Threat Modelling and Analysis of Web Application Attacks
Date: 2018-12-12
Authors: Awojana, Tolulope Bukola
Publisher: East Carolina University
Abstract
There has been a rapid growth in the use of the Internet over the years, with billions of businesses using it as a means of communication. The World Wide Web has served as the major tool for disseminating information, which has resulted in the development of an architecture for information sharing between remotely connected clients. A web application is a computer program that runs on web technologies and browsers to carry out tasks over the Internet. In designing a secure web application, it is essential to assess and model the viable threats. Threat modelling is a process used to improve application security by identifying threats and vulnerabilities and outlining mitigation measures to prevent or eliminate the effect of threats on a system. With the constant increase in the number of attacks on web applications, it has become essential to continually improve the existing threat models so as to raise the security posture of web applications, supporting proactive and strategic goals in operational and application security. In this thesis, three different threat models (STRIDE, Kill Chain and Attack Tree) were simulated and analyzed for SQL injection and Cross-Site Scripting attacks using the Microsoft SDL threat modelling tool, the Trike modelling tool and the SeaMonster modelling tool respectively. This study would be useful for future research in developing a new and more efficient threat model based on the existing ones; it would also help organizations determine which of the models used in this research is best suited to their security framework. The objective of this thesis is to analyze the three commonly used models, examine the strengths and weaknesses discovered during the simulation, and compare their performances.