{card?.suitName}
+{card?.desc}
+diff --git a/copi.owasp.org/lib/copi/migrations/card_migration.ex b/copi.owasp.org/lib/copi/migrations/card_migration.ex index dbf92b9f0..9f36b9abd 100644 --- a/copi.owasp.org/lib/copi/migrations/card_migration.ex +++ b/copi.owasp.org/lib/copi/migrations/card_migration.ex @@ -46,6 +46,29 @@ defmodule Copi.CardMigration do end + def update_card_urls(path) do + case YamlElixir.read_from_file(path) do + {:ok, cards} -> + edition = cards["meta"]["edition"] + language = cards["meta"]["language"] + version = cards["meta"]["version"] + for suit <- cards["suits"] do + for card <- suit["cards"] do + if Map.has_key?(card, "url") do + value = to_string(card["value"]) + existing_card = Repo.get_by(Card, category: suit["name"], value: value, edition: edition, language: language, version: version) + + if existing_card do + existing_card + |> Ecto.Changeset.change(url: card["url"]) + |> Repo.update!() + end + end + end + end + end + end + defp map_cards(path) do case YamlElixir.read_from_file(path) do {:ok, cards} -> diff --git a/copi.owasp.org/lib/copi_web/controllers/card_html/show.html.heex b/copi.owasp.org/lib/copi_web/controllers/card_html/show.html.heex index 6b97ba818..66a464744 100644 --- a/copi.owasp.org/lib/copi_web/controllers/card_html/show.html.heex +++ b/copi.owasp.org/lib/copi_web/controllers/card_html/show.html.heex @@ -28,6 +28,9 @@
<%= @card.category %>
<%= @card.description %>
+ <%= if @card.url != nil and @card.url != "" do %> + + <% end %> <%= if @card.value in ["J", "Q", "K"] do %> diff --git a/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.0-en.yaml b/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.0-en.yaml index 0474630b8..64ea79636 100644 --- a/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.0-en.yaml +++ b/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.0-en.yaml @@ -12,54 +12,67 @@ suits: - id: "SP2" value: "2" + url: "https://cornucopia.owasp.org/cards/SP2" desc: "An attacker could take over the port or socket that the server normally uses" - id: "SP3" value: "3" + url: "https://cornucopia.owasp.org/cards/SP3" desc: "An attacker could try one credential after another and there's nothing to slow them down (online or offline)" - id: "SP4" value: "4" + url: "https://cornucopia.owasp.org/cards/SP4" desc: "An attacker can anonymously connect, because we expect authentication to be done at a higher level" - id: "SP5" value: "5" + url: "https://cornucopia.owasp.org/cards/SP5" desc: "An attacker can confuse a client because there are too many ways to identify a server" - id: "SP6" value: "6" + url: "https://cornucopia.owasp.org/cards/SP6" desc: "An attacker can spoof a server because identifiers aren't stored on the client and checked for consistency on re-connection (that is, there's no key persistence)" - id: "SP7" value: "7" + url: "https://cornucopia.owasp.org/cards/SP7" desc: "An attacker can connect to a server or peer over a link that isn't authenticated (and encrypted)" - id: "SP8" value: "8" + url: "https://cornucopia.owasp.org/cards/SP8" desc: "An attacker could steal credentials stored on the server and reuse them (for example, a key is stored in a world readable file)" - id: "SP9" value: "9" + url: "https://cornucopia.owasp.org/cards/SP9" desc: "An attacker who gets a password can reuse it (Use stronger authenticators)" - id: "SPX" value: "X" + url: "https://cornucopia.owasp.org/cards/SPX" desc: "An attacker can choose to use weaker or no authentication" - id: "SPJ" value: "J" + url: "https://cornucopia.owasp.org/cards/SPJ" desc: "An attacker could steal credentials stored on the client and reuse them" - id: "SPQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/SPQ" desc: "An attacker could go after the way credentials are updated or recovered (account recovery doesn't require disclosing the old password)" - id: "SPK" value: "K" + url: "https://cornucopia.owasp.org/cards/SPK" desc: "Your system ships with a default admin password, and doesn't force a change" - id: "SPA" value: "A" + url: "https://cornucopia.owasp.org/cards/SPA" desc: "You've invented a new Spoofing attack" misc: "Read more about this topic ..." - @@ -69,54 +82,67 @@ suits: - id: "TA2" value: "2" + url: "https://cornucopia.owasp.org/cards/TA2" desc: "An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto" - id: "TA3" value: "3" + url: "https://cornucopia.owasp.org/cards/TA3" desc: "An attacker can modify your build system and produce signed builds of your software" - id: "TA4" value: "4" + url: "https://cornucopia.owasp.org/cards/TA4" desc: "Your code makes access control decisions all over the place, rather than with a security kernel" - id: "TA5" value: "5" + url: "https://cornucopia.owasp.org/cards/TA5" desc: "An attacker can replay data without detection because your code doesn't provide timestamps or sequence numbers" - id: "TA6" value: "6" + url: "https://cornucopia.owasp.org/cards/TA6" desc: "An attacker can write to a data store your code relies on" - id: "TA7" value: "7" + url: "https://cornucopia.owasp.org/cards/TA7" desc: "An attacker can bypass permissions because you don't make names canonical before checking access permissions" - id: "TA8" value: "8" + url: "https://cornucopia.owasp.org/cards/TA8" desc: "An attacker can manipulate data because there's no integrity protection for data on the network" - id: "TA9" value: "9" + url: "https://cornucopia.owasp.org/cards/TA9" desc: "An attacker can provide or control state information" - id: "TAX" value: "X" + url: "https://cornucopia.owasp.org/cards/TAX" desc: "An attacker can alter information in a data store because it has weak/open permissions or includes a group which is equivalent to everyone (\"anyone with a Facebook account\")" - id: "TAJ" value: "J" + url: "https://cornucopia.owasp.org/cards/TAJ" desc: "An attacker can write to some resource because permissions are granted to the world or there are no ACLs" - id: "TAQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/TAQ" desc: "An attacker can change parameters over a trust boundary and after validation (for example, important parameters in a hidden field in HTML, or passing a pointer to critical memory)" - id: "TAK" value: "K" + url: "https://cornucopia.owasp.org/cards/TAK" desc: "An attacker can load code inside your process via an extension point" - id: "TAA" value: "A" + url: "https://cornucopia.owasp.org/cards/TAA" desc: "You've invented a new Tampering attack" misc: "Read more about this topic ..." - @@ -126,54 +152,67 @@ suits: - id: "RE2" value: "2" + url: "https://cornucopia.owasp.org/cards/RE2" desc: "An attacker can pass data through the log to attack a log reader, and there's no documentation of what sorts of validation are done" - id: "RE3" value: "3" + url: "https://cornucopia.owasp.org/cards/RE3" desc: "A low privilege attacker can read interesting security information in the logs" - id: "RE4" value: "4" + url: "https://cornucopia.owasp.org/cards/RE4" desc: "An attacker can alter digital signatures because the digital signature system you're implementing is weak, or uses MACs where it should use a signature" - id: "RE5" value: "5" + url: "https://cornucopia.owasp.org/cards/RE5" desc: "An attacker can alter log messages on a network because they lack strong integrity controls" - id: "RE6" value: "6" + url: "https://cornucopia.owasp.org/cards/RE6" desc: "An attacker can create a log entry without a timestamp (or no log entry is timestamped)" - id: "RE7" value: "7" + url: "https://cornucopia.owasp.org/cards/RE7" desc: "An attacker can make the logs wrap around and lose data" - id: "RE8" value: "8" + url: "https://cornucopia.owasp.org/cards/RE8" desc: "An attacker can make a log lose or confuse security information" - id: "RE9" value: "9" + url: "https://cornucopia.owasp.org/cards/RE9" desc: "An attacker can use a shared key to authenticate as different principals, confusing the information in the logs" - id: "REX" value: "X" + url: "https://cornucopia.owasp.org/cards/REX" desc: "An attacker can get arbitrary data into logs from unauthenticated (or weakly authenticated) outsiders without validation" - id: "REJ" value: "J" + url: "https://cornucopia.owasp.org/cards/REJ" desc: "An attacker can edit logs and there's no way to tell (perhaps because there's no heartbeat option for the logging system)" - id: "REQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/REQ" desc: "An attacker can say \"I didn't do that,\" and you'd have no way to prove them wrong" - id: "REK" value: "K" + url: "https://cornucopia.owasp.org/cards/REK" desc: "The system has no logs" - id: "REA" value: "A" + url: "https://cornucopia.owasp.org/cards/REA" desc: "You've invented a new Repudiation attack" misc: "Read more about this topic ..." - @@ -183,54 +222,67 @@ suits: - id: "ID2" value: "2" + url: "https://cornucopia.owasp.org/cards/ID2" desc: "An attacker can brute-force file encryption because there's no defense in place (example defense, password stretching)" - id: "ID3" value: "3" + url: "https://cornucopia.owasp.org/cards/ID3" desc: "An attacker can see error messages with security sensitive content" - id: "ID4" value: "4" + url: "https://cornucopia.owasp.org/cards/ID4" desc: "An attacker can read content because messages (say, an email or HTTP cookie) aren't encrypted even if the channel is encrypted" - id: "ID5" value: "5" + url: "https://cornucopia.owasp.org/cards/ID5" desc: "An attacker may be able to read a document or data because it's encrypted with a non-standard algorithm" - id: "ID6" value: "6" + url: "https://cornucopia.owasp.org/cards/ID6" desc: "An attacker can read data because it's hidden or occluded (for undo or change tracking) and the user might forget that it's there" - id: "ID7" value: "7" + url: "https://cornucopia.owasp.org/cards/ID7" desc: "An attacker can act as a 'man in the middle' because you don't authenticate endpoints of a network connection" - id: "ID8" value: "8" + url: "https://cornucopia.owasp.org/cards/ID8" desc: "An attacker can access information through a search indexer, logger, or other such mechanism" - id: "ID9" value: "9" + url: "https://cornucopia.owasp.org/cards/ID9" desc: "An attacker can read sensitive information in a file with permissive permissions" - id: "IDX" value: "X" + url: "https://cornucopia.owasp.org/cards/IDX" desc: "An attacker can read information in files or databases with no access controls" - id: "IDJ" value: "J" + url: "https://cornucopia.owasp.org/cards/IDJ" desc: "An attacker can discover the fixed key being used to encrypt" - id: "IDQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/IDQ" desc: "An attacker can read the entire channel because the channel (say, HTTP or SMTP) isn't encrypted" - id: "IDK" value: "K" + url: "https://cornucopia.owasp.org/cards/IDK" desc: "An attacker can read network information because there's no cryptography used" - id: "IDA" value: "A" + url: "https://cornucopia.owasp.org/cards/IDA" desc: "You've invented a new Information Disclosure attack" misc: "Read more about this topic ..." - @@ -240,62 +292,75 @@ suits: - id: "DS2" value: "2" + url: "https://cornucopia.owasp.org/cards/DS2" desc: "An attacker can make your authentication system unusable or unavailable" - id: "DS3" value: "3" + url: "https://cornucopia.owasp.org/cards/DS3" desc: "An attacker can drain our easily replacable battery " misc: "(battery, temporary)" - id: "DS4" value: "4" + url: "https://cornucopia.owasp.org/cards/DS4" desc: "An attacker can drain a battery that's hard to replace (sealed in a phone, an implanted medical device, or in a hard to reach location) " misc: "(battery, persist)" - id: "DS5" value: "5" + url: "https://cornucopia.owasp.org/cards/DS5" desc: "An attacker can spend our cloud budget " misc: "(budget, persist)" - id: "DS6" value: "6" + url: "https://cornucopia.owasp.org/cards/DS6" desc: "An attacker can make a server unavailable or unusable without ever authenticating but the problem goes away when the attacker stops " misc: "(server, anonymous, temporary)" - id: "DS7" value: "7" + url: "https://cornucopia.owasp.org/cards/DS7" desc: "An attacker can make a client unavailable or unusable and the problem persists after the attacker goes away " misc: "(client, auth, persist)" - id: "DS8" value: "8" + url: "https://cornucopia.owasp.org/cards/DS8" desc: "An attacker can make a server unavailable or unusable and the problem persists after the attacker goes away " misc: "(server, auth, persist)" - id: "DS9" value: "9" + url: "https://cornucopia.owasp.org/cards/DS9" desc: "An attacker can make a client unavailable or unusable without ever authenticating and the problem persists after the attacker goes away " misc: "(client, anon, persist)" - id: "DSX" value: "X" + url: "https://cornucopia.owasp.org/cards/DSX" desc: "An attacker can make a server unavailable or unusable without ever authenticating and the problem persists after the attacker goes away " misc: "(server, anonymous, persistent)" - id: "DSJ" value: "J" + url: "https://cornucopia.owasp.org/cards/DSJ" desc: "An attacker can cause the logging subsystem to stop working" - id: "DSQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/DSQ" desc: "An attacker can amplify a Denial of Service attack through this component with amplification on the order of 10 to 1" - id: "DSK" value: "K" + url: "https://cornucopia.owasp.org/cards/DSK" desc: "An attacker can amplify a Denial of Service attack through this component with amplification on the order of 100 to 1" - id: "DSA" value: "A" + url: "https://cornucopia.owasp.org/cards/DSA" desc: "You've invented a new Denial of Service attack" misc: "Read more about this topic ..." - @@ -305,54 +370,67 @@ suits: - id: "EP2" value: "2" + url: "https://cornucopia.owasp.org/cards/EP2" desc: "An attacker has compromised a key technology supplier" - id: "EP3" value: "3" + url: "https://cornucopia.owasp.org/cards/EP3" desc: "An attacker can access the cloud service which manages your devices" - id: "EP4" value: "4" + url: "https://cornucopia.owasp.org/cards/EP4" desc: "An attacker can escape from a container or other sandbox" - id: "EP5" value: "5" + url: "https://cornucopia.owasp.org/cards/EP5" desc: "An attacker can force data through different validation paths which give different results" - id: "EP6" value: "6" + url: "https://cornucopia.owasp.org/cards/EP6" desc: "An attacker could take advantage of permissions you set, but don't use" - id: "EP7" value: "7" + url: "https://cornucopia.owasp.org/cards/EP7" desc: "An attacker can provide a pointer across a trust boundary, rather than data which can be validated" - id: "EP8" value: "8" + url: "https://cornucopia.owasp.org/cards/EP8" desc: "An attacker can enter data that is checked while still under their control and used later on the other side of a trust boundary" - id: "EP9" value: "9" + url: "https://cornucopia.owasp.org/cards/EP9" desc: "There's no reasonable way for a caller to figure out what validation of tainted data you perform before passing it to them" - id: "EPX" value: "X" + url: "https://cornucopia.owasp.org/cards/EPX" desc: "There's no reasonable way for a caller to figure out what security assumptions you make" - id: "EPJ" value: "J" + url: "https://cornucopia.owasp.org/cards/EPJ" desc: "An attacker can reflect input back to a user, like cross site scripting" - id: "EPQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/EPQ" desc: "You include user-generated content within your page, possibly including the content of random URLs" - id: "EPK" value: "K" + url: "https://cornucopia.owasp.org/cards/EPK" desc: "An attacker can inject a command that the system will run at a higher privilege level" - id: "EPA" value: "A" + url: "https://cornucopia.owasp.org/cards/EPA" desc: "You've invented a new Elevation of Privilege attack" misc: "Read more about this topic ..." paragraphs: diff --git a/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.1-en.yaml b/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.1-en.yaml index 7144e7877..509e5a69b 100644 --- a/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.1-en.yaml +++ b/copi.owasp.org/priv/repo/cornucopia/eop-cards-5.1-en.yaml @@ -12,54 +12,67 @@ suits: - id: "SP2" value: "2" + url: "https://cornucopia.owasp.org/cards/SP2" desc: "An attacker could take over the port or socket that the server normally uses" - id: "SP3" value: "3" + url: "https://cornucopia.owasp.org/cards/SP3" desc: "An attacker could try one credential after another and there's nothing to slow them down (online or offline)" - id: "SP4" value: "4" + url: "https://cornucopia.owasp.org/cards/SP4" desc: "An attacker can anonymously connect, because we expect authentication to be done at a higher level" - id: "SP5" value: "5" + url: "https://cornucopia.owasp.org/cards/SP5" desc: "An attacker can confuse a client because there are too many ways to identify a server" - id: "SP6" value: "6" + url: "https://cornucopia.owasp.org/cards/SP6" desc: "An attacker can spoof a server because identifiers