The Risk of OWASP Automated Threats to Web Applications

Web applications and APIs are often subjected to unwanted automated usage. These events relate to the misuse of inherent, valid functionality rather than the attempted exploitation of unmitigated vulnerabilities. Automated threats expose many industries, including e-commerce, travel, online media, classifieds and listing websites, to the abuse of business processes, including online fraud. These threats are launched through bot attacks on sites. Bots are scripts written to perform specific tasks on the internet. Competitors and attackers use these bots relentlessly, causing significant pain to business owners and operators, and sometimes even to users. Going by the numbers, at InfiSecure we have seen almost 54% of global traffic coming from online bots, and advanced persistent bots make up 80% of that bot traffic.

OWASP (The Open Web Application Security Project) was established in 2001 to provide a free and open software security community. The main motto of OWASP is to make software security visible so that businesses can make informed decisions. It provides an unbiased view of software security issues and does not endorse or recommend commercial products or services. One of OWASP's projects is to publish a list of the automated threats that online businesses face today.

OWASP Automated Threat Handbook to Web Applications

The OWASP Automated Threat Handbook provides actionable information and resources to help defend against automated threats to web applications. The handbook is a standard reference guide in which the threats are grouped into four major categories: account credentials, payment cardholder data, vulnerability identification and other automated threats.

Account credentials

  • Account Aggregation – Use by an intermediary application that collects multiple accounts together and interacts with the site on their behalf.

  • Account Creation – Creating multiple accounts for subsequent misuse. This threat can be used to boost a site's reputation artificially, generate content spam and skew website SEO.

  • Credential Cracking – Finding valid login credentials by brute force (trying different values for username and password sets).

  • Credential Stuffing – Bulk login attempts to verify the validity of stolen username/password sets. The stolen pairs are replayed against another application to check whether the victim has reused the same login credentials there.
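The two account-credential threats above leave different footprints in a login audit log: credential cracking hammers one account with many guesses, while credential stuffing tries many accounts roughly once each. The following is an added illustration of that distinction, not InfiSecure's or OWASP's code; the log format, the sample lines and the thresholds are assumptions.

```python
"""Classify automated login activity per source IP using the OWASP definitions:
Credential Cracking = many guesses against one account; Credential Stuffing =
many distinct accounts, each tried about once, with a high failure rate.
Added illustration only; the log format and thresholds are assumed."""
from collections import Counter, defaultdict

# Constructed sample audit lines (assumed format: time source_ip username result)
SAMPLE_LOG = """\
10:00:01 198.51.100.7 alice FAIL
10:00:02 198.51.100.7 alice FAIL
10:00:03 198.51.100.7 alice FAIL
10:00:04 198.51.100.7 alice FAIL
10:00:05 198.51.100.7 alice FAIL
10:00:06 198.51.100.7 alice FAIL
10:00:01 203.0.113.9 bob FAIL
10:00:01 203.0.113.9 carol FAIL
10:00:02 203.0.113.9 dave OK
10:00:02 203.0.113.9 erin FAIL
10:00:03 203.0.113.9 frank FAIL
10:00:03 203.0.113.9 grace FAIL
10:00:04 203.0.113.9 heidi FAIL
10:00:07 192.0.2.5 ivan FAIL
10:00:09 192.0.2.5 ivan OK
"""

def parse(log_text):
    """Group attempts by source IP: {ip: {"users": Counter, "fail": n, "total": n}}."""
    stats = defaultdict(lambda: {"users": Counter(), "fail": 0, "total": 0})
    for line in log_text.splitlines():
        _time, ip, user, result = line.split()
        s = stats[ip]
        s["users"][user] += 1
        s["total"] += 1
        if result == "FAIL":
            s["fail"] += 1
    return stats

def classify(stats, min_attempts=5, fail_ratio=0.8):
    """Return {ip: label}. Thresholds are assumed; tune them to your own traffic."""
    labels = {}
    for ip, s in stats.items():
        # Too few attempts or mostly successful: a user mistyping a password.
        if s["total"] < min_attempts or s["fail"] / s["total"] < fail_ratio:
            labels[ip] = "benign"
            continue
        distinct = len(s["users"])
        if distinct == 1:                      # one account, many guesses
            labels[ip] = "credential_cracking"
        elif distinct / s["total"] > 0.8:      # ~one guess per account; an
            labels[ip] = "credential_stuffing" # occasional OK is expected here
        else:
            labels[ip] = "suspicious"
    return labels
```

A single successful login inside a stuffing burst (dave above) is the signal worth alerting on, since it means a reused credential pair is now known to work.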

Payment Cardholder Data

  • Carding – Multiple payment authorization attempts to verify the validity of bulk stolen payment card data.

  • Card Cracking – Identifying missing validity (start/expiry) dates and security codes for stolen payment card data through brute force guessing.

  • Cashing Out – Purchasing goods or obtaining cash using validated stolen payment card or other user account data.

Vulnerability Identification

  • Footprinting – Examining and exploring an application to find out its constituents and properties.

  • Vulnerability Scanning – Crawling and scanning an application to identify all possible vulnerabilities and weaknesses. The same activity is also used legitimately to support application security testing.

  • Fingerprinting – Extracting information about the supporting software, framework types and versions by sending requests to an application.

Other Automated Threats

  • Ad Fraud – False clicks and fraudulent display of web-placed advertisements, usually done to inflate the click count.

  • CAPTCHA Bypass – Successful attempts to defeat anti-automation tests.

  • Denial of Service – Targeting the resources of application and database servers, or individual user accounts, to achieve a denial of service (DoS).

  • Expediting – Performing tasks to hasten the progress of usually slow, tedious or time-consuming actions.

  • Scalping – Checking for and obtaining limited-availability goods or services, denying them to legitimate users. Scalping is frequently used to acquire tickets and resell them at a much higher price.

  • Scraping – Extracting application content from a website and reusing it elsewhere. Scrapers can use fake accounts to gather data from accessible paths and parameter values of web pages and APIs.

  • Skewing – Repeated page requests, link clicks or form submissions that artificially inflate or skew a specific metric, for example to boost the visitor count of a website.

  • Sniping – A last-minute bid or offer for goods or services.

  • Spamming – Malicious or unwanted information that appears in public or private content such as forums, blogs, articles, databases or user messages.

  • Token Cracking – Mass enumeration of coupon codes, voucher codes and discount tokens by brute force, for instance to gain discounts or cash.

  • Inventory Exhaustion – Tying up the sale or allocation of goods stock and services so that they are denied to legitimate users.

InfiSecure is the most accurate bot protection solution to detect and mitigate OWASP Top Automated Threats in real time. InfiSecure blocks bad bot traffic, while ensuring legitimate users continue to access your website.