juice-shop
/
threat-model.json
1070 строк · 31.1 Кб
1{2"summary": {3"title": "OWASP Juice Shop",4"owner": "Björn Kimminich",5"description": "OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!"6},7"detail": {8"contributors": [],9"diagrams": [10{11"title": "High Level Data Flow",12"thumbnail": "./public/content/images/thumbnail.stride.jpg",13"diagramType": "STRIDE",14"id": 0,15"$$hashKey": "object:59",16"diagramJson": {17"cells": [18{19"type": "tm.Actor",20"size": {21"width": 160,22"height": 8023},24"position": {25"x": 64,26"y": 17327},28"angle": 0,29"id": "5c682ec9-c352-442e-b61c-2de8ed53ea22",30"z": 1,31"hasOpenThreats": false,32"attrs": {33".element-shape": {34"class": "element-shape hasNoOpenThreats isInScope"35},36"text": {37"text": "B2C Customer (Browser)"38},39".element-text": {40"class": "element-text hasNoOpenThreats isInScope"41}42}43},44{45"type": "tm.Actor",46"size": {47"width": 160,48"height": 8049},50"position": {51"x": 68,52"y": 5253},54"angle": 0,55"id": "d02fa030-ca19-47ad-8920-0980cd87a351",56"z": 2,57"hasOpenThreats": false,58"outOfScope": true,59"attrs": {60".element-shape": {61"class": "element-shape hasNoOpenThreats isOutOfScope"62},63"text": {64"text": "Google"65},66".element-text": {67"class": "element-text hasNoOpenThreats isInScope"68}69}70},71{72"type": "tm.Process",73"size": {74"width": 100,75"height": 10076},77"position": {78"x": 455,79"y": 180},81"angle": 0,82"id": "064304c2-9672-44f2-9e08-982d58145bc0",83"z": 3,84"hasOpenThreats": false,85"attrs": {86".element-shape": {87"class": "element-shape hasNoOpenThreats isInScope"88},89"text": {90"text": "Angular\nFrontend"91},92".element-text": {93"class": "element-text hasNoOpenThreats isInScope"94}95}96},97{98"type": "tm.Process",99"size": {100"width": 100,101"height": 100102},103"position": {104"x": 468,105"y": 228106},107"angle": 0,108"id": "edced7d1-6206-43bc-94ab-aa515977042a",109"z": 4,110"hasOpenThreats": false,111"description": "Node.js / Express",112"attrs": {113".element-shape": {114"class": "element-shape hasNoOpenThreats isInScope"115},116"text": {117"text": "Application\nServer"118},119".element-text": {120"class": "element-text hasNoOpenThreats isInScope"121}122}123},124{125"type": "tm.Store",126"size": {127"width": 160,128"height": 80129},130"position": {131"x": 830,132"y": 393133},134"angle": 0,135"id": "673196a0-0797-4c56-974b-b169ec27accb",136"z": 5,137"hasOpenThreats": false,138"description": "",139"attrs": {140".element-shape": {141"class": "element-shape hasNoOpenThreats isInScope"142},143"text": {144"text": "SQLite Database"145},146".element-text": {147"class": "element-text hasNoOpenThreats isInScope"148}149}150},151{152"type": "tm.Store",153"size": {154"width": 160,155"height": 80156},157"position": {158"x": 568,159"y": 396160},161"angle": 0,162"id": "38c5137f-1570-446a-9978-a98f84fe1c59",163"z": 6,164"hasOpenThreats": false,165"attrs": {166".element-shape": {167"class": "element-shape hasNoOpenThreats isInScope"168},169"text": {170"text": "MarsDB NoSQL DB"171},172".element-text": {173"class": "element-text hasNoOpenThreats isInScope"174}175}176},177{178"type": "tm.Store",179"size": {180"width": 160,181"height": 80182},183"position": {184"x": 828,185"y": 255186},187"angle": 0,188"id": "00ae7380-5510-4772-8f98-d83df41035b6",189"z": 7,190"hasOpenThreats": false,191"attrs": {192".element-shape": {193"class": "element-shape hasNoOpenThreats isInScope"194},195"text": {196"text": "Local File