The Attack Surface of Web Application

The Attack Surface describes all of the different points where an attacker could get into a system, and where they could get data out.

The Attack Surface of an application is:

The sum of all paths for data/commands into and out of the application, and the code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and all valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and the code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).

How to Identify and Map the Attack Surface

Review the design and architecture of documents from an attacker's perspective. Read the source code and identify different points of entry/exit:

• User interface (UI) forms and fields
• HTTP headers and cookies
• APIs
• Files
• Databases
• Other local storage
• Email or other kinds of messages
• Run-time arguments
• ...some other points of entry/exit

The total number of different attack points can easily add up into the thousands or more. To make this manageable, break the model into different types based on function, design and technology:

• Login/authentication entry points
• Admin interfaces
• Inquiries and search functions
• Data entry (CRUD) forms
• Business workflows
• Transactional interfaces/APIs
• Operational command and monitoring interfaces/APIs
• Interfaces with other applications/systems

full-width