You can use the following frameworks, individually or in combination, to structure the IMPACT section of a vulnerability write-up:

1 - CIA (Confidentiality, Integrity, and Availability)
2 - STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege)
3 - STRIDE-LM (STRIDE + Lateral Movement)
4 - Privacy violation
5 - LINDDUN (Linking, Identifying, Non-repudiation, Detecting, Data disclosure, Unawareness and unintervenability, Non-compliance)


Example #1 CIA

Confidentiality - SQL injection can compromise the confidentiality of the data by allowing the attacker to access, read, or disclose sensitive or personal information stored in the database, such as usernames, passwords, credit card numbers, or health records. This can lead to identity theft, fraud, blackmail, or legal issues for the victims.

Integrity - SQL injection can compromise the integrity of the data by allowing the attacker to modify, delete, or insert data in the database, such as changing prices, orders, balances, or grades. This can result in data loss, data corruption, or data inconsistency for the web application and its users.

Availability - SQL injection can compromise the availability of the system by allowing the attacker to disrupt or degrade the performance or functionality of the web application or its components, such as servers, databases, frameworks, or libraries. This can result in denial-of-service attacks, system damage, or system downtime for the web application and its users.



Example #2 STRIDE
The following table maps each STRIDE threat to the security property it violates, which makes the impact easier to phrase:

Problem                  Solution
Spoofing                 Authentication
Tampering                Integrity
Repudiation              Accountability
Information Disclosure   Confidentiality
Denial of Service        Availability
Elevation of Privilege   Authorization

Authentication - An attacker can capture the credentials or session tokens of legitimate users and impersonate them or access their accounts.

Integrity - An attacker can alter the data in transit, such as injecting malicious scripts, adverts, or commands, and compromise the functionality or security of the web server or its clients.

Accountability - An attacker can erase or tamper with the logs or audit trails of the web server, making it difficult to trace the source or impact of an attack.

Confidentiality - An attacker can access the personal or confidential information of the users or the web server, such as names, addresses, passwords, credit card numbers, etc., and use it for malicious purposes or leak it to others.

Availability - An attacker can disrupt the normal operation of the web server by flooding it with requests, redirecting the traffic to other sites, or deleting or corrupting the data.

Privilege escalation - An attacker can exploit the unencrypted communication to gain unauthorized access to higher-privileged accounts or resources on the web server or its clients, and perform actions that are beyond their intended scope.



Example #3 STRIDE-LM

Use all the text from STRIDE.

Lateral movement - An attacker can interact with other systems in the network using the compromised machine as a proxy and gain access beyond the initial point of compromise.



Example #4 Privacy violation

Privacy - Anyone who has access to the network traffic can read user data such as passwords, credit card numbers, phone numbers, physical addresses, email addresses, blood group, existing medical conditions, etc.



Example #5 LINDDUN

Coming soon.





Golden Rules
  • Use full sentences (NOT two words, NOT paragraphs)
  • Use simple language. Refer to the title
  • Keep sentences short
  • Stick strictly to IMPACT
  • Use spell-check and grammar-check


References