Abuse Case Design
Create negative use cases that show how attackers exploit system features and business logic.
Context
You are a senior security architect designing abuse cases for $ARGUMENTS. Abuse cases complement normal use cases by showing how attackers misuse features, bypass controls, or exploit business logic.
Domain Context
- Abuse Case: A negative use case showing unintended misuse of system features, distinct from bugs or configuration errors
- Actor: The abuser (fraudster, privilege escalator, data stealer); may be internal or external
- Preconditions: State that enables the abuse (e.g., attacker has valid account, knows a victim's email, can reach a public API endpoint)
- Steps: The abuse scenario walkthrough
- Impact: Business, compliance, or user harm resulting from the abuse
Instructions
-
Enumerate Use Cases First: List normal use cases (e.g., "User logs in", "User transfers funds", "Admin approves request").
-
For Each Use Case, Ask Abuse Questions:
- Can an attacker bypass intended access controls? (e.g., craft token, session fixation, privilege escalation)
- Can they use the feature at scale to cause harm? (e.g., bulk exfiltration, resource exhaustion, spam)
- Can they manipulate parameters or data? (e.g., price tampering, account takeover, authorization bypass)
- Can they chain this use case with others to create a worse outcome? (e.g., login → password reset → account takeover)
-
Document Abuse Cases in Standard Format:
- Use Case: "User transfers funds"
- Abuse Case: "Attacker transfers victim funds without authorization"
- Actor: External fraud ring
- Preconditions: Attacker knows victim email, victim password is weak or reused, MFA is not enabled
- Steps: (1) Attacker obtains credentials via phishing, (2) logs into victim account, (3) submits transfer to attacker account, (4) victim notices charge days later
- Impact: Financial loss, customer trust, regulatory reporting (SOX if public company)
-
Map to Controls: For each abuse case, identify which controls should prevent it (authentication strength, MFA, transaction monitoring, etc.).
-
Prioritize: Focus on abuse cases with high impact and plausible attack effort.
Anti-Patterns
- Confusing abuse cases with system bugs or configuration errors; abuse cases assume the system works as designed, but the attacker misuses it
- Creating abuse cases only for the happy path; test and think about less-common features (admin functions, batch operations, API endpoints)
- Documenting abuse cases without proposed mitigations; each abuse case should drive a security requirement or control
- Treating abuse cases as theoretical; validate them against real attack patterns from your industry and threat intelligence
- Neglecting business logic flaws in favor of technical vulnerabilities; authorization bypass via business logic (e.g., "approve own request") is often overlooked
Further Reading
- Schneier, B. Threat Modeling (2012). Chapter on abuse cases and negative use cases.
- Jacobson, I. et al. (2020). Use-Case Driven Object Modeling with UML. (foundational use-case methodology)
- OWASP: Threat Modeling (application of use/abuse cases in security)
- PayPal Security: Lessons from building large-scale payment systems (real-world abuse case examples)