OWASP - User contributions [en]

OWASP Snakes and Ladders

2019-03-22T09:45:59Z

Clerkendweller: Added note about missing mailing list

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Snakes_and_ladders-header.png|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Snakes and Ladders==

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

== Editions==

''Web Applications''

In the board game for {{#switchtablink:Web Applications Edition|web applications}}, the virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013-2017). See also a [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping mapping between these two lists].

''Mobile Apps''

The identical board game for {{#switchtablink:Mobile Apps Edition|mobile apps}} uses mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) as the virtuous behaviours and mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014 from the same project) as the vices.

== Background ==

This board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached.

Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 [https://en.wikipedia.org/wiki/Paper_size paper size] 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away.

==Licensing==

OWASP Snakes and Ladders is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is This? ==

Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into [http://sandradodd.com/game/snakesandladders Great Britain from Asia] in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized ''print-your-own'' paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks.

==How to Play==

* The game is for 2-6 players.
* Firstly print the sheet out.
* Give each player a coloured counter (marker). To begin, each player should throw the die to determine who plays first; the highest can lead.
* Put all the players' counters onto the first square labelled “Start 1”.
* In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail.
* ''As a better alternative to enhance learning, either require the participants to discuss the risk/control when a player reaches each square, or only allow players to climb up a ladder after a quest about the control (e.g. simply describing the control, explain the risk (one example) the named control addresses and how the control (one example) could help prevent the named it''
*The first player to reach “100” at the top left wins. Give a prize.

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:katy.anton@owasp.org @]

== Related Projects ==

* [[OWASP Proactive Controls]]
* [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
* [[OWASP Mobile Security Project|OWASP Mobile Security]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Web Applications v1.0/v1.1
** [[media:OWASP-SnakesAndLadders-WebApplications-BR.pdf|BR]], [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]], [[media:OWASP-SnakesAndLadders-WebApplications-FR.pdf|FR]], [[media:OWASP-SnakesAndLadders-WebApplications-JA.pdf|JA]], [[media:OWASP-SnakesAndLadders-WebApplications-TR.pdf|TR]], [[media:OWASP-SnakesAndLadders-WebApplications-ZH.pdf|ZH]]
** {{#switchtablink:Web Applications Edition|More options...}}

* Mobile Apps v1.0
** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-MobileApps-JA.pdf|JA]]
** {{#switchtablink:Mobile Apps Edition|More options...}}

== News and Events ==
* [09 May 2018] Web Applications v1.20 released in EN
* [12 May 2017] Web Applications TR
* [30 Jun 2016] Free copies at OWASP AppSec EU Rome 2017
* [05 Jun 2016] Web Applications v1.10 released in EN
* [30 Dec 2015] Katy Anton becomes project co-leader
* [01 Dec 2015] Free copies at PHP North West user group
* [24 Nov 2015] Free copies at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [12 Oct 2015] Free copies at PHP Hampshire user group
* [29 Sep 2015] Web Application v1.0 released in PT-BR
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Dutch translation
* [11 May 2015] Lightning talk at the [http://tickets.digitalshoreditch.com/make/#session-53 Digital Shoreditch Festival]
* [04 Dec 2014] Free copies at [https://www.owasp.org/index.php/London OWASP London]
* [02 Dec 2014] Free copies at [https://www.owasp.org/index.php/Cambridge OWASP Cambridge]
* [02 Dec 2014] Mobile Apps JA
* [25 Nov 2014] Web Applications FR, JA and ZH
* [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES
* [31 Oct 2014] Mobile Apps v1.0 released in EN

== Twitter ==

[[File:OWASPSnakesWeb-profile-small.jpg|link=]]
Follow two mock games running on Twitter:
* [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb]
* [https://twitter.com/OWASPSnakesMob @OWASPSnakesMob]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Web Applications Edition =

== OWASP Snakes and Ladders - Web Applications ==

This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013-2017).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-web-de.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-BR.pdf BR: Português Brasileiro]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-DE.pdf DE: Deutsch]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-EN.pdf EN: English]
|-
| align="center" valign="top" | [[Image:Osn-webapp-BR.png|link=File:OWASP-SnakesAndLadders-WebApplications-BR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-DE.png|link=File:OWASP-SnakesAndLadders-WebApplications-DE.pdf]]
| align="center" valign="top" |[[Image:Osn-webapp-EN.png|link=File:OWASP-SnakesAndLadders-WebApplications-EN.pdf]]
|-
| align="center" valign="top" width="250" | Serpentes e Escadas<br>Aplicativos da Web
| align="center" valign="top" width="250" | Schlangen und Leitern<br>Web Anwendungen
| align="center" valign="top" width="250" | Snakes and Ladders<br>Web Applications
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ES.pdf ES: Español]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-FR.pdf FR: Français]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-webapp-ES.png|link=File:OWASP-SnakesAndLadders-WebApplications-ES.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-FR.png|link=File:OWASP-SnakesAndLadders-WebApplications-FR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-JA.png|link=File:OWASP-SnakesAndLadders-WebApplications-JA.pdf]]
|-
| align="center" valign="top" width="250" | Serpientes y Escaleras<br>Aplicaciones Web
| align="center" valign="top" width="250" | Serpents et Échelles<br>Application Web
| align="center" valign="top" width="250" | 蛇とはしご<br>ウェブアプリケーション
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-TR.pdf TR: Türkçe]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf ZH: 中文]
| align="center" valign="top" |
|-
| align="center" valign="top" | [[Image:Osn-webapp-TR.png|link=File:OWASP-SnakesAndLadders-WebApplications-TR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-ZH.png|link=File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf]]
| align="center" valign="top" |
|-
| align="center" valign="top" width="250" | Yılanlar ve Merdivenler<br>Web Uygulamaları
| align="center" valign="top" width="250" | 蛇梯棋<br>WEB应用程序
| align="center" valign="top" width="250" |
|}

Note that some languages choose not to change the EN text for risk and control names.

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [09 May 2018] 1.2 - EN version updated
* [12 May 2017] 1.11 - TR version release
* [15 Jun 2016] 1.1 - EN version updated
* [29 Sep 2015] 1.0.2 - BR version release
* [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Classic' ==

This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:

* Green
* Yellow
* White
* Red
* Blue

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div>

The start square (1) is yellow and the final square (100) is red.

= Mobile Apps Edition =

== OWASP Snakes and Ladders - Mobile Apps ==

The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) and the vices (snakes) are mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-mob-ja.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-EN.pdf EN: English]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-mobapp-EN.png|link=File:OWASP-SnakesAndLadders-MobileApps-EN.pdf]]
| align="center" valign="top" | [[Image:Osn-mobapp-JA.png|link=File:OWASP-SnakesAndLadders-MobileApps-JA.pdf]]
|-
| align="center" valign="top" width="250" | Snakes and Ladders<br>Mobile Apps
| align="center" valign="top" width="250" | 蛇とはしご<br> モバイルアプリ版
|}

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Farringdon' ==

Other people's versions of Snakes and Ladders [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 use a wide variety of designs and colour schemes]. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:

* Purple (future <strike>Crossrail</strike> Elizabeth)
* Yellow (Circle)
* White (Thameslink)
* Maroon (Metropolitan)
* Pink (Hammersmith & City)

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div>

You can see these colours on [https://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf tube maps] and station signage. The start square (1) is yellow and the final square (100) is maroon.

=FAQs=

[[File:Snakesandladders-mockup.jpg|right|link=]]

==Why Snakes & Ladders? ==

The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.

Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.

Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.

==How was the game created?==
By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.

The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.

Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.

==How can I participate in your project?==
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the {{#switchtablink:Road Map_and Getting Involved|road map and getting involved section}}

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.

= Acknowledgements =

==Volunteers==
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Ziyahan Albeniz
* Kembolle Amilkar
* Katy Anton
* Manuel Lopez Arredondo
* Fabio Cerullo
* Álan Carlos B. Eufrázio
* Tobias Gondrom
* Martin Haslinger
* Yongliang He
* Manfred Hofmeier
* Cédric Messeguer
* Takanori Nakanowatari
* Marcos Vinícius Nunes de Arruda
* Riotaro Okada
* Gabriel Pedro S. Peres
* Alison S. Ribeiro
* Ivy Zhang
* Colin Watson

==Others==
* The project leaders and contributors to the referenced controls and risks:
** [[OWASP Proactive Controls]]
** [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
** [[OWASP Mobile Security Project|OWASP Mobile Security]]
* OWASP staff for helping to set up the project and support its ongoing activities.

= Road Map and Getting Involved =

Recently completed:
* Update web applications edition to Proactive Controls 2018 [EN recently completed]
* Translate into other languages [TR recently completed]
* Handouts at events

As of May 2018, the priorities are:
* Update as other referenced projects updated (e.g. Top Ten)

Other ideas are:

* Promote use of Snakes and Ladders
* Develop other boards

Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.

==Localization==
Are you fluent in another language? Can you help translate Snakes and Ladders into that language?

The project is on [https://crowdin.com/project/owasp-snakes-and-ladders Crowdin]

==Use and Promote the Board Game==
Please help raise awareness of Snakes and Ladders:
* Use the game with your colleagues, friends, families, students and children
* Create video about how to play the game
* Develop a multi-user mobile app or web application to play the game

==Feedback==
'''22 Mar 2019 - awaiting setup of mailing list replacement'''

Please use the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders project mailing list] for feedback:
* How did you use it?
* What is people's reaction?
* What do like?
* What don't you like?
* What doesn't make sense?
* How could the guidance be improved?
* What other boards would you like to see?

==Create a Board==
Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders mailing list].


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-EG-1]]

OWASP Automated Threats to Web Applications

2019-03-11T21:36:52Z

Clerkendweller: Mailing list

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined more fully in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Not another vulnerability list
* Not an OWASP Top N List
* Not threat modelling
* Not attack trees
* Not non web
* Not non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The A-Z list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
[[OAT-020 Account Aggregation]]
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
[[OAT-019 Account Creation]]
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
[[OAT-003 Ad Fraud]]
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
[[OAT-009 CAPTCHA Defeat]]
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
[[OAT-010 Card Cracking]]
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
[[OAT-001 Carding]]
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
[[OAT-012 Cashing Out]]
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
[[OAT-007 Credential Cracking]]
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
[[OAT-008 Credential Stuffing]]
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
[[OAT-021 Denial of Inventory]]
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
[[OAT-015 Denial of Service]]
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
[[OAT-006 Expediting]]
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
[[OAT-004 Fingerprinting]]
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
[[OAT-018 Footprinting]]
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
[[OAT-005 Scalping]]
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
[[OAT-011 Scraping]]
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
[[OAT-016 Skewing]]
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
[[OAT-013 Sniping]]
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
[[OAT-017 Spamming]]
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
[[OAT-002 Token Cracking]]
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
[[OAT-014 Vulnerability Scanning]]
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; But is it an OWASP Top N List?
: Again no, it's an ontology which currently contains 21 items but there may be more identified in the future. Also it is not an ordered list (like OWASP Top N lists) - the OAT identification numbers were randomly assigned, so the list is often written in alphabetical order to emphasize this.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://groups.google.com/a/owasp.org/forum/#!forum/automated-threats-project Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* <strike>Release v1.2 </strike> Done

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OWASP Cornucopia

2019-03-11T21:34:45Z

Clerkendweller: /* Feedback */ Mailing list

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [13 Jan 2018 v1.20 PT-BR released
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.2 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC] | [https://github.com/wagnerfusca/OWASP-Cornucopia-Translate-Cards---PT PT-BR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.1 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

See Márk Vinkovits leading a threat modelling [https://www.youtube.com/watch?v=9dVDqeO6y3A talk and group session] playing Cornucopia in the OWASP track @hacktivityconf 1510.

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* Martin Haslinger
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Wagner Voltz
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of July 2018, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into French (completed), German (in progress), Japanese, Portuguese (in progress), Spanish (in progress) and other languages (help needed please)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in non-EN languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://groups.google.com/a/owasp.org/forum/#!forum/cornucopia-project friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?

==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-07-27T09:55:13Z

Clerkendweller: /* Primary method */ Link to Márk Vinkovits video

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [13 Jan 2018 v1.20 PT-BR released
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.2 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC] | [https://github.com/wagnerfusca/OWASP-Cornucopia-Translate-Cards---PT PT-BR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.1 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

See Márk Vinkovits leading a threat modelling [https://www.youtube.com/watch?v=9dVDqeO6y3A talk and group session] playing Cornucopia in the OWASP track @hacktivityconf 1510.

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* Martin Haslinger
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Wagner Voltz
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of July 2018, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into French (completed), German (in progress), Japanese, Portuguese (in progress), Spanish (in progress) and other languages (help needed please)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in non-EN languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

File:OWASP-Cornucopia-Ecommerce Website.docx

2018-07-13T11:08:33Z

Clerkendweller: Clerkendweller uploaded a new version of File:OWASP-Cornucopia-Ecommerce Website.docx

OWASP Cornucopia - Ecommerce Website Edition

OWASP Cornucopia

2018-07-13T11:01:05Z

Clerkendweller: /* Volunteers */ Added Martin Haslinger

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [13 Jan 2018 v1.20 PT-BR released
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.2 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC] | [https://github.com/wagnerfusca/OWASP-Cornucopia-Translate-Cards---PT PT-BR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.1 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* Martin Haslinger
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Wagner Voltz
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of July 2018, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into French (completed), German (in progress), Japanese, Portuguese (in progress), Spanish (in progress) and other languages (help needed please)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in non-EN languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-07-13T10:26:38Z

Clerkendweller: Updated roadmap

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [13 Jan 2018 v1.20 PT-BR released
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.2 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC] | [https://github.com/wagnerfusca/OWASP-Cornucopia-Translate-Cards---PT PT-BR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.1 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Wagner Voltz
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of July 2018, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into French (completed), German (in progress), Japanese, Portuguese (in progress), Spanish (in progress) and other languages (help needed please)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in non-EN languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-07-13T10:07:42Z

Clerkendweller: /* News and Events */ PT-BR added

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [13 Jan 2018 v1.20 PT-BR released
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.2 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC] | [https://github.com/wagnerfusca/OWASP-Cornucopia-Translate-Cards---PT PT-BR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.1 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Wagner Voltz
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-07-13T10:04:10Z

Clerkendweller: /* Source files */ Link to PT-BR version

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.2 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC] | [https://github.com/wagnerfusca/OWASP-Cornucopia-Translate-Cards---PT PT-BR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.1 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Wagner Voltz
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-07-13T09:59:45Z

Clerkendweller: /* Volunteers */ Added Wagner Voltz

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Wagner Voltz
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-06-26T15:39:58Z

Clerkendweller: News updated / Roadmap updated

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [26 Jun 2018] v1.20 FR released
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2018 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Thomas Berson
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Franck Lacosta
* Mathias Lemaire
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* <strike>Translate into French</strike> done
* Translate into Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-06-26T15:35:56Z

Clerkendweller: /* Source files */ Updated current version print instructions

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be printed using the following methods:
# Download the free Adobe Illustrator files ([https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ EN]) and get them professionally printed
# Download and self-print the free document word-processing ([https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN], [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR]) or PDF ([https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN])
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2016 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* Translate into French (Started in June 2015 by [[User:SebastienGioria]] ) , Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-06-26T15:29:28Z

Clerkendweller: FR v1.20 added

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx EN DOC] | [https://github.com/grandtom/OWASP-Cornucopia-Translate-Cards---FR FR DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf EN PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be self-printed using the following methods:
# Download and self-print the free [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx word-processing document] or [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2016 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* Translate into French (Started in June 2015 by [[User:SebastienGioria]] ) , Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-05-14T11:10:44Z

Clerkendweller: /* Source files */ Removed wiki deck bullet from v1.20

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 EN (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be self-printed using the following methods:
# Download and self-print the free [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx word-processing document] or [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2016 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* Translate into French (Started in June 2015 by [[User:SebastienGioria]] ) , Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-05-14T11:09:49Z

Clerkendweller: /* The Card Decks */ Link to wiki deck

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP. Full [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]].

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 EN (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
** Wiki Deck - coming soon
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be self-printed using the following methods:
# Download and self-print the free [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx word-processing document] or [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2016 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* Translate into French (Started in June 2015 by [[User:SebastienGioria]] ) , Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-05-14T11:08:09Z

Clerkendweller: /* News and Events */ Printed decks

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP.

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [14 May 2018] Printed deck purchase details updated
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 EN (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
** Wiki Deck - coming soon
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be self-printed using the following methods:
# Download and self-print the free [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx word-processing document] or [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2016 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* Translate into French (Started in June 2015 by [[User:SebastienGioria]] ) , Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Cornucopia

2018-05-14T11:06:56Z

Clerkendweller:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cornucopia-header.jpg|link=]]</div>
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#Lab_Projects]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Cornucopia==
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.

==Introduction==
The idea behind Cornucopia is to help development teams, especially those using Agile methodologies, to identify application security requirements and develop security-based user stories. Although the idea had been waiting for enough time to progress it, the final motivation came when [http://www.safecode.org/ SAFECode] published its [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf Practical Security Stories and Security Tasks for Agile Development Environments] in July 2012.

The Microsoft SDL team had already published its super [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] (EoP) but that did not seem to address the most appropriate kind of issues that web application development teams mostly have to address. EoP is a great concept and game strategy, and was [http://blogs.msdn.com/b/sdl/archive/2010/03/02/announcing-elevation-of-privilege-the-threat-modeling-game.aspx published under] a [http://creativecommons.org/licenses/by/3.0/ Creative Commons Attribution License].
Cornucopia {{#switchtablink:Ecommerce Website Edition|Ecommerce Website Edition}} is based the concepts and game ideas in EoP, but those have been modified to be more relevant to the types of issues ecommerce website developers encounter. It attempts to introduce threat-modelling ideas into development teams that use Agile methodologies, or are more focused on web application weaknesses than other types of software vulnerabilities or are not familiar with STRIDE and DREAD.

==The Card Decks==

''Ecommerce Website Edition''

Instead of EoP’s STRIDE suits, Cornucopia suits were selected based on the structure of the [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide OWASP Secure Coding Practices - Quick Reference Guide] (SCP), but with additional consideration of sections in the [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard], the [https://www.owasp.org/index.php/OWASP_Testing_Project OWASP Testing Guide] and David Rook’s [http://www.securityninja.co.uk/secure-development/the-principles-place/ Principles of Secure Development]. These provided five suits, and a sixth called “Cornucopia” was created for everything else:

* Data validation and encoding
* Authentication
* Session management
* Authorization
* Cryptography
* Cornucopia

Each suit contains 13 cards (Ace, 2-10, Jack, Queen and King) but, unlike EoP, there are also two Joker cards. The content was mainly drawn from the SCP.

''Other Decks''

Future editions such as for mobile app development will use different sources of information and suits.

==Mappings==
The other driver for Cornucopia is to link the attacks with requirements and verification techniques. An initial aim had been to reference [http://cwe.mitre.org/ CWE] weakness IDs, but these proved too numerous, and instead it was decided to map each card to [http://capec.mitre.org/ CAPEC] software attack pattern IDs which themselves are mapped to CWEs, so the desired result is achieved.

Each card is also mapped to the 36 primary security stories in the [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode document], as well as to the OWASP [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide SCP v2], [https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf ASVS v3.0.1] and [https://www.owasp.org/index.php/OWASP_AppSensor_Project AppSensor] (application attack detection and response) to help teams create their own security-related stories for use in Agile processes.

==Licensing==
OWASP Cornucopia is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game] mentioned above, [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), [https://www.owasp.org/index.php/OWASP_Snakes_and_Ladders OWASP Snakes and Ladders], and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is Cornucopia? ==

OWASP Cornucopia is a card game used to help derive application security requirements during the software development life cycle. To start using Cornucopia:

* Download the document
* Print the cards onto plain paper or pre-scored card
* Cut/separate the individual cards
* Identify an application, module or component to assess
* Invite business owners, architects, developers, testers along for a card game
* Get those infosec folk to provide chocolate, pizza, beer, flowers or all four as prizes
* Select a portion of the deck to start with
* {{#switchtablink:How to Play|Play the game}} to discuss & document security requirements (and to win rounds)
* Remember, points make prizes!

Listen to the [http://trustedsoftwarealliance.com/2014/03/21/the-owasp-cornucopia-project-with-colin-watson/ OWASP 24/7 Podcast] about Cornucopia.

== Presentation ==

[[File:Cornucopia-presentation-small.jpg|link=media:Owaspnl-colinwatson-cornucopia.odp]]

The game rules are in the document download. But the OpenOffice [[media:Owasplondon-colinwatson-cornucopia.odp|project presentation]] includes an animated version of four demonstration rounds. The presentation is recorded [http://youtu.be/Q_LE-8xNXVk on video].

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Dariodf Darío De Filippis] [mailto:dariodefilippis@gmail.com @]

== Related Projects ==

* [[OWASP Secure Coding Practices - Quick Reference Guide]]
* [[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://youtu.be/i5Y0akWj31k How to Play] video
* [https://www.owasp.org/index.php/File:Cornucopia-scoresheet.pdf Scoresheet]
* {{#switchtablink:Get the Cards|All sources and downloads...}}

== Reference Files ==

* [https://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_Guide_v2.pdf OWASP SCP requirements]
* [https://www.owasp.org/images/5/58/OWASP_ASVS_Version_2.pdf OWASP ASVS verification IDs]
* [https://www.owasp.org/index.php/AppSensor_DetectionPoints OWASP AppSensor attack detection point IDs]
* [http://capec.mitre.org/data/archive/capec_v1.7.1.zip CAPEC IDs]
* [http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf SAFECode security-focused story IDs]

The OWASP SCP does not include identity values for the requirements, so please use [https://www.owasp.org/index.php/File:Owasp-requirements-numbering.zip this list].

