Section 05
Attack Surface Analysis
A TRA is only as good as the attack surface you map. Modern systems present attack surfaces across network, cloud control planes, APIs, supply chains, identity providers, and third-party integrations. This section provides systematic approaches to discovering and cataloguing every exposure point.
Related Tools
Use the Attack Tree Builder to model how threats exploit attack surface elements.
Combine attack surface findings with threat modeling from Section 04.
Attack Surface Categories
Modern Attack Surface Taxonomy
mindmap
root((Attack Surface))
Network
External Perimeter
Internal Segments
Wireless/RF
VPN Endpoints
Cloud
Control Plane
Data Plane
Management Plane
Identity Plane
Application
Web UI
APIs (REST/GraphQL/gRPC)
WebSockets
File Upload/Download
Supply Chain
Dependencies (SBOMs)
CI/CD Pipelines
Artifact Registries
Build Systems
Identity
IdP Configuration
OAuth/OIDC Flows
Federation Trusts
MFA Implementation
Third-Party
SaaS Integrations
Webhooks
API Keys/Secrets
Data Sharing
Traditional Attack Surfaces
Network Surface
- • Public-facing IPs and ports
- • DNS records (A, CNAME, MX, TXT, SRV)
- • TLS/SSL certificate inventory
- • VPN and remote access endpoints
- • Network segmentation boundaries
- • Wireless access points
- • Load balancers and CDN edges
Application Surface
- • Web application entry points
- • Authentication mechanisms
- • Input validation points
- • File upload/download handlers
- • Session management
- • Error handling and debug endpoints
- • Admin panels and dashboards
Physical Surface
- • Server room / data center access
- • USB / removable media ports
- • Physical console access
- • Badge / biometric systems
- • Visitor access protocols
- • Printer/MFP with network access
- • IoT/OT devices on network
Cloud Attack Surfaces
Cloud environments present four distinct attack planes, each requiring separate analysis.
Control Plane
APIs that manage cloud resources (e.g., AWS IAM, Azure ARM, GCP Resource Manager).
Key risks: Overprivileged IAM roles, misconfigured resource policies, cross-account access,
exposed service account keys, missing MFA on privileged accounts.
Data Plane
Where data is stored and processed (S3, RDS, Cosmos DB, BigQuery).
Key risks: Public storage buckets, unencrypted databases, excessive data retention,
cross-region replication without controls, backup exposure.
Management Plane
Cloud provider consoles, CLI tools, infrastructure-as-code pipelines.
Key risks: Shared admin credentials, unaudited console access, Terraform state file exposure,
CloudFormation drift, CI/CD secrets in environment variables.
Identity Plane
Identity providers, federation, SSO, and workload identity.
Key risks: Token theft/replay, SAML assertion manipulation, OAuth misconfiguration (implicit flow),
workload identity privilege escalation, federation trust abuse.
API Attack Surfaces
APIs are the primary attack surface for modern applications. Each API paradigm introduces different exposure points.
| API Type | Enumeration Technique | Key Attack Vectors | Common Misconfigs |
|---|---|---|---|
| REST | OpenAPI/Swagger spec, path fuzzing, verb tampering | BOLA, mass assignment, excessive data exposure | Missing rate limits, CORS wildcards, debug endpoints |
| GraphQL | Introspection queries, field suggestion, schema extraction | Nested query DoS, authorization bypass, batching abuse | Introspection enabled in production, no depth limiting |
| gRPC | Server reflection, .proto file analysis, traffic capture | Message manipulation, metadata injection, stream abuse | Reflection enabled, unauthenticated services, no TLS |
| WebSocket | Upgrade header analysis, subprotocol enumeration | CSWSH, message injection, origin bypass | Missing origin validation, no message-level authz |
Supply Chain Attack Surface
Supply chain attacks target the components your system depends on rather than the system itself. See Section 08 for detailed supply chain risk assessment.
Software Dependencies
- • Direct and transitive dependencies (npm, PyPI, Maven, NuGet)
- • Known vulnerable versions (CVE databases)
- • Typosquatting / dependency confusion packages
- • Abandoned or single-maintainer projects
- • License compliance risks
Build & Deploy Pipeline
- • CI/CD runner compromise (GitHub Actions, GitLab CI, Jenkins)
- • Artifact registry poisoning (Docker Hub, ECR, ACR)
- • Build environment tampering
- • Secret exposure in build logs
- • Unsigned / unverified artifacts
Identity Attack Surface
IdP Configuration Risks
Entra ID / Okta / Auth0:
- • App registration misconfigurations
- • Excessive API permissions (delegated and app-level)
- • Stale service principals
- • Weak conditional access policies
OAuth/OIDC Flows:
- • Implicit flow usage (token in URL fragment)
- • Missing PKCE on public clients
- • Overly broad redirect URI patterns
- • JWT algorithm confusion (alg:none)
Federation & Trust Chains
SAML assertion crafting, federated identity trust abuse, cross-tenant access, B2B partner federation gaps, workload identity federation misconfiguration. See Kerberos Attack Paths for Active Directory-specific identity attacks.
