Merge pull request #2226 from OWASP/carlify-c9

Clarify C9 after moving it from AZ9

Author: sydseter

cornucopia.owasp.org/data/cards/webapp-cards-2.2-en/authorization/AZ9/explanation.md

@@ -18,11 +18,9 @@ Mike discovers that an online booking system allows rapid repeated bookings and
 
 ### STRIDE
 
-This scenario maps primarily to STRIDE: **Denial of Service** (DoS).
+This scenario maps primarily to STRIDE: **Tampering**.
 
-**Denial of Service** occurs when an attacker causes a system to become unavailable, degrade performance, or otherwise disrupt normal operation.
-Mike exploits a valid feature too quickly or too frequently, consuming server resources and creating race conditions, which affects availability and correctness. This may, as well, give him certain benefits at the expanse of others or the system.
-The attack is focused on resource exhaustion and misuse of intended functionality, which aligns with the DoS category.
+The core exploit involves manipulating the application's intended logic and data integrity through exploiting race conditions and misusing functionality. This makes Mike able to compromise the integrity of the system to produce a state that the system was never designed to allow. By doing so, Mike may be able to impersonate users through brute-force, transcend security boundaries, access sensitive data, elevate his own privileges, or deny service to others (DoS). Depending on the exploit, he might even be able to do so without anyone noticing. While the main STRIDE category is **Tampering**, the impact could span all the other STRIDE categories.
 
 ### What can go wrong?
 

cornucopia.owasp.org/data/cards/webapp-cards-3.0-en/cornucopia/C9/explanation.md

@@ -18,11 +18,9 @@ Mike discovers that an online booking system allows rapid repeated bookings and
 
 ### STRIDE
 
-This scenario maps primarily to STRIDE: **Denial of Service** (DoS).
+This scenario maps primarily to STRIDE: **Tampering**.
 
-**Denial of Service** occurs when an attacker causes a system to become unavailable, degrade performance, or otherwise disrupt normal operation.
-Mike exploits a valid feature too quickly or too frequently, consuming server resources and creating race conditions, which affects availability and correctness. This may, as well, give him certain benefits at the expanse of others or the system.
-The attack is focused on resource exhaustion and misuse of intended functionality, which aligns with the DoS category.
+The core exploit involves manipulating the application's intended logic and data integrity through exploiting race conditions and misusing functionality. This makes Mike able to compromise the integrity of the system to produce a state that the system was never designed to allow. By doing so, Mike may be able to impersonate users through brute-force, transcend security boundaries, access sensitive data, elevate his own privileges, or deny service to others (DoS). Depending on the exploit, he might even be able to do so without anyone noticing. While the main STRIDE category is **Tampering**, the impact could span all the other STRIDE categories.
 
 ### What can go wrong?
 

source/webapp-mappings-2.2.yaml

@@ -776,9 +776,9 @@ suits:
     id: "AZ9"
     value: "9"
     url: "https://cornucopia.owasp.org/cards/AZ9"
-    stride: [ D ]
+    stride: [ T ]
     owasp_scp: [ 94 ]
-    stride_print: [ 'Denial of Service' ]
+    stride_print: [ 'Tampering' ]
     owasp_dev_guide: [ ACM1 ]
     owasp_dev_guide_print: [ ACM1 ]
     owasp_asvs: [ 11.1.3, 11.1.4 ]
@@ -1325,4 +1325,4 @@ suits:
     owasp_asvs: [ "-" ]
     owasp_asvs_print: [ "-" ]
     capec: [ 184, 242, 416, 438, 441, 444, 523, 518, 519, 548, 636, 691 ]
-    safecode: [ "-" ]
+    safecode: [ "-" ]

source/webapp-mappings-3.0.yaml

@@ -1909,8 +1909,8 @@ suits:
     id: "C9"
     value: "9"
     url: "https://cornucopia.owasp.org/cards/C9"
-    stride: [ D ]
-    stride_print: [ 'Denial of Service' ]
+    stride: [ T ]
+    stride_print: [ 'Tampering' ]
     owasp_dev_guide: [ ACM1 ]
     owasp_dev_guide_print: [ ACM1 ]
     owasp_asvs: [ 2.2.1, 2.2.2, 2.3.2, 2.3.4, 2.4.1, 2.4.2, 15.3.3, 15.4.1, 15.4.2, 15.4.3, 15.4.4, 16.3.3 ]