== News and Events ==
* [23 Aug 2016] Presentation at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [29 Jun 2016] v1.20 released
* [21 Jan 2016] [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki Deck]] published
* [30 Dec 2015] Darío De Filippis becomes project co-leader
* [24 Sep 2015] [http://appsecusa2015.sched.org/event/7f3dba889c0ec9e37900e289c9660503#.VZ6aoXhflNY Lightning training] at AppSec USA 2015
* [01 Jun 2015] [https://youtu.be/i5Y0akWj31k How to Play video] published
* [20 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - How to play video
* [31 Mar 2015] v1.10 released
* [02 Mar 2015] Decks available from [https://www.owasp.org/index.php/OWASP_Merchandise#Cornucopia_Cards OWASP merchandise store]
* [18 Feb 2015] Project awarded Labs status

==PCIDSS==
[[File:Cornucopia-pcidss-ecommerce-guidelines-small.jpg|link=https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf]]

OWASP Cornucopia Ecommerce Website Edition is referenced in the current [https://www.pcisecuritystandards.org Payment Card Industry Security Standards Council] information supplement [https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf PCI DSS E-commerce Guidelines] v2, January 2013

==Classifications==

{| width="200" cellpadding="2"
|-
| rowspan="2" align="center" valign="top" width="50%" | [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Get the Cards =

==Printed==

[[File:Cornucopia-square-logo-350.jpg|right|link=]]

Professionally printed decks are available by two methods:
* Single decks or in bulk from OWASP (v1.20)
** As promotion items '''by OWASP Leaders''' from their own chapter budgets [https://docs.google.com/a/owasp.org/forms/d/e/1FAIpQLSez9mV97HuqvYhCldE2hYhX3UjQM1oO5bLy44HkOZSpni0OzQ/viewform?formkey=dF85bGtvdWdrd2JjYldNZ1gxSkJxaEE6MQ Chapter and Project Merchandise Request form]
** For other individuals, organisations and companies, please email [mailto:dawn.aitken@owasp.org dawn.aitken@owasp.org] with purchase enquiries
* Request a free deck of cards gifted by [http://blackfootuk.com/ Blackfoot UK Limited] or download their donated print-ready artwork:
** Request a free [http://blackfootuk.com/cornucopia/receive-a-set-of-cards/ pack of cards (v1.10)] (gifted by Blackfoot UK)

==Source files==

Cornucopia - Ecommerce Website Edition:
* v1.20 EN (current version)
** [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx DOC]
** [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
** Wiki Deck - coming soon
** [https://drive.google.com/open?id=0ByNJ8mfWALwjNXpQMUNBYnJsT2QyQ0lkb3VNX1BCM3JLNlBZ Print-Ready design files] 24Mb zip
* v1.10 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [[Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck|Wiki]]
** [https://drive.google.com/open?id=0ByNJ8mfWALwjb283ZE5GNmFMM2FGWGl2WC14aDJDQ0ZsNk00 Print-Ready design files] 24Mb zip
* v1.04 EN
** DOC - see current version link above for previous versions of DOC including with track changes
** PDF - see current version link above for previous versions of PDF
** [https://4ed64fe7f7e3f627b8d0-bc104063a9fe564c2d8a75b1e218477a.ssl.cf2.rackcdn.com/cornucopia-ecom-1v04-blackfoot.zip Print-Ready design files] (gifted by Blackfoot UK) 47Mb Zip

The current version of Cornucopia Ecommerce Website Edition cards (v1.20 with updated mapping to ASVS v3.0.1 and CAPEC v2.8, and has some minor text changes on the cards) can be self-printed using the following methods:
# Download and self-print the free [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx word-processing document] or [https://www.owasp.org/index.php/File:Owasp-cornucopia-ecommerce_website.pdf PDF]
## Print the document onto business card blank cards; or
## Print the document onto normal card and cut the cards out individually using the guide; or
# Generate your own cards from the free [https://www.owasp.org/index.php/File:Cornucopia-deck-ecommercewebsite-XML.zip source XML data file]

There are also other ways to obtain particular versions:
* Download the free [https://www.owasp.org/index.php/File:Owasp_cornucopia_printreadyimages.zip PDF (v1.03)] (gifted by Travelex)
** Have the cards commercially printed; or
** Import into your own files (such as [http://lists.owasp.org/pipermail/owasp_cornucopia/2014-January/000018.html this way] suggested by Cam Morris via the mailing list)

OWASP does not endorse or recommend commercial products or services.

==Twitter==

Collect/share/use the pseudo-random cards tweeted twice daily [https://twitter.com/OWASPCornucopia @OWASPCornucopia]

= How to Play =

[[File:Cornucopia-card-cornucopia-K.png|right|link=]]
[[File:Cornucopia-card-session-9.png|right|link=]]

It is possible to play Cornucopia in many different ways. Here is one way, and explained in a [https://youtu.be/i5Y0akWj31k YouTube video].

== Primary method ==

;A - Preparations
:A1. Obtain a deck, or print your own Cornucopia deck and separate/cut out the cards
:A2. Identify an application or application process to review; this might be a concept, design or an actual implementation
:A3. Create a data flow diagram
:A4. Identify and invite a group of 3-6 architects, developers, testers and other business stakeholders together and sit around a table (try to include someone fairly familiar with application security)
:A5. Have some prizes to hand (gold stars, chocolate, pizza, beer or flowers depending upon your office culture)
;B - Play
:One suit - Cornucopia - acts as trumps. Aces are high (i.e. they beat Kings). It helps if there is someone dedicated to documenting the results who is not playing.
:B1. Remove the Jokers and a few low-score (2, 3, 4) cards from Cornucopia suit to ensure each player will have the same number of cards
:B2. Shuffle the pack and deal all the cards
:B3. To begin, choose a player randomly who will play the first card - they can play any card from their hand except from the trump suit - Cornucopia
:B4. To play a card, each player must read it out aloud, and explain how (or not) the threat could apply (the player gets a point for attacks that work, and the group thinks it is an actionable bug) - don’t try to think of mitigations at this stage, and don’t exclude a threat just because it is believed it is already mitigated - someone record the card on the score sheet
:B5. Play clockwise, each person must play a card in the same way; if you have any card of the matching lead suit you must play one of those, otherwise they can play a card from any other suit. Only a higher card of the same suit, or the highest card in the trump suit Cornucopia, wins the hand.
:B6. The person who wins the round, leads the next round (i.e. they play first), and thus defines the next lead suit
:B7. Repeat until all the cards are played
;C - Scoring
:The objective is to identify applicable threats, and win hands (rounds):
:C1. Score +1 for each card you can identify as a valid threat to the application under consideration
:C2. Score +1 if you win a round
:C3. Once all cards have been played, whoever has the most points wins
;D - Closure
:D1. Review all the applicable threats and the matching security requirements
:D2. Create user stories, specifications and test cases as required for your development methodology

==Alternative game rules==

* If you are new to the game, remove the two Joker cards to begin with. Add the Joker cards back in once people become more familiar with the process. Apart from the “trumps card game” rules described above which are very similar to the EoP, the deck can also be played as the “twenty-one card game” (also known as “pontoon” or “blackjack”) which normally reduces the number of cards played in each round.
* Practice on an imaginary application, or even a future planned application, rather than trying to find fault with existing applications until the participants are happy with the usefulness of the game.
* Consider just playing with one suit to make a shorter session – but try to cover all the suits for every project. Or even better just play one hand with some pre-selected cards, and score only on the ability to identify security requirements. Perhaps have one game of each suit each day for a week or so, if the participants cannot spare long enough for a full deck.
* Some teams have preferred to play a full hand of cards, and then discuss what is on the cards after each round (instead of after each person plays a card).
* Another suggestion is that if a player fails to identify the card is relevant, allow other players to suggest ideas, and potentially let them gain the point for the card. Consider allowing extra points for especially good contributions.
* You can even play by yourself. Just use the cards to act as thought-provokers. Involving more people will be beneficial though.
* In Microsoft's EoP guidance, they recommend cheating as a good game strategy

=FAQs=

[[File:Cornucopia-card-authorization-8.png|right|link=]]
[[File:Cornucopia-card-cryptography-j.png|right|link=]]

; Can I copy or edit the game?
:Yes of course. All OWASP materials are free to do with as you like provided you comply with the Creative Commons Attribution-ShareAlike 3.0 license. Perhaps if you create a new version, you might donate it to the OWASP Cornucopia Project?

; How can I get involved?
: Please send ideas or offers of help to the project’s mailing list.

; How were the attackers’ names chosen?
: EoP begins every description with words like "An attacker can...". These have to be phrased as an attack but I was not keen on the anonymous terminology, wanting something more engaging, and therefore used personal names. These can be thought of as external or internal people or aliases for computer systems. But instead of just random names, I thought how they might reflect the OWASP community aspect. Therefore, apart from "Alice and Bob", I use the given (first) names of current and recent OWASP employees and Board members (assigned in no order), and then randomly selected the remaining 50 or so names from the current list of paying individual OWASP members. No name was used more than once, and where people had provided two personal names, I dropped one part to try to ensure no-one can be easily identified. Names were not deliberately allocated to any particular attack, defence or requirement. The cultural and gender mix simply reflects theses sources of names, and is not meant to be world-representative.

; Why aren’t there any images on the card faces?
: There is quite a lot of text on the cards, and the cross-referencing takes up space too. But it would be great to have additional design elements included. Any volunteers?

; Are the attacks ranked by the number on the card?
: Only approximately. The risk will be application and organisation dependent, due to varying security and compliance requirements, so your own severity rating may place the cards in some other order than the numbers on the cards.

; How long does it take to play a round of cards using the full deck?
: This depends upon the amount of discussion and how familiar the players are with application security concepts. But perhaps allow 1.5 to 2.0 hours for 4-6 people.

; What sort of people should play the game?
:Always try to have a mix of roles who can contribute alternative perspectives. But include someone who has a reasonable knowledge of application vulnerability terminology. Otherwise try to include a mix of architects, developers, testers and a relevant project manager or business owner.

; Who should take notes and record scores?
: It is better if that someone else, not playing the game, takes notes about the requirements identified and issues discussed. This could be used as training for a more junior developer, or performed by the project manager. Some organisations have made a recording to review afterwards when the requirements are written up more formally.

; Should we always use the full deck of cards?
: No. A smaller deck is quicker to play. Start your first game with only enough cards for two or three rounds. Always consider removing cards that are not appropriate at all of the target application or function being reviewed. For the first few times people play the game it is also usually better to remove the Aces and the two Jokers. It is also usual to play the game without any trumps suit until people are more familiar with the idea.

; What should players do when they have an Ace card that says “invented a new X attack”?
: The player can make up any attack they think is valid, but must match the suit of the card e.g. data validation and encoding). With players new to the game, it can be better to remove these to begin with.

; I don’t understand what the attack means on each card - is there more detailed information?
: Yes, the Wiki Deck at was created to help players understand the attacks. See [https://www.owasp.org/index.php/Cornucopia_-_Ecommerce_Website_Edition_-_Wiki_Deck Wiki Deck].

; My company wants to print its own version of OWASP Cornucopia - what license do we need to refer to?
: What is required/reasonable might depend upon how you propose to use the source Cornucopia material. See fuller answer immediately below.

Some examples of re-using or reproducing Cornucopia are:

# Print some decks and give them away to customers
# Reproduce the game exactly but with a corporate-branded package
# Use the idea and/or source files to produce a similar game but with different attacks/mappings
# Distribute modified design files

If option 1 above, you can order these in bulk from OWASP and attach your own details below the "compliments of" section on the boxes. There are three aspects to consider for options 2, 3 or 4, or combinations of those - see below. The existing printed decks (and their boxes and leaflets include such text).

''A - Cornucopia License''

The precise wording will depend how the material is being used or reproduced. Under Creative Commons Attribution-ShareAlike 3.0 license it is necessary to attribute all previous contributions (in this case, Microsoft, Boeing, Mitre, etc). The easiest place to put the wording is on the leaflet (folded inside, or separate booklet). The current required long-form wording is:

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license http://creativecommons.org/licenses/by-sa/3.0/

The files used to create these materials were created from the OWASP project and are also open source, and are licensed under the same conditions.

OWASP Cornucopia can be downloaded for free from the OWASP website and printed yourself. The OWASP Cornucopia project source in vendor neutral and unbranded.

OWASP does not endorse or recommend commercial products or services.

© 2012-2016 OWASP Foundation

This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license.

Acknowledgments:

Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.

Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.

Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.

Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.

Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.

Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.

Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

The box/container for the cards must have the wording:

Created by Colin Watson.

Contains: One pack of Cornucopia Ecommerce Website playing cards. OWASP Cornucopia is open source and can be downloaded free of charge from the OWASP website.

OWASP Cornucopia is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The following short-form wording must also appear on any materials referencing the outputs (e.g. press releases, leaflets, reports, blog posts):

OWASP does not endorse or recommend commercial products or services.

OWASP Cornucopia is licensed under the Creative Commons Attribution-ShareAlike 3.0 license and is © 2012-2016 OWASP Foundation.

If any files are distributed electronically, the long-form wording should also be aded in a license.txt file within the distribution.

If the intention is to use the idea only (option 3 above), the long-form, box and short-form wording might be different, and probably simpler. And it might make more sense to start with the Microsoft-provided Elevation of Privilege files (and open source license).

''B - Upcoming update to Cornucopia''

Note that the current print design files are v1.04, and the current Word document is v1.10, but we are in the process of updating all of these to v1.20.

Whatever is used as a starting point, please state the source version, for example:

Based on OWASP Cornucopia Ecommerce Website Edition v1.04

''C - OWASP brand usage''

Additionally individuals, companies and other organisations must not breach OWASP's brand usage guidelines.

https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES

In the case of Cornucopia, in 2014 Blackfoot Limited produced some printed decks of cards. Blackfoot's name and logo did not appear anywhere on the OWASP-branded cards, and the OWASP logo did not appear on the Blackfoot-branded box and leaflet. In fact there is no OWASP logo on any part of the Blackfoot branded decks.

= Acknowledgements =

[[File:Cornucopia-card-data-A.png|right|link=]]

==Volunteers==
Cornucopia is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Simon Bennetts
* Tom Brennan
* Fabio Cerullo
* Oana Cornea
* Johanna Curiel
* Todd Dahl
* Luis Enriquez
* Ken Ferris
* Darío De Filippis
* Sebastien Gioria
* Tobias Gondrom
* Timo Goosen
* Anthony Harrison
* John Herrlin
* Jerry Hoff
* Marios Kourtesis
* Antonis Manaras
* Jim Manico
* Mark Miller
* Cam Morris
* Susana Romaniz
* Ravishankar Sahadevan
* Tao Sauvage
* Stephen de Vries
* Colin Watson

Also:

* Attendees at OWASP London, OWASP Manchester and OWASP Netherlands chapter meetings, the London Gamification meetup, and the training at AppSec USA 2015 in san Francisco who made helpful suggestions and asked challenging questions

==Others==
* Microsoft SDL Team for the Elevation of Privilege Threat Modelling Game, published under a Creative Commons Attribution license, as the inspiration for Cornucopia and from which many ideas, especially the game theory, were copied.
* Keith Turpin and contributors to the “OWASP Secure Coding Practices - Quick Reference Guide”, originally donated to OWASP by Boeing, which is used as the primary source of security requirements information to formulate the content of the cards.
* Contributors, supporters, sponsors and volunteers to the OWASP ASVS, AppSensor and Web Framework Security Matrix projects, Mitre’s Common Attack Pattern Enumeration and Classification (CAPEC), and SAFECode’s “Practical Security Stories and Security Tasks for Agile Development Environments” which are all used in the cross-references provided.
* Playgen for providing an illuminating afternoon seminar on task gamification, and tartanmaker.com for the online tool to help create the card back pattern.
* Blackfoot UK Limited for creating and donating print-ready design files, Tom Brennan and the OWASP Foundation for instigating the creation of an OWASP-branded box and leaflet, and OWASP employees, especially Kate Hartmann, for managing the ordering, stocking and despatch of printed card decks.
* Oana Cornea and other participants at the AppSec EU 2015 project summit for their help in creating the demonstration video.
* Colin Watson as author and co-project leader with Darío De Filippis, along with other OWASP volunteers who have helped in many ways.

= Road Map and Getting Involved =

[[File:Cornucopia-card-authentication-7.png|right|link=]]
[[File:Cornucopia-card-joker-a.png|right|link=]]

Version history (see [https://www.owasp.org/index.php/File:OWASP-Cornucopia-Ecommerce_Website.docx uploads]):
* Alpha version (0.40) was issued in August 2012
* Beta version (1.00) was released in February 2013
* Stable release (1.02) was released in August 2013, following feedback from mailing list and use with groups of developers
* Release v1.03 included minor changes
* Release v1.04 included a text correction on one card
* Release v1.05 included additional narrative and FAQs
* Current release v1.10 included cross-references updated for 2014 version of ASVS, contributors updated and minor text changes to cards to improve readability
* Current release v1.20 included cross-references updated for version 3.0.1 of ASVS and CAPEC v2.8, and many minor text changes including further contributors.

As of May 2016, the priorities are:
* <strike>Develop Cornucopia Wiki Deck</strike> done
* <strike>Update the document/deck to shorten some card text [completed ready for v1.10]</strike> done
* <strike>Map to ASVS 2014</strike> done
* <strike>Map to ASVSv3 2016</strike> done
* <strike>Check/update CAPEC mappings</strike> done
* Translate into French (Started in June 2015 by [[User:SebastienGioria]] ) , Japanese, Spanish (almost complete May 2016) and other languages (help needed please) - German in progress (from June 2014)
* <strike>Make card decks available via OWASP Merchandise Store</strike> done
* <strike>Create a video "how to play"</strike> done
* Update printed decks in OWASP Merchandise Store to v1.20 in both EN and ES languages

Involvement in the development and promotion of Cornucopia is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
==Localization==
Are you fluent in another language? Can you help translate Cornucopia into that language?
==Use and Promote the Cornucopia Card Decks==
Please help raise awareness of Cornucopia by printing cards:
* Use Cornucopia with specifiers, architects, designers, developers, testers and others, in part to train them, but also to solicit feedback on their usability, practicality and appropriateness for their work
* Create video about how to play the game
* Develop a mobile app to play the game
==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] for feedback:
* What do like?
* What don't you like?
* What cards don't make sense?
* How could the guidance be improved?
* What other decks would you like to see?
==Keep the Cards Updated==
As the source referenced documents change, we have to update the decks. You may also find errors and omissions. In the first instance, please send a message to the [https://lists.owasp.org/mailman/listinfo/owasp_cornucopia friendly project mailing list] if you have identified errors & omissions, have some time to maintain the source documents, or can help in other ways.
==Create a New Deck==
The only version currently available is the Cornucopia Ecommerce Website Edition in English. We would like to create a new mobile app specific deck, probably using the wonderful [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Security Project] as inspiration for the card source materials. Do you have an idea for your own application security requirements card deck? Perhaps for {{#switchtablink:Mobile App Edition|mobile apps}} or something else?

= About Ecommerce Website Edition =
{{:Projects/OWASP Cornucopia Ecommerce Website Edition | Project About}}

__NOTOC__ <headertabs></headertabs>

[[Category: Attack]]
[[Category: Threat_Modeling]]
[[Category:OWASP Project]]
[[Category:OWASP_Builders]]
[[Category:OWASP_Defenders]]
[[Category:OWASP_Document]]
[[Category:OWASP_Download]]
[[Category:SAMM-SR-1]]
[[Category:SAMM-SR-2]]
[[Category:SAMM-TA-1]]
[[Category:SAMM-EG-2]]

OWASP Snakes and Ladders

2018-05-09T18:00:30Z

Clerkendweller: /* Editions */ Dates

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Snakes_and_ladders-header.png|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Snakes and Ladders==

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

== Editions==

''Web Applications''

In the board game for {{#switchtablink:Web Applications Edition|web applications}}, the virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013-2017). See also a [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping mapping between these two lists].

''Mobile Apps''

The identical board game for {{#switchtablink:Mobile Apps Edition|mobile apps}} uses mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) as the virtuous behaviours and mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014 from the same project) as the vices.

== Background ==

This board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached.

Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 [https://en.wikipedia.org/wiki/Paper_size paper size] 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away.

==Licensing==

OWASP Snakes and Ladders is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is This? ==

Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into [http://sandradodd.com/game/snakesandladders Great Britain from Asia] in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized ''print-your-own'' paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks.

==How to Play==

* The game is for 2-6 players.
* Firstly print the sheet out.
* Give each player a coloured counter (marker). To begin, each player should throw the die to determine who plays first; the highest can lead.
* Put all the players' counters onto the first square labelled “Start 1”.
* In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail.
* ''As a better alternative to enhance learning, either require the participants to discuss the risk/control when a player reaches each square, or only allow players to climb up a ladder after a quest about the control (e.g. simply describing the control, explain the risk (one example) the named control addresses and how the control (one example) could help prevent the named it''
*The first player to reach “100” at the top left wins. Give a prize.

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:katy.anton@owasp.org @]

== Related Projects ==

* [[OWASP Proactive Controls]]
* [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
* [[OWASP Mobile Security Project|OWASP Mobile Security]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Web Applications v1.0/v1.1
** [[media:OWASP-SnakesAndLadders-WebApplications-BR.pdf|BR]], [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]], [[media:OWASP-SnakesAndLadders-WebApplications-FR.pdf|FR]], [[media:OWASP-SnakesAndLadders-WebApplications-JA.pdf|JA]], [[media:OWASP-SnakesAndLadders-WebApplications-TR.pdf|TR]], [[media:OWASP-SnakesAndLadders-WebApplications-ZH.pdf|ZH]]
** {{#switchtablink:Web Applications Edition|More options...}}

* Mobile Apps v1.0
** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-MobileApps-JA.pdf|JA]]
** {{#switchtablink:Mobile Apps Edition|More options...}}

== News and Events ==
* [09 May 2018] Web Applications v1.20 released in EN
* [12 May 2017] Web Applications TR
* [30 Jun 2016] Free copies at OWASP AppSec EU Rome 2017
* [05 Jun 2016] Web Applications v1.10 released in EN
* [30 Dec 2015] Katy Anton becomes project co-leader
* [01 Dec 2015] Free copies at PHP North West user group
* [24 Nov 2015] Free copies at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [12 Oct 2015] Free copies at PHP Hampshire user group
* [29 Sep 2015] Web Application v1.0 released in PT-BR
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Dutch translation
* [11 May 2015] Lightning talk at the [http://tickets.digitalshoreditch.com/make/#session-53 Digital Shoreditch Festival]
* [04 Dec 2014] Free copies at [https://www.owasp.org/index.php/London OWASP London]
* [02 Dec 2014] Free copies at [https://www.owasp.org/index.php/Cambridge OWASP Cambridge]
* [02 Dec 2014] Mobile Apps JA
* [25 Nov 2014] Web Applications FR, JA and ZH
* [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES
* [31 Oct 2014] Mobile Apps v1.0 released in EN

== Twitter ==

[[File:OWASPSnakesWeb-profile-small.jpg|link=]]
Follow two mock games running on Twitter:
* [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb]
* [https://twitter.com/OWASPSnakesMob @OWASPSnakesMob]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Web Applications Edition =

== OWASP Snakes and Ladders - Web Applications ==

This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013-2017).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-web-de.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-BR.pdf BR: Português Brasileiro]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-DE.pdf DE: Deutsch]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-EN.pdf EN: English]
|-
| align="center" valign="top" | [[Image:Osn-webapp-BR.png|link=File:OWASP-SnakesAndLadders-WebApplications-BR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-DE.png|link=File:OWASP-SnakesAndLadders-WebApplications-DE.pdf]]
| align="center" valign="top" |[[Image:Osn-webapp-EN.png|link=File:OWASP-SnakesAndLadders-WebApplications-EN.pdf]]
|-
| align="center" valign="top" width="250" | Serpentes e Escadas<br>Aplicativos da Web
| align="center" valign="top" width="250" | Schlangen und Leitern<br>Web Anwendungen
| align="center" valign="top" width="250" | Snakes and Ladders<br>Web Applications
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ES.pdf ES: Español]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-FR.pdf FR: Français]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-webapp-ES.png|link=File:OWASP-SnakesAndLadders-WebApplications-ES.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-FR.png|link=File:OWASP-SnakesAndLadders-WebApplications-FR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-JA.png|link=File:OWASP-SnakesAndLadders-WebApplications-JA.pdf]]
|-
| align="center" valign="top" width="250" | Serpientes y Escaleras<br>Aplicaciones Web
| align="center" valign="top" width="250" | Serpents et Échelles<br>Application Web
| align="center" valign="top" width="250" | 蛇とはしご<br>ウェブアプリケーション
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-TR.pdf TR: Türkçe]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf ZH: 中文]
| align="center" valign="top" |
|-
| align="center" valign="top" | [[Image:Osn-webapp-TR.png|link=File:OWASP-SnakesAndLadders-WebApplications-TR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-ZH.png|link=File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf]]
| align="center" valign="top" |
|-
| align="center" valign="top" width="250" | Yılanlar ve Merdivenler<br>Web Uygulamaları
| align="center" valign="top" width="250" | 蛇梯棋<br>WEB应用程序
| align="center" valign="top" width="250" |
|}

Note that some languages choose not to change the EN text for risk and control names.

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [09 May 2018] 1.2 - EN version updated
* [12 May 2017] 1.11 - TR version release
* [15 Jun 2016] 1.1 - EN version updated
* [29 Sep 2015] 1.0.2 - BR version release
* [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Classic' ==

This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:

* Green
* Yellow
* White
* Red
* Blue

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div>

The start square (1) is yellow and the final square (100) is red.

= Mobile Apps Edition =

== OWASP Snakes and Ladders - Mobile Apps ==

The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) and the vices (snakes) are mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-mob-ja.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-EN.pdf EN: English]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-mobapp-EN.png|link=File:OWASP-SnakesAndLadders-MobileApps-EN.pdf]]
| align="center" valign="top" | [[Image:Osn-mobapp-JA.png|link=File:OWASP-SnakesAndLadders-MobileApps-JA.pdf]]
|-
| align="center" valign="top" width="250" | Snakes and Ladders<br>Mobile Apps
| align="center" valign="top" width="250" | 蛇とはしご<br> モバイルアプリ版
|}

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Farringdon' ==

Other people's versions of Snakes and Ladders [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 use a wide variety of designs and colour schemes]. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:

* Purple (future <strike>Crossrail</strike> Elizabeth)
* Yellow (Circle)
* White (Thameslink)
* Maroon (Metropolitan)
* Pink (Hammersmith & City)

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div>

You can see these colours on [https://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf tube maps] and station signage. The start square (1) is yellow and the final square (100) is maroon.

=FAQs=

[[File:Snakesandladders-mockup.jpg|right|link=]]

==Why Snakes & Ladders? ==

The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.

Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.

Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.

==How was the game created?==
By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.

The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.

Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.

==How can I participate in your project?==
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the {{#switchtablink:Road Map_and Getting Involved|road map and getting involved section}}

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.

= Acknowledgements =

==Volunteers==
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Ziyahan Albeniz
* Kembolle Amilkar
* Katy Anton
* Manuel Lopez Arredondo
* Fabio Cerullo
* Álan Carlos B. Eufrázio
* Tobias Gondrom
* Martin Haslinger
* Yongliang He
* Manfred Hofmeier
* Cédric Messeguer
* Takanori Nakanowatari
* Marcos Vinícius Nunes de Arruda
* Riotaro Okada
* Gabriel Pedro S. Peres
* Alison S. Ribeiro
* Ivy Zhang
* Colin Watson

==Others==
* The project leaders and contributors to the referenced controls and risks:
** [[OWASP Proactive Controls]]
** [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
** [[OWASP Mobile Security Project|OWASP Mobile Security]]
* OWASP staff for helping to set up the project and support its ongoing activities.

= Road Map and Getting Involved =

Recently completed:
* Update web applications edition to Proactive Controls 2018 [EN recently completed]
* Translate into other languages [TR recently completed]
* Handouts at events

As of May 2018, the priorities are:
* Update as other referenced projects updated (e.g. Top Ten)

Other ideas are:

* Promote use of Snakes and Ladders
* Develop other boards

Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.

==Localization==
Are you fluent in another language? Can you help translate Snakes and Ladders into that language?

The project is on [https://crowdin.com/project/owasp-snakes-and-ladders Crowdin]

==Use and Promote the Board Game==
Please help raise awareness of Snakes and Ladders:
* Use the game with your colleagues, friends, families, students and children
* Create video about how to play the game
* Develop a multi-user mobile app or web application to play the game

==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders project mailing list] for feedback:
* How did you use it?
* What is people's reaction?
* What do like?
* What don't you like?
* What doesn't make sense?
* How could the guidance be improved?
* What other boards would you like to see?

==Create a Board==
Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders mailing list].


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-EG-1]]

OWASP Snakes and Ladders

2018-05-09T18:00:06Z

Clerkendweller: /* OWASP Snakes and Ladders - Web Applications */ Dates

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Snakes_and_ladders-header.png|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Snakes and Ladders==

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

== Editions==

''Web Applications''

In the board game for {{#switchtablink:Web Applications Edition|web applications}}, the virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013). See also a [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping mapping between these two lists].

''Mobile Apps''

The identical board game for {{#switchtablink:Mobile Apps Edition|mobile apps}} uses mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) as the virtuous behaviours and mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014 from the same project) as the vices.

== Background ==

This board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached.

Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 [https://en.wikipedia.org/wiki/Paper_size paper size] 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away.

==Licensing==

OWASP Snakes and Ladders is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is This? ==

Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into [http://sandradodd.com/game/snakesandladders Great Britain from Asia] in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized ''print-your-own'' paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks.

==How to Play==

* The game is for 2-6 players.
* Firstly print the sheet out.
* Give each player a coloured counter (marker). To begin, each player should throw the die to determine who plays first; the highest can lead.
* Put all the players' counters onto the first square labelled “Start 1”.
* In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail.
* ''As a better alternative to enhance learning, either require the participants to discuss the risk/control when a player reaches each square, or only allow players to climb up a ladder after a quest about the control (e.g. simply describing the control, explain the risk (one example) the named control addresses and how the control (one example) could help prevent the named it''
*The first player to reach “100” at the top left wins. Give a prize.

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:katy.anton@owasp.org @]

== Related Projects ==

* [[OWASP Proactive Controls]]
* [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
* [[OWASP Mobile Security Project|OWASP Mobile Security]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Web Applications v1.0/v1.1
** [[media:OWASP-SnakesAndLadders-WebApplications-BR.pdf|BR]], [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]], [[media:OWASP-SnakesAndLadders-WebApplications-FR.pdf|FR]], [[media:OWASP-SnakesAndLadders-WebApplications-JA.pdf|JA]], [[media:OWASP-SnakesAndLadders-WebApplications-TR.pdf|TR]], [[media:OWASP-SnakesAndLadders-WebApplications-ZH.pdf|ZH]]
** {{#switchtablink:Web Applications Edition|More options...}}

* Mobile Apps v1.0
** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-MobileApps-JA.pdf|JA]]
** {{#switchtablink:Mobile Apps Edition|More options...}}

== News and Events ==
* [09 May 2018] Web Applications v1.20 released in EN
* [12 May 2017] Web Applications TR
* [30 Jun 2016] Free copies at OWASP AppSec EU Rome 2017
* [05 Jun 2016] Web Applications v1.10 released in EN
* [30 Dec 2015] Katy Anton becomes project co-leader
* [01 Dec 2015] Free copies at PHP North West user group
* [24 Nov 2015] Free copies at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [12 Oct 2015] Free copies at PHP Hampshire user group
* [29 Sep 2015] Web Application v1.0 released in PT-BR
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Dutch translation
* [11 May 2015] Lightning talk at the [http://tickets.digitalshoreditch.com/make/#session-53 Digital Shoreditch Festival]
* [04 Dec 2014] Free copies at [https://www.owasp.org/index.php/London OWASP London]
* [02 Dec 2014] Free copies at [https://www.owasp.org/index.php/Cambridge OWASP Cambridge]
* [02 Dec 2014] Mobile Apps JA
* [25 Nov 2014] Web Applications FR, JA and ZH
* [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES
* [31 Oct 2014] Mobile Apps v1.0 released in EN

== Twitter ==

[[File:OWASPSnakesWeb-profile-small.jpg|link=]]
Follow two mock games running on Twitter:
* [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb]
* [https://twitter.com/OWASPSnakesMob @OWASPSnakesMob]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Web Applications Edition =

== OWASP Snakes and Ladders - Web Applications ==

This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013-2017).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-web-de.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-BR.pdf BR: Português Brasileiro]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-DE.pdf DE: Deutsch]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-EN.pdf EN: English]
|-
| align="center" valign="top" | [[Image:Osn-webapp-BR.png|link=File:OWASP-SnakesAndLadders-WebApplications-BR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-DE.png|link=File:OWASP-SnakesAndLadders-WebApplications-DE.pdf]]
| align="center" valign="top" |[[Image:Osn-webapp-EN.png|link=File:OWASP-SnakesAndLadders-WebApplications-EN.pdf]]
|-
| align="center" valign="top" width="250" | Serpentes e Escadas<br>Aplicativos da Web
| align="center" valign="top" width="250" | Schlangen und Leitern<br>Web Anwendungen
| align="center" valign="top" width="250" | Snakes and Ladders<br>Web Applications
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ES.pdf ES: Español]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-FR.pdf FR: Français]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-webapp-ES.png|link=File:OWASP-SnakesAndLadders-WebApplications-ES.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-FR.png|link=File:OWASP-SnakesAndLadders-WebApplications-FR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-JA.png|link=File:OWASP-SnakesAndLadders-WebApplications-JA.pdf]]
|-
| align="center" valign="top" width="250" | Serpientes y Escaleras<br>Aplicaciones Web
| align="center" valign="top" width="250" | Serpents et Échelles<br>Application Web
| align="center" valign="top" width="250" | 蛇とはしご<br>ウェブアプリケーション
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-TR.pdf TR: Türkçe]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf ZH: 中文]
| align="center" valign="top" |
|-
| align="center" valign="top" | [[Image:Osn-webapp-TR.png|link=File:OWASP-SnakesAndLadders-WebApplications-TR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-ZH.png|link=File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf]]
| align="center" valign="top" |
|-
| align="center" valign="top" width="250" | Yılanlar ve Merdivenler<br>Web Uygulamaları
| align="center" valign="top" width="250" | 蛇梯棋<br>WEB应用程序
| align="center" valign="top" width="250" |
|}

Note that some languages choose not to change the EN text for risk and control names.

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [09 May 2018] 1.2 - EN version updated
* [12 May 2017] 1.11 - TR version release
* [15 Jun 2016] 1.1 - EN version updated
* [29 Sep 2015] 1.0.2 - BR version release
* [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Classic' ==

This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:

* Green
* Yellow
* White
* Red
* Blue

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div>

The start square (1) is yellow and the final square (100) is red.

= Mobile Apps Edition =

== OWASP Snakes and Ladders - Mobile Apps ==

The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) and the vices (snakes) are mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-mob-ja.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-EN.pdf EN: English]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-mobapp-EN.png|link=File:OWASP-SnakesAndLadders-MobileApps-EN.pdf]]
| align="center" valign="top" | [[Image:Osn-mobapp-JA.png|link=File:OWASP-SnakesAndLadders-MobileApps-JA.pdf]]
|-
| align="center" valign="top" width="250" | Snakes and Ladders<br>Mobile Apps
| align="center" valign="top" width="250" | 蛇とはしご<br> モバイルアプリ版
|}

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Farringdon' ==

Other people's versions of Snakes and Ladders [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 use a wide variety of designs and colour schemes]. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:

* Purple (future <strike>Crossrail</strike> Elizabeth)
* Yellow (Circle)
* White (Thameslink)
* Maroon (Metropolitan)
* Pink (Hammersmith & City)

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div>

You can see these colours on [https://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf tube maps] and station signage. The start square (1) is yellow and the final square (100) is maroon.

=FAQs=

[[File:Snakesandladders-mockup.jpg|right|link=]]

==Why Snakes & Ladders? ==

The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.

Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.

Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.

==How was the game created?==
By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.

The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.

Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.

==How can I participate in your project?==
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the {{#switchtablink:Road Map_and Getting Involved|road map and getting involved section}}

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.

= Acknowledgements =

==Volunteers==
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Ziyahan Albeniz
* Kembolle Amilkar
* Katy Anton
* Manuel Lopez Arredondo
* Fabio Cerullo
* Álan Carlos B. Eufrázio
* Tobias Gondrom
* Martin Haslinger
* Yongliang He
* Manfred Hofmeier
* Cédric Messeguer
* Takanori Nakanowatari
* Marcos Vinícius Nunes de Arruda
* Riotaro Okada
* Gabriel Pedro S. Peres
* Alison S. Ribeiro
* Ivy Zhang
* Colin Watson

==Others==
* The project leaders and contributors to the referenced controls and risks:
** [[OWASP Proactive Controls]]
** [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
** [[OWASP Mobile Security Project|OWASP Mobile Security]]
* OWASP staff for helping to set up the project and support its ongoing activities.

= Road Map and Getting Involved =

Recently completed:
* Update web applications edition to Proactive Controls 2018 [EN recently completed]
* Translate into other languages [TR recently completed]
* Handouts at events

As of May 2018, the priorities are:
* Update as other referenced projects updated (e.g. Top Ten)

Other ideas are:

* Promote use of Snakes and Ladders
* Develop other boards

Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.

==Localization==
Are you fluent in another language? Can you help translate Snakes and Ladders into that language?

The project is on [https://crowdin.com/project/owasp-snakes-and-ladders Crowdin]

==Use and Promote the Board Game==
Please help raise awareness of Snakes and Ladders:
* Use the game with your colleagues, friends, families, students and children
* Create video about how to play the game
* Develop a multi-user mobile app or web application to play the game

==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders project mailing list] for feedback:
* How did you use it?
* What is people's reaction?
* What do like?
* What don't you like?
* What doesn't make sense?
* How could the guidance be improved?
* What other boards would you like to see?

==Create a Board==
Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders mailing list].


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-EG-1]]

OWASP Snakes and Ladders

2018-05-09T17:57:50Z

Clerkendweller: /* Editions */ To reflect release

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Snakes_and_ladders-header.png|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Snakes and Ladders==

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

== Editions==

''Web Applications''

In the board game for {{#switchtablink:Web Applications Edition|web applications}}, the virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013). See also a [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping mapping between these two lists].

''Mobile Apps''

The identical board game for {{#switchtablink:Mobile Apps Edition|mobile apps}} uses mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) as the virtuous behaviours and mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014 from the same project) as the vices.

== Background ==

This board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached.

Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 [https://en.wikipedia.org/wiki/Paper_size paper size] 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away.

==Licensing==

OWASP Snakes and Ladders is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is This? ==

Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into [http://sandradodd.com/game/snakesandladders Great Britain from Asia] in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized ''print-your-own'' paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks.

==How to Play==

* The game is for 2-6 players.
* Firstly print the sheet out.
* Give each player a coloured counter (marker). To begin, each player should throw the die to determine who plays first; the highest can lead.
* Put all the players' counters onto the first square labelled “Start 1”.
* In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail.
* ''As a better alternative to enhance learning, either require the participants to discuss the risk/control when a player reaches each square, or only allow players to climb up a ladder after a quest about the control (e.g. simply describing the control, explain the risk (one example) the named control addresses and how the control (one example) could help prevent the named it''
*The first player to reach “100” at the top left wins. Give a prize.

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:katy.anton@owasp.org @]

== Related Projects ==

* [[OWASP Proactive Controls]]
* [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
* [[OWASP Mobile Security Project|OWASP Mobile Security]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Web Applications v1.0/v1.1
** [[media:OWASP-SnakesAndLadders-WebApplications-BR.pdf|BR]], [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]], [[media:OWASP-SnakesAndLadders-WebApplications-FR.pdf|FR]], [[media:OWASP-SnakesAndLadders-WebApplications-JA.pdf|JA]], [[media:OWASP-SnakesAndLadders-WebApplications-TR.pdf|TR]], [[media:OWASP-SnakesAndLadders-WebApplications-ZH.pdf|ZH]]
** {{#switchtablink:Web Applications Edition|More options...}}

* Mobile Apps v1.0
** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-MobileApps-JA.pdf|JA]]
** {{#switchtablink:Mobile Apps Edition|More options...}}

== News and Events ==
* [09 May 2018] Web Applications v1.20 released in EN
* [12 May 2017] Web Applications TR
* [30 Jun 2016] Free copies at OWASP AppSec EU Rome 2017
* [05 Jun 2016] Web Applications v1.10 released in EN
* [30 Dec 2015] Katy Anton becomes project co-leader
* [01 Dec 2015] Free copies at PHP North West user group
* [24 Nov 2015] Free copies at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [12 Oct 2015] Free copies at PHP Hampshire user group
* [29 Sep 2015] Web Application v1.0 released in PT-BR
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Dutch translation
* [11 May 2015] Lightning talk at the [http://tickets.digitalshoreditch.com/make/#session-53 Digital Shoreditch Festival]
* [04 Dec 2014] Free copies at [https://www.owasp.org/index.php/London OWASP London]
* [02 Dec 2014] Free copies at [https://www.owasp.org/index.php/Cambridge OWASP Cambridge]
* [02 Dec 2014] Mobile Apps JA
* [25 Nov 2014] Web Applications FR, JA and ZH
* [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES
* [31 Oct 2014] Mobile Apps v1.0 released in EN

== Twitter ==

[[File:OWASPSnakesWeb-profile-small.jpg|link=]]
Follow two mock games running on Twitter:
* [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb]
* [https://twitter.com/OWASPSnakesMob @OWASPSnakesMob]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Web Applications Edition =

== OWASP Snakes and Ladders - Web Applications ==

This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-web-de.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-BR.pdf BR: Português Brasileiro]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-DE.pdf DE: Deutsch]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-EN.pdf EN: English]
|-
| align="center" valign="top" | [[Image:Osn-webapp-BR.png|link=File:OWASP-SnakesAndLadders-WebApplications-BR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-DE.png|link=File:OWASP-SnakesAndLadders-WebApplications-DE.pdf]]
| align="center" valign="top" |[[Image:Osn-webapp-EN.png|link=File:OWASP-SnakesAndLadders-WebApplications-EN.pdf]]
|-
| align="center" valign="top" width="250" | Serpentes e Escadas<br>Aplicativos da Web
| align="center" valign="top" width="250" | Schlangen und Leitern<br>Web Anwendungen
| align="center" valign="top" width="250" | Snakes and Ladders<br>Web Applications
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ES.pdf ES: Español]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-FR.pdf FR: Français]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-webapp-ES.png|link=File:OWASP-SnakesAndLadders-WebApplications-ES.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-FR.png|link=File:OWASP-SnakesAndLadders-WebApplications-FR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-JA.png|link=File:OWASP-SnakesAndLadders-WebApplications-JA.pdf]]
|-
| align="center" valign="top" width="250" | Serpientes y Escaleras<br>Aplicaciones Web
| align="center" valign="top" width="250" | Serpents et Échelles<br>Application Web
| align="center" valign="top" width="250" | 蛇とはしご<br>ウェブアプリケーション
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-TR.pdf TR: Türkçe]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf ZH: 中文]
| align="center" valign="top" |
|-
| align="center" valign="top" | [[Image:Osn-webapp-TR.png|link=File:OWASP-SnakesAndLadders-WebApplications-TR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-ZH.png|link=File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf]]
| align="center" valign="top" |
|-
| align="center" valign="top" width="250" | Yılanlar ve Merdivenler<br>Web Uygulamaları
| align="center" valign="top" width="250" | 蛇梯棋<br>WEB应用程序
| align="center" valign="top" width="250" |
|}

Note that some languages choose not to change the EN text for risk and control names.

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [09 May 2018] 1.2 - EN version updated
* [12 May 2017] 1.11 - TR version release
* [15 Jun 2016] 1.1 - EN version updated
* [29 Sep 2015] 1.0.2 - BR version release
* [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Classic' ==

This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:

* Green
* Yellow
* White
* Red
* Blue

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div>

The start square (1) is yellow and the final square (100) is red.

= Mobile Apps Edition =

== OWASP Snakes and Ladders - Mobile Apps ==

The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) and the vices (snakes) are mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-mob-ja.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-EN.pdf EN: English]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-mobapp-EN.png|link=File:OWASP-SnakesAndLadders-MobileApps-EN.pdf]]
| align="center" valign="top" | [[Image:Osn-mobapp-JA.png|link=File:OWASP-SnakesAndLadders-MobileApps-JA.pdf]]
|-
| align="center" valign="top" width="250" | Snakes and Ladders<br>Mobile Apps
| align="center" valign="top" width="250" | 蛇とはしご<br> モバイルアプリ版
|}

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Farringdon' ==

Other people's versions of Snakes and Ladders [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 use a wide variety of designs and colour schemes]. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:

* Purple (future <strike>Crossrail</strike> Elizabeth)
* Yellow (Circle)
* White (Thameslink)
* Maroon (Metropolitan)
* Pink (Hammersmith & City)

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div>

You can see these colours on [https://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf tube maps] and station signage. The start square (1) is yellow and the final square (100) is maroon.

=FAQs=

[[File:Snakesandladders-mockup.jpg|right|link=]]

==Why Snakes & Ladders? ==

The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.

Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.

Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.

==How was the game created?==
By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.

The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.

Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.

==How can I participate in your project?==
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the {{#switchtablink:Road Map_and Getting Involved|road map and getting involved section}}

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.

= Acknowledgements =

==Volunteers==
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Ziyahan Albeniz
* Kembolle Amilkar
* Katy Anton
* Manuel Lopez Arredondo
* Fabio Cerullo
* Álan Carlos B. Eufrázio
* Tobias Gondrom
* Martin Haslinger
* Yongliang He
* Manfred Hofmeier
* Cédric Messeguer
* Takanori Nakanowatari
* Marcos Vinícius Nunes de Arruda
* Riotaro Okada
* Gabriel Pedro S. Peres
* Alison S. Ribeiro
* Ivy Zhang
* Colin Watson

==Others==
* The project leaders and contributors to the referenced controls and risks:
** [[OWASP Proactive Controls]]
** [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
** [[OWASP Mobile Security Project|OWASP Mobile Security]]
* OWASP staff for helping to set up the project and support its ongoing activities.

= Road Map and Getting Involved =

Recently completed:
* Update web applications edition to Proactive Controls 2018 [EN recently completed]
* Translate into other languages [TR recently completed]
* Handouts at events

As of May 2018, the priorities are:
* Update as other referenced projects updated (e.g. Top Ten)

Other ideas are:

* Promote use of Snakes and Ladders
* Develop other boards

Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.

==Localization==
Are you fluent in another language? Can you help translate Snakes and Ladders into that language?

The project is on [https://crowdin.com/project/owasp-snakes-and-ladders Crowdin]

==Use and Promote the Board Game==
Please help raise awareness of Snakes and Ladders:
* Use the game with your colleagues, friends, families, students and children
* Create video about how to play the game
* Develop a multi-user mobile app or web application to play the game

==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders project mailing list] for feedback:
* How did you use it?
* What is people's reaction?
* What do like?
* What don't you like?
* What doesn't make sense?
* How could the guidance be improved?
* What other boards would you like to see?

==Create a Board==
Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders mailing list].


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-EG-1]]

OWASP Snakes and Ladders

2018-05-09T17:57:16Z

Clerkendweller: News v1.20 EN / Project plan

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Snakes_and_ladders-header.png|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Snakes and Ladders==

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

== Editions==

''Web Applications''

In the board game for {{#switchtablink:Web Applications Edition|web applications}}, the virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2016) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013). See also a [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping mapping between these two lists].

''Mobile Apps''

The identical board game for {{#switchtablink:Mobile Apps Edition|mobile apps}} uses mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) as the virtuous behaviours and mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014 from the same project) as the vices.

''Application Intrusion Detection''

Coming soon.

== Background ==

This board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached.

Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 [https://en.wikipedia.org/wiki/Paper_size paper size] 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away.

==Licensing==

OWASP Snakes and Ladders is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is This? ==

Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into [http://sandradodd.com/game/snakesandladders Great Britain from Asia] in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized ''print-your-own'' paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks.

==How to Play==

* The game is for 2-6 players.
* Firstly print the sheet out.
* Give each player a coloured counter (marker). To begin, each player should throw the die to determine who plays first; the highest can lead.
* Put all the players' counters onto the first square labelled “Start 1”.
* In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail.
* ''As a better alternative to enhance learning, either require the participants to discuss the risk/control when a player reaches each square, or only allow players to climb up a ladder after a quest about the control (e.g. simply describing the control, explain the risk (one example) the named control addresses and how the control (one example) could help prevent the named it''
*The first player to reach “100” at the top left wins. Give a prize.

