ShopFast β€” Online Retail Platform

Generated: 2026-07-04 15:10 UTC Methodologies: STRIDE, OWASP, LINDDUN LLM-enhanced: No

System Description

Customer-facing e-commerce platform: browser and mobile clients talk to an API gateway, which fans out to an auth service, an orders service backed by PostgreSQL, and an external payment provider. An internal admin portal manages catalog and refunds.

Severity Overview

39
Critical
115
High
34
Medium
3
Low
0
Info
191 total threats β€” 191 rule-based, 0 LLM-enhanced, 25 cross-boundary.

Data Flow Diagram

πŸ›‘ InternetπŸ›‘ DMZ (public-facing)πŸ›‘ Application tierπŸ›‘ Data tier [HTTPS]πŸ”’ [HTTPS]πŸ”’ [HTTPS]πŸ”’ [HTTPS]πŸ”’ [HTTP]⚠ [TCP]⚠ [HTTPS]πŸ”’ [HTTPS]πŸ”’Customer BrowseruserMobile AppuserWeb FrontendwebappAPI GatewayapiAuth ServiceserviceOrders ServiceserviceOrders DB (Postgres)databasePayment ProviderexternalAdmin Portalwebapp
Solid lines = encrypted flows Β· Dashed red lines = unencrypted or boundary-crossing Β· πŸ”’ / ⚠ indicate encryption status. Dashes drift to indicate active flows.

🚧 Untrusted-Input Boundary Crossings

Flows where untrusted (or less-trusted) input crosses into an internal trust zone. These are the highest-priority validation points in the system β€” every byte that enters here must be treated as hostile until proven otherwise.

No untrusted-input boundary crossings detected. Either there are no internal zones defined, or no flows enter them from less-trusted zones.

Trust Boundary Analysis

πŸ›‘ Internet

2 components 0 ingress flows 2 egress flows 0 cross-boundary threats
Contains: Customer Browser (user), Mobile App (user)
⬆ Egress (data leaving this zone):
  • Customer Browser β†’ Web Frontend (β€”) β€” HTTPS, auth: none, encrypted
  • Mobile App β†’ API Gateway (β€”) β€” HTTPS, auth: none, encrypted

πŸ›‘ DMZ (public-facing)

3 components 2 ingress flows 2 egress flows 10 cross-boundary threats
Contains: Web Frontend (webapp), API Gateway (api), Admin Portal (webapp)
⬇ Ingress (data entering this zone):
  • Customer Browser β†’ Web Frontend (β€”) β€” HTTPS, auth: none, encrypted
  • Mobile App β†’ API Gateway (β€”) β€” HTTPS, auth: none, encrypted
⬆ Egress (data leaving this zone):
  • API Gateway β†’ Auth Service (β€”) β€” HTTPS, auth: none, encrypted
  • API Gateway β†’ Orders Service (β€”) β€” HTTP, auth: none, UNENCRYPTED

πŸ›‘ Application tier

3 components 2 ingress flows 1 egress flow 10 cross-boundary threats
Contains: Auth Service (service), Orders Service (service), Payment Provider (external)
⬇ Ingress (data entering this zone):
  • API Gateway β†’ Auth Service (β€”) β€” HTTPS, auth: none, encrypted
  • API Gateway β†’ Orders Service (β€”) β€” HTTP, auth: none, UNENCRYPTED
⬆ Egress (data leaving this zone):
  • Orders Service β†’ Orders DB (Postgres) (β€”) β€” TCP, auth: none, UNENCRYPTED

πŸ›‘ Data tier

1 component 1 ingress flow 0 egress flows 5 cross-boundary threats
Contains: Orders DB (Postgres) (database)
⬇ Ingress (data entering this zone):
  • Orders Service β†’ Orders DB (Postgres) (β€”) β€” TCP, auth: none, UNENCRYPTED

Threats (191)

All STRIDEOWASPLINDDUN Off
Broken access control / missing authz check
Critical STRIDE Β· Elevation of Privilege Β· API Gateway (api) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Endpoints fail to verify the caller has permission for the action.

βš”οΈAttack scenario

  1. Attacker authenticates to API Gateway as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to API Gateway should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Container / process escape
Critical STRIDE Β· Elevation of Privilege Β· API Gateway (api) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Attacker breaks out of a sandbox to gain host privileges.

βš”οΈAttack scenario

  1. Attacker authenticates to API Gateway as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to API Gateway should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Privilege transit across boundary: Mobile App β†’ API Gateway
Critical STRIDE · Elevation of Privilege · API Gateway (api) CWE-441 ⚑ cross-zone
β–Ό
CVSS 3.1 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS 4.0 7.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
DREAD: D=9, R=8, E=9, A=10, D=10 Β· 46/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).

πŸ“Description

If the receiver in 'DMZ (public-facing)' acts on behalf of the caller, attackers compromising 'Internet' may inherit the receiver's privileges (confused-deputy).

βš”οΈAttack scenario

  1. Attacker compromises a low-privilege component in zone `Internet`.
  2. Issues requests to API Gateway that get re-executed with the receiver's higher privileges (classic confused-deputy).
  3. Because authorization is checked once at request entry but not per-action against the originating caller, the attacker effectively becomes a privileged actor in `DMZ (public-facing)`.
  4. Attacker performs actions far beyond the original principal's permissions.

πŸ›‘How to mitigate

preventive
Use scoped, short-lived delegation tokens
When API Gateway acts on behalf of a caller, attach a delegation token with the caller's identity, scope (action allow-list), and ≀ 5-min TTL.
preventive
Authorize per-action against the originating caller
Don't rely on ambient authority of the receiver. Each action checks: (a) the delegation token is valid, (b) the original caller has permission for this specific action, (c) the action is within scope.
detective
Audit each privilege transit
Log: original caller β†’ delegating component β†’ action performed. Make this queryable for incident response.
Broken access control / missing authz check
Critical STRIDE Β· Elevation of Privilege Β· Admin Portal (webapp) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Endpoints fail to verify the caller has permission for the action.

βš”οΈAttack scenario

  1. Attacker authenticates to Admin Portal as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Admin Portal should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Container / process escape
Critical STRIDE Β· Elevation of Privilege Β· Admin Portal (webapp) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Attacker breaks out of a sandbox to gain host privileges.

βš”οΈAttack scenario

  1. Attacker authenticates to Admin Portal as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Admin Portal should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Privilege transit across boundary: API Gateway β†’ Auth Service
Critical STRIDE · Elevation of Privilege · Auth Service (service) CWE-441 ⚑ cross-zone
β–Ό
CVSS 3.1 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS 4.0 7.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
DREAD: D=9, R=8, E=9, A=9, D=10 Β· 45/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).

πŸ“Description

If the receiver in 'Application tier' acts on behalf of the caller, attackers compromising 'DMZ (public-facing)' may inherit the receiver's privileges (confused-deputy).

βš”οΈAttack scenario

  1. Attacker compromises a low-privilege component in zone `DMZ (public-facing)`.
  2. Issues requests to Auth Service that get re-executed with the receiver's higher privileges (classic confused-deputy).
  3. Because authorization is checked once at request entry but not per-action against the originating caller, the attacker effectively becomes a privileged actor in `Application tier`.
  4. Attacker performs actions far beyond the original principal's permissions.

πŸ›‘How to mitigate

preventive
Use scoped, short-lived delegation tokens
When Auth Service acts on behalf of a caller, attach a delegation token with the caller's identity, scope (action allow-list), and ≀ 5-min TTL.
preventive
Authorize per-action against the originating caller
Don't rely on ambient authority of the receiver. Each action checks: (a) the delegation token is valid, (b) the original caller has permission for this specific action, (c) the action is within scope.
detective
Audit each privilege transit
Log: original caller β†’ delegating component β†’ action performed. Make this queryable for incident response.
Stored data tampering via injection
Critical STRIDE Β· Tampering Β· Orders DB (Postgres) (database) CWE-345
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

SQL/NoSQL/command injection alters records or schema.

βš”οΈAttack scenario

  1. Attacker reaches an input vector exposed by Orders DB (Postgres) (request body, query string, message queue payload, persisted state).
  2. Submits malformed input designed to alter the program's logic or stored data (injection, parameter tampering, deserialization gadgets).
  3. Orders DB (Postgres) processes the input without strict validation, and the malicious change takes effect.
  4. Tampered data is persisted, executed, or relayed downstream β€” corrupting integrity beyond the original entry point.

πŸ›‘How to mitigate

preventive
Schema-validate and parameterize all inputs
JSON Schema / OpenAPI validation at API edges; parameterized queries / prepared statements for SQL; ORM-level validators on persisted models.
preventive
Sign and verify integrity-critical messages
For commands or state mutations, attach an HMAC or signature so downstream consumers can detect tampering in transit or at rest.
detective
Use append-only / write-once stores for audit-critical data
Where data must not be silently changed, write to an append-only log (e.g., immutable S3 bucket, CloudTrail-like store) and reconcile against the mutable copy.
Broken access control / missing authz check
Critical STRIDE Β· Elevation of Privilege Β· Orders DB (Postgres) (database) CWE-269
β–Ό
CVSS 3.1 7.6
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Endpoints fail to verify the caller has permission for the action.

βš”οΈAttack scenario

  1. Attacker authenticates to Orders DB (Postgres) as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Orders DB (Postgres) should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Container / process escape
Critical STRIDE Β· Elevation of Privilege Β· Orders DB (Postgres) (database) CWE-269
β–Ό
CVSS 3.1 7.6
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Attacker breaks out of a sandbox to gain host privileges.

βš”οΈAttack scenario

  1. Attacker authenticates to Orders DB (Postgres) as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Orders DB (Postgres) should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Privilege transit across boundary: Orders Service β†’ Orders DB (Postgres)
Critical STRIDE · Elevation of Privilege · Orders DB (Postgres) (database) CWE-441 ⚑ cross-zone
β–Ό
CVSS 3.1 8.9
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS 4.0 7.4
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
DREAD: D=9, R=8, E=10, A=10, D=10 Β· 47/50
Boundary crossing: Application tier β†’ Data tier

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).

πŸ“Description

If the receiver in 'Data tier' acts on behalf of the caller, attackers compromising 'Application tier' may inherit the receiver's privileges (confused-deputy).

βš”οΈAttack scenario

  1. Attacker compromises a low-privilege component in zone `Application tier`.
  2. Issues requests to Orders DB (Postgres) that get re-executed with the receiver's higher privileges (classic confused-deputy).
  3. Because authorization is checked once at request entry but not per-action against the originating caller, the attacker effectively becomes a privileged actor in `Data tier`.
  4. Attacker performs actions far beyond the original principal's permissions.

