Sorting out web automation attacks

If anything makes web application security different from, and more interesting than, traditional information security, it is threats to the application logic, i.e. attacks that abuse legitimate functionality. Such attacks often raise legal and ethical questions: if this is legitimate functionality, can it be an attack? Ethical questions aside, there is no question that click fraud, scraping and comment spam cause real pain and financial damage to web site owners.

The new OWASP automated threat handbook tries to sort out this field and define an ontology for web automation attacks and for countermeasures.

My own presentation on the topic takes a different approach: there is no real dividing line between valid and malicious automation; it is a continuum. I scored each automation technique for “obviousness”, i.e. how clear it is that the activity is automated rather than human, and for maliciousness. Based on the scores I split the techniques into obviously malicious, accepted and borderline. So for example, given a 1-5 scale (1 being not obvious/not malicious, 5 being obvious/malicious):

  • “Auction sniping” gets 2 for obviousness and 3 for maliciousness – which makes it borderline.
  • “Web spam” gets 3 for obviousness and 4 for maliciousness – the extra points put it in the malicious category.
  • At the edges, blind SQL injection gets 5 and 5 (so it is extra malicious), while comparative shopping gets 1 for maliciousness as it has become a standard in the industry. That does not imply the “attacked” web site is not negatively impacted.
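To make the continuum idea concrete, here is a small worked example, added to this post and not taken from the presentation or from the OWASP handbook. It scores techniques on the two 1-5 axes above, orders them along the continuum and buckets them. The post does not spell out how scores map to the three categories, so the thresholds used here (combined score of 7 or more is malicious, 4 or less is accepted, anything between is borderline) and the obviousness score of 2 for comparative shopping are assumptions for illustration.

```python
from dataclasses import dataclass

# 1 = not obvious / not malicious, 5 = obvious / malicious (the post's scale)
SCALE = range(1, 6)

@dataclass(frozen=True)
class Technique:
    name: str
    obviousness: int    # how clearly the activity is automated rather than human
    maliciousness: int  # how hostile the intent behind it is

def classify(obviousness: int, maliciousness: int) -> str:
    """Bucket one technique into malicious / borderline / accepted.

    The thresholds are an assumption of this example: the post only says
    that "extra points" push a technique into the malicious category.
    """
    if obviousness not in SCALE or maliciousness not in SCALE:
        raise ValueError("scores must be on the 1-5 scale")
    total = obviousness + maliciousness
    if total >= 7:
        return "malicious"
    if total <= 4:
        return "accepted"
    return "borderline"

def rank(techniques):
    """Order techniques along the continuum, most malicious first.

    Ties on the combined score are broken by the maliciousness axis, since
    that is the axis a site owner cares about when deciding on a response.
    """
    return sorted(
        techniques,
        key=lambda t: (t.obviousness + t.maliciousness, t.maliciousness),
        reverse=True,
    )

def bucket(techniques):
    """Group technique names by category, preserving the continuum order."""
    out = {"malicious": [], "borderline": [], "accepted": []}
    for t in rank(techniques):
        out[classify(t.obviousness, t.maliciousness)].append(t.name)
    return out

# Constructed sample using the scores the post gives; the obviousness score
# for comparative shopping is not in the post and is assumed here.
SAMPLE = [
    Technique("Auction sniping", obviousness=2, maliciousness=3),
    Technique("Web spam", obviousness=3, maliciousness=4),
    Technique("Blind SQL injection", obviousness=5, maliciousness=5),
    Technique("Comparative shopping", obviousness=2, maliciousness=1),
]

if __name__ == "__main__":
    for category, names in bucket(SAMPLE).items():
        print(f"{category:>10}: {', '.join(names) or '-'}")
```

Running the script prints one line per category, with blind SQL injection and web spam under malicious, auction sniping under borderline and comparative shopping under accepted, which matches the three examples in the list above.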

Read the presentation to get the scores for all of them and learn what “queue jumping”, “auction sniping” and “web spam” are!
