Arc XP Risk Assessment Methodology

Cybersecurity is a critical concern for the Arc XP team. With the increase in the number and complexity of cyber attacks, it is essential to have a comprehensive understanding of the risks and vulnerabilities associated with systems and applications. This document outlines the DREAD.2 methodology that the Arc XP security team uses for assessing the likelihood and impact of potential risks, providing a framework for prioritizing and mitigating those risks.

As a customer of Arc XP, you can use the same to ensure a structured and systematic approach to risk assessment that helps you to identify and address potential vulnerabilities in your code and services running on the Arc XP platform. This methodology can help you to better understand the risks associated with your Arc XP powered websites and to take proactive measures to minimize those risks.

Methodology Details

DREAD.2 is an evolution of the original DREAD threat-rating concept. It separates a risk into two categories, Impact and Likelihood, each made up of the factors below.

Impact is composed of the following factors: 

  • Confidentiality: What data can an attacker access? 

  • Integrity: What data can an attacker add, modify, or delete? 

  • Availability: What data or services can an attacker deny access to? 

  • Exposure: Does this vulnerability allow the application to be more easily exploited by other attacks? 

  • Affected Users: What user types or user groups does this vulnerability impact? 

Likelihood is composed of the following factors: 

  • Skill: How skillful must the attacker be to exploit this vulnerability? 

  • Complexity: What conditions are required? Does it require linking vulnerabilities? Do you need to be authenticated? 

  • Discoverability: How easy is it to discover the vulnerability?

  • Reproducibility: How consistently will this exploit work? 

When ranking a risk, each of these factors should have a written description and then can be rated High, Medium, or Low. To get an overall Severity, you can combine the ratings for Impact and Likelihood like this: 

Impact \ Likelihood   High                 Medium               Low
High                  Severity: Critical   Severity: High       Severity: Medium
Medium                Severity: High       Severity: Medium     Severity: Low
Low                   Severity: Medium     Severity: Low        Severity: Minimal

No formula is needed. This table makes it easy to cross-reference the two DREAD.2 categories and arrive at the overall Severity of the risk. Not only is it simple, but the results are also intuitively satisfying.
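The procedure above (write a description for every factor, rate Impact and Likelihood, then cross-reference them in the matrix) is small enough to encode as a risk-register helper. The following is an added example, not Arc XP code: it checks that every DREAD.2 factor has a written description before trusting the ratings, looks up Severity in the page's matrix, and orders a register of findings from most to least severe so they can be prioritised. The register entries are the four examples from this page with abridged, constructed descriptions; the function names and the per-factor note layout are this example's own assumptions, since the page prescribes no data format.

```python
"""Added example: DREAD.2 severity lookup plus a small risk register.

Not Arc XP code. Per-factor numeric scoring is deliberately absent because
DREAD.2 as described rates factors qualitatively and has the assessor state
an overall Impact and Likelihood rating, which the matrix then combines.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

RATINGS = ("Low", "Medium", "High")
IMPACT_FACTORS = ("Confidentiality", "Integrity", "Availability",
                  "Exposure", "Affected Users")
LIKELIHOOD_FACTORS = ("Skill", "Complexity", "Discoverability",
                      "Reproducibility")

# Severity matrix from the page: (Impact, Likelihood) -> Severity.
SEVERITY_MATRIX = {
    ("High", "High"): "Critical", ("High", "Medium"): "High",     ("High", "Low"): "Medium",
    ("Medium", "High"): "High",   ("Medium", "Medium"): "Medium", ("Medium", "Low"): "Low",
    ("Low", "High"): "Medium",    ("Low", "Medium"): "Low",       ("Low", "Low"): "Minimal",
}
SEVERITY_RANK = {"Minimal": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Assessment:
    title: str
    impact_rating: str
    likelihood_rating: str
    impact_notes: Dict[str, str]      # factor -> written description
    likelihood_notes: Dict[str, str]  # factor -> written description


def severity(impact: str, likelihood: str) -> str:
    """Cross-reference Impact and Likelihood in the DREAD.2 matrix."""
    if impact not in RATINGS or likelihood not in RATINGS:
        raise ValueError(f"ratings must be one of {RATINGS}")
    return SEVERITY_MATRIX[(impact, likelihood)]


def validate(a: Assessment) -> List[str]:
    """Every factor needs a written description; ratings must be High/Medium/Low."""
    problems = []
    for notes, expected in ((a.impact_notes, IMPACT_FACTORS),
                            (a.likelihood_notes, LIKELIHOOD_FACTORS)):
        for factor in expected:
            if not notes.get(factor, "").strip():
                problems.append(f"{a.title}: no description for {factor}")
    for label, rating in (("Impact", a.impact_rating),
                          ("Likelihood", a.likelihood_rating)):
        if rating not in RATINGS:
            problems.append(f"{a.title}: invalid {label} rating {rating!r}")
    return problems


def prioritise(register: List[Assessment]) -> List[Tuple[str, str]]:
    """Return (title, severity) pairs, most severe first. Rejects incomplete entries."""
    problems = [p for a in register for p in validate(a)]
    if problems:
        raise ValueError("; ".join(problems))
    scored = [(a.title, severity(a.impact_rating, a.likelihood_rating))
              for a in register]
    return sorted(scored, key=lambda ts: SEVERITY_RANK[ts[1]], reverse=True)


def _notes(factors, texts):
    return dict(zip(factors, texts))


# Constructed register: the page's four examples with abridged descriptions.
REGISTER = [
    Assessment("Missing X-Content-Type-Options", "Low", "Low",
               _notes(IMPACT_FACTORS, ["no data lost", "no integrity loss",
                                       "no availability loss",
                                       "raises XSS risk via MIME mismatch",
                                       "all users receiving responses"]),
               _notes(LIKELIHOOD_FACTORS, ["high: needs a chained exploit",
                                           "must be chained", "easily discovered",
                                           "100% reproducible"])),
    Assessment("Cross-Site Request Forgery", "High", "Low",
               _notes(IMPACT_FACTORS, ["no data accessed", "records deletable",
                                       "records deletable", "exposes users to CSRF",
                                       "all users; only admin attackable"]),
               _notes(LIKELIHOOD_FACTORS, ["moderate", "needs old browser/Flash",
                                           "moderately difficult", "not reproduced in test"])),
    Assessment("Horizontal Authorization Bypass", "High", "Medium",
               _notes(IMPACT_FACTORS, ["Folder user lists exposed",
                                       "template constraints modifiable",
                                       "no availability loss", "may affect launches",
                                       "administrators"]),
               _notes(LIKELIHOOD_FACTORS, ["low skill", "needs IDs, not private",
                                           "moderately difficult", "easily reproducible"])),
    Assessment("SQL Injection", "High", "High",
               _notes(IMPACT_FACTORS, ["full exfiltration", "total integrity loss",
                                       "database deletable", "more SQLi exposure",
                                       "all users"]),
               _notes(LIKELIHOOD_FACTORS, ["simple to moderate", "needs credentials",
                                           "simple to discover", "100% reproducible"])),
]

if __name__ == "__main__":
    for title, sev in prioritise(REGISTER):
        print(f"{sev:9} {title}")
```

Running the module prints the four findings in the order Critical, High, Medium, Minimal, matching the overall ratings given in the examples below. An entry with an empty factor description is rejected before scoring, which is the point of the "written description" step: a rating with no stated reasoning cannot be reviewed later.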

Examples

EXAMPLE #1. Missing Content Type No-sniff Header

Description: The application does not employ the X-Content-Type-Options header. This header is used to prevent browser MIME type sniffing and protect users from XSS and drive-by download attacks. 

IMPACT: LOW 

  • Confidentiality: There is no data lost due to this vulnerability. 

  • Integrity: There is no loss of data integrity due to this vulnerability. 

  • Availability: There is no loss of availability due to this vulnerability. 

  • Exposure: The application has an increased risk of a successful XSS attack through a browser content type mismatch. 

  • Affected Users: This affects all users that receive responses from the application. 

LIKELIHOOD: LOW 

  • Skill: Because a potential attacker would require another chained exploit, the required skill level is high. 

  • Complexity: This would not be easy to exploit given the requirement that it be chained with another exploit. 

  • Discoverability: This is easily discovered by any users of the application.

  • Reproducibility: This is 100% reproducible and recurring. 

OVERALL RATING: MINIMAL

EXAMPLE #2. Cross-Site Request Forgery 

Description: It is possible for an attacker to create a Portfolio, a Product, and an association between a Category and Product using Cross-Site Request Forgery (CSRF) attacks under certain conditions. An attacker can also delete a Category or Product with similar requests vulnerable to CSRF. This attack relies on a few conditions as well as some knowledge of resource identifiers and account IDs ahead of time, so the exploitability is lower than a typical CSRF attack. This attack hits a JSON endpoint, so it is additionally restricted to older browsers that don't support CORS.

IMPACT: HIGH 

  • Confidentiality: No data can be accessed through a CSRF attack.

  • Integrity: Categories, Products, and the links between them can be deleted.

  • Availability: Categories, Products, and the links between them can be deleted.

  • Exposure: This exposes the application and its users to the risk of CSRF attacks.

  • Affected Users: This affects all users of the system, but only the admin can be attacked. 

LIKELIHOOD: LOW 

  • Skill: The attacker would need to be moderately skilled to perform the attack. They would need to be able to discover the attack, know the conditions for exploitation, and be able to trick the admin into browsing to their attack site. 

  • Complexity: Difficult to exploit because it requires an old browser version or old Flash version. 

  • Discoverability: Moderately difficult to discover and requires manual assessment of the application. 

  • Reproducibility: Reproducible under the right conditions but was not possible during testing. 

OVERALL RATING: MEDIUM

EXAMPLE #3. Horizontal Authorization Bypass 

Description: The application does not have sufficient authorization controls for sensitive requests and actions. A malicious administrator can make unauthorized direct requests to the console that allow access or modification of resources belonging to another administrator, even though these requests do not fall within the scope of permissions belonging to the malicious administrator. This vulnerability is caused by the failure to verify whether the user associated with a request is authorized to access or modify such information. 

IMPACT: HIGH 

  • Confidentiality: Arbitrary Folder User lists are exposed.

  • Integrity: An attacker can arbitrarily modify Product Template Constraints.

  • Availability: There is no loss of availability due to this vulnerability. 

  • Exposure: Does not directly affect the availability of the application, though Product Template Constraints could be modified and those could affect the launching of products. 

  • Affected Users: Affects the application administrators, which in turn set policies for all users. 

LIKELIHOOD: MEDIUM 

  • Skill: The attacker does not need to be particularly skilled to perform this attack. 

  • Complexity: The exploit to modify Product Template Constraints requires knowledge of the product and template resource numbers. The exploit to read Folder users requires knowledge of the Folder ID. These identifiers are not considered to be private and may be obtainable elsewhere. 

  • Discoverability: Moderately difficult to discover and requires manual testing along with knowledge of another Folder ID or template resource number. 

  • Reproducibility: This issue is easily reproducible. 

OVERALL RATING: HIGH 

EXAMPLE #4. SQL Injection 

Description: The application has an SQL injection vulnerability in the web interface. This allows authenticated users to submit arbitrary SQL commands directly to the database to view, modify, delete, or add any data it contains and potentially to steal the entire contents of the database, including administrative usernames, passwords, and other sensitive information relevant to the application.

IMPACT: HIGH 

  • Confidentiality: Allows for a full system compromise and all of the data in the database can be exfiltrated. 

  • Integrity: Any data in the database can be inserted, modified, or deleted meaning there is a total loss of data integrity. 

  • Availability: The database can be deleted thereby denying access to its information and creating a total loss of availability. 

  • Exposure: This vulnerability increases the application's exposure to SQL injection attacks.

  • Affected Users: This affects all users of the application. 

LIKELIHOOD: HIGH 

  • Skill: This requires a simple to moderately skilled attacker in order to exploit. Tools can be used to reduce the level of skill required. 

  • Complexity: Credentials are required to access the vulnerable functionality. Data is returned as a result of the queries, which makes this exploit easier. 

  • Discoverability: This was a simple exploit to discover. Credentials are required for access to the functionality. 

  • Reproducibility: This is 100% reproducible and recurring. 

OVERALL RATING: CRITICAL