The Open Web Application Security Project (OWASP) is a free and open community that aims to provide clear, unbiased coverage of software security issues and a common space for discussing them. To support that discussion, OWASP's Automated Threats to Web Applications Project has taken on the task of establishing a shared vocabulary of automated threats: threat events in which bots misuse web applications, occasionally leading to application denial of service. Its Automated Threat Handbook is a standard reference guide that classifies the following top 20 automated threats, grouped into four major categories: Account Credentials, Payment Cardholder Data, Vulnerability Identification, and Other Automated Threats.
Top 20 Automated Threats and Descriptions
- Account Aggregation compiles multiple account credentials and information into a single system. Such an application can be used to merge account information from across multiple applications, or information from multiple accounts on a single application.
- Account Creation allows a user to create multiple accounts on an application, by using the application’s native account sign-up processes. This threat event can be used to artificially boost a website’s reputation, skew SEO, or generate bulk content spam.
- Credential Cracking identifies valid login credentials through repeated brute-force guessing attacks.
- Credential Stuffing is a threat event in which stolen authentication credentials from elsewhere are used against another application to see whether the victim has recycled the same login credentials.
- Carding is used to weed out invalid credit card/debit card information and identify valuable data. This is accomplished by testing a group of complete sets of cardholder information against a merchant’s payment process.
- Card Cracking identifies missing payment card information (e.g. card expiration date and CSC) through brute force guessing.
- Cashing Out occurs when stolen card information is used to obtain currency or valuable merchandise.
- Footprinting explores an application to identify all its URL paths, parameters and values, and process sequences, while probing it for vulnerabilities to discover its attack surface area.
- Vulnerability Scanning crawls and fuzzes applications, examining all possible content locations, paths, file names and parameters in order to find security vulnerabilities. The same technique can also be used legitimately to bolster application security.
- Fingerprinting sends requests to an application to gather information and generate a profile of its supporting software and framework types and versions. The probe identifies application components by scanning aspects such as HTTP header names and values, and session identifier names and formats.
- Ad Fraud falsifies the number of times a web advertisement has been clicked on, usually in order to increase the click count.
- CAPTCHA Fraud fools such tests (including visual, aural, and puzzle) using automation to determine the correct answer.
- Denial of Service attacks use bots that imitate legitimate users to exhaust an application’s resources, including its file system, memory, processes, threads, CPU, and human or financial resources.
- Expediting is an automated threat that uses speed to game an application for individual gain, allowing actors to progress quickly through a series of application processes. Examples of expediting include high frequency trading and algorithmic trading in financial contexts, and gold farming in gaming.
- Scalping uses automation to unfairly obtain limited-availability and scarce goods in bulk, depriving other users of access to them. Scalping is frequently used to acquire tickets and resell them at a markup.
- Scraping collects application data, including accessible data and output from application processes. Scrapers can use compromised or fake accounts, or collect data from accessible paths and parameter values of web pages and APIs.
- Skewing automates clicks and requests in order to artificially inflate or skew a certain application metric. It can be used to boost a site visitor count, for example.
- Sniping is an automated threat that performs an action at the last possible moment, depriving other users of the opportunity to respond in kind. The best-known example of this occurs in auctions.
- Spamming transmits malicious or other forms of illegitimate information to databases and user messages, diluting comment threads with questionable content, boosting SEO, or disseminating malware, for example.
- Token Cracking is used to identify token codes such as coupon numbers and voucher codes, sometimes via brute force, in order to gain cash, credit, or discounts, for instance.
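The Account Credentials entries above (Credential Cracking and Credential Stuffing) differ mainly in their shape in authentication logs: cracking concentrates many attempts on few usernames, while stuffing tries many distinct usernames roughly once each. The following added example, written for this page and not taken from the OWASP handbook, applies that distinction as a simple per-source heuristic over a constructed log sample; the log format, the threshold values and the function names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not real traffic):
# <timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.5 alice FAIL
2024-01-01T10:00:02Z 203.0.113.5 bob FAIL
2024-01-01T10:00:03Z 203.0.113.5 carol FAIL
2024-01-01T10:00:04Z 203.0.113.5 dave OK
2024-01-01T10:00:05Z 203.0.113.5 erin FAIL
2024-01-01T10:00:06Z 198.51.100.9 alice FAIL
2024-01-01T10:00:07Z 198.51.100.9 alice FAIL
2024-01-01T10:00:08Z 198.51.100.9 alice FAIL
2024-01-01T10:00:09Z 198.51.100.9 alice FAIL
2024-01-01T10:00:10Z 198.51.100.9 alice OK
2024-01-01T10:00:11Z 192.0.2.77 frank OK
2024-01-01T10:00:12Z 192.0.2.77 frank FAIL
"""

def parse_log(text):
    """Yield (source_ip, username, succeeded) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"

def classify_sources(text, min_attempts=4, min_fail_ratio=0.5):
    """Label each source IP 'credential_stuffing', 'credential_cracking' or 'normal'.

    Thresholds are illustrative assumptions, not handbook values. A per-IP view
    misses stuffing spread low-and-slow across many sources; a production
    detector would also track the global share of never-before-seen usernames.
    """
    per_ip = defaultdict(list)
    for ip, user, ok in parse_log(text):
        per_ip[ip].append((user, ok))
    verdicts = {}
    for ip, attempts in per_ip.items():
        total = len(attempts)
        failures = sum(1 for _, ok in attempts if not ok)
        distinct_users = len({u for u, _ in attempts})
        if total < min_attempts or failures / total < min_fail_ratio:
            verdicts[ip] = "normal"            # too little, or mostly successful
        elif distinct_users / total >= 0.8:
            verdicts[ip] = "credential_stuffing"  # one try per many accounts
        elif distinct_users <= max(1, total // 3):
            verdicts[ip] = "credential_cracking"  # many tries per few accounts
        else:
            verdicts[ip] = "normal"
    return verdicts
```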