cancel
Showing results for 
Search instead for 
Did you mean: 
Kyle_Roberts
F5 Employee
F5 Employee

Introduction

Many of us have heard of OWASP in the context of the OWASP Top 10. In this article series we will take a look at another very important threat classification list called the OWASP Automated Threats (OAT) Project and provide a foundational overview. The terms Malicious Bot and Automated Threat can be used interchangeably throughout. In future articles we'll dive deeper into individual key threats called OATs and demonstrate how these attacks work and how to defend against them.

Why should we care about the OWASP Automated Threats Project?

Web security is no longer constrained to inadvertent vulnerabilities and attackers are abusing inherent functionality to conduct Automated and Manual Fraud.​ Existing technologies are not capable of detecting advanced automated abuse, fraud teams can’t keep up with new fraud mechanisms, while web users are increasingly adverse to encountering Authentication Friction created by legacy or traditional bot defenses like CAPTCHAs. From its original release in 2015, the OWASP Automated Threat Handbook has now become a de facto industry standard in classifying Bots and better understanding all aspects of Malicious Web Automation.

What OATs Are Not

- Not another vulnerability list

- Not an OWASP Top N List

- Not threat modelling

- Not attack trees

- Not non web

- Not non application

What Are OATs (aka Malicous Bots)?

In order to quantify these threats, it is necessary to be able to name them. OAT stands for OWASP Automated Threat and there are currently 21 attack vectors defined.

Currently OAT codes 001 to 021 are used. Within each OAT the Threat definition contains a description, the sectors targeted, parties affected, the data commonly misused, and external cross mappings to other lists like CAPEC Category, possible symptoms, suggested countermeasures, etc...

Here is the Full List of OATs ordered by ascending name:

Identifier OAT Name Summary Defining Characteristics
OAT-020 Account Aggregation Use by an intermediary application that collects together multiple accounts and interacts on their behalf
OAT-019 Account Creation Create multiple accounts for subsequent misuse
OAT-003 Ad Fraud False clicks and fraudulent display of web-placed advertisements
OAT-009 CAPTCHA Defeat Solve anti-automation tests
OAT-010 Card Cracking Identify missing start/expiry dates and security codes for stolen payment card data by trying different values
OAT-001 Carding Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data
OAT-012 Cashing Out Buy goods or obtain cash utilising validated stolen payment card or other user account data
OAT-007 Credential Cracking Identify valid login credentials by trying different values for usernames and/or passwords
OAT-008 Credential Stuffing Mass log in attempts used to verify the validity of stolen username/password pairs
OAT-021 Denial of Inventory Deplete goods or services stock without ever completing the purchase or committing to the transaction
OAT-015 Denial of Service Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS)
OAT-006 Expediting Perform actions to hasten progress of usually slow, tedious or time-consuming actions
OAT-004 Fingerprinting Elicit information about the supporting software and framework types and versions
OAT-018 Footprinting Probe and explore application to identify its constituents and properties
OAT-005 Scalping Obtain limited-availability and/or preferred goods/services by unfair methods
OAT-011 Scraping Collect application content and/or other data for use elsewhere
OAT-016 Skewing Repeated link clicks, page requests or form submissions intended to alter some metric
OAT-013 Sniping Last minute bid or offer for goods or services
OAT-017 Spamming Malicious or questionable information addition that appears in public or private content, databases or user messages
OAT-002 Token Cracking Mass enumeration of coupon numbers, voucher codes, discount tokens, etc
OAT-014 Vulnerability Scanning Crawl and fuzz application to identify weaknesses and possible vulnerabilities

Automated Threats Breakdown By Industry

Within each OAT definition there is a section for the Sectors Targeted for that particular attack vector. For example, a Carding Attack would be seen on ecommerce and retail type of sites with payment card processing. Here they would be able to validate a list of stolen credit card numbers to identify the working ones from non working.

Example: OAT-001 Carding Attack example highlighting "Sectors Targeted" for this type of attack. This exists for each attack definition.

Screen Shot 2022-04-19 at 1.49.13 PM.png

OWASP Defined Countermeasures

Countermeasure Classes:

The technology and vendor agnostic countermeasure classes attempt to group together the types of design, development and operational controls identified from research that are being used to partially or fully mitigate the likelihood and/or impact of automated threats to web applications. In all applications, builder-defender collaboration is key in controlling and mitigating automated threats – the best protected applications do not rely solely upon standalone external operational protections, but also have integrated protection built into the design. Similarly to other types of application security threat, it is important to build consideration of automated threats into multiple phases of a secure software development lifecycle (S-SDLC).

14 Countermeasure Classes:

Value

Authentication

Requirements

Rate

Testing

Monitoring

Capacity

Instrumentation

Obfuscation

Contract

Fingerprinting

Response

Reputation

Sharing

Countermeasure Controls

Countermeasures are controls that attempt to mitigate the identified automated threats in three ways:

  1. Prevent - Controls to reduce the susceptibility to automated threats

  2. Detect - Controls to identify whether a user is an automated process rather than a human, and/or to identify if an automated attack is occurring, or occurred in the past

  3. Recover - Controls to assist response to incidents caused by automated threats, including to mitigate the impact of the attack, and to to assist return of the application to its normal state. 

Cross References Other Threat Mappings

Each OAT Threat is cross referenced with other external threat lists to provide and understanding of how this OAT Handbook can be integrated with other works.

Example, OAT Threat below shows the cross referenced CAPEC, CWE, and WASC Threat ID's

Source: OWASP Automated Threats to Web Applications Cross Referenced Attack ID'sSource: OWASP Automated Threats to Web Applications Cross Referenced Attack ID's

You can find links to each of the external classification models below:

Mitre CAPEC - best full and/or partial match CAPEC category IDs and/or attack pattern IDs

WASC Threat Classification - best match to threat IDs

Mitre Common Weakness Enumeration - closely related base, class & variant weakness IDs

Matching pages defining terms classified as Attacks on the OWASP wiki


Conclusion

In conclusion, the OWASP Automated Threat Handbook has now become a de facto industry standard in classifying and better understanding all aspects of malicious web automation. We can use this handbook to build secure software development lifecycles around our web properties and implement the appropriate countermeasure to prevent unwanted automation against them.

OWASP Links

OWASP Automated Threats to Web Applications Home Page

OWASP Automated Threats Identification Chart

OWASP Automated Threats to Web Applications Handbook

F5 Related Content

How Attacks Evolve From Bots to Fraud Part: 1

How Attacks Evolve From Bots to Fraud Part: 2

F5 Distributed Cloud Bot Defense

F5 Labs 2021 Credential Stuffing Report

Version history
Last update:
‎21-Apr-2022 16:22
Updated by:
Contributors