Project: WASC Threat Classification

Threat Type: Weakness

Reference ID: WASC-21


Insufficient Anti-automation

Insufficient Anti-automation occurs when a web application permits an attacker to automate a process that was originally designed to be performed only in a manual fashion, i.e. by a human web user.


Web application functionality that is often targeted by automation attacks includes:

  • Application login forms – attackers may automate brute force login requests in an attempt to guess user credentials
  • Service registration forms – attackers may automatically create thousands of new accounts
  • Email forms – attackers may exploit email forms as spam relays or to flood a particular user's mailbox
  • Account maintenance – attackers may perform a mass DoS against an application by flooding it with numerous requests to disable or delete user accounts
  • Account information forms – attackers may perform mass attempts to harvest users' personal information from a web application
  • Comment forms / Content Submission forms – these may be used to spam blogs, web forums and web bulletin boards by automatically submitting content such as spam or even web-based malware
  • Forms tied to SQL database queries – these may be exploited to perform a denial of service attack against the application. The attack is performed by sending numerous heavy SQL queries in a short period of time, hence denying real users service.
  • eShopping / eCommerce – eShopping and eCommerce applications that do not enforce human-only buyers can be exploited to buy sought-after items in large quantities, such as tickets to sporting events. These are later sold by scalpers at higher prices.
  • Online polls – polls and other types of online voting systems can be automatically subverted in favor of a certain choice.
  • Web-based SMS message sending – attackers may exploit SMS message sending systems to spam mobile phone users
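As an added example (not WASC's code, nor any particular vendor's), the following Python sketch shows one anti-automation control for the login form case above: a sliding-window throttle keyed both per target account and per client IP, so that a brute-force run against one user and a credential-stuffing run from one host each exhaust their budget after a handful of attempts. The class names, limits and sample addresses are constructed for illustration.

```python
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple


class SlidingWindowThrottle:
    """Allow at most `max_attempts` events per `key` in any `window` seconds."""

    def __init__(self, max_attempts: int, window: float) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(key, deque())
        # Forget events that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False  # budget exhausted: reject, or escalate to a CAPTCHA/MFA step
        q.append(now)
        return True


class LoginGuard:
    """Throttles a login form on two axes: per target account (a brute-force run
    against one user, possibly from many hosts) and per client IP (credential
    stuffing across many accounts from one host). Limits are constructed values."""

    def __init__(self, per_account: int = 5, per_ip: int = 50, window: float = 60.0) -> None:
        self._by_account = SlidingWindowThrottle(per_account, window)
        self._by_ip = SlidingWindowThrottle(per_ip, window)

    def allow(self, username: str, client_ip: str, now: Optional[float] = None) -> bool:
        # Both counters always advance: a rejected attempt is still an attempt.
        account_ok = self._by_account.allow(f"acct:{username.lower()}", now)
        ip_ok = self._by_ip.allow(f"ip:{client_ip}", now)
        return account_ok and ip_ok


def simulate_brute_force(attempts: int, guard: Optional[LoginGuard] = None) -> Tuple[int, int]:
    """Constructed scenario: one automated client hitting one account once per second.
    Returns (allowed, rejected) counts."""
    guard = guard or LoginGuard()
    allowed = rejected = 0
    for t in range(attempts):
        if guard.allow("alice", "192.0.2.10", now=float(t)):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected
```

In production the counters would live in shared storage (e.g. a cache keyed the same way) so every application node sees the same budget, and the rejection would feed a log line for detection rather than silently dropping the request.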