aren't stored on the client and checked for consistency on re-connection (that is, there's no key persistence)" - id: "SP7" value: "7" + url: "https://cornucopia.owasp.org/cards/SP7" desc: "An attacker can connect to a server or peer over a link that isn't authenticated (and encrypted)" - id: "SP8" value: "8" + url: "https://cornucopia.owasp.org/cards/SP8" desc: "An attacker could steal credentials stored on the server and reuse them (for example, a key is stored in a world readable file)" - id: "SP9" value: "9" + url: "https://cornucopia.owasp.org/cards/SP9" desc: "An attacker who gets a password can reuse it (Use stronger authenticators)" - id: "SPX" value: "X" + url: "https://cornucopia.owasp.org/cards/SPX" desc: "An attacker can choose to use weaker or no authentication" - id: "SPJ" value: "J" + url: "https://cornucopia.owasp.org/cards/SPJ" desc: "An attacker could steal credentials stored on the client and reuse them" - id: "SPQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/SPQ" desc: "An attacker could go after the way credentials are updated or recovered (account recovery doesn't require disclosing the old password)" - id: "SPK" value: "K" + url: "https://cornucopia.owasp.org/cards/SPK" desc: "Your system ships with a default admin password, and doesn't force a change" - id: "SPA" value: "A" + url: "https://cornucopia.owasp.org/cards/SPA" desc: "You've invented a new Spoofing attack" misc: "Read more about this topic ..." - @@ -69,54 +82,67 @@ suits: - id: "TA2" value: "2" + url: "https://cornucopia.owasp.org/cards/TA2" desc: "An attacker can take advantage of your custom key exchange or integrity control which you built instead of using standard crypto" - id: "TA3" value: "3" + url: "https://cornucopia.owasp.org/cards/TA3" desc: "An attacker can modify your build system and produce signed builds of your software" - id: "TA4" value: "4" + url: "https://cornucopia.owasp.org/cards/TA4" desc: "Your code makes access control decisions all over the place, rather than with a security kernel" - id: "TA5" value: "5" + url: "https://cornucopia.owasp.org/cards/TA5" desc: "An attacker can replay data without detection because your code doesn't provide timestamps or sequence numbers" - id: "TA6" value: "6" + url: "https://cornucopia.owasp.org/cards/TA6" desc: "An attacker can write to a data store your code relies on" - id: "TA7" value: "7" + url: "https://cornucopia.owasp.org/cards/TA7" desc: "An attacker can bypass permissions because you don't make names canonical before checking access permissions" - id: "TA8" value: "8" + url: "https://cornucopia.owasp.org/cards/TA8" desc: "An attacker can manipulate data because there's no integrity protection for data on the network" - id: "TA9" value: "9" + url: "https://cornucopia.owasp.org/cards/TA9" desc: "An attacker can provide or control state information" - id: "TAX" value: "X" + url: "https://cornucopia.owasp.org/cards/TAX" desc: "An attacker can alter information in a data store because it has weak/open permissions or includes a group which is equivalent to everyone (\"anyone with a Facebook account\")" - id: "TAJ" value: "J" + url: "https://cornucopia.owasp.org/cards/TAJ" desc: "An attacker can write to some resource because permissions are granted to the world or there are no ACLs" - id: "TAQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/TAQ" desc: "An attacker can change parameters over a trust boundary and after validation (for example, important parameters in a hidden field in HTML, or passing a pointer to critical memory)" - id: "TAK" value: "K" + url: "https://cornucopia.owasp.org/cards/TAK" desc: "An attacker can load code inside your process via an extension point" - id: "TAA" value: "A" + url: "https://cornucopia.owasp.org/cards/TAA" desc: "You've invented a new Tampering attack" misc: "Read more about this topic ..." - @@ -126,54 +152,67 @@ suits: - id: "RE2" value: "2" + url: "https://cornucopia.owasp.org/cards/RE2" desc: "An attacker can pass data through the log to attack a log reader, and there's no documentation of what sorts of validation are done" - id: "RE3" value: "3" + url: "https://cornucopia.owasp.org/cards/RE3" desc: "A low privilege attacker can read interesting security information in