Bots, Fraud, and the OWASP Automated Threats Project (Overview)

Introduction

Many of us have heard of OWASP in the context of the OWASP Top 10. In this article series we will take a look at another very important threat classification list called the OWASP Automated Threats (OAT) Project and provide a foundational overview. The terms Malicious Bot and Automated Threat can be used interchangeably throughout. In future articles we'll dive deeper into individual key threats called OATs and demonstrate how these attacks work and how to defend against them.

Why should we care about the OWASP Automated Threats Project?

Web security is no longer constrained to inadvertent vulnerabilities: attackers also abuse inherent application functionality to conduct automated and manual fraud. Existing technologies are not capable of detecting advanced automated abuse, fraud teams cannot keep up with new fraud mechanisms, and web users are increasingly averse to the authentication friction created by legacy bot defenses such as CAPTCHAs. Since its original release in 2015, the OWASP Automated Threat Handbook has become a de facto industry standard for classifying bots and understanding all aspects of malicious web automation.

What OATs Are Not

- Not another vulnerability list

- Not an OWASP Top N List

- Not threat modelling

- Not attack trees

- Not for non-web systems

- Not for non-application threats

What Are OATs (aka Malicious Bots)?

In order to quantify these threats, it is necessary to be able to name them. OAT stands for OWASP Automated Threat, and there are currently 21 attack vectors defined.

Currently OAT codes 001 to 021 are used. Each OAT definition contains a description, the sectors targeted, the parties affected, the data commonly misused, possible symptoms, suggested countermeasures, and cross mappings to external lists such as CAPEC categories.

Here is the Full List of OATs ordered by ascending name:

| Identifier | OAT Name | Summary Defining Characteristics |
|---|---|---|
| OAT-020 | Account Aggregation | Use by an intermediary application that collects together multiple accounts and interacts on their behalf |
| OAT-019 | Account Creation | Create multiple accounts for subsequent misuse |
| OAT-003 | Ad Fraud | False clicks and fraudulent display of web-placed advertisements |
| OAT-009 | CAPTCHA Defeat | Solve anti-automation tests |
| OAT-010 | Card Cracking | Identify missing start/expiry dates and security codes for stolen payment card data by trying different values |
| OAT-001 | Carding | Multiple payment authorisation attempts used to verify the validity of bulk stolen payment card data |
| OAT-012 | Cashing Out | Buy goods or obtain cash utilising validated stolen payment card or other user account data |
| OAT-007 | Credential Cracking | Identify valid login credentials by trying different values for usernames and/or passwords |
| OAT-008 | Credential Stuffing | Mass log in attempts used to verify the validity of stolen username/password pairs |
| OAT-021 | Denial of Inventory | Deplete goods or services stock without ever completing the purchase or committing to the transaction |
| OAT-015 | Denial of Service | Target resources of the application and database servers, or individual user accounts, to achieve denial of service (DoS) |
| OAT-006 | Expediting | Perform actions to hasten progress of usually slow, tedious or time-consuming actions |
| OAT-004 | Fingerprinting | Elicit information about the supporting software and framework types and versions |
| OAT-018 | Footprinting | Probe and explore application to identify its constituents and properties |
| OAT-005 | Scalping | Obtain limited-availability and/or preferred goods/services by unfair methods |
| OAT-011 | Scraping | Collect application content and/or other data for use elsewhere |
| OAT-016 | Skewing | Repeated link clicks, page requests or form submissions intended to alter some metric |
| OAT-013 | Sniping | Last minute bid or offer for goods or services |
| OAT-017 | Spamming | Malicious or questionable information addition that appears in public or private content, databases or user messages |
| OAT-002 | Token Cracking | Mass enumeration of coupon numbers, voucher codes, discount tokens, etc. |
| OAT-014 | Vulnerability Scanning | Crawl and fuzz application to identify weaknesses and possible vulnerabilities |

Automated Threats Breakdown By Industry

Within each OAT definition there is a section listing the Sectors Targeted by that particular attack vector. For example, a Carding attack would be seen on ecommerce and retail sites with payment card processing, where an attacker can validate a list of stolen card numbers and separate the working ones from the non-working ones.

Figure: the OAT-001 Carding definition, highlighting its "Sectors Targeted" section. This section exists for each attack definition.

OWASP Defined Countermeasures

Countermeasure Classes:

The technology- and vendor-agnostic countermeasure classes group together the types of design, development and operational controls, identified from research, that are being used to partially or fully mitigate the likelihood and/or impact of automated threats to web applications. In all applications, builder-defender collaboration is key to controlling and mitigating automated threats – the best protected applications do not rely solely upon standalone external operational protections, but also have protection built into the design. As with other types of application security threat, it is important to build consideration of automated threats into multiple phases of a secure software development lifecycle (S-SDLC).

The 14 countermeasure classes are:

- Value

- Authentication

- Requirements

- Rate

- Testing

- Monitoring

- Capacity

- Instrumentation

- Obfuscation

- Contract

- Fingerprinting

- Response

- Reputation

- Sharing

Countermeasure Controls

Countermeasures are controls that attempt to mitigate the identified automated threats in three ways:

  1. Prevent - Controls to reduce the susceptibility to automated threats

  2. Detect - Controls to identify whether a user is an automated process rather than a human, and/or to identify if an automated attack is occurring, or occurred in the past

  3. Recover - Controls to assist response to incidents caused by automated threats, including to mitigate the impact of the attack and to assist return of the application to its normal state.
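To make the Detect and Recover controls concrete, here is an added example (written for this article; it is not OWASP's code nor anything from the handbook) that runs simple per-source heuristics over constructed login-log lines and flags the symptoms of two OATs from the list above: OAT-008 Credential Stuffing (many distinct usernames from one source, almost all failing) and OAT-007 Credential Cracking (many attempts against a few usernames from one source). The log format, the thresholds, and the IP addresses are assumptions.

```python
"""
Added 'Detect' control illustrating OAT-008 (Credential Stuffing) and
OAT-007 (Credential Cracking) symptoms in login logs.  Example code for
this article, not from OWASP; log format, thresholds and addresses are
assumptions, and SAMPLE_LOG is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Constructed sample log: "<ISO timestamp> <source IP> <username> <outcome>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-01-01T10:00:00Z 203.0.113.7 alice FAIL
2025-01-01T10:00:01Z 203.0.113.7 bob FAIL
2025-01-01T10:00:02Z 203.0.113.7 carol FAIL
2025-01-01T10:00:03Z 203.0.113.7 dave FAIL
2025-01-01T10:00:04Z 203.0.113.7 erin FAIL
2025-01-01T10:00:05Z 203.0.113.7 frank OK
2025-01-01T10:00:06Z 203.0.113.7 grace FAIL
2025-01-01T10:00:07Z 203.0.113.7 heidi FAIL
2025-01-01T10:00:08Z 203.0.113.7 ivan FAIL
2025-01-01T10:00:09Z 203.0.113.7 judy FAIL
2025-01-01T10:01:00Z 198.51.100.4 alice FAIL
2025-01-01T10:01:20Z 198.51.100.4 alice FAIL
2025-01-01T10:01:35Z 198.51.100.4 alice OK
2025-01-01T10:02:00Z 192.0.2.9 admin FAIL
2025-01-01T10:02:01Z 192.0.2.9 admin FAIL
2025-01-01T10:02:02Z 192.0.2.9 admin FAIL
2025-01-01T10:02:03Z 192.0.2.9 admin FAIL
2025-01-01T10:02:04Z 192.0.2.9 admin FAIL
2025-01-01T10:02:05Z 192.0.2.9 admin FAIL
2025-01-01T10:02:06Z 192.0.2.9 admin FAIL
2025-01-01T10:02:07Z 192.0.2.9 admin FAIL
2025-01-01T10:02:08Z 192.0.2.9 root FAIL
2025-01-01T10:02:09Z 192.0.2.9 root FAIL
"""


@dataclass
class SourceStats:
    """Per-source-IP login statistics accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: Set[str] = field(default_factory=set)
    successes: Set[str] = field(default_factory=set)  # accounts that logged in OK
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def aggregate_by_source(log_text: str) -> Dict[str, SourceStats]:
    """Collect per-source-IP statistics (Monitoring/Instrumentation classes)."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return dict(stats)


def classify_sources(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_attempts: int = 10) -> Dict[str, dict]:
    """Return {ip: finding} for sources whose pattern matches an OAT.

    Thresholds are assumptions chosen for illustration; tune per application.
    The 'review_accounts' list supports the Recover control: accounts that
    authenticated during a stuffing run should be checked for takeover.
    """
    findings: Dict[str, dict] = {}
    for ip, s in aggregate_by_source(log_text).items():
        if s.attempts < min_attempts or (s.last_seen - s.first_seen) > window:
            continue  # too little activity, or spread beyond the window
        fail_ratio = s.failures / s.attempts
        distinct = len(s.usernames)
        if distinct >= 8 and fail_ratio >= 0.8:
            # Many different usernames, nearly all failing: a stolen list being replayed.
            findings[ip] = {"oat": "OAT-008", "name": "Credential Stuffing",
                            "attempts": s.attempts, "distinct_users": distinct,
                            "review_accounts": sorted(s.successes)}
        elif distinct <= 3 and fail_ratio >= 0.9:
            # Few usernames, many attempts: password guessing against specific accounts.
            findings[ip] = {"oat": "OAT-007", "name": "Credential Cracking",
                            "attempts": s.attempts, "distinct_users": distinct,
                            "review_accounts": sorted(s.usernames)}
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_LOG).items():
        print(ip, finding)
```

The legitimate user at 198.51.100.4 (two typos, then success) stays below the attempt threshold and is not flagged, which is the point of the Rate-style threshold: a Detect control should separate automation from ordinary human error rather than punish every failed login.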

Cross References to Other Threat Mappings

Each OAT is cross referenced with other external threat lists to provide an understanding of how the OAT Handbook can be integrated with other works.

Figure: an OAT definition showing its cross-referenced CAPEC, CWE, and WASC threat IDs.

Source: OWASP Automated Threats to Web Applications, cross-referenced attack IDs

You can find links to each of the external classification models below:

- Mitre CAPEC - best full and/or partial match CAPEC category IDs and/or attack pattern IDs

- WASC Threat Classification - best match to threat IDs

- Mitre Common Weakness Enumeration - closely related base, class and variant weakness IDs

- Matching pages defining terms classified as Attacks on the OWASP wiki

Conclusion

In conclusion, the OWASP Automated Threat Handbook has become a de facto industry standard for classifying and understanding all aspects of malicious web automation. We can use this handbook to build secure software development lifecycles around our web properties and implement the appropriate countermeasures to prevent unwanted automation against them.

OWASP Links

- OWASP Automated Threats to Web Applications Home Page

- OWASP Automated Threats Identification Chart

- OWASP Automated Threats to Web Applications Handbook

Updated Sep 17, 2025
Version 7.0