STRIDE threat modeling can be used to great effect to understand potential threats that may impact your application, system, IT landscape, or business process. Before you look at the STRIDE threat examples below, make sure you read the basics of STRIDE threats and what is threat modeling (only if you’re new to threat modeling).
Why are STRIDE threat examples helpful? These examples can help inspire you about the typical threats so that you can better think about potential threats that may impact your application, system, IT landscape, or business process.
Spoofing Threat Examples
Spoofing consists of pretending to be someone or something else. An attacker would use the ability to ‘be someone or something else’ to perform malicious actions that they should not be capable of, or as a stepping stone for further attack.
Spoofing | STRIDE threat examples:
- Sending an Email as another person or user
An attacker sends Emails as someone else in the context of an application, or as part of a business process. The Email contains a request to perform an action that the recipient may carry out.
- This threat is possible because there are insufficient checks to determine the identity of the user sending the Email.
- Recreating transactions and modifying transaction details
In a financial web application, an attacker can execute transactions on behalf of another user. The attacker is not able to control the entire transaction flow but can replay existing transactions and make minor changes.
- This threat is possible because not all transaction requests coming from the user of the web application are checked properly to determine whether the user has control of specified accounts.
- Interception of a username and password on the network
Application data is sent in clear text across an internal network, including the username and password when a user logs in. An attacker who can intercept internal network traffic can therefore also capture usernames and passwords, use them to log in to the application, and perform actions as the attacked user.
- This threat is possible because confidential username and password information is sent in cleartext rather than in encrypted form (i.e., over HTTP instead of HTTPS).
- Fake web login form to harvest usernames and passwords
An attacker creates a fake web login form that looks exactly like the target application. Subsequently, the attacker tricks application users into going to the fake web login form and harvests their usernames and passwords as they enter them.
- This threat is possible because the attacker is able to trick users into going to a fake web login form instead of the legitimate application login form.
Tampering Threat Examples
Tampering consists of modifying data when this should not be possible. This impacts the integrity of data.
Tampering | STRIDE threat examples:
- Direct access to a database through a management interface
An attacker gains access to a database through an exposed database management interface that uses default administrator credentials. The attacker uses the access to update data directly in the database. Applications using the database will therefore use tampered data.
- This threat is possible because a) a management interface is unnecessarily exposed and b) default administrator credentials are used.
- Updating data of other users in a health application
Users are able to change their own private data in a health application. But by manipulating the requests sent to the application, an attacker is also able to change the data of other users within the application. Thus, the data of users in the health application is tampered with.
- This threat is possible due to a lack of checks on requests from the user to determine whether the user is updating their own data or the data of other users.
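Both the transaction replay in the Spoofing section and the health-application update above have the same root cause: the server acts on a resource identifier taken from the request without checking that the logged-in user owns it. As an added example (not code from the article), here is a constructed health-record update handler in its vulnerable form beside the hardened form; the store, user names and field names are assumed for illustration:

```python
# Added example, not from the article. Constructed data: record id -> owner, content.
def sample_store() -> dict:
    return {
        "rec-1": {"owner": "alice", "blood_type": "A+"},
        "rec-2": {"owner": "bob", "blood_type": "O-"},
    }

class Forbidden(Exception):
    """Raised when a user tries to act on a resource they do not own."""

def update_record_vulnerable(store: dict, session_user: str, request: dict) -> dict:
    """Mirrors the threat: the record id from the request body is used as-is,
    so any logged-in user can change any other user's record; session_user is
    never consulted."""
    record = store[request["record_id"]]
    record["blood_type"] = request["blood_type"]
    return record

def update_record_hardened(store: dict, session_user: str, request: dict) -> dict:
    """Mitigation: ownership is checked against the identity established at
    login (session_user), not against anything the client sent. The same
    check applies to a transfer request that names a source account."""
    record = store.get(request["record_id"])
    # Treat "unknown id" and "not yours" the same, so the response does not
    # reveal which record ids exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not modify {request['record_id']}")
    record["blood_type"] = request["blood_type"]
    return record

def scenario() -> dict:
    """Run alice's attempt on bob's record against both handlers."""
    attack = {"record_id": "rec-2", "blood_type": "AB+"}
    weak, strong = sample_store(), sample_store()
    update_record_vulnerable(weak, "alice", attack)
    try:
        update_record_hardened(strong, "alice", attack)
        blocked = False
    except Forbidden:
        blocked = True
    return {
        "vulnerable_bob_record": weak["rec-2"]["blood_type"],  # "AB+": tampered
        "hardened_bob_record": strong["rec-2"]["blood_type"],  # "O-": unchanged
        "hardened_blocked": blocked,                           # True
    }
```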
- Tampering with a client onboarding business process
Within a client onboarding business process, a web Excel file is used to track the progress of the onboarding status including which security steps have been successfully completed, and which are still pending. The web Excel file is shared company-wide without restricting to only required employees. An internal employee (an internal attacker) could access the file and update entries – indicating that security steps have been completed whereas this is not the case.
- This threat is possible because the web Excel file is available to all employees instead of only required employees (which is a small group of authorized individuals).
- Payment details available to all employees
Within a payments business process, payment details are stored in an openly accessible shared directory. The payment details are contained in various files, invoices, and Excel sheets. Finance employees perform limited checks on payment details. An internal employee (an internal attacker) could tamper with the files and change payment details.
- This threat is possible because the payment details are available to all employees instead of only required employees. Further, the finance employees do not perform adequate checks of the data prior to processing.
Repudiation Threat Examples
Repudiation consists of somebody (such as a user in an application, or an employee in a business process) being able to deny that they performed an action, because it cannot be proven whether, or by whom, the action took place.
Repudiation | STRIDE threat examples:
- Not able to verify who created a transaction in a mobile banking app
In a mobile banking app, a user (and potentially an abuser or attacker) creates a transaction and sends money from one account to another. Afterward, the user claims that they did not create the transaction and that the money must have been sent by someone else. The owners of the app cannot prove which user created the transaction but can see the transaction itself.
- This threat is possible because the app does not register which user created the transaction and because no additional authentication is required upon creating the transaction.
- Unable to verify senders of messages in a Business to Business (B2B) social media application
In a Business to Business (B2B) social media application, it is possible to send messages between users and between businesses. An attacker sends many messages to lots of users and businesses with spam content, and without including their name or username details. The goal of the attacker is to confuse users of the B2B social media application. The application owners cannot determine who is sending the messages, and the attacker could deny they are the one sending the messages.
- This threat is possible because the application does not log which user sends messages.
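Both repudiation examples come down to the same gap: the system never records which authenticated user performed the action. The following added example (not from the article) is a constructed audit log that records the actor from the server-side session and hash-chains entries so that a later alteration is detectable; the user ids, account names and timestamps are invented:

```python
# Added example, not from the article. The acting user is taken from the
# server-side session, never from the request body, and entries are chained
# by SHA-256 so that a later edit or removal of an entry is detectable.
import hashlib
import json

GENESIS = "0" * 64  # "previous digest" of the first entry

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    def __init__(self) -> None:
        self.entries = []

    def record(self, session_user: str, action: str, details: dict, at: str) -> str:
        """Append an entry attributing `action` to session_user; returns its digest.
        `at` (ISO 8601) is passed in to keep the example deterministic."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "at": at, "actor": session_user,
                 "action": action, "details": details, "prev": prev}
        entry["digest"] = _digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    def verify(self) -> bool:
        """True if every digest matches its entry and every `prev` link holds.
        Caveat: this is tamper-evident only if the latest digest is also kept
        where the log writer cannot alter it (e.g. a separate append-only store)."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["prev"] != prev or _digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def actions_by(self, actor: str) -> list:
        """The question repudiation raises: what did this user do?"""
        return [e for e in self.entries if e["actor"] == actor]

def sample_log() -> AuditLog:
    """Constructed sample: two transfers and one message, each tied to an actor."""
    log = AuditLog()
    log.record("alice", "transfer", {"from": "acc-1", "to": "acc-9", "amount": 250}, "2024-05-01T09:00:00Z")
    log.record("bob", "message", {"to": "acme-corp", "chars": 140}, "2024-05-01T09:01:00Z")
    log.record("alice", "transfer", {"from": "acc-1", "to": "acc-4", "amount": 75}, "2024-05-01T09:02:00Z")
    return log
```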
Information Disclosure Threat Examples
Information Disclosure consists of gaining access to confidential information when this should not be possible.
Information Disclosure | STRIDE threat examples:
- Local government application has a well-known trick to view confidential information about private citizens
In a local government application, lots of confidential information about private citizens from the area is managed in a web application. The application is accessible to most local government officials, but there are controls to prevent access to the most confidential information. However, there is a well-known trick to see all information about private citizens without having the required access rights.
- This threat is possible because the application does not effectively restrict access based on having a specific role (which is only provided if there is a business need).
- Gaining administrator access
A hacker has infiltrated a company network by exploiting various weaknesses and is able to gain administrator privileges via Active Directory. As a result, the hacker is able to gain access to a wide variety of applications, databases, and file shares. The hacker has access to confidential business information and may share it with other (cyber) criminals.
- This threat is possible because the hacker was able to gain administrator access to the company network, through a series of weaknesses and vulnerabilities.
- Misconfigured S3 bucket exposes customer information
A company has recently set up an S3 bucket to host confidential business documents from their customers. However, the bucket has been misconfigured and is accessible from the internet without authentication and without having the right privileges. An attacker can view the S3 bucket files easily, just by knowing the bucket name.
- This threat is possible because the S3 bucket has been misconfigured. It should be configured to only be accessible by company applications.
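As an added example (not from the article, and not AWS's own tooling), the following check flags bucket-policy statements that grant access to everyone, and shows the weak policy beside the corrected one restricted to a single application role; the bucket name, account id and role name are placeholders:

```python
# Added example, not from the article and not AWS tooling. Flags bucket-policy
# statements open to everyone; bucket, account id and role names are placeholders.
import json

def principal_is_public(principal) -> bool:
    """The anonymous principal is "*" or {"AWS": "*"}; the AWS field may be a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to everyone with no Condition. A public
    principal *with* a Condition is not returned here but still needs manual
    review, because some conditions (e.g. on a request header) restrict little."""
    found = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given un-listed
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if principal_is_public(stmt.get("Principal")):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found

WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::placeholder-customer-docs/*"
  }]
}""")

# Corrected: only the application's IAM role may read; 123456789012 is a
# placeholder account id. Pair this with S3 Block Public Access at the account
# level so that a future policy edit cannot reopen the bucket.
CORRECTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/placeholder-app-role"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::placeholder-customer-docs/*"
  }]
}""")
```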
Denial of Service Threat Examples
Denial of Service consists of preventing a system from working and thus making it unavailable to legitimate users.
Denial of Service | STRIDE threat examples:
- Configuration page accessible online
An online web application that is accessible from the internet has a high availability requirement: it must be available to users at all times, otherwise the business will suffer. An attacker finds a configuration page online and can change the application’s settings. Changing some of the settings causes the application to crash. Thus, the application is made unavailable to its users.
- This threat is possible because the application has a configuration page accessible from the internet that can be used to change critical configuration settings.
- Chatbot abused with fake questions
A company has set up a helpdesk for its customers to call in case of issues with their service. The helpdesk also manages questions and queries from online chatbots. Attackers decide to send thousands of fake questions through automated scripts aimed at online chatbots. As a result, the helpdesk employees waste precious time sifting through the fake questions instead of answering real questions from real customers.
- This threat is possible because there is no check on the online chatbot to determine whether the user is a customer.
- AI feature abused with fake requests
A startup has created a new feature using AI. They’ve spent a great deal of money on launching and marketing the new feature. On launch day, everything seems to be going well because the new feature is being used heavily. In fact, things are going too well: the service can no longer accept new requests. On closer inspection, it turns out that the requests are all identical and come from an automated script using the same IP address.
- This threat is possible because the new AI feature uses a lot of computation power per request. There is purposefully no check to determine whether a request comes from a legitimate customer. This was decided upon to try and make the new feature open to everyone for marketing purposes.
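Both denial-of-service examples above are floods of automated requests from one source against an endpoint that accepts anyone. As an added example (not from the article), the following per-source token bucket gives each client a steady allowance and charges an expensive AI request more than a cheap chatbot question; the IP addresses, costs and request stream are constructed:

```python
# Added example, not from the article. Per-source token bucket: each client key
# (here the source IP) has a steady allowance, and an AI request costs more
# tokens than a plain chatbot question. Time is passed in explicitly so the
# run is deterministic; the request stream below is constructed.
class TokenBucketLimiter:
    def __init__(self, capacity: float, refill_per_second: float) -> None:
        self.capacity = capacity
        self.refill = refill_per_second
        self._buckets = {}  # client -> (tokens, time of last update)

    def allow(self, client: str, now: float, cost: float = 1.0) -> bool:
        """True if the client still has `cost` tokens at time `now`."""
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= cost:
            self._buckets[client] = (tokens - cost, now)
            return True
        self._buckets[client] = (tokens, now)  # a rejected request earns nothing
        return False

def replay(limiter: TokenBucketLimiter, requests) -> dict:
    """requests: (time, client, cost) tuples; returns {client: (allowed, rejected)}."""
    counts = {}
    for now, client, cost in sorted(requests):
        allowed, rejected = counts.get(client, (0, 0))
        if limiter.allow(client, now, cost):
            allowed += 1
        else:
            rejected += 1
        counts[client] = (allowed, rejected)
    return counts

AI_REQUEST_COST = 5.0  # one AI call is worth five ordinary chatbot questions

# Constructed stream (documentation IP ranges): a script hitting the AI feature
# 20 times in one second from one address, and a real customer making three
# calls spread over ten seconds.
SAMPLE_REQUESTS = (
    [(i * 0.05, "203.0.113.7", AI_REQUEST_COST) for i in range(20)]
    + [(t, "198.51.100.20", AI_REQUEST_COST) for t in (0.0, 5.0, 10.0)]
)

def demo() -> dict:
    """20 tokens per client refilling one per second: the script gets four
    calls through and is then throttled; the customer gets all three."""
    return replay(TokenBucketLimiter(capacity=20, refill_per_second=1.0), SAMPLE_REQUESTS)
```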
Elevation of Privilege Threat Examples
Elevation of privilege consists of gaining (higher) access privileges and using those privileges to perform unauthorized actions.
Elevation of privilege | STRIDE threat examples:
- Ability to assign administrator access
In an internal business application, used to monitor various internal business processes, users have a profile page where they can view and update their profile information and user-related parameters. One of the users notices that it’s possible to alter their user access rights to that of an administrator. With the administrator role, the user can perform many actions that are not possible with normal user access rights.
- This threat is possible because there is no limit on which users can alter the access rights of users within the application. Such an action should be reserved for privileged users (such as administrators).
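The profile-page threat above is a mass-assignment defect: the update handler copies every submitted field onto the user record, including the access-rights field. As an added example (not from the article), here is that handler in vulnerable and hardened form, with role changes moved to a separate privileged function; users, field names and roles are constructed:

```python
# Added example, not from the article. Users, field names and roles are constructed.
SELF_SERVICE_FIELDS = {"display_name", "email", "timezone"}

def sample_users() -> dict:
    return {
        "u1": {"display_name": "Dana", "email": "dana@example.com",
               "timezone": "UTC", "role": "user"},
        "u2": {"display_name": "Ops", "email": "ops@example.com",
               "timezone": "UTC", "role": "admin"},
    }

def update_profile_vulnerable(users: dict, session_user: str, form: dict) -> dict:
    """Mirrors the threat: every key in the form is written, "role" included."""
    users[session_user].update(form)
    return users[session_user]

def update_profile_hardened(users: dict, session_user: str, form: dict) -> tuple:
    """Writes only allowlisted fields; returns the record and the rejected keys,
    which are worth logging because they indicate a tampering attempt."""
    rejected = sorted(set(form) - SELF_SERVICE_FIELDS)
    for key in SELF_SERVICE_FIELDS & set(form):
        users[session_user][key] = form[key]
    return users[session_user], rejected

class NotAdmin(Exception):
    """Raised when a non-administrator tries to change access rights."""

def set_role(users: dict, session_user: str, target: str, role: str) -> dict:
    """Role changes are a privileged action, authorised on the caller's
    server-side role, never on anything carried in the request."""
    if users[session_user]["role"] != "admin":
        raise NotAdmin(f"{session_user} may not change roles")
    users[target]["role"] = role
    return users[target]

def scenario() -> dict:
    """A normal user submits the profile form with an extra "role" field."""
    attack = {"display_name": "Dana", "role": "admin"}
    weak, strong = sample_users(), sample_users()
    update_profile_vulnerable(weak, "u1", attack)
    _, rejected = update_profile_hardened(strong, "u1", attack)
    return {"vulnerable_role": weak["u1"]["role"],  # "admin": escalated
            "hardened_role": strong["u1"]["role"],  # "user": unchanged
            "rejected_fields": rejected}            # ["role"]
```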
- Gaining local administrator privileges on Windows
A company has many laptops with Windows installed on each laptop. Users are only given normal user privileges and not (local) administrator privileges. One of the company users reads about a way of exploiting Windows to gain local administrator privileges. That will allow the user to install more software that is currently not allowed.
- This threat is possible because of a vulnerability in Windows. The vulnerability is widely known and described on the internet. The company is slow to update its systems, so this vulnerability has not been patched.
STRIDE Threat Examples Conclusion
In this article, I provided lots of STRIDE threat examples that can help you in your STRIDE threat modeling activities.
Many non-security people (like developers, testers, Product Owners, etc.) struggle to think of relevant threats that could impact their application or IT. Having a list of STRIDE threat examples helps these people get into the right mindset.