OWASP Automated Threats to Web Applications

Revision as of 15:19, 16 May 2015 by Clerkendweller (talk | contribs) (Additions to bibliography)

Automated Threats to Web Applications

Please help by completing our new Web Application Owner Survey, released on 21st April 2015. Help identify real-world automated threats using this Google Form:

The survey sheet, used at AppSec EU, is also available as a PDF.


Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherently valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Excessive misuse is also commonly misreported as application denial-of-service (DoS), such as HTTP flooding, when in fact the DoS is a side-effect rather than the primary intent. Some examples commonly referred to are:

  • Account enumeration
  • Click fraud
  • Comment spam
  • Content scraping
  • Data aggregation
  • Email address harvesting
  • Fake account creation
  • Password cracking
  • Payment card testing
  • Site crawling
  • Transaction automation

Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.
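The distinction made above, that the function being abused identifies the threat better than the request volume does, can be checked directly against an access log. The following is an added example (not part of the original OWASP page or project outputs): it groups constructed log lines by client within a time window and names the automated threat each burst suggests, falling back to a volumetric label only when no abused function is evident. The log format, the endpoint paths (/login, /checkout/pay, /products/...), the detail field and the thresholds are all assumptions.

```python
"""Classify bursts of automated usage by the function being abused.

Added example, not part of the OWASP page: it illustrates that automated
misuse is usually abuse of valid functionality, and that looking only at
request volume misreads it as HTTP flooding. The log format, endpoint
paths and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real traffic): timestamp, client IP, method,
# path, status, and an application-supplied detail field (username for
# logins, card fingerprint for payments, "-" otherwise).
SAMPLE_LOG = """\
2015-05-16T10:00:01 198.51.100.7 POST /login 401 user=alice
2015-05-16T10:00:02 198.51.100.7 POST /login 401 user=bob
2015-05-16T10:00:02 198.51.100.7 POST /login 401 user=carol
2015-05-16T10:00:03 198.51.100.7 POST /login 401 user=dave
2015-05-16T10:00:03 198.51.100.7 POST /login 401 user=erin
2015-05-16T10:00:04 198.51.100.7 POST /login 401 user=frank
2015-05-16T10:00:10 203.0.113.9 POST /checkout/pay 402 card=fp01
2015-05-16T10:00:11 203.0.113.9 POST /checkout/pay 402 card=fp02
2015-05-16T10:00:11 203.0.113.9 POST /checkout/pay 402 card=fp03
2015-05-16T10:00:12 203.0.113.9 POST /checkout/pay 200 card=fp04
2015-05-16T10:00:12 203.0.113.9 POST /checkout/pay 402 card=fp05
2015-05-16T10:00:13 203.0.113.9 POST /checkout/pay 402 card=fp06
2015-05-16T10:00:20 192.0.2.44 GET /products/1 200 -
2015-05-16T10:00:20 192.0.2.44 GET /products/2 200 -
2015-05-16T10:00:21 192.0.2.44 GET /products/3 200 -
2015-05-16T10:00:21 192.0.2.44 GET /products/4 200 -
2015-05-16T10:00:22 192.0.2.44 GET /products/5 200 -
2015-05-16T10:00:22 192.0.2.44 GET /products/6 200 -
2015-05-16T10:00:30 192.0.2.10 GET /products/1 200 -
2015-05-16T10:00:45 192.0.2.10 POST /login 200 user=alice
"""

WINDOW = timedelta(seconds=60)   # assumed analysis window
MIN_REQUESTS = 5                 # assumed burst threshold per client


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, ip, method, path, status, detail = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip, "method": method, "path": path,
        "status": int(status),
        "detail": None if detail == "-" else detail.split("=", 1)[1],
    }


def classify(events):
    """Name the automated threat suggested by one client's burst of events."""
    paths = {e["path"] for e in events}
    logins = [e for e in events if e["path"] == "/login" and e["method"] == "POST"]
    payments = [e for e in events if e["path"].startswith("/checkout/pay")]
    if len(logins) >= MIN_REQUESTS:
        usernames = {e["detail"] for e in logins}
        # Many distinct usernames: probing which accounts exist.
        if len(usernames) >= MIN_REQUESTS:
            return "account enumeration"
        return "password cracking"   # few usernames, repeated guesses
    if len(payments) >= MIN_REQUESTS:
        cards = {e["detail"] for e in payments}
        if len(cards) >= MIN_REQUESTS:
            return "payment card testing"
    if len(paths) >= MIN_REQUESTS and all(e["method"] == "GET" for e in events):
        return "content scraping / site crawling"
    return "volumetric (possible HTTP flood)"


def detect(log_text):
    """Group a log by client IP inside WINDOW and classify each burst."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        e = parse(line)
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than WINDOW before the newest.
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            burst = events[start:end + 1]
            if len(burst) >= MIN_REQUESTS:
                findings[ip] = classify(burst)
    return findings


if __name__ == "__main__":
    for ip, threat in detect(SAMPLE_LOG).items():
        print(f"{ip}: {threat}")
```

On the constructed sample the three noisy clients are reported as account enumeration, payment card testing and content scraping respectively, while the fourth client, which makes two ordinary requests, produces no finding; a pure request counter would have flagged all three bursts identically as a flood.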

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.


All the materials are free to use. They are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation

What Is This?

Information and resources to help web application owners defend against automated threats

What Isn't It?

  • Another vulnerability list
  • Threat modelling
  • Attack trees
  • Non web
  • Non application

Project Objective

This project brings together research and analysis of real-world automated attacks against web applications, to produce documentation that helps operators defend against these threats. Sector-specific guidance will be available.

Project Leader

Colin Watson


Please help and your name can appear here. The project needs web application owners' threat information and reviewers.

Related Projects

News and Events

  • [20 May 2015] Meeting at project summit in Amsterdam
  • [12 May 2015] Discussion document published
  • [27 Apr 2015] Final summary of research published
  • [21 Apr 2015] Notice in OWASP Connector
  • [21 Apr 2015] Web Application Owner Survey published
  • [04 Apr 2015] Bibliography published
  • [02 Apr 2015] Scope and definitions published
  • [27 Feb 2015] Work underway on research



Automated Threats to Web Applications

Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.


Attack
An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)
Application
Software that performs a business process i.e. not system software
A software program hosted by an information system (Ref 2)
Application layer
"Layer 7" in the OSI model (Ref 3) and "application layer" in the TCP/IP model (Ref 4)
Threat
Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)
Threat Agent
Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)
Threat Event
Occurs when a threat agent acts against an asset (Ref 1)
Web
The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)
Web application
An application delivered over the web

Glossary references:

  1. Risk Taxonomy, Technical Standard, The Open Group, 2009
  2. NISTIR 7298 rev 2, NIST
  3. OSI model, Wikipedia
  4. TCP/IP model, Wikipedia
  5. Architecture of the World Wide Web, Volume One, W3C
  6. Help and FAQ, W3C


The aim is to create a listing of vendor-neutral and technology-agnostic terms that describe real-world automated threats to web applications, at a level of abstraction that application owners can relate to. These terms are threat events to web applications undertaken using automated actions.

The focus is on abuse of functionality - misuse of inherent functionality and related design flaws, some of which are also referred to as business logic flaws. There is almost no focus on implementation bugs. It is not that the latter are not the target for attacks, but there is much more knowledge published in that area with a greater agreement on terminology. All the scenarios identified must require the web to exist for the threat to be materialised. Many of the scenarios have impacts upon the organisation that owns or operates web applications, but some scenarios have impacts more focused on individuals or other bodies. An attack that can be achieved without the web is out of scope.


In progress:

  • Work is currently underway on identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving on to other aspects.
  • A briefing document has been produced to show a summary of the current ontology state
  • The primary terms are now being defined and described for the ontology

Comparison with other dictionaries, taxonomies and lists

OWASP WASC Web Hacking Incidents Database Project (WHID)

WHID classifies publicly known incidents using:

  • attack methods e.g. ARP spoofing, abuse of functionality, account compromise, administration error, automation, backdoor, banking trojan, brute force, clickjacking, code injection, content injection, content spoofing, credential/session prediction, cross-site request forgery (CSRF), cross-site scripting (XSS), denial of service, directory traversal, domain hijacking, DNS hijacking, forceful browsing, HTTP response splitting, hidden parameter manipulation, hosting malicious code, information leakage, insufficient authentication, known vulnerability, local file inclusion (LFI), malvertising, malware, malware injection, mass assignment, misconfiguration, OS commanding, parameter manipulation, path traversal, phishing, predictable resource location, process automation, redirection, remote file inclusion (RFI), rogue 3rd party app, scraping, search engine poisoning, shell injection, social engineering, stolen credentials, SQL injection, unintentional information disclosure, weak password recovery validation, worm
  • weakness e.g. abuse of functionality, application misconfiguration, directory indexing, improper filesystem permissions, improper input handling, improper output handling, information leakage, insecure indexing, insufficient anti-automation, insufficient authentication, insufficient authorization, insufficient entropy, insufficient password recovery, insufficient process validation, insufficient session expiration, insufficient transport layer protection, misconfiguration, predictable resource location, weak password
  • outcome e.g. account hijacking, account takeover, botnet participation, chaos, credit card leakage, data loss, defacement, DDoS attacks, DNS hijacking, DNS redirection, disinformation, disclosure only, downtime, extortion, fraud, information warfare, leakage of information, link spam, loss of sales, malware distribution, monetary loss, phishing, planting of malware, service disruption, session hijacking, spam, spam links, stolen credentials, worm

Plus other/various/unknown.

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC is a dictionary and classification taxonomy of known attacks on software. Its primary classification structures are:

  • Domains of attack (3000) - Social Engineering (403), Supply Chain (437), Communications (512), Software (513), Physical Security (514), Hardware (515)
  • Mechanism of Attack (1000) - Gather Information (118), Deplete Resources (119), Injection (152), Deceptive Interactions (156), Manipulate Timing and State (172), Abuse of Functionality (210), Probabilistic Techniques (223), Exploitation of Authentication (225), Exploitation of Authorization (232), Manipulate Data Structures (255), Manipulate Resources (262), Analyze Target (281), Gain Physical Access (436), Malicious Code Execution (525), Alter System Components (526), Manipulate System Users (527)

The following academic, open source, commercial and news sources were used in the research on automated threats to web applications. OWASP is a worldwide not-for-profit charitable organization focused on improving the security of software. We operate under a vendor neutral policy and we do not endorse products or services.

in E-Commerce Fraud, ThreatMetrix, 2013

This page is in the process of creation

How do you define "web", "application" and "automated threat"?
See the definitions in the project's glossary.
What is an "ontology"?
An ontology is a set of types, properties, and relationships. Together these define a language for describing a subject. This particular ontology is meant to represent which automated threats real-world owners observe affecting their web applications in usual operations.
Isn't this another bug (vulnerability) list?
I thought "XYZ" already did that?
How can I help?


Colin Watson

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. Please use the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

To share information confidentially, you can email the project leader directly: Colin Watson.


The project's roadmap was updated in March 2015.

Q1 2015

  • Feb 2015: Define scope and terminology Done
  • March 2015: Research prior work and reports about automated threats to web applications to create bibliography Done

Q2 2015

  • April 2015: Assess threats/attacks and create ontology
  • April 2015: Application owner interviews and creation of initial project outputs, to refine model
  • May 2015: Publication of outputs and request for review/data

Q3 2015

  • Jun-Sep 2015: Gathering of additional contributions, updates to outputs, and translations.