OWASP Top 21 Automated Threats to Web & APIs

The pace at which online bots are taking up the internet, it is not a surprise that bot traffic constitutes more than 50% of the entire web traffic.

There are good bots out there that help online businesses rise in search engine rankings and improve customer experience, according to a report by Lincoln Labs. Then there are bad bots that have evolved so much that traditional security solutions like a WAF or CAPTCHA solutions are proving to be mostly ineffective against detecting such advanced bots.

From web scraping, bypassing CAPTCHA challenges to engaging in nefarious activities like spamming, account takeover, credential stuffing, sniping and carding, automated bots are the most preferred tool. Bad actors behind these fraudulent activities keep improving the automated programs to create even more advanced persistent bots that can accurately mimic human behavior to evade detection.

The rise in automated bot attacks on web applications has even moved the Open Web Application Security Project (OWASP), the online community focused on improving the security of software in the field of automated threats. To stay updated to the latest online security threats, OWASP released the first Automated Threat Handbook in late 2015, specifically to help organizations better understand and respond to the notable worldwide increase of automated threats from bots. The handbook breaks down the Top 21 automated threats into four main categories – Account Credentials, Payment Cardholder Data, Vulnerability Identification, and Other Automated Threats. Today, major online businesses look to OWASP for online security preparedness and to be aware of the latest automated threats to web applications and APIs. Here is the list and description of OWASP Top 21 Automated Threats:

  • Account Credentials

Today’s sophisticated bots can practically steal enough user credentials to create a severe web security breach with consequences ranging from financial losses and stolen data to scams and identity theft.

  • Account Aggregation – Account Aggregation collects multiple account credentials and other information into a single system. Such an application can be used to combine account information from across multiple applications or data from multiple accounts on a single application.Some of the most evident signs of account aggregation activity can be suspicious account information access behavior patterns (e.g., geolocation, time zones) that do not match the user profile or a lack of end-user engagement with the service provider.
  • Account Creation – Account Creation allows a user to create multiple accounts on an application, by adopting the application’s native account sign-up processes. This threat event can artificially hike a website’s reputation, skew SEO, or generate bulk content spam.Some of the most common symptoms of account creation can be a higher than average account creation rate compared to average rate over time or accounts with incomplete information relative to the typical account holders.
  • Credential Cracking – Automated programs or bots are also used to identify valid login credentials by trying different values for usernames and passwords.Some of the signs of credential cracking activity can be a rise in the number of failed login attempt and account lock rate or many web requests containing variations on the account name and password.
  • Credential Stuffing – Credential Stuffing is a threat event in which stolen authentication credentials from elsewhere are used against another application to see whether the victim has recycled the same login credentials.Some of the most common symptoms of credential stuffing can be consecutive login attempts with different credentials from the same HTTP client or a high number of failed login attempts.
  • Payment Cardholder Data

When bad bots can extract account credential information, then it becomes even more accessible for such actors behind bad bots to steal payment cardholder data.

  • Carding – Carding is used to weed out invalid credit card/debit card information and identify valuable data. Carding is done by testing a group of complete sets of cardholder information against a merchant’s payment process.Some of the most evident signs of carding activity can be a rise in basket abandonment, reduction in average basket price, a higher proportion of failed payment authorizations, disproportionate use of the payment step or an increase in chargebacks.
  • Card Cracking – Automated attacks are made to identify missing start/expiry dates and security codes for stolen payment card data by trying various values.Some of the most common symptoms of card cracking threat can be a rise in basket abandonment, a high proportion of failed payment authorizations, disproportionate use of the payment step, reduction in average basket price or an increase in chargebacks.
  • Cashing Out – Bots can be programmed to acquire goods or obtain cash utilizing validated stolen payment card or other user account data. Theoretically, if a well-deployed bad bot setup targets a web application, it could quickly gather cardholder data, steal allowance and resell personal account information before you get the chance even to notice it or react.Some of the most evident signs of cashing out activity can be an increase in chargebacks, increase in usage of interlinked accounts (e.g. same phone number, same password, identical or similar email address), increase in demand for higher-value goods or services or an increase in demand for a single supplier’s products or services.
  • Vulnerability Identification

According to Open web application security project (OWASP), there are hundreds of issues that could influence the security of a web application, and it only takes the detection of one to allow a hacker an access path to the valuable customer or business information. The process of discovering potential targets is ideally suited to automation and automated attacks.

