The OWASP Automated Threat Handbook describes how to protect web applications from automated threats: abuse carried out with automated tools (bots) that exhausts resources or inventory, misuses application logic, leaves "abandoned baskets", generates incomplete transactions, and so on.
Beyond the classic web application vulnerabilities catalogued in the OWASP Top 10, an attacker has many opportunities to destabilise a web application or to manipulate its functionality in order to disrupt its operation. One example of such manipulation is creating many "incomplete" orders that tie up the reserved stock of an online store, leaving legitimate users unable to place an order.
These threats also include so-called bot attacks, that is, automated attacks aimed at:
Excessive use of functionality can look like a denial of service (DoS), although in fact DoS is a side effect rather than the goal.
The threats fall into several types and are listed below alphabetically by name. For clarity I use the original OAT name and an adapted description of each threat.
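The abandoned-order scenario above is a Denial of Inventory in OWASP terms. The following is an added example, not code from the original article or from the OWASP project: it contrasts a naive store that reserves stock permanently as soon as an item is added to a cart with a hardened store that gives each hold a TTL and caps the number of live holds per account, so abandoned carts hand the stock back instead of exhausting it. Timestamps are plain floats in seconds and all class, method and account names are hypothetical.

```python
"""
Time-boxed inventory holds against Denial of Inventory (OAT-021).

Added illustration, not code from the original article or the OWASP project.
Timestamps are plain floats (seconds); class and field names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Hold:
    account: str
    qty: int
    expires_at: float  # the hold is void at or after this time


class NaiveStore:
    """Vulnerable: adding to a cart permanently removes stock, even if the
    order is never paid for, so a bot with many abandoned carts drains it."""

    def __init__(self, stock: int):
        self.stock = stock

    def add_to_cart(self, account: str, qty: int) -> bool:
        if qty > self.stock:
            return False
        self.stock -= qty
        return True


class HardenedStore:
    """Stock is committed only at checkout. Add-to-cart creates a hold that
    expires after hold_ttl seconds, and one account may keep at most
    max_holds_per_account live holds at a time."""

    def __init__(self, stock: int, hold_ttl: float = 600.0,
                 max_holds_per_account: int = 2):
        self.stock = stock
        self.hold_ttl = hold_ttl
        self.max_holds = max_holds_per_account
        self.holds: list[Hold] = []

    def _expire(self, now: float) -> None:
        self.holds = [h for h in self.holds if h.expires_at > now]

    def available(self, now: float) -> int:
        self._expire(now)
        return self.stock - sum(h.qty for h in self.holds)

    def add_to_cart(self, account: str, qty: int, now: float) -> bool:
        self._expire(now)
        live = sum(1 for h in self.holds if h.account == account)
        if live >= self.max_holds or qty > self.available(now):
            return False
        self.holds.append(Hold(account, qty, now + self.hold_ttl))
        return True

    def checkout(self, account: str, now: float) -> bool:
        """Convert the account's live holds into a committed sale."""
        self._expire(now)
        mine = [h for h in self.holds if h.account == account]
        if not mine:
            return False  # holds already expired: items must be re-added
        self.stock -= sum(h.qty for h in mine)
        self.holds = [h for h in self.holds if h.account != account]
        return True


def demo_naive() -> bool:
    """20 throwaway accounts park 5 units each and never pay; a real
    customer then cannot buy a single unit. Returns False."""
    store = NaiveStore(stock=100)
    for i in range(20):
        store.add_to_cart(f"bot{i}", 5)
    return store.add_to_cart("alice", 1)


def demo_per_account_cap() -> list[bool]:
    """A third simultaneous hold from one account is refused: [True, True, False]."""
    store = HardenedStore(stock=100, max_holds_per_account=2)
    return [store.add_to_cart("bot0", 1, now=0.0) for _ in range(3)]


def demo_hardened() -> tuple[bool, bool, int]:
    """Same 20-account attack against the hardened store: the customer is
    blocked only while the holds are live, buys once they expire, and her
    checkout commits the sale. Returns (False, True, 99)."""
    store = HardenedStore(stock=100, hold_ttl=600.0, max_holds_per_account=2)
    for i in range(20):
        store.add_to_cart(f"bot{i}", 5, now=0.0)
    blocked_during_hold = store.add_to_cart("alice", 1, now=100.0)
    ok_after_ttl = store.add_to_cart("alice", 1, now=700.0)
    store.checkout("alice", now=750.0)
    return blocked_during_hold, ok_after_ttl, store.stock


if __name__ == "__main__":
    print("naive store, legit add-to-cart after bot flood:", demo_naive())
    print("hardened store, per-account cap:", demo_per_account_cap())
    print("hardened store (blocked, ok after TTL, stock):", demo_hardened())
```

The TTL alone limits how long a flood of fake carts can starve real customers; the per-account cap forces the attacker to spread the attack over many accounts, which is exactly where Account Creation (OAT-019) controls and the per-source analysis discussed later in the article become useful.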
OAT | Description |
---|---|
OAT-020 Account Aggregation | An intermediary application collects multiple accounts and interacts with the target application on their behalf. |
OAT-019 Account Creation | Bulk creation of accounts for later misuse. |
OAT-003 Ad Fraud | Advertising fraud: generating false ad impressions and fraudulent clicks. |
OAT-009 CAPTCHA Defeat | Solving or bypassing CAPTCHA and other anti-automation tests. |
OAT-001 Carding | Verifying the validity of bulk stolen payment card data through multiple payment authorisation attempts. |
OAT-010 Card Cracking | Recovering the missing expiry date and security code (CVV) of a stolen payment card by trying different values. |
OAT-012 Cashing Out | Buying goods or withdrawing cash using validated stolen payment card data. |
OAT-007 Credential Cracking | Identifying valid login credentials by trying different values for usernames and/or passwords. |
OAT-008 Credential Stuffing | Mass login attempts used to verify the validity of stolen username/password pairs. |
OAT-021 Denial of Inventory | Depleting the stock of goods or services through multiple "abandoned" or fake orders that are never completed. |
OAT-015 Denial of Service | Exhausting application server or DBMS resources, for example by generating many reports or "heavy" database queries. |
OAT-006 Expediting | Hastening actions that are normally slow, tedious or time-consuming. |
OAT-004 Fingerprinting | Identifying the types and versions of the server-side software and frameworks. |
OAT-018 Footprinting | Probing the web application to identify its constituent parts and properties. |
OAT-005 Scalping | Obtaining limited-availability goods or services by manipulating the web application's logic. |
OAT-011 Scraping | Collecting web application content and data for use in third-party applications. |
OAT-016 Skewing | Repeated form submissions, clicks or page requests intended to alter some metric. |
OAT-013 Sniping | Manipulating the application's logic to place the "last winning bid" at the final moment. |
OAT-017 Spamming | Adding malicious or junk content to public or private content, databases or user messages. |
OAT-002 Token Cracking | Discovering valid or predictable token values (coupons, vouchers, discount codes) by mass enumeration. |
OAT-014 Vulnerability Scanning | Automated crawling and fuzzing of the web application to identify weaknesses and potential vulnerabilities. |
Each threat in the handbook is also cross-referenced to the WASC Threat Classification and the MITRE CAPEC catalogue.
When looking for these threats, attention should be paid not only to individual events but also to multi-step and repeated interactions with the web application.
Most of these threats resemble the actions of legitimate users, and only a thorough, in-depth analysis that takes into account both the timing of repeated actions and the volume of events can distinguish abuse and manipulation from normal use. Events related to automated threats may affect not only the web application itself but also the third-party services it depends on.
Some of these threats can be detected and mitigated with anomaly-analysis tools, machine learning and artificial intelligence, models of legitimate user behaviour, and similar techniques.
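To make the timing-and-volume point concrete, here is an added example that is not part of the original article or the OWASP project. It runs a simple rule over constructed web-server log lines and labels a source as Credential Stuffing (OAT-008) or Credential Cracking (OAT-007) only when its failed logins reach a threshold inside a sliding time window; one request at a time, both look like an ordinary user mistyping a password. The log format (timestamp, source IP, method, path, status, `user=`) and all IPs, usernames and thresholds are assumptions made for the illustration.

```python
"""
Rate- and diversity-based detection of automated login abuse from web logs.

Added example, not code from the original article or the OWASP project.
The log lines are constructed for this illustration and the line format
(timestamp, source IP, method, path, status, user=...) is hypothetical.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class LoginEvent:
    ts: datetime
    src: str
    path: str
    status: int
    user: str


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line, e.g.
    '2024-03-01T10:00:00Z 203.0.113.7 POST /login 401 user=alice'."""
    ts, src, _method, path, status, user_field = line.split()
    return LoginEvent(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        src=src, path=path, status=int(status),
        user=user_field.split("=", 1)[1],
    )


def classify_sources(lines, window=timedelta(minutes=5), min_attempts=20,
                     min_failure_ratio=0.8, distinct_user_ratio=0.5) -> dict[str, str]:
    """Return {source_ip: OAT label} for sources whose /login traffic in some
    `window` reaches `min_attempts` with a failure ratio >= min_failure_ratio.
    Many distinct usernames -> stuffing (stolen pairs tried once each);
    few usernames hammered repeatedly -> cracking (guessing passwords)."""
    by_src: dict[str, list[LoginEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.path == "/login":
            by_src[ev.src].append(ev)

    findings: dict[str, str] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # slide `start` forward so evs[start:end+1] spans at most `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            failures = sum(1 for e in win if e.status != 200)
            if failures / len(win) < min_failure_ratio:
                continue
            distinct = len({e.user for e in win}) / len(win)
            findings[src] = ("OAT-008 Credential Stuffing"
                             if distinct >= distinct_user_ratio
                             else "OAT-007 Credential Cracking")
            break  # one verdict per source is enough
    return findings


def constructed_log() -> list[str]:
    """Synthetic traffic: one stuffing source, one cracking source, and a
    user who mistypes a password twice before logging in successfully."""
    t0 = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset_s: int, src: str, status: int, user: str) -> str:
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} {src} POST /login {status} user={user}"

    lines = [line(i, "203.0.113.7", 401, f"user{i:03d}") for i in range(30)]
    lines += [line(2 * i, "198.51.100.9", 401, "admin") for i in range(25)]
    lines += [line(5, "192.0.2.5", 401, "alice"),
              line(40, "192.0.2.5", 401, "alice"),
              line(70, "192.0.2.5", 200, "alice")]
    return lines


if __name__ == "__main__":
    for src, label in sorted(classify_sources(constructed_log()).items()):
        print(f"{src:<14} {label}")
```

The thresholds are deliberately crude; in practice the per-source key would also include the session, device fingerprint or ASN, because a stuffing campaign spread across a proxy pool stays below any single-IP threshold, which is why the article stresses scale and timing over individual events.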
Project Page: OWASP Automated Threats
Source: https://habr.com/ru/post/349700/