πŸ›‘How to mitigate

preventive
Use scoped, short-lived delegation tokens
When Orders DB (Postgres) acts on behalf of a caller, attach a delegation token with the caller's identity, scope (action allow-list), and ≀ 5-min TTL.
preventive
Authorize per-action against the originating caller
Don't rely on ambient authority of the receiver. Each action checks: (a) the delegation token is valid, (b) the original caller has permission for this specific action, (c) the action is within scope.
detective
Audit each privilege transit
Log: original caller β†’ delegating component β†’ action performed. Make this queryable for incident response.
Privilege transit across boundary: API Gateway β†’ Orders Service
Critical STRIDE · Elevation of Privilege · Orders Service (service) CWE-441 ⚑ cross-zone
β–Ό
CVSS 3.1 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS 4.0 7.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
DREAD: D=9, R=8, E=10, A=9, D=10 Β· 46/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).

πŸ“Description

If the receiver in 'Application tier' acts on behalf of the caller, attackers compromising 'DMZ (public-facing)' may inherit the receiver's privileges (confused-deputy).

βš”οΈAttack scenario

  1. Attacker compromises a low-privilege component in zone `DMZ (public-facing)`.
  2. Issues requests to Orders Service that get re-executed with the receiver's higher privileges (classic confused-deputy).
  3. Because authorization is checked once at request entry but not per-action against the originating caller, the attacker effectively becomes a privileged actor in `Application tier`.
  4. Attacker performs actions far beyond the original principal's permissions.

πŸ›‘How to mitigate

preventive
Use scoped, short-lived delegation tokens
When Orders Service acts on behalf of a caller, attach a delegation token with the caller's identity, scope (action allow-list), and ≀ 5-min TTL.
preventive
Authorize per-action against the originating caller
Don't rely on ambient authority of the receiver. Each action checks: (a) the delegation token is valid, (b) the original caller has permission for this specific action, (c) the action is within scope.
detective
Audit each privilege transit
Log: original caller β†’ delegating component β†’ action performed. Make this queryable for incident response.
Broken access control / missing authz check
Critical STRIDE Β· Elevation of Privilege Β· Web Frontend (webapp) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Endpoints fail to verify the caller has permission for the action.

βš”οΈAttack scenario

  1. Attacker authenticates to Web Frontend as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Web Frontend should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Container / process escape
Critical STRIDE Β· Elevation of Privilege Β· Web Frontend (webapp) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Attacker breaks out of a sandbox to gain host privileges.

βš”οΈAttack scenario

  1. Attacker authenticates to Web Frontend as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Web Frontend should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Privilege transit across boundary: Customer Browser β†’ Web Frontend
Critical STRIDE · Elevation of Privilege · Web Frontend (webapp) CWE-441 ⚑ cross-zone
β–Ό
CVSS 3.1 9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CVSS 4.0 7.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
DREAD: D=9, R=8, E=9, A=10, D=10 Β· 46/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).

πŸ“Description

If the receiver in 'DMZ (public-facing)' acts on behalf of the caller, attackers compromising 'Internet' may inherit the receiver's privileges (confused-deputy).

βš”οΈAttack scenario

  1. Attacker compromises a low-privilege component in zone `Internet`.
  2. Issues requests to Web Frontend that get re-executed with the receiver's higher privileges (classic confused-deputy).
  3. Because authorization is checked once at request entry but not per-action against the originating caller, the attacker effectively becomes a privileged actor in `DMZ (public-facing)`.
  4. Attacker performs actions far beyond the original principal's permissions.

πŸ›‘How to mitigate

preventive
Use scoped, short-lived delegation tokens
When Web Frontend acts on behalf of a caller, attach a delegation token with the caller's identity, scope (action allow-list), and ≀ 5-min TTL.
preventive
Authorize per-action against the originating caller
Don't rely on ambient authority of the receiver. Each action checks: (a) the delegation token is valid, (b) the original caller has permission for this specific action, (c) the action is within scope.
detective
Audit each privilege transit
Log: original caller β†’ delegating component β†’ action performed. Make this queryable for incident response.
Authentication bypass via credential stuffing
High STRIDE Β· Spoofing Β· API Gateway (api) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Attackers reuse leaked credentials to impersonate legitimate users.

βš”οΈAttack scenario

  1. Attacker locates API Gateway's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. API Gateway accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Session token hijacking
High STRIDE Β· Spoofing Β· API Gateway (api) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Attacker steals or predicts a session token to impersonate a user.

βš”οΈAttack scenario

  1. Attacker locates API Gateway's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. API Gateway accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
API key / service identity spoofing
High STRIDE Β· Spoofing Β· API Gateway (api) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

An attacker obtains or forges an API key to act as a trusted service.

βš”οΈAttack scenario

  1. Attacker locates API Gateway's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. API Gateway accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Log tampering
High STRIDE Β· Repudiation Β· API Gateway (api) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

An attacker with access modifies or deletes audit trails.

βš”οΈAttack scenario

  1. User performs a sensitive action through API Gateway (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Sensitive data exposure in transit
High STRIDE Β· Information Disclosure Β· API Gateway (api) CWE-319
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

PII, secrets, or tokens transmitted over unencrypted channels.

βš”οΈAttack scenario

  1. Attacker reaches API Gateway via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For api, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Sensitive data exposure at rest
High STRIDE Β· Information Disclosure Β· API Gateway (api) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Stored PII / secrets accessible without proper authorization.

βš”οΈAttack scenario

  1. Attacker reaches API Gateway via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For api, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Insecure direct object reference (IDOR)
High STRIDE Β· Information Disclosure Β· API Gateway (api) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

User can access another user's resources by guessing IDs.

βš”οΈAttack scenario

  1. Attacker reaches API Gateway via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For api, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Application-layer DDoS
High STRIDE Β· Denial of Service Β· API Gateway (api) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Attacker floods expensive endpoints (e.g., search, login).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in API Gateway (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. API Gateway's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach API Gateway; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Privilege escalation via mass assignment
High STRIDE Β· Elevation of Privilege Β· API Gateway (api) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

User submits extra fields (e.g., role=admin) and they bind to the model.

βš”οΈAttack scenario

  1. Attacker authenticates to API Gateway as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to API Gateway should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Unauthenticated flow: Mobile App β†’ API Gateway
High STRIDE Β· Spoofing Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unauthenticated flow: Web Frontend β†’ API Gateway
High STRIDE Β· Spoofing Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Web Frontend β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unauthenticated flow: Admin Portal β†’ API Gateway
High STRIDE Β· Spoofing Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Admin Portal β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Trust-boundary crossing without strong authn: Mobile App β†’ API Gateway
High STRIDE · Spoofing · API Gateway (api) CWE-287 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).

πŸ“Description

Flow '' crosses trust boundary 'Internet' β†’ 'DMZ (public-facing)'. Caller identity must be re-verified at the boundary; existing trust does not transit.

βš”οΈAttack scenario

  1. Attacker positions themselves on the network path between source and destination, or compromises an upstream component in the source zone.
  2. Crafts requests with forged or replayed identity claims (cookies, tokens, IP-based trust).
  3. API Gateway accepts the request because identity is not re-verified at the boundary, treating the upstream zone as trusted.
  4. Attacker can now perform actions as the impersonated principal across the boundary.

πŸ›‘How to mitigate

preventive
Re-authenticate at the boundary
Require a fresh, audience-bound credential at the receiver. Do not infer identity from network position, source IP, or upstream session.
preventive
Use mutual TLS or signed tokens with audience claims
For service-to-service calls into API Gateway, terminate mTLS at the boundary and reject any caller without a valid client cert. For human-driven flows, use OAuth2 / OIDC with audience and issuer validation.
detective
Log every cross-boundary auth decision
Emit an authentication event (success and failure) tagged with both source and destination zone. Forward to SIEM with retention β‰₯ 90 days.
Cross-boundary input not validated: Mobile App β†’ API Gateway
High STRIDE · Tampering · API Gateway (api) CWE-20 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).

πŸ“Description

Data crossing the trust boundary into 'DMZ (public-facing)' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.

βš”οΈAttack scenario

  1. Attacker compromises a less-trusted upstream zone or directly sends malformed input to API Gateway.
  2. Sends payloads with unexpected types, lengths, or special characters (e.g. SQL meta-chars, NUL bytes, control sequences).
  3. API Gateway processes the input under the assumption that the upstream zone has already validated it β€” but the boundary changes the security context.
  4. Injection, deserialization flaws, or buffer issues trigger; attacker pivots into API Gateway or the zone behind it.

πŸ›‘How to mitigate

preventive
Validate against an allow-list schema at the boundary
Define an explicit schema (JSON Schema, Protobuf, OpenAPI) for every accepted message at this boundary. Reject anything that doesn't match β€” type, length, charset, enum values, nested depth.
preventive
Canonicalize before validation
Decode URL-encoding, Unicode normalization (NFC), trim whitespace, and resolve relative paths before validating. Avoid double-decoding bypasses.
preventive
Apply context-specific output encoding
Whatever API Gateway does with the input β€” SQL: parameterized queries, HTML: contextual escaping, OS commands: avoid shell, use exec arrays, LDAP: escape filter chars.
Cross-boundary data exposure risk: Mobile App β†’ API Gateway
High STRIDE · Information Disclosure · API Gateway (api) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).

πŸ“Description

Information leaving 'Internet' into 'DMZ (public-facing)' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.

βš”οΈAttack scenario

  1. Attacker observes traffic leaving the source zone, or compromises a component in the destination zone.
  2. The destination zone receives more data than it strictly needs (over-fetching, verbose error responses, full record dumps).
  3. Attacker harvests sensitive fields (PII, secrets, internal IDs) that should never have left the source zone.
  4. Data is exfiltrated, sold, or used to plan a deeper attack on the originating zone.

πŸ›‘How to mitigate

preventive
Enforce minimum-data-needed at the egress point
Whitelist exactly which fields leave the source zone. Strip everything else server-side before serialization.
preventive
Tokenize or redact sensitive fields
Replace PII / PCI / PHI fields with reversible tokens or one-way hashes when the destination zone doesn't need the cleartext value.
detective
Log cross-boundary data flows for review
Sample-log the field set crossing this boundary (not the values) so DLP and privacy reviews can audit what's egressing.
Authentication bypass via credential stuffing
High STRIDE Β· Spoofing Β· Admin Portal (webapp) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Attackers reuse leaked credentials to impersonate legitimate users.

βš”οΈAttack scenario

  1. Attacker locates Admin Portal's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. Admin Portal accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Session token hijacking
High STRIDE Β· Spoofing Β· Admin Portal (webapp) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Attacker steals or predicts a session token to impersonate a user.

βš”οΈAttack scenario

  1. Attacker locates Admin Portal's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. Admin Portal accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
API key / service identity spoofing
High STRIDE Β· Spoofing Β· Admin Portal (webapp) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

An attacker obtains or forges an API key to act as a trusted service.

βš”οΈAttack scenario

  1. Attacker locates Admin Portal's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. Admin Portal accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Log tampering
High STRIDE Β· Repudiation Β· Admin Portal (webapp) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

An attacker with access modifies or deletes audit trails.

βš”οΈAttack scenario

  1. User performs a sensitive action through Admin Portal (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Sensitive data exposure in transit
High STRIDE Β· Information Disclosure Β· Admin Portal (webapp) CWE-319
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

PII, secrets, or tokens transmitted over unencrypted channels.