  • Footprinting – Footprinting explores an application to identify all its URL paths, parameters and values, and process sequences while probing it for vulnerabilities to discover its attack surface area.Some of the most common symptoms of footprinting activity can be an increase in system and application error codes, such as HTTP status codes 404 and 503, in the same user session or users that exercise the functionality of the entire application in a manner that diverges from typical user behavior.
  • Vulnerability Scanning – Vulnerability Scanning crawls and fuzzes applications, examining all possible content locations, paths, file names, parameters, to discover web security vulnerabilities.Some of the most evident signs of vulnerability scanning can be a highly elevated occurrence of errors (e.g., HTTP status code 404 not found, data validation failures, authorization failures), extremely high application usage from a single IP address, high ratio of GET/POST to HEAD requests for a user/ session/IP address compared to typical users or multiple misuse attempts against application entry points.
  • Fingerprinting – Fingerprinting sends requests to an application to gather information and generate a profile of its supporting software and framework types and versions. The probe identifies application components by scanning aspects such as HTTP header names and values, and session identifier names and formats.Some of the most common symptoms of fingerprinting activity can be single HTTP requests (just one single request and no more from that browser/session/device/fingerprint) or requests for resources that are rarely requested.
  • Other Automated Threats
  • Ad Fraud – Ad fraud refers to falsification of the number of times an item such as an advert is clicked on or the number of times an advertisement is displayed. Ad Fraud is usually to increase the click count.Some of the most evident signs of ad fraud can be low conversion ratios during spikes, unusual peaks in the number of clicks or impressions or high bounce rate during peaks in impressions or clicks.
  • CAPTCHA Bypass – CAPTCHA fraud fools such tests (including visual, aural, and puzzle) using automation to determine the correct answer.Some of the most common symptoms of CAPTCHA Bypass by bots can be a high CAPTCHA solving success rate on fraudulent accounts or suspiciously fast or fixed CAPTCHA solving times.
  • Denial of Service – Denial of Service attacks use bots that imitate legitimate users to exhaust an application’s resources, including its file system, memory, processes, threads, CPU, and human or financial resources.Some of the most evident signs of denial of service can be spikes in CPU, memory and network utilization, unavailability of part or all of the application, a rise in user account lockouts or reduced website performance and service degradation.
  • Expediting – Expediting is an automated threat that uses speed to game an application for individual gain, allowing actors to progress quickly through a series of application processes. Examples of expediting include high-frequency trading and algorithmic trading in financial contexts, and gold farming in gaming.Some of the most common symptoms of Expediting activity can be uncharacteristically fast progress through multi-stage processes.
  • Scalping – Scalping uses automation to unfairly obtain limited-availability and scarce goods in bulk, depriving other users of access to them. Scalping is frequently used to acquire tickets and resell them at a markup.Some of the most evident signs of scalping can be high peaks of traffic for certain limited-availability goods or services or an increase in circulation of limited goods reselling on the secondary market
  • Scraping – Using bots to scrape original content or real-time prices from a website to refurbish the content or prices on other platforms amount to content scraping, web scraping or price scraping. Scraping is done on a large-scale using automated computer scripts that download original content and upload the same on new platforms. Scrapers can use compromised or fake accounts or collect data from accessible paths and parameter values for web pages and APIs.Some of the most common symptoms of scraping can be unusual request activity for selected resources (e.g., high rate, high-number, fixed period), an occurrence of duplicated content from multiple sources in search engine results, decreased search engine ranking or the emergence of new competitors with similar service offerings.
  • Skewing – Skewing automates clicks and requests to inflate or skew a specific application metric artificially. It can also be used to boost a site visitor count.Some of the most evident signs of skewing can be decreased click/impression to outcome ratio (e.g., check out, conversion), unexpected or unexplained changes to a metric or metrics significantly different to accepted industry norms.
  • Sniping – Sniping is an automated threat that allows users to act at the last possible minute, depriving other genuine users of the opportunity to respond in kind. The most well-known example of sniping occurs in auctions.Some of the most common symptoms of sniping can be an increase in complaints from users about being unable to obtain goods/services or some users having higher success rate than expected.
  • Spamming – Spamming transmits malicious or other forms of wrong information to databases and user messages, diluting comment threads with questionable content, boosting SEO, or disseminating malware, for example.Some of the most evident signs of spamming can be an increase in the rejection rate of user-generated content by moderation processes, a high percentage of complaints from users about spam content or high hyperlink density.
  • Token Cracking – Token Cracking is used to identify token codes such as coupon numbers and voucher codes, sometimes via brute force, to gain cash, credit, or discounts, for instance.Some of the most common symptoms of token cracking activity can be multiple failed token attempts from the same user or IP address or user agent or device ID/fingerprint or a high frequency of failed token attempts.
  • Inventory Exhaustion – Automated bots are used to select and hold items from a limited inventory or stock, but which are never actually bought, or paid for, or confirmed, such that other users are unable to purchase/pay/confirm the items themselves.Some of the most evident signs of inventory exhaustion can be a quick reduction in inventory balance, an increase in stock held in baskets or reservations or elevated basket abandonment.

Most companies still have little or no control or even visibility over malicious bot website traffic. Fortunately, OWASP and the massive online community of online web security have kept pace and are now providing improved bot protection knowledge and solutions. At InfiSecure, we take pride in stopping all OWASP Top Automated Threats to Web and APIs.

Melissa Thompson writes about a wide range of topics, revealing interesting things we didn’t know before. She is a freelance USA Today producer, and a Technorati contributor.