This OWASP project focuses on identifying automated threats that target web applications and recommending security controls and best practices to mitigate their risks.
The goal of the OWASP (Open Worldwide Application Security Project) Automated Threats to Web Applications Project is to provide a comprehensive and standardized understanding of the various automated threats that web applications commonly face. These automated attacks increasingly target mobile apps and APIs. The project brings together research and analysis of real-world automated attacks against web applications to produce documentation to help operators defend against these threats.
Automated threats refer to malicious attacks performed by bots, scripts, or hacker toolkits rather than by humans who manually interact with the web application. These threats can exploit inherent vulnerabilities in web applications and APIs, leading to security breaches, data theft, account takeover, fraud, and other harmful consequences.
While it is not a vulnerability to have a shopping cart in your application, the business logic to facilitate adding items to a shopping cart can also be targeted and manipulated by automations, resulting in inventory hoarding.
The project has created a catalog or taxonomy of different automated threats targeting web applications. By identifying and categorizing these threats, developers, security professionals, and organizations can gain a deeper understanding of the risks they face and the potential impact on their systems. For each automated threat, the project also recommends effective countermeasures and best practices to mitigate the risks. By raising awareness of these threats, OWASP aims to encourage proactive security measures and improve the overall security posture of web applications.
Because many automated threats rely on bots, it is useful to distinguish between bot management and bot mitigation. Bot management refers to the strategies and practices used to handle bots that interact with web applications. The goal of bot management is not solely to block or mitigate bots but also to differentiate between legitimate bot traffic (for instance, search engine crawlers) and malicious bots. Bot mitigation specifically focuses on the process of reducing or eliminating the impact of malicious bots on web applications. It involves implementing defensive measures to prevent bots from successfully performing harmful actions or attacks that can lead to account takeover (ATO) and fraud.
Here is the list of automated threats identified and compiled by the OWASP Automated Threats to Web Application Project.
F5 supports the OWASP Foundation and its dedication to improving software security and raising awareness of web application security risks and vulnerabilities at multiple levels. Indeed, there are security risks common to both web apps and APIs that bear consideration when implementing security solutions. For example:
F5 offers solutions to address the risks outlined in OWASP’s Automated Threats to Web Applications Project. F5 Distributed Cloud Bot Defense prevents fraud and abuse that can bypass existing bot management solutions and provides real-time monitoring and intelligence as well as ML-based retrospective analysis to protect organizations from automated attacks, without inserting user friction or disrupting the customer experience. Distributed Cloud Bot Defense maintains effectiveness regardless of how attackers retool, whether the attacks pivot from web apps to APIs or attempt to bypass anti-automation defenses by spoofing telemetry or using human CAPTCHA solvers. F5 Bot Management solutions provide flexible insertion points from application proxies, platforms, and Content Delivery Networks (CDNs).
F5 Web Application Firewall solutions also block and mitigate a broad spectrum of risks identified by OWASP Top 10, a widely recognized list of the most critical web application security risks. F5 WAF solutions combines signature and behavioral protections, including threat intelligence from F5 Labs and ML-based security, to keep pace with emerging threats. It eases the burden and complexity of consistently securing applications across clouds, on-premises, and edge environments, while simplifying management via a centralized SaaS infrastructure. F5 WAFs also streamline app security by integrating protections into development frameworks and CI/CD pipelines with core security functionality, centralized orchestration, and oversight via a single dashboard with a 360-degree view of app performance and security events across distributed applications. A WAF integrated with specialized bot defense provides a robust solution for mitigating top security risks including vulnerability exploits and automated threats.
F5 addresses the risks identified in the OWASP API Security Top 10 with solutions that protect the growing attack surface and emerging threats as apps evolve and API deployments increase. F5 Web Application and API Protection (WAAP) solutions defend the entirety of the modern app attack surface with comprehensive protections that include WAF, API Security, L3-L7 DDoS mitigation, and bot defense against automated threats and resulting fraud. The distributed platform makes it simple to deploy consistent policies and scale security across your entire estate of apps and APIs regardless of where they’re hosted, and integrates protections into the API lifecycle and broader security ecosystems.
F5 also offers multi-tiered DDoS protection for advanced online security as a managed, cloud-delivered mitigation service that detects and mitigates large-scale network, protocol, and application-targeted attacks in real time; the same protections are available as on-premises hardware, software, and hybrid solutions as well. F5 Distributed Cloud DDoS Mitigation defends against volumetric and application-specific layer 3-4 and advanced layer 7 attacks before they reach your network infrastructure and applications.
Bot Management Solutions ›