least likely to be treated as a misuse case?
A. A hacker types in SQL expressions in the login form.
B. A user uses relative paths to navigate between resources.
C. A developer creates a buggy API for system monitoring purposes.
D. A customer goes to a specific page of the product list by typing in the URL.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. A developer creates a buggy API for system monitoring purposes.
A use case describes one or more scenarios that denote how an actor (user, agent, system, or entity) interacts with the system. A use case is best suited to communicating functional requirements from the user's perspective. Use cases can be expressed as structured text or diagrams. The title of a use case can be written in the pattern of Subject + Verb, e.g., a customer places orders.
By contrast, misuse cases document threats to functions, typically from the malicious or inadvertent user's perspective. A developer builds functions, while a user uses them. A use or misuse case typically won't document a developer's building process or work.
To err is human. It's not uncommon for a developer to build an API with bugs. That a developer creates a buggy API for system monitoring purposes is a risk, but not a misuse case, which describes the actor's steps in interacting with the system (events and responses).
It’s a typical misuse case that a hacker types in SQL expressions in the login form.
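The following is an added example, not part of the original post: the login query built by string concatenation (the defect behind this misuse case) beside its parameterized form, using Python's standard `sqlite3` module with a constructed in-memory user table. The user names and password hashes are made up for the demonstration.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory user table; no real credentials involved."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    # A legitimate name containing an apostrophe ('' is SQL's escaped quote).
    conn.execute("INSERT INTO users VALUES ('O''Brien', 'hash-of-obrien-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # Input is concatenated into the SQL text, so any quote, comment marker
    # or operator the user types is parsed as SQL rather than as data.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone()[0] == 1


def login_parameterized(conn, username, password_hash):
    # Placeholders fix the query structure; values are bound separately as data.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] == 1


def probe(conn, username, password_hash):
    """Run both variants; report each outcome as 'allowed', 'denied' or 'sql-error'."""
    results = {}
    for name, fn in (("vulnerable", login_vulnerable),
                     ("parameterized", login_parameterized)):
        try:
            results[name] = "allowed" if fn(conn, username, password_hash) else "denied"
        except sqlite3.Error:
            results[name] = "sql-error"
    return results


if __name__ == "__main__":
    db = build_demo_db()
    print(probe(db, "alice", "hash-of-alice-pw"))
    print(probe(db, "O'Brien", "hash-of-obrien-pw"))
```

A single apostrophe in an ordinary user name is enough to break the concatenated query with a SQL syntax error, which is the same mechanism the misuse case exploits; the parameterized query treats the same input as plain data and matches the stored row.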
Path/Directory Traversal as an attack relies heavily on relative paths. A user using relative paths to navigate between resources is therefore a vulnerability indicator that leads to a misuse case.
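As an added example (not from the original post), the check a file-serving endpoint can apply to a user-supplied relative path, plus the same check run over a few constructed access-log lines to flag traversal attempts. The document root `/srv/app/public`, the `/files?name=` endpoint and the log format are assumptions made for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical document root; any path a request resolves to must stay below it.
BASE_DIR = "/srv/app/public"


def resolve_under_base(requested, base_dir=BASE_DIR):
    """Return the absolute path for `requested` if it stays inside base_dir, else None."""
    base_dir = os.path.abspath(base_dir)
    decoded = unquote(requested)            # %2e%2e%2f is ../ once decoded
    if "\x00" in decoded or os.path.isabs(decoded):
        return None
    candidate = os.path.normpath(os.path.join(base_dir, decoded))
    # normpath has collapsed every '..'; if the result escaped the root,
    # its common prefix with base_dir is shorter than base_dir itself.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


# Constructed access-log lines (not real traffic) in a simplified format.
SAMPLE_LOG = [
    '10.0.0.5 "GET /files?name=docs/readme.txt HTTP/1.1" 200',
    '10.0.0.5 "GET /files?name=docs/../images/logo.png HTTP/1.1" 200',
    '10.0.0.9 "GET /files?name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200',
    '10.0.0.9 "GET /files?name=/etc/hostname HTTP/1.1" 404',
]

NAME_PARAM = re.compile(r"GET /files\?name=([^ ]+) HTTP")


def traversal_attempts(log_lines):
    """Return (client, raw name) for each request whose path would leave BASE_DIR."""
    hits = []
    for line in log_lines:
        match = NAME_PARAM.search(line)
        if not match:
            continue
        raw = match.group(1)
        if resolve_under_base(raw) is None:
            hits.append((line.split()[0], raw))
    return hits


if __name__ == "__main__":
    for client, raw in traversal_attempts(SAMPLE_LOG):
        print(f"{client} requested a path outside the root: {raw}")
```

Note that the second line, `docs/../images/logo.png`, uses `..` yet is legitimate: it normalizes to a path still under the root. Deciding on the resolved path rather than on the presence of `..` avoids both that false positive and the false negative of percent-encoded traversal.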
Web Parameter Tampering/Manipulation
It’s a terrible design to allow a customer to go to a specific page of the product list by typing in the URL. What if the user types in an invalid page number? Say -1 or 65535.
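An added example, not part of the original post, of the validation that turns the page number into a safe query window and rejects the values mentioned above (-1, 65535, and non-numeric input). The page size of 20 products and the offset/limit scheme are assumptions for the demonstration.

```python
import re

PAGE_SIZE = 20                             # hypothetical products per page
DIGITS_ONLY = re.compile(r"[0-9]{1,6}")    # bounded length keeps int() cheap


def parse_page(raw, total_pages):
    """Validate a page number taken from the URL; return the int or None when rejected."""
    if raw is None or not DIGITS_ONLY.fullmatch(raw):
        return None        # '-1', 'abc', '1e3', ' 2' and '' are all rejected here
    page = int(raw)
    if page < 1 or page > total_pages:
        return None        # '0' and out-of-range values such as 65535
    return page


def page_window(raw, total_items, page_size=PAGE_SIZE):
    """Return (page, offset, limit) for the product query, or None if the input is rejected.

    Falling back to page 1 on a bad value is a valid alternative; rejecting it
    keeps tampering attempts visible as errors in the server logs.
    """
    total_pages = max(1, -(-total_items // page_size))   # ceiling division
    page = parse_page(raw, total_pages)
    if page is None:
        return None
    return (page, (page - 1) * page_size, page_size)


if __name__ == "__main__":
    for value in ("3", "-1", "65535", "abc"):
        print(value, "->", page_window(value, 195))
```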
- Directory Traversal
- Remote file path traversal attacks for fun and profit
- TRC Tech Talk: Directory Traversal Attack & Defense – Part 1
- The Unix File Structure
- What is a URL?
- Web Parameter Tampering