Exercise 1: identifying abuse vectors
In general, you can determine whether a feature can be abused by asking these questions about it:
- Could this be used to hurt someone physically?
- Could this be used to hurt someone emotionally?
- Could this be used to damage someone's reputation?
- Could this be used to communicate with someone without their consent?
- Could this be used to show something (text, images, etc.) to someone without their consent?
- Could this be used to learn something about a person who hasn't consented to revealing this information?
For our first exercise, we're going to take about 15 minutes to look at some examples of (fictitious) web applications and try to identify as many abuse vectors as we can.
Pick out one of the Use Cases sections and try to think of as many abuse vectors as you can for the features described. If you can, also try to think of what circumstances would motivate someone to exploit this abuse vector.
Don't worry if you're not very familiar with these applications. You can make as many assumptions as you want to about parts of their functionality that are unclear to you.