OWASP Automated Threat (OAT- 016) Skewing

Skewing – Repeated link clicks, page requests or form submissions intended to alter some metric.

What is Skewing?

It is an automated repeated clicking or requesting or submitting content, affecting application-based metrics such as counts and measures of frequency and/or rate. The metric or measurement may be visible to users (e.g., betting odds, likes, market/dynamic pricing, visitor count, poll results, and reviews) or hidden (e.g., application usage statistics, business performance indicators). Metrics may affect individuals as well as the application owner, e.g., user reputation, influence others, gain fame, or undermine someone else's reputation.

Skewing is also known by the terms such as biasing KPIs, hit count fraud, metric and statistic skewing, page impression fraud, poll fraud, poll skewing and rating/review skewing.

The Symptoms of Skewing

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, notes that there are several possible symptoms of skewing. These include,

  1. Decreased click/impression to outcome ratio (e.g., check out, conversion)

  2. Unexpected or unexplained changes a metric

  3. Metric significantly different to accepted sector norms

  4. Increased costs/awards that are determined from an application metric or metrics

Sectors Targeted by Skewing

According to the Automated Threat Handbook published by OWASP, skewing is aimed at companies in industries including education, entertainment, government, financial, healthcare, retail, technology and social networking.

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, says data commonly misused in scraping incidents include authentication credentials, payment cardholder data and other financial data, medical and other personal data, intellectual property and other business data and public information.

The handbook notes that some skewing might use compromised accounts, or the information might be accessible without authentication. The scraper might attempt to read all accessible paths and parameter values for web pages and APIs, collecting the responses and extracting data from them. Scraping can occur in real-time or be more periodic.

Ways to Prevent Skewing Security Threat

OWASP suggests several possible countermeasures for organizations to address the threat of skewing. These include,

  1. Identify all metrics and methods they could be manipulated by different types of users, defining logging requirements that capture sufficient information for thorough analysis of application activity contributing to each metric.

  2. Defining test cases for skewing that confirm an application will detect and/or prevent users attempting to skew metrics.

  3. Consider randomizing the content and URLs of metric related content, linking these changes to the individual user’s sessions, verifying the changes at each request, and restricting any identified automated usage.

  4. OWASP suggests, identifying and restricting automated usage by fingerprinting and/or using the information to reject related contributions, identifying and limiting automated usage by reputation methods, requiring identity authentication, re-authentication or some other increased authentication assurance for access to areas where metric data are collected and limiting the rate at which activity of a session, IP address, account/user or device contributes to each metric.

These are the primary security checks against skewing attacks, but few dedicated fraudsters will go beyond the lengths to straighten their skewing effort often operating through privacy browsers, VPN, proxy servers to blur their online identity. Above mentioned are the few security measures that help fight back against malicious users such as skewing, without causing harm to your legitimate users.

Online businesses can also opt for a bot mitigation solution that prevents skewing and even other OWASP automated threats in real-time without affecting any legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats and also ensure real-time protection against malicious bots. Bot mitigation solution can block all automated ways to expedite actions on websites by bots.

By having these security measures in place, your website will be able to defend against the online security threats such as skewing and other OWASP automated threats in real-time.