The application consists of multiple assets that could potentially be vulnerable:
- API/server (Go application)
- Web client (React.js application, served with nginx)
- Grafana
- Prometheus
- cAdvisor
- Elasticsearch
- Kibana
- Filebeat
- MySQL database
Threat sources:
- SQL injection via the web client
- XSS via the web client
- An attacker getting hold of some of our secrets
- DDoS on the VPS
- Guessing users' passwords
Construct risk scenarios (e.g. an attacker performs SQL injection on the web application to download sensitive user data)
- Attacker performs SQL injection to download or destroy data in the database.
- Attacker inputs JavaScript into an input field (XSS) and accesses another user's data.
- Attacker socially engineers a group member into exposing a secret.
- Attacker uses DDoS to crash or halt our server or database.
- Since we have no password requirements, users can create single-letter or single-digit passwords, which would be very easy for an attacker to guess.
Likelihoods: Certain, Likely, Possible, Unlikely, Rare
Severities: Insignificant, Negligible, Marginal, Critical, Catastrophic
- SQL injection: Catastrophic, Unlikely
- XSS: Critical, Possible
- Social engineering of a group member: Critical, Rare
- DDoS: Marginal, Possible
- Weak user passwords: Critical, Certain
- SQL injection: Fix the injections and restore from backups.
- XSS: Apologize to the affected user and fix the injection.
- Social engineering: Give the exposed group member a security course and change all secrets.
- DDoS: Restart the server. Put some DDoS protection in front of it, such as a firewall or Cloudflare.
- Weak user passwords: Reset the user's password. To mitigate, implement minimum requirements for passwords at user creation.
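What "fix the injections" means for the Go API in front of the MySQL database (the SQL injection scenario and its mitigation above), as an added example that is not the project's own code: the vulnerable pattern splices user input into the SQL text, while the fixed version keeps the SQL text constant and passes the input as a bound `?` parameter. The table and column names, the `FindUser` function and the username allow-list are assumptions for this example.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"regexp"
)

// usernamePattern is an assumed allow-list for usernames. It is defence in depth
// on top of parameterised queries, never a replacement for them.
var usernamePattern = regexp.MustCompile(`^[A-Za-z0-9_]{3,32}$`)

// VulnerableUserQuery is the "before" pattern the mitigation removes: the input is
// formatted straight into the SQL text, so a quote in the input changes the query.
func VulnerableUserQuery(username string) string {
	return fmt.Sprintf("SELECT id, email FROM users WHERE username = '%s'", username)
}

// SafeUserQuery keeps the SQL text fixed and returns the input as a separate
// argument; the MySQL driver binds it to the ? placeholder as data, not SQL.
func SafeUserQuery(username string) (string, []interface{}) {
	const q = "SELECT id, email FROM users WHERE username = ?"
	return q, []interface{}{username}
}

// ValidUsername reports whether the name matches the allow-list.
func ValidUsername(username string) bool {
	return usernamePattern.MatchString(username)
}

// FindUser runs the parameterised lookup against an already opened *sql.DB.
// Driver registration and the connection string are the application's own
// concern and are omitted here (assumption).
func FindUser(ctx context.Context, db *sql.DB, username string) (int64, string, error) {
	if !ValidUsername(username) {
		return 0, "", fmt.Errorf("invalid username")
	}
	q, args := SafeUserQuery(username)
	var id int64
	var email string
	err := db.QueryRowContext(ctx, q, args...).Scan(&id, &email)
	return id, email, err
}

func main() {
	// Constructed input: a legitimate name containing a quote is enough to
	// break the vulnerable query, while the safe query text never changes.
	name := "o'brien"
	fmt.Println("vulnerable:", VulnerableUserQuery(name))
	q, args := SafeUserQuery(name)
	fmt.Println("safe:      ", q, args)
}
```

The same rule applies to every query the API builds from request data (`INSERT`, `UPDATE`, `DELETE`): the SQL text is a constant and all values travel through the argument list.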
Try to test for vulnerabilities in your project by using wmap, zaproxy, or any of the tools in the OWASP list of vulnerability scanning tools.
We couldn't find any with wmap
Fix at least one vulnerability that you find; ideally one that is high in your prioritization according to your risk analysis.
We are going to implement minimum password requirements for users.
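The chosen fix, minimum password requirements enforced at user creation (the weak-password scenario rated Critical/Certain above), as an added example in Go for the API server; this is not the project's own code. The concrete thresholds (12 to 128 characters, at least one letter and one digit, a small constructed blocklist, password must not equal the username), the `PasswordPolicy` type, the JSON field names and the `RegisterHandler` endpoint are all assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"unicode"
	"unicode/utf8"
)

// PasswordPolicy holds the minimum requirements checked before a user is created.
// The numbers and the blocklist are assumptions for this example.
type PasswordPolicy struct {
	MinLength int
	MaxLength int
	Blocklist map[string]struct{} // constructed list of trivially guessable passwords
}

var DefaultPolicy = PasswordPolicy{
	MinLength: 12,
	MaxLength: 128, // upper bound so hashing cost stays predictable
	Blocklist: map[string]struct{}{
		"password": {}, "123456": {}, "qwerty": {}, "letmein": {},
	},
}

var (
	ErrBlocklisted = errors.New("password is too common")
	ErrEqualsUser  = errors.New("password must not be the username")
	ErrTooShort    = errors.New("password is too short")
	ErrTooLong     = errors.New("password is too long")
	ErrNoLetter    = errors.New("password must contain at least one letter")
	ErrNoDigit     = errors.New("password must contain at least one digit")
)

// Validate returns nil when the password satisfies the policy, otherwise the
// first rule it fails. Length is counted in runes, not bytes.
func (p PasswordPolicy) Validate(username, password string) error {
	lower := strings.ToLower(password)
	if _, bad := p.Blocklist[lower]; bad {
		return ErrBlocklisted
	}
	if lower == strings.ToLower(username) {
		return ErrEqualsUser
	}
	n := utf8.RuneCountInString(password)
	if n < p.MinLength {
		return ErrTooShort
	}
	if n > p.MaxLength {
		return ErrTooLong
	}
	hasLetter, hasDigit := false, false
	for _, r := range password {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		}
	}
	if !hasLetter {
		return ErrNoLetter
	}
	if !hasDigit {
		return ErrNoDigit
	}
	return nil
}

// registerRequest is the assumed JSON body of the user-creation endpoint.
type registerRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// RegisterHandler rejects the request with 400 before any user record is written.
func RegisterHandler(w http.ResponseWriter, r *http.Request) {
	var req registerRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "invalid JSON body", http.StatusBadRequest)
		return
	}
	if err := DefaultPolicy.Validate(req.Username, req.Password); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Hypothetical: hash the password (e.g. bcrypt) and store the user here.
	w.WriteHeader(http.StatusCreated)
}

func main() {
	// Constructed samples showing which inputs the policy accepts.
	for _, pw := range []string{"a", "123456", "correct horse 42 battery"} {
		fmt.Printf("%q -> %v\n", pw, DefaultPolicy.Validate("bob", pw))
	}
}
```

The handler runs the check on the server, so the React client's own form validation can be bypassed without weakening the policy; the client check only improves the user experience.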