This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Automated Threats to Web Applications

From OWASP
Revision as of 13:29, 28 April 2017 by Clerkendweller (talk | contribs) (Automated Threats: OAT-021 added)

Jump to: navigation, search
Automated-threats-header.jpg

Automated Threats to Web Applications

The OWASP Automated Threats to Web Applications Project has completed a review of reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify, name and classify these scenarios – automated by software causing a divergence from accepted behavior producing one or more undesirable effects on a web application, but excluding tool-based exploitation of single-issue vulnerabilities. The initial objective was to produce an ontology providing a common language for developers, architects, operators, business owners, security engineers, purchasers and suppliers/ vendors, to facilitate clear communication and help tackle the issues. The project also identifies symptoms, mitigations and controls in this problem area. Like all OWASP outputs, everything is free and published using an open source license.

Two page summary project briefing as a PDF.

Description

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

Automated Threats

The list of threat events, defined in full in the OWASP Automated Threat Handbook, is:

  • OAT-020 Account Aggregation
  • OAT-019 Account Creation
  • OAT-003 Ad Fraud
  • OAT-009 CAPTCHA Bypass
  • OAT-010 Card Cracking
  • OAT-001 Carding
  • OAT-012 Cashing Out
  • OAT-007 Credential Cracking
  • OAT-008 Credential Stuffing
  • OAT-021 Denial o fInventory
  • OAT-015 Denial of Service
  • OAT-006 Expediting
  • OAT-004 Fingerprinting
  • OAT-018 Footprinting
  • OAT-005 Scalping
  • OAT-011 Scraping
  • OAT-016 Skewing
  • OAT-013 Sniping
  • OAT-017 Spamming
  • OAT-002 Token Cracking
  • OAT-014 Vulnerability Scanning

Not sure which is which? Use the new threat identification chart in conjunction with the full handbook.

Licensing

All the materials are free to use. They are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

What Is This?

Information and resources to help web application owners defend against automated threats

What Isn't It?

  • Another vulnerability list
  • Threat modelling
  • Attack trees
  • Non web
  • Non application

Project Objective

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

Presentation

Automatedthreats-presentation-small.jpg

Project Leaders

Related Projects

Quick Links

News and Events

  • [17 Apr 2017] Slides from AppSec California (2017)
  • [09-10 May 2017] Session at OWASP AppSecEU project summit
  • [20 Dec 2016] Threat identification chart published
  • [03 Nov 2016] Presentation at LASCON 2016
  • [03 Nov 2016] v1.1 Handbook published
  • [11-12 Oct 2016] Working session at the AppSecUSA Project Summit
  • [04 Aug 2016] Project Q&A at Blackhat USA 2-5pm in the OWASP booth
  • [15 Jul 2016] Tin Zaw becomes co project leader
  • [12 Jul 2016] Work on v1.1 begun
  • [26 Oct 2015] v1.01 handbook published
  • [24 Sep 2015] Presentation at AppSec USA 2015

In Print

AutomatedThreatHandbook small.jpg

The Automated Threat Handbook can be purchased at cost as a print on demand book.

Classifications

New projects.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg