OWASP Automated Threats - Credential Stuffing (OAT-008)

Introduction:

In this OWASP Automated Threat Article we'll be highlighting OAT-008 Credentials Stuffing with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how Credential Stuffing works with Automation Tools to validate lists of stolen credentials leading to manual Account Takeover and Fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

Credential Stuffing Description:

Lists of authentication credentials stolen from elsewhere are tested against the application’s authentication mechanisms to identify whether users have re-used the same login credentials. The stolen usernames (often email addresses) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps. Unlike OAT-007 Credential Cracking, Credential Stuffing does not involve any bruteforcing or guessing of values; instead credentials used in other applications are being tested for validity

Likelihood & Severity

Credential stuffing is one of the most common techniques used to take-over user accounts.
Credential stuffing is dangerous to both consumers and enterprises because of the ripple effects of these breaches.

Anatomy of Attack

The attacker acquires usernames and passwords from a website breach, phishing attack, password dump site.
The attacker uses automated tools to test the stolen credentials against many websites (for instance, social media sites, online marketplaces, or web apps).
If the login is successful, the attacker knows they have a set of valid credentials.

Now the attacker knows they have access to an account. Potential next steps include:

Draining stolen accounts of stored value or making purchases.
Accessing sensitive information such as credit card numbers, private messages, pictures, or documents.
Using the account to send phishing messages or spam.
Selling known-valid credentials to one or more of the compromised sites for other attackers to use.

OWASP Automated Threat (OAT) Identity Number

OAT-008

Threat Event Name

Credential Stuffing

Summary Defining Characteristics

Mass log in attempts used to verify the validity of stolen username/password pairs.

OAT-008 Attack Demographics:

Sectors Targeted	Parties Affected	Data Commonly Misused	Other Names and Examples	Possible Symptoms
Entertainment	Many Users	Authentication Credentials	Account Checker Attack	Sequential login attempts with different credentials from the same HTTP client (based on IP, User Agent, device, fingerprint, patterns in HTTP headers, etc.)
Financial	Application Owner		Account Checking	High number of failed login attempts
Government			Account Takeover	Increased customer complaints of account hijacking through help center or social media outlets
Retail			Login Stuffing
Social Networking			Password List Attack
			Password re-use
			Use of Stolen Credentials

Credential Stuffing Demo:

In this demo we will be showing how attackers leverage automation tools with increasing sophistication to execute credential stuffing against the sign in page of a web application. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.

In Conclusion:

A common truism in the security industry says that there are two types of companies—those that have been breached, and those that just don’t know it yet. As of 2022, we should be updating that to something like “There are two types of companies—those that acknowledge the threat of credential stuffing and those that will be its victims.”

Credential stuffing will be a threat so long as we require users to log in to accounts online. The most comprehensive way to prevent credential stuffing is to use an anti-automation platform.