OWASP Automated Threat (OAT-018) Footprinting
Footprinting – Probe and explore application to identify its constituents and properties.
What is Footprinting?
Footprinting is an online security threat that involves gathering information with the objective of learning as much as possible about the composition, configuration and security mechanisms of the application. Unlike scraping, footprinting is an enumeration of the application itself, rather than of its data. Footprinting is used to identify all the URL paths, values, parameters, and process sequences. As the application is explored, additional paths will be identified which in turn need to be examined.
Footprinting can also include brute force, dictionary, and guessing of file and directory names. Fuzzing may also be used to identify further application resources and capabilities. However, it does not include attempts to exploit weaknesses.
Footprinting is also known by terms such as application analysis, API discovery, application enumeration, automated scanning, CGI scanning, forced browsing, micro service discovery, spidering and WSDL scanning.
The Symptoms of Footprinting
OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of footprinting. These include:
- Increase in system and application error codes, such as HTTP status codes 404 and 503, in the same user session
- Users that exercise the functionality of the entire application in a manner that diverges from typical user behavior
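As an added example (not from OWASP or this article), the following Python turns the two symptoms above into a per-session check run over constructed access-log lines; the log format, the session id field, the thresholds and the function names are all assumptions.

```python
from collections import defaultdict
# Constructed sample log lines (session id, method, path, HTTP status):
# a1 behaves like a normal user, b7 walks many paths and collects 404/503s.
SAMPLE_LOG = """\
sess=a1 GET /login 200
sess=a1 GET /account 200
sess=a1 GET /orders 200
sess=a1 GET /orders 200
sess=a1 GET /logout 200
sess=b7 GET /admin 404
sess=b7 GET /admin.bak 404
sess=b7 GET /backup.zip 404
sess=b7 GET /api/v1/ 503
sess=b7 GET /login 200
"""

def parse_log(text):
    # Return (session, method, path, status) tuples; malformed lines are skipped.
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].startswith("sess=") and parts[3].isdigit():
            events.append((parts[0][5:], parts[1], parts[2], int(parts[3])))
    return events

def session_stats(events):
    # Per session: request count, 404/503 count and the set of distinct paths.
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for sess, _method, path, status in events:
        stats[sess]["requests"] += 1
        stats[sess]["errors"] += int(status in (404, 503))
        stats[sess]["paths"].add(path)
    return stats

def flag_sessions(stats, min_requests=5, error_ratio=0.5, distinct_paths=5):
    # Flag on either symptom (404/503 spike in one session, or unusually broad
    # coverage of the application); thresholds are assumed starting values.
    flagged = {}
    for sess, s in stats.items():
        if s["requests"] < min_requests:   # too little data to judge
            continue
        reasons = []
        ratio = s["errors"] / s["requests"]
        if ratio >= error_ratio:
            reasons.append("error ratio %.2f" % ratio)
        if len(s["paths"]) >= distinct_paths:
            reasons.append("%d distinct paths" % len(s["paths"]))
        if reasons:
            flagged[sess] = reasons
    return flagged
```

Tune the thresholds against the site's own baseline: a normal session on a small application may legitimately touch every path, so the distinct-path signal is only meaningful relative to typical user coverage.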
Sectors Targeted by Footprinting
The major sectors targeted by the footprinting security threat include the education, entertainment, financial, government, health, retail, technology and social networking industries.
According to the Automated Threat Handbook for Web Applications published by OWASP, these attacks result in misuse of various types of data. That includes authentication credentials, payment cardholder data and other financial data; medical and other personal data; intellectual property and other business data; and public information.
Ways to Prevent Footprinting Security Threat
OWASP suggests several possible countermeasures to address the threat of footprinting. These include:
- Entirely outsourcing all payment aspects to an appropriate payment service provider that has its own countermeasures in place for footprinting, increasing the minimum checkout value, and removing payment by card entirely if alternatives are available. But these security checks are only the start of a larger, more formidable protection against fraudsters hunting down valid credit card numbers.
- Consider randomizing the content and URLs of payment submission pages and payment forms, linking these changes to the individual user's session, verifying the changes at each payment step and restricting any identified automated usage.
- Organizations can consider monitoring and limiting the rate of card authorization attempts per session, user, IP address, device, and fingerprint. This way, automation attempts and malicious users are blocked as soon as they have reached a set number of failed attempts while testing different card numbers.
- Identify and restrict automated usage by reputation methods. In particular, businesses can use geolocation and/or IP address block lists to prevent access to payment parts of the application. They can also use address and card reputation services and add delays in the checkout steps for new and rare customers.
- OWASP also recommends that organizations participate in ecommerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.
All of the above proactive measures fight back against malicious users without causing harm to legitimate users. But some dedicated fraudsters will go to great lengths to strengthen their footprinting efforts.
Online businesses can also opt for a bot mitigation solution that prevents footprinting and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats, and it also ensures real-time protection against malicious bots.
By having these security measures in place, your website will be able to defend in real time against online security threats such as the OWASP automated threats.