Automated Surface Discovery
python
# Cloud Attack Surface Discovery Script (AWS)
# Run during TRA scoping phase to enumerate exposure points
import json
from dataclasses import dataclass, field
@dataclass
class SurfaceFindings:
public_ips: list = field(default_factory=list)
public_s3: list = field(default_factory=list)
open_security_groups: list = field(default_factory=list)
public_apis: list = field(default_factory=list)
iam_findings: list = field(default_factory=list)
def discover_public_ips(ec2_client) -> list:
"""Enumerate all public-facing IP addresses."""
addresses = ec2_client.describe_addresses()
instances = ec2_client.describe_instances(
Filters=[{"Name": "ip-address", "Values": ["*"]}]
)
public_ips = []
for addr in addresses.get("Addresses", []):
public_ips.append({
"ip": addr.get("PublicIp"),
"association": addr.get("AssociationId", "Unassociated"),
"instance": addr.get("InstanceId", "None"),
})
return public_ips
def discover_open_security_groups(ec2_client) -> list:
"""Find security groups with 0.0.0.0/0 ingress rules."""
findings = []
groups = ec2_client.describe_security_groups()
for sg in groups.get("SecurityGroups", []):
for perm in sg.get("IpPermissions", []):
for ip_range in perm.get("IpRanges", []):
if ip_range.get("CidrIp") == "0.0.0.0/0":
findings.append({
"group_id": sg["GroupId"],
"group_name": sg["GroupName"],
"port": perm.get("FromPort", "All"),
"protocol": perm.get("IpProtocol", "All"),
})
return findings
def discover_public_s3(s3_client) -> list:
"""Check S3 buckets for public access."""
findings = []
buckets = s3_client.list_buckets()
for bucket in buckets.get("Buckets", []):
name = bucket["Name"]
try:
acl = s3_client.get_bucket_acl(Bucket=name)
for grant in acl.get("Grants", []):
grantee = grant.get("Grantee", {})
if grantee.get("URI") == "http://acs.amazonaws.com/groups/global/AllUsers":
findings.append({
"bucket": name,
"permission": grant["Permission"],
})
except Exception:
pass # Access denied = not public
return findings
def generate_surface_report(findings: SurfaceFindings) -> dict:
"""Generate attack surface summary for TRA."""
total = (
len(findings.public_ips)
+ len(findings.public_s3)
+ len(findings.open_security_groups)
+ len(findings.public_apis)
+ len(findings.iam_findings)
)
return {
"total_findings": total,
"critical": len(findings.public_s3)
+ len(findings.open_security_groups),
"categories": {
"public_ips": len(findings.public_ips),
"public_storage": len(findings.public_s3),
"open_network": len(findings.open_security_groups),
"public_apis": len(findings.public_apis),
"iam_issues": len(findings.iam_findings),
},
}# Cloud Attack Surface Discovery Script (AWS)
# Run during TRA scoping phase to enumerate exposure points
import json
from dataclasses import dataclass, field
@dataclass
class SurfaceFindings:
public_ips: list = field(default_factory=list)
public_s3: list = field(default_factory=list)
open_security_groups: list = field(default_factory=list)
public_apis: list = field(default_factory=list)
iam_findings: list = field(default_factory=list)
def discover_public_ips(ec2_client) -> list:
"""Enumerate all public-facing IP addresses."""
addresses = ec2_client.describe_addresses()
instances = ec2_client.describe_instances(
Filters=[{"Name": "ip-address", "Values": ["*"]}]
)
public_ips = []
for addr in addresses.get("Addresses", []):
public_ips.append({
"ip": addr.get("PublicIp"),
"association": addr.get("AssociationId", "Unassociated"),
"instance": addr.get("InstanceId", "None"),
})
return public_ips
def discover_open_security_groups(ec2_client) -> list:
"""Find security groups with 0.0.0.0/0 ingress rules."""
findings = []
groups = ec2_client.describe_security_groups()
for sg in groups.get("SecurityGroups", []):
for perm in sg.get("IpPermissions", []):
for ip_range in perm.get("IpRanges", []):
if ip_range.get("CidrIp") == "0.0.0.0/0":
findings.append({
"group_id": sg["GroupId"],
"group_name": sg["GroupName"],
"port": perm.get("FromPort", "All"),
"protocol": perm.get("IpProtocol", "All"),
})
return findings
def discover_public_s3(s3_client) -> list:
"""Check S3 buckets for public access."""
