This project is read-only.

Threats and Attacks

Category Threats/Attacks
Auditing and Logging * Repudiation
* Denial of Service (DoS)
* Disclosure of confidential information
Authentication * Dictionary Attacks
* Replay Attacks
* Credential Theft
* Network Eavesdropping
* Brute Force Attacks
* Azure Storage - Eavesdropping: Access to storage account endpoints (blob, table, and queue) over insecure communication channel (HTTP)
* Azure Blobs - Anonymous(public) access to Container/Blob
* Azure Blobs - Replay attack: shared access signature (SAS)
* SQL Azure - Unauthorized access to SQL login credentials
* SQL Azure - Brute forcing login credentials
* SQL Azure - Connection re-authentication is not immediate if login password is reset
Authorization * Elevation of privilege
* Disclosure of confidential data
* Data tampering
* Luring attacks
* Token stealing
* SQL Azure - Using over privileged account (Admin account similar to SA) to connect to SQL Azure
Configuration Management * Unauthorized access to configuration stores
* Retrieval of clear text configuration secrets
* Unauthorized access to storage account key
Cryptography * Encryption cracking
* Loss of decryption keys
Exception Management * Revealing sensitive system or application details
* Denial of Service attacks
Input and Data Validation * HTTP Forgery (CSRF)
* Cookie manipulation
* Query string manipulation
* HTTP header manipulation
* Cross-site Scripting (XSS)
* Buffer overflows
* SQL Injection
* Form field manipulation
* SQL Azure - Man-in-the-middle attack lack of SQL Azure certificate validation)
Sensitive Data * Accessing sensitive data in storage
* Network eavesdropping
* Information disclosure
Session Management * Session hijacking
* Session replay
* Man-in-the-middle attacks

Last edited May 25, 2010 at 7:38 PM by paulenfield, version 3


No comments yet.