In this OWASP Automated Threat Article we'll be highlighting OAT-008 Credential Stuffing with some basic threat information as well as a recorded demo to dive deeper into the concepts. In our demo we'll show how Credential Stuffing works with automation tools to validate lists of stolen credentials, leading to manual Account Takeover and Fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.
Credential Stuffing Description:
Lists of authentication credentials stolen from elsewhere are tested against the application's authentication mechanisms to identify whether users have re-used the same login credentials. The stolen usernames (often email addresses) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps. Unlike OAT-007 Credential Cracking, Credential Stuffing does not involve any brute-forcing or guessing of values; instead, credentials used in other applications are tested for validity.
Likelihood & Severity
Credential stuffing is one of the most common techniques used to take over user accounts.
Credential stuffing is dangerous to both consumers and enterprises because of the ripple effects of these breaches.
Anatomy of Attack
The attacker acquires usernames and passwords from a website breach, a phishing attack, or a password dump site.
The attacker uses automated tools to test the stolen credentials against many websites (for instance, social media sites, online marketplaces, or web apps).
If the login is successful, the attacker knows they have a set of valid credentials.
Now the attacker knows they have access to an account. Potential next steps include:
Draining stolen accounts of stored value or making purchases.
Accessing sensitive information such as credit card numbers, private messages, pictures, or documents.
Using the account to send phishing messages or spam.
Selling known-valid credentials to one or more of the compromised sites for other attackers to use.
Summary: Mass login attempts used to verify the validity of stolen username/password pairs.
OAT-008 Attack Demographics:
Data Commonly Misused: Authentication credentials (username or email address and password pairs)
Other Names and Examples: Account Checker Attack, Password List Attack, Use of Stolen Credentials
Possible Symptoms:
Sequential login attempts with different credentials from the same HTTP client (based on IP, User Agent, device, fingerprint, patterns in HTTP headers, etc.)
High number of failed login attempts
Increased customer complaints of account hijacking through help center or social media outlets
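As an added example (not code from the original article or from F5's product), the Python script below applies the symptoms listed above to constructed login log lines: it groups attempts by a simple client fingerprint (IP address plus User-Agent, standing in for the richer device fingerprints mentioned), flags clients that cycle through many distinct usernames with a high failure rate, and separates that pattern from OAT-007 credential cracking, where one username is hit with many passwords. It also lists the accounts a flagged client actually got into, which are the takeover candidates from the attack anatomy. The log format, thresholds and sample lines are assumptions made for illustration.

```python
"""Flag credential-stuffing traffic in web-server login logs (added example).

Heuristic follows the OAT-008 symptoms: one HTTP client cycling through many
*different* usernames with a high failure rate. OAT-007 credential cracking
looks different: many attempts against one or two usernames.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (one login POST per line):
#   <timestamp> <client_ip> "<user_agent>" POST /login user=<name> status=<code>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" POST /login '
    r'user=(?P<user>\S+) status=(?P<status>\d{3})$'
)

# Illustrative thresholds; tune against your own baseline traffic.
MIN_ATTEMPTS = 5        # too little traffic to judge below this
MIN_DISTINCT_USERS = 5  # stuffing rotates usernames; cracking does not
MIN_FAILURE_RATE = 0.8  # most entries in a stolen list no longer work

# Constructed sample traffic, not real data: one stuffing client, one
# cracking client, one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 "python-requests/2.31.0" POST /login user=alice@example.com status=401
2024-05-01T10:00:01Z 203.0.113.7 "python-requests/2.31.0" POST /login user=bob@example.com status=401
2024-05-01T10:00:02Z 203.0.113.7 "python-requests/2.31.0" POST /login user=carol@example.com status=401
2024-05-01T10:00:03Z 203.0.113.7 "python-requests/2.31.0" POST /login user=dave@example.com status=401
2024-05-01T10:00:04Z 203.0.113.7 "python-requests/2.31.0" POST /login user=erin@example.com status=200
2024-05-01T10:00:05Z 203.0.113.7 "python-requests/2.31.0" POST /login user=frank@example.com status=401
2024-05-01T10:00:06Z 203.0.113.7 "python-requests/2.31.0" POST /login user=grace@example.com status=401
2024-05-01T10:00:07Z 203.0.113.7 "python-requests/2.31.0" POST /login user=heidi@example.com status=401
2024-05-01T10:00:08Z 203.0.113.7 "python-requests/2.31.0" POST /login user=ivan@example.com status=401
2024-05-01T10:00:09Z 203.0.113.7 "python-requests/2.31.0" POST /login user=judy@example.com status=401
2024-05-01T10:00:10Z 198.51.100.23 "curl/8.4.0" POST /login user=admin@example.com status=401
2024-05-01T10:00:11Z 198.51.100.23 "curl/8.4.0" POST /login user=admin@example.com status=401
2024-05-01T10:00:12Z 198.51.100.23 "curl/8.4.0" POST /login user=admin@example.com status=401
2024-05-01T10:00:13Z 198.51.100.23 "curl/8.4.0" POST /login user=admin@example.com status=401
2024-05-01T10:00:14Z 198.51.100.23 "curl/8.4.0" POST /login user=admin@example.com status=401
2024-05-01T10:00:15Z 198.51.100.23 "curl/8.4.0" POST /login user=admin@example.com status=401
2024-05-01T10:00:16Z 192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0" POST /login user=dave@example.com status=401
2024-05-01T10:00:20Z 192.0.2.55 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0" POST /login user=dave@example.com status=200
"""


@dataclass
class ClientStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    validated: list = field(default_factory=list)  # usernames that got a 200

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> dict:
    """Group login attempts by client fingerprint (ip, user_agent)."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a login event in the assumed format
        s = stats[(m["ip"], m["ua"])]
        s.attempts += 1
        s.users.add(m["user"])
        if m["status"] == "200":
            s.validated.append(m["user"])
        else:
            s.failures += 1
    return stats


def classify(s: ClientStats) -> str:
    """Return 'credential-stuffing', 'credential-cracking' or 'normal'."""
    if s.attempts < MIN_ATTEMPTS:
        return "normal"
    if len(s.users) >= MIN_DISTINCT_USERS and s.failure_rate >= MIN_FAILURE_RATE:
        return "credential-stuffing"
    if len(s.users) <= 2 and s.failure_rate >= MIN_FAILURE_RATE:
        return "credential-cracking"
    return "normal"


def analyze(text: str) -> dict:
    """Map each (ip, user_agent) client to (verdict, ClientStats)."""
    return {key: (classify(s), s) for key, s in parse_log(text).items()}


def validated_accounts(text: str) -> list:
    """Accounts a stuffing client logged into: the account-takeover candidates."""
    return sorted(user for verdict, s in analyze(text).values()
                  if verdict == "credential-stuffing" for user in s.validated)


if __name__ == "__main__":
    for (ip, ua), (verdict, s) in analyze(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict:21} attempts={s.attempts} "
              f"distinct_users={len(s.users)} failure_rate={s.failure_rate:.2f}")
    print("accounts to force-reset:", validated_accounts(SAMPLE_LOG))
```

The fingerprint key is deliberately the weakest part of the script: a distributed attack that rotates residential proxies and browser-like User-Agents spreads the same attempt volume across thousands of keys, each of which stays under MIN_ATTEMPTS. That is why the symptom list above mentions device fingerprints and header patterns, and why the site-wide "high number of failed login attempts" signal should be watched alongside any per-client rule.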
Credential Stuffing Demo:
In this demo we will be showing how attackers leverage automation tools with increasing sophistication to execute credential stuffing against the sign in page of a web application. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.
A common truism in the security industry says that there are two types of companies—those that have been breached, and those that just don’t know it yet. As of 2022, we should be updating that to something like “There are two types of companies—those that acknowledge the threat of credential stuffing and those that will be its victims.”
Credential stuffing will be a threat so long as we require users to log in to accounts online. The most comprehensive way to prevent credential stuffing is to use an anti-automation platform.