As I was reading through the two scenarios described in the Tutorial, I had a strong feeling that one important threat model was not covered: Myself as a developer! The threat model goes like this:
1. I build a website that contains a contact form where submitters can leave their contact information.
2. I store the submitted contact form data in my database.
3. At some point in the future, I do a mysqldump and forget about the resulting *.sql file in a public folder on the server.
4. I also don't have a .htaccess directive to prevent direct access to *.sql files.
This is the scenario I find the most likely for many simpler websites. Data theft. Maybe you find this a useful addition to the scenarios? It's not so much about implementation but more about realizing a threat even exists.
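The check and the fix that scenario calls for, as an added example that is not part of the original issue: a small POSIX shell audit that lists forgotten dump files under a web root, plus a function that writes the .htaccess rule the issue mentions. It assumes Apache 2.4 with AllowOverride enabled and dumps named *.sql or *.sql.gz; the directory used in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the original issue): audit a web root for
# forgotten database dumps and deny direct HTTP access to them.
# Assumptions: Apache 2.4, .htaccess honoured (AllowOverride), dumps named
# *.sql or *.sql.gz. The demo directory below is a constructed stand-in.

# Print every dump file under the given web root; return 1 if any exist.
find_exposed_dumps() {
    webroot="$1"
    found=$(find "$webroot" -type f \( -name '*.sql' -o -name '*.sql.gz' \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Write an .htaccess into the web root that blocks direct access to dumps
# (Apache 2.4 "Require all denied" syntax).
write_deny_htaccess() {
    webroot="$1"
    cat > "$webroot/.htaccess" <<'EOF'
# Block direct HTTP access to database dumps, plain or gzipped
<FilesMatch "\.(sql|sql\.gz)$">
    Require all denied
</FilesMatch>
EOF
}

# Demo against a constructed directory standing in for /var/www/html
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/uploads"
    : > "$tmp/uploads/backup.sql"    # constructed forgotten mysqldump output
    : > "$tmp/index.php"
    if find_exposed_dumps "$tmp"; then
        echo "no dumps found under $tmp"
    else
        echo "dumps found; writing deny rule to $tmp/.htaccess"
        write_deny_htaccess "$tmp"
    fi
    rm -rf "$tmp"
}

demo
```

Deleting or moving the dump out of the document root is still the real fix; the deny rule only limits the damage until that happens.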