OWASP Automated Threats to Web Applications

Here is the list of automated threats identified and compiled by the OWASP Automated Threats to Web Application Project.   

1. Account aggregation. The goal of these attacks is to harvest user account credentials from multiple sites or platforms, often for malicious purposes such as identity theft, financial fraud, or unauthorized access to sensitive information. Account aggregation attacks are performed using automated bots or scripts that mimic human interactions with various web services or applications. 
   
2. Account creation. These attacks involve malicious actors using automated scripts or bots to create large numbers of fake user accounts on a platform or website. Attackers can use these fake accounts to flood the platform with spam content, advertisements, or malicious links, causing disruption and annoyance to legitimate users. Fake accounts can also be used to manipulate public sentiment and reviews/ratings on a website or application or impersonate real users or public figures to spread misinformation or cause reputational damage.  This threat can also result in new account opening fraud, also referred to as first-party fraud, and has ramifications across the entire digital world.
3. Ad fraud. Also known as click fraud, this threat involves deceptive activities to falsify the number of interactions with online advertisements, such as clicks or impressions. These fraudulent actions are typically performed through automated bots or scripts and aim to generate revenue for the fraudsters or manipulate advertising performance metrics. 
4. CAPTCHA defeat. This threat uses automated techniques to bypass or circumvent CAPTCHA challenges and is a significant concern for web application security, as it allows malicious actors to bypass a common defense against bots. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security control used to distinguish between human users and automated bots or scripts. Attackers can use image recognition software to solve visual CAPTCHAs and deploy machine learning algorithms to solve aural and puzzle CAPTCHAs. In some cases, attackers employ human CAPTCHA solvers who manually solve CAPTCHAs in real-time. While a commonly used security control, CAPTCHA can be bypassed and inserts friction into the customer experience for legitimate users, which can lead to transaction and revenue abandonment.   
5. Card cracking. This is an automated type of cybercrime that involves guessing or cracking the security features of a payment card, such as the card number, expiration date, and security code (CVV/CVC). Card cracking typically employs brute-force attacks, where automated bots or scripts systematically try numerous combinations of card details until they find a combination that matches a valid card. Once valid card details are identified, they can be used for various illegal activities, such as making unauthorized purchases or committing financial fraud. The attacker may grab a few unloaded physical gift cards from a physical store to see if the gift card issuer relied on sequential numbering patterns. 
6. Carding. This form of automated cybercrime involves the unauthorized use of stolen payment card information to make fraudulent transactions or purchases. Criminals use automated bots or scripts to test the stolen credit or debit card details on various websites or applications to identify those that accept the stolen information. Once the automated bots identify vulnerable targets, they use the stolen card information to make fraudulent purchases, often for high-value goods or digital services, or transfer the available value to other accounts.  
7. Cashing out. This refers to the conversion of illiquid assets or virtual currency into real-world funds or tangible goods. This threat often follows successful attacks that result in the theft of valuable assets from online platforms or accounts. When attackers take control of user accounts on web applications or online platforms, they may use these accounts to cash out the account owner's assets, such as gift cards, loyalty points, or virtual currency. Bots are often used to facilitate cashing out as they allow cybercriminals to perform these fraudulent activities at scale and with efficiency. 
8. Credential cracking. This threat is a type of brute force attack that targets the login mechanisms of web applications, such as login pages, user account portals, or authentication APIs. The attacker uses automation to systematically try common combinations of usernames and passwords until they find one that works to grant unauthorized access to user accounts. This allows the attacker to carry out malicious activities, such as identity theft, financial fraud, or other unauthorized actions.  
9. Credential Stuffing. One of the most common forms of web application threats, credential stuffing results when cybercriminals obtain lists of username/password pairs, often purchased on the dark web, and attempt to use the credential pair to gain access to other login-protected accounts. Because many people reuse usernames and passwords, these attacks (also called account takeover) can be remarkably effective, allowing criminals to take control of user accounts to steal assets or commit third-party fraud.  
10. Denial of inventory. This attack results when attackers take e-commerce merchandise out of circulation by using bots to add large numbers of items to a shopping cart, without proceeding to checkout to purchase them. This situation prevents other shoppers from buying the merchandise because the system registers a stock-out condition, and also denies the vendor the sale because the purchase is never completed. A variation of this automated threat results when bots are used to make reservations or place holds for hotel rooms, restaurant tables, or airline seats without completing the payment. 