βš”οΈAttack scenario

  1. Attacker reaches Admin Portal via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Sensitive data exposure at rest
High STRIDE Β· Information Disclosure Β· Admin Portal (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Stored PII / secrets accessible without proper authorization.

βš”οΈAttack scenario

  1. Attacker reaches Admin Portal via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Insecure direct object reference (IDOR)
High STRIDE Β· Information Disclosure Β· Admin Portal (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

User can access another user's resources by guessing IDs.

βš”οΈAttack scenario

  1. Attacker reaches Admin Portal via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Application-layer DDoS
High STRIDE Β· Denial of Service Β· Admin Portal (webapp) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Attacker floods expensive endpoints (e.g., search, login).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Admin Portal (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Admin Portal's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Admin Portal; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Privilege escalation via mass assignment
High STRIDE Β· Elevation of Privilege Β· Admin Portal (webapp) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

User submits extra fields (e.g., role=admin) and they bind to the model.

βš”οΈAttack scenario

  1. Attacker authenticates to Admin Portal as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Admin Portal should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Unauthenticated flow: API Gateway β†’ Auth Service
High STRIDE Β· Spoofing Β· Auth Service (service) CWE-306
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Auth Service (service).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Auth Service (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Auth Service processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Trust-boundary crossing without strong authn: API Gateway β†’ Auth Service
High STRIDE · Spoofing · Auth Service (service) CWE-287 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=7, D=8 Β· 35/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).

πŸ“Description

Flow '' crosses trust boundary 'DMZ (public-facing)' β†’ 'Application tier'. Caller identity must be re-verified at the boundary; existing trust does not transit.

βš”οΈAttack scenario

  1. Attacker positions themselves on the network path between source and destination, or compromises an upstream component in the source zone.
  2. Crafts requests with forged or replayed identity claims (cookies, tokens, IP-based trust).
  3. Auth Service accepts the request because identity is not re-verified at the boundary, treating the upstream zone as trusted.
  4. Attacker can now perform actions as the impersonated principal across the boundary.

πŸ›‘How to mitigate

preventive
Re-authenticate at the boundary
Require a fresh, audience-bound credential at the receiver. Do not infer identity from network position, source IP, or upstream session.
preventive
Use mutual TLS or signed tokens with audience claims
For service-to-service calls into Auth Service, terminate mTLS at the boundary and reject any caller without a valid client cert. For human-driven flows, use OAuth2 / OIDC with audience and issuer validation.
detective
Log every cross-boundary auth decision
Emit an authentication event (success and failure) tagged with both source and destination zone. Forward to SIEM with retention β‰₯ 90 days.
Cross-boundary input not validated: API Gateway β†’ Auth Service
High STRIDE · Tampering · Auth Service (service) CWE-20 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
DREAD: D=7, R=6, E=7, A=7, D=8 Β· 35/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).

πŸ“Description

Data crossing the trust boundary into 'Application tier' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.

βš”οΈAttack scenario

  1. Attacker compromises a less-trusted upstream zone or directly sends malformed input to Auth Service.
  2. Sends payloads with unexpected types, lengths, or special characters (e.g. SQL meta-chars, NUL bytes, control sequences).
  3. Auth Service processes the input under the assumption that the upstream zone has already validated it β€” but the boundary changes the security context.
  4. Injection, deserialization flaws, or buffer issues trigger; attacker pivots into Auth Service or the zone behind it.

πŸ›‘How to mitigate

preventive
Validate against an allow-list schema at the boundary
Define an explicit schema (JSON Schema, Protobuf, OpenAPI) for every accepted message at this boundary. Reject anything that doesn't match β€” type, length, charset, enum values, nested depth.
preventive
Canonicalize before validation
Decode URL-encoding, Unicode normalization (NFC), trim whitespace, and resolve relative paths before validating. Avoid double-decoding bypasses.
preventive
Apply context-specific output encoding
Whatever Auth Service does with the input β€” SQL: parameterized queries, HTML: contextual escaping, OS commands: avoid shell, use exec arrays, LDAP: escape filter chars.
Cross-boundary data exposure risk: API Gateway β†’ Auth Service
High STRIDE · Information Disclosure · Auth Service (service) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=7, D=8 Β· 35/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).

πŸ“Description

Information leaving 'DMZ (public-facing)' into 'Application tier' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.

βš”οΈAttack scenario

  1. Attacker observes traffic leaving the source zone, or compromises a component in the destination zone.
  2. The destination zone receives more data than it strictly needs (over-fetching, verbose error responses, full record dumps).
  3. Attacker harvests sensitive fields (PII, secrets, internal IDs) that should never have left the source zone.
  4. Data is exfiltrated, sold, or used to plan a deeper attack on the originating zone.

πŸ›‘How to mitigate

preventive
Enforce minimum-data-needed at the egress point
Whitelist exactly which fields leave the source zone. Strip everything else server-side before serialization.
preventive
Tokenize or redact sensitive fields
Replace PII / PCI / PHI fields with reversible tokens or one-way hashes when the destination zone doesn't need the cleartext value.
detective
Log cross-boundary data flows for review
Sample-log the field set crossing this boundary (not the values) so DLP and privacy reviews can audit what's egressing.
Authentication bypass via credential stuffing
High STRIDE Β· Spoofing Β· Customer Browser (user) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Customer Browser (user).

πŸ“Description

Attackers reuse leaked credentials to impersonate legitimate users.

βš”οΈAttack scenario

  1. Attacker obtains valid credentials via phishing, credential stuffing, or a third-party breach.
  2. Logs in as the legitimate user/entity at Customer Browser.
  3. Performs actions indistinguishable from the real user (auth events look normal).
  4. Damage scales with the impersonated user's permissions; admin accounts cause the most harm.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Session token hijacking
High STRIDE Β· Spoofing Β· Customer Browser (user) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Customer Browser (user).

πŸ“Description

Attacker steals or predicts a session token to impersonate a user.

βš”οΈAttack scenario

  1. Attacker obtains valid credentials via phishing, credential stuffing, or a third-party breach.
  2. Logs in as the legitimate user/entity at Customer Browser.
  3. Performs actions indistinguishable from the real user (auth events look normal).
  4. Damage scales with the impersonated user's permissions; admin accounts cause the most harm.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
API key / service identity spoofing
High STRIDE Β· Spoofing Β· Customer Browser (user) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Customer Browser (user).

πŸ“Description

An attacker obtains or forges an API key to act as a trusted service.

βš”οΈAttack scenario

  1. Attacker obtains valid credentials via phishing, credential stuffing, or a third-party breach.
  2. Logs in as the legitimate user/entity at Customer Browser.
  3. Performs actions indistinguishable from the real user (auth events look normal).
  4. Damage scales with the impersonated user's permissions; admin accounts cause the most harm.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Authentication bypass via credential stuffing
High STRIDE Β· Spoofing Β· Mobile App (user) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Mobile App (user).

πŸ“Description

Attackers reuse leaked credentials to impersonate legitimate users.

βš”οΈAttack scenario

  1. Attacker obtains valid credentials via phishing, credential stuffing, or a third-party breach.
  2. Logs in as the legitimate user/entity at Mobile App.
  3. Performs actions indistinguishable from the real user (auth events look normal).
  4. Damage scales with the impersonated user's permissions; admin accounts cause the most harm.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Session token hijacking
High STRIDE Β· Spoofing Β· Mobile App (user) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Mobile App (user).

πŸ“Description

Attacker steals or predicts a session token to impersonate a user.

βš”οΈAttack scenario

  1. Attacker obtains valid credentials via phishing, credential stuffing, or a third-party breach.
  2. Logs in as the legitimate user/entity at Mobile App.
  3. Performs actions indistinguishable from the real user (auth events look normal).
  4. Damage scales with the impersonated user's permissions; admin accounts cause the most harm.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
API key / service identity spoofing
High STRIDE Β· Spoofing Β· Mobile App (user) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Mobile App (user).

πŸ“Description

An attacker obtains or forges an API key to act as a trusted service.

βš”οΈAttack scenario

  1. Attacker obtains valid credentials via phishing, credential stuffing, or a third-party breach.
  2. Logs in as the legitimate user/entity at Mobile App.
  3. Performs actions indistinguishable from the real user (auth events look normal).
  4. Damage scales with the impersonated user's permissions; admin accounts cause the most harm.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Data-in-transit modification
High STRIDE Β· Tampering Β· Orders DB (Postgres) (database) CWE-345
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Attacker on the network path alters request/response payloads.

βš”οΈAttack scenario

  1. Attacker reaches an input vector exposed by Orders DB (Postgres) (request body, query string, message queue payload, persisted state).
  2. Submits malformed input designed to alter the program's logic or stored data (injection, parameter tampering, deserialization gadgets).
  3. Orders DB (Postgres) processes the input without strict validation, and the malicious change takes effect.
  4. Tampered data is persisted, executed, or relayed downstream β€” corrupting integrity beyond the original entry point.

πŸ›‘How to mitigate

preventive
Schema-validate and parameterize all inputs
JSON Schema / OpenAPI validation at API edges; parameterized queries / prepared statements for SQL; ORM-level validators on persisted models.
preventive
Sign and verify integrity-critical messages
For commands or state mutations, attach an HMAC or signature so downstream consumers can detect tampering in transit or at rest.
detective
Use append-only / write-once stores for audit-critical data
Where data must not be silently changed, write to an append-only log (e.g., immutable S3 bucket, CloudTrail-like store) and reconcile against the mutable copy.
Config / secret tampering
High STRIDE Β· Tampering Β· Orders DB (Postgres) (database) CWE-345
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Unauthorized changes to runtime config alter security behavior.

βš”οΈAttack scenario

  1. Attacker reaches an input vector exposed by Orders DB (Postgres) (request body, query string, message queue payload, persisted state).
  2. Submits malformed input designed to alter the program's logic or stored data (injection, parameter tampering, deserialization gadgets).
  3. Orders DB (Postgres) processes the input without strict validation, and the malicious change takes effect.
  4. Tampered data is persisted, executed, or relayed downstream β€” corrupting integrity beyond the original entry point.

πŸ›‘How to mitigate

preventive
Schema-validate and parameterize all inputs
JSON Schema / OpenAPI validation at API edges; parameterized queries / prepared statements for SQL; ORM-level validators on persisted models.
preventive
Sign and verify integrity-critical messages
For commands or state mutations, attach an HMAC or signature so downstream consumers can detect tampering in transit or at rest.
detective
Use append-only / write-once stores for audit-critical data
Where data must not be silently changed, write to an append-only log (e.g., immutable S3 bucket, CloudTrail-like store) and reconcile against the mutable copy.
Log tampering
High STRIDE Β· Repudiation Β· Orders DB (Postgres) (database) CWE-778
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

An attacker with access modifies or deletes audit trails.

βš”οΈAttack scenario

  1. User performs a sensitive action through Orders DB (Postgres) (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Sensitive data exposure in transit
High STRIDE Β· Information Disclosure Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

PII, secrets, or tokens transmitted over unencrypted channels.