findings = []
buckets = s3_client.list_buckets()
for bucket in buckets.get("Buckets", []):
name = bucket["Name"]
try:
acl = s3_client.get_bucket_acl(Bucket=name)
for grant in acl.get("Grants", []):
grantee = grant.get("Grantee", {})
if grantee.get("URI") == "http://acs.amazonaws.com/groups/global/AllUsers":
findings.append({
"bucket": name,
"permission": grant["Permission"],
})
except Exception:
pass # Access denied = not public
return findings
def generate_surface_report(findings: SurfaceFindings) -> dict:
"""Generate attack surface summary for TRA."""
total = (
len(findings.public_ips)
+ len(findings.public_s3)
+ len(findings.open_security_groups)
+ len(findings.public_apis)
+ len(findings.iam_findings)
)
return {
"total_findings": total,
"critical": len(findings.public_s3)
+ len(findings.open_security_groups),
"categories": {
"public_ips": len(findings.public_ips),
"public_storage": len(findings.public_s3),
"open_network": len(findings.open_security_groups),
"public_apis": len(findings.public_apis),
"iam_issues": len(findings.iam_findings),
},
}ASM Tooling
Attack Surface Management (ASM) tools provide continuous discovery and monitoring. Integrate ASM outputs into your TRA for a living attack surface inventory.
| Tool | Type | Coverage | Integration |
|---|---|---|---|
| ProjectDiscovery (Nuclei + subfinder) | Open Source | Subdomain, port, vulnerability scanning | CI/CD, YAML templates |
| Shodan / Censys | SaaS | Internet-facing assets, banners, certificates | API, continuous monitoring |
| ScoutSuite / Prowler | Open Source | Cloud posture (AWS/Azure/GCP) | CLI, CI/CD integration |
| Microsoft Defender EASM | Commercial | External attack surface discovery | Azure, Sentinel SIEM |
| OWASP Amass | Open Source | DNS enumeration, asset discovery | CLI, graph database output |
Surface Analysis Checklist
text
Attack Surface Analysis Checklist for TRA
═════════════════════════════════════════
NETWORK SURFACE
□ Enumerate all public IPs and DNS records
□ Map exposed ports and services (Nmap/Masscan)
□ Review firewall rules and network ACLs
□ Identify VPN/remote access endpoints
□ Catalog TLS certificates and versions
CLOUD SURFACE
□ Audit IAM policies for least privilege
□ Check storage bucket/blob access policies
□ Review security group and NSG rules
□ Validate encryption at rest and in transit
□ Audit logging and monitoring coverage
API SURFACE
□ Inventory all API endpoints (REST/GraphQL/gRPC)
□ Test authentication on every endpoint
□ Verify authorization at object level (BOLA)
□ Check rate limiting and throttling
□ Review CORS and CSP policies
SUPPLY CHAIN SURFACE
□ Generate and review SBOM
□ Check dependencies for known CVEs
□ Audit CI/CD pipeline permissions
□ Verify artifact signing and provenance
□ Review third-party integration permissions
IDENTITY SURFACE
□ Audit IdP configuration (Entra/Okta/Auth0)
□ Review OAuth/OIDC flow security
□ Check MFA enforcement and bypass paths
□ Audit service account permissions
□ Review federation trust relationshipsAttack Surface Analysis Checklist for TRA
═════════════════════════════════════════
NETWORK SURFACE
□ Enumerate all public IPs and DNS records
□ Map exposed ports and services (Nmap/Masscan)
□ Review firewall rules and network ACLs
□ Identify VPN/remote access endpoints
□ Catalog TLS certificates and versions
CLOUD SURFACE
□ Audit IAM policies for least privilege
□ Check storage bucket/blob access policies
□ Review security group and NSG rules
□ Validate encryption at rest and in transit
□ Audit logging and monitoring coverage
API SURFACE
□ Inventory all API endpoints (REST/GraphQL/gRPC)
□ Test authentication on every endpoint
□ Verify authorization at object level (BOLA)
□ Check rate limiting and throttling
□ Review CORS and CSP policies
SUPPLY CHAIN SURFACE
□ Generate and review SBOM
□ Check dependencies for known CVEs
□ Audit CI/CD pipeline permissions
□ Verify artifact signing and provenance
□ Review third-party integration permissions
IDENTITY SURFACE
□ Audit IdP configuration (Entra/Okta/Auth0)
□ Review OAuth/OIDC flow security
□ Check MFA enforcement and bypass paths
□ Audit service account permissions
□ Review federation trust relationshipsSection Summary
Key Takeaways
- • Modern attack surfaces span six categories beyond traditional network/app
- • Cloud environments have four distinct attack planes
- • Each API paradigm introduces unique exposure patterns
- • Supply chain and identity surfaces are often underassessed
- • Automated ASM tools enable continuous surface monitoring
Next Steps
- • Section 06: Risk Quantification — quantify the risks you've identified
- • Section 08: Supply Chain Risk — deep-dive on supply chain assessment
- • Attack Tree Builder — model attack paths through your surface