
OWASP Automated Threat (OAT-002) Token Cracking

Token cracking – Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.

What is Token Cracking?

Token cracking is the identification of valid token codes that provide some form of user benefit within the application. The benefit may be a cash alternative, a non-cash credit, a discount, or an opportunity such as access to a limited offer.

Token cracking is also known by terms such as coupon guessing and voucher, gift card and discount enumeration.

The Symptoms of Token Cracking

OWASP, the organization focused on improving the security of software, notes that there are several possible symptoms of token cracking. These include:

  1. Multiple failed token attempts from the same user and/or IP address and/or user agent and/or device ID/fingerprint

  2. A high number of failed token attempts

Sectors Targeted by Token Cracking

The major sectors targeted by token cracking are entertainment, financial services and retail.

OWASP, the worldwide not-for-profit charitable organization focused on improving the security of software, describes token cracking as the mass enumeration of coupon numbers, voucher codes, discount tokens, etc.

OWASP also notes that the data commonly misused in such incidents includes authentication credentials, payment cardholder data, financial data, medical data, personal data, intellectual property and other business information, and public data.

Ways to Prevent the Token Cracking Security Threat

OWASP suggests several possible countermeasures for organizations to address the threat of token cracking. These include:

  1. Consider randomizing the content and URLs of authentication form pages, linking these changes to an individual user's session, verifying the changes at each authentication step, and restricting any identified automated usage. This minimizes the potential for automated attacks, since each route to an account changes before a bad actor can run their scripted attack to completion.

  2. Define test cases for token cracking that confirm the application will detect and/or prevent users from attempting to guess usernames and passwords.

  3. Identify and restrict automated usage by reputation methods, and apply rate limits to the number of failed token submission attempts per session, user, IP address and device fingerprint.

  4. Identify and restrict automated usage by fingerprinting before a token cracking attempt can occur, and by reputation methods. For this practice, organizations should consider using geolocation and IP address blocklists to prevent access to authentication functions.

  5. IT security and security management should restrict users from choosing common or weak passwords, as those passwords are easy and effortless for bad actors to crack. Companies should also apply incremental account lockout to accounts with suspicious login attempts.

  6. OWASP also recommends that organizations participate in ecommerce threat intelligence exchanges and contribute any relevant attack data to sector-wide sharing systems.
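The two symptoms listed earlier (repeated failures from one session, user, IP or device fingerprint, and a high overall failure count) and countermeasures 3 and 5 (per-dimension rate limits and incremental lockout) rest on the same bookkeeping: counting failed redemptions per key inside a time window. The Python below is an added example written for this page, not code from OWASP or from the page's author; the event format, the 60-second window, the limits, the lockout schedule and the sample traffic are all assumptions chosen for illustration. The replayed traffic is constructed so that the enumerating client rotates its session id on every request, which is why limits keyed on IP and device fingerprint, and not only on the session, are what stop it.

```python
"""Failed token-redemption tracking: reports the OAT-002 symptoms and applies
per-dimension rate limits with incremental lockout.

Added example, not code from OWASP or the page's author. Window length,
limits, lockout schedule and event format are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60          # assumed sliding window for counting failures
BASE_LOCKOUT_SECONDS = 30    # assumed first lockout; doubles on each repeat
MAX_LOCKOUT_SECONDS = 3600
# Assumed limits on failed submissions per dimension inside the window.
LIMITS = {"session": 5, "user": 5, "ip": 20, "fingerprint": 10}
GLOBAL_FAILURE_ALERT = 20    # assumed threshold for "high number of failed attempts"


@dataclass
class Decision:
    allowed: bool
    reason: str
    lockout_seconds: int = 0


class TokenRedemptionGuard:
    def __init__(self):
        self.window = defaultdict(deque)   # (dimension, value) -> failure timestamps
        self.lockouts = {}                 # (dimension, value) -> (locked_until, strikes)
        self.totals = defaultdict(int)     # cumulative failures, for symptom reporting
        self.global_failures = 0

    @staticmethod
    def _prune(dq, now):
        while dq and now - dq[0] > WINDOW_SECONDS:
            dq.popleft()

    def check(self, keys, now):
        """Call before validating a submitted code; every non-empty dimension is checked."""
        for key in ((d, v) for d, v in keys.items() if v):
            until, strikes = self.lockouts.get(key, (0.0, 0))
            if now < until:
                return Decision(False, f"locked out on {key[0]}", int(until - now))
            dq = self.window[key]
            self._prune(dq, now)
            if len(dq) >= LIMITS[key[0]]:
                strikes += 1  # incremental lockout: each repeat doubles the duration
                lock = min(BASE_LOCKOUT_SECONDS * 2 ** (strikes - 1), MAX_LOCKOUT_SECONDS)
                self.lockouts[key] = (now + lock, strikes)
                dq.clear()    # the window restarts once the lockout ends
                return Decision(False, f"rate limit exceeded on {key[0]}", lock)
        return Decision(True, "ok")

    def record(self, keys, success, now):
        """Call after validating the code; only failures are counted."""
        if success:
            return
        self.global_failures += 1
        for key in ((d, v) for d, v in keys.items() if v):
            self.window[key].append(now)
            self.totals[key] += 1

    def symptoms(self):
        """The two OWASP-listed symptoms, as observed in the traffic so far."""
        found = []
        if self.global_failures >= GLOBAL_FAILURE_ALERT:
            found.append(f"high number of failed token attempts: {self.global_failures}")
        for (dim, val), n in sorted(self.totals.items()):
            if n >= LIMITS[dim]:
                found.append(f"{n} failed attempts from {dim}={val}")
        return found


def build_sample_events():
    """Constructed traffic, not real logs: (timestamp, keys, token_was_valid)."""
    shopper = {"session": "s-1", "user": "alice", "ip": "203.0.113.10", "fingerprint": "fp-a"}
    events = [(0.0, shopper, False), (5.0, shopper, False), (9.0, shopper, True)]
    # Enumerating client: one guess per second for two minutes, a fresh session
    # id each time, but the same IP address and device fingerprint throughout.
    for i in range(120):
        bot = {"session": f"s-bot-{i}", "user": None, "ip": "198.51.100.7", "fingerprint": "fp-b"}
        events.append((10.0 + i, bot, False))
    return events


def replay(events):
    """Feed events through the guard; returns (guard, processed, blocked)."""
    guard = TokenRedemptionGuard()
    allowed = blocked = 0
    for ts, keys, valid in events:
        if not guard.check(keys, ts).allowed:
            blocked += 1
            continue
        allowed += 1
        guard.record(keys, valid, ts)
    return guard, allowed, blocked


if __name__ == "__main__":
    guard, allowed, blocked = replay(build_sample_events())
    print(f"processed={allowed} blocked={blocked}")
    for line in guard.symptoms():
        print("symptom:", line)
    print("lockouts:", guard.lockouts)
```

In the replay the shopper's two typos never reach a limit, while the enumerating client is first locked out on its device fingerprint, then on its IP address, and its second fingerprint strike doubles the lockout; the session limit never fires because the session id changes on every request. Of the 120 automated attempts only 20 are ever evaluated against the token store, and the symptom report names both the IP and the fingerprint.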

These are the primary security checks against token cracking attempts, but a few dedicated fraudsters will go to greater lengths to sustain their token cracking effort, often operating through privacy browsers, VPNs and proxy servers to obscure their online identity. The measures above help fight back against malicious users such as token crackers without causing harm to your legitimate users.

Online businesses can also opt for a bot mitigation solution that prevents token cracking attempts, and other OWASP automated threats, in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate way to prevent OWASP Automated Threats and also ensures real-time protection against malicious bots. A bot mitigation solution can block all the automated ways bots use to expedite actions on websites.

By deploying these methods, you build a more robust defense against token cracking and other similar security threats.