OWASP Automated Threats to Web Applications

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

Automated Threats to Web Applications
Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Some examples commonly referred to are:


 * Account enumeration
 * Click fraud
 * Comment spam
 * Content scraping
 * Data aggregation
 * Email address harvesting
 * Fake account creation
 * Password cracking
 * Payment card testing
 * Site crawling
 * Transaction automation

Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

Licensing
All the materials are free to use. They are licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

&copy; OWASP Foundation


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

What Is This?
Information and resources to help web application owners defend against automated threats

What Isn't It?

 * Another vulnerability list
 * Threat modelling
 * Attack trees
 * Non web
 * Non application

Project Objective
This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

Project Leader
[mailto:colin.watson@owasp.org Colin Watson]

Contributors
Please help and your name can appear here. The project needs web application owner's threat information and reviewers.

Related Projects

 * OWASP ModSecurity Core Rule Set Project
 * OWASP AppSensor Project


 * valign="top" style="padding-left:25px;width:200px;" |

News and Events

 * [20 May 2015] Meeting at project summit in Amsterdam
 * [27 Feb 2015] Work underway on the ontology

Classifications

 * }

=Ontology=

Work is currently underway on identifying automated threats to web applications, and determining the primary name used. This first part of the project intends to produce a consistent vocabulary for discussing the threats before moving onto other aspects.

= Project Scope and Definitions =

Automated Threats to Web Applications
Threat events to web applications undertaken using automated actions.

An attack that can be achieved without the web is out of scope.

Glossary

 * Action
 * An act taken against an asset by a threat agent. Requires first that contact occurs between the asset and threat agent (Ref 1)


 * Application
 * Software that performs a business process i.e. not system software (Ref 2)


 * Application layer
 * "Layer 7” in the OSI model (Ref 3) and “application layer” in the TCP/IP model (Ref 4)


 * Threat
 * Anything that is capable of acting in a manner resulting in harm to an asset and/or organization; for example, acts of God (weather, geological events, etc.); malicious actors; errors; failures (Ref 1)


 * Threat Agent
 * Any agent (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm (Ref 1)


 * Threat Event
 * Occurs when a threat agent acts against an asset (Ref 1)


 * Web
 * The World Wide Web (WWW, or simply Web) is an information space in which the items of interest, referred to as resources, are identified by global identifiers called Uniform Resource Identifiers (URI) (Ref 5)
 * The first three specifications for Web technologies defined URLs, HTTP, and HTML (Ref 6)


 * Web application
 * An application delivered over the web

Glossary references:
 * 1) Risk Taxonomy, Technical Standard, The Open Group, 2009
 * 2) [NIST SP-800-37 “A software program hosted by an information system”, see NISTIR 7298 rev 2, NIST
 * 3) OSI model, Wikipedia
 * 4) TCP/IP model, Wikipedia
 * 5) Architecture of the World Wide Web, Volume One, W3C
 * 6) Help and FAQ, W3C

