[Owasp-topten] RC feedback - Missing "Lack of anti-automation"

Colin Watson colin.watson at owasp.org
Thu Apr 13 18:59:39 UTC 2017

Thank you to everyone in the Top Ten project for all the effort in creating
this RC.

Last year when the data call was announced, we had some discussion on the
Leaders' List about "lack of anti-automation":


As pointed out to me in that discussion, "lack of anti-automation" was
included in the 2013 Top 10 "Additional Risks to Consider":


This item has been dropped from the 2017 RC1 completely - it is not in the
top 10 or in the additional risks. And none of the other 2013 risks include
these types of attack.

I wonder if it is somehow meant to be included in A7 - the Automated
Threats Project is mentioned as a reference for A7. However, I feel this
may be incorrect since none of the threats in the scope of the Automated
Threats project appear to be mentioned in the description, explanation or
example attack scenarios for A7 in 2017 RC1. A7 seems to relate to
exploitation of vulnerabilities.

Our project's unwanted automated usage is not about exploitation of
vulnerabilities, but instead often relates to misuse of inherent valid
functionality. To that end I feel it odd that such automated threats appear
neither in the 2017 RC1 Top 10, nor in the “additional risks to consider”.

Whilst breach reporting does not provide comprehensive or representative
coverage of attacks, the following recent major incidents indicate the
types of issue:

Tesco Bank account enumeration (40,000 accounts)

Credential stuffing attacks on other sites following LinkedIn and Yahoo

Some developers and testers ignore or do not think about such threats, and
therefore there is under-reporting of these issues in many organisations’
pen test reports and issue logging, yet they lead to significant ongoing pain to
application owners/operators. I have never found any web application that
isn't at risk from some automated threat (we have listed 20 types of
threats, soon to be 21). The ease of exploitation is typically EASY
(because the functionality is inherently built into the web application).
Since automated threats can be a risk for many different types of
functionality, my belief is the prevalence is just as common as XSS, so
prevalence is WIDESPREAD and detectability is EASY. If exploited the impact
is typically MODERATE, often affecting the application’s owner, and users
and other parties.

Regarding protections, in our project's Automated Threat Handbook we
document 14 classes of countermeasures for automated threats – only a
couple of which might be provided by something such as a WAF. Most
countermeasure classes are actually much more relevant to development
processes. Most do not appear in the "how do I prevent this" for A7, or any
other risk, in 2017 RC1.

Colin Watson
Project co-leader
OWASP Automated Threats to Web Applications Project
