OAT-019 Account Creation

This is an automated threat. To view all automated threats, please see the Automated Threat Category page. The OWASP Automated Threat Handbook - Wed Applications (, print), an output of the OWASP Automated Threats to Web Applications Project, provides a fuller guide to each threat, detection methods and countermeasures. The helps to correctly identify the automated threat.

OWASP Automated Threat (OAT) Identity Number
OAT-019

Threat Event Name
Account Creation

Summary Defining Characteristics
Create multiple accounts for subsequent misuse.

Description
Bulk account creation, and sometimes profile population, by using the application's account sign-up processes. The accounts are subsequently misused for generating content spam, laundering cash and goods, spreading malware, a ecting reputation, causing mischief, and skewing search engine optimisation (SEO), reviews and surveys.

Account Creation generates new accounts - see OAT-007 Credential Cracking and OAT-008 Credential Stuffing for threat events that use existing accounts.

Other Names and Examples
Account pharming; Fake account; Fake social media account creation; Impersonator bot; Massive account registration; New account creation; Registering many user accounts

CAPEC Category / Attack Pattern IDs

 * 210 Abuse of Functionality

CWE Base / Class / Variant IDs

 * 799 Improper Control of Interaction Frequency
 * 837 Improper Enforcement of a Single, Unique Action
 * 841 Improper Enforcement of Behavioral Workflow

WASC Threat IDs

 * 21 Insufficient Anti-Automation
 * 42 Abuse of Functionality

OWASP Attack Category / Attack IDs

 * Abuse of Functionality