System"197},198".element-text": {199"class": "element-text hasNoOpenThreats isInScope"200}201}202},203{204"type": "tm.Flow",205"size": {206"width": 10,207"height": 10208},209"smooth": true,210"source": {211"id": "5c682ec9-c352-442e-b61c-2de8ed53ea22"212},213"target": {214"id": "064304c2-9672-44f2-9e08-982d58145bc0"215},216"vertices": [217{218"x": 355,219"y": 146220}221],222"id": "cb17d350-86bc-4f06-8858-668093987b57",223"labels": [224{225"position": 0.5,226"attrs": {227"text": {228"text": "",229"font-weight": "400",230"font-size": "small"231}232}233}234],235"z": 8,236"hasOpenThreats": false,237"isPublicNetwork": true,238"attrs": {239".marker-target": {240"class": "marker-target hasNoOpenThreats isInScope"241},242".connection": {243"class": "connection hasNoOpenThreats isInScope"244}245}246},247{248"type": "tm.Flow",249"size": {250"width": 10,251"height": 10252},253"smooth": true,254"source": {255"id": "064304c2-9672-44f2-9e08-982d58145bc0"256},257"target": {258"id": "d02fa030-ca19-47ad-8920-0980cd87a351"259},260"vertices": [261{262"x": 337,263"y": 35264}265],266"id": "2d66f056-75e8-4436-bc99-a0817b3f1c19",267"labels": [268{269"position": 0.5,270"attrs": {271"text": {272"text": "OAuth2",273"font-weight": "400",274"font-size": "small"275}276}277}278],279"z": 9,280"hasOpenThreats": false,281"isPublicNetwork": true,282"isEncrypted": true,283"protocol": "",284"outOfScope": true,285"attrs": {286".marker-target": {287"class": "marker-target hasNoOpenThreats isInScope"288},289".connection": {290"class": "connection hasNoOpenThreats isOutOfScope"291}292}293},294{295"type": "tm.Flow",296"size": {297"width": 10,298"height": 10299},300"smooth": true,301"source": {302"id": "064304c2-9672-44f2-9e08-982d58145bc0"303},304"target": {305"id": "edced7d1-6206-43bc-94ab-aa515977042a"306},307"vertices": [308{309"x": 419,310"y": 204311}312],313"id": "46d76eab-2862-414b-bce6-c0d8fe79cf79",314"labels": [315{316"position": 0.5,317"attrs": {318"text": {319"text": "API Requests",320"font-weight": "400",321"font-size": "small"322}323}324}325],326"z": 10,327"hasOpenThreats": false,328"attrs": {329".marker-target": {330"class": "marker-target hasNoOpenThreats isInScope"331},332".connection": {333"class": "connection hasNoOpenThreats isInScope"334}335}336},337{338"type": "tm.Flow",339"size": {340"width": 10,341"height": 10342},343"smooth": true,344"source": {345"id": "edced7d1-6206-43bc-94ab-aa515977042a"346},347"target": {348"id": "064304c2-9672-44f2-9e08-982d58145bc0"349},350"vertices": [351{352"x": 514,353"y": 150354}355],356"id": "dc9ff0b8-2bae-4839-97f1-181f47282846",357"labels": [358{359"position": 0.5,360"attrs": {361"text": {362"text": "API Responses",363"font-weight": "400",364"font-size": "small"365}366}367}368],369"z": 11,370"hasOpenThreats": false,371"attrs": {372".marker-target": {373"class": "marker-target hasNoOpenThreats isInScope"374},375".connection": {376"class": "connection hasNoOpenThreats isInScope"377}378}379},380{381"type": "tm.Flow",382"size": {383"width": 10,384"height": 10385},386"smooth": true,387"source": {388"id": "edced7d1-6206-43bc-94ab-aa515977042a"389},390"target": {391"id": "00ae7380-5510-4772-8f98-d83df41035b6"392},393"vertices": [394{395"x": 683,396"y": 236397}398],399"id": "028ce073-348f-498d-ab6e-7d98e4d7ae77",400"labels": [401{402"position": {403"distance": 0.4545744602063211,404"offset": -14.064892638757218405},406"attrs": {407"text": {408"text": "Invoices",409"font-weight": "400",410"font-size": "small"411}412}413}414],415"z": 