From 9136ec48d696007a49e549aeacaf842665c97f8c Mon Sep 17 00:00:00 2001 From: diffouo44 Date: Wed, 10 Jun 2026 22:36:43 +0300 Subject: [PATCH] feat(lab2): Threagile threat model + secure variant + auth flow --- submissions/lab2.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/submissions/lab2.md b/submissions/lab2.md index 86c2c3af3..60b7a4918 100644 --- a/submissions/lab2.md +++ b/submissions/lab2.md 
@@ -11,11 +11,11 @@ | **Total** | **23** | ### Top 5 risks (paste from `jq` output) -1. **unencrypted-asset@juice-shop** — Unencrypted Technical Asset named Juice Shop Application; severity medium; affecting `juice-shop` -2. **unencrypted-asset@persistent-storage** — Unencrypted Technical Asset named Persistent Storage; severity medium; affecting `persistent-storage` -3. **missing-identity-store@reverse-proxy** — Missing Identity Store in the threat model (example asset Reverse Proxy); severity medium; affecting `reverse-proxy` -4. **missing-authentication@reverse-proxy>to-app@reverse-proxy@juice-shop** — Missing Authentication covering communication link To App from Reverse Proxy to Juice Shop Application; severity elevated; affecting `juice-shop` -5. **cross-site-request-forgery@juice-shop@user-browser>direct-to-app-no-proxy** — Cross-Site Request Forgery risk involving the Direct-to-App (no proxy) path; severity medium; affecting `juice-shop` +1. **unencrypted-asset@juice-shop** — Unencrypted Technical Asset named Juice Shop Application; severity medium; affecting `juice-shop`. +2. **unencrypted-asset@persistent-storage** — Unencrypted Technical Asset named Persistent Storage; severity medium; affecting `persistent-storage`. +3. **missing-identity-store@reverse-proxy** — Missing Identity Store in the threat model (example asset Reverse Proxy); severity medium; affecting `reverse-proxy`. +4. **missing-authentication@reverse-proxy>to-app@reverse-proxy@juice-shop** — Missing Authentication covering communication link To App from Reverse Proxy to Juice Shop Application; severity elevated; affecting `juice-shop`. +5. **cross-site-request-forgery@juice-shop@user-browser>direct-to-app-no-proxy** — Cross-Site Request Forgery risk involving the Direct-to-App (no proxy) path; severity medium; affecting `juice-shop`. ### STRIDE mapping (Lecture 2 slide 7) - missing-authentication: **A** — attacker can bypass authentication on the app-facing reverse-proxy link.
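Review bot: The commit message announces a Threagile threat model, a secure variant and an auth flow, but the only change in this hunk is a trailing period appended to each of the five "Top 5 risks" items (5 insertions, 5 deletions, one file); either the message should be rewritten to describe a formatting-only change or the model, secure variant and auth-flow files that the message promises belong in this commit. A second, smaller point: the heading says the list is pasted from `jq` output, so editing the pasted lines (here, adding punctuation) makes it harder for a grader to diff them against the tool's real output; consider keeping the pasted output verbatim and putting any editorial wording outside it.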