Skip to content

threats.md

Latest commit

 

History

History
219 lines (156 loc) · 14.1 KB

threats.md

File metadata and controls

219 lines (156 loc) · 14.1 KB

Threat Model Report

---
schema_version: "1.3"
date: "2026-04-10"
input_format: "ascii"
classification: "confidential"
---

1. System Overview

Parsed summary of the ASCII architecture input depicting a web API with authentication. The system consists of an external user interacting with an API gateway that routes requests to an authentication service backed by a PostgreSQL database. All internal components reside within a single internal trust zone.

Components

Component Type MAESTRO Layer Description
External User External Entity L7 — Agent Ecosystem Browser or application sending HTTPS requests to the API
API Gateway Process L4 — Deployment Infrastructure NGINX/Kong reverse proxy handling request routing and TLS termination
Auth Service Process L6 — Security and Compliance Node.js authentication service validating credentials and issuing JWT tokens
User Database Data Store L2 — Data Operations PostgreSQL database storing user credentials and profile data

Data Flows

Source Destination Data Protocol
External User API Gateway Login credentials (username, password) HTTPS
External User API Gateway API requests with JWT bearer token HTTPS
API Gateway Auth Service JWT token for validation HTTP
Auth Service User Database Credential lookup queries (username, password hash) SQL over TLS
Auth Service API Gateway Authentication result (success/failure, user claims) HTTP
API Gateway User Database Data queries and mutations SQL over TLS
API Gateway External User API responses HTTPS

Technologies

Category Technology Version (if known)
Reverse Proxy NGINX/Kong unknown
Runtime Node.js unknown
Database PostgreSQL unknown
Authentication JWT (bearer tokens) RFC 7519
Transport TLS (HTTPS) unknown
Query Language SQL unknown

2. Trust Boundaries

Trust Zones

Zone Trust Level Components
External Zone Untrusted External User
Internal Zone Trusted API Gateway, Auth Service, User Database

Boundary Crossings

Crossing From Zone To Zone Components Controls
Client-to-Gateway External Zone Internal Zone External User -> API Gateway TLS termination, HTTPS enforcement
Gateway-to-Client Internal Zone External Zone API Gateway -> External User HTTPS encrypted responses

3. STRIDE Tables

Risk level computation (OWASP 3x3 matrix):

LOW Likelihood MEDIUM Likelihood HIGH Likelihood
HIGH Impact Medium High Critical
MEDIUM Impact Low Medium High
LOW Impact Note Low Medium

3.1 Spoofing (S)

Threats where an attacker pretends to be something or someone else.

ID Component MAESTRO Layer Threat Likelihood Impact Risk Level Mitigation
S-1 API Gateway L4 — Deployment Infrastructure Attacker forges JWT tokens using a weak or compromised signing key to impersonate authenticated users, bypassing authentication entirely MEDIUM HIGH High Enforce asymmetric signing (RS256 or ES256) with key rotation every 90 days; reject tokens signed with symmetric algorithms (HS256); validate issuer and audience claims on every request
S-2 External User L7 — Agent Ecosystem Attacker performs credential stuffing using breached username/password pairs to take over legitimate user accounts HIGH HIGH Critical Enforce multi-factor authentication; implement progressive login delays and account lockout after 5 failed attempts; monitor for anomalous login patterns across IP ranges

3.2 Tampering (T)

Threats where an attacker modifies data or code without authorization.

ID Component MAESTRO Layer Threat Likelihood Impact Risk Level Mitigation
T-1 User Database L2 — Data Operations Attacker performs SQL injection through unsanitized input fields routed via the API Gateway, modifying user records or extracting credential data MEDIUM HIGH High Use parameterized queries exclusively in both Auth Service and API Gateway database access layers; apply input validation and sanitization at the API Gateway before forwarding requests
T-2 Auth Service L6 — Security and Compliance Attacker manipulates JWT payload claims (e.g., role, user ID) in transit between API Gateway and Auth Service over unencrypted internal HTTP, altering authorization context LOW HIGH Medium Enforce mutual TLS or signed JWTs with integrity verification between API Gateway and Auth Service; validate token signature server-side before trusting any claims

3.3 Repudiation (R)

Threats where an attacker denies having performed an action without the system being able to prove otherwise.

ID Component MAESTRO Layer Threat Likelihood Impact Risk Level Mitigation
R-1 Auth Service L6 — Security and Compliance User denies performing privileged account actions (password changes, role modifications) because the Auth Service does not maintain tamper-evident audit logs with sufficient session context MEDIUM MEDIUM Medium Implement immutable, append-only audit logging for all authentication events and account modifications; include session ID, source IP, user agent, timestamp, and action type in every log entry
R-2 API Gateway L4 — Deployment Infrastructure Attacker denies initiating malicious API requests because NGINX/Kong access logs lack correlation IDs linking requests to authenticated user sessions MEDIUM LOW Low Configure the API Gateway to log authenticated user identity, correlation ID, and request fingerprint alongside standard access log fields; forward logs to a centralized SIEM with tamper protection

3.4 Information Disclosure (I)

Threats where sensitive data is exposed to unauthorized parties.

ID Component MAESTRO Layer Threat Likelihood Impact Risk Level Mitigation
I-1 User Database L2 — Data Operations Database connection strings or SQL error details containing credentials are exposed in API error responses returned to the External User when queries fail MEDIUM HIGH High Implement structured error handling that returns generic error codes to clients; log detailed error context (stack traces, query details) server-side only; never include database internals in HTTP responses
I-2 Auth Service L6 — Security and Compliance Verbose authentication error messages distinguish between "user not found" and "wrong password," enabling user enumeration attacks against the User Database HIGH MEDIUM High Return a single generic error message ("Invalid credentials") for all authentication failures regardless of cause; implement consistent response timing to prevent timing-based enumeration

3.5 Denial of Service (D)

Threats where an attacker degrades or prevents legitimate access to the system.

