LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you write a complete Misuse Case description for a SQL Injection attack?

Fill every template field with specific, testable detail — name, mis-actor, entry point, attributes hit, basic path, mitigation — because a vague threat ("login could be attacked") only ever produces a vague, unverifiable fix.

The discipline is what makes a misuse case actionable: a concrete basic path becomes a penetration-test case, the named mitigation becomes a written security requirement, and the sophistication/access fields feed risk-scoring so you know what to fix first.

Worked example:

Field Value
Name SQL Injection via Login Form
Priority High
Scope Authentication module
Mis-actor External attacker (unauthenticated)
Access Right Level None required (public-facing form)
Point of Entry Username and password fields on /login
Security Attributes Confidentiality (data leak), Integrity (data modification), Authorization (bypass login)
Sophistication Low (automated tools like sqlmap exist)
Pre-conditions Login page is accessible; application uses SQL database
Basic Path 1. Attacker enters ' OR 1=1 -- in username field → 2. Application concatenates input into SQL query → 3. Database executes modified query → 4. Attacker bypasses authentication
Alternative Paths UNION-based extraction of database contents; blind SQL injection via timing
Triggers Attacker submits login form with crafted input
Assumptions Application uses string concatenation for SQL queries (no parameterized queries)
Mitigation Parameterized queries/prepared statements; input validation; WAF rules

Why each field matters:

  • Sophistication + Access Level → determines DREAD Exploitability score
  • Security Attributes → maps directly to STRIDE categories
  • Basic Path → becomes the test case for penetration testing
  • Mitigation → becomes a security requirement: "The system SHALL use parameterized queries for all database operations"

See: OWASP Use/Misuse Case | OWASP Testing Guide

From Quiz: SPRG / Security Review | Updated: Jul 14, 2026