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:katy.anton@owasp.org @]

== Related Projects ==

* [[OWASP Proactive Controls]]
* [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
* [[OWASP Mobile Security Project|OWASP Mobile Security]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Web Applications v1.0/v1.1
** [[media:OWASP-SnakesAndLadders-WebApplications-BR.pdf|BR]], [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]], [[media:OWASP-SnakesAndLadders-WebApplications-FR.pdf|FR]], [[media:OWASP-SnakesAndLadders-WebApplications-JA.pdf|JA]], [[media:OWASP-SnakesAndLadders-WebApplications-TR.pdf|TR]], [[media:OWASP-SnakesAndLadders-WebApplications-ZH.pdf|ZH]]
** {{#switchtablink:Web Applications Edition|More options...}}

* Mobile Apps v1.0
** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-MobileApps-JA.pdf|JA]]
** {{#switchtablink:Mobile Apps Edition|More options...}}

== News and Events ==
* [09 May 2018] Web Applications v1.20 released in EN
* [12 May 2017] Web Applications TR
* [30 Jun 2016] Free copies at OWASP AppSec EU Rome 2017
* [05 Jun 2016] Web Applications v1.10 released in EN
* [30 Dec 2015] Katy Anton becomes project co-leader
* [01 Dec 2015] Free copies at PHP North West user group
* [24 Nov 2015] Free copies at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [12 Oct 2015] Free copies at PHP Hampshire user group
* [29 Sep 2015] Web Application v1.0 released in PT-BR
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Dutch translation
* [11 May 2015] Lightning talk at the [http://tickets.digitalshoreditch.com/make/#session-53 Digital Shoreditch Festival]
* [04 Dec 2014] Free copies at [https://www.owasp.org/index.php/London OWASP London]
* [02 Dec 2014] Free copies at [https://www.owasp.org/index.php/Cambridge OWASP Cambridge]
* [02 Dec 2014] Mobile Apps JA
* [25 Nov 2014] Web Applications FR, JA and ZH
* [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES
* [31 Oct 2014] Mobile Apps v1.0 released in EN

== Twitter ==

[[File:OWASPSnakesWeb-profile-small.jpg|link=]]
Follow two mock games running on Twitter:
* [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb]
* [https://twitter.com/OWASPSnakesMob @OWASPSnakesMob]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Web Applications Edition =

== OWASP Snakes and Ladders - Web Applications ==

This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2018) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-web-de.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-BR.pdf BR: Português Brasileiro]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-DE.pdf DE: Deutsch]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-EN.pdf EN: English]
|-
| align="center" valign="top" | [[Image:Osn-webapp-BR.png|link=File:OWASP-SnakesAndLadders-WebApplications-BR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-DE.png|link=File:OWASP-SnakesAndLadders-WebApplications-DE.pdf]]
| align="center" valign="top" |[[Image:Osn-webapp-EN.png|link=File:OWASP-SnakesAndLadders-WebApplications-EN.pdf]]
|-
| align="center" valign="top" width="250" | Serpentes e Escadas<br>Aplicativos da Web
| align="center" valign="top" width="250" | Schlangen und Leitern<br>Web Anwendungen
| align="center" valign="top" width="250" | Snakes and Ladders<br>Web Applications
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ES.pdf ES: Español]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-FR.pdf FR: Français]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-webapp-ES.png|link=File:OWASP-SnakesAndLadders-WebApplications-ES.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-FR.png|link=File:OWASP-SnakesAndLadders-WebApplications-FR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-JA.png|link=File:OWASP-SnakesAndLadders-WebApplications-JA.pdf]]
|-
| align="center" valign="top" width="250" | Serpientes y Escaleras<br>Aplicaciones Web
| align="center" valign="top" width="250" | Serpents et Échelles<br>Application Web
| align="center" valign="top" width="250" | 蛇とはしご<br>ウェブアプリケーション
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-TR.pdf TR: Türkçe]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf ZH: 中文]
| align="center" valign="top" |
|-
| align="center" valign="top" | [[Image:Osn-webapp-TR.png|link=File:OWASP-SnakesAndLadders-WebApplications-TR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-ZH.png|link=File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf]]
| align="center" valign="top" |
|-
| align="center" valign="top" width="250" | Yılanlar ve Merdivenler<br>Web Uygulamaları
| align="center" valign="top" width="250" | 蛇梯棋<br>WEB应用程序
| align="center" valign="top" width="250" |
|}

Note that some languages choose not to change the EN text for risk and control names.

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [09 May 2018] 1.2 - EN version updated
* [12 May 2017] 1.11 - TR version release
* [15 Jun 2016] 1.1 - EN version updated
* [29 Sep 2015] 1.0.2 - BR version release
* [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Classic' ==

This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:

* Green
* Yellow
* White
* Red
* Blue

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div>

The start square (1) is yellow and the final square (100) is red.

= Mobile Apps Edition =

== OWASP Snakes and Ladders - Mobile Apps ==

The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) and the vices (snakes) are mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-mob-ja.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-EN.pdf EN: English]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-mobapp-EN.png|link=File:OWASP-SnakesAndLadders-MobileApps-EN.pdf]]
| align="center" valign="top" | [[Image:Osn-mobapp-JA.png|link=File:OWASP-SnakesAndLadders-MobileApps-JA.pdf]]
|-
| align="center" valign="top" width="250" | Snakes and Ladders<br>Mobile Apps
| align="center" valign="top" width="250" | 蛇とはしご<br> モバイルアプリ版
|}

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Farringdon' ==

Other people's versions of Snakes and Ladders [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 use a wide variety of designs and colour schemes]. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:

* Purple (future <strike>Crossrail</strike> Elizabeth)
* Yellow (Circle)
* White (Thameslink)
* Maroon (Metropolitan)
* Pink (Hammersmith & City)

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div>

You can see these colours on [https://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf tube maps] and station signage. The start square (1) is yellow and the final square (100) is maroon.

=FAQs=

[[File:Snakesandladders-mockup.jpg|right|link=]]

==Why Snakes & Ladders? ==

The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.

Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.

Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.

==How was the game created?==
By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.

The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.

Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.

==How can I participate in your project?==
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the {{#switchtablink:Road Map_and Getting Involved|road map and getting involved section}}

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.

= Acknowledgements =

==Volunteers==
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Ziyahan Albeniz
* Kembolle Amilkar
* Katy Anton
* Manuel Lopez Arredondo
* Fabio Cerullo
* Álan Carlos B. Eufrázio
* Tobias Gondrom
* Martin Haslinger
* Yongliang He
* Manfred Hofmeier
* Cédric Messeguer
* Takanori Nakanowatari
* Marcos Vinícius Nunes de Arruda
* Riotaro Okada
* Gabriel Pedro S. Peres
* Alison S. Ribeiro
* Ivy Zhang
* Colin Watson

==Others==
* The project leaders and contributors to the referenced controls and risks:
** [[OWASP Proactive Controls]]
** [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
** [[OWASP Mobile Security Project|OWASP Mobile Security]]
* OWASP staff for helping to set up the project and support its ongoing activities.

= Road Map and Getting Involved =

Recently completed:
* Update web applications edition to Proactive Controls 2018 [EN recently completed]
* Translate into other languages [TR recently completed]
* Handouts at events

As of May 2018, the priorities are:
* Update as other referenced projects updated (e.g. Top Ten)

Other ideas are:

* Promote use of Snakes and Ladders
* Develop other boards

Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.

==Localization==
Are you fluent in another language? Can you help translate Snakes and Ladders into that language?

The project is on [https://crowdin.com/project/owasp-snakes-and-ladders Crowdin]

==Use and Promote the Board Game==
Please help raise awareness of Snakes and Ladders:
* Use the game with your colleagues, friends, families, students and children
* Create video about how to play the game
* Develop a multi-user mobile app or web application to play the game

==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders project mailing list] for feedback:
* How did you use it?
* What is people's reaction?
* What do like?
* What don't you like?
* What doesn't make sense?
* How could the guidance be improved?
* What other boards would you like to see?

==Create a Board==
Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders mailing list].


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-EG-1]]

OWASP Snakes and Ladders

2018-05-09T17:54:14Z

Clerkendweller: /* Release History */ v1.20 EN

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Snakes_and_ladders-header.png|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP Snakes and Ladders==

Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.

== Editions==

''Web Applications''

In the board game for {{#switchtablink:Web Applications Edition|web applications}}, the virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2016) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013). See also a [https://www.owasp.org/index.php/OWASP_Proactive_Controls#tab=Top_Ten_Mapping mapping between these two lists].

''Mobile Apps''

The identical board game for {{#switchtablink:Mobile Apps Edition|mobile apps}} uses mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) as the virtuous behaviours and mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014 from the same project) as the vices.

''Application Intrusion Detection''

Coming soon.

== Background ==

This board game was created to use as an ice-breaker in application security training, but it potentially has wider appeal simply as a promotional hand-out, and maybe also more usefully as learning materials for younger coders. To cover all of that, we use the phrase "OWASP Snakes and Ladders is meant to be used by software programmers, big and small".

The game is quite lightweight, and does not have the same rigour or depth as the card game Cornucopia, but it is meant to be just some fun with some learning attached.

Print-ready PDFs have been published - these are poster sized A2 (international ISO 216 [https://en.wikipedia.org/wiki/Paper_size paper size] 420×594mm, approximately 16.5×23.4in, with 3mm bleed and printers' marks). But the original files are in Adobe Illustrator, so these are also available for anyone to use and improve upon. We recommend playing using a real die and counters (markers), but you can cut out and make these from the paper sheet itself if you have scissor and glue skills.

We hope it may be of use in any upcoming office party, celebration, festival, seasonal event, application security awareness or training exercise. Or just to help spread the word about controls and risks at work, at college or at school. If you are training anyone about the OWASP Top Ten, OWASP Proactive Controls or the OWASP Mobile projects, please consider giving each attendee a printed copy of the game as a take away.

==Licensing==

OWASP Snakes and Ladders is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

==Other Security Gamification==
If you are interested in using gaming for security, also see [https://www.owasp.org/index.php/OWASP_Cornucopia OWASP Cornucopia], [http://www.microsoft.com/security/sdl/adopt/eop.aspx Elevation of Privilege: The Threat Modeling Game], [http://securitycards.cs.washington.edu/ Security Cards] from the University of Washington, the commercial card game [http://www.controlalthack.com/ Control-Alt-Hack] ([http://media.blackhat.com/bh-us-12/Briefings/Kohno/BH_US_12_Kohno_Control_Alt_Hack_Slides.pdf presentation] for latter), and web application security training tools incorporating gamification such as [https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project OWASP Hackademic Challenges Project], [https://www.owasp.org/index.php/OWASP_Security_Shepherd OWASP Security Shepherd] and [http://itsecgames.blogspot.co.uk/ ITSEC Games].

Additionally, Adam Shostack maintains a list of tabletop security games and related resources at [http://adam.shostack.org/games.html security games].


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is This? ==

Snakes and Ladders is a popular board game, with [http://en.wikipedia.org/wiki/Snakes_and_Ladders ancient provenance] imported into [http://sandradodd.com/game/snakesandladders Great Britain from Asia] in the 19th century. The original game showed the effects of good and evil, or virtues and vices. This OWASP game is a poster-sized ''print-your-own'' paper sheet with the game board on it. Just get some players together with a die and counters. The virtues are application security controls, and the vices are risks.

==How to Play==

* The game is for 2-6 players.
* Firstly print the sheet out.
* Give each player a coloured counter (marker). To begin, each player should throw the die to determine who plays first; the highest can lead.
* Put all the players' counters onto the first square labelled “Start 1”.
* In turn, each player rolls the die and moves their counter by the number of squares indicated on the die. At the end of the move, if a player’s counter is at the bottom end of a ladder, the counter must be moved up the ladder to the square at its higher end. Conversely, if the player’s counter is located at the mouth of a snake, the counter must be moved down to the end of the snake’s tail.
* ''As a better alternative to enhance learning, either require the participants to discuss the risk/control when a player reaches each square, or only allow players to climb up a ladder after a quest about the control (e.g. simply describing the control, explain the risk (one example) the named control addresses and how the control (one example) could help prevent the named it''
*The first player to reach “100” at the top left wins. Give a prize.

== Project Leaders ==

* [https://www.owasp.org/index.php/User:Clerkendweller Colin Watson] [mailto:colin.watson@owasp.org @]
* [https://www.owasp.org/index.php/User:Katyanton Katy Anton] [mailto:katy.anton@owasp.org @]

== Related Projects ==

* [[OWASP Proactive Controls]]
* [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
* [[OWASP Mobile Security Project|OWASP Mobile Security]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* Web Applications v1.0/v1.1
** [[media:OWASP-SnakesAndLadders-WebApplications-BR.pdf|BR]], [[media:OWASP-SnakesAndLadders-WebApplications-DE.pdf|DE]], [[media:OWASP-SnakesAndLadders-WebApplications-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-WebApplications-ES.pdf|ES]], [[media:OWASP-SnakesAndLadders-WebApplications-FR.pdf|FR]], [[media:OWASP-SnakesAndLadders-WebApplications-JA.pdf|JA]], [[media:OWASP-SnakesAndLadders-WebApplications-TR.pdf|TR]], [[media:OWASP-SnakesAndLadders-WebApplications-ZH.pdf|ZH]]
** {{#switchtablink:Web Applications Edition|More options...}}

* Mobile Apps v1.0
** [[media:OWASP-SnakesAndLadders-MobileApps-EN.pdf|EN]], [[media:OWASP-SnakesAndLadders-MobileApps-JA.pdf|JA]]
** {{#switchtablink:Mobile Apps Edition|More options...}}

== News and Events ==
* [12 May 2017] Web Applications TR
* [30 Jun 2016] Free copies at OWASP AppSec EU Rome 2017
* [05 Jun 2016] Web Applications v1.10 released in EN
* [30 Dec 2015] Katy Anton becomes project co-leader
* [01 Dec 2015] Free copies at PHP North West user group
* [24 Nov 2015] Free copies at [https://www.owasp.org/index.php/Newcastle OWASP Newcastle]
* [12 Oct 2015] Free copies at PHP Hampshire user group
* [29 Sep 2015] Web Application v1.0 released in PT-BR
* [19 May 2015] Working session at [http://2015.appsec.eu/project-summit/ OWASP Project Summit] - Dutch translation
* [11 May 2015] Lightning talk at the [http://tickets.digitalshoreditch.com/make/#session-53 Digital Shoreditch Festival]
* [04 Dec 2014] Free copies at [https://www.owasp.org/index.php/London OWASP London]
* [02 Dec 2014] Free copies at [https://www.owasp.org/index.php/Cambridge OWASP Cambridge]
* [02 Dec 2014] Mobile Apps JA
* [25 Nov 2014] Web Applications FR, JA and ZH
* [31 Oct 2014] Web Applications v1.0 released in DE, EN and ES
* [31 Oct 2014] Mobile Apps v1.0 released in EN

== Twitter ==

[[File:OWASPSnakesWeb-profile-small.jpg|link=]]
Follow two mock games running on Twitter:
* [https://twitter.com/OWASPSnakesWeb @OWASPSnakesWeb]
* [https://twitter.com/OWASPSnakesMob @OWASPSnakesMob]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Web Applications Edition =

== OWASP Snakes and Ladders - Web Applications ==

This was the first edition created. The objective is to raise awareness of the security controls that every web application should have, but link that with the much more widely known Top Ten Risks. The virtuous behaviours (ladders) are secure coding practices (from [[OWASP Proactive Controls|OWASP Proactive Controls project]] 2014-2016) and the vices (snakes) are application security risks (from [[:Category:OWASP Top Ten Project|OWASP Top Ten Project]] 2013).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-web-de.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-BR.pdf BR: Português Brasileiro]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-DE.pdf DE: Deutsch]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-EN.pdf EN: English]
|-
| align="center" valign="top" | [[Image:Osn-webapp-BR.png|link=File:OWASP-SnakesAndLadders-WebApplications-BR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-DE.png|link=File:OWASP-SnakesAndLadders-WebApplications-DE.pdf]]
| align="center" valign="top" |[[Image:Osn-webapp-EN.png|link=File:OWASP-SnakesAndLadders-WebApplications-EN.pdf]]
|-
| align="center" valign="top" width="250" | Serpentes e Escadas<br>Aplicativos da Web
| align="center" valign="top" width="250" | Schlangen und Leitern<br>Web Anwendungen
| align="center" valign="top" width="250" | Snakes and Ladders<br>Web Applications
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ES.pdf ES: Español]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-FR.pdf FR: Français]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-webapp-ES.png|link=File:OWASP-SnakesAndLadders-WebApplications-ES.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-FR.png|link=File:OWASP-SnakesAndLadders-WebApplications-FR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-JA.png|link=File:OWASP-SnakesAndLadders-WebApplications-JA.pdf]]
|-
| align="center" valign="top" width="250" | Serpientes y Escaleras<br>Aplicaciones Web
| align="center" valign="top" width="250" | Serpents et Échelles<br>Application Web
| align="center" valign="top" width="250" | 蛇とはしご<br>ウェブアプリケーション
|-
| <br><br>
| <br><br>
| <br><br>
|-
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-TR.pdf TR: Türkçe]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf ZH: 中文]
| align="center" valign="top" |
|-
| align="center" valign="top" | [[Image:Osn-webapp-TR.png|link=File:OWASP-SnakesAndLadders-WebApplications-TR.pdf]]
| align="center" valign="top" | [[Image:Osn-webapp-ZH.png|link=File:OWASP-SnakesAndLadders-WebApplications-ZH.pdf]]
| align="center" valign="top" |
|-
| align="center" valign="top" width="250" | Yılanlar ve Merdivenler<br>Web Uygulamaları
| align="center" valign="top" width="250" | 蛇梯棋<br>WEB应用程序
| align="center" valign="top" width="250" |
|}

Note that some languages choose not to change the EN text for risk and control names.

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [09 May 2018] 1.2 - EN version updated
* [12 May 2017] 1.11 - TR version release
* [15 Jun 2016] 1.1 - EN version updated
* [29 Sep 2015] 1.0.2 - BR version release
* [25 Nov 2014] 1.0.2 - Additional contributors added, FR, JA and ZH versions released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; PDFs regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Classic' ==

This edition uses simple primary colours, like [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 many versions] that can be seen in pictures of Snakes and Ladders games. The colours used in 'Classic' are:

* Green
* Yellow
* White
* Red
* Blue

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_webapp-mini-banner.png|link=]]</div>

The start square (1) is yellow and the final square (100) is red.

= Mobile Apps Edition =

== OWASP Snakes and Ladders - Mobile Apps ==

The edition for Mobile Apps was created after working out the idea and design for the web application version of the board game. It seemed easy to replicate the idea since the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project OWASP Mobile Project] lists both security controls and risks. The virtuous behaviours (ladders) are mobile controls (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Controls Mobile Security Project Top Ten Controls] 2013) and the vices (snakes) are mobile risks (from the [https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Top Ten Mobile Risks] 2014).

<div style="height:539px;max-width:750px;border:0,margin:0;overflow:hidden;">[[File:Osn-poster-mob-ja.jpg|link=]]</div>

== Current Release ==

{|
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-EN.pdf EN: English]
| align="center" valign="top" | [https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-WebApplications-JA.pdf JA: 日本語]
|-
| align="center" valign="top" | [[Image:Osn-mobapp-EN.png|link=File:OWASP-SnakesAndLadders-MobileApps-EN.pdf]]
| align="center" valign="top" | [[Image:Osn-mobapp-JA.png|link=File:OWASP-SnakesAndLadders-MobileApps-JA.pdf]]
|-
| align="center" valign="top" width="250" | Snakes and Ladders<br>Mobile Apps
| align="center" valign="top" width="250" | 蛇とはしご<br> モバイルアプリ版
|}

([https://www.owasp.org/index.php/File:OWASP-SnakesAndLadders-MobileApps-Illustrator.zip Source Adobe Illustrator file])

== Release History ==

* [02 Dec 2014] 1.0.2 - Additional contributor added, JA version released
* [05 Nov 2014] 1.0.1 - Correction to paths in source Illustrator file; EN PDF regenerated
* [31 Oct 2014] 1.0 - First release

== Colour Scheme 'Farringdon' ==

Other people's versions of Snakes and Ladders [https://search.disconnect.me/searchTerms/serp?search=c45431fe-9ce8-415a-ac25-1e511f45ef51 use a wide variety of designs and colour schemes]. Thus to make a complete contrast to the edition for web applications, the colours used are the designatory colours of the underground and mainline train services that run through Colin Watson's local station at Farringdon in Clerkenwell, London EC1. The colours in 'Farringdon' are:

* Purple (future Crossrail)
* Yellow (Circle)
* White (Thameslink)
* Maroon (Metropolitan)
* Pink (Hammersmith & City)

<div style="height:75px;max-width:100%;border:0,margin:0;overflow:hidden;">[[File:Snakes_and_ladders_mobapp-mini-banner.png|link=]]</div>

You can see these colours on [https://www.tfl.gov.uk/assets/downloads/standard-tube-map.pdf tube maps] and station signage. The start square (1) is yellow and the final square (100) is maroon.

=FAQs=

[[File:Snakesandladders-mockup.jpg|right|link=]]

==Why Snakes & Ladders? ==

The OWASP Top 10 is the most well known document, but OWASP has many other resources which provide better approaches for secure application development. In particular, there are some "top 10 controls" lists, and I wanted to highlight those. Creating a board game that features both risks and controls is a simple way to compare and contrast these aspects.

Players do not need to know either the risks or controls on the lists, since they are just the decoration to what is otherwise standard Snakes & Ladders. But as players land on assigned squares, this can be used to discuss the risks and controls they are labelled with.

Also, after undertaking some due diligence, it was noted that since Snakes & Ladders is such an ancient game it is not anyone's intellectual property and many others have already created thousands of different designs and versions. Other games would not meet this requirement.

==How was the game created?==
By hard work! Each list of risks and controls contains ten items, so the rough layout of snakes and ladder starting and end points was sketched out on paper, as shown for web applications on the right. Instructional text was written.

The concept was then converted into a layered Adobe Illustrator file, and the text and graphics added. This design went through a number of iterations to ensure it was legible and appealing. The PDF was exported and both the PDF and AI files added to the project page. When translations were provided, these were added as separate text layers in the source Illustrator file, and then new files uploaded again to the project.

Once Web Applications Snakes & Ladders was complete, the file was duplicated and edited for Mobile Apps. This has different risks, controls and arrangement of snakes and ladders. It also has its own colour scheme.

==How can I participate in your project?==
All you have to do is make the Project Leader aware of your available time to contribute to the project. It is also important to let the Leader know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. Please see the {{#switchtablink:Road Map_and Getting Involved|road map and getting involved section}}

==If I am not a programmer can I participate in your project?==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for users, translators and people to promote the project.

= Acknowledgements =

==Volunteers==
Snakes and Ladders is developed, maintained, updated and promoted by a worldwide team of volunteers. The contributors to date have been:

* Ziyahan Albeniz
* Kembolle Amilkar
* Katy Anton
* Manuel Lopez Arredondo
* Fabio Cerullo
* Álan Carlos B. Eufrázio
* Tobias Gondrom
* Martin Haslinger
* Yongliang He
* Manfred Hofmeier
* Cédric Messeguer
* Takanori Nakanowatari
* Marcos Vinícius Nunes de Arruda
* Riotaro Okada
* Gabriel Pedro S. Peres
* Alison S. Ribeiro
* Ivy Zhang
* Colin Watson

==Others==
* The project leaders and contributors to the referenced controls and risks:
** [[OWASP Proactive Controls]]
** [[:Category:OWASP Top Ten Project|OWASP Top Ten]]
** [[OWASP Mobile Security Project|OWASP Mobile Security]]
* OWASP staff for helping to set up the project and support its ongoing activities.

