You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An attacker could inject malicious cause into consumed 3rd party services and Compass Manager is receiving risky payloads from these systems.
We have to ensure that payload of 3rd party services is, even if it's malicious, won't lead to security problems for the. Compass Manager.
AC:
The Compass Manager has to be able to deal with unexpected huge payload properly by adding upload-limits (e.g. max. 2MB per HTTP response)
The payload of responses has to be evaluated and discarded if it's not compliant with the agreed technical contract (e.g. apply data validation via JSONSchema, if JSON is expected discard any other input format etc.)
If data of received payload is used for further processing, a sanity check has to happen for these data (e.g. max-string lengh, check for patterns etc.) and they have to be treated as untrusted data.
Steps to exploit
Attacker injects unexpected payload into the response of a 3rd party system.
Risk assessment
Part of the Threat Modelling workshop from 2023-11-29.
Proposed mitigation
Establish security mechanisms to handle malicious properly.
The text was updated successfully, but these errors were encountered:
tobiscr
changed the title
[Thread Modelling] Ensure risky payload from 3rd party services will be handled properly by the Compass Manager:
[Threat Modelling] Ensure risky payload from 3rd party services will be handled properly by the Compass Manager:
Jan 2, 2024
Description
An attacker could inject malicious cause into consumed 3rd party services and Compass Manager is receiving risky payloads from these systems.
We have to ensure that payload of 3rd party services is, even if it's malicious, won't lead to security problems for the. Compass Manager.
AC:
Steps to exploit
Attacker injects unexpected payload into the response of a 3rd party system.
Risk assessment
Part of the Threat Modelling workshop from 2023-11-29.
Proposed mitigation
Establish security mechanisms to handle malicious properly.
The text was updated successfully, but these errors were encountered: