Bots, Fraud, and the OWASP Automated Threats Project (Overview)
Introduction
Many of us have heard of OWASP in the context of the OWASP Top 10. In this article series we take a look at another important OWASP classification, the OWASP Automated Threats (OAT) to Web Applications project, and provide a foundational overview. The terms Malicious Bot and Automated Threat are used interchangeably throughout. Future articles will dive deeper into the individual threats, called OATs, and demonstrate how these attacks work and how to defend against them.
Why should we care about the OWASP Automated Threats Project?
Web security is no longer confined to inadvertent vulnerabilities: attackers abuse the intended functionality of an application to conduct automated and manual fraud. Traditional defences struggle to detect advanced automated abuse, fraud teams cannot keep up with new fraud mechanisms, and web users are increasingly averse to the authentication friction created by legacy bot defences such as CAPTCHAs. Since its original release in 2015, the OWASP Automated Threat Handbook has become a de facto industry standard for classifying bots and understanding all aspects of malicious web automation.
What OATs Are Not
- Not another vulnerability list
- Not an OWASP Top N list
- Not threat modelling
- Not attack trees
- Not about non-web threats
- Not about threats outside the application layer
What Are OATs (aka Malicious Bots)?
In order to quantify these threats, it is necessary to be able to name them. OAT stands for OWASP Automated Threat, and there are currently 21 attack vectors defined, using OAT codes 001 to 021. Each OAT definition contains a description, the sectors targeted, the parties affected, the data commonly misused, possible symptoms, suggested countermeasures, and cross mappings to external lists such as CAPEC categories.
Here is the Full List of OATs ordered by ascending name:
| Identifier | OAT Name | Summary Defining Characteristics |
| --- | --- | --- |
| OAT-020 | Account Aggregation | Use by an intermediary application that collects together multiple accounts and interacts on their behalf |
| OAT-019 | Account Creation | Create multiple accounts for subsequent misuse |
| OAT-003 | Ad Fraud | False clicks and fraudulent display of web-placed advertisements |
| OAT-009 | CAPTCHA Defeat | Solve anti-automation tests |
| OAT-010 | Card Cracking | Identify missing start/expiry dates and security codes for stolen payment card data by trying different values |
| OAT-001 | Carding | Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data |
| OAT-012 | Cashing Out | Buy goods or obtain cash utilising validated stolen payment card or other user account data |
| OAT-007 | Credential Cracking | Identify valid login credentials by trying different values for usernames and/or passwords |
| OAT-008 | Credential Stuffing | Mass log in attempts used to verify the validity of stolen username/password pairs |
| OAT-021 | Denial of Inventory | Deplete goods or services stock without ever completing the purchase or committing to the transaction |
| OAT-015 | Denial of Service | Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS) |
| OAT-006 | Expediting | Perform actions to hasten progress of usually slow, tedious or time-consuming actions |
| OAT-004 | Fingerprinting | Elicit information about the supporting software and framework types and versions |
| OAT-018 | Footprinting | Probe and explore application to identify its constituents and properties |
| OAT-005 | Scalping | Obtain limited-availability and/or preferred goods/services by unfair methods |
| OAT-011 | Scraping | Collect application content and/or other data for use elsewhere |
| OAT-016 | Skewing | Repeated link clicks, page requests or form submissions intended to alter some metric |
| OAT-013 | Sniping | Last minute bid or offer for goods or services |
| OAT-017 | Spamming | Malicious or questionable information addition that appears in public or private content, databases or user messages |
| OAT-002 | Token Cracking | Mass enumeration of coupon numbers, voucher codes, discount tokens, etc |
| OAT-014 | Vulnerability Scanning | Crawl and fuzz application to identify weaknesses and possible vulnerabilities |
Automated Threats Breakdown By Industry
Within each OAT definition there is a section listing the Sectors Targeted by that particular attack vector. For example, a Carding attack (OAT-001) is typically seen on ecommerce and retail sites with payment card processing: the attacker submits many small authorisation attempts to separate the working cards in a list of stolen card numbers from the non-working ones.
Example: the "Sectors Targeted" section of the OAT-001 Carding definition. Every OAT definition in the handbook carries this section.
OWASP Defined Countermeasures
Countermeasure Classes:
The technology- and vendor-agnostic countermeasure classes group together the types of design, development and operational controls, identified from research, that are used to partially or fully mitigate the likelihood and/or impact of automated threats to web applications. In all applications, builder-defender collaboration is key to controlling and mitigating automated threats: the best protected applications do not rely solely on standalone external operational protections, but also have protection built into the design. As with other types of application security threat, it is important to consider automated threats in multiple phases of a secure software development lifecycle (S-SDLC).
14 Countermeasure Classes:
- Value
- Authentication
- Requirements
- Rate
- Testing
- Monitoring
- Capacity
- Instrumentation
- Obfuscation
- Contract
- Fingerprinting
- Response
- Reputation
- Sharing
Countermeasure Controls
Countermeasures are controls that attempt to mitigate the identified automated threats in three ways:
- Prevent - Controls to reduce the susceptibility to automated threats
- Detect - Controls to identify whether a user is an automated process rather than a human, and/or to identify whether an automated attack is occurring, or occurred in the past
- Recover - Controls to assist response to incidents caused by automated threats, including mitigating the impact of the attack and assisting the return of the application to its normal state
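As an added illustration of a Detect control, and of the Carding scenario described in the industry breakdown above, here is a small detector written for this article (it is not code from the OWASP project or any vendor). It runs over constructed, hypothetical authorisation and login log lines and flags the two signatures that distinguish OAT-001 Carding and OAT-008 Credential Stuffing from ordinary user error: many distinct card references or usernames from one client IP inside a short window, most of them declined or failed. The log format, the IP addresses, the window length and the thresholds are all assumptions made for the example, not OWASP figures.

```python
"""Flag OAT-001 Carding and OAT-008 Credential Stuffing in authorisation logs.

Added example for this article; not OWASP project code. Assumes a
hypothetical, constructed log line format:
    <epoch_seconds> <client_ip> <auth|login> <identifier> <ok|declined|failed>
where <identifier> is a tokenised card reference for 'auth' events and a
username for 'login' events. Thresholds below are illustrative, not OWASP figures.
"""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"^(\d+) (\S+) (auth|login) (\S+) (ok|declined|failed)$")

WINDOW_SECONDS = 300  # sliding window per client IP (assumed tuning value)

# event type -> (OAT label, min distinct identifiers, min failure ratio)
RULES = {
    "auth": ("OAT-001 Carding", 8, 0.6),
    "login": ("OAT-008 Credential Stuffing", 8, 0.6),
}


def parse(lines):
    """Parse log lines into sorted (ts, ip, event, ident, failed) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, ev, ident, result = m.groups()
            events.append((int(ts), ip, ev, ident, result != "ok"))
    return sorted(events)


def detect(lines, window=WINDOW_SECONDS):
    """Return one finding per (ip, event type) whose sliding window matches a rule.

    A single shopper retrying one card, or one user mistyping a password, keeps
    the distinct-identifier count at 1 and is never flagged, however many declines.
    """
    windows = defaultdict(deque)  # (ip, event) -> deque of (ts, ident, failed)
    findings = {}
    for ts, ip, ev, ident, failed in parse(lines):
        key = (ip, ev)
        w = windows[key]
        w.append((ts, ident, failed))
        while ts - w[0][0] > window:  # drop entries older than the window
            w.popleft()
        label, min_distinct, min_fail = RULES[ev]
        distinct = len({i for _, i, _ in w})
        fail_ratio = sum(f for _, _, f in w) / len(w)
        if distinct >= min_distinct and fail_ratio >= min_fail:
            best = findings.get(key)
            if best is None or distinct > best["distinct"]:
                findings[key] = {"ip": ip, "threat": label, "distinct": distinct,
                                 "attempts": len(w), "fail_ratio": fail_ratio}
    return sorted(findings.values(), key=lambda f: (f["ip"], f["threat"]))


# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = (
    # carder: 12 different stolen cards from one IP inside a minute, 10 declined
    [f"{1700000000 + i * 5} 203.0.113.7 auth card{i:02d} {'ok' if i in (3, 9) else 'declined'}"
     for i in range(12)]
    # credential stuffer: 20 different usernames, 18 failures
    + [f"{1700000100 + i * 2} 198.51.100.23 login user{i:02d} {'ok' if i in (5, 17) else 'failed'}"
       for i in range(20)]
    # legitimate shopper: same card declined twice (wrong expiry) then accepted
    + ["1700000300 192.0.2.10 auth cardABC declined",
       "1700000330 192.0.2.10 auth cardABC declined",
       "1700000360 192.0.2.10 auth cardABC ok",
       # legitimate user mistyping a password twice
       "1700000400 192.0.2.11 login alice failed",
       "1700000410 192.0.2.11 login alice failed",
       "1700000420 192.0.2.11 login alice ok",
       "this line is malformed and is skipped"]
)

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']}: {f['threat']} ({f['distinct']} identifiers, "
              f"{f['attempts']} attempts, {f['fail_ratio']:.0%} failed)")
```

Run as a script it reports the carder and the credential stuffer and stays silent on the two legitimate users. The rule keys on the number of distinct identifiers rather than on failures alone, which is what keeps a shopper retrying one card out of the findings. Its blind spot is the obvious one: an attacker who spreads attempts across many IPs, or spaces them beyond the window, drops below the thresholds, which is why a Detect control of this kind is paired with the Rate, Reputation and Sharing countermeasure classes rather than used on its own.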
Cross References to Other Threat Mappings
Each OAT is cross referenced with other external threat lists to give an understanding of how the OAT Handbook can be integrated with other works.
Example: an OAT definition showing its cross-referenced CAPEC, CWE and WASC threat IDs. The handbook provides this mapping for every OAT.
Links to each of the external classification models:
- Mitre CAPEC - best full and/or partial match CAPEC category IDs and/or attack pattern IDs
- WASC Threat Classification - best match to threat IDs
- Mitre Common Weakness Enumeration - closely related base, class and variant weakness IDs
- Matching pages defining terms classified as Attacks on the OWASP wiki
Conclusion
In conclusion, the OWASP Automated Threat Handbook has become a de facto industry standard for classifying and understanding all aspects of malicious web automation. We can use this handbook to build consideration of automated threats into the secure software development lifecycle of our web properties and to select the appropriate countermeasures against unwanted automation.
OWASP Links
OWASP Automated Threats to Web Applications Home Page