= Road Map and Getting Involved =

Recently completed:
* Update web applications edition to Proactive Controls 2016 [EN recently completed]
* Translate into other languages [TR recently completed]
* Handouts at events

As of May 2017, the priorities are:
* Update as other referenced projects updated (e.g. Top Ten 2017)

Other ideas are:

* Promote use of Snakes and Ladders
* Develop other boards

Involvement in the development and promotion of Snakes and Ladders is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help are listed below.

==Localization==
Are you fluent in another language? Can you help translate Snakes and Ladders into that language?

The project is on [https://crowdin.com/project/owasp-snakes-and-ladders Crowdin]

==Use and Promote the Board Game==
Please help raise awareness of Snakes and Ladders:
* Use the game with your colleagues, friends, families, students and children
* Create video about how to play the game
* Develop a multi-user mobile app or web application to play the game

==Feedback==
Please use the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders project mailing list] for feedback:
* How did you use it?
* What is people's reaction?
* What do like?
* What don't you like?
* What doesn't make sense?
* How could the guidance be improved?
* What other boards would you like to see?

==Create a Board==
Do you have an idea for your own application security Snakes and Ladders board? Please contribute your ideas via the [https://lists.owasp.org/mailman/listinfo/owasp_snakes_and_ladders mailing list].


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-EG-1]]

File:OWASP-SnakesAndLadders-WebApplications-EN.pdf

2018-05-09T17:52:45Z

Clerkendweller: Clerkendweller uploaded a new version of File:OWASP-SnakesAndLadders-WebApplications-EN.pdf

Snakes and Ladders for Web Applications - EN - Version 1.0

OWASP Cheat Sheet Series

2018-04-09T16:15:07Z

Clerkendweller: Updated spec

= Main =
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Our goal ==

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.

If you have any questions about the OWASP Cheat Sheet Series, please email the project leader [mailto:jim.manico@owasp.org Jim Manico], subscribe to our [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets project email list] or contact us on the project's Slack channel.

== Authors ==

'''Project Leaders:''' [https://www.owasp.org/index.php/User:Jmanico Jim Manico] and [https://www.owasp.org/index.php/User:Dominique_RIGHETTO Dominique Righetto] [mailto:dominique.righetto@owasp.org @]

'''Contributors:''' Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov and <b>many more</b>!

== OWASP Cheat Sheets ==

{{Cheatsheet_Navigation_Body}}

| valign="top" style="padding-left:25px;width:200px;" |

== Classifications ==

{| width="200" cellpadding="2"
|-
| rowspan="3" align="center" valign="top" width="50%" | [[File:Midlevel_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects|Lab Project]]
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]
|-
| align="center" valign="center" width="50%" |
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

== Slack & Twitter ==

Slack channel information:
* Server <code>owasp.slack.com</code>
* Channel <code>cheatsheets</code>

Twitter hash tag: '''#[https://twitter.com/search?q=%23owaspcheatsheetseries&src=typd owaspcheatsheetseries]'''

== Email List ==
[https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets Project Email List]

== Licensing ==
The OWASP <i>Cheat Sheet Series</i> is free to use under the [https://creativecommons.org/licenses/by-sa/3.0/us/ Creative Commons ShareAlike 3 License].

== Related Projects ==
* [[OWASP Proactive Controls]]
* [https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP Application Security Verification Standard Project]

== News and Events ==
* [Mar 18 2018] [[Password_Storage_Cheat_Sheet|Password Storage Cheat Sheet]] updated
* [Feb 21 2018] [[HTML5_Security_Cheat_Sheet|HTML5 Security Cheat Sheet]] updated
* [Feb 18 2018] [[Password_Storage_Cheat_Sheet|Password Storage Cheat Sheet]] updated
* [Jan 14 2018] [[Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet|Insecure Direct Object Reference Prevention Cheat Sheet]] updated
* [Dec 04 2017] [[Ruby_on_Rails_Cheatsheet|Ruby On Rails Cheat Sheet]] updated
* [Nov 19 2017] [[JSON_Web_Token_(JWT)_Cheat_Sheet_for_Java|JWT Cheat Sheet for Java]] updated
* [Nov 17 2017] [[OS_Command_Injection_Defense_Cheat_Sheet|OS Command Injection Defense Cheat Sheet]] added to project
* [Nov 04 2017] [[Authorization_Testing_Automation|Authorization Testing Automation Cheat Sheet]] added to project
* [Jan 17 2017] [[XML_Security_Cheat_Sheet|XML Security Cheat Sheet]] added to project
* [Feb 06 2016] New navigation template rolled out project-wide
* [Jun 11 2015] [[SAML_Security_Cheat_Sheet|SAML Cheat Sheet]] added to project
* [Feb 11 2015] [https://www.owasp.org/images/9/9a/OWASP_Cheatsheets_Book.pdf Cheat Sheet "book"] added to project
* [Apr 04 2014] All non-draft cheat sheets moved to new wiki template!
* [Feb 04 2014] Project-wide cleanup started

|}

= Master Cheat Sheet =

==Authentication==
Ensure all entities go through an appropriate and adequate form of authentication. All the application non-public resource must be protected and shouldn't be bypassed.

For more information, check [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet]

==Session Management==

Use secure session management practices that ensure that authenticated users have a robust and cryptographically secure association with their session.

For more information, check [https://www.owasp.org/index.php/Session_Management_Cheat_Sheet Session Management Cheat Sheet]

==Access Control==

Ensure that a user has access only to the resources they are entitled to. Perform access control checks on the server side on every request. All user-controlled parameters should be validated for entitlemens checks. Check if user name or role name is passed through the URL or through hidden variables. Prepare an ACL containing the Role-to-Function mapping and validate if the users are granted access as per the ACL.

For more information, check [https://www.owasp.org/index.php/Access_Control_Cheat_Sheet Access Control Cheat Sheet]

==Input Validation==

Input validation is performed to minimize malformed data from entering the system. Input Validation is NOT the primary method of preventing XSS, SQL Injection. These are covered in output encoding below.

For more information, check [https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet Input Validation Cheat Sheet]

==Output Encoding==

Output encoding is the primary method of preventing XSS and injection attacks. Input validation helps minimize the introduction of malformed data, but it is a secondary control.

For more information, check [https://www.owasp.org/index.php/XSS_Prevention_Cheat_Sheet XSS (Cross Site Scripting) Prevention Cheat Sheet].

==Cross Domain==

Ensure that adequate controls are present to prevent against Cross-site Request Forgery, Clickjacking and other 3rd Party Malicious scripts.

For more information, check [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet Cross Site Request Forgery]

==Secure Transmission==

Ensure that all the applications pages are served over cryptographically secure HTTPs protocols. Prohibit the transmission of session cookies over HTTP.

For more information, check [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Protection Cheat Sheet]

==Logging==

Ensure that all the security related events are logged. Events include: User log-in (success/fail); view; update; create, delete, file upload/download, attempt to access through URL, URL tampering. Audit logs should be immutable and write only and must be protected from unauthorized access.

For more information, check [https://www.owasp.org/index.php/Logging_Cheat_Sheet Logging Cheat Sheet]

==Uploads==

Ensure that the size, type, contents, and name of the uploaded files are validated. Uploaded files must not be accessible to users by direct browsing. Preferably store all the uploaded files in a different file server/drive on the server. All files must be virus scanned using a regularly updated scanner.

For more information, check https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#File_Uploads

= Roadmap =

'''Global:'''

* Bring all cheat sheets out of draft fin end of 2018.
* Go through the cheat sheets to make sure what they recommend is consistent with ASVS.
* Move all code snippets of CS from '''pre''' tag to '''syntaxhighlight''' tag to enhance CS readability.
* Find a way to automate the generation of a PDF referential file gathering all CS.
* Go through the cheat sheets to make sure they follow the CS guideline.
* Create branding stickers for the project.
* Remove CS that that do not bring added value.

'''Next work on Cheat Sheets (CS) and work assignment:'''

* [[Ruby_on_Rails_Cheatsheet|Ruby On Rails]] CS:
** '''Action:''' CS complete refactoring.
** '''People in charge:''' Zaur Molotnikov.
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
* Android and iOS CS:
** '''Action:''' Replace content of the following CS to pointer to the dedicated section in the [https://github.com/OWASP/owasp-mstg OWASP Mobile Security Testing Guide] project, motivation is explained [https://github.com/OWASP/owasp-mstg/issues/872 here]:
*** [[Android_Testing_Cheat_Sheet|Android Testing Cheat Sheet]]
*** [[IOS_Developer_Cheat_Sheet|IOS Developer Cheat Sheet]]
*** [[IOS_Application_Security_Testing_Cheat_Sheet|IOS Application Security Testing Cheat Sheet]]
** '''People in charge:''' Dominique Righetto.
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
* General OAuth introduction CS:
** '''Action:''' Create it.
** '''People in charge:''' Simon Bennetts & Jim Manico.
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
* OAuth and OIDC for SPA Applications CS:
** '''Action:''' Create it.
** '''People in charge:''' Simon Bennetts & Jim Manico.
** '''Status:''' <span style="background:#008000;color:#ffffff">Work in progress</span>.
* [[Credential_Stuffing_Prevention_Cheat_Sheet|Credential Stuffing Prevention]] CS:
** '''Action:''' Refresh it.
** '''People in charge:''' Not assigned.
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.
* Server Side Request Forgery Defense CS:
** '''Action:''' Create it.
** '''People in charge:''' Not assigned.
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.
* [[Forgot_Password_Cheat_Sheet|Forgot Password]] CS:
** '''Action:''' Add a POC in order to provide actionable code.
** '''People in charge:''' Not assigned.
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.
* [[OS_Command_Injection_Defense_Cheat_Sheet|OS Command Injection Defense]] CS:
** '''Action:''' Add information about system command escaping.
** '''People in charge:''' Not assigned.
** '''Status:''' <span style="background:#ff9933;color:#ffffff">In backlog</span>.

= Cheat sheet Guideline =

== Cheat sheet content ==

The key points that all cheat sheets (called '''CS''') must provides are the following:

# Address a single topic (ex: password storage, OS command injection, REST service, CSRF, HTML5 new features security...).
# Be concise and focused: A cheat sheet must be directly actionable (a CS is not a guide) and must be directly useful for a developer.
# Do not re-address topic handled by others CS. In this case, the target CS will be enhanced with missing points.
# When applicable, provide a solution proposal implementation through a full documented POC on a public well know Git repository (GitHub is highly prefered), the POC can be used as a '''playground''' for a developer wanting to play/evaluate your solution proposal.

== Cheat sheet structure ==

A CS must have these sections:

# '''Introduction''': Provide high level information about the topic in order to introduce it to people that do not know it. You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS. You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
# '''Context''': Describe the security issues that are bring or commonly meet when someone must work on this topic.
# '''Objective''': Describe the objective of the CS. What the CS will bring to the reader?
# '''Proposition''':
## Describe how to address the security issues in a possible technology agnostic approach.
## Using your POC, describe your solution proposal in the more teaching possible way.
# '''Sources of the prototype''': Add pointer to the public GitHub repository on which the source code of POC is hosted.

For the code snippet, use the mediawiki tag '''syntaxhighlight''':
* Tag [https://www.mediawiki.org/wiki/Extension:SyntaxHighlight documentation].
* Supported [http://pygments.org/languages languages].

If you want to be careful in order to prevent to break something in the target existing CS, you can follow this contribution procedure:
# Take a copy of the CS that you want to enhance (mediawiki syntax in the source tab).
# Add your enhancement and publish the updated CS on the same GitHub repository than your POC (it support the mediawiki syntax).
# Notify the CS Community using this mailing [https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets list] and the CS Community will review the CS using GitHub comments system.
# When the feedback loop is finished, the CS Community will help you to have right access to the wiki in order to update the CS.

== Cheat sheet template ==

If the target CS is a new one then please use the following template struture.

It allow you to work:
* Online by using the wiki ''Show preview'' option.
* Offline by using an text editor like [https://atom.io/ Atom] with the [https://atom.io/packages/language-mediawiki mediawiki plugin].

<syntaxhighlight lang="html" highlight="10,18,24,31,38,44">
__NOTOC__
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

__TOC__{{TOC hidden}}

= Introduction =

<pre>
Provide high level information about the topic in order to introduce it to people that do not know it.
You can add pointer to external sources if needed but at least give an overview allowing a reader to continue on the CS.
You can also add schema or diagram in any part of the CS but be sure to respect the copyright of the source file.
</pre>

= Context =

<pre>
Describe the security issues that are bring or commonly meet when someone must work on this topic.
</pre>

= Objective =

<pre>
Describe the objective of the CS.
What the CS will bring to the reader.
</pre>

= Proposition =

<pre>
1. Describe how to address the security issues in a possible technology agnostic approach.
2. Using your POC, describe your solution proposal in the more teaching possible way. Use "syntaxhighlight" tag for code snippet.
</pre>

= Sources of the prototype =

<pre>
Add pointer to the public GitHub repository on which the source code of POC is hosted.
</pre>

= Authors and Primary Editors =

<pre>
Add your name and email.
</pre>

= Other Cheatsheets =

{{Cheatsheet_Navigation_Body}}

|}

[[Category:Cheatsheets]]
</syntaxhighlight>

= Project Logo =

This section contains the information that we have gathered and plan to use for the creation of the project logo and related design materials.

The first phase of the work is to commission a project logo.

== Phase 1: Logo ==

=== Introduction ===

The project requires a logo which will comprise three components:

* Graphical element indicating the idea or use of the cheat sheets
* The project title
* Motto/straplines.

Not all of these will necessarily be shown together at the same time. Phase 1 requires the creation of a logo, which may be used with one, two or all three of these components.

The logo will be used in many ways such as on a website banner, or just the graphical element on a bag, or the graphical element and a motto/strapline on a t-shirt. These other outputs are not included in the scope of Phase 1.

=== Project Name ===

The project name is ''OWASP Cheat Sheet Series project''. The project name will be positioned next to the graphical element in some outputs, and this layout must be provided. In other cases, the project name will not be included beside the logo.

=== Motto/Strapline ===

Three mottos/straplines will be used in the logo - they are context dependent:

* ''Life is too short, AppSec is tough, Cheat!''
* ''Its not cheating if you do it for the right reasons''
* ''Sometimes the only good thing to do is cheat''.

The logo layout must allow for any of these or none to be included.

=== Layout, Media Formats and Colours ===

Some media or placements may mean the motto/strapline does not fit or is not needed. Therefore the logo must be usable with, or without, the motto/strapline.

The logo will need to be used at multiple scales. For example, if the logo is square excluding the motto/strapline, the following formats must work

* Low-resolution use on web pages (e.g. as small as 100x100 pixels excluding moto/strapline)
* Medium resolution use on fabric such as t-sirts or bags (e.g. 900x900 pixels at 150 dpi)
* High-resolution use on large posters and banners (e.g. as large as 5,000x5,000 pixels at 300dpi).

The logo may be printed in CMYK for physical media, but must also have RGB colours for screen use. Additionally the logo must also be available in grayscale, and separately as single colour (i.e. black and white without any tones).

=== Deliverables Required ===

All outputs must be provided digitally:

# Logo demonstrating how it looks with just the graphical element, the graphical element with the project title, and the graphical element with each of the mottos/straplines, and everything together
# Source layered vector graphic files created in Adobe Illustrator
# Exported versions for quick use low, medium and high resolution full-colour PNG/JPEGs in RGB and CMYK
# Colour and font specification.

Rights/licensing:

# The designer will not retain any rights - all design and use rights will be given to OWASP, who will publish the logo and files using am open source licence, and OWASP will be able to use the logo, source files, ideas, designs in any manner it desires in any media in any quantity, without any additional payments, commission or royalties to the designer or anyone else
# All fonts used in the design must be provided to OWASP and comply with the above requirements

== Future Phases: Other Graphical Elements ==

Scope TBC - Banners, t-shirts, etc

Background pictures (picture provider and designer will be cited on the project site):
* ''A smart tech looking woman reading a piece of paper (the cheatsheet) while resting on a beach.''
* ''A woman hand holding cards with an ace up the sleeve.''

Pictures proposal (just a proposal as bootstrap, others pictures can be used):
* Cards:
** https://www.pexels.com/photo/woman-holding-queen-of-hearts-and-diamonds-922706/
** https://www.pexels.com/photo/ace-card-gambling-hand-274373/
** https://www.pexels.com/photo/ace-bet-business-card-262333/
* Beach:
** https://www.pexels.com/photo/laptop-mockup-notebook-outside-4778/
** https://www.pexels.com/photo/apple-check-computer-female-7079/
** https://www.pexels.com/photo/beach-beach-chair-blur-casual-319921/
** https://www.pexels.com/photo/close-up-of-woman-typing-on-keyboard-of-laptop-6352/
** https://www.pexels.com/photo/black-and-gray-computer-laptop-159784/

__NOTOC__ <headertabs />

[[Category:OWASP_Project|OWASP Cheat Sheets Project]]
[[Category:OWASP_Document]]
[[Category:OWASP_Alpha_Quality_Document]]
[[Category:SAMM-EG-1]]

Newcastle

2018-03-26T12:23:21Z

Clerkendweller: Added project and presentation links

{{Chapter Template|chaptername=Newcastle|extra=The chapter leaders are [mailto:connor.carr@owasp.org Connor Carr], [mailto:robin.fewster@owasp.org Robin Fewster], [mailto:mike.goodwin@owasp.org Mike Goodwin,] and [mailto:andrew.pannell@owasp.org Andi Pannell]

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Newcastle|emailarchives=http://lists.owasp.org/pipermail/owasp-newcastle}}
= Upcoming Events =

Our next event will be held on 27th March 2018. 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.

''Talk 1: Andi Pannell''

''The Internet of (broken) Things''

Talk: This talk will focus on the internet of things, how we’re connecting everything to the internet now, because why not add a WiFi connection to your Fridge? And how security is unlikely to be a consideration when making these products. I’ll also talk about DefCon, as last year my company sent a team of us to DefCon 25 in Las Vegas, explaining what DefCon is, what happens there, and how we won the IoT Village 0-day contest and I'll conclude with a '''live hacking demo'''.

''Talk 2: Colin Watson''

''An introduction to The OWASP Automated Threats to Web Applications''

Talk: Web applications are subjected to unwanted automated usage – day in, day out. The vast majority of these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is often mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the attacker’s primary intent.

This OWASP project researched these aspects in 2015 and created a new ontology of web application automation threats, and has been updated twice since with the most recent release in February 2018. This presentation will describe the need, how the threats were classified and names defined, and how they information can be used in the real world developing and operating web applications. Attendees to the OWASP Newcastle event will receive a printed copy of the handbook; the PDF handbook and all other outputs are free to download from the OWASP website. [https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications Project page] | [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Handbook PDF file] | [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Handbook print version] | [https://www.owasp.org/index.php/File:AutomatedThreats-Newcastle-20180327.pptx Newcastle PPT presentation]

Keep updated and in touch using the [https://lists.owasp.org/mailman/listinfo/owasp-Newcastle chapter mailing list] and/or Twitter [https://twitter.com/OWASP_Newcastle @OWASP_Newcastle]

= Past Events =
'''2018 Dates'''
----

30/01/2018 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE01-008.

Speakers
* '''Neil Dixley: Code that fights back.''' Lessons from the gaming world on detecting and responding to attacks on software assets. An introduction to proactive software security including a philosophical look at how far we should go to protect our apps.

* '''Luke Sadler: Practical demonstration of mobile software penetration'''. Luke Sadler walks us through hands on examples of cracking mobile technology.
----'''2017 Dates'''
----

21/11/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.

Speakers:
* '''Lorenzo Grespan: Explain hacking in ten minutes.''' Bio: Lorenzo Grespan is a computer scientist currently working as an application security specialist for Secarma, Ltd. While his main interest has always been computer security, he also worked as a developer, systems administrator and project manager for a research effort in robotic surgery. His background is in computational neuroscience, neural networks and evolutionary systems and he likes to solve interesting problems at the intersection of people and technology. Talk (30 minutes): Recently I had to show a 10-minute "live hack" to a non-technical audience. As an introvert and a geek my main effort was in maintaining technical accuracy, however what made the audience go "aha!" turned out to be what for me was the least significant detail of the entire demo. In this talk I will show the hack, share the lessons learned and discuss how to communicate security concerns to non technical stakeholders, higher management and end users. [[Media:OWASPNCL LG 21112017.pdf]]

* '''Robin Sillem:''' '''Building a Development Environment That's 'Secure Enough'.''' This will be a discussion of how a team at DWP is using modern DevOps practices to create a dev/build/test platform secure enough for development of services handling large volumes of UK citizen data. [[Media:Modern_DevOps_and_security.pptx]]
----

19/09/2017 from 18:00 to 21:00 at Northumbria University, City Campus East, room CCE1-024.

Speakers:
* '''Gareth Dixon: Running a security event using OWASP Security Shepherd.''' In this talk I will cover running a security event using [[OWASP Security Shepherd]]. The event to be discussed was staged to promote engagement in a security initiative, understanding of security vulnerabilities and the application of knowledge to production services and applications. This talk will cover the project planning stage, through execution to the project retrospective. [[Media:Security_Shepherd.pptx]]
* '''Mike Goodwin: Enter the (Threat ) Dragon:Threat Modeling with OWASP Threat Dragon'''. Threat modelling is a great technique for hardening your application designs, but current tooling is a bit "crashy", limited to Windows or not free. [[OWASP Threat Dragon]] is an OWASP incubator project that aims to fix this and bring threat modeling to the masses. This talk is a tour round the tool, it's future road map and a look under it's hood. Mike the the project leader for Threat Dragon, so if you want to contribute, he would be very pleased to speak to you. [[Media:Owasp_threat_dragon_201709_.pptx]]
----

'''2016 Dates'''

----

23/08/2016 from 18:00 to 21:00 at The Auditorium - Bunker Coffee and Kitchen 9-11 Carliol Square, Newcastle-upon-Tyne, NE1 6UF.

