AppSecUSA 2015

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Some examples commonly referred to are:

* Account enumeration
* Click fraud
* Comment spam
* Content scraping
* Data aggregation
* Email address harvesting
* Fake account creation
* Password cracking
* Payment card testing
* Site crawling
* Transaction automation

Frequently these have sector-specific names. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore, they are not enumerated or defined adequately in existing dictionaries. These factors have contributed to inadequate visibility, and an inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues.

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

This presentation for the first time describes the work undertaken earlier this year and the concrete outputs completed including a new ontology of web application automation threats. Additionally the talk describes the primary and secondary symptoms, and current efforts to document and map relevant mitigations and protections. Attendees who own or operate production web sites, web APIs and other web applications will gain knowledge gathered from research and their peers about these threats, attack vectors, detection methods and protections against the unwanted automations.

To develop the ontology, research was undertaken to identify prior work and existing information about the types of automated threats to web applications using academic papers, breach reports, security incidents, and existing attack and vulnerability taxonomies. This has been refined using insider knowledge from application security experts and using interviews with web application owners. The initial objective was to assess and define a shared vocabulary about these sorts of "attacks", so that the problem can be defined and addressed further. The analysis focused on real-world external threats and attack vectors, although the impacts on individuals, intermediaries, partners and third party organisations are also being considered. Common Misuse Scoring System (CMSS) has been used in the analysis. The generated web application-specific ontology has also been mapped to other relevant sources including Security Content Automation Protocol (SCAP) components and the relevant parts of Mitre's Common Weakness Enumeration and Common Attack Pattern Enumeration and Classification (CAPEC).

The ontology has been published by the "OWASP Automation Threats to Web Applications Project" and is free to download and use. This OWASP project is intended to be an information hub for web application owners, providing practical resources to help them to protect their systems against these automated processes. The project is also seeking input in the form of event data that can be used to rank the threats for sectors such as financial services, ecommerce, hotel, travel, government, social media, gaming and gambling.