Microsoft's Threat Model of Web Applications

These categories represent common vulnerability areas to Web applications. The categories have been derived by security experts who have examined and analyzed the top security issues across many Web applications. They have been refined with input from Microsoft consultants, product support engineers, customers, and Microsoft partners.

Category Description
Input and Data Validation How do you know that the input that your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing.
Authentication Who are you? Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a user name and password.
Authorization What can you do? Authorization is how your application provides access controls for resources and operations.
Configuration Management Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Sensitive Data How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores.
Session Management How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application.
Cryptography How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Parameter Manipulation How does your application manipulate parameter values? Form fields, query string arguments, and cookie values are frequently used as parameters for an application. Parameter manipulation refers to both how your application safeguards tampering of these values and how your application processes input parameters.
Exception Management When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?
Auditing and Logging Who did what and when? Auditing and logging refer to how your application records security-related events.

Source: MSDN


Input and Data Validation

Input attack occurs when an attacker discovers that the application makes unfounded assumptions about the type, length, format, or range of input data.

void SomeFunction( char *pszInput )
char szBuffer[10];
// Input is copied straight into the buffer when no type checking is performed
strcpy(szBuffer, pszInput);
. . .

An attacker can exploit a buffer overflow vulnerability to inject code. With this attack, a malicious user exploits an unchecked buffer in a process by supplying a carefully constructed input value that overwrites the program's stack and alters a function's return address. This causes execution to jump to the attacker's injected code.

SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'

Attackers can inject SQL by terminating the intended SQL statement with the single quote character followed by a semicolon character to begin a new command, and then executing the command of their choice. Consider the following character string entered into the txtuid field.

'; DROP TABLE Customers '

This results in the following statement being submitted to the database for execution:

SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers--'


The authentication mechanism can expose vulnerabilities that attackers can exploit to gain access to your system.


Based on user identity and role membership, authorization to a particular resource or service is either allowed or denied.

Configuration Management

Many applications support configuration management interfaces and functionality to allow operators and administrators to change configuration parameters, update Web site content, and to perform routine maintenance.


Most applications use cryptography to protect data and to ensure it remains private and unaltered.

Parameter Manipulation

Parameter manipulation attacks are a class of attack that relies on the modification of the parameter data sent between the client and Web application.

Exception Management

Exceptions that are allowed to propagate to the client can reveal internal implementation details that make no sense to the end user but are useful to attackers. Applications that do not use exception handling or implement it poorly are also subject to denial of service attacks.

Auditing and Logging

Auditing and logging functions and stores are subject to be attacked.