A Rise in Online Business Disruption from Automated Threats

Where there is money, there is greed. And where there is greed, there is exploitation. Such is the case with the rapidly growing eCommerce and online retail sector, which has experienced more than its fair share of automated threats that disrupt business operations. While there are plenty of good bots, such as search engine crawlers and chatbots that aid eCommerce operations, Forbes reports that 80% of eCommerce businesses have lost revenue to bad bots.

According to an article in Help Net Security, Advanced Persistent Bots (APBs) remained the majority of bad bot traffic over the past year, amounting to 57.1% of all bot traffic. These advanced bots are responsible for high-speed abuse and attacks on websites, mobile apps, and APIs. Because they closely mimic human behavior, they are harder to detect and stop, presenting a unique challenge for organizations that want to manage downtime, reduce bandwidth, and improve their overall digital experience. This blog post explores these disruptive behaviors through the lens of the OWASP Automated Threats to Web Applications framework. We’ll explain how these threats relate to each other, how they impact online businesses, and what eCommerce providers can do to effectively combat them. But first, let’s look at how we got here.

The Rapidly Evolving Sophistication of Bots

The past few years have been a pivotal period for bad bot builders, aided by the rise of bot marketplaces, Cook Groups (support communities for bot operators), and automation frameworks, such as Puppeteer and Playwright. While these frameworks are relatively new, bots themselves are not, and neither are the defense systems against them, which were developed before many of these open source testing technologies existed.

Traditional web application firewalls (WAFs) that defend web apps from vulnerability-exploiting attacks, like SQL injection (SQLi) and cross-site scripting (XSS), may be able to block some basic automation using techniques such as IP address blocking and rate limiting, but they weren’t designed to detect and stop advanced persistent bots. Bot builders have learned how to work around these defenses using techniques such as hiding behind residential proxy networks and orchestrating low and slow attacks.

Similarly, the first generation of specialized bot detection systems was not architected to address how modern, sophisticated bots have evolved. These legacy solutions rely on detecting bad bots based on IP addresses and device fingerprinting, allowing bad bots into infrastructure to monitor their behavior and make decisions. In addition, weak JavaScript obfuscation is insufficient as a defense. Modern bot builders design bots that look and act just like legitimate customers through a residential proxy network combined with a Puppeteer Extra Stealth script. They can also bypass defenses altogether by reverse engineering client-side code or by learning bypass tips within Cook Groups hosted on Discord, leaving businesses to play a frustrating and resource-intensive game of whack-a-mole. That’s why eCommerce and online retailers need modern bot mitigation to accurately detect and stop automated threats — over the long term, even as they evolve — without added friction to the customer experience. This is the key to maintaining competitive advantage, continued customer loyalty, and future revenue.

Now, let’s take a closer look at these automated threats.

Top 19 OWASP Automated Threats in eCommerce

OWASP (The Open Web Application Security Project) is a non-profit on a mission to improve software security. The foundation’s handbook provides detailed descriptions of 21 automated threats, 19 of which affect the eCommerce and retail industry. (The two that do not apply are OAT-012 Cashing Out and OAT-020 Account Aggregation.)

Here’s a quick overview of these 19 OWASP Automated Threats (OAT) and how they apply to the digital customer journey:

Login & Account Fraud

  • Automated Threats Related to Compromising Account Credentials:
    • OAT-007 Credential Cracking: Seeks to hijack customers’ accounts through multiple variations of credentials, and it can be identified by an increase in failed login attempts.
    • OAT-008 Credential Stuffing: Reuse of stolen credentials to see if they match the ones used on the site, leading to account takeover.
    • OAT-019 Account Creation: Creates new fake accounts for nefarious purposes, such as spreading malware or evading defenses by acting like a different user when carrying out automated attacks.
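
The login signals above can be checked by counting failures per account rather than per source IP. This is an added example, not code from the original post or from any vendor's product; the events, the documentation-range IP addresses and the thresholds are constructed for illustration.

```python
from collections import Counter

def sample_events():
    """Constructed login events (source_ip, username, success) for one window."""
    ev = [(f"198.51.100.{i}", f"user{i}", i % 8 != 0) for i in range(40)]  # normal users
    ev += [(f"203.0.113.{i}", "alice", False) for i in range(30)]          # OAT-007 shape
    ev += [(f"192.0.2.{i}", f"victim{i}", i == 7) for i in range(60)]      # OAT-008 shape
    return ev

def per_ip_over_limit(events, limit=5):
    """What a per-IP rate limit would act on: IPs with more than `limit` attempts."""
    hits = Counter(ip for ip, _, _ in events)
    return sorted(ip for ip, n in hits.items() if n > limit)

def detect(events, baseline_fail_ratio=0.125, cracking_failures=10,
           stuffing_accounts=25, ratio_multiplier=3.0):
    """Aggregate by account instead of by IP (all thresholds are illustrative)."""
    attempts, failures = Counter(), Counter()
    for _, user, ok in events:
        attempts[user] += 1
        failures[user] += 0 if ok else 1
    # OAT-007 Credential Cracking: failures concentrated on individual accounts.
    cracking = sorted(u for u, n in failures.items() if n >= cracking_failures)
    # OAT-008 Credential Stuffing: many accounts tried once or twice,
    # failing at a rate far above the site's normal baseline.
    sparse = [u for u, n in attempts.items() if n <= 2]
    sparse_failed = [u for u in sparse if failures[u] > 0]
    ratio = len(sparse_failed) / len(sparse) if sparse else 0.0
    stuffing = (len(sparse_failed) >= stuffing_accounts
                and ratio > ratio_multiplier * baseline_fail_ratio)
    return {"cracking": cracking, "stuffing": stuffing,
            "sparse_fail_ratio": round(ratio, 2),
            "failed_accounts": len(sparse_failed)}

if __name__ == "__main__":
    events = sample_events()
    print("IPs over per-IP limit:", per_ip_over_limit(events))
    print("Account-level view:   ", detect(events))
```

Every source IP in the sample makes a single request, so the per-IP view flags nothing while the per-account view surfaces both patterns.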

Inventory Abuse

  • Automated Threats Related to Availability of Inventory to Legitimate Users:
    • OAT-005 Scalping: Checks on the availability of in-demand inventory. If you are experiencing unexplained traffic increases to low or limited availability inventory, you might be the subject of a scalping bot.
    • OAT-013 Sniping: Grabs inventory at the last minute. If you find that some of your “customers” are having amazing success at scooping up inventory at the last minute, you may be the target of a sniping bot.
    • OAT-021 Denial of Inventory: Ties up stock that never gets purchased, leading real customers to search elsewhere for their desired items.
  • OAT-017 Spamming: Adds phony comments to forums and other messaging apps to falsify information or distribute malware.

If you’d like to learn more about the types of automated threats targeting the shopping experience, read our last blog post on the evolution and underground economy of sneaker bots.

Checkout Abuse

  • Automated Threats Related to Payment Card or Gift Cards:
    • OAT-001 Carding: Similar to credential stuffing, except that it uses stolen credit card numbers to see which ones are valid. You can look for an increase in failed payments and chargebacks to identify a carding attack.
    • OAT-002 Token Cracking: Much like credential cracking, except that it tries out token codes in a bid to take advantage of discounts, coupons, etc.
    • OAT-010 Card Cracking: Tries to identify expiration dates, card security codes, and more via brute force attacks to complete the card info. This kind of automated threat is often combined with OAT-001 Carding to verify the card details and OAT-012 Cashing Out to purchase items.

The remaining automated threats relate to Web Apps and Infrastructure of eCommerce businesses:

  • OAT-003 Ad Fraud: Falsifies the number of ad clicks or impressions to siphon off or deplete marketing budgets.
  • OAT-004 Fingerprinting: Sends requests to infrastructure and profiles it for later exploitation.
  • OAT-006 Expediting: Uses bots to speed up normal processes.
  • OAT-009 CAPTCHA Defeat: Bots and services, such as CAPTCHA farms, can solve the CAPTCHA challenges and tests that are meant for humans to prove that they’re not robots.
  • OAT-011 (Price and Content) Scraping: Lots of bots scrape data with intent to resell or even duplicate competitors’ content, leading to lower SEO rankings, among other things.
  • OAT-014 Vulnerability Scanning: Unauthorized scanning that identifies vulnerabilities that malicious bot operators can exploit.
  • OAT-015 (Application) Denial of Service (DoS): Deliberate, malicious overwhelming of the application’s resources, which can either slow down or render a website or web app unavailable for customers to use.
  • OAT-016 Skewing: Fraudulent requests for content or synthetic bot traffic that degrades the accuracy of web metrics.
  • OAT-018 Footprinting: Much like fingerprinting, but specific to probing the application itself to find out its vulnerabilities.

If your eCommerce site is experiencing unexplained increases in traffic for specific inventory, cart abandonment, or other skewed metrics and you suspect automated threats are to blame, OWASP has created a simple yet effective decision tree to help you pinpoint the source of the problem.

So What’s the Impact of Automated Threats?

Unfortunately, with the continuing increase in these kinds of automated threats, eCommerce companies have a lot to lose. While the cost of losing customer loyalty and gaining a reputation for a poor user experience can be difficult to calculate, we can put a price on costs from bot-driven attacks and the lost revenue associated with them.

In a report we recently released, The Business Case for Stopping Malicious Bots, we provided the example of an eCommerce site that generates $100 million in revenue per year — that’s $274K per day. If bots and other automated threats overwhelm your site and take your online store down for just two days, you have easily lost a minimum of $548K in revenue. Suppose the same business protects just 50% of its traffic with a bot management solution. In that case, it’s $50 million (or $137K per day) that the organization can count on annually and not lose to downtime caused by bots, along with the additional financial impact associated with online fraud such as successful credential stuffing, carding and cracking attacks.

The list of potential business and financial impacts of bot attacks is endless. So what can you do to achieve peace of mind while automated threats continue to evolve and evade bot management solutions, including ineffective mitigative tactics?

What Can You Do About Automated Threats in eCommerce?

The only way to fight automation is with automation. That’s because adversaries adapt in seconds, and traditional bot detection solutions can’t keep up. What’s needed is an approach that instantly detects and defends against bots, even those not seen before, using a zero-trust approach to ensure that nothing unknown or untrusted gets in. Such a solution should operate without heuristics to learn, rules to manage, or risk scores to assign — and must be resilient to retooling and reverse-engineering efforts. Essentially, it is a tool that fights back, makes attacks too expensive to conduct, and frustrates and deceives attackers, while adapting to new threats in real time. To win the game of whack-a-mole, you must architect your solution to be just as effective years from now as it is today, while eliminating the economic imbalance between attackers and defenders.

That solution is Kasada, which protects from the very first request so that your organization is defended even against bots not seen before. Kasada provides the industry’s most accurate bot detection solution and has flipped the bot mitigation approach on its head with a fundamentally different approach that identifies the presence of automation itself that exists WHENEVER bots interact with websites, mobile apps, and APIs. With Kasada’s lowest false positive rate in the industry, you won’t have to worry about your authentic customers being incorrectly blocked. Nor will you have to worry about introducing friction into the user experience because Kasada defends against bots invisibly without the use of CAPTCHAs.

In March, we announced the general availability of our new V2 platform, which bolsters customers’ real-time protection from the most advanced bots that are left undetected by other systems (even those not detected by other methods). Even though Kasada is lightweight to implement and support, its protection is anything but:

  • First, we’ve increased the number of client-side sensors by 15x, accurately detecting in real-time the use of Puppeteer, Playwright, stealth plugins, other headless browser automation tools, and mobile app emulators and simulators.
  • Second, we make it challenging for attackers to retool through a proprietary obfuscation method.
  • Third, we make it financially unviable for attackers to continue their automated threats through a compute-intensive cryptographic challenge that exhausts resources and makes attacks too expensive to conduct.

Demand Better Protection from OWASP Automated Threats

See why more than 85% of our customers selected Kasada after using other bot mitigation platforms. Join the growing ranks of businesses demanding better protection from automated threats than what’s offered by rules-dependent, easy-to-bypass, and increasingly expensive solutions.

Request a demo today to see Kasada’s innovative bot management solution in action.
