OWASP Automated Threats to Web Applications

This OWASP project focuses on identifying automated threats that target web applications and recommending security controls and best practices to mitigate their risks.

The goal of the OWASP (Open Worldwide Application Security Project) Automated Threats to Web Applications Project is to provide a comprehensive and standardized understanding of the various automated threats that web applications commonly face. These automated attacks increasingly target mobile apps and APIs. The project brings together research and analysis of real-world automated attacks against web applications to produce documentation to help operators defend against these threats. 

What Are Automated Threats?

Automated threats refer to malicious attacks performed by bots, scripts, or hacker toolkits rather than by humans who manually interact with the web application. These threats can exploit inherent vulnerabilities in web applications and APIs, leading to security breaches, data theft, account takeover, fraud, and other harmful consequences.

While it is not a vulnerability to have a shopping cart in your application, the business logic that adds items to a shopping cart can still be targeted and manipulated by automation, resulting in inventory hoarding.

The project has created a catalog or taxonomy of different automated threats targeting web applications. By identifying and categorizing these threats, developers, security professionals, and organizations can gain a deeper understanding of the risks they face and the potential impact on their systems. For each automated threat, the project also recommends effective countermeasures and best practices to mitigate the risks. By raising awareness of these threats, OWASP aims to encourage proactive security measures and improve the overall security posture of web applications.

Because many automated threats rely on bots, it is useful to distinguish between bot management and bot mitigation. Bot management refers to the strategies and practices used to handle bots that interact with web applications. The goal of bot management is not solely to block or mitigate bots but also to differentiate between legitimate bot traffic (for instance, search engine crawlers) and malicious bots. Bot mitigation specifically focuses on the process of reducing or eliminating the impact of malicious bots on web applications. It involves implementing defensive measures to prevent bots from successfully performing harmful actions or attacks that can lead to account takeover (ATO) and fraud.

The OWASP List of Automated Threats to Web Applications

Here is the list of automated threats identified and compiled by the OWASP Automated Threats to Web Applications Project.

  1. Account aggregation. The goal of these attacks is to harvest user account credentials from multiple sites or platforms, often for malicious purposes such as identity theft, financial fraud, or unauthorized access to sensitive information. Account aggregation attacks are performed using automated bots or scripts that mimic human interactions with various web services or applications. 
  2. Account creation. These attacks involve malicious actors using automated scripts or bots to create large numbers of fake user accounts on a platform or website. Attackers can use these fake accounts to flood the platform with spam content, advertisements, or malicious links, causing disruption and annoyance to legitimate users. Fake accounts can also be used to manipulate public sentiment and reviews/ratings on a website or application or impersonate real users or public figures to spread misinformation or cause reputational damage. This threat can also result in new account opening fraud, also referred to as first-party fraud, and has ramifications across the entire digital world.
  3. Ad fraud. Also known as click fraud, this threat involves deceptive activities to falsify the number of interactions with online advertisements, such as clicks or impressions. These fraudulent actions are typically performed through automated bots or scripts and aim to generate revenue for the fraudsters or manipulate advertising performance metrics. 
  4. CAPTCHA defeat. This threat uses automated techniques to bypass or circumvent CAPTCHA challenges and is a significant concern for web application security, as it allows malicious actors to bypass a common defense against bots. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security control used to distinguish between human users and automated bots or scripts. Attackers can use image recognition software to solve visual CAPTCHAs and deploy machine learning algorithms to solve aural and puzzle CAPTCHAs. In some cases, attackers employ human CAPTCHA solvers who manually solve CAPTCHAs in real time. While a commonly used security control, CAPTCHA can be bypassed and inserts friction into the customer experience for legitimate users, which can lead to transaction and revenue abandonment.
  5. Card cracking. This is an automated type of cybercrime that involves guessing or cracking the security features of a payment card, such as the card number, expiration date, and security code (CVV/CVC). Card cracking typically employs brute-force attacks, where automated bots or scripts systematically try numerous combinations of card details until they find a combination that matches a valid card. Once valid card details are identified, they can be used for various illegal activities, such as making unauthorized purchases or committing financial fraud. The attacker may grab a few unloaded physical gift cards from a physical store to see if the gift card issuer relied on sequential numbering patterns. 
  6. Carding. This form of automated cybercrime involves the unauthorized use of stolen payment card information to make fraudulent transactions or purchases. Criminals use automated bots or scripts to test the stolen credit or debit card details on various websites or applications to identify those that accept the stolen information. Once the automated bots identify vulnerable targets, they use the stolen card information to make fraudulent purchases, often for high-value goods or digital services, or transfer the available value to other accounts.  
  7. Cashing out. This refers to the conversion of illiquid assets or virtual currency into real-world funds or tangible goods. This threat often follows successful attacks that result in the theft of valuable assets from online platforms or accounts. When attackers take control of user accounts on web applications or online platforms, they may use these accounts to cash out the account owner's assets, such as gift cards, loyalty points, or virtual currency. Bots are often used to facilitate cashing out as they allow cybercriminals to perform these fraudulent activities at scale and with efficiency. 
  8. Credential cracking. This threat is a type of brute-force attack that targets the login mechanisms of web applications, such as login pages, user account portals, or authentication APIs. The attacker uses automation to systematically try common combinations of usernames and passwords until they find one that grants unauthorized access to a user account. This allows the attacker to carry out malicious activities, such as identity theft, financial fraud, or other unauthorized actions.
  9. Credential stuffing. One of the most common forms of web application threats, credential stuffing results when cybercriminals obtain lists of username/password pairs, often purchased on the dark web, and attempt to use each credential pair to gain access to other login-protected accounts. Because many people reuse usernames and passwords, these attacks (also called account takeover) can be remarkably effective, allowing criminals to take control of user accounts to steal assets or commit third-party fraud.
  10. Denial of inventory. This attack results when attackers take e-commerce merchandise out of circulation by using bots to add large numbers of items to a shopping cart, without proceeding to checkout to purchase them. This situation prevents other shoppers from buying the merchandise because the system registers a stock-out condition, and also denies the vendor the sale because the purchase is never completed. A variation of this automated threat results when bots are used to make reservations or place holds for hotel rooms, restaurant tables, or airline seats without completing the payment. 
  11. Denial of Service (DoS) and Distributed Denial of Service (DDoS). These attacks are malicious attempts to disrupt the normal functioning of a target system or network, making it unavailable to legitimate users. In a DDoS attack, the attacker overwhelms the target with a massive volume of traffic or resource requests, causing server overloads and rendering the service inaccessible. These attacks can be carried out using various methods, such as flooding the target with packets or sending specially crafted requests. DoS and DDoS attacks are similar, but with DDoS, the attack involves multiple sources, usually coordinated through botnets, which are a network of compromised computers or devices under the control of the attacker. The attacker coordinates these multiple sources to simultaneously launch the attack against the target. By leveraging the combined resources of the botnet, the attacker can generate a massive amount of traffic or requests, overwhelming the target system’s capacity and causing a denial of service. These attacks can overwhelm firewall state tables, CPU resources, and infrastructure bandwidth. A DoS attack can be executed with a single, well-crafted request to a web application, for example, a complex SQL query that results in high CPU and performance degradation.
  12. Expediting. This threat involves using automated bots or scripts to rapidly complete a series of application processes, bypassing normal restrictions or checks in place. By automating processes, attackers or malicious users can gain an unfair advantage over other legitimate users. This activity is often associated with deceit and can result in losses for other parties.  
  13. Fingerprinting. Threat actors use fingerprinting as an information-gathering technique to collect and analyze unique characteristics or attributes of a user’s web browser or device to create a distinctive “fingerprint.” This allows threat actors to identify and track individual users across different websites and online platforms, or to profile and subsequently attack an application. 
  14. Footprinting. This is not an automated threat in and of itself, but rather a preliminary phase of a hacking process or reconnaissance. Footprinting involves using bots or scripts to gather information about a target web application’s composition, configuration, and security mechanisms, allowing attackers to better plan subsequent attacks, such as launching targeted exploits to gain unauthorized access or exploit specific vulnerabilities.
  15. Scalping or inventory hoarding. This is a form of purchase automation in which attackers use bots to purchase large quantities of limited-inventory goods or services the moment they go on sale online (think concert tickets and limited-edition sneakers). By completing the checkout process instantaneously, criminals gain mass control of valuable inventory, which is usually resold on secondary markets at a significant mark-up, leading to artificial scarcity, denial of inventory, and consumer frustration.  
  16. Scraping. Although not inherently malicious, scraping is the automated process of extracting data from websites or web applications. Scraping becomes an automated threat when used for unauthorized or malicious purposes, such as when bots are used to collect content from a target website to analyze, reuse, or engage in price manipulation, especially in competitive markets. Scraping also can impact site performance and prevent legitimate users from accessing a site. 
  17. Skewing. This results when malicious actors repetitively click, request, or submit content on a web application, intentionally affecting application-based metrics such as counts, likes, impressions, poll results, frequency, or rates. Skewing can be carried out using automated bots that mimic human behavior to generate artificial interactions with the web application. The goal of skewing is to manipulate and distort the data generated by application-based metrics, leading to inaccurate or misleading results. 
  18. Sniping. This is a type of malicious activity that involves using automated bots or scripts to gain a competitive advantage in online auctions, sales, or reservation systems. The term “sniping” is commonly used in the context of timed events or limited availability items where speed and precise timing play a crucial role, leaving insufficient time for another user to bid or make an offer. Sniping allows attackers to gain a competitive advantage over human users who are manually participating in the event, as bots can execute actions faster and with more accuracy. 
  19. Spamming. This refers to malicious content or questionable information distributed by bots that appears in public or private content, databases, or user messages on web applications. The malicious content can include malware, IFRAME popups, photographs, videos, advertisements, and tracking/surveillance code. Attackers also use spamming to add phony comments to forums and other messaging apps to falsify information or distribute malware. 
  20. Token cracking. This automated attack is the result of criminals performing mass enumeration of coupon numbers, voucher codes, and discount tokens. The benefit received may be a discount, a cash alternative, a credit, or access to a special offer.
  21. Vulnerability scanning. This threat refers to using automated tools or scripts to identify and exploit vulnerabilities in web applications. Unlike legitimate vulnerability scanning, which aims to identify weaknesses for the purpose of improving security, vulnerability scanning as an automated threat is carried out with malicious intent to compromise the application’s security. Criminals use automated scanning tools or scripts to systematically scan applications exposed on the Internet, typically immediately after a vulnerability is disclosed. Once vulnerabilities are identified, criminals attempt to exploit them to gain unauthorized access to the application, sensitive data, or the underlying server infrastructure.
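
The credential cracking and credential stuffing entries above differ in shape rather than in tooling: cracking concentrates many attempts on few accounts, stuffing spreads one attempt across many accounts. The following Python is an added example (not code from the OWASP project or from F5) showing how a defender can tell the two apart from ordinary authentication logs. The event format, the sample events and the two thresholds (MIN_FAILURES, STUFFING_RATIO) are all constructed for the example; a real deployment would tune the thresholds against its own traffic and would key on more than a source IP, since stuffing campaigns rotate through proxies.

```python
"""Heuristic classifier separating credential stuffing from credential cracking.

Added example, not part of the OWASP catalog or any F5 product. Input events
are (source_ip, username, outcome) tuples as they might be derived from an
authentication log; passwords themselves are never recorded.
"""
from collections import defaultdict

MIN_FAILURES = 5       # constructed: below this a source is treated as user error
STUFFING_RATIO = 0.8   # constructed: distinct usernames / failures at or above this => stuffing

# Constructed sample log. Outcome is "fail" or "success".
SAMPLE_EVENTS = [
    # 198.51.100.7 hammers one account with different passwords (cracking pattern).
    *([("198.51.100.7", "alice", "fail")] * 9),
    ("198.51.100.7", "alice", "success"),
    # 203.0.113.9 replays a breached list: each username once, rare success (stuffing pattern).
    *[("203.0.113.9", f"user{i:02d}", "fail") for i in range(12)],
    ("203.0.113.9", "user13", "success"),
    # 192.0.2.44 is a person who mistyped twice, then logged in.
    ("192.0.2.44", "bob", "fail"),
    ("192.0.2.44", "bob", "fail"),
    ("192.0.2.44", "bob", "success"),
]


def summarize(events):
    """Aggregate, per source, the counters the heuristic needs."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0, "failed_users": set()})
    for source, username, outcome in events:
        entry = stats[source]
        if outcome == "fail":
            entry["failures"] += 1
            entry["failed_users"].add(username)
        else:
            entry["successes"] += 1
    return stats


def classify(events, min_failures=MIN_FAILURES, stuffing_ratio=STUFFING_RATIO):
    """Return {source_ip: label}, label in {benign, credential_cracking, credential_stuffing}.

    Sources with few failures are left alone. Above the threshold, the ratio of
    distinct usernames to failed attempts separates one-account/many-passwords
    (cracking) from many-accounts/one-password-each (stuffing).
    """
    labels = {}
    for source, entry in summarize(events).items():
        if entry["failures"] < min_failures:
            labels[source] = "benign"
            continue
        ratio = len(entry["failed_users"]) / entry["failures"]
        labels[source] = "credential_stuffing" if ratio >= stuffing_ratio else "credential_cracking"
    return labels


if __name__ == "__main__":
    for source, label in classify(SAMPLE_EVENTS).items():
        print(f"{source:15} {label}")
```

The response differs by label: a cracking source is best answered by per-account lockout or step-up authentication on the targeted account, while a stuffing source calls for source-level throttling and a check of the attempted usernames against known breach lists, because each account is touched only once and per-account lockout never triggers.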

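The denial of inventory entry above hinges on one design choice: a cart addition that reserves stock indefinitely lets an abandoned bot cart block a sale forever. The Python below is an added example (not code from the OWASP project or from F5) of the usual mitigation: cart additions become holds that expire after HOLD_SECONDS, and one actor may hold at most MAX_PER_ACTOR units. Both constants, the Inventory class and its methods are constructed for the example; time is passed in explicitly so the behaviour is deterministic.

```python
"""Inventory ledger with expiring cart holds and a per-actor cap.

Added example, not code from the OWASP project or from F5. A hold is what a
cart addition creates; it counts against available stock only until it expires
or is checked out, so abandoned carts release inventory automatically.
"""
from dataclasses import dataclass, field

HOLD_SECONDS = 600   # constructed: how long a cart addition reserves stock
MAX_PER_ACTOR = 4    # constructed: cap on units one session/account may hold


@dataclass
class Hold:
    actor: str
    qty: int
    expires_at: float


@dataclass
class Sku:
    stock: int                                  # units not yet sold
    holds: list = field(default_factory=list)   # live and not-yet-swept holds


class Inventory:
    """Stock ledger in which cart additions are time-limited holds."""

    def __init__(self, hold_seconds=HOLD_SECONDS, max_per_actor=MAX_PER_ACTOR):
        self.hold_seconds = hold_seconds
        self.max_per_actor = max_per_actor
        self.skus = {}

    def add_sku(self, sku, stock):
        self.skus[sku] = Sku(stock=stock)

    def _live_holds(self, sku, now):
        """Sweep expired holds for this SKU and return the ones still in force."""
        item = self.skus[sku]
        item.holds = [h for h in item.holds if h.expires_at > now]
        return item.holds

    def available(self, sku, now):
        """Units that can still be added to a cart right now."""
        held = sum(h.qty for h in self._live_holds(sku, now))
        return self.skus[sku].stock - held

    def actor_held(self, sku, actor, now):
        return sum(h.qty for h in self._live_holds(sku, now) if h.actor == actor)

    def reserve(self, sku, actor, qty, now):
        """Add qty units to actor's cart as a hold; False if capped or sold out."""
        if qty <= 0:
            return False
        if self.actor_held(sku, actor, now) + qty > self.max_per_actor:
            return False                       # per-actor cap limits hoarding
        if self.available(sku, now) < qty:
            return False                       # honest stock-out
        self.skus[sku].holds.append(Hold(actor, qty, now + self.hold_seconds))
        return True

    def checkout(self, sku, actor, now):
        """Convert actor's live holds into a sale; returns units purchased."""
        item = self.skus[sku]
        live = self._live_holds(sku, now)
        mine = [h for h in live if h.actor == actor]
        qty = sum(h.qty for h in mine)
        item.holds = [h for h in live if h.actor != actor]
        item.stock -= qty
        return qty


if __name__ == "__main__":
    inv = Inventory()
    inv.add_sku("sneaker", 10)
    print("bot asks for all 10:", inv.reserve("sneaker", "bot1", 10, now=0))
    print("bot takes 4:", inv.reserve("sneaker", "bot1", 4, now=0))
    print("available after bot's hold expires:", inv.available("sneaker", now=650))
```

The same ledger also bounds the scalping and sniping entries above only partially: a cap and a timeout stop one session from hoarding, but a bot fleet spreading purchases across many sessions needs bot detection in front of the cart, which is the reason the page separates bot management from the application-level control.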
The Case for Integrated Security Controls

F5 Addresses OWASP Security Risks

F5 supports the OWASP Foundation and its dedication to improving software security and raising awareness of web application security risks and vulnerabilities at multiple levels. Indeed, there are security risks common to both web apps and APIs that bear consideration when implementing security solutions. For example: 

  • Weak authentication/authorization controls
  • Misconfiguration
  • Business logic abuse (credential stuffing, account takeover)
  • Server-side request forgery (SSRF)

F5 offers solutions to address the risks outlined in OWASP’s Automated Threats to Web Applications Project. F5 Distributed Cloud Bot Defense prevents fraud and abuse that can bypass existing bot management solutions and provides real-time monitoring and intelligence as well as ML-based retrospective analysis to protect organizations from automated attacks, without inserting user friction or disrupting the customer experience. Distributed Cloud Bot Defense maintains effectiveness regardless of how attackers retool, whether the attacks pivot from web apps to APIs or attempt to bypass anti-automation defenses by spoofing telemetry or using human CAPTCHA solvers. F5 Bot Management solutions provide flexible insertion points from application proxies, platforms, and Content Delivery Networks (CDNs).

F5 Web Application Firewall solutions also block and mitigate a broad spectrum of risks identified in the OWASP Top 10, a widely recognized list of the most critical web application security risks. F5 WAF solutions combine signature and behavioral protections, including threat intelligence from F5 Labs and ML-based security, to keep pace with emerging threats. They ease the burden and complexity of consistently securing applications across clouds, on-premises, and edge environments, while simplifying management via a centralized SaaS infrastructure. F5 WAFs also streamline app security by integrating protections into development frameworks and CI/CD pipelines with core security functionality, centralized orchestration, and oversight via a single dashboard with a 360-degree view of app performance and security events across distributed applications. A WAF integrated with specialized bot defense provides a robust solution for mitigating top security risks, including vulnerability exploits and automated threats.

F5 addresses the risks identified in the OWASP API Security Top 10 with solutions that protect the growing attack surface against emerging threats as apps evolve and API deployments increase. F5 Web Application and API Protection (WAAP) solutions defend the entirety of the modern app attack surface with comprehensive protections that include WAF, API security, L3-L7 DDoS mitigation, and bot defense against automated threats and resulting fraud. The distributed platform makes it simple to deploy consistent policies and scale security across your entire estate of apps and APIs regardless of where they’re hosted, and integrates protections into the API lifecycle and broader security ecosystems.

F5 also offers multi-tiered DDoS protection for advanced online security as a managed, cloud-delivered mitigation service that detects and mitigates large-scale network, protocol, and application-targeted attacks in real time; the same protections are available as on-premises hardware, software, and hybrid solutions as well. F5 Distributed Cloud DDoS Mitigation defends against volumetric and application-specific layer 3-4 and advanced layer 7 attacks before they reach your network infrastructure and applications.