Social Engineering Adversary

This adversary knows how to trick users and manipulate people. It is usually out of scope for most technical designs, but it is one of the most commonly found adversaries in the wild.

Assumptions

It has several methods of social engineering at its disposal, and the user follows all displayed or messaged steps. It is familiar with the application logic and knows how to (ab)use features.

Goals

Usually the adversary is trying to gain information or get a foothold on the system where the application is executed.

Capabilities

It can perform any step a legitimate user of the application is privileged to do. The only limitation is the complexity of passing input to the executing user. Depending on the Input Control, it can trick the user into abusing parsing issues.