1// Threat Model: E-Commerce Checkout API
2// Tool: OWASP Threat Dragon (JSON format)
3// Method: STRIDE per element, DREAD scoring
4
5const threatModel = {
6 summary: {
7 title: "Checkout API — Threat Model v1.2",
8 owner: "security@shop.com",
9 description: "User submits payment, API charges Stripe, updates order DB",
10 reviewer: "Security Team",
11 date: "2026-08-21",
12 },
13
14 // ─── Data Flow Diagram ────────────────────────
15 dataFlowDiagram: {
16 // Trust Boundary 1: Public Internet ↔ API Gateway
17 // Trust Boundary 2: API Gateway ↔ Internal Services
18 elements: [
19 { type: "process", label: "Checkout API", id: "proc-1" },
20 { type: "external", label: "Browser (User)", id: "ext-1" },
21 { type: "external", label: "Stripe API", id: "ext-2" },
22 { type: "store", label: "Orders DB", id: "db-1" },
23 { type: "flow", from: "ext-1", to: "proc-1",
24 label: "POST /checkout (payment data)", crossesTrustBoundary: true },
25 { type: "flow", from: "proc-1", to: "ext-2",
26 label: "Charge card (amount, token)", crossesTrustBoundary: true },
27 { type: "flow", from: "proc-1", to: "db-1",
28 label: "Write order record" },
29 ],
30 },
31
32 // ─── STRIDE Analysis ──────────────────────────
33 threats: [
34 {
35 id: "T-001",
36 element: "POST /checkout (trust boundary crossing)",
37 category: "Spoofing", // S in STRIDE
38 title: "Attacker forges user identity to place orders",
39 description: "Without strong auth, attacker reuses a stolen session token",
40 dread: { damage: 8, reproducibility: 7, exploitability: 7,
41 affectedUsers: 6, discoverability: 5 },
42 score: 6.6, // mean of DREAD values
43 mitigation: "JWT validation with short expiry; Entra ID session tokens; IP binding",
44 status: "mitigated",
45 },
46 {
47 id: "T-002",
48 element: "POST /checkout",
49 category: "Tampering", // T in STRIDE
50 title: "Attacker modifies price in checkout payload",
51 description: "API trusts client-provided price instead of recalculating server-side",
52 dread: { damage: 9, reproducibility: 9, exploitability: 8,
53 affectedUsers: 7, discoverability: 8 },
54 score: 8.2, // HIGH — fix in design
55 mitigation: "Server MUST recalculate price from product DB — never trust client price",
56 status: "open", // ← design fix required before implementation
57 },
58 {
59 id: "T-003",
60 element: "Stripe API call (trust boundary crossing)",
61 category: "Repudiation", // R in STRIDE
62 title: "Customer denies placing order (chargeback fraud)",
63 description: "No immutable audit trail correlating user identity to charge",
64 dread: { damage: 7, reproducibility: 5, exploitability: 4,
65 affectedUsers: 3, discoverability: 4 },
66 score: 4.6,
67 mitigation: "Immutable order log with: userId, IP, deviceId, timestamp, stripe chargeId",
68 status: "mitigated",
69 },
70 ],
71};
72