Speakers:

* '''Andrew Pannell: 50 Million Downloads and All I Got Was Malware.''' How is it a free Android application that has been downloaded more times than WhatsApp can turn your phone into malware, sending your private data to China and inserting adverts? I’ll be discussing my journey of researching mobile malware and how you can too. [https://www.droidandy.com/uploads/50MillionDownloads.pdf]
* '''Colin Watson: OWASP Cornucopia.''' OWASP Cornucopia is a free open-source card game, referenced by a PCI DSS information supplement, that helps derive application security requirements during the software development life cycle. This session will use an example eCommerce application to demonstrate how to utilise the card game. After an introduction and explanation, we will split into smaller groups to play the game gaining insights into relevant web application threats. The game is best played in groups of 4-6 with people who have a good knowledge of the application being assessed, and who have a mixture of backgrounds/experience - architects, developers, product owners, project managers, testers, etc, and those with software security responsibilities. Bring your colleagues along. Cornucopia is suitable for people aged 10 to 110 (decimal). [https://www.owasp.org/index.php/File:OwaspNCL-cornucopia-colinwatson.odp]

----

'''2015 Dates'''

----

24/11/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

Speakers:
* '''Ben Lee''' and '''Ross Dargan''': '''The problems with proving identity.''' In this talk Ross (@rossdargan) and Ben (@bibbleq) will discuss the conundrum of proving (and more importantly verifying!) identity online. While both of these tasks might seem simple at first, they really aren't. This is a problem that people have grappled with since the beginning of communications (okay so not the online part!) and we still don't have all the answers. The talk will cover among other things; Twitter, wax seals (!), hashing, certificates and much more…* (*Talk may not be historically accurate! ;)) [[Media: OWASPNewcastle_the_problem_with_proving_identity.pptx]]
* '''Colin Watson - Think about the Top 10 Controls, not the Top 10 Risks.''' The OWASP Top 10 is the most well-known OWASP project, but how can awareness of OWASP guidance for developers be improved? In this presentation Colin Watson will describe a board game that encourages developers to think and learn about the most important web application security controls, rather than risks or vulnerabilities. Take a copy of the game away with you - it is suitable for developers of all sizes. [[Media: Owaspnewcastle-snakesandladders.pptx]]
* '''Michael Haselhurst - Automated Security Testing Using The ZAP API.''' This talk will show you how to integrate the OWASP ZAP API with automated test scripts using Sahi. [[Media: OWASPNewcastle_automated_security_testing_using_ZAP_API.pptx]]
* '''Mike Goodwin - Real world defence in depth (part 1).''' Everyone should be aiming for defence in depth, but what does it actually mean to an application developer? This is the first of a series of short talks about real world scenarios where defence in depth is genuinely useful and easily achievable. It should help you turn defence in depth from an aspiration into practical reality. [[Media: Owaspnewcastle-real_world_defence_in_depth.pptx]]
----

29/09/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002

Speakers:

* '''John Beddard''' on Securing Real-Time Networks (short talk) [[Media: PassiveDefense_Newcastle_Chapter_Sept_2015.pdf]]
* '''Ian Oxley''' on Content Security Policy (short talk) [[Media: CSP_Newcastle_Chapter_Sept_2015.pdf |Media: CSP_Newcastle_Chapter_Sept_2015.pdf]]
* '''Mike Goodwin''' on Threat Dragon - a new threat modelling tool project from OWASP (short talk) [[Media: OWASP_Threat_Dragon_Newcastle_Chapter_Sept_2015.pptx]]
* '''Neil Dixley''' on 'OWASP Top 10 Mobile Risks' (long talk) [[Media: OWASP_Mobile_Security_Project_Newcastle_Chapter_Sept_2015.pptx]]

----

28/07/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Andrew Waite: Honeypots; from research to the Enterprise.''' [[Media: OWASP_Honeypots.odp]]

* '''George Chlapoutakis: Security in the World of Containerisation.''' [[Media: OWASP_Security_Containerisation.ppt]]
----

29/05/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA102B.

Speakers:
* '''Robin Fewster: An introduction to basic application penetration testing.''' An introduction to penetration testing, using several OWASP projects as well as other open source and free programs. [[Media: An_introduction_to_penetration_testing.pptx]]

* '''Neil Dixley: The Elevation of Privilege Threat Modelling Tool.''' An introduction to threat modelling and using the 'Elevation of Privilege' card game to facilitate and improve team threat modelling exercises. [[Media: Threat_Modeling_Presentation.pptx]]
----

24/03/2015 from 18:00 to 21:00 at Northumbria University Ellison Building EBA002.

Speakers:

* '''Neil Dixley: Cognitive Bias and Security Vulnerabilities: The psychology of software engineering.''' An introduction to the psychology of cognitive bias and how human nature and cognitive biases are the key to user based security vulnerabilities. A look at how our brains trick us into feeling safe while giving our pin number to strangers on the phone plus a look at how we can use technology to disrupt cognitive bias and use these human traits to mitigate threats and strengthen application security. [[Media:Cognitive_Bias_and_Security_Vulnerabilities__Presentation.pptx]]
* '''Andy Ward: Security Compliance for Developers - Are we Certified... or Certifiable?.''' Against a background of increasing threats and hacks, with more and more of our personal lives and business processes conducted online, it's never been more important to ensure our software is secure and robust. But how do you prove it? These days, reassuring your customers takes more than an SSL padlock, and some marketing spiel mentioning 'banking grade encryption'! After a quick reminder of "what's the worst that can happen...", Andy will introduce some of the security Compliance and Certification systems that help you 'walk the walk', and provide confidence that your system has its security in good hands, before looking at what it means for developers and engineering teams. [[Media: OWASP_Compliance_for_Devs.pptx]]
----

= Chapter Leaders =

The chapter leaders are:

* [[User:Connor Carr|Connor Carr]]
* [[User:Robin Fewster|Robin Fewster]]
* [[User:Michael Goodwin|Mike Goodwin]]
* [[User:Andi Pannell|Andi Pannell]]

We are always happy to hear from people who want to contribute to the chapter as a leader.

= Slack =
OWASP Newcastle has a slack group which you're welcome to join and chat to us! You can join us [https://owasp.slack.com/messages/C0CLHS45S Here]
= Sponsorship =

The Newcastle chapter is very grateful to Sage (platinum sponsor) for its generous support.

[[File:sage-logo.jpg]]

Chapter sponsorship helps pay for venue hire, pizzas, speaker travel expenses, pizzas, giveaway swag for meetings and pizzas. Also, a proportion of the sponsorship goes to support the OWASP global mission. If you would like to sponsor the chapter, please contact one of the chapter leaders. The corporate sponsorship costs are:

* Platinum sponsor (£1200)
* Gold sponsor (£600)
* Silver sponsor (£300)

Any other donation is also gratefully received.

= Local Organisations =

Other related organisations in the Newcastle area:

* '''(ISC)2 North East Chapter''' - for information, contact the chapter secretary, [mailto:robin.fewster@sage.com Robin Fewster], the chapter president [mailto:ken.walls@rpmi.co.uk Ken Walls], the chapter membership officer [mailto:scott.wakeling@atos.net Scott Wakeling] or the chapter events and corporate sponsorship officer [mailto:katy.l.buller@pwc.com Katy Buller].

Please get in touch with one of the OWASP Newcastle chapter leaders to get your organisation listed here.

And feel free to use the [https://lists.owasp.org/mailman/listinfo/owasp-newcastle Newcastle mailing list] to publicise related events (this list is moderated).

__NOTOC__ <headertabs></headertabs>

[[Category:OWASP Chapter]]
[[Category:United Kingdom]]

File:AutomatedThreats-Newcastle-20180327.pptx

2018-03-26T12:19:10Z

Clerkendweller: Clerkendweller uploaded a new version of File:AutomatedThreats-Newcastle-20180327.pptx

OWASP Automated Threats to Web Applications presentation for OWASP Newcastle on 27 March 2018, by Colin Watson

File:AutomatedThreats-Newcastle-20180327.pptx

2018-03-07T14:25:34Z

Clerkendweller: OWASP Automated Threats to Web Applications presentation for OWASP Newcastle on 27 March 2018, by Colin Watson

OWASP Automated Threats to Web Applications presentation for OWASP Newcastle on 27 March 2018, by Colin Watson

OWASP Automated Threats to Web Applications

2018-02-26T19:54:18Z

Clerkendweller: /* What Isn't It? */ Nots

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined more fully in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Not another vulnerability list
* Not an OWASP Top N List
* Not threat modelling
* Not attack trees
* Not non web
* Not non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The A-Z list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
[[OAT-020 Account Aggregation]]
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
[[OAT-019 Account Creation]]
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
[[OAT-003 Ad Fraud]]
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
[[OAT-009 CAPTCHA Defeat]]
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
[[OAT-010 Card Cracking]]
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
[[OAT-001 Carding]]
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
[[OAT-012 Cashing Out]]
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
[[OAT-007 Credential Cracking]]
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
[[OAT-008 Credential Stuffing]]
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
[[OAT-021 Denial of Inventory]]
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
[[OAT-015 Denial of Service]]
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
[[OAT-006 Expediting]]
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
[[OAT-004 Fingerprinting]]
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
[[OAT-018 Footprinting]]
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
[[OAT-005 Scalping]]
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
[[OAT-011 Scraping]]
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
[[OAT-016 Skewing]]
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
[[OAT-013 Sniping]]
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
[[OAT-017 Spamming]]
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
[[OAT-002 Token Cracking]]
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
[[OAT-014 Vulnerability Scanning]]
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; But is it an OWASP Top N List?
: Again no, it's an ontology which currently contains 21 items but there may be more identified in the future. Also it is not an ordered list (like OWASP Top N lists) - the OAT identification numbers were randomly assigned, so the list is often written in alphabetical order to emphasize this.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* <strike>Release v1.2 </strike> Done

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OWASP Automated Threats to Web Applications

2018-02-26T15:47:00Z

Clerkendweller: /* Roadmap */ v1.2 released

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined more fully in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Another vulnerability list
* An OWASP Top N List
* Threat modelling
* Attack trees
* Non web
* Non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The A-Z list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
[[OAT-020 Account Aggregation]]
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
[[OAT-019 Account Creation]]
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
[[OAT-003 Ad Fraud]]
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
[[OAT-009 CAPTCHA Defeat]]
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
[[OAT-010 Card Cracking]]
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
[[OAT-001 Carding]]
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
[[OAT-012 Cashing Out]]
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
[[OAT-007 Credential Cracking]]
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
[[OAT-008 Credential Stuffing]]
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
[[OAT-021 Denial of Inventory]]
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
[[OAT-015 Denial of Service]]
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
[[OAT-006 Expediting]]
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
[[OAT-004 Fingerprinting]]
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
[[OAT-018 Footprinting]]
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
[[OAT-005 Scalping]]
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
[[OAT-011 Scraping]]
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
[[OAT-016 Skewing]]
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
[[OAT-013 Sniping]]
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
[[OAT-017 Spamming]]
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
[[OAT-002 Token Cracking]]
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
[[OAT-014 Vulnerability Scanning]]
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; But is it an OWASP Top N List?
: Again no, it's an ontology which currently contains 21 items but there may be more identified in the future. Also it is not an ordered list (like OWASP Top N lists) - the OAT identification numbers were randomly assigned, so the list is often written in alphabetical order to emphasize this.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* <strike>Release v1.2 </strike> Done

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OWASP Automated Threats to Web Applications

2018-02-26T15:46:10Z

Clerkendweller: /* In Print */ Updated Lulu link for v1.2

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined more fully in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Another vulnerability list
* An OWASP Top N List
* Threat modelling
* Attack trees
* Non web
* Non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-23540699.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The A-Z list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
[[OAT-020 Account Aggregation]]
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
[[OAT-019 Account Creation]]
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
[[OAT-003 Ad Fraud]]
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
[[OAT-009 CAPTCHA Defeat]]
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
[[OAT-010 Card Cracking]]
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
[[OAT-001 Carding]]
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
[[OAT-012 Cashing Out]]
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
[[OAT-007 Credential Cracking]]
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
[[OAT-008 Credential Stuffing]]
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
[[OAT-021 Denial of Inventory]]
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
[[OAT-015 Denial of Service]]
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
[[OAT-006 Expediting]]
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
[[OAT-004 Fingerprinting]]
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
[[OAT-018 Footprinting]]
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
[[OAT-005 Scalping]]
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
[[OAT-011 Scraping]]
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
[[OAT-016 Skewing]]
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
[[OAT-013 Sniping]]
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
[[OAT-017 Spamming]]
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
[[OAT-002 Token Cracking]]
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
[[OAT-014 Vulnerability Scanning]]
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; But is it an OWASP Top N List?
: Again no, it's an ontology which currently contains 21 items but there may be more identified in the future. Also it is not an ordered list (like OWASP Top N lists) - the OAT identification numbers were randomly assigned, so the list is often written in alphabetical order to emphasize this.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* Release v1.2 (now due 15 Feb 2018)

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

File:Oat-ontology-decision-chart.pdf

2018-02-26T12:12:05Z

Clerkendweller: Clerkendweller uploaded a new version of File:Oat-ontology-decision-chart.pdf

OWASP Automated Threats to Web Applications - Threat Event Identification Chart v1.0

OWASP Automated Threats to Web Applications

2018-02-26T12:06:18Z

Clerkendweller: FAQs

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined more fully in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Another vulnerability list
* An OWASP Top N List
* Threat modelling
* Attack trees
* Non web
* Non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The A-Z list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
[[OAT-020 Account Aggregation]]
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
[[OAT-019 Account Creation]]
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
[[OAT-003 Ad Fraud]]
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
[[OAT-009 CAPTCHA Defeat]]
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
[[OAT-010 Card Cracking]]
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
[[OAT-001 Carding]]
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
[[OAT-012 Cashing Out]]
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
[[OAT-007 Credential Cracking]]
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
[[OAT-008 Credential Stuffing]]
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
[[OAT-021 Denial of Inventory]]
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
[[OAT-015 Denial of Service]]
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
[[OAT-006 Expediting]]
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
[[OAT-004 Fingerprinting]]
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
[[OAT-018 Footprinting]]
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
[[OAT-005 Scalping]]
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
[[OAT-011 Scraping]]
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
[[OAT-016 Skewing]]
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
[[OAT-013 Sniping]]
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
[[OAT-017 Spamming]]
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
[[OAT-002 Token Cracking]]
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
[[OAT-014 Vulnerability Scanning]]
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; But is it an OWASP Top N List?
: Again no, it's an ontology which currently contains 21 items but there may be more identified in the future. Also it is not an ordered list (like OWASP Top N lists) - the OAT identification numbers were randomly assigned, so the list is often written in alphabetical order to emphasize this.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* Release v1.2 (now due 15 Feb 2018)

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OWASP Automated Threats to Web Applications

2018-02-26T12:02:16Z

Clerkendweller: /* Introduction */ Links to OAT wiki pages

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined more fully in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Another vulnerability list
* Threat modelling
* Attack trees
* Non web
* Non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The A-Z list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
[[OAT-020 Account Aggregation]]
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
[[OAT-019 Account Creation]]
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
[[OAT-003 Ad Fraud]]
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
[[OAT-009 CAPTCHA Defeat]]
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
[[OAT-010 Card Cracking]]
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
[[OAT-001 Carding]]
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
[[OAT-012 Cashing Out]]
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
[[OAT-007 Credential Cracking]]
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
[[OAT-008 Credential Stuffing]]
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
[[OAT-021 Denial of Inventory]]
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
[[OAT-015 Denial of Service]]
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
[[OAT-006 Expediting]]
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
[[OAT-004 Fingerprinting]]
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
[[OAT-018 Footprinting]]
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
[[OAT-005 Scalping]]
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
[[OAT-011 Scraping]]
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
[[OAT-016 Skewing]]
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
[[OAT-013 Sniping]]
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
[[OAT-017 Spamming]]
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
[[OAT-002 Token Cracking]]
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
[[OAT-014 Vulnerability Scanning]]
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* Release v1.2 (now due 15 Feb 2018)

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OWASP Automated Threats to Web Applications

2018-02-21T18:36:48Z

Clerkendweller: /* Automated Threats */

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined more fully in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Another vulnerability list
* Threat modelling
* Attack trees
* Non web
* Non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
'''OAT-020''' Account Aggregation
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
'''OAT-019''' Account Creation
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
'''OAT-003''' Ad Fraud
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
'''OAT-009''' CAPTCHA Defeat
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
'''OAT-010''' Card Cracking
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
'''OAT-001''' Carding
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
'''OAT-012''' Cashing Out
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
'''OAT-007''' Credential Cracking
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
'''OAT-008''' Credential Stuffing
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
'''OAT-021''' Denial of Inventory
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
'''OAT-015''' Denial of Service
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
'''OAT-006''' Expediting
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
'''OAT-004''' Fingerprinting
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
'''OAT-018''' Footprinting
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
'''OAT-005''' Scalping
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
'''OAT-011''' Scraping
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
'''OAT-016''' Skewing
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
'''OAT-013''' Sniping
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
'''OAT-017''' Spamming
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
'''OAT-002''' Token Cracking
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
'''OAT-014''' Vulnerability Scanning
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* Release v1.2 (now due 15 Feb 2018)

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OWASP Automated Threats to Web Applications

2018-02-16T15:22:19Z

Clerkendweller: /* News and Events */ OAT wiki pages

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Another vulnerability list
* Threat modelling
* Attack trees
* Non web
* Non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [16 Feb 2018] OAT wiki pages created
* [15 Feb 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
'''OAT-020''' Account Aggregation
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
'''OAT-019''' Account Creation
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
'''OAT-003''' Ad Fraud
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
'''OAT-009''' CAPTCHA Defeat
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
'''OAT-010''' Card Cracking
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
'''OAT-001''' Carding
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
'''OAT-012''' Cashing Out
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
'''OAT-007''' Credential Cracking
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
'''OAT-008''' Credential Stuffing
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
'''OAT-021''' Denial of Inventory
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
'''OAT-015''' Denial of Service
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
'''OAT-006''' Expediting
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
'''OAT-004''' Fingerprinting
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
'''OAT-018''' Footprinting
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
'''OAT-005''' Scalping
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
'''OAT-011''' Scraping
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
'''OAT-016''' Skewing
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
'''OAT-013''' Sniping
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
'''OAT-017''' Spamming
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
'''OAT-002''' Token Cracking
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
'''OAT-014''' Vulnerability Scanning
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* Release v1.2 (now due 15 Feb 2018)

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OWASP Automated Threats to Web Applications

2018-02-16T15:21:14Z

Clerkendweller: /* News and Events */ v1.2 and wiki pages

=Main=

<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: lab_big.jpg|link=OWASP_Project_Stages#tab.3DLab_Projects]]</div>

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Automated-threats-header.jpg|link=]]</div>


{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== Automated Threats to Web Applications==

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues.
The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

[https://www.owasp.org/index.php/File:Automation-project-briefing.pdf Two page summary project briefing as a PDF].

== Description==

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

== Automated Threats ==

The list of threat events, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| width="300" align="left" valign="top" |

* [[OAT-020 Account Aggregation]]
* [[OAT-019 Account Creation]]
* [[OAT-003 Ad Fraud]]
* [[OAT-009 CAPTCHA Defeat]]
* [[OAT-010 Card Cracking]]
* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]
* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]
* [[OAT-021 Denial of Inventory]]
* [[OAT-015 Denial of Service]]

| width="300" align="left" valign="top" |

* [[OAT-006 Expediting]]
* [[OAT-004 Fingerprinting]]
* [[OAT-018 Footprinting]]
* [[OAT-005 Scalping]]
* [[OAT-011 Scraping]]
* [[OAT-016 Skewing]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-002 Token Cracking]]
* [[OAT-014 Vulnerability Scanning]]

|}

Not sure which is which? Use the [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] in conjunction with the full [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook].

==Licensing==

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What Is This? ==

Information and resources to help web application owners defend against [[:Category:Automated Threat|automated threats]]

== What Isn't It? ==

* Another vulnerability list
* Threat modelling
* Attack trees
* Non web
* Non application

==Project Objective==

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Presentation ==

[[File:Automatedthreats-presentation-small.jpg|link=media:Bots-AppSecUSA2017-Project-Summit.pptx]]

== Project Leaders ==

* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

== Related Projects ==

* [[OWASP WASC Web Hacking Incidents Database Project|OWASP WASC Web Hacking Incidents Database Project]]
* [[OWASP AppSensor Project|OWASP AppSensor Project]]
* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]


| valign="top" style="padding-left:25px;width:200px;" |

== Quick Links ==

* [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Download the free handbook as a PDF]

== News and Events ==

* [15 Jan 2018] v1.2 Handbook published
* [25 Sep 2017] Promoted to Labs status
* [19-20 Sep 2017] Working session at the AppSecUSA 2017 Project Summit
* [15 May 2017] Draft feedback on Top Ten A7 shared
* [17 Apr 2017] [https://www.owasp.org/index.php/File:BadBots_OWASP_AppSec_CA_2017.pptx Slides] from AppSec California (2017)
* [20 Dec 2016] Threat identification chart [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf published]
* [03 Nov 2016] Presentation at [http://lascon.org/ LASCON 2016]
* [03 Nov 2016] v1.1 Handbook published
* [11-12 Oct 2016] Working session at the [https://docs.google.com/presentation/d/1iMQHTc-h5qcP7gBBRcPHGmVaTWqx3dpMwNMVlA--rqs/edit#slide=id.p3 AppSecUSA 2017 Project Summit]
* [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
* [26 Oct 2015] [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf v1.01 handbook] published
* [24 Sep 2015] [https://www.owasp.org/index.php/File:Colinwatson-a-new-ontology-of-unwanted-automation.pptx Presentation] at [https://2015.appsecusa.org/c/?page_id=896#a AppSec USA 2015]

==In Print==

[[File:AutomatedThreatHandbook_small.jpg|link=http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html]]

The [http://www.lulu.com/shop/owasp-foundation/automated-threat-handbook/paperback/product-22932107.html Automated Threat Handbook] can be purchased at cost as a print on demand book.

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[Image:Owasp-labs-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Lab_Projects]]

|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]]
|}

|}

= Scope and Definitions =

==Scope==

The aim was to create a listing of vendor-neutral and technology agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.

==Definitions ==

=== Automated Threats to Web Applications ===

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

== Glossary ==

;Action
: An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)

; Application
: Software that performs a business process i.e. not system software
: A software program hosted by an information system (Ref 2)

; Application layer
: "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)

;Threat
: Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)

;Threat Agent
: Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)

;Threat Event
: Occurs when a threat agent acts against an asset (Ref 1)

; Web
: The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
: The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)

; Web application
: An application delivered over the web

Glossary references:
# [http://pubs.opengroup.org/onlinepubs/9699919899/toc.pdf Risk Taxonomy, Technical Standard, The Open Group, 2009]
# [http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf NISTIR 7298 rev 2, NIST]
# [http://en.wikipedia.org/wiki/OSI_model OSI model, Wikipedia]
# [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP model, Wikipedia]
# [http://www.w3.org/TR/webarch/ Architecture of the World Wide Web, Volume One, W3C]
# [http://www.w3.org/Help/ Help and FAQ, W3C]

=Use Case Scanarios=

The following scenarios and organisation names are completely fictitious.

==Defining application development security requirements==

Cinnaminta SpA intends to build and launch a new multi-lingual and multi-currency ecommerce website. The development will be outsourced and Cinnaminta has been working on the functional design document. Among many other requirements, the application security specification requires that the website must not include any vulnerabilities identified in PCI DSS v3.1 Requirement 6.5, nor any other vulnerabilities that could affect the protection of payment cardholder data. Cinnaminta specifies that the website's payment functions must not be susceptible to the threat events '''OAT-001 Carding''' or '''OAT-010 Card Cracking''' as defined in the '''OWASP Automated Threat Handbook'''. In addition, the application must interact with the company's existing fraud detection system to counter '''OAT-012 Cashing Out'''. The requirements are specified in terms of these threat events, rather than particular product or service categories. Development houses responding to the call for bids use the ontology to focus their answers to these aspects appropriately.

== Sharing intelligence within a sector==

Unlimited Innovations Inc develops and supports patient-facing software solutions to a range of healthcare providers, many of which participate in the National Health Service Cyber Intelligence Sharing Center (NHS-CISC). Unlimited Innovations already builds continuous monitoring capabilities into its software and decides to provide an optional enhancement so that customers could choose to share their misuse event data with each other, to benefit from the combined threat intelligence. Rather than sharing large quantities of low-level data, Unlimited Innovations aggregates information and broadcasts validated and categorised threat data amongst the participating organisations. Automation attacks are classified according to the threat events defined in the '''OWASP Automated Threat Handbook''' so that each receiving party understands the nature of the threat. Even organisations that do not want to take part in this information sharing can benefit, since their own categorised information is made available to internal business management in the form of an easy-to-comprehend monitoring dashboard. The information gathered can also be fed into their other business information management systems to help improve patient service.