the logs" - id: "RE4" value: "4" + url: "https://cornucopia.owasp.org/cards/RE4" desc: "An attacker can alter digital signatures because the digital signature system you're implementing is weak, or uses MACs where it should use a signature" - id: "RE5" value: "5" + url: "https://cornucopia.owasp.org/cards/RE5" desc: "An attacker can alter log messages on a network because they lack strong integrity controls" - id: "RE6" value: "6" + url: "https://cornucopia.owasp.org/cards/RE6" desc: "An attacker can create a log entry without a timestamp (or no log entry is timestamped)" - id: "RE7" value: "7" + url: "https://cornucopia.owasp.org/cards/RE7" desc: "An attacker can make the logs wrap around and lose data" - id: "RE8" value: "8" + url: "https://cornucopia.owasp.org/cards/RE8" desc: "An attacker can make a log lose or confuse security information" - id: "RE9" value: "9" + url: "https://cornucopia.owasp.org/cards/RE9" desc: "An attacker can use a shared key to authenticate as different principals, confusing the information in the logs" - id: "REX" value: "X" + url: "https://cornucopia.owasp.org/cards/REX" desc: "An attacker can get arbitrary data into logs from unauthenticated (or weakly authenticated) outsiders without validation" - id: "REJ" value: "J" + url: "https://cornucopia.owasp.org/cards/REJ" desc: "An attacker can edit logs and there's no way to tell (perhaps because there's no heartbeat option for the logging system)" - id: "REQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/REQ" desc: "An attacker can say \"I didn't do that,\" and you'd have no way to prove them wrong" - id: "REK" value: "K" + url: "https://cornucopia.owasp.org/cards/REK" desc: "The system has no logs" - id: "REA" value: "A" + url: "https://cornucopia.owasp.org/cards/REA" desc: "You've invented a new Repudiation attack" misc: "Read more about this topic ..." - @@ -183,54 +222,67 @@ suits: - id: "ID2" value: "2" + url: "https://cornucopia.owasp.org/cards/ID2" desc: "An attacker can brute-force file encryption because there's no defense in place (example defense, password stretching)" - id: "ID3" value: "3" + url: "https://cornucopia.owasp.org/cards/ID3" desc: "An attacker can see error messages with security sensitive content" - id: "ID4" value: "4" + url: "https://cornucopia.owasp.org/cards/ID4" desc: "An attacker can read content because messages (say, an email or HTTP cookie) aren't encrypted even if the channel is encrypted" - id: "ID5" value: "5" + url: "https://cornucopia.owasp.org/cards/ID5" desc: "An attacker may be able to read a document or data because it's encrypted with a non-standard algorithm" - id: "ID6" value: "6" + url: "https://cornucopia.owasp.org/cards/ID6" desc: "An attacker can read data because it's hidden or occluded (for undo or change tracking) and the user might forget that it's there" - id: "ID7" value: "7" + url: "https://cornucopia.owasp.org/cards/ID7" desc: "An attacker can act as a 'man in the middle' because you don't authenticate endpoints of a network connection" - id: "ID8" value: "8" + url: "https://cornucopia.owasp.org/cards/ID8" desc: "An attacker can access information through a search indexer, logger, or other such mechanism" - id: "ID9" value: "9" + url: "https://cornucopia.owasp.org/cards/ID9" desc: "An attacker can read sensitive information in a file with permissive permissions" - id: "IDX" value: "X" + url: "https://cornucopia.owasp.org/cards/IDX" desc: "An attacker can read information in files or databases with no access controls" - id: "IDJ" value: "J" + url: "https://cornucopia.owasp.org/cards/IDJ" desc: "An attacker can discover the fixed key being used to encrypt" - id: "IDQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/IDQ" desc: "An attacker can read the entire channel because the channel (say, HTTP or SMTP) isn't encrypted" - id: "IDK" value: "K" + url: "https://cornucopia.owasp.org/cards/IDK" desc: "An attacker can read network information because there's no cryptography used" - id: "IDA" value: "A" + url: "https://cornucopia.owasp.org/cards/IDA" desc: "You've invented a new Information Disclosure attack" misc: "Read more about this topic ..." - @@ -240,62 +292,75 @@ suits: - id: "DS2" value: "2" + url: "https://cornucopia.owasp.org/cards/DS2" desc: "An attacker can make your authentication system unusable or unavailable" - id: "DS3" value: "3" + url: "https://cornucopia.owasp.org/cards/DS3" desc: "An attacker can drain our easily replacable battery " misc: "(battery, temporary)" - id: "DS4" value: "4" + url: "https://cornucopia.owasp.org/cards/DS4" desc: "An attacker can drain a battery that's hard to replace (sealed in a phone, an implanted medical device, or in a hard to reach location) " misc: "(battery, persist)" - id: "DS5" value: "5" + url: "https://cornucopia.owasp.org/cards/DS5" desc: "An attacker can spend our cloud budget " misc: "(budget, persist)" - id: "DS6" value: "6" + url: "https://cornucopia.owasp.org/cards/DS6" desc: "An attacker can make a server unavailable or unusable without ever authenticating but the problem goes away when the attacker stops " misc: "(server, anonymous, temporary)" - id: "DS7" value: "7" + url: "https://cornucopia.owasp.org/cards/DS7" desc: "An attacker can make a client unavailable or unusable and the problem persists after the attacker goes away " misc: "(client, auth, persist)" - id: "DS8" value: "8" + url: "https://cornucopia.owasp.org/cards/DS8" desc: "An attacker can make a server unavailable or unusable and the problem persists after the attacker goes away " misc: "(server, auth, persist)" - id: "DS9" value: "9" + url: "https://cornucopia.owasp.org/cards/DS9" desc: "An attacker can make a client unavailable or unusable without ever authenticating and the problem persists after the attacker goes away " misc: "(client, anon, persist)" - id: "DSX" value: "X" + url: "https://cornucopia.owasp.org/cards/DSX" desc: "An attacker can make a server unavailable or unusable without ever authenticating and the problem persists after the attacker goes away " misc: "(server, anonymous, persistent)" - id: "DSJ" value: "J" + url: "https://cornucopia.owasp.org/cards/DSJ" desc: "An attacker can cause the logging subsystem to stop working" - id: "DSQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/DSQ" desc: "An attacker can amplify a Denial of Service attack through this component with amplification on the order of 10 to 1" - id: "DSK" value: "K" + url: "https://cornucopia.owasp.org/cards/DSK" desc: "An attacker can amplify a Denial of Service attack through this component with amplification on the order of 100 to 1" - id: "DSA" value: "A" + url: "https://cornucopia.owasp.org/cards/DSA" desc: "You've invented a new Denial of Service attack" misc: "Read more about this topic ..." - @@ -305,54 +370,67 @@ suits: - id: "EP2" value: "2" + url: "https://cornucopia.owasp.org/cards/EP2" desc: "An attacker has compromised a key technology supplier" - id: "EP3" value: "3" + url: "https://cornucopia.owasp.org/cards/EP3" desc: "An attacker can access the cloud service which manages your devices" - id: "EP4" value: "4" + url: "https://cornucopia.owasp.org/cards/EP4" desc: "An attacker can escape from a container or other sandbox" - id: "EP5" value: "5" + url: "https://cornucopia.owasp.org/cards/EP5" desc: "An attacker can force data through different validation paths which give different results" - id: "EP6" value: "6" + url: "https://cornucopia.owasp.org/cards/EP6" desc: "An attacker could take advantage of permissions you set, but don't use" - id: "EP7" value: "7" + url: "https://cornucopia.owasp.org/cards/EP7" desc: "An attacker can provide a pointer across a trust boundary, rather than data which can be validated" - id: "EP8" value: "8" + url: "https://cornucopia.owasp.org/cards/EP8" desc: "An attacker can enter data that is checked while still under their control and used later on the other side of a trust boundary" - id: "EP9" value: "9" + url: "https://cornucopia.owasp.org/cards/EP9" desc: "There's no reasonable way for a caller to figure out what validation of tainted data you perform before passing it to them" - id: "EPX" value: "X" + url: "https://cornucopia.owasp.org/cards/EPX" desc: "There's no reasonable way for a caller to figure out what security assumptions you make" - id: "EPJ" value: "J" + url: "https://cornucopia.owasp.org/cards/EPJ" desc: "An attacker can reflect input back to a user, like cross site scripting" - id: "EPQ" value: "Q" + url: "https://cornucopia.owasp.org/cards/EPQ" desc: "You include user-generated content within your page, possibly including the content of random URLs" - id: "EPK" value: "K" + url: "https://cornucopia.owasp.org/cards/EPK" desc: "An attacker can inject a command that the system will run at a higher privilege level" - id: "EPA" value: "A" + url: "https://cornucopia.owasp.org/cards/EPA" desc: "You've invented a new Elevation of Privilege attack" misc: "Read more about this topic ..." paragraphs: diff --git a/copi.owasp.org/priv/repo/migrations/20260711100557_populate_eop_card_urls.exs b/copi.owasp.org/priv/repo/migrations/20260711100557_populate_eop_card_urls.exs new file mode 100644 index 000000000..4f69e3fc8 --- /dev/null +++ b/copi.owasp.org/priv/repo/migrations/20260711100557_populate_eop_card_urls.exs @@ -0,0 +1,11 @@ +defmodule Copi.Repo.Migrations.PopulateEopCardUrls do + use Ecto.Migration + + import Copi.CardMigration + + + def change do + update_card_urls(Path.join(:code.priv_dir(:copi), "/repo/cornucopia/eop-cards-5.0-en.yaml")) + update_card_urls(Path.join(:code.priv_dir(:copi), "/repo/cornucopia/eop-cards-5.1-en.yaml")) + end +end diff --git a/cornucopia.owasp.org/data/website/phrases/en/cards.json b/cornucopia.owasp.org/data/website/phrases/en/cards.json index 76da6cdf7..a57289308 100644 --- a/cornucopia.owasp.org/data/website/phrases/en/cards.json +++ b/cornucopia.owasp.org/data/website/phrases/en/cards.json @@ -10,16 +10,19 @@ "button": { "1": "Website App version", "2": "Mobile App version", - "3": "Companion version" + "3": "Companion version", + "4": "Elevation of Privilege version" }, "h2": { "1": "Website App version", "2": "Mobile App version", - "3": "Companion version" + "3": "Companion version", + "4": "Elevation of Privilege version" }, "p2": "For the previously called Ecommerce Website Edition. Instead of EoP’s STRIDE suits, the suits were selected based on the structure of the OWASP Secure Coding Practices - Quick Reference Guide (SCP) which have been migrated to the OWASP Developer Guide Web Application Checklist. The content was mainly drawn from the SCP but with additional consideration of sections in the OWASP Application Security Verification Standard, the OWASP Web Security Testing Guide and David Rook's Principles of Secure Development. These provided five suits, and a sixth called “Cornucopia” was created for everything else:", "p3": "The second Cornucopia deck, the “Mobile App Edition”, follows the same principles and game rules as the original OWASP Cornucopia, but has different suits based on the MASVS categories, in addition to the Cornucopia suit that contains threats related to mobile malware and privacy issues:", "p4": "The third Cornucopia deck, the “Companion Edition”, is a companion to the other two decks:", + "p5": "The fourth Cornucopia deck, the “Elevation of Privilege Edition” (EoP), is a threat modeling game developed by Microsoft. Instead of the security concepts featured in the first editions, EoP card suits are structured around the STRIDE threat categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege):", "card": { "p1": "Back to overview" }, @@ -55,6 +58,12 @@ "2": "Attacks" } }, + "eopCardTaxonomy": { + "h1": { + "1": "Mappings", + "2": "Attacks" + } + }, "MASVSOverview": { "p1": "No suitable mappings were found." }, diff --git a/cornucopia.owasp.org/src/domain/card/order.ts b/cornucopia.owasp.org/src/domain/card/order.ts index 6e33a81eb..942d80f9a 100644 --- a/cornucopia.owasp.org/src/domain/card/order.ts +++ b/cornucopia.owasp.org/src/domain/card/order.ts @@ -247,6 +247,84 @@ export const cardOrder = new Map{card?.suitName}
+{card?.desc}
+{card?.desc}
- {#if card?.edition == 'mobileapp'} -STRIDE
+{stride}
+ + diff --git a/cornucopia.owasp.org/src/lib/components/eopCardTaxonomy.svelte b/cornucopia.owasp.org/src/lib/components/eopCardTaxonomy.svelte new file mode 100644 index 000000000..0632890fa --- /dev/null +++ b/cornucopia.owasp.org/src/lib/components/eopCardTaxonomy.svelte @@ -0,0 +1,47 @@ + + +{#if mappings} ++ + {@html $t('cards.p5')} +
+ {/if}{enter(suit.name,cards?.get(card)?.id)}}> + ├── {cards?.get(card)?.id} +
+ {/each} + {/if} + {/each} + {/if}+ + {@html $t('cards.p5')} +
+ {#each eopSuits as suit (suit.name)} + + + + {/each} +