on 30-Aug-2022 05:00
In this OWASP Automated Threat Article we'll be highlighting OAT-008 Credential Stuffing with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how Credential Stuffing works with automation tools to validate lists of stolen credentials, leading to manual Account Takeover and Fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.
Lists of authentication credentials stolen from elsewhere are tested against the application's authentication mechanisms to identify whether users have re-used the same login credentials. The stolen username (often an email address) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps. Unlike OAT-007 Credential Cracking, Credential Stuffing does not involve any brute-forcing or guessing of values; instead, credentials already valid in other applications are tested for validity against this one.
Now the attacker knows they have access to an account. Potential next steps include:
Credential Stuffing
Mass log in attempts used to verify the validity of stolen username/password pairs.
| Sectors Targeted | Parties Affected | Data Commonly Misused | Other Names and Examples | Possible Symptoms |
|---|---|---|---|---|
| Entertainment | Many Users | Authentication Credentials | Account Checker Attack | Sequential login attempts with different credentials from the same HTTP client (based on IP, User Agent, device, fingerprint, patterns in HTTP headers, etc.) |
| Financial | Application Owner | | Account Checking | High number of failed login attempts |
| Government | | | Account Takeover | Increased customer complaints of account hijacking through help center or social media outlets |
| Retail | | | Login Stuffing | |
| Social Networking | | | Password List Attack | |
| | | | Password re-use | |
| | | | Use of Stolen Credentials | |
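The "Possible Symptoms" column above is what a detection rule can key on: many different usernames tried in sequence from one HTTP client, each roughly once, with a high failure rate. The following Python is an added example written for this article (it is not F5's or OWASP's code) that runs that logic over a few constructed authentication log lines and, because the description contrasts OAT-008 with OAT-007, also separates the two by their shape: stuffing is many accounts with about one attempt each, cracking is one account with many attempts. The log format, the client key (IP plus User-Agent token), the window size and every threshold are illustrative assumptions.

```python
"""Flag credential-stuffing (OAT-008) versus credential-cracking (OAT-007) patterns in auth logs.

Added example for the OWASP OAT-008 article; the log format and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <client ip> <user-agent token> <username> <OK|FAIL>".
# 203.0.113.7 walks a stolen list (one try per account, one hit); 198.51.100.9 hammers a
# single account; 192.0.2.5 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2022-08-30T05:00:01Z 203.0.113.7 UA-checker alice@example.com FAIL
2022-08-30T05:00:02Z 203.0.113.7 UA-checker bob@example.com FAIL
2022-08-30T05:00:03Z 203.0.113.7 UA-checker carol@example.com FAIL
2022-08-30T05:00:04Z 203.0.113.7 UA-checker dave@example.com OK
2022-08-30T05:00:05Z 203.0.113.7 UA-checker erin@example.com FAIL
2022-08-30T05:00:06Z 203.0.113.7 UA-checker frank@example.com FAIL
2022-08-30T05:00:07Z 203.0.113.7 UA-checker grace@example.com FAIL
2022-08-30T05:00:08Z 203.0.113.7 UA-checker heidi@example.com FAIL
2022-08-30T05:01:00Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:01:01Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:01:02Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:01:03Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:01:04Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:01:05Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:01:06Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:01:07Z 198.51.100.9 UA-cracker admin@example.com FAIL
2022-08-30T05:02:00Z 192.0.2.5 UA-browser ivan@example.com FAIL
2022-08-30T05:02:20Z 192.0.2.5 UA-browser ivan@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")

# Illustrative thresholds (assumptions, tune against real traffic).
WINDOW_SECONDS = 300          # look at one client's attempts within a 5-minute window
MIN_ATTEMPTS = 6              # below this, do not classify at all
MIN_FAIL_RATIO = 0.75         # both behaviours are mostly failures
MIN_DISTINCT_USERS = 5        # stuffing: many different accounts ...
MAX_ATTEMPTS_PER_USER = 1.5   # ... each tried about once
MAX_USERS_FOR_CRACKING = 2    # cracking: one or two accounts, many guesses


@dataclass
class Attempt:
    ts: datetime
    client: str   # "ip|user-agent": the "same HTTP client" key from the symptoms column
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log shape into Attempt records, skipping malformed lines."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, ua, user, result = m.groups()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                f"{ip}|{ua}", user, result == "OK"))
    return attempts


def classify(window):
    """Return 'credential_stuffing', 'credential_cracking' or None for one client's window."""
    n = len(window)
    if n < MIN_ATTEMPTS:
        return None
    fails = sum(1 for a in window if not a.ok)
    if fails / n < MIN_FAIL_RATIO:
        return None
    per_user = Counter(a.user for a in window)
    distinct = len(per_user)
    # OAT-008: a list of accounts, each tested roughly once.
    if distinct >= MIN_DISTINCT_USERS and n / distinct <= MAX_ATTEMPTS_PER_USER:
        return "credential_stuffing"
    # OAT-007: few accounts, many password guesses against each.
    if distinct <= MAX_USERS_FOR_CRACKING and max(per_user.values()) >= MIN_ATTEMPTS:
        return "credential_cracking"
    return None


def detect(log_text, window_seconds=WINDOW_SECONDS):
    """Slide a time window over each client's attempts; report the first window that matches.

    The report lists accounts that succeeded, since those are the ones an attacker can now
    take over manually and the ones the response team must act on first.
    """
    by_client = defaultdict(list)
    for a in parse_log(log_text):
        by_client[a.client].append(a)
    window = timedelta(seconds=window_seconds)
    findings = {}
    for client, attempts in by_client.items():
        attempts.sort(key=lambda a: a.ts)
        for i in range(len(attempts)):
            j = i
            while j < len(attempts) and attempts[j].ts - attempts[i].ts <= window:
                j += 1
            chunk = attempts[i:j]
            kind = classify(chunk)
            if kind:
                findings[client] = {
                    "type": kind,
                    "attempts": len(chunk),
                    "distinct_users": len({a.user for a in chunk}),
                    "succeeded": sorted({a.user for a in chunk if a.ok}),
                }
                break
    return findings


if __name__ == "__main__":
    for client, finding in detect(SAMPLE_LOG).items():
        print(client, finding)
```

Run as a script it prints one finding per suspicious client; the ordinary user at 192.0.2.5 never reaches the attempt threshold and is not reported. In production the client key would come from the device fingerprint or header patterns the symptoms column mentions rather than IP alone, since a stuffing tool typically rotates proxies.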
In this demo we will be showing how attackers leverage automation tools of increasing sophistication to execute credential stuffing against the sign-in page of a web application. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.
A common truism in the security industry says that there are two types of companies—those that have been breached, and those that just don’t know it yet. As of 2022, we should be updating that to something like “There are two types of companies—those that acknowledge the threat of credential stuffing and those that will be its victims.”
Credential stuffing will be a threat so long as we require users to log in to accounts online. The most comprehensive way to prevent credential stuffing is to use an anti-automation platform.
OWASP Automated Threats to Web Applications Home Page
OWASP Automated Threats Identification Chart
OWASP Automated Threats to Web Applications Handbook
F5 Labs "I Was a Human CAPTCHA Solver"
The OWASP Automated Threats Project
OWASP Automated Threats - CAPTCHA Defeat (OAT-009)
How Attacks Evolve From Bots to Fraud Part: 1
How Attacks Evolve From Bots to Fraud Part: 2
F5 Distributed Cloud Bot Defense
F5 Labs 2021 Credential Stuffing Report