βš”οΈAttack scenario

  1. Attacker reaches Orders DB (Postgres) via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For database, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Sensitive data exposure at rest
High STRIDE Β· Information Disclosure Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Stored PII / secrets accessible without proper authorization.

βš”οΈAttack scenario

  1. Attacker reaches Orders DB (Postgres) via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For database, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Insecure direct object reference (IDOR)
High STRIDE Β· Information Disclosure Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

User can access another user's resources by guessing IDs.

βš”οΈAttack scenario

  1. Attacker reaches Orders DB (Postgres) via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For database, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Application-layer DDoS
High STRIDE Β· Denial of Service Β· Orders DB (Postgres) (database) CWE-400
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Attacker floods expensive endpoints (e.g., search, login).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Orders DB (Postgres) (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Orders DB (Postgres)'s resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Orders DB (Postgres); cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Privilege escalation via mass assignment
High STRIDE Β· Elevation of Privilege Β· Orders DB (Postgres) (database) CWE-269
β–Ό
CVSS 3.1 7.6
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

User submits extra fields (e.g., role=admin) and they bind to the model.

βš”οΈAttack scenario

  1. Attacker authenticates to Orders DB (Postgres) as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Orders DB (Postgres) should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Unencrypted flow: Orders Service β†’ Orders DB (Postgres)
High STRIDE Β· Information Disclosure Β· Orders DB (Postgres) (database) CWE-319
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=7, D=8 Β· 36/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Data flow '' uses TCP without encryption.

βš”οΈAttack scenario

  1. Attacker gains read access to the network path (sniffing on shared LAN, compromised router, hostile cloud tenant, malicious admin).
  2. Captures cleartext traffic on the TCP channel.
  3. Extracts credentials, session tokens, PII, or business secrets from packet captures.
  4. Uses the credentials to impersonate Orders DB (Postgres) or the calling component, or sells/leaks the captured data.

πŸ›‘How to mitigate

preventive
Enable TLS 1.3 (or 1.2 with strong ciphers) on the flow
Replace plain TCP with its TLS variant. For databases use TLS-enabled drivers; for queues like AMQP/Kafka, configure broker certs and require client TLS.
preventive
Enforce certificate validation
Verify hostname, validate the chain to a known CA, pin certificates or use a private CA for internal services. Disable cipher fallbacks to NULL/EXPORT/RC4.
detective
Scan for cleartext fallbacks
Add a network-policy / NetworkPolicy / security-group rule that drops any traffic on the cleartext port. Alert if it ever fires.
Unauthenticated flow: Orders Service β†’ Orders DB (Postgres)
High STRIDE Β· Spoofing Β· Orders DB (Postgres) (database) CWE-306
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=7, D=8 Β· 36/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Orders DB (Postgres) (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Orders DB (Postgres) processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Trust-boundary crossing without strong authn: Orders Service β†’ Orders DB (Postgres)
High STRIDE · Spoofing · Orders DB (Postgres) (database) CWE-287 ⚑ cross-zone
β–Ό
CVSS 3.1 6.8
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 5.8
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=8, A=9, D=9 Β· 39/50
Boundary crossing: Application tier β†’ Data tier

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Flow '' crosses trust boundary 'Application tier' β†’ 'Data tier'. Caller identity must be re-verified at the boundary; existing trust does not transit.

βš”οΈAttack scenario

  1. Attacker positions themselves on the network path between source and destination, or compromises an upstream component in the source zone.
  2. Crafts requests with forged or replayed identity claims (cookies, tokens, IP-based trust).
  3. Orders DB (Postgres) accepts the request because identity is not re-verified at the boundary, treating the upstream zone as trusted.
  4. Attacker can now perform actions as the impersonated principal across the boundary.

πŸ›‘How to mitigate

preventive
Re-authenticate at the boundary
Require a fresh, audience-bound credential at the receiver. Do not infer identity from network position, source IP, or upstream session.
preventive
Use mutual TLS or signed tokens with audience claims
For service-to-service calls into Orders DB (Postgres), terminate mTLS at the boundary and reject any caller without a valid client cert. For human-driven flows, use OAuth2 / OIDC with audience and issuer validation.
detective
Log every cross-boundary auth decision
Emit an authentication event (success and failure) tagged with both source and destination zone. Forward to SIEM with retention β‰₯ 90 days.
Cross-boundary input not validated: Orders Service β†’ Orders DB (Postgres)
High STRIDE · Tampering · Orders DB (Postgres) (database) CWE-20 ⚑ cross-zone
β–Ό
CVSS 3.1 8.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVSS 4.0 5.8
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N
DREAD: D=7, R=6, E=8, A=9, D=9 Β· 39/50
Boundary crossing: Application tier β†’ Data tier

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Data crossing the trust boundary into 'Data tier' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.

βš”οΈAttack scenario

  1. Attacker compromises a less-trusted upstream zone or directly sends malformed input to Orders DB (Postgres).
  2. Sends payloads with unexpected types, lengths, or special characters (e.g. SQL meta-chars, NUL bytes, control sequences).
  3. Orders DB (Postgres) processes the input under the assumption that the upstream zone has already validated it β€” but the boundary changes the security context.
  4. Injection, deserialization flaws, or buffer issues trigger; attacker pivots into Orders DB (Postgres) or the zone behind it.

πŸ›‘How to mitigate

preventive
Validate against an allow-list schema at the boundary
Define an explicit schema (JSON Schema, Protobuf, OpenAPI) for every accepted message at this boundary. Reject anything that doesn't match β€” type, length, charset, enum values, nested depth.
preventive
Canonicalize before validation
Decode URL-encoding, Unicode normalization (NFC), trim whitespace, and resolve relative paths before validating. Avoid double-decoding bypasses.
preventive
Apply context-specific output encoding
Whatever Orders DB (Postgres) does with the input β€” SQL: parameterized queries, HTML: contextual escaping, OS commands: avoid shell, use exec arrays, LDAP: escape filter chars.
Cross-boundary data exposure risk: Orders Service β†’ Orders DB (Postgres)
High STRIDE · Information Disclosure · Orders DB (Postgres) (database) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 6.8
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 5.8
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=8, A=9, D=9 Β· 39/50
Boundary crossing: Application tier β†’ Data tier

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Information leaving 'Application tier' into 'Data tier' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.

βš”οΈAttack scenario

  1. Attacker observes traffic leaving the source zone, or compromises a component in the destination zone.
  2. The destination zone receives more data than it strictly needs (over-fetching, verbose error responses, full record dumps).
  3. Attacker harvests sensitive fields (PII, secrets, internal IDs) that should never have left the source zone.
  4. Data is exfiltrated, sold, or used to plan a deeper attack on the originating zone.

πŸ›‘How to mitigate

preventive
Enforce minimum-data-needed at the egress point
Whitelist exactly which fields leave the source zone. Strip everything else server-side before serialization.
preventive
Tokenize or redact sensitive fields
Replace PII / PCI / PHI fields with reversible tokens or one-way hashes when the destination zone doesn't need the cleartext value.
detective
Log cross-boundary data flows for review
Sample-log the field set crossing this boundary (not the values) so DLP and privacy reviews can audit what's egressing.
Unencrypted flow: API Gateway β†’ Orders Service
High STRIDE Β· Information Disclosure Β· Orders Service (service) CWE-319
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=5, D=8 Β· 34/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).

πŸ“Description

Data flow '' uses HTTP without encryption.

βš”οΈAttack scenario

  1. Attacker gains read access to the network path (sniffing on shared LAN, compromised router, hostile cloud tenant, malicious admin).
  2. Captures cleartext traffic on the HTTP channel.
  3. Extracts credentials, session tokens, PII, or business secrets from packet captures.
  4. Uses the credentials to impersonate Orders Service or the calling component, or sells/leaks the captured data.

πŸ›‘How to mitigate

preventive
Enable TLS 1.3 (or 1.2 with strong ciphers) on the flow
Replace plain HTTP with its TLS variant. For databases use TLS-enabled drivers; for queues like AMQP/Kafka, configure broker certs and require client TLS.
preventive
Enforce certificate validation
Verify hostname, validate the chain to a known CA, pin certificates or use a private CA for internal services. Disable cipher fallbacks to NULL/EXPORT/RC4.
detective
Scan for cleartext fallbacks
Add a network-policy / NetworkPolicy / security-group rule that drops any traffic on the cleartext port. Alert if it ever fires.
Unauthenticated flow: API Gateway β†’ Orders Service
High STRIDE Β· Spoofing Β· Orders Service (service) CWE-306
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=5, D=8 Β· 34/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Orders Service (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Orders Service processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Trust-boundary crossing without strong authn: API Gateway β†’ Orders Service
High STRIDE · Spoofing · Orders Service (service) CWE-287 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=8, A=7, D=9 Β· 37/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).

πŸ“Description

Flow '' crosses trust boundary 'DMZ (public-facing)' β†’ 'Application tier'. Caller identity must be re-verified at the boundary; existing trust does not transit.

βš”οΈAttack scenario

  1. Attacker positions themselves on the network path between source and destination, or compromises an upstream component in the source zone.
  2. Crafts requests with forged or replayed identity claims (cookies, tokens, IP-based trust).
  3. Orders Service accepts the request because identity is not re-verified at the boundary, treating the upstream zone as trusted.
  4. Attacker can now perform actions as the impersonated principal across the boundary.

πŸ›‘How to mitigate

preventive
Re-authenticate at the boundary
Require a fresh, audience-bound credential at the receiver. Do not infer identity from network position, source IP, or upstream session.
preventive
Use mutual TLS or signed tokens with audience claims
For service-to-service calls into Orders Service, terminate mTLS at the boundary and reject any caller without a valid client cert. For human-driven flows, use OAuth2 / OIDC with audience and issuer validation.
detective
Log every cross-boundary auth decision
Emit an authentication event (success and failure) tagged with both source and destination zone. Forward to SIEM with retention β‰₯ 90 days.
Cross-boundary input not validated: API Gateway β†’ Orders Service
High STRIDE · Tampering · Orders Service (service) CWE-20 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
DREAD: D=7, R=6, E=8, A=7, D=9 Β· 37/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).

πŸ“Description

Data crossing the trust boundary into 'Application tier' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.

βš”οΈAttack scenario

  1. Attacker compromises a less-trusted upstream zone or directly sends malformed input to Orders Service.
  2. Sends payloads with unexpected types, lengths, or special characters (e.g. SQL meta-chars, NUL bytes, control sequences).
  3. Orders Service processes the input under the assumption that the upstream zone has already validated it β€” but the boundary changes the security context.
  4. Injection, deserialization flaws, or buffer issues trigger; attacker pivots into Orders Service or the zone behind it.

