Finding Spoofing Issues

Although the application you are testing might not use Caller ID, many spoofing issues follow the same pattern. To find spoofing issues that affect the product's security, you can apply the following approach:

  1. Identify places where the application uses data to make decisions or presents the user with data so the user can make a decision that affects security. In the Caller ID example, the call recipient used the phone number displayed by the Caller ID feature to make decisions that affected security. Threat models and data flow diagrams prove useful in this step.

  2. Determine whether the data used to make the decision or displayed to the user can be controlled by the attacker. The information in Chapter 3, Finding Entry Points, is useful in this step. The phone number in the Caller ID example was controllable by the attacker.

  3. Become the attacker. Think maliciously about how data supplied by the attacker can be used to cause spoofing issues. Modify (spoof) the attacker-controllable data in an attempt to change the outcome of the security decision.

This approach can help you find general spoofing issues as well as a special class of spoofing bugs known as user interface spoofing (discussed later in this chapter).
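The three steps above, applied to a small model of the Caller ID scenario as an added example (not code from the book). It assumes a constructed trusted number and PIN; the vulnerable decision trusts the attacker-controllable presented number, the hardened one also requires a secret the attacker does not control, and the check in step 3 reports whether modifying only the attacker-controllable data still reaches the favourable outcome.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Call:
    presented_number: str          # Caller ID as shown to the recipient (attacker-controllable)
    pin: Optional[str] = None      # secret known only to the legitimate account holder


TRUSTED_NUMBER = "555-0100"   # constructed sample value
ACCOUNT_PIN = "4821"          # constructed sample value


def decide_vulnerable(call: Call) -> bool:
    """Step 1: a security decision made from Caller ID data.
    Step 2: presented_number is attacker-controllable, so the decision is spoofable."""
    return call.presented_number == TRUSTED_NUMBER


def decide_hardened(call: Call) -> bool:
    """Caller ID may still be displayed, but the decision rests on data the attacker
    does not control (a PIN here; a callback to the number of record is another option)."""
    return call.presented_number == TRUSTED_NUMBER and call.pin == ACCOUNT_PIN


def spoofing_check(decide: Callable[[Call], bool], legitimate: Call, spoofed: Call) -> bool:
    """Step 3: compare the outcome for the legitimate call with the outcome for a call in
    which only the attacker-controllable field was modified. Returns True when the spoofed
    data reaches the same favourable outcome, i.e. a spoofing issue exists."""
    return decide(legitimate) and decide(spoofed)


def run_checks() -> dict:
    legitimate = Call(TRUSTED_NUMBER, ACCOUNT_PIN)
    spoofed = Call(TRUSTED_NUMBER)   # number copied; the secret is unknown to the attacker
    return {
        "vulnerable": spoofing_check(decide_vulnerable, legitimate, spoofed),  # True
        "hardened": spoofing_check(decide_hardened, legitimate, spoofed),      # False
    }


if __name__ == "__main__":
    for name, spoofable in run_checks().items():
        print(f"{name}: {'spoofing issue' if spoofable else 'decision not spoofable'}")
```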

Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156