Project: WASC Threat Classification
Threat Type: Weakness
Reference ID: WASC-21
Insufficient Anti-automation
Insufficient Anti-automation occurs when a web application permits an attacker to automate a process that was originally designed to be performed only in a manual fashion, i.e. by a human web user.
Web application functionality that is often a target for automation attacks may include:
- Application login forms – attackers may automate brute force login requests in an attempt to guess user credentials
- Service registration forms – attackers may automatically create thousands of new accounts
- Email forms – attackers may exploit email forms as spam relays or for flooding a certain user’s mailbox
- Account maintenance – attackers may perform mass DoS against an application, by flooding it with numerous requests to disable or delete user accounts
- Account information forms – attackers may perform mass attempts to harvest user personal information from a web application
- Comment forms / Content Submission forms – these may be used for spamming blogs, web forums and web bulletin boards by automatically submitting contents such as spam or even web-based malware
- Forms tied to SQL database queries – these may be exploited in order to perform a denial of service attack against the application. The attack is performed by sending numerous heavy SQL queries in a short period of time, hence denying real users from service.
- eShopping / eCommerce – eShopping and eCommerce applications that do not enforce human-only buyers, can be exploited in order to buy preferred items in large amounts, such as sporting events tickets. These are later sold by scalpers for higher prices.
- Online polls – polls and other types of online voting systems can be automatically subverted in favor of a certain choice.
- Web-based SMS message sending – attackers may exploit SMS message sending systems in order to spam mobile phone users