<!DOCTYPE html>
<html lang="en">
<head>
<!-- METAS -->
<meta charset="utf-8" />
<meta http-equiv="content-type" content="text/html" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<!-- MODIFY -->
<meta name="title" content="OWASP Risk Assessment Calculator" />
<meta name="description" content="New version 2021 of OWASP Risk Assessment Calculator" />
<meta name="author" content="Javier Olmedo" />
<link rel="shortcut icon" href="img/favicon.ico" />
<title>OWASP Risk Assessment Calculator v2021</title>
<!-- CSS -->
<link rel="stylesheet" href="css/bootstrap.min.css" />
<link rel="stylesheet" href="css/style.css" />
</head>
<!-- MAIN -->
<body>
<main>
<section>
<h1>OWASP Risk Assessment Calculator</h1>
<canvas class="riskChart" id="riskChart" height="75"></canvas>
<div class="risk RS">
<h4>0</h4>
</div>
</section>
<!-- FIRST -->
<div class="row">
<!-- THREAT AGENT FACTORS -->
<section>
<h5 class="border-bottom" title="The first set of factors are related to the threat agent involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.">Threat Agent Factors</h5>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How technically skilled is this group of threat agents?">Skill level</div>
<div class="col-8">
<select class="form-control" id="sl" name="sl" onchange="calculate()">
<option value="1">No technical skills (1)</option>
<option value="3">Some technical skills (3)</option>
<option value="5">Advanced computer user (5)</option>
<option value="6">Network and programming skills (6)</option>
<option value="9">Security penetration skills (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How motivated is this group of threat agents to find and exploit this vulnerability?">Motive</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="m" name="m" onchange="calculate()">
<option value="1">Low or no reward (1)</option>
<option value="4">Possible reward (4)</option>
<option value="9">High reward (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability?">Opportunity</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="o" name="o" onchange="calculate()">
<option value="0">Full access or expensive resources required (0)</option>
<option value="4">Special access or resources required (4)</option>
<option value="7">Some access or resources required (7)</option>
<option value="9">No access or resources required (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How large is this group of threat agents?">Size</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="s" name="s" onchange="calculate()">
<option value="2">Developers, System administrators (2)</option>
<option value="4">Intranet users (4)</option>
<option value="5">Partners (5)</option>
<option value="6">Authenticated users (6)</option>
<option value="9">Anonymous Internet users (9)</option>
</select>
</div>
</div>
</section>
<!-- TECHNICAL IMPACT FACTORS -->
<section>
<h5 class="border-bottom" title="Technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited. ">Technical Impact Factors</h5>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How much data could be disclosed and how sensitive is it?">Loss of confidentiality</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="lc" name="lc" onchange="calculate()">
<option value="2">Minimal non-sensitive data disclosed (2)</option>
<option value="6">Minimal critical data disclosed (6)</option>
<option value="6">Extensive non-sensitive data disclosed (6)</option>
<option value="7">Extensive critical data disclosed (7)</option>
<option value="9">All data disclosed (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How much data could be corrupted and how damaged is it?">Loss of integrity</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="li" name="li" onchange="calculate()">
<option value="1">Minimal slightly corrupt data (1)</option>
<option value="3">Minimal seriously corrupt data (3)</option>
<option value="5">Extensive slightly corrupt data (5)</option>
<option value="7">Extensive seriously corrupt data (7)</option>
<option value="9">All data totally corrupt (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How much service could be lost and how vital is it?">Loss of availability</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="lav" name="lav" onchange="calculate()">
<option value="1">Minimal secondary services interrupted (1)</option>
<option value="5">Minimal primary services interrupted (5)</option>
<option value="5">Extensive secondary services interrupted (5)</option>
<option value="7">Extensive primary services interrupted (7)</option>
<option value="9">All services completely lost (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="Are the threat agents' actions traceable to an individual?">Loss of accountability</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="lac" name="lac" onchange="calculate()">
<option value="1">Fully traceable (1)</option>
<option value="7">Possibly traceable (7)</option>
<option value="9">Completely anonymous (9)</option>
</select>
</div>
</div>
</section>
</div>
<!-- SECOND -->
<div class="row">
<!-- VULNERABILITY FACTORS -->
<section>
<h5 class="border-bottom" title="The next set of factors are related to the vulnerability involved. The goal here is to estimate the likelihood of the particular vulnerability involved being discovered and exploited. Assume the threat agent selected above.">Vulnerability Factors</h5>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How easy is it for this group of threat agents to discover this vulnerability?">Ease of discovery</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="ed" name="ed" onchange="calculate()">
<option value="1">Practically impossible (1)</option>
<option value="3">Difficult (3)</option>
<option value="7">Easy (7)</option>
<option value="9">Automated tools available (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How easy is it for this group of threat agents to actually exploit this vulnerability?">Ease of exploit</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="ee" name="ee" onchange="calculate()">
<option value="1">Theoretical (1)</option>
<option value="3">Difficult (3)</option>
<option value="5">Easy (5)</option>
<option value="9">Automated tools available (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How well known is this vulnerability to this group of threat agents?">Awareness</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="a" name="a" onchange="calculate()">
<option value="1">Unknown (1)</option>
<option value="4">Hidden (4)</option>
<option value="6">Obvious (6)</option>
<option value="9">Public knowledge (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How likely is an exploit to be detected?">Intrusion detection</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="id" name="id" onchange="calculate()">
<option value="1">Active detection in application (1)</option>
<option value="3">Logged and reviewed (3)</option>
<option value="8">Logged without review (8)</option>
<option value="9">Not logged (9)</option>
</select>
</div>
</div>
</section>
<!-- BUSINESS IMPACT FACTORS -->
<section>
<h5 class="border-bottom" title="The business impact stems from the technical impact, but requires a deep understanding of what is important to the company running the application. In general, you should be aiming to support your risks with business impact, particularly if your audience is executive level. The business risk is what justifies investment in fixing security problems.">Business Impact Factors</h5>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How much financial damage will result from an exploit?">Financial damage</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="fd" name="fd" onchange="calculate()">
<option value="1">Less than the cost to fix the vulnerability (1)</option>
<option value="3">Minor effect on annual profit (3)</option>
<option value="7">Significant effect on annual profit (7)</option>
<option value="9">Bankruptcy (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="Would an exploit result in reputation damage that would harm the business?">Reputation damage</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="rd" name="rd" onchange="calculate()">
<option value="1">Minimal damage (1)</option>
<option value="4">Loss of major accounts (4)</option>
<option value="5">Loss of goodwill (5)</option>
<option value="9">Brand damage (9)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How much exposure does non-compliance introduce?">Non-compliance</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="nc" name="nc" onchange="calculate()">
<option value="2">Minor violation (2)</option>
<option value="5">Clear violation (5)</option>
<option value="7">High profile violation (7)</option>
</select>
</div>
</div>
<div class="row">
<div class="h6 nomargin col-4 d-flex align-items-center" title="How much personally identifiable information could be disclosed?">Privacy violation</div>
<div class="col-8">
<select class="form-control" aria-label=".form-select-sm example" id="pv" name="pv" onchange="calculate()">
<option value="3">One individual (3)</option>
<option value="5">Hundreds of people (5)</option>
<option value="7">Thousands of people (7)</option>
<option value="9">Millions of people (9)</option>
</select>
</div>
</div>
</section>
</div>
<!-- THIRD -->
<div class="row">
<!-- LIKELIHOOD SCORE -->
<section>
<h5 class="border-bottom">Likelihood score</h5>
<h6 class="LS nomargin">0</h6>
</section>
<!-- IMPACT SCORE -->
<section>
<h5 class="border-bottom">Impact score</h5>
<h6 class="IS nomargin">0</h6>
</section>
</div>
<!-- CREDITS -->
<section>
<div>
<b>VECTOR: </b><a id="score" href="https://javierolmedo.github.io/OWASP-Calculator/?vector=(SL:1/M:1/O:0/S:2/ED:1/EE:1/A:1/ID:2/LC:2/LI:1/LAV:1/LAC:1/FD:1/RD:1/NC:2/PV:3)" target="_blank">(SL:1/M:1/O:0/S:2/ED:1/EE:1/A:1/ID:2/LC:2/LI:1/LAV:1/LAC:1/FD:1/RD:1/NC:2/PV:3)</a>
<br>
<a href="#exampleModalCenter" data-toggle="modal">How is Severity Risk calculated?</a>
<br>
2021 OWASP Risk Assessment Calculator | Developed by <a href="https://hackpuntes.com" target="_blank"><span>Javier Olmedo</span></a> | Source Code on <a href="https://github.com/JavierOlmedo/OWASP-Calculator" target="_blank"><span>Github</span></a> repository.
</div>
</section>
</main>
<!-- MODAL -->
<div class="modal fade" id="exampleModalCenter" tabindex="-1" role="dialog" aria-labelledby="exampleModalLongTitle" aria-hidden="true">
<div class="modal-dialog modal-dialog-centered" role="document">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title" id="exampleModalLongTitle">How is Severity Risk calculated?</h5>
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">×</span>
</button>
</div>
<div class="modal-body">
<div class="row">
<!-- LIKELIHOOD AND IMPACT LEVELS -->
<section>
<table class="table table-bordered">
<thead>
<tr>
<th scope="col" colspan="2">Likelihood and Impact Levels</th>
</tr>
</thead>
<tbody>
<tr>
<td>0 to &lt; 3</td>
<td class="classNote">LOW</td>
</tr>
<tr>
<td>3 to &lt; 6</td>
<td class="classMedium">MEDIUM</td>
</tr>
<tr>
<td>6 to 9</td>
<td class="classHigh">HIGH</td>
</tr>
</tbody>
</table>
</section>
<!-- OVERALL RISK SEVERITY = LIKELIHOOD X IMPACT -->
<section>
<table class="table table-bordered">
<thead>
<tr>
<th scope="col" colspan="5">Overall Risk Severity = Likelihood x Impact</th>
</tr>
</thead>
<tbody>
<tr>
<td colspan="1" rowspan="4" style="vertical-align: middle; font-weight: bold">Impact</td>
<td>HIGH</td>
<td class="classMedium">Medium</td>
<td class="classHigh">High</td>
<td class="classCritical">Critical</td>
</tr>
<tr>
<td>MEDIUM</td>
<td class="classLow">Low</td>
<td class="classMedium">Medium</td>
<td class="classHigh">High</td>
</tr>
<tr>
<td>LOW</td>
<td class="classNote">Note</td>
<td class="classLow">Low</td>
<td class="classMedium">Medium</td>
</tr>
<tr>
<td></td>
<td>LOW</td>
<td>MEDIUM</td>
<td>HIGH</td>
</tr>
</tbody>
<thead>
<tr>
<th scope="col" colspan="1"></th>
<th scope="col" colspan="4">Likelihood</th>
</tr>
</thead>
</table>
</section>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-primary" data-dismiss="modal">OK!</button>
</div>
</div>
</div>
</div>
<!-- SCRIPTS -->
<script src="js/jquery.min.js"></script>
<script src="js/Chart.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/sweetalert.min.js"></script>
<script src="js/script.js"></script>
</body>
</html>
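
The modal's two tables, worked through on the vector string this page links to, as an added example (not the project's js/script.js). The vector travels in the `?vector=` query parameter, so the parser treats it as untrusted input and rejects anything that is not exactly the sixteen known factors with single-digit scores. Assumptions: the function names are hypothetical, and likelihood and impact are each taken as the mean of their eight factors, following the OWASP Risk Rating Methodology.

```javascript
const LIKELIHOOD = ["SL", "M", "O", "S", "ED", "EE", "A", "ID"];
const IMPACT = ["LC", "LI", "LAV", "LAC", "FD", "RD", "NC", "PV"];
// Severity matrix from the modal: outer key = impact level, inner key = likelihood level.
const MATRIX = {
  HIGH:   { LOW: "Medium", MEDIUM: "High",   HIGH: "Critical" },
  MEDIUM: { LOW: "Low",    MEDIUM: "Medium", HIGH: "High" },
  LOW:    { LOW: "Note",   MEDIUM: "Low",    HIGH: "Medium" },
};

// Strictly parse "(SL:1/M:1/...)" into a Map; throw on anything unexpected.
function parseVector(vector) {
  const m = /^\(([^()]*)\)$/.exec(String(vector).trim());
  if (!m) throw new Error("vector must be wrapped in parentheses");
  const scores = new Map();
  for (const pair of m[1].split("/")) {
    const kv = /^([A-Z]{1,3}):(\d)$/.exec(pair); // one digit, so 0-9 only
    if (!kv) throw new Error(`malformed factor: ${pair}`);
    if (scores.has(kv[1])) throw new Error(`duplicate factor: ${kv[1]}`);
    scores.set(kv[1], Number(kv[2]));
  }
  for (const key of [...LIKELIHOOD, ...IMPACT]) {
    if (!scores.has(key)) throw new Error(`missing factor: ${key}`);
  }
  if (scores.size !== 16) throw new Error("unknown factor in vector");
  return scores;
}

// Thresholds from the "Likelihood and Impact Levels" table.
function level(score) {
  if (score < 3) return "LOW";
  if (score < 6) return "MEDIUM";
  return "HIGH";
}

// Assumption: each score is the mean of its eight factors.
function rate(vector) {
  const scores = parseVector(vector);
  const mean = (keys) => keys.reduce((sum, k) => sum + scores.get(k), 0) / keys.length;
  const likelihood = mean(LIKELIHOOD);
  const impact = mean(IMPACT);
  return { likelihood, impact, severity: MATRIX[level(impact)][level(likelihood)] };
}

// The default vector shown in the page's VECTOR link.
const SAMPLE = "(SL:1/M:1/O:0/S:2/ED:1/EE:1/A:1/ID:2/LC:2/LI:1/LAV:1/LAC:1/FD:1/RD:1/NC:2/PV:3)";
console.log(rate(SAMPLE));
```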