Home

Threat Modeling: E-Commerce Case Study

A storefront with cart, checkout, and a third-party payment gateway—mapped with STRIDE categories, DREAD-style scoring, and a PASTA-style staged analysis.

Scenario

Customers browse products (SPA), place orders via a BFF API, and complete payment through a PCI-scoped gateway integration. Admin users manage catalog and refunds through a separate console.

STRIDE — payment gateway threats

Spoofing: Attacker replays stolen session tokens at checkout.
Tampering: Man-in-the-middle modifies payment amount or merchant ID in API calls.
Repudiation: Customer denies placing order; missing signed audit on payment intent.
Information disclosure: Logs capture full PAN or CVV from misconfigured debug.
Denial of service: Flood checkout endpoint during flash sale.
Elevation of privilege: Support agent API allows refund without role check.

DREAD — scoring (example)

Each dimension 1–10; total shown as sum / 50 for quick comparison (teams often average instead—pick one method and stay consistent).

Token replay at checkout       D10 R9 A8 E7 D6  → 40/50
MITM on payment callback       D9  R6 A5 E8 D5  → 33/50
Verbose logging of card data   D10 R7 A6 E9 D4  → 36/50
Checkout flooding              D6  R8 A4 E3 D9  → 30/50

PASTA — 7 stages (e-commerce walkthrough)

Define objectives — Protect customer PII, maintain payment integrity, 99.9% checkout availability during campaigns.
Define technical scope — SPA, BFF, order service, payment adapter, gateway webhooks, admin console, data stores.
Application decomposition — DFDs for browse → cart → pay; trust boundaries at CDN, API gateway, and webhook ingress.
Threat analysis — STRIDE per component; abuse cases for coupons, refunds, and webhook replay.
Vulnerability analysis — Weak auth on admin paths, SSRF on webhook validator, dependency CVEs in BFF.
Attack modeling — Kill chains: phish → token theft → fraudulent orders; insider misuse of refund API.
Risk & countermeasures — Prioritize fixes; tie to secure SDLC gates and monitoring use cases.

Interactive threat matrix

Check threats your team has explicitly mitigated in design review. Use “Highlight unmitigated” to focus residual risk.

STRIDE	Threat	Mitigated?
S	Session token theft → fraudulent checkout	Reviewed
T	Webhook payload tampering (amount, order ID)	Reviewed
I	Secrets or PAN in application logs	Reviewed
D	Inventory hoarding / checkout bots	Reviewed
E	Horizontal privilege: view another user’s orders	Reviewed

Countermeasures

Threat	Countermeasure	Notes
Token replay	Short-lived tokens, binding to device / step-up for pay	Pair with anomaly detection on velocity
Webhook tamper	HMAC signatures, idempotency keys, clock skew limits	Rotate signing secrets; replay window tests
Data leakage	Log scrubbing, PCI logging standards, secret scanning	Break-glass access audited
Checkout DoS	Rate limits, bot management, queue/token for flash sales	Autoscale + WAF tuning
IDOR on orders	Server-side authorization on every read; UUID + ownership check	Integration tests for cross-tenant cases