== Exchanging threat data between CERTs==

National Computer Emergency Response Teams (CERTs) recognise that sharing of local information can contribute to worldwide prevention of cyber attacks. Despite advances in cooperation between CERTs, anything to increase continuity and interoperability, such as standards for data exchange, is encouraged. CERT Zog is concerned about the sparsity of application-specific data it receives, and also the classification of that data. It has a particular concern about attacks and breaches that affect sectors defined in Zog's 2015 national cyber security strategy. CERT Zog and its neighbour CERT Tarset agree to tag threat events using the '''OWASP Automated Threat Handbook''' in order to add greater context to existing solutions being used for threat data exchange between them. The programme also collects sector metadata, so that all organisations within these can benefit from the centralised intelligence.

== Enhancing application penetration test findings==

Specialist application security penetration testing firm Cherak Industries Pte Ltd works primarily for financial services companies in the banking and insurance sectors, and is looking to expand its business throughout Asia. Cherak has some innovative pen test result reporting systems which integrate with client software fault and vulnerability tracking systems, and it actively looks for methods to provide additional value to its clients. Cherak has identified that pen test clients would benefit from help to in understanding the effects of combinations of vulnerabilities, especially design flaws, and has decided to utilise the '''OWASP Automated Threat Handbook''' to define and explain the automation-related threats. The individual vulnerabilities were scored as normal using CVSSv2 and v3, the matching CWEs identified, and mitigations in place documented. In addition, Cherak uses the threat events defined in the '''OWASP Automated Threat Handbook''' to help create a new section in the executive summary that explains how combinations of the issues found could lead to automation threats and the possible technical and business impacts. For example, an assessment for one client had identified weaknesses in authentication so that there is a risk of '''OAT-008 Credential Stuffing'''. The defined identifier was provided to the client, so its technical staff could refer to additional information on the OWASP website.

== Specifying service acquisition needs==

Falstone Paradise Inc is concerned about malicious use of their portfolio of hotel and resort websites. The majority of the websites use a shared application platform, but there are some unique applications and a large number of other micro-sites, some of which use generic content management systems such as Wordpress and Drupal. Falstone Paradise has identified that its IT operations team are spending too much time dealing with the effects of automated misuse, such as cleaning up data, resetting customer accounts and providing extra capacity during attacks. Furthermore, the unwanted automation is also causing some instabilities leading to negative feedback from customers. Therefore Falstone Paradise decides to go out to the security marketplace to identify, assess and select products or services that might help address these automation issues for all its websites. Their buying team works with their information technology colleagues to write the detailed requirements in an Invitation to Tender (ITT) document. This describes the types of attacks its web applications are receiving, their frequency of occurrence and their magnitudes. These are defined according to the '''OWASP Automated Threat Handbook''', so that vendors do not misunderstand the requirements, and each vendor's offering can be assessed against the particular automation threat events of concern.

== Characterising vendor services ==

Better Best Ltd has developed an innovative technology to help gaming companies defend against a range of automated threats that can otherwise permit cheating and distortion of the game, leading to disruption for normal players. The solution can be deployed on premises, but is also available in the cloud as a service. But Better Best is finding difficulty explaining its solution in the market place, especially since it does not fit into any conventional product category. Better Best decide to use the terminology and threat events listed in the '''OWASP Automated Threat Handbook''' to define their product's capabilities. They hope this will provide some clarity about their offering, and also demonstrate how their product can be used to replace more than one other conventional security device. Additionally, Better Best writes a white paper describing how their product has been successfully used by one of their reference customers Hollybush Challenge Games to protect against '''OAT-006 Expediting''', '''OAT-005 Scalping''', '''OAT-016 Skewing''' and '''OAT-013 Sniping'''.

=Ontology=

==Introduction==

The list of [[:Category:Automated Threat|automated threat events]] and summary descriptions, defined in full in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf OWASP Automated Threat Handbook], is:

{| cellpadding="2"
|-
| align="left" valign="top" |
'''OAT-020''' Account Aggregation
| align="left" valign="top" |
Use by an intermediary application that collects together multiple accounts and interacts on their behalf.
|-
| align="left" valign="top" |
'''OAT-019''' Account Creation
| align="left" valign="top" |
Create multiple accounts for subsequent misuse.
|-
| align="left" valign="top" |
'''OAT-003''' Ad Fraud
| align="left" valign="top" |
False clicks and fraudulent display of web-placed advertisements.
|-
| align="left" valign="top" |
'''OAT-009''' CAPTCHA Defeat
| align="left" valign="top" |
Solve anti-automation tests.
|-
| align="left" valign="top" |
'''OAT-010''' Card Cracking
| align="left" valign="top" |
Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.
|-
| align="left" valign="top" |
'''OAT-001''' Carding
| align="left" valign="top" |
Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data.
|-
| align="left" valign="top" |
'''OAT-012''' Cashing Out
| align="left" valign="top" |
Buy goods or obtain cash utilising validated stolen payment card or other user account data.
|-
| align="left" valign="top" |
'''OAT-007''' Credential Cracking
| align="left" valign="top" |
Identify valid login credentials by trying different values for usernames and/or passwords.
|-
| align="left" valign="top" |
'''OAT-008''' Credential Stuffing
| align="left" valign="top" |
Mass log in attempts used to verify the validity of stolen username/password pairs.
|-
| align="left" valign="top" |
'''OAT-021''' Denial of Inventory
| align="left" valign="top" |
Deplete goods or services stock without ever completing the purchase or committing to the transaction.
|-
| align="left" valign="top" |
'''OAT-015''' Denial of Service
| align="left" valign="top" |
Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).
|-
| align="left" valign="top" |
'''OAT-006''' Expediting
| align="left" valign="top" |
Perform actions to hasten progress of usually slow, tedious or time-consuming actions.
|-
| align="left" valign="top" |
'''OAT-004''' Fingerprinting
| align="left" valign="top" |
Elicit information about the supporting software and framework types and versions.
|-
| align="left" valign="top" |
'''OAT-018''' Footprinting
| align="left" valign="top" |
Probe and explore application to identify its constituents and properties.
|-
| align="left" valign="top" |
'''OAT-005''' Scalping
| align="left" valign="top" |
Obtain limited-availability and/or preferred goods/services by unfair methods.
|-
| align="left" valign="top" |
'''OAT-011''' Scraping
| align="left" valign="top" |
Collect application content and/or other data for use elsewhere.
|-
| align="left" valign="top" |
'''OAT-016''' Skewing
| align="left" valign="top" |
Repeated link clicks, page requests or form submissions intended to alter some metric.
|-
| align="left" valign="top" |
'''OAT-013''' Sniping
| align="left" valign="top" |
Last minute bid or offer for goods or services.
|-
| align="left" valign="top" |
'''OAT-017''' Spamming
| align="left" valign="top" |
Malicious or questionable information addition that appears in public or private content, databases or user messages.
|-
| align="left" valign="top" |
'''OAT-002''' Token Cracking
| align="left" valign="top" |
Mass enumeration of coupon numbers, voucher codes, discount tokens, etc.
|-
| align="left" valign="top" |
'''OAT-014''' Vulnerability Scanning
| align="left" valign="top" |
Crawl and fuzz application to identify weaknesses and possible vulnerabilities.
|}

==Comparison with other dictionaries, taxonomies and lists==

===[https://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC)===

[[File:Ontology-chart-capec-wiki.png|link=]]

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

* [https://capec.mitre.org/data/definitions/3000.html Domains of attack] (3000) - Social Engineering (403), [https://capec.mitre.org/data/definitions/437.html Supply Chain] (437), Communications (512), [https://capec.mitre.org/data/definitions/513.html Software] (513), Physical Security (514), Hardware (515)
* Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

===[http://projects.webappsec.org/w/page/13246978/Threat%20Classification WASC Threat Classification]===

[[File:Ontology-chart-wasc-wiki.png|link=]]

The WASC Threat Classification classifies weaknesses and attacks that can lead to the compromise of a website, its data, or its users.

===[[OWASP WASC Web Hacking Incidents Database Project]] (WHID)===

WHID [https://www.google.com/fusiontables/DataSource?snapid=S1536501YnLo classifies] publicly known incidents using:

* attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scaping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
* weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
* outcome account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

= Bibliography =

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

* 10 years of Application Security, Denyall http://www.denyall.com/resources/whitepapers/?aliId=3438442
* 2012 Payment Card Threat Report https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
* 2014 Bot Traffic Report: Just the Droids You were Looking for http://www.incapsula.com/blog/bot-traffic-report-2014.html
* 3 Types of ‘Return Fraud’ to Monitor this Holiday Season http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
* 7 Ways Bots Hurt Your Website, Distil Networks http://www.distilnetworks.com/7-ways-bots-hurt-website-whitepaper/
* Abusing HTML 5 Structured Client-side Storage 2008 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
* Acquiring Experience with Ontology and Vocabularies, Walt Melo, Risa Mayan and Jean Stanford, 2011 http://www.omg.org/news/meetings/workshops/SOA-HC/presentations-2011/13_SC-6_Melo_Stanford_Mayan.pdf
* An Anatomy of a SQL Injection Attack Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
* The Anatomy of Clickbot.A https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
* Anatomy of comment spam Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
* Anti-Automation Monitoring and Prevention 2015 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
* Anti-DDoS Solution for Internet Corporation http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
* Anti-Fraud Principles and Proposed Taxonomy Sep 2014 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
* Apache Security Ivan Ristic
* Application Security Desk Reference, OWASP https://www.owasp.org/index.php/Category:OWASP_ASDR_Project
* Application Security Guide For CISOs, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-guide.pdf
* AppSensor, OWASP https://www.owasp.org/index.php/OWASP_AppSensor_Project
* Attack & Defense Labs http://www.andlabs.org/html5.html
* Attack categories OWASP https://www.owasp.org/index.php/Category:Attack
* Attack Trees, Schneier, Dr. Dobb's Journal, December 1999 https://www.schneier.com/paper-attacktrees-ddj-ft.html
* Attacking with HTML5 2010 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
* Automated attacks Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
* Avoiding the Top 10 Software Security Design Flaws http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* Bad Bots On The Rise Dec 2014 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
* Banking Botnets Persist Despite Takedowns, Dell SecureWorks, 2015 http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
* The Barracuda Web Application Firewall: XML Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
* Blocking Brute Force Attacks http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
* Bot Traffic Growing Problem for Digital Oct 2014 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
* BotoPedia Incapsula http://www.botopedia.org/
* Boy in the Browser Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
* Business Logic Attacks - Bots and BATs, Eldad Chai, 2009 http://www.owasp.org/images/9/96/AppSecEU09_BusinessLogicAttacks_EldadChai.ppt
* Bypassing Client Application Protection Techniques http://www.securiteam.com/securityreviews/6S0030ABPE.html
* A CAPTCHA in the Rye Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
* Characterizing Large Scale Click fraud http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
* Charter Addition Proposal: "Trusted Code" for the Web https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0150.html
* A cheesy Apache / IIS DoS vuln (+a question) http://www.securityfocus.com/archive/1/456339/30/0/threaded
* China's Man-on-the-Side Attack on GitHub http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub
* The CISO Survey and Report, OWASP, 2013 https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf
* Common Attack Pattern Enumeration and Classification (CAPEC), Mitre https://capec.mitre.org/
* Common Cyber Attacks: Reducing the Impact CERT-UK https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
* Corporate espionage – the internet’s new growth industry http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
* CSA Top Threats to Cloud Computing https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
* CSRF vulnerability in GMail service http://seclists.org/fulldisclosure/2009/Mar/29
* CWE/SANS Top 25 Most Dangerous Software Errors, 2011 http://cwe.mitre.org/top25/
* Cyber Fraud - Tactics Techniques and Procedures http://www.crcpress.com/product/isbn/9781420091274
* Cybercrime Report: Q1 2015, ThreatMetrix, 2015 http://info.threatmetrix.com/WP-2015Q1CybercrimeReport_WP-LP.html
* Data Breach Investigations Report (DBIR), 2014 http://www.verizonenterprise.com/DBIR/2014/
* Data Breach Investigations Report (DBIR), 2015 http://www.verizonenterprise.com/DBIR/2015/
* Data Breaches Fuel Login Attacks Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
* Data Scraping Wikipedia http://en.wikipedia.org/wiki/Data_scraping
* DDoS Quick Guide https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
* DDoS Threat Landscape Report, 2013-2014 http://lp.incapsula.com/rs/incapsulainc/images/2013-14_ddos_threat_landscape.pdf
* Defending Against an Internet-based Attack on the Physical World http://avirubin.com/scripted.attacks.pdf
* Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
* Demystifying HTML 5 Attacks http://resources.infosecinstitute.com/demystifying-html-5-attacks/
* Denial of Service Attacks: A Comprehensive Guide to Trends Techniques and Technologies Hacker Intelligence Initiative Imperva http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
* Detecting and Blocking Site Scraping Attacks Imperva http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
* Detecting Automation of Twitter Accounts: Are you a human cyborg or a bot? http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
* Detecting Malice Robert "RSnake" Hansen 2009 http://www.detectmalice.com/
* Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
* Distributed Denial-of-Service (DDoS) Cyber-Attacks Risk Mitigation and Additional Resources Federal Financial Institutions Examination Council http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
* Do Evil - The Business of Social Media Bots Forbes http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
* DoS and DDoS Glossary of Terms prolexic http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
* E-commerce Malware Trustwave https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
* Exploiting Software, G. Hoglund and G. McGraw, Addison-Wesley, 2004
* Five Trends to Track in E-Commerce Fraud, ThreatMetrix, 2013 http://info.threatmetrix.com/rs/threatmetrix/images/Five_Trends_eCommerce_Fraud_WP.pdf
* Hacker builds cheatbot for hit app Trivia Crack http://www.theregister.co.uk/2015/03/26/hacker_builds_trivia_crack_cheat_app/
* Has Walmart opened itself up to “Denial of inventory” attacks? https://arstechnica.com/business/2012/05/has-walmart-opened-itself-up-to-denial-of-inventory-attacks/
* How Hoarder Bots Steal sales from Online Retailers https://www.internetretailer.com/mobile/2016/12/16/how-hoarder-bots-steal-sales-online-retailers
* How to Defend Against DDoS Attacks - Strategies for the Network Transport and Application Layers Prolexic http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
* How to Defend Online Travel Websites in the Era of Site Scraping, Distil Networks http://www.distilnetworks.com/defend-online-travel-websites-era-site-scraping-download/
* How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
* HTML5 Overview A look at HTML5 Attack Scenarios Trend Micro 2011 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
* HTML5 Top 10 Threats Stealth Attacks and Silent Exploits 2012 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
* HTML5 web security 2011 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
* HTTPPOST - Slow POST Wong Onn Chee OWASP AppSec DC 2010 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
* If you've got @British_Airways account may make sense to change your password. Just had all my Avios cleared out! https://twitter.com/suttonnick/status/581556027948195840/photo/1
* Internet Security Threat Report, Volume 19, 2014 http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
* An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks http://www.springer.com/gb/book/9788132202769
* Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types protection methods and testing your detection and mitigation defenses http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
* Joomla Reflection DDoS-for-Hire Akamai Feb 2015 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
* Layer 7 DDOS – Blocking HTTP Flood Attacks http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
* Lenovo Superfish put smut on my system' – class-action lawsuit The Register http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
* List of Attack Vectors Relative Vulnerability Rating TECAPI http://www.tecapi.com/public/relative-vulnerability-rating-gui.jsp#
* Man in the Browser http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
* Man in the Browser Attack https://www.owasp.org/index.php/Man-in-the-browser_attack
* Mapping and Measuring Cybercrime, Oxford Internet Institute http://www.oii.ox.ac.uk/publications/FD18.pdf
* Massive Changes in the Criminal Landscape Europol 2015 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
* Matching Attack Patterns to Security Vulnerabilities in Software-Intensive System Designs http://collaboration.csc.ncsu.edu/laurie/Papers/ICSE_Final_MCG_LW.pdf
* Mitigating DDoS Attacks with F5 Technology F5 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
* Mitigating the DoS/DDosS Threat, Radware, 2012 http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452061
* Modern Web Attacks, Sophos, 2007 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/modern-web-attacks.aspx
* ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
* Most common attacks on web applications https://ipsec.pl/web-application-security/most-common-attacks-web-applications.html
* Multi-dimensional Vulnerability Hierarchies Daniel Miessler https://danielmiessler.com/study/multi-dimensional-vulnerability-hierarchies/
* New Wave of DDoS Attacks Launched BankInfoSecurity.com Mar 2013 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
* NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
* Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year Sep 2014 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
* Online Data Companies versus Bots: The Fight is on for Control of Online Data, Distil Networks http://www.distilnetworks.com/online-data-companies-vs-bots-download/
* Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
* Payment Checkout Flaws and Bugs 2014 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
* PCI Compliance Report 2015 Verizon http://www.verizonenterprise.com/pcireport/2015/
* Pixel Perfect Timing Attacks with HTML5 2013 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
* Polymorphism as a Defense for Automated Attack of Websites http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
* Preventing Web Scraping: Best Practice https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
* Profile: Automated Credit Card Fraud http://old.honeynet.org/papers/profiles/cc-fraud.pdf
* Protecting Against Web Floods, Radware http://www.radware.com/PleaseRegister.aspx?returnUrl=6442452968
* Q4 2014 State of the Internet Security Report prolexic http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
* Reflection injection http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
* A Report on taxonomy and evaluation of existing inventories, ENISAhttp://ecrime-project.eu/wp-content/uploads/2015/02/E-Crime-Deliverable-2-1-20141128_FINAL.pdf
* Reporting Intellectual Property Crime: A Guide for Victims of Copyright Infringement, Trademark Counterfeiting, and Trade Secret Theft, Dept of Justice http://www.justice.gov/criminal/cybercrime/docs/ip-victim-guide-and-checklist-march-2013.pdf
* SANS Top 20 Critical Controls https://www.sans.org/critical-security-controls/
* Securing Websites, Sophos, 2011 http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/securing-websites.aspx
* Security Insights: Defending Against Automated Threats http://www.securityweek.com/security-insights-defending-against-automated-threats
* Server side DDoS Imperva http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
* Slow Read Denial of Service attack https://code.google.com/p/slowhttptest/wiki/SlowReadTest
* Slow-Read DoS Attack https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
* Slowloris HTTP DoS http://ha.ckers.org/slowloris/
* So what are the "most critical" application flaws? On new OWASP Top 10 https://ipsec.pl/application-security/2013/so-what-are-most-critical-application-flaws-new-owasp-top-10.html
* Social Media Bots Offer Phony Friends and Real Profit NY Times http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
* Software Vulnerability Analysis, Krsul, 1998 http://www.krsul.org/ivan/articles/main.pdf
* Sophos Security Threat Report http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
* SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VSuiEhPSngM
* State of Software Security Report, Volume 5, Veracode, 2013 https://info.veracode.com/state-of-software-security-report-volume5.html
* Stopping Automated Attack Tools http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
* Taxonomy on Online Game Security http://www.math.snu.ac.kr/~jhcheon/publications/2004/Taxonomy%20on%20online%20game%20security_EL.pdf
* A Taxonomy of Computer Program Security Flaws, with Examples, Landwehr https://cwe.mitre.org/documents/sources/ATaxonomyofComputerProgramSecurityFlawswithExamples%5BLandwehr93%5D.pdf
* A Taxonomy of Security Faults in the UNIX Operating System, Aslam, 1995 https://cwe.mitre.org/documents/sources/ATaxonomyofSecurityFaultsintheUNIXOperatingSystem%5BAslam95%5D.pdf
* Testing Guide, v4, OWASP, 2014 https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
* The Bot Baseline: Fraud in Digital Advertising https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
* The Internet Organised Crime Threat Assessment (iOCTA) 2014 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
* The Notorious Nine Cloud Computing Top Threats in 2013 CSA https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
* The Risks of Content Management Systems, IBM, 2015 https://portal.sec.ibm.com/mss/html/en_US/support_resources/pdf/CMS_Threats_MSS_Threat_Report.pdf
* The Spy in the Sandbox – Practical Cache Attacks in Javascript http://iss.oy.ne.ro/SpyInTheSandbox.pdf
* Thousands of Hacked Uber Accounts Selling on Dark Web for $1 http://thehackernews.com/2015/03/thousands-of-hacked-uber-accounts_30.html?m=1
* Threat Intelligence Quarterly, IBM, 1Q 2015 https://www.ibm.com/services/forms/signup.do?source=swg-WW_Security_Organic&S_PKG=ov33510&S_TACT=C327017W&dynform=18101
* Threat Modeling: Designing for Security, Adam Shostack, Wiley, April 2014 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118809998.html
* Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook Prolexic http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
* Trapping Unknown Malware in a Context Web, Sophos http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/HuqSzabo-VB2013.pdf?la=en.pdf
* Trustwave Global Security Report 2014 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
* TurboTax’s Anti-Fraud Efforts Under Scrutiny http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
* Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008) http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
* The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
* Understanding Web Bots and How They Hurt Your Business Encapsula http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
* Use of A Taxonomy of Security Faults, Taimur Aslam, Ivan Krsul and Eugene H Spafford, 1996 http://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2304&context=cstech
* The WASC Threat Classification v2.0 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
* Warhol Worms: The Potential for Very Fast Internet Plagues http://www.iwar.org.uk/comsec/resources/worms/warhol-worm.htm
* Web Application Attack Report #5 Imperva http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
* Web Application Defender's Cookbook: Battling Hackers and Protecting Users, Ryan Barnett, Wiley, December 2012 http://eu.wiley.com/WileyCDA/WileyTitle/productCd-1118362187.html
* Web Attacks in the Wild Corsaire https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
* Web Automation Friend or Foe? https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
* Web Spambot Detection Based on Web Navigation Behaviour http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
* Website Security Statistics Report, 2014 http://info.whitehatsec.com/rs/whitehatsecurity/images/statsreport2014-20140410.pdf
* What is Zeus? http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
* When Web 2.0 Attacks! Understanding Ajax Flash and other highly interactive web technologies… https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
* Where have all of our Passwords Gone? Gartner 2015 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
* WS-Attacks.org http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

; What do you mean by "web", "application" and "automated threat"?
: See the definitions in the project's {{#switchtablink:Project Scope and Definitions|glossary}}.

; What is an "ontology"?
: An ontology is a set of types, properties, and relationship. These together define a subject description language. This particular ontology is meant to represent what automated threats real world owners observe affecting their web applications in usual operations.

; Isn't this another bug (vulnerability) list?
: No, none of the named automated threat events are implementation bugs - they relate to abuse of functionality using automated means.

; I thought "so and so" already did that?
: We found that it did not exist. While many threats are mentioned in the sources researched, there was no overall list or definitions. We found the automated threat events tended to all be in a small number of definied items from Mitre CAPEC and WASC Threat Classification. If you know of other automated threat lists/taxonomies/ontologies, please share them.

; What is an "oat"?
: It is our abbreviation for OWASP Automated Threat (OAT).

; I am confused and don't know which OAT my problem is - how do I identify it?
: In 2017 we created a [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] to help identify the correct OAT, which can then be confirmed by reading the full description in the [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf handbook]. The short summaries are important explanations of each OAT name.

; How can I help?
: Please join our mailing list, send ideas, contribute clarifications, corrections and improvement, and let other people know about the project and its handbook.

= Acknowledgements and Sponsors =

==Contributors==

* Sumit Agarwal
* Jason Chan
* Mark Hall
* Omri Iluz
* Andrew van der Stock
* Roland Weber
* [mailto:colin.watson@owasp.org Colin Watson]
* [mailto:tin.zaw@owasp.org Tin Zaw]

Additionally other professional colleagues and website owners and operators who provided feedback.

==Reviewers==

* Igor Andriushchenko
* Gabriel Mendez Justiniano
* Matt Tesauro

== Sponsors ==

All OWASP Projects are run and developed by volunteers and rely on personal donations and sponsorship to continue their development. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. This project has received the sponsorship part of their Corporate OWASP membership fees from Verizon Digital Media Services in 2016 and Distil Networks in 2017, which has already contributed to the v1.2 production design costs, and will also be utilised to help promote knowledge of the project.