12,416"hasOpenThreats": false,417"attrs": {418".marker-target": {419"class": "marker-target hasNoOpenThreats isInScope"420},421".connection": {422"class": "connection hasNoOpenThreats isInScope"423}424}425},426{427"type": "tm.Actor",428"size": {429"width": 160,430"height": 80431},432"position": {433"x": 66,434"y": 296435},436"angle": 0,437"id": "82095edc-bdca-448b-8c28-ed1aaba2e9e9",438"z": 13,439"hasOpenThreats": false,440"attrs": {441".element-shape": {442"class": "element-shape hasNoOpenThreats isInScope"443},444"text": {445"text": "B2B Customer (Browser)"446},447".element-text": {448"class": "element-text hasNoOpenThreats isInScope"449}450}451},452{453"type": "tm.Process",454"size": {455"width": 100,456"height": 100457},458"position": {459"x": 307,460"y": 338461},462"angle": 0,463"id": "2f427832-3419-4b43-ae77-338f8636ca2b",464"z": 14,465"hasOpenThreats": false,466"attrs": {467".element-shape": {468"class": "element-shape hasNoOpenThreats isInScope"469},470"text": {471"text": "B2B API"472},473".element-text": {474"class": "element-text hasNoOpenThreats isInScope"475}476}477},478{479"type": "tm.Flow",480"size": {481"width": 10,482"height": 10483},484"smooth": true,485"source": {486"id": "82095edc-bdca-448b-8c28-ed1aaba2e9e9"487},488"target": {489"id": "2f427832-3419-4b43-ae77-338f8636ca2b"490},491"vertices": [],492"id": "f9d73d1a-e79a-4a57-bba8-c7cbc02fa348",493"labels": [494{495"position": 0.5,496"attrs": {497"text": {498"text": "",499"font-weight": "400",500"font-size": "small"501}502}503}504],505"z": 15,506"hasOpenThreats": false,507"isPublicNetwork": true,508"attrs": {509".marker-target": {510"class": "marker-target hasNoOpenThreats isInScope"511},512".connection": {513"class": "connection hasNoOpenThreats isInScope"514}515}516},517{518"type": "tm.Flow",519"size": {520"width": 10,521"height": 10522},523"smooth": true,524"source": {525"id": "2f427832-3419-4b43-ae77-338f8636ca2b"526},527"target": {528"id": "edced7d1-6206-43bc-94ab-aa515977042a"529},530"vertices": [],531"id": "1515ba33-e41b-4940-b92c-139179c14709",532"labels": [533{534"position": 0.5,535"attrs": {536"text": {537"text": "Orders",538"font-weight": "400",539"font-size": "small"540}541}542}543],544"z": 16,545"hasOpenThreats": false,546"attrs": {547".marker-target": {548"class": "marker-target hasNoOpenThreats isInScope"549},550".connection": {551"class": "connection hasNoOpenThreats isInScope"552}553}554},555{556"type": "tm.Actor",557"size": {558"width": 160,559"height": 80560},561"position": {562"x": 844,563"y": 1564},565"angle": 0,566"id": "0191343a-8439-45d7-b9e4-6b052f91415d",567"z": 17,568"hasOpenThreats": false,569"attrs": {570".element-shape": {571"class": "element-shape hasNoOpenThreats isInScope"572},573"text": {574"text": "Admin (Browser)"575},576".element-text": {577"class": "element-text hasNoOpenThreats isInScope"578}579}580},581{582"type": "tm.Actor",583"size": {584"width": 160,585"height": 80586},587"position": {588"x": 847,589"y": 107590},591"angle": 0,592"id": "12bf3793-217c-4863-b430-718182257f1a",593"z": 18,594"hasOpenThreats": false,595"attrs": {596".element-shape": {597"class": "element-shape hasNoOpenThreats isInScope"598},599"text": {600"text": "Accounting (Browser)"601},602".element-text": {603"class": "element-text hasNoOpenThreats isInScope"604}605}606},607{608"type": "tm.Flow",609"size": {610"width": 10,611"height": 