ID Component MAESTRO Layer Threat Likelihood Impact Risk Level Mitigation
D-1 API Gateway L4 — Deployment Infrastructure Volumetric HTTP flood overwhelms NGINX/Kong connection pool and upstream buffers, blocking legitimate traffic from reaching internal services HIGH HIGH Critical Enforce per-IP and per-user rate limiting at the API Gateway (e.g., 100 requests/minute); deploy upstream DDoS mitigation (CDN or cloud-native WAF); configure connection timeouts and circuit breaker patterns
D-2 User Database L2 — Data Operations Attacker triggers resource-exhaustive SQL queries through crafted API requests, consuming PostgreSQL connection pool and CPU, causing query timeouts for legitimate users MEDIUM MEDIUM Medium Set query execution time limits in PostgreSQL (statement_timeout); limit maximum concurrent connections per application user; implement query complexity analysis or pagination enforcement at the API Gateway

3.6 Elevation of Privilege (E)

Threats where an attacker gains higher access rights than authorized.

ID Component MAESTRO Layer Threat Likelihood Impact Risk Level Mitigation
E-1 Auth Service L6 — Security and Compliance Attacker exploits insecure direct object references (IDOR) by manipulating user ID or role claims in the JWT payload to access admin-level endpoints or other users' data MEDIUM HIGH High Validate all authorization claims server-side against the authoritative User Database on every request; never trust client-supplied role or ID values from the JWT without re-verification; implement role-based access control (RBAC) with least-privilege defaults

4. AI Threat Tables

4.1 Agentic Threats (AG)

No agentic or LLM components detected in this architecture. The system consists of traditional web API components (reverse proxy, authentication service, relational database) with no autonomous agent behavior.

ID Component MAESTRO Layer Threat OWASP Reference Likelihood Impact Risk Level Mitigation
- - - No findings - - - - -

Findings: 0

4.2 LLM Threats (LLM)

No LLM components detected in this architecture. The system does not incorporate large language models, prompt-based interfaces, or AI-generated content pipelines.

ID Component MAESTRO Layer Threat OWASP Reference Likelihood Impact Risk Level Mitigation
- - - No findings - - - - -

Findings: 0

5. Coverage Matrix

Component S T R I D E AG LLM Total
External User 1 - 1
API Gateway 1 - 1 - 1 - 3
Auth Service - 1 1 1 - 1 4
User Database 1 1 1 3
Total 2 2 2 2 2 1 0 0 11

6. Risk Summary

OWASP 3x3 risk matrix reference:

LOW Likelihood MEDIUM Likelihood HIGH Likelihood
HIGH Impact Medium High Critical
MEDIUM Impact Low Medium High
LOW Impact Note Low Medium
Risk Level Count Percentage
Critical 2 18.2%
High 5 45.5%
Medium 3 27.3%
Low 1 9.1%
Note 0 0.0%
Total 11 100%

Risk by MAESTRO Layer

MAESTRO Layer Finding Count Highest Severity
L4 — Deployment Infrastructure 3 Critical
L7 — Agent Ecosystem 1 Critical
L6 — Security and Compliance 4 High
L2 — Data Operations 3 High

7. Recommended Actions

All findings sorted by risk level descending. Critical and High findings should be addressed before deployment. Medium findings should be addressed within the current development cycle. Low findings should be tracked for future consideration.

Finding ID Status Component Threat Risk Level Mitigation
S-2 NEW External User Credential stuffing using breached username/password pairs Critical Enforce multi-factor authentication; implement progressive login delays and account lockout after 5 failed attempts; monitor for anomalous login patterns
D-1 NEW API Gateway Volumetric HTTP flood exhausting connection pool Critical Per-IP and per-user rate limiting (100 req/min); upstream DDoS mitigation; connection timeouts and circuit breaker patterns
S-1 NEW API Gateway Forged JWT tokens via weak or compromised signing key High Enforce RS256/ES256 signing with 90-day key rotation; reject HS256 tokens; validate issuer and audience claims
T-1 NEW User Database SQL injection through unsanitized input fields High Parameterized queries exclusively; input validation and sanitization at API Gateway
I-1 NEW User Database Database credentials exposed in API error responses High Structured error handling with generic client responses; server-side detailed logging only
I-2 NEW Auth Service User enumeration via verbose authentication error messages High Single generic error message for all auth failures; consistent response timing
E-1 NEW Auth Service IDOR exploiting JWT role claims for privilege escalation High Server-side role validation against authoritative store on every request; RBAC with least-privilege defaults
R-1 NEW Auth Service Insufficient audit logging for privileged account actions Medium Immutable audit log with session ID, IP, user agent, timestamp for all authentication events
T-2 NEW Auth Service JWT payload tampering over unencrypted internal HTTP Medium Mutual TLS or signed JWTs with integrity verification between Gateway and Auth Service
D-2 NEW User Database Resource-exhaustive SQL queries consuming connection pool Medium PostgreSQL statement_timeout; connection limits per user; query complexity analysis
R-2 NEW API Gateway Missing correlation IDs in access logs preventing attribution Low Log authenticated user identity and correlation ID; centralized SIEM with tamper protection