= Project Bibliography =


 * 2012 Payment Card Threat Report	 https://www.securitymetrics.com/static/resources/orange/2012%20Payment%20Card%20Threat%20Report%20copy.pdf
 * 2014 Bot Traffic Report: Just the Droids You were Looking for	 http://www.incapsula.com/blog/bot-traffic-report-2014.html
 * 3 Types of ‘Return Fraud’ to Monitor this Holiday Season	 http://www.practicalecommerce.com/articles/3168-3-Types-of-%E2%80%98Return-Fraud-to-Monitor-this-Holiday-Season
 * A CAPTCHA in the Rye	 Hacker Intelligence Initiative	 Imperva	 http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf
 * A cheesy Apache / IIS DoS vuln (+a question) 	 http://www.securityfocus.com/archive/1/456339/30/0/threaded
 * Abusing HTML 5 Structured Client-side Storage	2008	 http://packetstorm.wowhacker.com/papers/general/html5whitepaper.pdf
 * An Anatomy of a SQL Injection Attack	 Hacker Intelligence Initiative	 Imperva	 	 http://www.imperva.com/docs/HII_An_Anatomy_of_a_SQL_Injection_Attack_SQLi.pdf
 * An Investigation into the Detection and Mitigation of Denial of Service (DoS) Attacks	 http://www.springer.com/gb/book/9788132202769
 * Anatomy of comment spam	 Hacker Intelligence Initiative	 Imperva	 http://www.imperva.com/docs/HII_Anatomy_of_Comment_Spam.pdf
 * Anti-Automation Monitoring and Prevention	2015	 https://www.clerkendweller.uk/2015/1/29/AntiAutomation-Monitoring-and-Prevention
 * Anti-DDoS Solution for Internet Corporation	 http://www.nsfocus.com/uploadfile/Solution/NSFOCUS%20Anti-DDoS%20Solution%20for%20Internet%20Corporation.pdf
 * Anti-Fraud Principles and Proposed Taxonomy	 Sep 2014	 http://www.iab.net/media/file/IAB_Anti_Fraud_Principles_and_Taxonomy.pdf
 * Apache Security	 Ivan Ristic
 * Attack & Defense Labs	 http://www.andlabs.org/html5.html
 * Attack categories	 OWASP	 https://www.owasp.org/index.php/Category:Attack
 * Attacking with HTML5	2010	 https://media.blackhat.com/bh-ad-10/Kuppan/Blackhat-AD-2010-Kuppan-Attacking-with-HTML5-wp.pdf
 * Automated attacks	 Hacker Intelligence Initiative	 Imperva	 http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
 * Avoiding the Top 10 Software Security Design Flaws	 http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
 * Bad Bots On The Rise	 Dec 2014	 http://www.darkreading.com/informationweek-home/bad-bots-on-the-rise/d/d-id/1318276
 * Blocking Brute Force Attacks	 http://www.cs.virginia.edu/~csadmin/gen_support/brute_force.php
 * Bot Traffic Growing Problem for Digital	 Oct 2014	 http://www.netnewscheck.com/article/36537/bot-traffic-growing-problem-for-digital
 * BotoPedia	 Incapsula	 http://www.botopedia.org/
 * Boy in the Browser	 Imperva	 http://www.imperva.com/DefenseCenter/ThreatAdvisories/Boy_in_the_Browser
 * Bypassing Client Application Protection Techniques	 http://www.securiteam.com/securityreviews/6S0030ABPE.html
 * Characterizing Large Scale Click fraud	 http://cseweb.ucsd.edu/~voelker/pubs/za-ccs14.pdf
 * Common Cyber Attacks: Reducing the Impact	 CERT-UK	 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
 * Corporate espionage – the internet’s new growth industry	 http://www.itproportal.com/2015/03/19/corporate-espionage-internets-new-growth-industry/
 * CSA Top Threats to Cloud Computing	 https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
 * CSRF vulnerability in GMail service	 http://seclists.org/fulldisclosure/2009/Mar/29
 * Cyber Fraud - Tactics	 Techniques and Procedures	 http://www.crcpress.com/product/isbn/9781420091274
 * Data Breach Investigations Report (DBIR)	 http://www.verizonenterprise.com/DBIR/
 * Data Breaches Fuel Login Attacks	 Akamai	 Feb 2015	 http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-threat-advisory-public-data-breaches-fuel-login-attacks.pdf
 * Data Scraping	 Wikipedia	 http://en.wikipedia.org/wiki/Data_scraping
 * DDoS Quick Guide	 https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf
 * Defending Against Application-Based DDoS Attacks with the Barracuda Web Application Firewall	 https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_Defending%20_Against_%20Application-Based_%20DDoS_%20Attacks.pdf
 * Demystifying HTML 5 Attacks	 http://resources.infosecinstitute.com/demystifying-html-5-attacks/
 * Denial of Service Attacks: A Comprehensive Guide to Trends	 Techniques	 and Technologies	 Hacker Intelligence Initiative	 Imperva	 http://www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf
 * Detecting and Blocking Site Scraping Attacks	 Imperva	 http://www.imperva.com/docs/WP_Detecting_and_Blocking_Site_Scraping_Attacks.pdf
 * Detecting Automation of Twitter Accounts: Are you a human	 cyborg	 or a bot?	 http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf
 * Detecting Malice	 Robert "RSnake" Hansen	2009	 http://www.detectmalice.com/
 * Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) 	 http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1414072277428&uri=CELEX:32002L0058
 * Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data 	 http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:31995L0046
 * Distributed Denial-of-Service (DDoS) Cyber-Attacks	 Risk Mitigation	 and Additional Resources	 Federal Financial Institutions Examination Council	 http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf
 * Do Evil - The Business of Social Media Bots	 Forbes	 http://www.forbes.com/sites/lutzfinger/2015/02/17/do-evil-the-business-of-social-media-bots/
 * DoS and DDoS Glossary of Terms	 prolexic	 http://www.prolexic.com/knowledge-center-dos-and-ddos-glossary.html#layer-7-ddos-attack
 * E-commerce Malware	 Trustwave	 https://gsr.trustwave.com/topics/placeholder-topic/e-commerce-malware/
 * How to Defend Against DDoS Attacks - Strategies for the Network	 Transport	 and Application Layers	 Prolexic	 http://www.prolexic.com/kcresources/white-paper/strategies-for-the-network-transport-and-application-layers-412/Strategies_for_the_Network_Transport_and_Application_Layers_Prolexic_White_Paper_A4_082412.pdf
 * How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores	 http://research.microsoft.com/pubs/145858/caas-oakland-final.pdf
 * HTML5 Overview	 A look at HTML5 Attack Scenarios	 Trend Micro	2011	 http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_html5-attack-scenarios.pdf
 * HTML5 Top 10 Threats Stealth Attacks and Silent Exploits	2012	 https://media.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-WP.pdf
 * HTML5 web security	2011	 http://media.hacking-lab.com/hlnews/HTML5_Web_Security_v1.0.pdf
 * HTTPPOST - Slow POST	 Wong Onn Chee	 OWASP AppSec DC 2010	 https://www.owasp.org/images/4/43/Layer_7_DDOS.pdf
 * Is Your Data Center Ready for Today’s DDoS Threats? DDoS attack types	 protection methods and testing your detection and mitigation defenses	 http://www.fortinet.com/sites/default/files/whitepapers/WP-DDoS-Testing.pdf
 * Joomla Reflection DDoS-for-Hire	 Akamai	 Feb 2015	 http://www.stateoftheinternet.com/downloads/pdfs/2015-state-of-the-internet-threat-advisory-joomla-reflection-attack-ddos-for-hire.pdf
 * Layer 7 DDOS – Blocking HTTP Flood Attacks	 http://blog.sucuri.net/2014/02/layer-7-ddos-blocking-http-flood-attacks.html
 * Lenovo	 Superfish put smut on my system' – class-action lawsuit	 The Register	 http://www.theregister.co.uk/2015/02/23/lenovo_superfish_class_action_lawsuit/
 * Man in the Browser	 http://scisweb.ulster.ac.uk/~kevin/IJACI-Vol4No1-maninbrowser.pdf
 * Man in the Browser Attack	 https://www.owasp.org/index.php/Man-in-the-browser_attack
 * Massive Changes in the Criminal Landscape	 Europol	2015	 https://www.europol.europa.eu/content/massive-changes-criminal-landscape
 * Mitigating DDoS Attacks with F5 Technology	 F5	 https://f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology
 * ModSecurity Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks	 https://www.trustwave.com/Resources/SpiderLabs-Blog/(Updated)-ModSecurity-Advanced-Topic-of-the-Week--Mitigating-Slow-HTTP-DoS-Attacks/
 * New Wave of DDoS Attacks Launched	 BankInfoSecurity.com	 Mar 2013	 http://www.bankinfosecurity.com/new-wave-ddos-attacks-launched-a-5584/op-1
 * NOMAD: Toward Non-Invasive Moving Target Defense Against Web Bots	 http://faculty.cs.tamu.edu/guofei/paper/NOMAD_CNS13.pdf
 * Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year	 Sep 2014	 http://www.darkreading.com/analytics/threat-intelligence/online-ad-fraud-exposed-advertisers-losing-$63-billion-to-$10-billion-per-year/d/d-id/1317979
 * Optimal Airline Ticket Purchasing Using Automated User-Guided Feature Selection	 http://ijcai.org/papers13/Papers/IJCAI13-032.pdf
 * Payment Checkout Flaws and Bugs	2014	 https://www.clerkendweller.uk/2014/11/4/Payment-Checkout-Flaws-and-Bugs
 * PCI Compliance Report 2015	 Verizon	 http://www.verizonenterprise.com/pcireport/2015/
 * Pixel Perfect Timing Attacks with HTML5	2013	 http://www.contextis.com/services/research/white-papers/pixel-perfect-timing-attacks-html5/
 * Polymorphism as a Defense for Automated Attack of Websites	 http://link.springer.com/chapter/10.1007%2F978-3-319-07536-5_30
 * Preventing Web Scraping: Best Practice 	 https://creativedigitalideas.files.wordpress.com/2014/11/best-practice-to-prevent-web-scraping.pdf
 * Profile: Automated Credit Card Fraud	 http://old.honeynet.org/papers/profiles/cc-fraud.pdf
 * Q4 2014 State of the Internet Security Report	 prolexic	 http://www.stateoftheinternet.com/downloads/pdfs/2014-internet-security-report-q4.pdf
 * Reflection injection	 http://cybersecurity.ieee.org/images/files/images/pdf/CybersecurityInitiative-online.pdf
 * SANS Top 20 Critical Controls	 https://www.sans.org/critical-security-controls/
 * Security Insights: Defending Against Automated Threats	 http://www.securityweek.com/security-insights-defending-against-automated-threats
