An automated threat is a type of computer security threat to a computer network or web application, characterised by the malicious use of automated tools such as Internet bots.[1] Automated threats are popular on the internet as they can complete large amounts of repetitive tasks with almost no cost to execute.[2]

Threat ontology

The OWASP Automated Threat Handbook provides a threat ontology list for classifying automated threats, which are enumerated below.

Identity CodeNameDefining characteristics
OAT-020Account AggregationUse by an intermediary application that collects together multiple accounts

and interacts on their behalf

OAT-019Account CreationCreate multiple accounts for subsequent misuse
OAT-003Ad FraudFalse clicks and fraudulent display of web-placed advertisements
OAT-009CAPTCHA BypassSolve anti-automation tests
OAT-001CardingMultiple payment authorisation attempts used to verify the validity of bulk

stolen payment card data

OAT-010Card CrackingIdentify missing start/expiry dates and security codes for stolen payment card

data by trying different values

OAT-012Cashing OutBuy goods or obtain cash utilising validated stolen payment card or other user

account data

OAT-007Credential CrackingIdentify valid login credentials by trying different values for usernames and/or

passwords

OAT-015Denial of ServiceTarget resources of the application and database servers, or individual user

accounts, to achieve denial of service (DoS)

OAT-006ExpeditingPerform actions to hasten progress of usually slow, tedious or time-consuming

actions

OAT-004FingerprintingElicit information about the supporting software and framework types and

versions

OAT-018FootprintingProbe and explore application to identify its constituents and properties
OAT-005ScalpingObtain limited-availability and/or preferred goods/services by unfair methods
OAT-011ScrapingCollect application content and/or other data for use elsewhere
OAT-016SkewingRepeated link clicks, page requests or form submissions intended to alter some

metric

OAT-013SnipingLast minute bid or offer for goods or services
OAT-017SpammingMalicious or questionable information addition that appears in public or

private content, databases or user messages

OAT-002Token CrackingMass enumeration of coupon numbers, voucher codes, discount tokens, etc.
OAT-014Vulnerability ScanningCrawl and fuzz application to identify weaknesses and possible vulnerabilities

References

  1. Watson, Colin (2015-10-26). "OWASP Automated Threat Handbook" (PDF). OWASP. OWASP. Retrieved 2016-09-10.
  2. "Security Insights: Defending Against Automated Threats | SecurityWeek.Com". www.securityweek.com. Retrieved 2016-09-18.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.