πŸ›‘How to mitigate

preventive
Validate against an allow-list schema at the boundary
Define an explicit schema (JSON Schema, Protobuf, OpenAPI) for every accepted message at this boundary. Reject anything that doesn't match β€” type, length, charset, enum values, nested depth.
preventive
Canonicalize before validation
Decode URL-encoding, Unicode normalization (NFC), trim whitespace, and resolve relative paths before validating. Avoid double-decoding bypasses.
preventive
Apply context-specific output encoding
Whatever Orders Service does with the input β€” SQL: parameterized queries, HTML: contextual escaping, OS commands: avoid shell, use exec arrays, LDAP: escape filter chars.
Cross-boundary data exposure risk: API Gateway β†’ Orders Service
High STRIDE · Information Disclosure · Orders Service (service) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=8, A=7, D=9 Β· 37/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).

πŸ“Description

Information leaving 'DMZ (public-facing)' into 'Application tier' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.

βš”οΈAttack scenario

  1. Attacker observes traffic leaving the source zone, or compromises a component in the destination zone.
  2. The destination zone receives more data than it strictly needs (over-fetching, verbose error responses, full record dumps).
  3. Attacker harvests sensitive fields (PII, secrets, internal IDs) that should never have left the source zone.
  4. Data is exfiltrated, sold, or used to plan a deeper attack on the originating zone.

πŸ›‘How to mitigate

preventive
Enforce minimum-data-needed at the egress point
Whitelist exactly which fields leave the source zone. Strip everything else server-side before serialization.
preventive
Tokenize or redact sensitive fields
Replace PII / PCI / PHI fields with reversible tokens or one-way hashes when the destination zone doesn't need the cleartext value.
detective
Log cross-boundary data flows for review
Sample-log the field set crossing this boundary (not the values) so DLP and privacy reviews can audit what's egressing.
Unauthenticated flow: Orders Service β†’ Payment Provider
High STRIDE Β· Spoofing Β· Payment Provider (external) CWE-306
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Payment Provider (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Payment Provider (external).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Payment Provider (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Payment Provider processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Authentication bypass via credential stuffing
High STRIDE Β· Spoofing Β· Web Frontend (webapp) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Attackers reuse leaked credentials to impersonate legitimate users.

βš”οΈAttack scenario

  1. Attacker locates Web Frontend's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. Web Frontend accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Session token hijacking
High STRIDE Β· Spoofing Β· Web Frontend (webapp) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Attacker steals or predicts a session token to impersonate a user.

βš”οΈAttack scenario

  1. Attacker locates Web Frontend's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. Web Frontend accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
API key / service identity spoofing
High STRIDE Β· Spoofing Β· Web Frontend (webapp) CWE-287
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

An attacker obtains or forges an API key to act as a trusted service.

βš”οΈAttack scenario

  1. Attacker locates Web Frontend's identity claim mechanism (token format, header name, signing key handling).
  2. Forges or replays a token to assert another principal's identity.
  3. Web Frontend accepts the claim because verification is missing or weak (e.g., signature not checked, expired tokens accepted, no audience validation).
  4. Attacker acts as the spoofed principal β€” reading data, triggering workflows, or pivoting to internal services.

πŸ›‘How to mitigate

preventive
Validate token signatures with explicit algorithm allow-listing
Reject 'alg: none', reject HS256 when expecting RS256. Use a vetted JWT library; never hand-roll verification.
preventive
Enforce audience and issuer claims
Every token must declare which service it's intended for. Reject tokens whose audience doesn't match this component.
preventive
Bind tokens to a session or device
Use mTLS-bound tokens, DPoP, or token binding to prevent replay if a token is captured.
Log tampering
High STRIDE Β· Repudiation Β· Web Frontend (webapp) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

An attacker with access modifies or deletes audit trails.

βš”οΈAttack scenario

  1. User performs a sensitive action through Web Frontend (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Sensitive data exposure in transit
High STRIDE Β· Information Disclosure Β· Web Frontend (webapp) CWE-319
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

PII, secrets, or tokens transmitted over unencrypted channels.

βš”οΈAttack scenario

  1. Attacker reaches Web Frontend via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Sensitive data exposure at rest
High STRIDE Β· Information Disclosure Β· Web Frontend (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Stored PII / secrets accessible without proper authorization.

βš”οΈAttack scenario

  1. Attacker reaches Web Frontend via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Insecure direct object reference (IDOR)
High STRIDE Β· Information Disclosure Β· Web Frontend (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

User can access another user's resources by guessing IDs.

βš”οΈAttack scenario

  1. Attacker reaches Web Frontend via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Application-layer DDoS
High STRIDE Β· Denial of Service Β· Web Frontend (webapp) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Attacker floods expensive endpoints (e.g., search, login).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Web Frontend (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Web Frontend's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Web Frontend; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Privilege escalation via mass assignment
High STRIDE Β· Elevation of Privilege Β· Web Frontend (webapp) CWE-269
β–Ό
CVSS 3.1 8.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CVSS 4.0 6.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

User submits extra fields (e.g., role=admin) and they bind to the model.

βš”οΈAttack scenario

  1. Attacker authenticates to Web Frontend as a low-privilege user, or reaches an unauthenticated entry point.
  2. Identifies an authorization gap β€” a function that doesn't re-check the caller's role, an IDOR-style URL, an admin endpoint with weak gating.
  3. Issues requests to that gap, gaining access to data or actions reserved for higher-privilege roles.
  4. Now operating with elevated privilege, attacker can pivot to other components, exfiltrate data, or persist access.

πŸ›‘How to mitigate

preventive
Re-authorize on every action, not just at session start
Every privileged endpoint checks the current principal's roles/permissions for the specific resource being acted on. No 'logged in = allowed'.
preventive
Apply least-privilege to service identities
The IAM/role attached to Web Frontend should grant only the actions it actually performs. Audit IAM grants quarterly.
detective
Detect anomalous privilege use
Alert when a principal performs an action they have not performed in the trailing 90 days, or when admin-tier actions originate from non-admin networks.
Unauthenticated flow: Customer Browser β†’ Web Frontend
High STRIDE Β· Spoofing Β· Web Frontend (webapp) CWE-306
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Web Frontend (webapp).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Web Frontend (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Web Frontend processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Trust-boundary crossing without strong authn: Customer Browser β†’ Web Frontend
High STRIDE · Spoofing · Web Frontend (webapp) CWE-287 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).

πŸ“Description

Flow '' crosses trust boundary 'Internet' β†’ 'DMZ (public-facing)'. Caller identity must be re-verified at the boundary; existing trust does not transit.

βš”οΈAttack scenario

  1. Attacker positions themselves on the network path between source and destination, or compromises an upstream component in the source zone.
  2. Crafts requests with forged or replayed identity claims (cookies, tokens, IP-based trust).
  3. Web Frontend accepts the request because identity is not re-verified at the boundary, treating the upstream zone as trusted.
  4. Attacker can now perform actions as the impersonated principal across the boundary.

πŸ›‘How to mitigate

preventive
Re-authenticate at the boundary
Require a fresh, audience-bound credential at the receiver. Do not infer identity from network position, source IP, or upstream session.
preventive
Use mutual TLS or signed tokens with audience claims
For service-to-service calls into Web Frontend, terminate mTLS at the boundary and reject any caller without a valid client cert. For human-driven flows, use OAuth2 / OIDC with audience and issuer validation.
detective
Log every cross-boundary auth decision
Emit an authentication event (success and failure) tagged with both source and destination zone. Forward to SIEM with retention β‰₯ 90 days.
Cross-boundary input not validated: Customer Browser β†’ Web Frontend
High STRIDE · Tampering · Web Frontend (webapp) CWE-20 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).

πŸ“Description

Data crossing the trust boundary into 'DMZ (public-facing)' must be treated as untrusted, even if the source is internal. Implicit trust is the most common cause of injection / SSRF / deserialization bugs.

βš”οΈAttack scenario

  1. Attacker compromises a less-trusted upstream zone or directly sends malformed input to Web Frontend.
  2. Sends payloads with unexpected types, lengths, or special characters (e.g. SQL meta-chars, NUL bytes, control sequences).
  3. Web Frontend processes the input under the assumption that the upstream zone has already validated it β€” but the boundary changes the security context.
  4. Injection, deserialization flaws, or buffer issues trigger; attacker pivots into Web Frontend or the zone behind it.

πŸ›‘How to mitigate

preventive
Validate against an allow-list schema at the boundary
Define an explicit schema (JSON Schema, Protobuf, OpenAPI) for every accepted message at this boundary. Reject anything that doesn't match β€” type, length, charset, enum values, nested depth.
preventive
Canonicalize before validation
Decode URL-encoding, Unicode normalization (NFC), trim whitespace, and resolve relative paths before validating. Avoid double-decoding bypasses.
preventive
Apply context-specific output encoding
Whatever Web Frontend does with the input β€” SQL: parameterized queries, HTML: contextual escaping, OS commands: avoid shell, use exec arrays, LDAP: escape filter chars.
Cross-boundary data exposure risk: Customer Browser β†’ Web Frontend
High STRIDE · Information Disclosure · Web Frontend (webapp) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).

πŸ“Description

Information leaving 'Internet' into 'DMZ (public-facing)' may include data the receiving zone is not authorized to see. Cross-boundary egress is a common data-leak surface.

βš”οΈAttack scenario

  1. Attacker observes traffic leaving the source zone, or compromises a component in the destination zone.
  2. The destination zone receives more data than it strictly needs (over-fetching, verbose error responses, full record dumps).
  3. Attacker harvests sensitive fields (PII, secrets, internal IDs) that should never have left the source zone.
  4. Data is exfiltrated, sold, or used to plan a deeper attack on the originating zone.

πŸ›‘How to mitigate

preventive
Enforce minimum-data-needed at the egress point
Whitelist exactly which fields leave the source zone. Strip everything else server-side before serialization.
preventive
Tokenize or redact sensitive fields
Replace PII / PCI / PHI fields with reversible tokens or one-way hashes when the destination zone doesn't need the cleartext value.
detective
Log cross-boundary data flows for review
Sample-log the field set crossing this boundary (not the values) so DLP and privacy reviews can audit what's egressing.
Insufficient audit logging
Medium STRIDE Β· Repudiation Β· API Gateway (api) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Critical user actions cannot be reliably attributed after the fact.

βš”οΈAttack scenario

  1. User performs a sensitive action through API Gateway (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Verbose error messages / stack traces
Medium STRIDE Β· Information Disclosure Β· API Gateway (api) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Error responses leak implementation details to attackers.

βš”οΈAttack scenario

  1. Attacker reaches API Gateway via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For api, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Resource exhaustion via unbounded input
Medium STRIDE Β· Denial of Service Β· API Gateway (api) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Large payloads or unbounded loops exhaust CPU/memory.

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in API Gateway (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. API Gateway's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach API Gateway; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Algorithmic complexity attack
Medium STRIDE Β· Denial of Service Β· API Gateway (api) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in API Gateway (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. API Gateway's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach API Gateway; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Insufficient audit logging
Medium STRIDE Β· Repudiation Β· Admin Portal (webapp) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Critical user actions cannot be reliably attributed after the fact.

βš”οΈAttack scenario

  1. User performs a sensitive action through Admin Portal (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Verbose error messages / stack traces
Medium STRIDE Β· Information Disclosure Β· Admin Portal (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Error responses leak implementation details to attackers.