10612},613"smooth": true,614"source": {615"id": "12bf3793-217c-4863-b430-718182257f1a"616},617"target": {618"id": "064304c2-9672-44f2-9e08-982d58145bc0"619},620"vertices": [],621"id": "16ed975a-3375-47b2-ab23-dac55835961c",622"labels": [623{624"position": 0.5,625"attrs": {626"text": {627"text": "Product Inventory",628"font-weight": "400",629"font-size": "small"630}631}632}633],634"z": 19,635"hasOpenThreats": false,636"attrs": {637".marker-target": {638"class": "marker-target hasNoOpenThreats isInScope"639},640".connection": {641"class": "connection hasNoOpenThreats isInScope"642}643}644},645{646"type": "tm.Flow",647"size": {648"width": 10,649"height": 10650},651"smooth": true,652"source": {653"id": "0191343a-8439-45d7-b9e4-6b052f91415d"654},655"target": {656"id": "064304c2-9672-44f2-9e08-982d58145bc0"657},658"vertices": [659{660"x": 679,661"y": 18662}663],664"id": "8a3a017a-76c0-45fa-9d39-c31311f8b76f",665"labels": [666{667"position": 0.5,668"attrs": {669"text": {670"text": "User Management",671"font-weight": "400",672"font-size": "small"673}674}675}676],677"z": 20,678"hasOpenThreats": false,679"attrs": {680".marker-target": {681"class": "marker-target hasNoOpenThreats isInScope"682},683".connection": {684"class": "connection hasNoOpenThreats isInScope"685}686}687},688{689"type": "tm.Flow",690"size": {691"width": 10,692"height": 10693},694"smooth": true,695"source": {696"id": "edced7d1-6206-43bc-94ab-aa515977042a"697},698"target": {699"id": "673196a0-0797-4c56-974b-b169ec27accb"700},701"vertices": [],702"id": "063a0a1a-352e-45bb-bce9-abee2be89a0d",703"labels": [704{705"position": 0.5,706"attrs": {707"text": {708"text": "all other data",709"font-weight": "400",710"font-size": "small"711}712}713}714],715"z": 21,716"hasOpenThreats": false,717"attrs": {718".marker-target": {719"class": "marker-target hasNoOpenThreats isInScope"720},721".connection": {722"class": "connection hasNoOpenThreats isInScope"723}724}725},726{727"type": "tm.Flow",728"size": {729"width": 10,730"height": 10731},732"smooth": true,733"source": {734"id": "edced7d1-6206-43bc-94ab-aa515977042a"735},736"target": {737"id": "38c5137f-1570-446a-9978-a98f84fe1c59"738},739"vertices": [740{741"x": 509,742"y": 385743}744],745"id": "96dee941-1600-445f-b12f-88fbb0776c16",746"labels": [747{748"position": 0.5,749"attrs": {750"text": {751"text": "Orders",752"font-weight": "400",753"font-size": "small"754}755}756}757],758"z": 22,759"hasOpenThreats": false,760"attrs": {761".marker-target": {762"class": "marker-target hasNoOpenThreats isInScope"763},764".connection": {765"class": "connection hasNoOpenThreats isInScope"766}767}768},769{770"type": "tm.Flow",771"size": {772"width": 10,773"height": 10774},775"smooth": true,776"source": {777"id": "edced7d1-6206-43bc-94ab-aa515977042a"778},779"target": {780"id": "38c5137f-1570-446a-9978-a98f84fe1c59"781},782"vertices": [783{784"x": 565,785"y": 378786}787],788"id": "5581ae64-5e43-4525-94e0-e020793e4136",789"labels": [790{791"position": 0.5,792"attrs": {793"text": {794"text": "Reviews",795"font-weight": "400",796"font-size": "small"797}798}799}800],801"z": 23,802"hasOpenThreats": false,803"attrs": {804".marker-target": {805"class": "marker-target hasNoOpenThreats isInScope"806},807".connection": {808"class": "connection hasNoOpenThreats isInScope"809}810}811},812{813"type": "tm.Flow",814"size": {815"width": 10,816"height": 10817},818"smooth": true,819"source": {820"id": "edced7d1-6206-43bc-94ab-aa515977042a"821},822"target": {823"id": "5c682ec9-c352-442e-b61c-2de8ed53ea22"824},825"vertices": [],826"id": "e9a8981a-2243-4e43-a68b-0bdfd81f1a45",827"labels": [828{829"position": 