11. Denial of Service (DoS) and Distributed Denial of Service (DDoS). These attacks are malicious attempts to disrupt the normal functioning of a target system or network, making it unavailable to legitimate users. In a DDoS attack, the attacker overwhelms the target with a massive volume of traffic or resource requests, causing server overloads and rendering the service inaccessible. These attacks can be carried out using various methods, such as flooding the target with packets or sending specially crafted requests. DoS and DDoS attacks are similar, but with DDoS, the attack involves multiple sources, usually coordinated through botnets, which are a network of compromised computers or devices under the control of the attacker. The attacker coordinates these multiple sources to simultaneously launch the attack against the target. By leveraging the combined resources of the botnet, the attacker can generate a massive amount of traffic or requests, overwhelming the target system’s capacity and causing a denial of service. These attacks can overwhelm firewall state tables, CPU resources, and infrastructure bandwidth. A DoS attack can be executed with a single, well-crafted request to a web application, for example, a complex SQL query that results in high CPU and performance degradation.
12. Expediting. This threat involves using automated bots or scripts to rapidly complete a series of application processes, bypassing normal restrictions or checks in place. By automating processes, attackers or malicious users can gain an unfair advantage over other legitimate users. This activity is often associated with deceit and can result in losses for other parties.  
13. Fingerprinting. Threat actors use fingerprinting as an information-gathering technique to collect and analyze unique characteristics or attributes of a user’s web browser or device to create a distinctive “fingerprint.” This allows threat actors to identify and track individual users across different websites and online platforms, or to profile and subsequently attack an application. 
14. Footprinting. This is not an automated threat in and of itself, but rather a preliminary phase of a hacking process or reconnaissance. Footprinting involves using bots or scripts to gather information about a target web application’ s composition, configuration, and security mechanisms, allowing attackers to better plan subsequent attacks, such as launching targeted exploits to gain unauthorized access or exploit specific vulnerabilities. 
15. Scalping or inventory hoarding. This is a form of purchase automation in which attackers use bots to purchase large quantities of limited-inventory goods or services the moment they go on sale online (think concert tickets and limited-edition sneakers). By completing the checkout process instantaneously, criminals gain mass control of valuable inventory, which is usually resold on secondary markets at a significant mark-up, leading to artificial scarcity, denial of inventory, and consumer frustration.  
16. Scraping. Although not inherently malicious, scraping is the automated process of extracting data from websites or web applications. Scraping becomes an automated threat when used for unauthorized or malicious purposes, such as when bots are used to collect content from a target website to analyze, reuse, or engage in price manipulation, especially in competitive markets. Scraping also can impact site performance and prevent legitimate users from accessing a site. 
17. Skewing. This results when malicious actors repetitively click, request, or submit content on a web application, intentionally affecting application-based metrics such as counts, likes, impressions, poll results, frequency, or rates. Skewing can be carried out using automated bots that mimic human behavior to generate artificial interactions with the web application. The goal of skewing is to manipulate and distort the data generated by application-based metrics, leading to inaccurate or misleading results. 
18. Sniping. This is a type of malicious activity that involves using automated bots or scripts to gain a competitive advantage in online auctions, sales, or reservation systems. The term “sniping” is commonly used in the context of timed events or limited availability items where speed and precise timing play a crucial role, leaving insufficient time for another user to bid or make an offer. Sniping allows attackers to gain a competitive advantage over human users who are manually participating in the event, as bots can execute actions faster and with more accuracy. 
19. Spamming. This refers to malicious content or questionable information distributed by bots that appears in public or private content, databases, or user messages on web applications. The malicious content can include malware, IFRAME popups, photographs, videos, advertisements, and tracking/surveillance code. Attackers also use spamming to add phony comments to forums and other messaging apps to falsify information or distribute malware. 
20. Token Cracking. This automated attack is the result of criminals performing mass enumeration of coupon numbers, voucher codes, and discount tokens. The benefit received may be a discount, a cash alternative, a credit, or access to a special offer.
21. Vulnerability Scanning. This threat refers to using automated tools or scripts to identify and exploit vulnerabilities in web applications. Unlike legitimate vulnerability scanning, which aims to identify weaknesses for the purpose of improving security, vulnerability scanning as an automated threat is carried out with malicious intent to compromise the application’s security. Criminals use automated scanning tools or scripts to systematically scan applications exposed on the Internet, typically immediately after a vulnerability is disclosed. Once vulnerabilities are identified, criminals attempt to exploit them to gain unauthorized access to the application, sensitive data, or the underlying server infrastructure.