βš”οΈAttack scenario

  1. Attacker reaches Admin Portal via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Resource exhaustion via unbounded input
Medium STRIDE Β· Denial of Service Β· Admin Portal (webapp) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Large payloads or unbounded loops exhaust CPU/memory.

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Admin Portal (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Admin Portal's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Admin Portal; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Algorithmic complexity attack
Medium STRIDE Β· Denial of Service Β· Admin Portal (webapp) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Admin Portal (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Admin Portal's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Admin Portal; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Insufficient audit logging
Medium STRIDE Β· Repudiation Β· Orders DB (Postgres) (database) CWE-778
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Critical user actions cannot be reliably attributed after the fact.

βš”οΈAttack scenario

  1. User performs a sensitive action through Orders DB (Postgres) (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Verbose error messages / stack traces
Medium STRIDE Β· Information Disclosure Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Error responses leak implementation details to attackers.

βš”οΈAttack scenario

  1. Attacker reaches Orders DB (Postgres) via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For database, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Resource exhaustion via unbounded input
Medium STRIDE Β· Denial of Service Β· Orders DB (Postgres) (database) CWE-400
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Large payloads or unbounded loops exhaust CPU/memory.

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Orders DB (Postgres) (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Orders DB (Postgres)'s resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Orders DB (Postgres); cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Algorithmic complexity attack
Medium STRIDE Β· Denial of Service Β· Orders DB (Postgres) (database) CWE-400
β–Ό
CVSS 3.1 7.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Orders DB (Postgres) (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Orders DB (Postgres)'s resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Orders DB (Postgres); cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Insufficient audit logging
Medium STRIDE Β· Repudiation Β· Web Frontend (webapp) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Critical user actions cannot be reliably attributed after the fact.

βš”οΈAttack scenario

  1. User performs a sensitive action through Web Frontend (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Verbose error messages / stack traces
Medium STRIDE Β· Information Disclosure Β· Web Frontend (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Error responses leak implementation details to attackers.

βš”οΈAttack scenario

  1. Attacker reaches Web Frontend via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Resource exhaustion via unbounded input
Medium STRIDE Β· Denial of Service Β· Web Frontend (webapp) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Large payloads or unbounded loops exhaust CPU/memory.

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Web Frontend (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Web Frontend's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Web Frontend; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Algorithmic complexity attack
Medium STRIDE Β· Denial of Service Β· Web Frontend (webapp) CWE-400
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Crafted inputs trigger worst-case algorithm behavior (e.g., regex DoS).

βš”οΈAttack scenario

  1. Attacker identifies a costly operation in Web Frontend (regex matching, file generation, expensive query, large allocation).
  2. Issues many concurrent requests targeting that operation, or a single request with pathological input.
  3. Web Frontend's resources (CPU, memory, connections, disk) saturate or exhaust.
  4. Legitimate users can no longer reach Web Frontend; cascading failure may take down dependents.

πŸ›‘How to mitigate

preventive
Apply input limits at the edge
Maximum request size, body depth, array length, and string length. Reject early β€” before parsing or business logic runs.
preventive
Rate-limit per principal and per resource
Token bucket per authenticated user AND per costly endpoint. Adaptive throttling on saturation.
corrective
Set hard timeouts on outbound calls
No call (DB, downstream service, third-party API) should be able to hang the request handler indefinitely. Use circuit breakers and bulkheads.
Missing function-level access control
Critical OWASP TOP 10 Β· A01 Broken Access Control Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Admin endpoints accessible to low-privilege users.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A01 Broken Access Control).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Sensitive data stored in plaintext
Critical OWASP TOP 10 Β· A02 Cryptographic Failures Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

PII or passwords stored without encryption.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
SQL injection via unsanitised input
Critical OWASP TOP 10 Β· A03 Injection Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Attacker manipulates SQL queries.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Command injection via shell execution
Critical OWASP TOP 10 Β· A03 Injection Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

User input passed to OS shell.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Default credentials left on service
Critical OWASP TOP 10 Β· A05 Security Misconfiguration Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Admin password left at factory default.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Weak or absent MFA on privileged accounts
Critical OWASP TOP 10 Β· A07 Authentication Failures Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Admin accounts authenticated by password only.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A07 Authentication Failures).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
SSRF via user-supplied URL parameter
Critical OWASP TOP 10 Β· A10 Server-Side Request Forgery Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Attacker makes server fetch internal metadata endpoints.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A10 Server-Side Request Forgery).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Missing function-level access control
Critical OWASP TOP 10 Β· A01 Broken Access Control Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Admin endpoints accessible to low-privilege users.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A01 Broken Access Control).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Sensitive data stored in plaintext
Critical OWASP TOP 10 Β· A02 Cryptographic Failures Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

PII or passwords stored without encryption.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
SQL injection via unsanitised input
Critical OWASP TOP 10 Β· A03 Injection Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Attacker manipulates SQL queries.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Command injection via shell execution
Critical OWASP TOP 10 Β· A03 Injection Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

User input passed to OS shell.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Default credentials left on service
Critical OWASP TOP 10 Β· A05 Security Misconfiguration Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Admin password left at factory default.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Weak or absent MFA on privileged accounts
Critical OWASP TOP 10 Β· A07 Authentication Failures Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Admin accounts authenticated by password only.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A07 Authentication Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
SSRF via user-supplied URL parameter
Critical OWASP TOP 10 Β· A10 Server-Side Request Forgery Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Attacker makes server fetch internal metadata endpoints.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A10 Server-Side Request Forgery).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Sensitive data stored in plaintext
Critical OWASP TOP 10 Β· A02 Cryptographic Failures Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

PII or passwords stored without encryption.

βš”οΈAttack scenario

  1. Attacker probes Orders DB (Postgres) via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (database).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
SQL injection via unsanitised input
Critical OWASP TOP 10 Β· A03 Injection Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Attacker manipulates SQL queries.

βš”οΈAttack scenario

  1. Attacker probes Orders DB (Postgres) via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (database).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Command injection via shell execution
Critical OWASP TOP 10 Β· A03 Injection Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

User input passed to OS shell.

βš”οΈAttack scenario

  1. Attacker probes Orders DB (Postgres) via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (database).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Default credentials left on service
Critical OWASP TOP 10 Β· A05 Security Misconfiguration Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Admin password left at factory default.

βš”οΈAttack scenario

  1. Attacker probes Orders DB (Postgres) via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (database).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Missing function-level access control
Critical OWASP TOP 10 Β· A01 Broken Access Control Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Admin endpoints accessible to low-privilege users.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A01 Broken Access Control).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Sensitive data stored in plaintext
Critical OWASP TOP 10 Β· A02 Cryptographic Failures Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

PII or passwords stored without encryption.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
SQL injection via unsanitised input
Critical OWASP TOP 10 Β· A03 Injection Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Attacker manipulates SQL queries.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Command injection via shell execution
Critical OWASP TOP 10 Β· A03 Injection Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

User input passed to OS shell.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A03 Injection).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Default credentials left on service
Critical OWASP TOP 10 Β· A05 Security Misconfiguration Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Admin password left at factory default.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Weak or absent MFA on privileged accounts
Critical OWASP TOP 10 Β· A07 Authentication Failures Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Admin accounts authenticated by password only.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A07 Authentication Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
SSRF via user-supplied URL parameter
Critical OWASP TOP 10 Β· A10 Server-Side Request Forgery Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=9, R=8, E=9, A=9, D=9 Β· 44/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Attacker makes server fetch internal metadata endpoints.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A10 Server-Side Request Forgery).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Insecure Direct Object Reference (IDOR)
High OWASP TOP 10 Β· A01 Broken Access Control Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

User accesses other users data by modifying IDs.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A01 Broken Access Control).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Cleartext transmission of credentials
High OWASP TOP 10 Β· A02 Cryptographic Failures Β· API Gateway (api) CWE-319
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Passwords transmitted over HTTP.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
No rate limiting on login endpoint
High OWASP TOP 10 Β· A07 Authentication Failures Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Brute-force and credential stuffing possible.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A07 Authentication Failures).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unauthenticated flow: Mobile App β†’ API Gateway
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unauthenticated flow: Web Frontend β†’ API Gateway
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Web Frontend β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unauthenticated flow: Admin Portal β†’ API Gateway
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Admin Portal β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Insecure Direct Object Reference (IDOR)
High OWASP TOP 10 Β· A01 Broken Access Control Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

User accesses other users data by modifying IDs.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A01 Broken Access Control).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Cleartext transmission of credentials
High OWASP TOP 10 Β· A02 Cryptographic Failures Β· Admin Portal (webapp) CWE-319
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Passwords transmitted over HTTP.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
No rate limiting on login endpoint
High OWASP TOP 10 Β· A07 Authentication Failures Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Brute-force and credential stuffing possible.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A07 Authentication Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unauthenticated flow: API Gateway β†’ Auth Service
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· Auth Service (service) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Auth Service (service).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Auth Service (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Auth Service processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Cleartext transmission of credentials
High OWASP TOP 10 Β· A02 Cryptographic Failures Β· Orders DB (Postgres) (database) CWE-319
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Passwords transmitted over HTTP.

βš”οΈAttack scenario

  1. Attacker probes Orders DB (Postgres) via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (database).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unencrypted flow: Orders Service β†’ Orders DB (Postgres)
High OWASP TOP 10 Β· Disclosure of information Β· Orders DB (Postgres) (database) CWE-319
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=7, D=8 Β· 36/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Data flow '' uses TCP without encryption.

βš”οΈAttack scenario

  1. Attacker gains read access to the network path (sniffing on shared LAN, compromised router, hostile cloud tenant, malicious admin).
  2. Captures cleartext traffic on the TCP channel.
  3. Extracts credentials, session tokens, PII, or business secrets from packet captures.
  4. Uses the credentials to impersonate Orders DB (Postgres) or the calling component, or sells/leaks the captured data.

πŸ›‘How to mitigate

preventive
Enable TLS 1.3 (or 1.2 with strong ciphers) on the flow
Replace plain TCP with its TLS variant. For databases use TLS-enabled drivers; for queues like AMQP/Kafka, configure broker certs and require client TLS.
preventive
Enforce certificate validation
Verify hostname, validate the chain to a known CA, pin certificates or use a private CA for internal services. Disable cipher fallbacks to NULL/EXPORT/RC4.
detective
Scan for cleartext fallbacks
Add a network-policy / NetworkPolicy / security-group rule that drops any traffic on the cleartext port. Alert if it ever fires.
Unauthenticated flow: Orders Service β†’ Orders DB (Postgres)
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· Orders DB (Postgres) (database) CWE-306
β–Ό
CVSS 3.1 6.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=7, D=8 Β· 36/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Orders DB (Postgres) (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Orders DB (Postgres) processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unencrypted flow: API Gateway β†’ Orders Service
High OWASP TOP 10 Β· Disclosure of information Β· Orders Service (service) CWE-319
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=5, D=8 Β· 34/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).

πŸ“Description

Data flow '' uses HTTP without encryption.