0.5,830"attrs": {831"text": {832"text": "Invoices",833"font-weight": "400",834"font-size": "small"835}836}837}838],839"z": 24,840"hasOpenThreats": false,841"isPublicNetwork": true,842"attrs": {843".marker-target": {844"class": "marker-target hasNoOpenThreats isInScope"845},846".connection": {847"class": "connection hasNoOpenThreats isInScope"848}849}850},851{852"type": "tm.Boundary",853"size": {854"width": 10,855"height": 10856},857"smooth": true,858"source": {859"x": 93,860"y": 19861},862"target": {863"x": 65,864"y": 146865},866"vertices": [867{868"x": 252,869"y": 54870},871{872"x": 246,873"y": 143874}875],876"id": "e4006eb6-c6da-4056-8cad-6111ffed690a",877"z": 25,878"attrs": {}879},880{881"type": "tm.Boundary",882"size": {883"width": 10,884"height": 10885},886"smooth": true,887"source": {888"x": 183,889"y": 441890},891"target": {892"x": 286,893"y": 124894},895"vertices": [896{897"x": 310,898"y": 320899}900],901"id": "a0bc0999-c102-4390-9c74-355bfea405be",902"z": 26,903"attrs": {}904},905{906"type": "tm.Boundary",907"size": {908"width": 10,909"height": 10910},911"smooth": true,912"source": {913"x": 772,914"y": 161915},916"target": {917"x": 784,918"y": 1919},920"vertices": [921{922"x": 787,923"y": 90924}925],926"id": "b66d28e9-c542-452b-944c-6ea0b95d7421",927"z": 27,928"attrs": {}929},930{931"type": "tm.Boundary",932"size": {933"width": 10,934"height": 10935},936"smooth": true,937"source": {938"x": 417,939"y": 128940},941"target": {942"x": 616,943"y": 156944},945"vertices": [],946"id": "140276bc-f5b6-4199-ac4d-ea1f473c132a",947"z": 28,948"attrs": {}949},950{951"type": "tm.Boundary",952"size": {953"width": 10,954"height": 10955},956"smooth": true,957"source": {958"x": 749,959"y": 492960},961"target": {962"x": 753,963"y": 198964},965"vertices": [966{967"x": 775,968"y": 346969}970],971"id": "161f7ef7-4adf-40e3-81c5-f15979ac1b5c",972"z": 29,973"attrs": {}974},975{976"type": "tm.Flow",977"size": {978"width": 10,979"height": 10980},981"smooth": true,982"source": {983"id": "00ae7380-5510-4772-8f98-d83df41035b6"984},985"target": {986"id": "edced7d1-6206-43bc-94ab-aa515977042a"987},988"vertices": [989{990"x": 663,991"y": 260992}993],994"id": "53b58d93-f3af-4668-989c-c15ce69268e6",995"labels": [996{997"position": 0.5,998"attrs": {999"text": {1000"text": "Configuration",1001"font-weight": "400",1002"font-size": "small"1003}1004}1005}1006],1007"z": 30,1008"hasOpenThreats": false,1009"attrs": {1010".marker-target": {1011"class": "marker-target hasNoOpenThreats isInScope"1012},1013".connection": {1014"class": "connection hasNoOpenThreats isInScope"1015}1016}1017},1018{1019"type": "tm.Flow",1020"size": {1021"width": 10,1022"height": 101023},1024"smooth": true,1025"source": {1026"id": "edced7d1-6206-43bc-94ab-aa515977042a"1027},1028"target": {1029"id": "00ae7380-5510-4772-8f98-d83df41035b6"1030},1031"vertices": [1032{1033"x": 737,1034"y": 3061035}1036],1037"id": "8eae4755-841b-44b2-8826-bd231926a480",1038"labels": [1039{1040"position": 0.5,1041"attrs": {1042"text": {1043"text": "Logging",1044"font-weight": "400",1045"font-size": "small"1046}1047}1048}1049],1050"z": 31,1051"hasOpenThreats": false,1052"attrs": {1053".marker-target": {1054"class": "marker-target hasNoOpenThreats isInScope"1055},1056".connection": {1057"class": "connection hasNoOpenThreats isInScope"1058}1059}1060}1061]1062},1063"size": {1064"height": 590,1065"width": 14251066}1067}1068]1069}1070}