├── Attack Tree
│   ├── BLANK.plantuml
│   ├── BLANK.plantuml.svg
│   ├── README.md
│   ├── cryptowallet.plantuml
│   ├── cryptowallet.plantuml.svg
│   ├── generic-cms.plantuml
│   ├── generic-cms.plantuml.svg
│   ├── iot-device
│   │   ├── iot-device.part1.plantuml
│   │   ├── iot-device.part1.plantuml.svg
│   │   ├── iot-device.part2.plantuml
│   │   └── iot-device.part2.plantuml.svg
│   ├── jetscout
│   │   └── jetscout.jpg
│   ├── online-battleroyale-game
│   │   ├── onlinegame.jpg
│   │   ├── onlinegame.plantuml
│   │   └── onlinegame.plantuml.svg
│   ├── payment
│   │   ├── payment-online.plantuml
│   │   └── payment-online.plantuml.svg
│   ├── physicalsafe.plantuml
│   ├── physicalsafe.plantuml.svg
│   ├── rentingcar.plantuml
│   ├── rentingcar.plantuml.svg
│   ├── scouter
│   │   └── scouter.jpg
│   └── sokify
│       ├── sokify.jpg
│       ├── sokify.plantuml
│       ├── sokify.plantuml.png
│       └── sokify.plantuml.svg
├── Flow Diagram
│   ├── BLANK
│   │   ├── BLANK.py
│   │   ├── BLANK.py.dot
│   │   ├── BLANK.py.pdf
│   │   ├── BLANK.py.png
│   │   └── BLANK.py.svg
│   ├── README.md
│   ├── app-y-ness
│   │   ├── alt1-app-y-ness.py
│   │   ├── alt1-app-y-ness.py.png
│   │   ├── alt1-app-y-ness.py.svg
│   │   ├── app-y-ness.jpg
│   │   ├── app-y-ness.py
│   │   ├── app-y-ness.py.pdf
│   │   ├── app-y-ness.py.png
│   │   └── app-y-ness.py.svg
│   ├── cryptocurrency-wallet
│   │   ├── cryptowallet.vsdx
│   │   ├── cryptowallet.vsdx.dwg
│   │   ├── cryptowallet.vsdx.pdf
│   │   ├── cryptowallet.vsdx.png
│   │   └── cryptowallet.vsdx.svg
│   ├── generic-cms
│   │   ├── generic-cms.py
│   │   ├── generic-cms.py.dot
│   │   ├── generic-cms.py.pdf
│   │   └── generic-cms.py.svg
│   ├── iot-device
│   │   ├── iot-device.vsdx
│   │   ├── iot-device.vsdx.dwg
│   │   ├── iot-device.vsdx.pdf
│   │   ├── iot-device.vsdx.png
│   │   └── iot-device.vsdx.svg
│   ├── jetscout
│   │   ├── alt0-jetscout.jpg
│   │   ├── alt1-jetscout.jpg
│   │   ├── alt10-jetscout.jpg
│   │   ├── alt11-jetscout.jpg
│   │   ├── alt2-jetscout.jpg
│   │   ├── alt3-jetscout.jpg
│   │   ├── alt4-jetscout.jpg
│   │   ├── alt5-jetscout.jpg
│   │   ├── alt6-jetscout.jpg
│   │   ├── alt7-jetscout.jpg
│   │   ├── alt8-jetscout.jpg
│   │   ├── alt9-jetscout.jpg
│   │   └── jetscout.jpg
│   ├── online-battleroyale-game
│   │   ├── onlinegame.jpg
│   │   ├── onlinegame.py
│   │   ├── onlinegame.py.dot
│   │   ├── onlinegame.py.pdf
│   │   ├── onlinegame.py.png
│   │   └── onlinegame.py.svg
│   ├── payment
│   │   ├── payment-online.py
│   │   └── payment-online.py.png
│   ├── renting-car-startup
│   │   ├── alt1-rentingcar.py.png
│   │   ├── alt2-rentingcar.jpg
│   │   ├── rentingcar.jpg
│   │   ├── rentingcar.py
│   │   ├── rentingcar.py.dot
│   │   ├── rentingcar.py.pdf
│   │   ├── rentingcar.py.png
│   │   └── rentingcar.py.svg
│   ├── scouter
│   │   └── scouter.jpg
│   ├── sokify
│   │   ├── alt1-sokify.json
│   │   ├── alt1-sokify.json.pdf
│   │   ├── alt1-sokify.json.png
│   │   └── sokify.jpg
│   └── webapp-threat-dragon
│       ├── webapp-threat-dragon.json
│       ├── webapp-threat-dragon.json.pdf
│       └── webapp-threat-dragon.json.png
├── INDEX.md
├── IriusRisk
│   ├── 3-Tier-Web-App
│   │   ├── 3 Tier Web App - Threat Model and Risk Report.pdf
│   │   ├── Countermeasure-as-jira-ticket- Example.png
│   │   ├── Dataflow Diagram.png
│   │   ├── README.md
│   │   ├── Table of Countermeasures_3-tier-web-app.xls
│   │   └── Table of Threats_3-tier-web-app.xls
│   └── README.md
├── LICENSE.md
├── README.md
└── Template
    ├── BLANK
    │   ├── BLANK-draw.io.onepager.xml
    │   ├── BLANK-draw.io.onepager.xml.pdf
    │   └── BLANK-draw.io.onepager.xml.svg
    └── README.md
/Attack Tree/BLANK.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam monochrome true
3 | skinparam defaultTextAlignment center
4 |
5 | ' Root nodes
6 | agent "Goal" as goal
7 | agent "What attackers want" as what
8 |
9 | agent "Sub-goal" as subgoal
10 | goal --> subgoal
11 |
12 | agent "Sub-goal 2" as subgoal2
13 | goal --> subgoal2
14 |
15 | agent "Ways to get to goal" as subgoal3
16 | what --> subgoal3
17 |
18 | agent "Sub-sub goal" as subsubgoal
19 | agent "Sub-sub goal 2" as subsubgoal2
20 | agent "Sub-sub goal 3" as subsubgoal3
21 | subgoal3 ---> subsubgoal
22 | subgoal3 ---> subsubgoal2
23 | subgoal3 ---> subsubgoal3
24 |
25 | ' Abstraction (not going to model that)
26 | cloud "**···**" as another
27 | subgoal ---> another
28 | subgoal2 ---> subsubgoal
29 |
30 | ' Leaf nodes
31 | agent "exploit" as exploit
32 | agent "ways to get in" as ways
33 | agent "weakness" as weakness
34 |
35 | subsubgoal ---> exploit
36 |
37 | ' Chaining of exploits required to get to sub-sub goal
38 | interface "and" as and
39 | subsubgoal3 --> and
40 | and --> weakness
41 | and --> ways
42 |
43 | @enduml
--------------------------------------------------------------------------------
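Added example, not part of the cookbook: a small Python parser for the attack-tree notation the template above and the other `.plantuml` files here use (`agent` nodes, `interface "and"` for required chaining, `cloud` for abstracted subtrees, `-->`/`--->`/`<--` edges). It expands the OR/AND structure into attack scenarios (sets of leaf steps) and ranks leaves by how many scenarios they take part in, which is the defender's view of where a single countermeasure cuts the most paths. The TEMPLATE string is an abbreviated copy of BLANK.plantuml; the node conventions are assumptions stated in the comments.

```python
import re
from collections import Counter

# Notation assumed from BLANK.plantuml: `agent` = goal, sub-goal or leaf step;
# `interface "and"` = every child is required; `cloud` = abstracted subtree,
# treated as one unmodelled step; edges `a --> b` / `a ---> b` (arrow length only
# changes layout) or reversed `b <-- a`. Any other node with children is an OR.

# Abbreviated copy of the BLANK.plantuml template (blank and skinparam lines dropped).
TEMPLATE = """\
@startuml
agent "Goal" as goal
agent "What attackers want" as what
agent "Sub-goal" as subgoal
goal --> subgoal
agent "Sub-goal 2" as subgoal2
goal --> subgoal2
agent "Ways to get to goal" as subgoal3
what --> subgoal3
agent "Sub-sub goal" as subsubgoal
agent "Sub-sub goal 2" as subsubgoal2
agent "Sub-sub goal 3" as subsubgoal3
subgoal3 ---> subsubgoal
subgoal3 ---> subsubgoal2
subgoal3 ---> subsubgoal3
' Abstraction (not going to model that)
cloud "**···**" as another
subgoal ---> another
subgoal2 ---> subsubgoal
agent "exploit" as exploit
agent "ways to get in" as ways
agent "weakness" as weakness
subsubgoal ---> exploit
' Chaining of exploits required to get to sub-sub goal
interface "and" as and
subsubgoal3 --> and
and --> weakness
and --> ways
@enduml
"""

NODE_RE = re.compile(r'^(agent|interface|cloud)\s+"(.*)"\s+as\s+(\w+)$')
EDGE_RE = re.compile(r'^(\w+)\s*(<-{2,}|-{2,}>)\s*(\w+)$')


def parse_attack_tree(text):
    """Return (labels, kinds, children, roots). Lines matching neither pattern
    (' comments, skinparam, @startuml/@enduml) are ignored."""
    labels, kinds, children, has_parent = {}, {}, {}, set()
    for line in text.splitlines():
        line = line.strip()
        m = NODE_RE.match(line)
        if m:
            kind, label, nid = m.groups()
            kinds[nid], labels[nid] = kind, label
            children.setdefault(nid, [])
            continue
        m = EDGE_RE.match(line)
        if m:
            left, arrow, right = m.groups()
            parent, child = (right, left) if arrow.startswith("<") else (left, right)
            children.setdefault(parent, []).append(child)
            has_parent.add(child)
    roots = [n for n in kinds if n not in has_parent]
    return labels, kinds, children, roots


def attack_scenarios(tree, node):
    """Minimal sets of leaf steps that achieve `node` (OR = any child, AND = all)."""
    labels, kinds, children, _ = tree
    kids = children.get(node, [])
    if not kids:                      # leaf agent or abstracted cloud: one atomic step
        return [frozenset([node])]
    if kinds.get(node) == "interface" and labels.get(node, "").lower() == "and":
        combos = [frozenset()]        # AND: combine one scenario from every branch
        for k in kids:
            combos = [c | s for c in combos for s in attack_scenarios(tree, k)]
        return combos
    seen = []                         # OR (plain agent or interface "or"): any branch
    for k in kids:
        for s in attack_scenarios(tree, k):
            if s not in seen:
                seen.append(s)
    return seen


def mitigation_priority(tree):
    """Leaf labels ranked by how many root-goal scenarios contain them; a step shared
    by many scenarios is where one countermeasure cuts the most attack paths."""
    labels, _, _, roots = tree
    counts = Counter()
    for root in roots:
        for scenario in attack_scenarios(tree, root):
            counts.update(scenario)
    return [(labels.get(n, n), c) for n, c in counts.most_common()]


if __name__ == "__main__":
    print(mitigation_priority(parse_attack_tree(TEMPLATE)))
```

Pointing `parse_attack_tree` at any of the other `.plantuml` files in this folder works the same way, since they follow the template's notation.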
/Attack Tree/BLANK.plantuml.svg:
--------------------------------------------------------------------------------
(rendered SVG of BLANK.plantuml above; extraction kept only the node labels)
--------------------------------------------------------------------------------
/Attack Tree/README.md:
--------------------------------------------------------------------------------
1 | Examples using different tools to create attack trees.
2 |
3 | | Tool | File match |
4 | | :--- | :--- |
5 | | Physical whiteboard or paper | `*.jpg` |
6 | | [PlantUML](https://plantuml-editor.kkeisuke.com/) | `*.plantuml` |
7 |
--------------------------------------------------------------------------------
/Attack Tree/cryptowallet.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam monochrome true
3 | skinparam defaultTextAlignment center
4 |
5 | agent "Steal cryptocurrency" as steal
6 | agent "Manipulate the market" as market
7 | agent "Invade privacy" as privacy
8 |
9 | agent "Expose their spending habits" as spy
10 | privacy --> spy
11 | agent "View their transactions on blockchain" as blockchain
12 | spy --> blockchain
13 |
14 | agent "Gain wallet access" as wallet
15 | steal --> wallet
16 |
17 | agent "**I**nternet **C**on **O**peration" as con
18 | steal --> con
19 |
20 | agent "Steal physical wallet\nand password" as phys
21 | agent "Find wallet seed" as seed
22 | agent "Gain access to\nlocal software wallet" as accesswallet
23 | agent "Gain access to\n web based wallet" as webwallet
24 | wallet --> phys
25 | wallet --> accesswallet
26 | wallet --> webwallet
27 | accesswallet --> seed
28 |
29 | agent "Weak seeding algo" as weakseed
30 | seed --> weakseed
31 |
32 | agent "Malware" as malware
33 | accesswallet --> malware
34 |
35 | agent "Gain remote access\nto local API" as api
36 | agent "Authentication bypass" as lackauth
37 | agent "DNS rebinding attack" as dnsrebind
38 | accesswallet --> api
39 | interface "and" as and
40 | api --> and
41 | and --> lackauth
42 | and --> dnsrebind
43 |
44 | agent "Gain exchange access" as xaccess
45 | agent "Steal account" as xaccount
46 | 'agent "Compromise network" as xnetwork
47 | agent "API access" as xapi
48 | agent "Steal API keys" as xkeys
49 | agent "Authentication bypass" as xauthbypass
50 | steal --> xaccess
51 | xaccess ---> xaccount
52 | 'xaccess --> xnetwork
53 | xaccess --> xapi
54 | xapi --> xkeys
55 | xapi --> xauthbypass
56 | xapi --> xaccount
57 |
58 | agent "Denial of service" as dos
59 | market --> dos
60 | market --> xaccess
61 | 'market -> steal
62 |
63 | cloud "**···**" as another
64 | xaccount --> another
65 | cloud "**···**" as anothertwo
66 | cloud "**···**" as anotherthree
67 | xauthbypass --> anothertwo
68 | xkeys --> anotherthree
69 |
70 | 'spy --> xaccess
71 | 'spy --> wallet
72 |
73 | @enduml
74 |
--------------------------------------------------------------------------------
/Attack Tree/generic-cms.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam monochrome true
3 | skinparam defaultTextAlignment center
4 |
5 | ' Root goals
6 | agent "Steal confidential data" as rootgoal1
7 | agent "Recon for other attacks" as rootgoal2
8 |
9 | ' Sub goals
10 | agent "Gain privileged access" as gainpriv
11 | rootgoal1 ---> gainpriv
12 |
13 | agent "Gather users data" as gatherusers
14 | rootgoal2 --> gatherusers
15 |
16 | agent "Compromise end users" as compromiseenduser
17 | gatherusers --> compromiseenduser
18 | rootgoal1 ---> compromiseenduser
19 |
20 | agent "XSS" as xss
21 | compromiseenduser ---> xss
22 |
23 | agent "Find user password" as guessupassword
24 | compromiseenduser --> guessupassword
25 |
26 | agent "Brute force" as bruteforce
27 | guessupassword --> bruteforce
28 | agent "Find in password dump" as passdump
29 | guessupassword --> passdump
30 |
31 | gainpriv ---> xss
32 |
33 |
34 |
35 | @enduml
--------------------------------------------------------------------------------
/Attack Tree/generic-cms.plantuml.svg:
--------------------------------------------------------------------------------
(rendered SVG of generic-cms.plantuml above; extraction kept only the node labels)
--------------------------------------------------------------------------------
/Attack Tree/iot-device/iot-device.part1.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam monochrome true
3 |
4 | agent "Mass mining" as mine
5 | agent "Mass scan" as scan
6 | agent "DDoS" as ddos
7 | agent "Control many devices \n(Botnet)" as botnet
8 | mine --> botnet
9 | scan --> botnet
10 | ddos --> botnet
11 |
12 | agent "Use legit command" as legitcmd
13 | agent "Exploit device flaws" as flaws
14 | agent "Obtain device access" as access
15 | botnet --> legitcmd
16 | botnet --> flaws
17 | botnet --> access
18 |
19 | agent "Get WiFi LAN access" as wifi
20 | agent "Get Physical access" as phys
21 | agent "Place Factory Backdoor" as factory
22 | agent "Hack cloud server" as cloud
23 | access --> wifi
24 | access --> phys
25 | access --> factory
26 | access --> cloud
27 |
28 | agent "Make my life miserable" as life
29 | agent "Ransomware" as ransomware
30 | agent "Invade my privacy" as privacy
31 | agent "Mess with the lights" as mess
32 |
33 | life --> ransomware
34 | life --> privacy
35 | life --> mess
36 |
37 | agent "View my habits" as habits
38 | agent "Spy on me live" as spy
39 | privacy --> habits
40 | privacy --> spy
41 |
42 | agent "Steal cloud data" as data
43 | habits --> data
44 | spy --> data
45 | data ---> cloud
46 |
47 | agent "Sniff network" as sniff
48 | habits ---> sniff
49 | spy ---> sniff
50 | access --> sniff
51 | sniff --> wifi
52 | sniff --> phys
53 |
54 | @enduml
--------------------------------------------------------------------------------
/Attack Tree/iot-device/iot-device.part1.plantuml.svg:
--------------------------------------------------------------------------------
(rendered SVG of iot-device.part1.plantuml above; extraction kept only the node labels)
--------------------------------------------------------------------------------
/Attack Tree/iot-device/iot-device.part2.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 |
3 | skinparam monochrome true
4 |
5 | agent "Hack cloud server" as cloud
6 |
7 | agent "Hack system" as sys
8 | agent "Hack account" as acc
9 |
10 | cloud --> sys
11 | cloud --> acc
12 |
13 | agent "Hack API" as api
14 | agent "Hack server" as server
15 |
16 | agent "RCE" as rce
17 | agent "SQLi" as sqli
18 |
19 | sys ---> api
20 | sys --> server
21 |
22 | server --> api
23 |
24 | api --> rce
25 |
26 | api ---> sqli
27 |
28 | rce --> sqli
29 |
30 | @enduml
--------------------------------------------------------------------------------
/Attack Tree/iot-device/iot-device.part2.plantuml.svg:
--------------------------------------------------------------------------------
(rendered SVG of iot-device.part2.plantuml above; extraction kept only the node labels)
--------------------------------------------------------------------------------
/Attack Tree/jetscout/jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Attack Tree/jetscout/jetscout.jpg
--------------------------------------------------------------------------------
/Attack Tree/online-battleroyale-game/onlinegame.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Attack Tree/online-battleroyale-game/onlinegame.jpg
--------------------------------------------------------------------------------
/Attack Tree/online-battleroyale-game/onlinegame.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam monochrome true
3 | skinparam defaultTextAlignment center
4 |
5 | ' Root nodes
6 | agent "Win Game" as win
7 | agent "Grief Players" as grief
8 | agent "Gain Fame" as fame
9 |
10 | agent "git gud" as gitgud
11 | win <-- gitgud
12 | cloud "**...**" as nope
13 | gitgud <-- nope
14 |
15 | agent "Local Cheat" as cheat
16 | win <-- cheat
17 | agent "Speed Hack" as speedhack
18 | agent "No Clip" as noclip
19 | agent "Wall Hack" as wallhack
20 | agent "Aim Bot" as aimbot
21 | cheat <-- speedhack
22 | cheat <-- noclip
23 | cheat <-- wallhack
24 | cheat <-- aimbot
25 |
26 | agent "Abuse client/server\nINPUT" as input
27 | agent "Abuse client/server\nOUTPUT" as output
28 | speedhack <-- input
29 | noclip <-- input
30 | wallhack <-- output
31 | agent "Spy Memory" as spymem
32 | output <-- spymem
33 | agent "Hook DLL" as hookdll
34 | spymem <-- hookdll
35 | agent "Windows OS limitations" as windows
36 | agent "DLL Injection" as dllinjection
37 | hookdll <-- windows
38 | hookdll <-- dllinjection
39 | agent "Network Sniff" as network
40 | output <-- network
41 |
42 | agent "Disconnect other players" as discon
43 | win <-- discon
44 | grief <-- discon
45 |
46 | agent "Mess with game progression" as progress
47 | grief <-- progress
48 | agent "Hack Ranking" as ranking
49 | progress <--- ranking
50 | agent "Hack Equipment/Skins" as equip
51 | progress <--- equip
52 |
53 | agent "Delete Account" as deleteaccount
54 | grief <-- deleteaccount
55 |
56 | agent "Hack Moderation Website" as hackwwwmods
57 | deleteaccount <-- hackwwwmods
58 | interface "and" as and
59 | agent "Gain corp network access" as gaincorp
60 | hackwwwmods <-- and
61 | agent "Steal Login Credentials" as steallogin
62 | agent "Exploit Website Server" as exploitserver
63 | and <-- gaincorp
64 | interface "or" as or
65 | and <-- or
66 | or <-- steallogin
67 | or <-- exploitserver
68 |
69 | agent "Gain Access to DB" as gainaccessdb
70 | deleteaccount <-- gainaccessdb
71 | agent "Hack API REST" as hackapirest
72 | interface "and" as and2
73 | and2 <-- gaincorp
74 | gainaccessdb <-- and2
75 | and2 <-- hackapirest
76 | agent "RCE" as rce
77 | agent "SQLi" as sqli
78 | hackapirest <-- rce
79 | hackapirest <-- sqli
80 |
81 | agent "Hack Scoreboard" as hackscore
82 | fame <-- hackscore
83 |
84 | @enduml
--------------------------------------------------------------------------------
/Attack Tree/payment/payment-online.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam backgroundcolor monochrome
3 | 'skinparam monochrome true
4 | skinparam defaultTextAlignment center
5 | skinparam titleFontSize 22
6 | skinparam handwritten true
7 |
8 | !define SPRITESURL https://raw.githubusercontent.com/rabelenda/cicon-plantuml-sprites/v1.0/sprites
9 | !includeurl SPRITESURL/user.puml
10 |
11 | !define ICONURL https://raw.githubusercontent.com/tupadr3/plantuml-icon-font-sprites/v2.2.0
12 | !includeurl ICONURL/common.puml
13 | !includeurl ICONURL/font-awesome-5/cc_stripe.puml
14 |
15 | skinparam rectangle {
16 | borderColor Black
17 | backgroundColor #fff
18 | }
19 | skinparam agent {
20 | borderColor Black
21 | backgroundColor #fff
22 | }
23 | skinparam sequence{
24 | arrowColor Black
25 | }
26 | skinparam usecase {
27 | borderColor #fff
28 | backgroundColor #fff
29 | shadowing false
30 | fontSize 18
31 | }
32 |
33 | title
34 |
35 | Threat Model | Attack Tree | Payment Online
36 |
37 | end title
38 |
39 | 'legend left
40 | 'text
41 | 'endlegend
42 |
43 | left footer
44 | [[https://github.com/TClark000/threat-models/blob/base/Flow%20Diagram/payment/img/payment_online_advanced.html{Report} Flow Diagram Report with Vulnerabilities]]
45 | github.com/tclark000/threat-models/blob/base/Flow Diagram/payment/img/payment_online_advanced.html
46 |
47 | end footer
48 |
49 | (key entities/actors within \nthe payment process) as subtitle
50 |
51 | rectangle "<$user>\nThreat" as threat #Thistle
52 | rectangle "<$user>\nCustomer" as customer #LightGoldenRodYellow
53 | rectangle "<$user>\nMerchant" as merchant #LightGoldenRodYellow
54 | FA5_CC_STRIPE(stripe,Stripe) #LightGoldenRodYellow
55 |
56 | 'threat <. subtitle
57 | 'subtitle .> stripe
58 | 'subtitle .> merchant
59 | 'subtitle .> customer
60 | subtitle .> threat
61 | stripe <. subtitle
62 | merchant <. subtitle
63 | customer <. subtitle
64 |
65 | ' Root nodes
66 | agent "Intent - Disrupt Merchant Business" as goalDisrupt
67 | agent "Intent - Steal Credit Card Details" as goalSteal
68 |
69 | subtitle ... goalDisrupt #fff
70 | subtitle ... goalSteal #fff
71 |
72 | ' goalDisrupt
73 | agent "Prevent Purchases \nor Subscriptions" as goalPrevent
74 | agent "Use fraudulent \ncredit card" as goalFraudulentCC
75 | agent "Take advantage of Misconfiguration \n& Vulnerabilities" as goalApp
76 | agent "Target Stripe API" as goalStripeApi
77 | agent "Site Displays \nDifferent Content" as goalSite
78 | agent "Site no Longer Responds" as goalSite2
79 | agent "Steal customers" as goalStealCust
80 | agent "Create Fake Payments \nwith Stolen Cards" as goalFakePayments
81 | agent "Issue Fake Refunds \nand Cancel Orders" as goalRefund
82 |
83 | goalDisrupt --> goalFakePayments
84 | goalDisrupt--> goalRefund
85 | goalDisrupt --> goalPrevent
86 | goalDisrupt --> goalFraudulentCC
87 | goalDisrupt --> goalApp
88 | goalDisrupt --> goalStripeApi
89 | goalDisrupt --> goalStealCust
90 | goalDisrupt --> goalSite
91 | goalDisrupt --> goalSite2
92 |
93 | note top of goalFraudulentCC #LightGoldenRodYellow: Thwarted by implementing 3D Secure
94 |
95 | agent "Target Merchant API" as goalMerchantApi
96 | agent "Create a \nMock website" as goalMock
97 |
98 | goalPrevent --> goalMerchantApi
99 | goalStealCust --> goalMock
100 |
101 | agent "Denial of Service" as goalDoS
102 |
103 | goalMerchantApi --> goalDoS
104 |
105 | agent "Tamper with Application \ncausing outage" as goalCrash
106 | agent "Compromise Merchant \nWeb Servers" as goalServers
107 |
108 | goalApp --> goalCrash
109 | goalCrash --> goalServers
110 |
111 | agent "Command Line Execution \nthrough SQL Injection" as goalCLE
112 | agent "Path Traversal" as goalPathTraversal
113 | agent "Session Hijacking \n- ServerSide" as goalSessionServerSide
114 | agent "Using Malicious Files" as goalMaliciousFiles
115 | agent "XSS Targeting \nNon-Script Elements" as goalXSS
116 |
117 | goalServers --> goalCLE
118 | goalServers --> goalPathTraversal
119 | goalServers --> goalSessionServerSide
120 | goalServers --> goalMaliciousFiles
121 | goalServers --> goalXSS
122 |
123 | agent "Gain access to Stripes \nMerchant Dashboard" as goalMerchantDashboard
124 | agent "Compromise and \nor steal employee laptop \nand mobile phone" as goalLaptop
125 | goalFakePayments--> goalMerchantDashboard
126 | goalRefund --> goalMerchantDashboard
127 | goalMerchantDashboard --> goalLaptop
128 |
129 | agent "Domain Hijacking" as goalDomain
130 | agent "Denial of Service Attack" as goalDoS2
131 |
132 | goalSite --> goalDomain
133 | goalSite2 --> goalDomain
134 | goalSite2 --> goalDoS2
135 |
136 | ' goalSteal
137 | agent "Target Customer Details \nstored by Merchant (db)" as goalCustLogin
138 | agent "Target Customer Client \n(home pc)" as goalCustClient
139 | agent "Target Stripe" as goalStripe
140 | agent "Customer uses Public WiFi \nto make a Payment" as goalPublicWiFi
141 |
142 | goalSteal --> goalCustLogin
143 | goalSteal --> goalCustClient
144 | goalSteal --> goalStripe
145 | goalSteal --> goalPublicWiFi
146 |
147 | agent "Target known \nCustomers of Merchant" as goalSocial
148 | agent "Social Engineering \nsuch as phishing" as goalSocialEng
149 | agent "Take advantage of \nMisconfiguration \n& Vulnerabilities" as goalStripeMisConfig
150 | agent "Insecure Wireless \nProtocols (WEP)" as goalMitM
151 |
152 | goalCustLogin --> goalSocial
153 | goalCustClient --> goalSocial
154 | goalStripe --> goalSocialEng
155 | goalStripe --> goalStripeMisConfig
156 | goalPublicWiFi --> goalMitM
157 |
158 | agent "Lateral movement \nwithin Organization" as goalLateral
159 | agent "Target Stripe for \nAdministrative rights" as goalStripeAdmin
160 | agent "Man in the Middle Attack\n(MiTM)" as goalManInMiddle
161 |
162 | goalSocialEng --> goalStripeAdmin
163 | goalStripeAdmin --> goalLateral
164 | goalStripeMisConfig --> goalStripeAdmin
165 | goalStripeMisConfig --> goalLateral
166 | goalMitM --> goalManInMiddle
167 |
168 | agent "Inject false Info & \nIntercept Data transfer" as goalDataWiFi
169 |
170 | goalManInMiddle --> goalDataWiFi
171 |
172 | goalMock --> goalSocial
173 | goalStripeApi --> goalDoS
174 |
175 | agent "Social Engineering \nphishing" as goalPhishing
176 | agent "Session Hijacking" as goalSessionHijacking
177 |
178 | goalSocial --> goalPhishing
179 | goalSocial --> goalSessionHijacking
180 |
181 | agent "Steal Customer Data" as goalData
182 | agent "Transfer Money to \nWrong Account" as goalBankAccount
183 |
184 | goalLateral --> goalData
185 | goalDataWiFi --> goalBankAccount
186 |
187 | @enduml
188 |
--------------------------------------------------------------------------------
/Attack Tree/physicalsafe.plantuml:
--------------------------------------------------------------------------------
1 |
2 | @startuml
3 | skinparam monochrome true
4 | skinparam defaultTextAlignment center
5 |
6 | ' Root node
7 | agent "Open Safe" as goal
8 |
9 | ' Sub goals
10 | agent "Pick Lock" as picklock
11 | agent "Learn Combo" as learncombo
12 | agent "Cut Open Safe" as cutopensafe
13 |
14 | goal --> picklock
15 | goal --> learncombo
16 | goal --> cutopensafe
17 |
18 | agent "Find Written Combo" as findwritten
19 | learncombo --> findwritten
20 |
21 | agent "Get Combo from Target" as getcombotarget
22 | learncombo --> getcombotarget
23 | agent "Extortion" as extortion
24 | agent "Eavesdrop" as evesdrop
25 | agent "Bribe" as bribe
26 | getcombotarget --> extortion
27 | getcombotarget --> evesdrop
28 | getcombotarget --> bribe
29 |
30 | interface "and" as and
31 | evesdrop --> and
32 |
33 | agent "Listen to Conversation" as listenconvo
34 | agent "Target Says Combo" as targetsayscombo
35 | and --> listenconvo
36 | and --> targetsayscombo
37 |
38 | ' Abstraction (not going to model that)
39 | cloud "**···**" as another
40 | extortion --> another
41 |
42 | @enduml
43 |
--------------------------------------------------------------------------------
/Attack Tree/physicalsafe.plantuml.svg:
--------------------------------------------------------------------------------
(rendered SVG of physicalsafe.plantuml above; extraction kept only the node labels)
--------------------------------------------------------------------------------
/Attack Tree/rentingcar.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam monochrome true
3 | skinparam defaultTextAlignment center
4 | ' Root nodes
5 | agent "Steal Car" as goalsteal
6 | agent "Disrupt business operations" as goaldisrupt
7 |
8 | ' Sub goals
9 | agent "Make car unrentable" as goaldos
10 | agent "Rent all cars" as goalrentall
11 |
12 | goaldisrupt --> goaldos
13 | goaldisrupt --> goalrentall
14 |
15 | agent "DoS car rentals" as dosrentals
16 | goaldos --> dosrentals
17 |
18 | agent "Break Cars" as breakcars
19 | agent "DoS API Gateway" as dosapi
20 | agent "Mess with mobile app" as messmobile
21 | dosrentals --> breakcars
22 | ' This is a good opportunity to try refactoring for better view
23 | ' Try changing the following ---> to --> and see how it looks
24 | dosrentals ---> dosapi
25 | dosrentals --> messmobile
26 |
27 | agent "Crash Mobile App" as crashmobile
28 | messmobile --> crashmobile
29 |
30 | agent "Get App Removed from App Store" as removestore
31 | messmobile --> removestore
32 |
33 | agent "DDoS with many requests" as ddosreq
34 | agent "Screw certificates" as screwcerts
35 | agent "Gain Access to system" as gainsysaccess
36 | dosapi --> ddosreq
37 | dosapi --> screwcerts
38 | dosapi --> gainsysaccess
39 |
40 | agent "Steal admin credentials" as stealadmincreds
41 | gainsysaccess --> stealadmincreds
42 |
43 | agent "(todo)" as detailsadminscred
44 | stealadmincreds --> detailsadminscred
45 |
46 | agent "SF Style" as sfstyle
47 | goalsteal --> sfstyle
48 | cloud "**···**" as cloud1
49 | sfstyle --> cloud1
50 |
51 | interface "and" as and1
52 | goalsteal --> and1
53 |
54 | agent "Unlock Car" as unlockcar
55 | agent "Start Engine" as startengine
56 | and1 --> unlockcar
57 | and1 --> startengine
58 |
59 | agent "Gain Car Owner Access" as gainowner
60 |
61 | unlockcar --> gainowner
62 | startengine --> gainowner
63 |
64 | agent "Get Owner Credentials" as getocreds
65 | gainowner --> getocreds
66 | gainowner --> gainsysaccess
67 |
68 | agent "Steal creds from owner" as stealcreds
69 | getocreds --> stealcreds
70 | agent "Ask nicely" as nicely
71 | getocreds --> nicely
72 |
73 | agent "Bluetooth snarfing" as snarf
74 | stealcreds --> snarf
75 |
76 | agent "Evil Twin" as eviltwin
77 | stealcreds --> eviltwin
78 |
79 | agent "Lack of transport crypto" as lackbcrypto
80 |
81 | snarf --> lackbcrypto
82 |
83 | @enduml
--------------------------------------------------------------------------------
/Attack Tree/scouter/scouter.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Attack Tree/scouter/scouter.jpg
--------------------------------------------------------------------------------
/Attack Tree/sokify/sokify.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Attack Tree/sokify/sokify.jpg
--------------------------------------------------------------------------------
/Attack Tree/sokify/sokify.plantuml:
--------------------------------------------------------------------------------
1 | @startuml
2 | skinparam monochrome true
3 | skinparam defaultTextAlignment center
4 |
5 | ' Root nodes
6 | agent "financial Gain" as financial
7 | agent "stalk" as stalk
8 |
9 | ' Sub goals
10 | agent "steal customers information" as steal
11 | agent "view public data" as viewpublic
12 |
13 | financial --> steal
14 | stalk --> steal
15 | stalk --> viewpublic
16 |
17 | agent "search for leak" as leak
18 | agent "view instagram" as instagram
19 | viewpublic --> leak
20 | viewpublic --> instagram
21 |
22 | agent "compromised marketing laptop" as laptop
23 | agent "Hack all the fax" as fax
24 |
25 | steal --> laptop
26 | steal --> fax
27 |
28 | cloud "**...**" as cloud1
29 | cloud "**...**" as cloud2
30 | laptop --> cloud1
31 | fax --> cloud2
32 |
33 | agent "hack web api" as hackapi
34 | steal --> hackapi
35 |
36 | agent "domain name takeover" as dnstakeover
37 | agent "intercept incoming traffic" as intercept
38 | agent "impersonate user" as impersonate
39 |
40 | hackapi ---> dnstakeover
41 | hackapi ---> intercept
42 | hackapi ---> impersonate
43 |
44 | agent "registration jacking" as regjacking
45 | agent "mitm" as mitm
46 | agent "find vuln" as findvuln
47 |
48 | hackapi ---> findvuln
49 |
50 | impersonate --> regjacking
51 | impersonate --> mitm
52 | impersonate --> findvuln
53 |
54 | interface "and" as and1
55 | mitm --> and1
56 |
57 | agent "user connecting to public wifi" as publicwifi
58 | agent "clear text protocol" as cleartext
59 | and1 --> publicwifi
60 | and1 --> cleartext
61 |
62 |
63 | @enduml
--------------------------------------------------------------------------------
/Attack Tree/sokify/sokify.plantuml.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Attack Tree/sokify/sokify.plantuml.png
--------------------------------------------------------------------------------
/Attack Tree/sokify/sokify.plantuml.svg:
--------------------------------------------------------------------------------
(rendered SVG of sokify.plantuml above; extraction kept only the node labels)
--------------------------------------------------------------------------------
/Flow Diagram/BLANK/BLANK.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pytm import TM, Actor, Boundary, Dataflow, Datastore, Server, SetOfProcesses
4 |
5 | tm = TM("Example Flow Diagram")
6 | tm.description = "This is a sample threat model for the Threat Modeling Workshop."
7 |
8 | internet = Boundary(" ")
9 |
10 | user = Actor("Actor (user)")
11 |
12 | web = Server("Process")
13 | web.inBoundary = internet
14 |
15 | api = Server("Another Process")
16 | api.inBoundary = internet
17 |
18 | db = Datastore("Datastore")
19 | db.inBoundary = internet
20 |
21 | another = SetOfProcesses("Multiple Processes")
22 | another.inBoundary = internet
23 |
24 | user_to_web = Dataflow(user, web, "HTTPS")
25 | web_to_api = Dataflow(web, api, "HTTP")
26 | api_to_db = Dataflow(api, db, " ")
27 | web_to_another = Dataflow(web, another, "?")
28 |
29 | tm.process()
--------------------------------------------------------------------------------
/Flow Diagram/BLANK/BLANK.py.dot:
--------------------------------------------------------------------------------
1 | digraph tm {
2 | graph [
3 | fontname = Arial;
4 | fontsize = 14;
5 | ]
6 | node [
7 | fontname = Arial;
8 | fontsize = 14;
9 | rankdir = lr;
10 | ]
11 | edge [
12 | shape = none;
13 | fontname = Arial;
14 | fontsize = 12;
15 | ]
16 | labelloc = "t";
17 | fontsize = 20;
18 | nodesep = 1;
19 |
20 | subgraph cluster_cacebafcaebeabfbbacecaba {
21 | graph [
22 | fontsize = 10;
23 | fontcolor = firebrick2;
24 | style = dashed;
25 | color = firebrick2;
26 | label = < >;
27 | ]
28 |
29 | bfecadfeecdeafdaedadecf [
30 | shape = circle
31 | color = black
32 | label = <>;
33 | ]
34 | fcbdafdbbdcfcbbbefdee [
35 | shape = circle
36 | color = black
37 | label = <>;
38 | ]
39 | ffaddaddffcafad [
40 | shape = none;
41 | color = black;
42 | label = <>;
43 | ]
44 | deddbeacafbddfdccbcbccbbf [
45 | shape = doublecircle;
46 | color = black;
47 |
48 | label = <>;
49 | ]
50 |
51 | }
52 |
53 | dcecfdcdcbadffbc [
54 | shape = square;
55 | label = <>;
56 | ]
57 | dcecfdcdcbadffbc -> bfecadfeecdeafdaedadecf [
58 | color = black;
59 | label = <>;
60 | ]
61 | bfecadfeecdeafdaedadecf -> fcbdafdbbdcfcbbbefdee [
62 | color = black;
63 | label = <>;
64 | ]
65 | fcbdafdbbdcfcbbbefdee -> ffaddaddffcafad [
66 | color = black;
67 | label = <>;
68 | ]
69 | bfecadfeecdeafdaedadecf -> deddbeacafbddfdccbcbccbbf [
70 | color = black;
71 | label = <>;
72 | ]
73 | }
74 |
--------------------------------------------------------------------------------
/Flow Diagram/BLANK/BLANK.py.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/BLANK/BLANK.py.pdf
--------------------------------------------------------------------------------
/Flow Diagram/BLANK/BLANK.py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/BLANK/BLANK.py.png
--------------------------------------------------------------------------------
/Flow Diagram/BLANK/BLANK.py.svg:
--------------------------------------------------------------------------------
[SVG rendering of BLANK.py (figure): Actor (user) -> Process (HTTPS); Process -> Another Process (HTTP); Process -> Multiples Process (?); Another Process -> Datastore (unlabelled)]
--------------------------------------------------------------------------------
/Flow Diagram/README.md:
--------------------------------------------------------------------------------
1 | Examples of flow diagrams using different tools to create them.
2 |
3 | Can be of various sub-types such as
4 | * Data Flow Diagram
5 | * Connection Flow Diagram
6 | * Process Flow Diagram
7 |
8 | | Tool | File match |
9 | | :--- | :--- |
10 | | [pytm](https://github.com/izar/pytm/): A Pythonic framework for threat modeling | `*.py` |
11 | | [Threat Dragon](https://owasp.org/www-project-threat-dragon/): The OWASP threat modelling tool | `*.json` |
12 | | [Graphviz](https://graphviz.gitlab.io/) DOT | `*.dot` |
13 | | Microsoft Visio | `*.vsdx` |
14 | | Physical whiteboard or paper | `*.jpg` |
15 |
16 | Currently pytm generates the DOT file, and Graphviz is then used to render it into the output formats.
17 |
18 | Threat Dragon is an OWASP project. It is both an online threat modelling web application and a desktop application. It includes system diagramming as well as a rule engine to auto-generate threats.
19 |
20 | Files starting with `altN-` are alternate versions of the same system, modelled by a different person.
21 |
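The two steps the README describes, a model written as code and then a DOT file handed to Graphviz, plus the kind of automated check a rule engine applies to it, are illustrated below in a small self-contained Python script. This is an added example, not pytm's code and not part of the cookbook: its `Element`/`Dataflow` classes, its protocol-label vocabulary, its severity levels and its DOT layout are all assumptions of the example, and the model it builds is a constructed copy of the generic-cms example rather than the cookbook's own file. It flags dataflows whose protocol label is blank or `?` (both occur in the cookbook models), cleartext flows, with a higher severity when they cross a trust boundary, and boundary crossings whose label the vocabulary does not recognise; it then emits DOT that `dot` can render.

```python
"""Minimal data-flow model: boundary checks plus Graphviz DOT export (example, not pytm)."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol-label vocabulary for the rules below: an assumption of this example,
# not a pytm rule set. Labels are free text in the cookbook models.
ENCRYPTED_TOKENS = {"https", "tls", "ssh", "sftp", "wss"}
CLEARTEXT_TOKENS = {"http", "ftp", "telnet", "ws", "unsecure", "insecure", "plaintext"}
# Node shapes chosen to match the pytm-generated .dot files in this directory.
SHAPES = {"actor": "square", "process": "circle", "datastore": "none"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # "actor", "process" or "datastore"
    boundary: Optional[str] = None   # None = outside every trust boundary


@dataclass(frozen=True)
class Dataflow:
    src: Element
    dst: Element
    protocol: str                    # free-text label, e.g. "HTTPS", " ", "?"


def classify(protocol: str) -> str:
    """Map a label to 'unlabelled', 'encrypted', 'cleartext' or 'unknown'."""
    tokens = set(re.findall(r"[a-z0-9]+", protocol.lower()))
    if not tokens:                   # " " and "?" carry no information
        return "unlabelled"
    if tokens & ENCRYPTED_TOKENS:
        return "encrypted"
    if tokens & CLEARTEXT_TOKENS:
        return "cleartext"
    return "unknown"


def check_flows(flows: List[Dataflow]) -> List[Tuple[str, str, str]]:
    """Return (edge, severity, message) for every flow that needs attention."""
    findings = []
    for f in flows:
        edge = f"{f.src.name} -> {f.dst.name}"
        crosses = f.src.boundary != f.dst.boundary
        kind = classify(f.protocol)
        if kind == "unlabelled":
            findings.append((edge, "info", "protocol not specified"))
        elif kind == "cleartext":
            where = "across a trust boundary" if crosses else "inside one zone"
            severity = "high" if crosses else "medium"
            findings.append((edge, severity, f"cleartext protocol {f.protocol.strip()!r} {where}"))
        elif kind == "unknown" and crosses:
            findings.append((edge, "info", f"boundary crossing with unrecognised label {f.protocol!r}"))
    return findings


def node_id(e: Element) -> str:
    """DOT identifier derived from the element name (pytm hashes names instead)."""
    return re.sub(r"\W+", "_", e.name)


def to_dot(flows: List[Dataflow]) -> str:
    """Emit Graphviz DOT: one dashed cluster per boundary, edges labelled with the protocol."""
    elements: List[Element] = []
    for f in flows:
        for e in (f.src, f.dst):
            if e not in elements:
                elements.append(e)
    by_boundary = defaultdict(list)
    for e in elements:
        by_boundary[e.boundary].append(e)
    lines = ["digraph tm {", "  rankdir = LR;"]
    for boundary, members in by_boundary.items():
        indent = "  "
        if boundary is not None:
            lines.append(f'  subgraph "cluster_{boundary}" {{')
            lines.append(f'    label = "{boundary}"; style = dashed; color = firebrick2;')
            indent = "    "
        for e in members:
            lines.append(f'{indent}"{node_id(e)}" [shape = {SHAPES[e.kind]}, label = "{e.name}"];')
        if boundary is not None:
            lines.append("  }")
    for f in flows:
        lines.append(f'  "{node_id(f.src)}" -> "{node_id(f.dst)}" [label = "{f.protocol.strip()}"];')
    lines.append("}")
    return "\n".join(lines)


def sample_model() -> List[Dataflow]:
    """Constructed model mirroring the generic-cms example (not the cookbook's file)."""
    user = Element("Generic/Privilege User", "actor")
    web = Element("Web Server", "process", "Internet")
    db = Element("db", "datastore", "Internet")
    admin = Element("admin", "actor")
    cdn = Element("CDN network", "process")
    return [
        Dataflow(user, web, "HTTPS"),
        Dataflow(web, db, " "),
        Dataflow(admin, db, "unsecure mysql connection"),
        Dataflow(user, cdn, "HTTP"),
        Dataflow(web, cdn, "Push to Bucket"),
    ]


if __name__ == "__main__":
    model = sample_model()
    for edge, severity, message in check_flows(model):
        print(f"[{severity}] {edge}: {message}", file=sys.stderr)
    print(to_dot(model))  # pipe into: dot -Tpng -o generic-cms.png
```

Findings go to stderr and the DOT to stdout, so the script can be piped straight into `dot -Tpng -o out.png` the way the pytm models in this directory are. On the constructed model it reports the blank Web Server -> db label, the cleartext admin -> db connection as high because it crosses the Internet boundary, the HTTP user -> CDN flow as medium, and the unrecognised "Push to Bucket" crossing as informational.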
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/alt1-app-y-ness.py:
--------------------------------------------------------------------------------
1 | from pytm.pytm import TM, Boundary, Server, Actor, Datastore, Dataflow, SetOfProcesses
2 |
3 | tm = TM("App-y-ness")
4 | tm.description = "This is a sample threat model for the Threat Modeling Workshop."
5 |
6 | internet = Boundary("Internet")
7 |
8 | user = Actor("App-y-tenant")
9 |
10 | app = Server("Mobile App")
11 |
12 | buyApi = Server("Buy API-y")
13 | buyApi.inBoundary = internet
14 |
15 | rentApi = Server("Rent API-y")
16 | rentApi.inBoundary = internet
17 |
18 | market = SetOfProcesses("Market-y")
19 | market.inBoundary = internet
20 |
21 | alertApi = Server("Alert API-y")
22 | alertApi.inBoundary = internet
23 |
24 | authApi = Server("Auth API-y")
25 | authApi.inBoundary = internet
26 |
27 | allAuth = Server("All Auth")
28 | allAuth.inBoundary = internet
29 |
30 | phoneCloud = Server("Phone Provider Cloud")
31 |
32 | firensurfCloud = Server("Fire n' Surf .gov")
33 |
34 | dbB = Datastore("Oracle Table B")
35 | dbB.inBoundary = internet
36 |
37 | dbR = Datastore("Oracle Table R")
38 | dbR.inBoundary = internet
39 |
40 | dbT = Datastore("Oracle Table T")
41 | dbT.inBoundary = internet
42 |
43 | user_to_app = Dataflow(user, app, "use")
44 | app_to_buyapi = Dataflow(app, buyApi, "HTTPS JSON")
45 | app_to_phonecloud = Dataflow(app, phoneCloud, " ")
46 | app_to_rentapi = Dataflow(app, rentApi, "HTTPS JSON")
47 | app_to_authapi = Dataflow(app, authApi, "HTTPS JSON")
48 | authapi_to_dbt = Dataflow(authApi, dbT, "Token-y")
49 | allauth_to_dbt = Dataflow(allAuth, dbT, " ")
50 | buyapi_to_dbt = Dataflow(buyApi, dbT, " ")
51 | buyapi_to_market = Dataflow(buyApi, market, " ")
52 | rentapi_to_dbr = Dataflow(rentApi, dbR, " ")
53 | buyapi_to_dbb = Dataflow(buyApi, dbB, " ")
54 | rentapi_to_market = Dataflow(rentApi, market, " ")
55 | alert_to_phonecloud = Dataflow(alertApi, phoneCloud, "push")
56 | alert_to_firensurf = Dataflow(alertApi, firensurfCloud, "Kafka HTTPS")
57 | firensurf_to_alert = Dataflow(firensurfCloud, alertApi, "push")
58 | buyapi_to_phonecloud = Dataflow(buyApi, phoneCloud, " ")
59 |
60 | tm.process()
61 |
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/alt1-app-y-ness.py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/app-y-ness/alt1-app-y-ness.py.png
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/alt1-app-y-ness.py.svg:
--------------------------------------------------------------------------------
[SVG rendering of alt1-app-y-ness.py (figure): boundary Internet containing Buy API-y, Market-y, Oracle Table B, Oracle Table T, Rent API-y, Oracle Table R, Alert API-y, Auth API-y and All Auth; outside it Phone Provider Cloud, Fire n' Surf .gov, App-y-tenant and Mobile App; labelled edges App-y-tenant -> Mobile App (use), Mobile App -> Buy API-y / Rent API-y / Auth API-y (HTTPS JSON), Auth API-y -> Oracle Table T (Token-y), Alert API-y -> Phone Provider Cloud (push), Alert API-y -> Fire n' Surf .gov (Kafka HTTPS), Fire n' Surf .gov -> Alert API-y (push); the remaining edges are unlabelled]
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/app-y-ness.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/app-y-ness/app-y-ness.jpg
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/app-y-ness.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pytm.pytm import TM, Server, Datastore, Dataflow, Boundary, Actor
4 |
5 | tm = TM("my test tm")
6 | tm.description = "another test tm"
7 |
8 | Web = Boundary("Internal Web")
9 | external_web = Boundary("External Web")
10 |
11 | user = Actor("App-y-Tenant")
12 |
13 | app = Server("Mobile App")
14 |
15 | buy_api = Server("Buy API-y")
16 | buy_api.inBoundary = Web
17 |
18 | rent_api = Server("Rent API-y")
19 | rent_api.inBoundary = Web
20 |
21 | alert_api = Server("Alert API-y")
22 | alert_api.inBoundary = Web
23 |
24 | cloud = Server("Phone Provider Cloud")
25 | cloud.inBoundary = external_web
26 | alert_api_to_cloud = Dataflow(alert_api, cloud, "push")
27 | cloud_to_app = Dataflow(cloud, app, " ")
28 |
29 | db_b = Datastore("Oracle Table B")
30 | db_b.inBoundary = Web
31 | buy_api_to_db = Dataflow(buy_api, db_b, " ")
32 |
33 | db_r = Datastore("Oracle Table R")
34 | db_r.inBoundary = Web
35 | rent_api_to_db = Dataflow(rent_api, db_r, " ")
36 |
37 | db_t = Datastore("Oracle Table Tenants")
38 | db_t.inBoundary = Web
39 | rent_api_to_db_t = Dataflow(rent_api, db_t, " ")
40 | buy_api_to_db_t = Dataflow(buy_api, db_t, " ")
41 | alert_api_to_db_t = Dataflow(alert_api, db_t, " ")
42 |
43 | auth = Server("Auth API-y")
44 | auth.inBoundary = Web
45 | Dataflow(auth, db_t, 'auth')
46 | Dataflow(app, auth, 'https')
47 |
48 | user_to_app = Dataflow(user, app, "use")
49 | app_to_buy_api = Dataflow(app, buy_api, "https")
50 | app_to_rent_api = Dataflow(app, rent_api, "https")
51 | buy_api_to_cloud = Dataflow(buy_api, cloud, " ")
52 |
53 | gov = Server("Fire 'n' Stuff .gov")
54 | gov.inBoundary = external_web
55 | alert_api_to_gov = Dataflow(alert_api, gov, "https")
56 | Dataflow(gov, alert_api, "callback")
57 |
58 | operator = Actor("Operator Employee")
59 | Dataflow(operator, db_t, "admin")
60 |
61 | tm.process()
62 |
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/app-y-ness.py.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/app-y-ness/app-y-ness.py.pdf
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/app-y-ness.py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/app-y-ness/app-y-ness.py.png
--------------------------------------------------------------------------------
/Flow Diagram/app-y-ness/app-y-ness.py.svg:
--------------------------------------------------------------------------------
[SVG rendering of app-y-ness.py (figure): boundary Internal Web containing Buy API-y, Oracle Table B, Oracle Table Tenants, Rent API-y, Oracle Table R, Alert API-y and Auth API-y; boundary External Web containing Phone Provider Cloud and Fire 'n' Stuff .gov; outside both Mobile App, App-y-Tenant and Operator Employee; labelled edges App-y-Tenant -> Mobile App (use), Mobile App -> Buy API-y / Rent API-y / Auth API-y (https), Auth API-y -> Oracle Table Tenants (auth), Alert API-y -> Phone Provider Cloud (push), Alert API-y -> Fire 'n' Stuff .gov (https), Fire 'n' Stuff .gov -> Alert API-y (callback), Operator Employee -> Oracle Table Tenants (admin); the remaining edges are unlabelled]
--------------------------------------------------------------------------------
/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx
--------------------------------------------------------------------------------
/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx.dwg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx.dwg
--------------------------------------------------------------------------------
/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx.pdf
--------------------------------------------------------------------------------
/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/cryptocurrency-wallet/cryptowallet.vsdx.png
--------------------------------------------------------------------------------
/Flow Diagram/generic-cms/generic-cms.py:
--------------------------------------------------------------------------------
1 | from pytm.pytm import TM, Boundary, Server, Actor, Datastore, Dataflow, SetOfProcesses
2 |
3 | tm = TM("Generic CMS example")
4 | tm.description = "This is a sample threat model for the Threat Model Cookbook."
5 |
6 | internet = Boundary("Internet")
7 |
8 | user = Actor("Generic/Privilege User")
9 |
10 | webserver = Server("Web Server")
11 | webserver.inBoundary = internet
12 |
13 | user_to_webserver = Dataflow(user, webserver, "HTTPS")
14 |
15 | db = Datastore("db")
16 | db.inBoundary = internet
17 | webserver_to_db = Dataflow(webserver, db, " ")
18 |
19 | adminuser = Actor("admin")
20 | admin_to_db = Dataflow(adminuser, db, "unsecure mysql connection")
21 |
22 | cdn = SetOfProcesses("CDN network")
23 | user_to_cdn = Dataflow(user, cdn, "HTTP")
24 | webserver_to_cdn = Dataflow(webserver, cdn, "Push to Bucket")
25 |
26 | tm.process()
27 |
--------------------------------------------------------------------------------
/Flow Diagram/generic-cms/generic-cms.py.dot:
--------------------------------------------------------------------------------
1 | digraph tm {
2 | graph [
3 | fontname = Arial;
4 | fontsize = 14;
5 | ]
6 | node [
7 | fontname = Arial;
8 | fontsize = 14;
9 | rankdir = lr;
10 | ]
11 | edge [
12 | shape = none;
13 | fontname = Arial;
14 | fontsize = 12;
15 | ]
16 | labelloc = "t";
17 | fontsize = 20;
18 | nodesep = 1;
19 |
20 | subgraph cluster_bfaefefcfbeeafeefac {
21 | graph [
22 | fontsize = 10;
23 | fontcolor = firebrick2;
24 | style = dashed;
25 | color = firebrick2;
26 | label = <Internet >;
27 | ]
28 |
29 | aaedcfceefeffbdc [
30 | shape = circle
31 | color = black
32 | label = <>;
33 | ]
34 | acbfeaddadeceddbbbbca [
35 | shape = none;
36 | color = black;
37 | label = <>;
38 | ]
39 |
40 | }
41 |
42 | abbfadcbfacaebcdefda [
43 | shape = square;
44 | label = <>;
45 | ]
46 | abbfadcbfacaebcdefda -> aaedcfceefeffbdc [
47 | color = black;
48 | label = <>;
49 | ]
50 | aaedcfceefeffbdc -> acbfeaddadeceddbbbbca [
51 | color = black;
52 | label = <>;
53 | ]
54 | cafbfbfeedbdeecbccebfdf [
55 | shape = square;
56 | label = <>;
57 | ]
58 | cafbfbfeedbdeecbccebfdf -> acbfeaddadeceddbbbbca [
59 | color = black;
60 | label = <>;
61 | ]
62 | bebdddeabdfbacdceded [
63 | shape = doublecircle;
64 | color = black;
65 |
66 | label = <>;
67 | ]
68 | abbfadcbfacaebcdefda -> bebdddeabdfbacdceded [
69 | color = black;
70 | label = <>;
71 | ]
72 | aaedcfceefeffbdc -> bebdddeabdfbacdceded [
73 | color = black;
74 | label = <>;
75 | ]
76 | }
77 |
--------------------------------------------------------------------------------
/Flow Diagram/generic-cms/generic-cms.py.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/generic-cms/generic-cms.py.pdf
--------------------------------------------------------------------------------
/Flow Diagram/generic-cms/generic-cms.py.svg:
--------------------------------------------------------------------------------
[SVG rendering of generic-cms.py (figure): boundary Internet containing Web Server and db; outside it Generic/Privilege User, admin and CDN network; edges Generic/Privilege User -> Web Server (HTTPS), Generic/Privilege User -> CDN network (HTTP), Web Server -> db (unlabelled), Web Server -> CDN network (Push to Bucket), admin -> db (unsecure mysql connection)]
--------------------------------------------------------------------------------
/Flow Diagram/iot-device/iot-device.vsdx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/iot-device/iot-device.vsdx
--------------------------------------------------------------------------------
/Flow Diagram/iot-device/iot-device.vsdx.dwg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/iot-device/iot-device.vsdx.dwg
--------------------------------------------------------------------------------
/Flow Diagram/iot-device/iot-device.vsdx.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/iot-device/iot-device.vsdx.pdf
--------------------------------------------------------------------------------
/Flow Diagram/iot-device/iot-device.vsdx.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/iot-device/iot-device.vsdx.png
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt0-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt0-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt1-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt1-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt10-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt10-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt11-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt11-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt2-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt2-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt3-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt3-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt4-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt4-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt5-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt5-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt6-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt6-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt7-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt7-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt8-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt8-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/alt9-jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/alt9-jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/jetscout/jetscout.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/jetscout/jetscout.jpg
--------------------------------------------------------------------------------
/Flow Diagram/online-battleroyale-game/onlinegame.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/online-battleroyale-game/onlinegame.jpg
--------------------------------------------------------------------------------
/Flow Diagram/online-battleroyale-game/onlinegame.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pytm import *
4 |
5 | tm = TM("Battle Royale Game Flow Diagram")
6 | tm.description = "This is a threat model made in the Threat Modeling Workshop."
7 |
8 | playerlocal = Boundary("player's local machine")
9 | corp = Boundary("corp network")
10 | prod = Boundary("prod network")
11 |
12 | player = Actor("Player")
13 | anon = Actor("Anonymous WWW User-Agent")
14 |
15 | cs = Actor("Customer Support")
16 | cs.inBoundary = corp
17 |
18 | gameclient = Server("Game Client")
19 | browser = Server("Browser")
20 |
21 | for process in [browser, gameclient, anon, player]:
22 | process.inBoundary = playerlocal
23 |
24 | wwwstats = Server("Website Stats")
25 | lobby = Server("Lobby")
26 | gameservers = SetOfProcesses("Game Servers")
27 | wwwmod = Server("Moderation Website")
28 | apirest = Server("API REST")
29 |
30 |
31 | playerdb = Datastore("Player Database")
32 | statsdb = Datastore("Stats Database")
33 |
34 |
35 | for process in [wwwstats, lobby, gameservers, wwwmod, apirest, playerdb, statsdb]:
36 | process.inBoundary = prod
37 |
38 |
39 | player_to_gameclient = Dataflow(player, gameclient, "Uses/Launch")
40 | player_to_browser = Dataflow(player, browser, "Uses/Launch")
41 | anon_to_wwwstats = Dataflow(anon, wwwstats, " ")
42 | browser_to_wwwstats = Dataflow(browser, wwwstats, "HTTPS")
43 | wwwstats_to_apirest = Dataflow(wwwstats, apirest, " ")
44 | wwwstats_to_playerdb = Dataflow(wwwstats, playerdb, " ")
45 |
46 | gameclient_to_lobby = Dataflow(gameclient, lobby, "TCP 1234")
47 | gameclient_to_gameservers = Dataflow(gameclient, gameservers, "TCP 1235")
48 |
49 | lobby_to_gameservers = Dataflow(lobby, gameservers, " ")
50 | lobby_to_playerdb = Dataflow(lobby, playerdb, " ")
51 | lobby_to_apirest = Dataflow(lobby, apirest, " ")
52 |
53 | wwwmod_to_playerdb = Dataflow(wwwmod, playerdb, " ")
54 | cs_to_wwwmod = Dataflow(cs, wwwmod, " ")
55 |
56 | gameservers_to_statsdb = Dataflow(gameservers, statsdb, "r/w")
57 | gameservers_to_playerdb = Dataflow(gameservers, playerdb, " ")
58 |
59 | apirest_to_statsdb = Dataflow(apirest, statsdb, "r/o")
60 | apirest_to_playerdb = Dataflow(apirest, playerdb, " ")
61 |
62 |
63 | tm.process()
64 |
--------------------------------------------------------------------------------
/Flow Diagram/online-battleroyale-game/onlinegame.py.dot:
--------------------------------------------------------------------------------
1 | digraph tm {
2 | graph [
3 | fontname = Arial;
4 | fontsize = 14;
5 | ]
6 | node [
7 | fontname = Arial;
8 | fontsize = 14;
9 | rankdir = lr;
10 | ]
11 | edge [
12 | shape = none;
13 | fontname = Arial;
14 | fontsize = 12;
15 | ]
16 | labelloc = "t";
17 | fontsize = 20;
18 | nodesep = 1;
19 |
20 | subgraph cluster_fbeabbaffbddabbabcfedb {
21 | graph [
22 | fontsize = 10;
23 | fontcolor = firebrick2;
24 | style = dashed;
25 | color = firebrick2;
26 | label = <player's local machine >;
27 | ]
28 |
29 | fbcaeddddeefdddddaa [
30 | shape = square;
31 | label = <>;
32 | ]
33 | bbdaeeabfbcadceebcadaebc [
34 | shape = square;
35 | label = <>;
36 | ]
37 | eeacbebacadfdaeabacaddc [
38 | shape = circle
39 | color = black
40 | label = <>;
41 | ]
42 | bdddedacabacdfeddffdaadd [
43 | shape = circle
44 | color = black
45 | label = <>;
46 | ]
47 |
48 | }
49 |
50 | subgraph cluster_fbacafbcbcedbcdfdbaffce {
51 | graph [
52 | fontsize = 10;
53 | fontcolor = firebrick2;
54 | style = dashed;
55 | color = firebrick2;
56 | label = <corp network >;
57 | ]
58 |
59 | eabceadefdfcedfdedbf [
60 | shape = square;
61 | label = <>;
62 | ]
63 |
64 | }
65 |
66 | subgraph cluster_ebadbbacbbbedfbcbfaabfe {
67 | graph [
68 | fontsize = 10;
69 | fontcolor = firebrick2;
70 | style = dashed;
71 | color = firebrick2;
72 | label = <prod network >;
73 | ]
74 |
75 | aaadadabaedafcbfbfcaf [
76 | shape = circle
77 | color = black
78 | label = <>;
79 | ]
80 | abadddfbbebffeabdaecdddcdefedb [
81 | shape = circle
82 | color = black
83 | label = <>;
84 | ]
85 | caecbddedafabcdeefbbfacddfefd [
86 | shape = doublecircle;
87 | color = black;
88 |
89 | label = <>;
90 | ]
91 | fdedbaafbdebedfaaceeadebccb [
92 | shape = circle
93 | color = black
94 | label = <>;
95 | ]
96 | cafbafcaeebacedecccaccfa [
97 | shape = circle
98 | color = black
99 | label = <>;
100 | ]
101 | eaafdccecbcfaabcc [
102 | shape = none;
103 | color = black;
104 | label = <>;
105 | ]
106 | aefaafefabdabbbfefa [
107 | shape = none;
108 | color = black;
109 | label = <>;
110 | ]
111 |
112 | }
113 |
114 | fbcaeddddeefdddddaa -> eeacbebacadfdaeabacaddc [
115 | color = black;
116 | label = <>;
117 | ]
118 | fbcaeddddeefdddddaa -> bdddedacabacdfeddffdaadd [
119 | color = black;
120 | label = <>;
121 | ]
122 | bbdaeeabfbcadceebcadaebc -> aaadadabaedafcbfbfcaf [
123 | color = black;
124 | label = <>;
125 | ]
126 | bdddedacabacdfeddffdaadd -> aaadadabaedafcbfbfcaf [
127 | color = black;
128 | label = <>;
129 | ]
130 | aaadadabaedafcbfbfcaf -> cafbafcaeebacedecccaccfa [
131 | color = black;
132 | label = <>;
133 | ]
134 | aaadadabaedafcbfbfcaf -> eaafdccecbcfaabcc [
135 | color = black;
136 | label = <>;
137 | ]
138 | eeacbebacadfdaeabacaddc -> abadddfbbebffeabdaecdddcdefedb [
139 | color = black;
140 | label = <>;
141 | ]
142 | eeacbebacadfdaeabacaddc -> caecbddedafabcdeefbbfacddfefd [
143 | color = black;
144 | label = <>;
145 | ]
146 | abadddfbbebffeabdaecdddcdefedb -> caecbddedafabcdeefbbfacddfefd [
147 | color = black;
148 | label = <>;
149 | ]
150 | abadddfbbebffeabdaecdddcdefedb -> eaafdccecbcfaabcc [
151 | color = black;
152 | label = <>;
153 | ]
154 | abadddfbbebffeabdaecdddcdefedb -> cafbafcaeebacedecccaccfa [
155 | color = black;
156 | label = <>;
157 | ]
158 | fdedbaafbdebedfaaceeadebccb -> eaafdccecbcfaabcc [
159 | color = black;
160 | label = <>;
161 | ]
162 | eabceadefdfcedfdedbf -> fdedbaafbdebedfaaceeadebccb [
163 | color = black;
164 | label = <>;
165 | ]
166 | caecbddedafabcdeefbbfacddfefd -> aefaafefabdabbbfefa [
167 | color = black;
168 | label = <>;
169 | ]
170 | caecbddedafabcdeefbbfacddfefd -> eaafdccecbcfaabcc [
171 | color = black;
172 | label = <>;
173 | ]
174 | cafbafcaeebacedecccaccfa -> aefaafefabdabbbfefa [
175 | color = black;
176 | label = <>;
177 | ]
178 | cafbafcaeebacedecccaccfa -> eaafdccecbcfaabcc [
179 | color = black;
180 | label = <>;
181 | ]
182 | }
183 |
--------------------------------------------------------------------------------
/Flow Diagram/online-battleroyale-game/onlinegame.py.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/online-battleroyale-game/onlinegame.py.pdf
--------------------------------------------------------------------------------
/Flow Diagram/online-battleroyale-game/onlinegame.py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/online-battleroyale-game/onlinegame.py.png
--------------------------------------------------------------------------------
/Flow Diagram/online-battleroyale-game/onlinegame.py.svg:
--------------------------------------------------------------------------------
[SVG rendering of the graph "tm"; only the text nodes survive extraction. Recoverable content:]
Boundaries: player's local machine; prod network; corp network
Elements: Player; Game Client; Browser; Anonymous WWW User-Agent; Website Stats; Lobby; Game Servers; Customer Support; Moderation Website; API REST; Player Database; Stats Database
Dataflows (label in parentheses where one was rendered): Player -> Game Client (Uses/Launch); Player -> Browser (Uses/Launch); Anonymous WWW User-Agent -> Website Stats; Game Client -> Lobby (TCP 1234); Game Client -> Game Servers (TCP 1235); Browser -> Website Stats (HTTPS); Customer Support -> Moderation Website; Website Stats -> API REST; Website Stats -> Player Database; Lobby -> Game Servers; Lobby -> API REST; Lobby -> Player Database; Game Servers -> Player Database; Game Servers -> Stats Database (r/w); Moderation Website -> Player Database; API REST -> Player Database; API REST -> Stats Database (r/o)

--------------------------------------------------------------------------------
/Flow Diagram/payment/payment-online.py:
--------------------------------------------------------------------------------
# https://github.com/izar/pytm
from pytm import (
    TM, Server, Dataflow, Boundary, Actor, ExternalEntity, Process
)

payment_online = TM("stripe")
payment_online.description = "stripe payment"
payment_online.isOrdered = True        # number the dataflows in declaration order
payment_online.mergeResponses = True   # draw each response on the edge of its request

# Trust boundaries: the customer's browser, the merchant's backend and Stripe
Customer_Client_Web = Boundary("Customer/Internet")
Merchant_Web = Boundary("Merchant/Web")
Stripe_API = Boundary("Stripe/Web")

customer = Actor("Customer")

customer_client = ExternalEntity("Customer Client")
customer_client.inBoundary = Customer_Client_Web
# user.levels = [2]

merchant_web = Server("Merchant Web Server")
merchant_web.inBoundary = Merchant_Web
merchant_web.OS = "Ubuntu"
merchant_web.isHardened = True
merchant_web.onAWS = True
# web.levels = [2]

stripe_api = ExternalEntity("Stripe API service")
stripe_api.inBoundary = Stripe_API
stripe_api.onAWS = False

stripe_process = Process("Stripe Payment Service")
stripe_process.inBoundary = Stripe_API

# Every Dataflow gets its own variable; reusing one name for several flows
# would hide the earlier objects from later responseTo references.
customer_login = Dataflow(customer, customer_client, "Customer logs into the merchant site (*)")
customer_login.protocol = "HTTPS"
customer_login.dstPort = 443
customer_login.data = 'OAuth'

customer_to_payment_page = Dataflow(customer, customer_client, "Customer proceeds to payment page to make a purchase (*)")
customer_to_payment_page.protocol = "HTTPS"
customer_to_payment_page.dstPort = 443

customer_client_to_merchant_web = Dataflow(customer_client, merchant_web, "Customer Client sends order intent, including order amount (*)")
customer_client_to_merchant_web.protocol = "HTTPS"
customer_client_to_merchant_web.dstPort = 443

# The merchant backend, not the browser, creates the PaymentIntent with Stripe
merchant_web_to_stripe_api = Dataflow(merchant_web, stripe_api, "Merchant sends order information inc amount and currency (*)")
merchant_web_to_stripe_api.data = 'POST /v1/payment_intents'

stripe_api_to_merchant_web = Dataflow(stripe_api, merchant_web, "Return PaymentIntent to the Merchant (*)")
stripe_api_to_merchant_web.data = 'Response'
stripe_api_to_merchant_web.responseTo = merchant_web_to_stripe_api

# Only the PaymentIntent's client_secret is handed to the browser; it is what
# the client passes to stripe.confirmCardPayment() below
merchant_web_to_customer_client = Dataflow(merchant_web, customer_client, "Return PaymentIntent to the Customer Client (*)")
merchant_web_to_customer_client.data = 'client_secret'
merchant_web_to_customer_client.responseTo = customer_client_to_merchant_web

customer_card_entry = Dataflow(customer, customer_client, "Customer provides card details and finalizes payment (*)")

# Card details go straight from the browser to Stripe and never touch the merchant
customer_client_to_stripe_api = Dataflow(customer_client, stripe_api, "Customer Client sends stripe.confirmCardPayment() (*)")
customer_client_to_stripe_api.data = "client_secret and card details"

stripe_api_to_stripe_process = Dataflow(stripe_api, stripe_process, "Attempt payment")
stripe_process_to_stripe_api = Dataflow(stripe_process, stripe_api, "Payment Response")

stripe_api_to_customer_client = Dataflow(stripe_api, customer_client, "Return the PaymentIntent with status (*)")
stripe_api_to_customer_client.data = "Return the PaymentIntent with status 'succeeded'"

payment_online.process()

--------------------------------------------------------------------------------
/Flow Diagram/payment/payment-online.py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/payment/payment-online.py.png
--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/alt1-rentingcar.py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/renting-car-startup/alt1-rentingcar.py.png
--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/alt2-rentingcar.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/renting-car-startup/alt2-rentingcar.jpg
--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/rentingcar.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/renting-car-startup/rentingcar.jpg
--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/rentingcar.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# https://github.com/izar/pytm

from pytm import (
    TM, Actor, Server, Process, SetOfProcesses, ExternalEntity,
    Datastore, Boundary, Dataflow,
)

tm = TM("Renting Car Startup Flow Diagram")
tm.description = "This is a threat model made in the Threat Modeling Workshop."

# External actors: the phones that run the two mobile apps
owner = Actor("Owner Phone")
customer = Actor("Customer Phone")

# Mobile apps: Ownz for car owners, Cadz for renters
ownz = Server("Ownz Mobile")
cadz = Server("Cadz Mobile")

apigw = Server("API Gateway")
auth = Server("Auth")
conncar = SetOfProcesses("Connected Car")
abc = Server("ABC")

api = Server("API")
apiar = Server("API AR")
apiai = Server("API AI")
apiamfm = Server("API AM/FM")

unsure = Process("?")
# todo change this for a cloud?
watson = ExternalEntity("Watson")

flatfile = Datastore("Flatfile radio stations")
carsdb = Datastore("Cars DB")

# Trust boundaries; the production boundary carries a blank label
insidecar = Boundary("Inside the car")
dmz = Boundary("DMZ")
prod = Boundary(" ")

for element in [conncar, cadz, abc, customer]:
    element.inBoundary = insidecar

apiai.inBoundary = dmz

for element in [apigw, api, apiar, apiamfm, auth, flatfile, carsdb, unsure]:
    element.inBoundary = prod

# Dataflows; the third argument is the edge label (the protocol where known)
owner2ownz = Dataflow(owner, ownz, "Launch")
customer2cadz = Dataflow(customer, cadz, "Launch")
ownz2apigw = Dataflow(ownz, apigw, "HTTPS")
cadz2apigw = Dataflow(cadz, apigw, "HTTPS")

apigw2apiai = Dataflow(apigw, apiai, "HTTP")
apigw2apiamfm = Dataflow(apigw, apiamfm, "SSH")
apigw2apiar = Dataflow(apigw, apiar, "HTTP/2")
apigw2api = Dataflow(apigw, api, "HTTP")

api2carsdb = Dataflow(api, carsdb, " ")
apiaamfm2flatfile = Dataflow(apiamfm, flatfile, " ")
apiai2watson = Dataflow(apiai, watson, " ")
apigw2auth = Dataflow(apigw, auth, "Kerberos")

apiar2unsure = Dataflow(apiar, unsure, " ")

conncar2abc = Dataflow(conncar, abc, " ")
abc2carsdb = Dataflow(abc, carsdb, " ")
conncar2cadz = Dataflow(conncar, cadz, "Bluetooth")


tm.process()

--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/rentingcar.py.dot:
--------------------------------------------------------------------------------
digraph tm {
    graph [
        fontname = Arial;
        fontsize = 14;
    ]
    node [
        fontname = Arial;
        fontsize = 14;
        rankdir = lr;
    ]
    edge [
        shape = none;
        fontname = Arial;
        fontsize = 12;
    ]
    labelloc = "t";
    fontsize = 20;
    nodesep = 1;

    subgraph cluster_ebfdeebacddeedccfbbfdceebeddac {
        graph [
            fontsize = 10;
            fontcolor = firebrick2;
            style = dashed;
            color = firebrick2;
            label = <Inside the car >;
        ]

        aaafaecedffadddebbefcdbbbd [
            shape = square;
            label = <>;
        ]
        cbbaebebaaaddcbbfdfcefdedaacd [
            shape = circle
            color = black
            label = <>;
        ]
        dcbcdbadccdabbbcfadee [
            shape = doublecircle;
            color = black;

            label = <>;
        ]
        cbcfcfeebbebeafaaafad [
            shape = circle
            color = black
            label = <>;
        ]

    }

    subgraph cluster_deffadbbecbaffaffcdd {
        graph [
            fontsize = 10;
            fontcolor = firebrick2;
            style = dashed;
            color = firebrick2;
            label = <DMZ >;
        ]

        caeacffecebffaadaed [
            shape = circle
            color = black
            label = <>;
        ]

    }

    subgraph cluster_cacebafcaebeabfbbacecaba {
        graph [
            fontsize = 10;
            fontcolor = firebrick2;
            style = dashed;
            color = firebrick2;
            label = < >;
        ]

        edeefeaeddcfbaeaafbed [
            shape = circle
            color = black
            label = <>;
        ]
        defcdafddccbccba [
            shape = circle
            color = black
            label = <>;
        ]
        feddafabacdadcfdfee [
            shape = circle
            color = black
            label = <>;
        ]
        cebcbadfdcacbfccebb [
            shape = circle
            color = black
            label = <>;
        ]
        aaedddcebefbebabd [
            shape = circle
            color = black
            label = <>;
        ]
        adadefacfbffbbffbffa [
            shape = circle;
            color = black;

            label = <>;
        ]
        dddabcdbcaeffdbaafc [
            shape = none;
            color = black;
            label = <>;
        ]
        dcdcdbdeedebdddaeebbbcc [
            shape = none;
            color = black;
            label = <>;
        ]

    }

    abfadfcbbcaaafabcfbdfefeda [
        shape = square;
        label = <>;
    ]
    cbaffdfcaeeefbada [
        shape = circle
        color = black
        label = <>;
    ]
    bceeebfabdfbccabedaccde [
        shape = square;
        label = <>;
    ]
    abfadfcbbcaaafabcfbdfefeda -> cbaffdfcaeeefbada [
        color = black;
        label = <>;
    ]
    aaafaecedffadddebbefcdbbbd -> cbbaebebaaaddcbbfdfcefdedaacd [
        color = black;
        label = <>;
    ]
    cbaffdfcaeeefbada -> edeefeaeddcfbaeaafbed [
        color = black;
        label = <>;
    ]
    cbbaebebaaaddcbbfdfcefdedaacd -> edeefeaeddcfbaeaafbed [
        color = black;
        label = <>;
    ]
    edeefeaeddcfbaeaafbed -> caeacffecebffaadaed [
        color = black;
        label = <>;
    ]
    edeefeaeddcfbaeaafbed -> aaedddcebefbebabd [
        color = black;
        label = <>;
    ]
    edeefeaeddcfbaeaafbed -> cebcbadfdcacbfccebb [
        color = black;
        label = <>;
    ]
    edeefeaeddcfbaeaafbed -> feddafabacdadcfdfee [
        color = black;
        label = <>;
    ]
    feddafabacdadcfdfee -> dcdcdbdeedebdddaeebbbcc [
        color = black;
        label = <>;
    ]
    aaedddcebefbebabd -> dddabcdbcaeffdbaafc [
        color = black;
        label = <>;
    ]
    caeacffecebffaadaed -> bceeebfabdfbccabedaccde [
        color = black;
        label = <>;
    ]
    edeefeaeddcfbaeaafbed -> defcdafddccbccba [
        color = black;
        label = <>;
    ]
    cebcbadfdcacbfccebb -> adadefacfbffbbffbffa [
        color = black;
        label = <>;
    ]
    dcbcdbadccdabbbcfadee -> cbcfcfeebbebeafaaafad [
        color = black;
        label = <>;
    ]
    cbcfcfeebbebeafaaafad -> dcdcdbdeedebdddaeebbbcc [
        color = black;
        label = <>;
    ]
    dcbcdbadccdabbbcfadee -> cbbaebebaaaddcbbfdfcefdedaacd [
        color = black;
        label = <>;
    ]
}

--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/rentingcar.py.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/renting-car-startup/rentingcar.py.pdf
--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/rentingcar.py.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/renting-car-startup/rentingcar.py.png
--------------------------------------------------------------------------------
/Flow Diagram/renting-car-startup/rentingcar.py.svg:
--------------------------------------------------------------------------------
[SVG rendering of the graph "tm"; only the text nodes survive extraction. Recoverable content:]
Boundaries: Inside the car; DMZ; one unlabeled boundary
Elements: Customer Phone; Cadz Mobile; API Gateway; Connected Car; ABC; Cars DB; API AI; Watson; Auth; API; API AR; API AM/FM; ?; Flatfile radio stations; Owner Phone; Ownz Mobile
Dataflows (label in parentheses where one was rendered): Customer Phone -> Cadz Mobile (Launch); Cadz Mobile -> API Gateway (HTTPS); Connected Car -> Cadz Mobile (Bluetooth); Connected Car -> ABC; ABC -> Cars DB; API AI -> Watson; API Gateway -> API AI (HTTP); API Gateway -> Auth (Kerberos); API Gateway -> API (HTTP); API Gateway -> API AR (HTTP/2); API Gateway -> API AM/FM (SSH); API -> Cars DB; API AR -> ?; API AM/FM -> Flatfile radio stations; Owner Phone -> Ownz Mobile (Launch); Ownz Mobile -> API Gateway (HTTPS)

--------------------------------------------------------------------------------
/Flow Diagram/scouter/scouter.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/scouter/scouter.jpg
--------------------------------------------------------------------------------
/Flow Diagram/sokify/alt1-sokify.json.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/sokify/alt1-sokify.json.pdf
--------------------------------------------------------------------------------
/Flow Diagram/sokify/alt1-sokify.json.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/sokify/alt1-sokify.json.png
--------------------------------------------------------------------------------
/Flow Diagram/sokify/sokify.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/sokify/sokify.jpg
--------------------------------------------------------------------------------
/Flow Diagram/webapp-threat-dragon/webapp-threat-dragon.json.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/webapp-threat-dragon/webapp-threat-dragon.json.pdf
--------------------------------------------------------------------------------
/Flow Diagram/webapp-threat-dragon/webapp-threat-dragon.json.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Flow Diagram/webapp-threat-dragon/webapp-threat-dragon.json.png
--------------------------------------------------------------------------------
/INDEX.md:
--------------------------------------------------------------------------------
# OWASP Threat Model Cookbook Index

Global view of the example systems represented in this project, with their overall descriptions.


## BLANK
A generic model with generic names that doesn't represent a particular system. Useful to introduce a methodology without leading people into a particular architecture.

[](./Flow%20Diagram/BLANK)

[](./Attack%20Tree/BLANK.plantuml)

[](./Template/BLANK)



## app-y-ness
A mobile application that manages the tenants of an apartment complex and sells various products that the landlord brews and grows. Tenants can use the mobile app to pay rent, buy products and receive fire n' surf alerts.

[](./Flow%20Diagram/app-y-ness)


## cryptocurrency-wallet
A desktop application based on Electron that handles cryptocurrency operations with the Blockchain. The model also includes related components such as a Cryptocurrency Exchange web site and a trading bot in Python.

[](./Flow%20Diagram/cryptocurrency-wallet)

[](./Attack%20Tree/cryptowallet.plantuml)


## generic-cms
A simple web content management system with generically named components. It has a web server, a database and a CDN.

[](./Flow%20Diagram/generic-cms)

[](./Attack%20Tree/generic-cms.plantuml)


## iot-device
An Internet of Things device, such as a lightbulb, that is controlled with a mobile app, a Python script or a cloud API. A website provides the cloud integration user interface, and the IoT device exposes a local network API.

[](./Flow%20Diagram/iot-device)

[](./Attack%20Tree/iot-device)

[](./Attack%20Tree/iot-device)


## jetscout
A rental scooter equipped with a jet engine and a tracking system that relies on IoT smart components. It receives voice commands and has a seat with a smart scale on it to know whether the rider is sitting or has fallen off. It tracks health data from smart sensors and stores it in the cloud for insurance purposes (totally not for reselling it). It also has a remote API that can control its jet engine.

[](./Flow%20Diagram/jetscout)

[](./Flow%20Diagram/jetscout)

[](./Attack%20Tree/jetscout)


## online-battleroyale-game
A multiplayer video game client and server that has a lobby for matchmaking and provides statistics about the matches and players. Player accounts are stored in a central database, and Customer Support staff can access it for moderation purposes.

[](./Flow%20Diagram/online-battleroyale-game)

[](./Attack%20Tree/online-battleroyale-game)


## physicalsafe
A textbook example of a physical safe that a bad actor wants to open.

[](./Attack%20Tree/physicalsafe.plantuml)


## renting-car-startup
A startup ecosystem based on mobile applications and APIs that manage peer-to-peer car rentals. A customer can use a mobile app to unlock and start the car. The owner of the car has their own mobile app to manage rentals. It has AI linked to its APIs and supports augmented reality features. The APIs also allow changing radio stations, which are stored in the cloud in a flat file for legacy reasons.

[](./Flow%20Diagram/renting-car-startup)

[](./Attack%20Tree/rentingcar.plantuml)


## scouter
A shared scooter company (competitor of jetscout) that uses a vending machine to distribute tickets for renting its fleet of shared electric scooters. It uses drones to track customers.

[](./Flow%20Diagram/scouter)

[](./Attack%20Tree/scouter)


## sokify
An online hipster store platform that lets people see pictures of socks on social media and buy them. Its main components are a mobile application and an API, which connect to a legacy inventory management system that still sends faxes.

[](./Flow%20Diagram/sokify)

[](./Attack%20Tree/sokify)


## webapp-threat-dragon
A sample model of a web application with a queue-decoupled background process. The OWASP Threat Dragon PDF example contains a report with details about the elements, a description of the threats and their mitigations.

[](./Flow%20Diagram/webapp-threat-dragon)


## 3-Tier-Web-App
This fictitious application exposes a Web UI on the internet and has a Web API and Database hosted on a public cloud provider. This is a full example using the IriusRisk threat modeling tool from ContinuumSecurity.

[](./IriusRisk/3-Tier-Web-App)


--------------------------------------------------------------------------------
/IriusRisk/3-Tier-Web-App/3 Tier Web App - Threat Model and Risk Report.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/IriusRisk/3-Tier-Web-App/3 Tier Web App - Threat Model and Risk Report.pdf
--------------------------------------------------------------------------------
/IriusRisk/3-Tier-Web-App/Countermeasure-as-jira-ticket- Example.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/IriusRisk/3-Tier-Web-App/Countermeasure-as-jira-ticket- Example.png
--------------------------------------------------------------------------------
/IriusRisk/3-Tier-Web-App/Dataflow Diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/IriusRisk/3-Tier-Web-App/Dataflow Diagram.png
--------------------------------------------------------------------------------
/IriusRisk/3-Tier-Web-App/README.md:
--------------------------------------------------------------------------------
# Example of a Threat Model of a fictitious 3 Tier Web Application

This fictitious application exposes a Web UI on the internet and has a Web API and Database hosted on a public cloud provider.

## Contents
### What are we building?
- See the Dataflow Diagram.png
- The first few pages of the Threat Model and Risk Report PDF file contain the answers to the questions that define how the individual components behave and are configured.

### What can go wrong?
- See the Table of Threats
- The last section of the PDF report contains a table of threats, the planned mitigation and the status of the countermeasure progress

### What are we going to do about it?
- The last section of the PDF report contains a table that describes how each of the threats is going to be mitigated (if at all).
- In the same PDF report, the "Risks Accepted" table describes risks that are not going to be mitigated.

### Did we do a good job?
- This is not answered by an output from this threat modeling tool.
--------------------------------------------------------------------------------
/IriusRisk/3-Tier-Web-App/Table of Countermeasures_3-tier-web-app.xls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/IriusRisk/3-Tier-Web-App/Table of Countermeasures_3-tier-web-app.xls
--------------------------------------------------------------------------------
/IriusRisk/3-Tier-Web-App/Table of Threats_3-tier-web-app.xls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/IriusRisk/3-Tier-Web-App/Table of Threats_3-tier-web-app.xls
--------------------------------------------------------------------------------
/IriusRisk/README.md:
--------------------------------------------------------------------------------
Examples using the IriusRisk threat modeling tool from ContinuumSecurity.

https://continuumsecurity.net/threat-modeling-tool/

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OWASP Threat Model Cookbook Project

This project is about creating and publishing threat model examples. They can be in the form of code, graphical or textual representations. The models will use diverse technologies, methodologies and techniques.

You can learn from those models, use them as a base to start your own, or contribute to and expand some of the models, making this a collaborative cookbook of threat models.

https://owasp.org/www-project-threat-model-cookbook/

https://twitter.com/OWASP_tmcb

## Disclaimer
Examples provided in this repository are not representations of secure systems, but rather insecure systems that are easy to model. Most of them are made-up systems that don't exist in reality. Any resemblance to real-life systems is purely coincidental.

## Contributing
We welcome PRs containing examples to add to the cookbook. If you want to add new threat models or create more versions based on existing drafts, feel free to submit a PR directly.

Here are some guidelines on how our file structure works:
* [INDEX.md](INDEX.md) lists all systems that are modeled, with embedded pictures and short descriptions.
* Top-level directories are the types of threat models. Example: `Flow Diagram`.
* If your threat model has 1 or 2 files, you can put the files directly in that directory. If it has more, please create a folder with the name of the system being modeled.
* The name of the system needs to use dashes and alphanumeric characters only. No spaces.
* A file needs to have a specific extension depending on the format: `system-name.tool` and `system-name.tool.exportfiletype`. As examples, we have the code file `cryptowallet.plantuml` and the output to an image file generated from that code as `cryptowallet.plantuml.svg`. Refer to the README.md in each top-level folder for a list of tools and their matching file extensions.
* If you have multiple representations of the same system using the same tool, we suggest you add `altN-` at the start of the file name, where `N` is a number.

If this sounds complicated and you just want to contribute, you can still submit a PR and we'll refactor it for you. We might have more automation and outside references in the future, so we want to keep a strict file structure.

If you'd like to discuss the structure of the project, feel free to join the discussion on [OWASP Slack](https://owasp.slack.com/messages/threatmodel-cookbook/).

## Licenses

All models in the form of textual or graphical representations are under CC-BY 4.0

All models as code are under Apache License 2.0


--------------------------------------------------------------------------------
/Template/BLANK/BLANK-draw.io.onepager.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Template/BLANK/BLANK-draw.io.onepager.xml.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/threat-model-cookbook/83f391f4ed6e463030524fc315e7fe3577a377c1/Template/BLANK/BLANK-draw.io.onepager.xml.pdf
--------------------------------------------------------------------------------
/Template/README.md:
--------------------------------------------------------------------------------
1 | Examples using different techniques to create threat model templates.
2 |
3 | | Tool | File match |
4 | | :--- | :--- |
5 | | www.draw.io | `*draw.io*.xml` |
6 |
7 |
--------------------------------------------------------------------------------