 * Server side DDoS	 Imperva	 http://www.imperva.com/DefenseCenter/ThreatAdvisories/DDOS_Attack_Method_Payload_05182010
 * Slow Read Denial of Service attack	 https://code.google.com/p/slowhttptest/wiki/SlowReadTest
 * Slow-Read DoS Attack	 https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
 * Slowloris HTTP DoS	 http://ha.ckers.org/slowloris/
 * Social Media Bots Offer Phony Friends and Real Profit	 NY Times	 http://www.nytimes.com/2014/11/20/fashion/social-media-bots-offer-phony-friends-and-real-profit.html?_r=1
 * Sophos Security Threat Report	 http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/
 * Stopping Automated Attack Tools	 http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
 * The Anatomy of Clickbot.A	 https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/daswani/daswani.pdf
 * The Barracuda Web Application Firewall: XML Firewall	 https://www.barracuda.com/assets/docs/White_Papers/Barracuda_Web_Application_Firewall_WP_XML_Firewall.pdf
 * The Bot Baseline: Fraud in Digital Advertising	 https://s3.amazonaws.com/whiteops-public/WO-ANA-Baseline-Study-of-Bot-Fraud.pdf
 * The Heartbleed Bug	 http://heartbleed.com/
 * The Internet Organised Crime Threat Assessment (iOCTA) 2014	 https://www.europol.europa.eu/content/internet-organised-crime-threat-assesment-iocta
 * The Notorious Nine	 Cloud Computing Top Threats in 2013	 CSA	 https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
 * The Underground Economy of Spam: A Botmaster’s Perspective of Coordinating Large-Scale Spam Campaigns	 http://static.usenix.org/events/leet11/tech/full_papers/Stone-Gross.pdf
 * The WASC Threat Classification v2.0	 http://projects.webappsec.org/w/page/13246978/Threat%20Classification
 * Threats and Mitigations: A Guide to Multi-Layered Web Security - eBook	 Prolexic	 	 http://www.prolexic.com/knowledge-center/prolexic-download/guide-multi-layered-web-security-ebook.pdf
 * Trustwave Global Security Report	2014	 https://www2.trustwave.com/GSR2014.html?utm_source=redirect&utm_medium=web&utm_campaign=GSR2014
 * TurboTax’s Anti-Fraud Efforts Under Scrutiny	 http://krebsonsecurity.com/2015/02/turbotaxs-anti-fraud-efforts-under-scrutiny/
 * Two Security Vulnerabilities in the Spring Framework’s MVC pdf (from 2008)	 http://blog.diniscruz.com/2011/07/two-security-vulnerabilities-in-spring.html
 * Understanding Web Bots and How They Hurt Your Business	 Encapsula	 http://www.slideshare.net/Incapsula/understanding-web-bots-and-how-they-hurt-your-business
 * Web Application Attack Report #5	 Imperva	 http://www.imperva.com/docs/HII_Web_Application_Attack_Report_Ed5.pdf
 * Web Attacks in the Wild	 Corsaire	 https://www.owasp.org/images/a/a7/Web_attacks_in_the_wild_-_ap.pdf
 * Web Automation	 Friend or Foe?	 https://www.owasp.org/images/5/58/OWASP_Israel_-_May_2009_-_Ofer_Shezaf_-_Automation_Attacks.pdf
 * Web Spambot Detection Based on Web Navigation Behaviour 	 http://pedramhayati.com/papers/Web_Spambot_Detection_Based_on_Web_Usage_Behaviour.pdf
 * What is Zeus?	 http://www.sophos.com/medialibrary/pdfs/technical%20papers/sophos%20what%20is%20zeus%20tp.pdf
 * When Web 2.0 Attacks! Understanding Ajax	 Flash and other highly interactive web technologies…	 https://www.owasp.org/images/f/fc/When_Web_2.0_Attacks_-_Understanding_Security_Implications_of_Highly_Interactive_Technologies-Rafal_Los.pdf
 * Where have all of our Passwords Gone?	 Gartner	2015	 http://blogs.gartner.com/avivah-litan/2015/01/22/where-have-all-our-passwords-gone/
 * WS-Attacks.org	 http://www.ws-attacks.org/index.php/Main_Page

=FAQs=

This page is in the process of creation


 * How do you define "web", "application" and "automated threat"?
 * See the definitions in the project's.


 * What is an "ontology"?
 * Answer


 * Isn't this another bug (vulnerability) list?
 * Answer


 * I thought "XYZ" already did that?
 * Answer


 * How can I help?
 * Answer

= Acknowledgements =

Contributors
[mailto:colin.watson@owasp.org Colin Watson]

= Road Map and Getting Involved =

The project's roadmap was updated in March 2015:


 * Feb 2015: Define scope and terminology Done
 * March 2015: Research prior work and reports about automated threats to web applications to create bibliography Done
 * April 2015: Assess threats/attacks and create ontology
 * April 2015: Application owner interviews and creation of initial project outputs, to refine model
 * May 2015: Publication of outputs and request for review/data
 * Jun-Sep 2015: Gathering of additional contributions, updates to outputs, and translations.

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. If you would like to find out more, or have knowledge to contribute, please contact, me directly or using the project's mailing list:


 * [mailto:colin.watson@owasp.org Colin Watson]
 * (awaiting project mailing list to be set up)