README.md, section Currently Supported Threats, needs a legend

[noloader]

Hi Everyone,

We are trying to add some threats to the Pytm sources. We are trying to figure out which categories to use for the threats. The categories are causing use trouble.

Here are some examples:

• INP - seems to be data oriented Input Buffer Overflows (INP01, INP01), but then Server Side Injection (INP03) is code?
• AA - may be Authentication Abuse (AA01), or may be it is Authentication and Authorization?
• DE - may be Double Encoding (DE02), but then... what is Interception (DE01)?
• AC - Shared Data Manipulation (AC02), but what is AC? Shouldn't it be INT for Integrity?
• HA - Path Traversal, but what is HA? Shouldn't it be an untrusted input (INP)?

The table for Currently Supported Threats needs a legend. Or README.md needs a section discussing the Categories.

It would be very helpful if the project documented the legend for the naming scheme.

[izar]

Hi - the legend is not written in stone - we were looking for unique identifiers with at least a semblance of separation between them. The categorization was never too strict simply because the issue never came up, and the identifiers are mostly used for allow-listing known issues.

It is great you want to add threats! If you're not comfortable with adding them to the existing label scheme, feel free to create your own. It would be great if it followed the ??[0-9][0-9]* format, though.

[raphaelahrens]

The grouping of the threats is a little bit over the place and sometimes it just unclear to me as well what the letters are supposed to mean.

But a threat is a threat and it does not matter if it is a denial of service or an information disclosure as long as it is a valid threat to the system. So I agree with izar that it does not matter what letters you put in front of your threats as long as these are valid threats.

That being said here is my understanding of the first letters of all the threats. Maybe this can be used to start a guide on creating new threats.

AA deals with AuthN ( no idea what the second A is for, maybe this was once AuthN and AuthZ) AC with access control (AuthZ) issues API are all threats with a condition that includes .implementsAPI. CR is possibly credentials, crypto, and something with XML routing (CR07) DE is all over the place could be dataflow encryption(DE01, DE03) or encoding (DE02) and I don't know how DE04 fits in. DO is "Denial Of" anything, so threats regarding availability. DR no idea. DS is probably data side-channel. HA is HA01 "Path traversal", HA02 "White Box Reverse Engineering", HA03 "Web Application Fingerprinting", and HA04 "Reverse Engineering". No idea what all of them have in common. INP is most likely dealing with missing input validation/restrictions. LB has only LB01 "API Manipulation" no clue what LB stand for. SC deals with XSS and and JS threats only SC05 is a bit of an outlier in this group since it is dealing with server code.

[noloader]

Hey folks,

Is the mailing list used anymore? The mailing list is advertised as https://groups.google.com/g/pytm-users.

If not, can you email me so we can have an offline conversation? My email address is noloader, gmail account.

[raphaelahrens]

Actually I don't now if the mailing list was ever used. I am on that list for over a year and cannot remember a conversation there. But I'm also only an occasional contributor.

[izar]

@noloader perhaps the slack is the best place for an off-github discussion.

[raphaelahrens]

There is a slack?

[izar]

Ping me on the owasp slack and l will send you an invitation.

On Mon, Apr 1, 2024, 17:54 Raphael Ahrens @.***> wrote:

There is a slack?

— Reply to this email directly, view it on GitHub https://github.com/izar/pytm/issues/233#issuecomment-2030629705, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAC2BAJ6MVZJJBCKWGMZNDTY3HJP3AVCNFSM6AAAAABENENEYCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMZQGYZDSNZQGU . You are receiving this because you commented.Message ID: @.***>