βš”οΈAttack scenario

  1. Attacker gains read access to the network path (sniffing on shared LAN, compromised router, hostile cloud tenant, malicious admin).
  2. Captures cleartext traffic on the HTTP channel.
  3. Extracts credentials, session tokens, PII, or business secrets from packet captures.
  4. Uses the credentials to impersonate Orders Service or the calling component, or sells/leaks the captured data.

πŸ›‘How to mitigate

preventive
Enable TLS 1.3 (or 1.2 with strong ciphers) on the flow
Replace plain HTTP with its TLS variant. For databases use TLS-enabled drivers; for queues like AMQP/Kafka, configure broker certs and require client TLS.
preventive
Enforce certificate validation
Verify hostname, validate the chain to a known CA, pin certificates or use a private CA for internal services. Disable cipher fallbacks to NULL/EXPORT/RC4.
detective
Scan for cleartext fallbacks
Add a network-policy / NetworkPolicy / security-group rule that drops any traffic on the cleartext port. Alert if it ever fires.
Unauthenticated flow: API Gateway β†’ Orders Service
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· Orders Service (service) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=5, D=8 Β· 34/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Orders Service (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Orders Service processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unauthenticated flow: Orders Service β†’ Payment Provider
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· Payment Provider (external) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Payment Provider (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Payment Provider (external).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Payment Provider (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Payment Provider processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Insecure Direct Object Reference (IDOR)
High OWASP TOP 10 Β· A01 Broken Access Control Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

User accesses other users data by modifying IDs.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A01 Broken Access Control).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Cleartext transmission of credentials
High OWASP TOP 10 Β· A02 Cryptographic Failures Β· Web Frontend (webapp) CWE-319
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Passwords transmitted over HTTP.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A02 Cryptographic Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
No rate limiting on login endpoint
High OWASP TOP 10 Β· A07 Authentication Failures Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Brute-force and credential stuffing possible.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A07 Authentication Failures).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unauthenticated flow: Customer Browser β†’ Web Frontend
High OWASP TOP 10 Β· Stage 3 β€” Application Decomposition Β· Web Frontend (webapp) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Web Frontend (webapp).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Web Frontend (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Web Frontend processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Missing security headers
Medium OWASP TOP 10 Β· A05 Security Misconfiguration Β· API Gateway (api) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

CSP, X-Frame-Options, HSTS absent.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Missing security headers
Medium OWASP TOP 10 Β· A05 Security Misconfiguration Β· Admin Portal (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

CSP, X-Frame-Options, HSTS absent.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Missing security headers
Medium OWASP TOP 10 Β· A05 Security Misconfiguration Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

CSP, X-Frame-Options, HSTS absent.

βš”οΈAttack scenario

  1. Attacker probes Orders DB (Postgres) via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (database).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Missing security headers
Medium OWASP TOP 10 Β· A05 Security Misconfiguration Β· Web Frontend (webapp) CWE-20
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

CSP, X-Frame-Options, HSTS absent.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (A05 Security Misconfiguration).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Third-party data leakage
High LINDDUN Β· Disclosure of information Β· API Gateway (api) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

PII shared with analytics/ad SDKs without consent.

βš”οΈAttack scenario

  1. Attacker reaches API Gateway via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For api, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· API Gateway (api) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unauthenticated flow: Mobile App β†’ API Gateway
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unauthenticated flow: Web Frontend β†’ API Gateway
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Web Frontend β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Unauthenticated flow: Admin Portal β†’ API Gateway
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· API Gateway (api) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Admin Portal β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is API Gateway (api).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at API Gateway (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. API Gateway processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Cross-boundary PII transfer: Mobile App β†’ API Gateway
High LINDDUN · Disclosure of information · API Gateway (api) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Mobile App β†’ API Gateway (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is API Gateway (api).

πŸ“Description

Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).

βš”οΈAttack scenario

  1. Attacker reaches API Gateway via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For api, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Third-party data leakage
High LINDDUN Β· Disclosure of information Β· Admin Portal (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

PII shared with analytics/ad SDKs without consent.

βš”οΈAttack scenario

  1. Attacker reaches Admin Portal via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Admin Portal (webapp) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Auth Service (service) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Auth Service (service).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Auth Service via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (service).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Auth Service. Review applicability of OWASP ASVS controls for service components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unauthenticated flow: API Gateway β†’ Auth Service
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· Auth Service (service) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Auth Service (service).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Auth Service (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Auth Service processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Cross-boundary PII transfer: API Gateway β†’ Auth Service
High LINDDUN · Disclosure of information · Auth Service (service) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=7, D=8 Β· 35/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Auth Service (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Auth Service (service).

πŸ“Description

Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).

βš”οΈAttack scenario

  1. Attacker reaches Auth Service via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For service, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Customer Browser (user) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Customer Browser (user).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Customer Browser via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (user).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Customer Browser. Review applicability of OWASP ASVS controls for user components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Mobile App (user) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Mobile App (user).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Mobile App via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (user).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Mobile App. Review applicability of OWASP ASVS controls for user components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Re-identification of anonymized data
High LINDDUN Β· Identifiability Β· Orders DB (Postgres) (database) CWE-359
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Quasi-identifiers (zip, DOB, gender) re-identify users in 'anonymous' exports.

βš”οΈAttack scenario

  1. Attacker collects records emitted by Orders DB (Postgres) (logs, events, telemetry, public outputs).
  2. Uses quasi-identifiers (timestamps, IPs, device fingerprints, behavioral patterns) to link multiple records to the same individual.
  3. Builds a behavior profile that reveals identity even though no single record contains an explicit identifier.
  4. Privacy violation β€” re-identification, surveillance, or unauthorized profiling.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Third-party data leakage
High LINDDUN Β· Disclosure of information Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

PII shared with analytics/ad SDKs without consent.

βš”οΈAttack scenario

  1. Attacker reaches Orders DB (Postgres) via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For database, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Orders DB (Postgres) (database) CWE-778
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Orders DB (Postgres) via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (database).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unencrypted flow: Orders Service β†’ Orders DB (Postgres)
High LINDDUN Β· Disclosure of information Β· Orders DB (Postgres) (database) CWE-319
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=7, D=8 Β· 36/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Data flow '' uses TCP without encryption.

βš”οΈAttack scenario

  1. Attacker gains read access to the network path (sniffing on shared LAN, compromised router, hostile cloud tenant, malicious admin).
  2. Captures cleartext traffic on the TCP channel.
  3. Extracts credentials, session tokens, PII, or business secrets from packet captures.
  4. Uses the credentials to impersonate Orders DB (Postgres) or the calling component, or sells/leaks the captured data.

πŸ›‘How to mitigate

preventive
Enable TLS 1.3 (or 1.2 with strong ciphers) on the flow
Replace plain TCP with its TLS variant. For databases use TLS-enabled drivers; for queues like AMQP/Kafka, configure broker certs and require client TLS.
preventive
Enforce certificate validation
Verify hostname, validate the chain to a known CA, pin certificates or use a private CA for internal services. Disable cipher fallbacks to NULL/EXPORT/RC4.
detective
Scan for cleartext fallbacks
Add a network-policy / NetworkPolicy / security-group rule that drops any traffic on the cleartext port. Alert if it ever fires.
Unauthenticated flow: Orders Service β†’ Orders DB (Postgres)
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· Orders DB (Postgres) (database) CWE-306
β–Ό
CVSS 3.1 6.3
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=7, D=8 Β· 36/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no). The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Orders DB (Postgres) (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Orders DB (Postgres) processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Cross-boundary PII transfer: Orders Service β†’ Orders DB (Postgres)
High LINDDUN · Disclosure of information · Orders DB (Postgres) (database) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 6.8
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 5.8
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=8, A=9, D=9 Β· 39/50
Boundary crossing: Application tier β†’ Data tier

πŸ“Where the threat exists

On the data flow Orders Service β†’ Orders DB (Postgres) (label: *β€”*, protocol: TCP, auth: none, encrypted: no), crossing the trust boundary from Application tier into Data tier. The receiving component is Orders DB (Postgres) (database).

πŸ“Description

Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).

βš”οΈAttack scenario

  1. Attacker reaches Orders DB (Postgres) via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For database, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Orders Service (service) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Orders Service (service).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Orders Service via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (service).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders Service. Review applicability of OWASP ASVS controls for service components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unencrypted flow: API Gateway β†’ Orders Service
High LINDDUN Β· Disclosure of information Β· Orders Service (service) CWE-319
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=5, D=8 Β· 34/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).

πŸ“Description

Data flow '' uses HTTP without encryption.

βš”οΈAttack scenario

  1. Attacker gains read access to the network path (sniffing on shared LAN, compromised router, hostile cloud tenant, malicious admin).
  2. Captures cleartext traffic on the HTTP channel.
  3. Extracts credentials, session tokens, PII, or business secrets from packet captures.
  4. Uses the credentials to impersonate Orders Service or the calling component, or sells/leaks the captured data.

πŸ›‘How to mitigate

preventive
Enable TLS 1.3 (or 1.2 with strong ciphers) on the flow
Replace plain HTTP with its TLS variant. For databases use TLS-enabled drivers; for queues like AMQP/Kafka, configure broker certs and require client TLS.
preventive
Enforce certificate validation
Verify hostname, validate the chain to a known CA, pin certificates or use a private CA for internal services. Disable cipher fallbacks to NULL/EXPORT/RC4.
detective
Scan for cleartext fallbacks
Add a network-policy / NetworkPolicy / security-group rule that drops any traffic on the cleartext port. Alert if it ever fires.
Unauthenticated flow: API Gateway β†’ Orders Service
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· Orders Service (service) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=8, A=5, D=8 Β· 34/50

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no). The receiving component is Orders Service (service).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Orders Service (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Orders Service processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Cross-boundary PII transfer: API Gateway β†’ Orders Service
High LINDDUN · Disclosure of information · Orders Service (service) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=8, A=7, D=9 Β· 37/50
Boundary crossing: DMZ (public-facing) β†’ Application tier

πŸ“Where the threat exists

On the data flow API Gateway β†’ Orders Service (label: *β€”*, protocol: HTTP, auth: none, encrypted: no), crossing the trust boundary from DMZ (public-facing) into Application tier. The receiving component is Orders Service (service).

πŸ“Description

Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).

βš”οΈAttack scenario

  1. Attacker reaches Orders Service via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For service, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Payment Provider (external) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

Within component Payment Provider (external).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Payment Provider via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (external).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Payment Provider. Review applicability of OWASP ASVS controls for external components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unauthenticated flow: Orders Service β†’ Payment Provider
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· Payment Provider (external) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=5, D=7 Β· 32/50

πŸ“Where the threat exists

On the data flow Orders Service β†’ Payment Provider (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Payment Provider (external).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Payment Provider (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Payment Provider processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Third-party data leakage
High LINDDUN Β· Disclosure of information Β· Web Frontend (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

PII shared with analytics/ad SDKs without consent.