[[file:Verizon_Digital_Medial_Logo.jpg|size=150x45px|link=https://www.verizondigitalmedia.com]]

[[File:Distil-flat-logo-2.png|link=https://www.distilnetworks.com]]

= Road Map and Getting Involved =

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

* [https://lists.owasp.org/mailman/listinfo/automated_threats_to_web_applications Mailing list]

To share information confidentially, you can email the project leaders directly: [mailto:tin.zaw@owasp.org Tin Zaw] and [mailto:colin.watson@owasp.org Colin Watson].

== Completed Outputs==

* {{#switchtablink:Scope and Definitions|Glossary}}
* {{#switchtablink:Bibliography|Bibligraphy of information sources}}
* A [https://www.owasp.org/index.php/File:Automated-threats.pdf summary chart] has been published summarising the information gathered and work to date
* Identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects
* The primary terms have now been defined and described for the ontology
* A [https://www.owasp.org/index.php/File:Automation-briefing.pdf briefing document] was produced in May 2015
* Release [https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf Automated Threat Handbook] July 2015 [https://www.owasp.org/index.php/File:Owasp-automated-threat-handbook-source-files.zip source files], updated in November 2016
* Release [https://www.owasp.org/index.php/File:Automation-project-briefing.pdf project overview flyer] July 2015
* Release [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] December 2016

== Roadmap==

The project's roadmap was updated in October 2017.

===Q1 2015===
* <strike>Feb 2015: Define scope and terminology</strike> Done
* <strike>Mar 2015: Research prior work and reports about automated threats to web applications to create bibliography</strike> Done

===Q2 2015===
* <strike>Apr 2015: Assess threats/attacks and create ontology</strike> Done
* <strike>Apr 2015: Application owner interviews and creation of initial project outputs, to refine model</strike> Done
* <strike>May 2015: Publication of outputs and request for review/data</strike> Done
* <strike>May 2015: Summit session and survey at AppSec EU</strike> Done
* <strike>Jun 2015 Review</strike> Done
* <strike>Jun 2015 Write ontology document</strike> Done
* <strike>Jun Write 2-page project briefing</strike> Done
* <strike>Jun Publish project briefing</strike> Done
* <strike>Jul 2015: Publish v1.0 ontology</strike> Done

===Q3 2016===
* <strike>Jul-Sep 2016: Gathering of additional contributions and update handbook</strike> Done

===Q4 2016===
* <strike>Nov 2016: Release updated handbook</strike> Done
* <strike>Dec 2016: Threat identification chart</strike> Done

=== Q1 2017 ===
* <strike>Dec-Mar 2017: Further review and update to handbook</strike> Done
* <strike>Check against changes to CAPEC v2.9</strike> Done

=== Q2 2017 ===
* <strike>Apr-Jun 2017: Further review and update to handbook</strike> Done
* <strike>Project summit at AppSecEU</strike> Done

=== Q3 2017 ===
* <strike>Chase up ongoing project review</strike> Done
* <strike>Project summit at AppSecUS</strike> Done

=== Q4 2017 ===
* Release v1.2 (now due 15 Feb 2018)

=== Q1 2018 ===
* <strike>Create OAT wiki pages</strike> Done

=== Future ===
* Write executive summary
* Release executive summary document


__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:SAMM-SR-2]] [[Category:SAMM-TA-1]] [[Category:SAMM-EG-2]]

OAT-021 Denial of Inventory

2018-02-16T15:15:48Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-021

===Threat Event Name===

Denial of Inventory

=== Summary Defining Characteristics===

Deplete goods or services stock without ever completing the purchase or committing to the transaction.

===Indicative Diagram===

[[File:OAT-021_Denial_of_Inventory.png|500px|link=]]

=== Description ===

Selection and holding of items from a limited inventory or stock, but which are never actually bought, or paid for, or confirmed, such that other users are unable to buy/ pay/confirm the items themselves. It differs from [[OAT-005 Scalping]] in that the goods or services are never actually acquired by the attacker.

Denial of Inventory is most commonly thought of as taking ecommerce items out of circulation by adding many of them to a cart/basket; the attacker never actually proceeds to checkout to buy them but contributes to a possible stock-out condition. A variation of this automated threat event is making reservations (e.g. hotel rooms, restaurant tables, holiday bookings, flight seats), and/or click-and-collect without payment. But this exhaustion of inventory availability also occurs in other types of web application such as in the assignment of non-goods like service allocations, product rations, availability slots, queue positions, and budget apportionments.

If server resources are reduced see [[OAT-015 Denial of Service]] instead. Like [[OAT-005 Scalping]] , Denial of Inventory also reduces the availability of goods or services.

=== Other Names and Examples ===

Hoarding; Hold all attack; Inventory depletion; Inventory exhaustion; Stock exhaustion

=== See Also ===

* [[OAT-005 Scalping]]
* [[OAT-013 Sniping]]
* [[OAT-015 Denial of Service]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency
* 841 Improper Enforcement of Behavioral Workflow

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-020 Account Aggregation

2018-02-16T15:15:15Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-020

===Threat Event Name===

Account Aggregation

=== Summary Defining Characteristics===

Use by an intermediary application that collects together multiple accounts and interacts on their behalf.

===Indicative Diagram===

[[File:OAT-020_Account_Aggregation.png|500px|link=]]

=== Description ===

Compilation of credentials and information from multiple application accounts into another system. This aggregation application may be used by a single user to merge information from multiple applications, or alternatively to merge information of many users of a single application. Commonly used for aggregating social media accounts, email accounts and financial accounts in order to obtain a consolidated overview, to provide integrated reporting and analysis, and to simplify usage and consumption by the user and/or their professional advisors. May include making changes to account properties and interacting with the aggregated application's functionality.

For other forms of data harvesting, including the distribution of content, see [[OAT-011 Scraping]]. For hastening progress, see [[OAT-006 Expediting]] instead.

=== Other Names and Examples ===

Aggregator; Brokering; Client aggregator; Cloud services brokerage; Data aggregation; Financial account aggregator; Intermediarisation; Intermediation

=== See Also ===

* [[OAT-006 Expediting]]
* [[OAT-011 Scraping]]
* [[OAT-019 Account Creation]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 167 Lifting Sensitive Data from the Client
* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-019 Account Creation

2018-02-16T15:14:34Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-019

===Threat Event Name===

Account Creation

=== Summary Defining Characteristics===

Create multiple accounts for subsequent misuse.

===Indicative Diagram===

[[File:OAT-019_Account_Creation.png|500px|link=]]

=== Description ===

Bulk account creation, and sometimes profile population, by using the application's account sign-up processes. The accounts are subsequently misused for generating content spam, laundering cash and goods, spreading malware, a ecting reputation, causing mischief, and skewing search engine optimisation (SEO), reviews and surveys.

Account Creation generates new accounts - see [[OAT-007 Credential Cracking]] and [[OAT-008 Credential Stuffing]] for threat events that use existing accounts.

=== Other Names and Examples ===

Account pharming; Fake account; Fake social media account creation; Impersonator bot; Massive account registration; New account creation; Registering many user accounts

=== See Also ===

* [[OAT-007 Credential Cracking]]
* [[OAT-008 Credential Stuffing]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency
* 837 Improper Enforcement of a Single, Unique Action
* 841 Improper Enforcement of Behavioral Workflow

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-018 Footprinting

2018-02-16T15:13:58Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-018

===Threat Event Name===

Footprinting

=== Summary Defining Characteristics===

Probe and explore application to identify its constituents and properties.

===Indicative Diagram===

[[File:OAT-018_Footprinting.png|500px|link=]]

=== Description ===

Information gathering with the objective of learning as much as possible about the composition, configuration and security mechanisms of the application. Unlike Scraping, Footprinting is an enumeration of the application itself, rather than the data. It is used to identify all the URL paths, parameters and values, and process sequences (i.e. to determine entry points, also collectively called the attack surface). As the application is explored, additional paths will be identified which in turn need to be examined.

Footprinting can also include brute force, dictionary and guessing of file and directory names. Fuzzing may also be used to identify further application resources and capabilities. However, it does not include attempts to exploit weaknesses.

=== Other Names and Examples ===

Application analysis; API discovery; Application enumeration; Automated scanning; CGI scanning; Crawler; Crawling; Excavation; Forced browsing; Forceful browsing; Fuzzing; Micro service discovery; Scanning; Spidering; WSDL scanning

=== See Also ===

* [[OAT-004 Fingerprinting]]
* [[OAT-011 Scraping]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 169 Footprinting

=== CWE Base / Class / Variant IDs ===

* 200 Information Exposure

=== WASC Threat IDs ===

* 45 Fingerprinting

=== OWASP Attack Category / Attack IDs ===

* -

[[Category: Automated Threat]]

OAT-017 Spamming

2018-02-16T15:13:28Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-017

===Threat Event Name===

Spamming

=== Summary Defining Characteristics===

Malicious or questionable information addition that appears in public or private content, databases or user messages.

===Indicative Diagram===

[[File:OAT-017_Spamming.png|500px|link=]]

=== Description ===

Malicious content can include malware, IFRAME distribution, photographs & videos, advertisements, referrer spam and tracking/surveillance code. The content might be less overtly malicious but be an attempt to cause mischief, undertake search engine optimisation (SEO) or to dilute/hide other posts.

The mass abuse of broken form-to-email and form-to-SMS functions to send messages to unintended recipients is not included in this threat event, or any other in this ontology, since those are considered to be the exploitation of implementation flaws alone.

For multiple use that distorts metrics, see [[OAT-016 Skewing]] instead.

=== Other Names and Examples ===

Blog spam; Bulletin board spam; Click-bait; Comment spam; Content spam; Content spoofing; Fake news; Form spam; Forum spam; Guestbook spam; Referrer spam; Review spam; SEO spam; Spam crawlers; Spam 2.0; Spambot; Twitter spam; Wiki spam

=== See Also ===

* [[OAT-015 Denial of Service]]
* [[OAT-016 Skewing]]
* [[OAT-019 Account Creation]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 506 Embedded Malicious Code
* 799 Improper Control of Interaction Frequency
* 837 Improper Enforcement of a Single, Unique Action

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-016 Skewing

2018-02-16T15:12:56Z

Clerkendweller:

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-016

===Threat Event Name===

Skewing

=== Summary Defining Characteristics===

Repeated link clicks, page requests or form submissions intended to alter some metric.

===Indicative Diagram===

[[File:OAT-016_Skewing.png|500px|link=]]

=== Description ===

Automated repeated clicking or requesting or submitting content, a ecting application-based metrics such as counts and measures of frequency and/or rate. The metric or measurement may be visible to users (e.g. betting odds, likes, market/ dynamic pricing, visitor count, poll results, reviews) or hidden (e.g. application usage statistics, business performance indicators). Metrics may affect individuals as well as the application owner, e.g. user reputation, influence others, gain fame, or undermine someone else's reputation.

For malicious alteration of digital advertisement metrics, see [[OAT-003 Ad Fraud]] instead.

=== Other Names and Examples ===

Biasing KPIs; Boosting friends, visitors, and likes; Click fraud; Dynamic pricing hacking; Election fraud; Hit count fraud; Market distortion; Metric and statistic skewing; Page impression fraud; Poll fraud; Poll skewing; Poll/voting subversion; Rating/review skewing; SEO; Stock manipulation; Survey skewing

=== See Also ===

* [[OAT-003 Ad Fraud]]
* [[OAT-017 Spamming]]
* [[OAT-019 Account Creation]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency
* 837 Improper Enforcement of a Single, Unique Action

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-015 Denial of Service

2018-02-16T15:12:05Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-015

===Threat Event Name===

Denial of Service

=== Summary Defining Characteristics===

Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS).

===Indicative Diagram===

[[File:OAT-015_Denial_of_Service.png|500px|link=]]

=== Description ===

Usage may resemble legitimate application usage, but leads to exhaustion of resources such as file system, memory, processes, threads, CPU, and human or financial resources. The resources might be related to web, application or databases servers or other services supporting the application, such as third party APIs, included third-party hosted content, or content delivery networks (CDNs). The application may be affected as a whole, or the attack may be against individual users such as account lockout.

This ontology’s scope excludes other forms of denial of service that a ect web applications, namely HTTP Flood DoS (GET, POST, Header with/without TLS), HTTP Slow DoS, IP layer 3 DoS, and TCP layer 4 DoS. Those protocol and lower layer aspects are covered adequately in other taxonomies and lists.

=== Other Names and Examples ===

Account lockout; App layer DDoS; Asymmetric resource consumption (amplification); Business logic DDoS; Cash overflow; Forced deadlock; Hash DoS; Inefficient code; Indexer DoS; Large files DoS; Resource depletion, locking or exhaustion; Sustained client engagement

=== See Also ===

* [[OAT-005 Scalping]]
* [[OAT-013 Sniping]]
* [[OAT-017 Spamming]]
* [[OAT-019 Account Creation]]
* [[OAT-021 Denial of Inventory]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 2 Inducing Account Lockout
* 25 Forced Deadlock
* 119 Deplete Resources

=== CWE Base / Class / Variant IDs ===

* 399 Resource Management Errors
* 645 Overly Restrictive Account Lockout Mechanism

=== WASC Threat IDs ===

* 10 Denial of Service

=== OWASP Attack Category / Attack IDs ===

* Account Lockout Attack
* [[Cash Overflow]]
* [[Denial of Service]]
* [[:Category:Resource Depletion|Resource Depletion]]

[[Category: Automated Threat]]

OAT-014 Vulnerability Scanning

2018-02-16T15:11:30Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-014

===Threat Event Name===

Vulnerability Scanning

=== Summary Defining Characteristics===

Crawl and fuzz application to identify weaknesses and possible vulnerabilities.

===Indicative Diagram===

[[File:OAT-014_Vulnerability_Scanning.png|500px|link=]]

=== Description ===

Systematic enumeration and examination of identifiable, guessable and unknown content locations, paths, file names, parameters, in order to find weaknesses and points where a security vulnerability might exist. Vulnerability Scanning includes both malicious scanning and friendly scanning by an authorised vulnerability scanning engine. It differs from [[OAT-011 Scraping]] in that its aim is to identify potential vulnerabilities.

The exploitation of individual vulnerabilities is not included in the scope of this ontology, but this process of scanning, along with [[OAT-018 Footprinting]], [[OAT-004 Fingerprinting]] and [[OAT-011 Scraping]] often form part of application penetration testing.

=== Other Names and Examples ===

Active/Passive scanning; Application-specific vulnerability discovery; Identifying vulnerable content management systems (CMS) and CMS components; Known vulnerability scanning; Malicious crawling; Vulnerability reconnaissance

=== See Also ===

* [[OAT-004 Fingerprinting]]
* [[OAT-011 Scraping]]
* [[OAT-018 Footprinting]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* -

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation

=== OWASP Attack Category / Attack IDs ===

* -

[[Category: Automated Threat]]

OAT-013 Sniping

2018-02-16T15:10:54Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-013

===Threat Event Name===

Sniping

=== Summary Defining Characteristics===

Last minute bid or offer for goods or services.

===Indicative Diagram===

[[File:OAT-013_Sniping.png|500px|link=]]

=== Description ===

The defining characteristic of Sniping is an action undertaken at the latest opportunity to achieve a particular objective, leaving insufficient time for another user to bid/offer. Sniping can also be the automated exploitation of system latencies in the form of timing attacks. Careful timing and prompt action are necessary parts. It is most well known as auction sniping, but the same threat event can be used in other types of applications. Sniping normally leads to some disbenefit for other users, and sometimes that might be considered a form of denial of service.

In contrast, [[OAT-005 Scalping]] is the acquisition of limited availability of sought-a er goods or services, and [[OAT-006 Expediting]] is the general hastening of progress.

=== Other Names and Examples ===

Auction sniping; Bid sniper; Front- running; Last look; Last minute bet; Timing attack

=== See Also ===

* [[OAT-005 Scalping]]
* [[OAT-006 Expediting]]
* [[OAT-015 Denial of Service]]
* [[OAT-021 Denial of Inventory]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* -

=== WASC Threat IDs ===

* 21 Insu icient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-012 Cashing Out

2018-02-16T15:10:11Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-012

===Threat Event Name===

Cashing Out

=== Summary Defining Characteristics===

Buy goods or obtain cash utilising validated stolen payment card or other user account data.

===Indicative Diagram===

[[File:OAT-012_Cashing_Out.png|500px|link=]]

=== Description ===

Obtaining currency or higher-value merchandise via the application using stolen, previously validated payment cards or other account login credentials. Cashing Out sometimes may be undertaken in conjunction with product return fraud. For financial transactions, this is usually a transfer of funds to a mule’s account. For payment cards, this activity may occur following [[OAT-001 Carding]] of bulk stolen data, or [[OAT-010 Card Cracking]], and the goods are dropped at a reshipper's address. The refunding of payments via non-financial applications (e.g. tax refunds, claims payment) is also included in Cashing Out.

Obtaining other information of value from the application is instead [[OAT-011 Scraping]].

=== Other Names and Examples ===

Deetsing; Money laundering; Online credit card fraud; Online payment card fraud; Refund fraud; Stolen identity refund fraud (SIRF)

=== See Also ===

* [[OAT-001 Carding]]
* [[OAT-011 Scraping]]
* [[OAT-010 Card Cracking]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency
* 837 Improper Enforcement of a Single, Unique Action

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-011 Scraping

2018-02-16T15:09:26Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-011

===Threat Event Name===

Scraping

=== Summary Defining Characteristics===

Collect application content and/or other data for use elsewhere.

===Indicative Diagram===

[[File:OAT-011_Scraping.png|500px|link=]]

=== Description ===

Collecting accessible data and/or processed output from the application. Some scraping may use fake or compromised accounts, or the information may be accessible without authentication. The scraper may attempt to read all accessible paths and parameter values for web pages and APIs, collecting the responses and extracting data from them. Scraping may occur in real time, or be more periodic in nature. Some Scraping may be used to gain insight into how it is constructed and operates - perhaps for cryptanalysis, reverse engineering, or session analysis.

When another application is being used as an intermediary between the user(s) and the real application, see [[OAT-020 Account Aggregation]]. If the intent is to obtain cash or goods, see [[OAT-012 Cashing Out]] instead.

=== Other Names and Examples ===

API provisioning; Bargain hunting; Comparative shopping; Content scraping; Data aggregation; Database scraping; Farming; Harvesting; Meta search scraper; Mining; Mirroring; Pagejacking; Powering APIs; Ripping; Scraper bot; Screen scraping; Search / social media bot

=== See Also ===

* [[OAT-012 Cashing Out]]
* [[OAT-018 Footprinting]]
* [[OAT-020 Account Aggregation]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 167 Lifting Sensitive Data from the Client
* 210 Abuse of Functionality
* 281 Analyze Target

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]

[[Category: Automated Threat]]

OAT-010 Card Cracking

2018-02-16T15:08:49Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-010

===Threat Event Name===

Card Cracking

=== Summary Defining Characteristics===

Identify missing start/expiry dates and security codes for stolen payment card data by trying different values.

===Indicative Diagram===

[[File:OAT-010_Card_Cracking.png|500px|link=]]

=== Description ===

Brute force attack against application payment card processes to identify the missing values for start date, expiry date and/or card security code (CSC), also referred to in many ways, including card validation number 2 (CVN2), card validation code (CVC), card verification value (CV2) and card identification number (CID).

When these values are known as well as the Primary Account Number (PAN), [[OAT-001 Carding]] is used to validate the details, and [[OAT-012 Cashing Out]] to obtain goods or cash.

=== Other Names and Examples ===

Brute forcing credit card information; Card brute forcing; Credit card cracking; Distributed guessing attack

=== See Also ===

* [[OAT-001 Carding]]
* [[OAT-012 Cashing Out]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 112 Brute Force
* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency
* 837 Improper Enforcement of a Single, Unique Action

=== WASC Threat IDs ===

* 11 Brute Force
* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]
* [[Brute force attack|Brute Force Attack]]

[[Category: Automated Threat]]

OAT-009 CAPTCHA Defeat

2018-02-16T15:08:06Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-009

===Threat Event Name===

CAPTCHA Defeat

=== Summary Defining Characteristics===

Solve anti-automation tests.

===Indicative Diagram===

[[File:OAT-009_CAPTCHA_Defeat.png|500px|link=]]

=== Description ===

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) challenges are used to distinguish normal users from bots. Automation is used in an attempt to analyse and determine the answer to visual and/or aural CAPTCHA tests and related puzzles. Apart from conventional visual and aural CAPTCHA, puzzle solving mini games or arithmetical exercises are sometimes used. Some of these may include context-specific challenges.

The process that determines the answer may utilise tools to perform optical character recognition, or matching against a prepared database of pre-generated images, or using other machine reading, or human farms.

=== Other Names and Examples ===

Breaking CAPTCHA; CAPTCHA breaker; CAPTCHA breaking; CAPTCHA bypass; CAPTCHA decoding; CAPTCHA solver; CAPTCHA solving; Puzzle solving

=== See Also ===

* [[OAT-006 Expediting]]
* [[OAT-011 Scraping]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* -

=== CWE Base / Class / Variant IDs ===

* 804 Guessable CAPTCHA
* 841 Improper Enforcement of Behavioral Workflow

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* -

[[Category: Automated Threat]]

OAT-008 Credential Stuffing

2018-02-16T15:07:21Z

Clerkendweller: /* Indicative Diagram */

__NOTOC__

This is an automated threat. To view all automated threats, please see the [[:Category:Automated Threat|Automated Threat Category]] page. The OWASP Automated Threat Handbook - Wed Applications ([https://www.owasp.org/index.php/File:Automated-threat-handbook.pdf pdf], print), an output of the [[OWASP Automated Threats to Web Applications|OWASP Automated Threats to Web Applications Project]], provides a fuller guide to each threat, detection methods and countermeasures. The [https://www.owasp.org/index.php/File:Oat-ontology-decision-chart.pdf threat identification chart] helps to correctly identify the automated threat.

== Definition ==

===OWASP Automated Threat (OAT) Identity Number ===

OAT-008

===Threat Event Name===

Credential Stuffing

=== Summary Defining Characteristics===

Mass log in attempts used to verify the validity of stolen username/password pairs.

===Indicative Diagram===

[[File:OAT-008_Credential_Stuffing.png|500px|link=]]

=== Description ===

Lists of authentication credentials stolen from elsewhere are tested against the application’s authentication mechanisms to identify whether users have re-used the same login credentials. The stolen usernames (often email addresses) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps.

Unlike [[OAT-007 Credential Cracking]], Credential Stuffing does not involve any brute-forcing or guessing of values; instead credentials used in other applications are being tested for validity.

=== Other Names and Examples ===

Account checker attack; Account checking; Account takeover; Account takeover attack; Login Stuffing; Password list attack; Password re-use; Stolen credentials; Use of stolen credentials

=== See Also ===

* [[OAT-007 Credential Cracking]]
* [[OAT-019 Account Creation]]

== Cross-References ==

=== CAPEC Category / Attack Pattern IDs ===

* 210 Abuse of Functionality

=== CWE Base / Class / Variant IDs ===

* 799 Improper Control of Interaction Frequency
* 837 Improper Enforcement of a Single, Unique Action

=== WASC Threat IDs ===

* 21 Insufficient Anti-Automation
* 42 Abuse of Functionality

=== OWASP Attack Category / Attack IDs ===

* [[:Category:Abuse of Functionality|Abuse of Functionality]]
* [[Credential stuffing|Credential Stuffing]]

[[Category: Automated Threat]]