OWASP Automated Threat (OAT – 008) Credential Stuffing

Credential stuffing – Bulk login attempts used to verify the validity of stolen username and/or password pairs. Along with Credential Cracking (OAT – 007), it is another way attackers use online bots to compromise your website security.

What is Credential Stuffing?

Credential stuffing is an online security threat in which authentication credentials stolen from elsewhere are used against another application to check whether the victim has reused the same login credentials. The intention is to take over a large set of accounts at once.

Unlike credential cracking, it does not involve any brute forcing or guessing of values; instead, credentials stolen from other applications are tested for validity.

Credential stuffing is also known by terms such as account checker attack, account checking, account takeover, account takeover attack, login stuffing, password list attack, password reuse, stolen credentials, and use of stolen credentials.

The Symptoms of Credential Stuffing

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of credential stuffing. These include:

  1. Sequential login attempts with different credentials from the same HTTP client (based on IP, User-agent, device, fingerprint, patterns in HTTP headers, etc.)

  2. A high number of failed login attempts

  3. Increased customer complaints of account hijacking through help center or social media outlets.
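
The first two symptoms can be checked directly against login logs. The following is an added example, not code from OWASP or from the original article: it flags an HTTP client (assumed here to be the IP and User-Agent pair) that tries many distinct usernames with mostly failed logins inside a sliding window. The thresholds, the event layout and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed sliding window
MAX_DISTINCT_USERS = 5         # assumed limit on distinct usernames per client
MIN_FAILURE_RATIO = 0.8        # assumed share of failed attempts in the window

def detect_stuffing(events):
    """Return {client: first alert time} for clients showing both symptoms.

    events: (timestamp, ip, user_agent, username, success) tuples sorted by
    timestamp. A client is the (ip, user_agent) pair.
    """
    recent = defaultdict(deque)  # client -> attempts still inside the window
    alerts = {}
    for ts, ip, ua, user, ok in events:
        client = (ip, ua)
        window = recent[client]
        window.append((ts, user, ok))
        # Drop attempts that have aged out of the sliding window.
        while ts - window[0][0] > WINDOW:
            window.popleft()
        users = {u for _, u, _ in window}
        failures = sum(1 for _, _, success in window if not success)
        if (client not in alerts and len(users) > MAX_DISTINCT_USERS
                and failures / len(window) >= MIN_FAILURE_RATIO):
            alerts[client] = ts
    return alerts

def sample_events():
    """Constructed sample data: one bulk client and one forgetful real user."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # Bulk client: 10 different usernames, 2 seconds apart, one valid pair.
    for i in range(10):
        events.append((t0 + timedelta(seconds=2 * i), "203.0.113.7",
                       "python-requests/2.31", f"user{i}@example.com", i == 6))
    # Real user: the same username retried four times, then a success.
    for i in range(5):
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.20",
                       "Mozilla/5.0", "alice@example.com", i == 4))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for (ip, ua), ts in detect_stuffing(sample_events()).items():
        print(f"{ts.isoformat()} possible credential stuffing from {ip} ({ua})")
```

The real user retrying one username is not flagged, because the check counts distinct usernames per client rather than raw failures.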

Sectors Targeted by Credential Stuffing

The major sectors targeted by the credential stuffing security threat include financial services, government, healthcare, education, entertainment, retail and social networking industries.

OWASP says data commonly misused as a part of credential stuffing include authentication credentials, payment cardholder data, financial data, medical data, personal data, intellectual property and other business information and public data.

The credential stuffing threat mechanism involves large-scale automated attacks that test lists of stolen credentials to check for reuse of login credentials. Username and password pairs are tested against website and mobile application authentication mechanisms.

Ways to Prevent Credential Stuffing Security Threat

OWASP suggests several possible countermeasures to address the threat of credential stuffing. These include:

  1. Guiding users about how to choose stronger and unique passwords and also on the importance of protecting relevant password recovery mechanisms.

  2. Defining test cases for credential stuffing that confirm an application will detect and prevent users attempting to use account credentials in bulk.

  3. Randomizing the content and the URLs of authentication form pages, linking these changes to the individual user’s session and verifying the changes at each authentication step.

  4. Identifying and restricting automated usage by reputation methods, ensuring that users have unique passwords by expiring passwords periodically and avoiding password reuse.

  5. Deploying stronger authentication with solutions such as CAPTCHA, reCAPTCHA, adding application-specific challenge questions and two-factor authentication methods.

Online businesses can also opt for a bot mitigation solution that prevents credential stuffing and other OWASP automated threats in real time without affecting any legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats and also ensures real-time protection against malicious bots.

With these security measures in place, your website will be able to defend against all automated web threats in real time.