βš”οΈAttack scenario

  1. Attacker reaches Web Frontend via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
GDPR / CCPA / HIPAA gaps
High LINDDUN Β· Non-compliance Β· Web Frontend (webapp) CWE-778
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Missing DSAR handling, retention policies, or data residency controls.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (Non-compliance).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Unauthenticated flow: Customer Browser β†’ Web Frontend
High LINDDUN Β· Stage 3 β€” Application Decomposition Β· Web Frontend (webapp) CWE-306
β–Ό
CVSS 3.1 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=7, R=6, E=7, A=7, D=7 Β· 34/50

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes). The receiving component is Web Frontend (webapp).

πŸ“Description

Data flow has no authentication mechanism declared.

βš”οΈAttack scenario

  1. Attacker discovers the endpoint at Web Frontend (port scan, leaked config, error messages, or DNS enumeration).
  2. Sends requests directly without any credentials, since the flow does not require authentication.
  3. Web Frontend processes the request as if it came from a trusted caller and returns data or executes the action.
  4. Attacker enumerates data, modifies records, or chains to other internal services from this entry point.

πŸ›‘How to mitigate

preventive
Require an authentication mechanism on every external-facing flow
Bearer tokens (OAuth2/OIDC) for human-driven calls, mutual TLS or signed JWT for service-to-service. Block requests that arrive without credentials at the gateway, before they reach the application.
preventive
Reject anonymous traffic at the receiver as well
Defense in depth: even if the gateway rule fails, the receiving component should reject any request lacking a valid principal.
detective
Rate-limit unauthenticated probes
Apply a low-tolerance rate limit to requests that lack credentials (5/min per source IP) and alert on sustained failures.
Cross-boundary PII transfer: Customer Browser β†’ Web Frontend
High LINDDUN · Disclosure of information · Web Frontend (webapp) CWE-200 ⚑ cross-zone
β–Ό
CVSS 3.1 8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 8.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N
DREAD: D=7, R=6, E=7, A=9, D=8 Β· 37/50
Boundary crossing: Internet β†’ DMZ (public-facing)

πŸ“Where the threat exists

On the data flow Customer Browser β†’ Web Frontend (label: *β€”*, protocol: HTTPS, auth: none, encrypted: yes), crossing the trust boundary from Internet into DMZ (public-facing). The receiving component is Web Frontend (webapp).

πŸ“Description

Personal data crossing trust boundaries triggers data-protection obligations (purpose, consent, residency, processor agreements).

βš”οΈAttack scenario

  1. Attacker reaches Web Frontend via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Cross-service user linkability
Medium LINDDUN Β· Linkability Β· API Gateway (api) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Identifiers (emails, device IDs) let separate datasets be joined to profile a user.

βš”οΈAttack scenario

  1. Attacker collects records emitted by API Gateway (logs, events, telemetry, public outputs).
  2. Uses quasi-identifiers (timestamps, IPs, device fingerprints, behavioral patterns) to link multiple records to the same individual.
  3. Builds a behavior profile that reveals identity even though no single record contains an explicit identifier.
  4. Privacy violation β€” re-identification, surveillance, or unauthorized profiling.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Account enumeration via differential responses
Medium LINDDUN Β· Detectability Β· API Gateway (api) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Login / signup / password reset reveal whether an account exists.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (Detectability).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Excessive data collection
Medium LINDDUN Β· Disclosure of information Β· API Gateway (api) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

System collects more PII than needed for its purpose.

βš”οΈAttack scenario

  1. Attacker reaches API Gateway via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For api, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Lack of transparent privacy notice
Medium LINDDUN Β· Unawareness Β· API Gateway (api) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

Users don't know what data is collected or for what purpose.

βš”οΈAttack scenario

  1. Attacker probes API Gateway via reachable inputs.
  2. Identifies the weakness named by this threat (Unawareness).
  3. Crafts an exploit specific to the affected component type (api).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around API Gateway. Review applicability of OWASP ASVS controls for api components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Cross-service user linkability
Medium LINDDUN Β· Linkability Β· Admin Portal (webapp) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Identifiers (emails, device IDs) let separate datasets be joined to profile a user.

βš”οΈAttack scenario

  1. Attacker collects records emitted by Admin Portal (logs, events, telemetry, public outputs).
  2. Uses quasi-identifiers (timestamps, IPs, device fingerprints, behavioral patterns) to link multiple records to the same individual.
  3. Builds a behavior profile that reveals identity even though no single record contains an explicit identifier.
  4. Privacy violation β€” re-identification, surveillance, or unauthorized profiling.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Account enumeration via differential responses
Medium LINDDUN Β· Detectability Β· Admin Portal (webapp) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Login / signup / password reset reveal whether an account exists.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (Detectability).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Excessive data collection
Medium LINDDUN Β· Disclosure of information Β· Admin Portal (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

System collects more PII than needed for its purpose.

βš”οΈAttack scenario

  1. Attacker reaches Admin Portal via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Lack of transparent privacy notice
Medium LINDDUN Β· Unawareness Β· Admin Portal (webapp) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

Users don't know what data is collected or for what purpose.

βš”οΈAttack scenario

  1. Attacker probes Admin Portal via reachable inputs.
  2. Identifies the weakness named by this threat (Unawareness).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Admin Portal. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Cross-service user linkability
Medium LINDDUN Β· Linkability Β· Orders DB (Postgres) (database) CWE-359
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 2.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

Identifiers (emails, device IDs) let separate datasets be joined to profile a user.

βš”οΈAttack scenario

  1. Attacker collects records emitted by Orders DB (Postgres) (logs, events, telemetry, public outputs).
  2. Uses quasi-identifiers (timestamps, IPs, device fingerprints, behavioral patterns) to link multiple records to the same individual.
  3. Builds a behavior profile that reveals identity even though no single record contains an explicit identifier.
  4. Privacy violation β€” re-identification, surveillance, or unauthorized profiling.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Orders DB (Postgres). Review applicability of OWASP ASVS controls for database components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Excessive data collection
Medium LINDDUN Β· Disclosure of information Β· Orders DB (Postgres) (database) CWE-200
β–Ό
CVSS 3.1 5.7
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 5.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Orders DB (Postgres) (database).

πŸ“Description

System collects more PII than needed for its purpose.

βš”οΈAttack scenario

  1. Attacker reaches Orders DB (Postgres) via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For database, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Cross-service user linkability
Medium LINDDUN Β· Linkability Β· Web Frontend (webapp) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Identifiers (emails, device IDs) let separate datasets be joined to profile a user.

βš”οΈAttack scenario

  1. Attacker collects records emitted by Web Frontend (logs, events, telemetry, public outputs).
  2. Uses quasi-identifiers (timestamps, IPs, device fingerprints, behavioral patterns) to link multiple records to the same individual.
  3. Builds a behavior profile that reveals identity even though no single record contains an explicit identifier.
  4. Privacy violation β€” re-identification, surveillance, or unauthorized profiling.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Account enumeration via differential responses
Medium LINDDUN Β· Detectability Β· Web Frontend (webapp) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Login / signup / password reset reveal whether an account exists.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (Detectability).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Excessive data collection
Medium LINDDUN Β· Disclosure of information Β· Web Frontend (webapp) CWE-200
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

System collects more PII than needed for its purpose.

βš”οΈAttack scenario

  1. Attacker reaches Web Frontend via a legitimate or guessable channel.
  2. Triggers an error, edge case, or verbose endpoint that returns more information than necessary (stack traces, internal IDs, debug data, full PII fields).
  3. Aggregates leaked information from multiple requests to build a profile of the system or its users.
  4. Uses the harvested information to plan a targeted attack, reset accounts, or commit fraud.

πŸ›‘How to mitigate

preventive
Apply field-level access control on responses
The data layer enforces what the calling principal is allowed to see. Don't rely on the UI to hide fields.
preventive
Strip debug detail from error responses
Production responses return a stable error code and a correlation ID. Stack traces, SQL errors, and internal IDs go to logs only.
preventive
Encrypt data at rest with key separation
For webapp, enable storage-level encryption with a CMK distinct from the encryption-at-rest key for adjacent stores. Rotate annually.
Lack of transparent privacy notice
Medium LINDDUN Β· Unawareness Β· Web Frontend (webapp) CWE-359
β–Ό
CVSS 3.1 0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS 4.0 5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
DREAD: D=5, R=4, E=5, A=5, D=5 Β· 24/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

Users don't know what data is collected or for what purpose.

βš”οΈAttack scenario

  1. Attacker probes Web Frontend via reachable inputs.
  2. Identifies the weakness named by this threat (Unawareness).
  3. Crafts an exploit specific to the affected component type (webapp).
  4. Successful exploitation leads to the impact described β€” loss of confidentiality, integrity, availability, or privacy.

πŸ›‘How to mitigate

preventive
Apply defense-in-depth controls
Layer authentication, authorization, validation, and monitoring around Web Frontend. Review applicability of OWASP ASVS controls for webapp components.
detective
Add monitoring for the threat indicators
Define detection signals for this threat and forward to your SIEM. Set thresholds based on baseline traffic.
Forced attribution of sensitive actions
Low LINDDUN Β· Non-repudiation Β· API Gateway (api) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=3, R=2, E=3, A=3, D=3 Β· 14/50

πŸ“Where the threat exists

Within component API Gateway (api).

πŸ“Description

User cannot deny a sensitive action even when they should have plausible deniability.

βš”οΈAttack scenario

  1. User performs a sensitive action through API Gateway (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Forced attribution of sensitive actions
Low LINDDUN Β· Non-repudiation Β· Admin Portal (webapp) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=3, R=2, E=3, A=3, D=3 Β· 14/50

πŸ“Where the threat exists

Within component Admin Portal (webapp).

πŸ“Description

User cannot deny a sensitive action even when they should have plausible deniability.

βš”οΈAttack scenario

  1. User performs a sensitive action through Admin Portal (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.
Forced attribution of sensitive actions
Low LINDDUN Β· Non-repudiation Β· Web Frontend (webapp) CWE-778
β–Ό
CVSS 3.1 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0 7.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
DREAD: D=3, R=2, E=3, A=3, D=3 Β· 14/50

πŸ“Where the threat exists

Within component Web Frontend (webapp).

πŸ“Description

User cannot deny a sensitive action even when they should have plausible deniability.

βš”οΈAttack scenario

  1. User performs a sensitive action through Web Frontend (a transfer, a permission change, a deletion).
  2. Audit logs are absent, incomplete, or modifiable by the same principal who performed the action.
  3. User later denies having performed the action, or an attacker covers their tracks.
  4. Without tamper-evident logs, neither responsible party can be identified β€” leading to fraud, dispute, or regulatory exposure.

πŸ›‘How to mitigate

detective
Emit tamper-evident audit logs
Sign log entries (HMAC chain, hash-linked) so insertion or deletion is detectable. Forward to a separate, append-only system the action's principal cannot administer.
detective
Capture sufficient detail per audit event
Who (authenticated principal, not just session ID), what (specific action and target), when (UTC, monotonic-clock-corroborated), where (source IP, request ID), why (correlated to the upstream business event).
detective
Periodic log integrity verification
Schedule daily integrity checks on the audit log chain. Alert on any gap.