Home Resources Blog Latest Bot Trends and OWASP (Open Web Application Security Project)

Latest Bot Trends and OWASP (Open Web Application Security Project)

Dr. Eduardo Rocha, Senior Solutions Engineer & Security Analyst @ GlobalDots
image 6 Min read

Considering that half of the Internet traffic is generated by bots of which 29% is represented by “bad bots” (according to Incapsula 2015 Bot Report), it’s fair to say they form a force to be reckoned when talking about online security.

Tweet this: Half of the internet traffic is generated by bots

While good bots are information gatherers used by organizations, bad bots are considered unlawful tools used by cyber-criminals. With the rise of “impersonator” bots capable of bypassing security solutions bot abuses have become more automated, increasingly sophisticated and as damaging to the business as the conventional vulnerability exploits such as SQL injection and XSS.

From false clicks and fraudulent display of web placed advertisements, solving of anti-automation CAPTCHA tests and launching DDoS attacks to scraping, spamming, sniping and skewing, or even token cracking, automated bots are the preferred tool. Bot operators continue to improve their software, creating more advanced persistent bots (APBs).

Bad Bot

Image Source

The increase of automated bot abuses has since alerted the Open Web Application Security Project (OWASP) online community which has been creating methodologies, documentation, tools and technologies in the field of web application security since 2001. Many business look to OWASP for direction on what threats are being posed to their web applications. Along with their well known yearly “Top 10 threats” list, the community has launched a complementary project called Automated Threats to Web Applications Project in order to better understand and respond to the bot trend. Beside all the threats that we mentioned before, the OWASP Automated Threat Handbook profiled three major subsets of automated threats. Based on common targets, bot pose threats respectively to account credentials, payment cardholder data and vulnerability identification.

Tweet this: OWASP – Open Web Application Security Project

1. Threat subset: Account Credentials

Automated bots can execute account aggregations, which mainly consists of gathering multiple accounts and then interacting on their behalf by using an intermediary application. They are often used for creating multiple ghost accounts for subsequent misuse (account creation), identifying valid login credentials by trying different values for username and/or passwords (credential cracking) or for mass log in order to verify the validity of stolen username/password pairs (credential stuffing).

Image Source

A synchronized bot network can practically harvest enough credentials to create a serious security and privacy issue with consequences ranging from fake traffic and stolen data to scams and identity theft.

Tweet this: What is Credential Cracking?

Tweet this: What is Credential Stuffing?

2. Threat subset: Payment Cardholder Data

If automated bots can easily gather account credentials then its obvious they can be used by cybercriminals to target payment cardholder data as well. Bots can often be deployed to spy sensitive data and launch multiple authorisation attempts to verify the validity of bulk stolen payment card data with the ultimate goal of trafficking credit card, bank account and other personal information online, a process also known as carding.

OWASP also reports an increased usage of automated bots used in common card cracking, also referred to as card popping. Card cracking is a debit card fraud scheme in which the perpetrators recruit bank account owners to share their debit card number and PIN in exchange for a compensation. Card-cracking fraudsters leverage the sharing culture of today’s social media community to recruit accomplices in order to execute those frauds. Bots have been used to identify missing start/expiry dates and security codes for payment card data by trying different values but also to automate and further leverage social media exposure which is considered the main recruiting channel.


Image Source

Beside carding and card cracking bots are being used for cashing out too. Automated procedures can be instructed to acquire goods or obtain cash utilising validated stolen payment card or other user account data. Theoretically, if a well deployed bad bot setup targets you, it could easily gather your cardholder data, steal your allowance and resell your personal accounts before you get the chance to even notice it or react.

Tweet this: What is Carding?

3. Threat subset: Vulnerability Identification

According to OWASP, there are hundreds of issues that could affect the security of a web application, and it only takes the discovery of one to allow a hacker an access path to valuable customer or business information. The process of finding potential targets is ideally suited to automation and automated attacks.

In order to trace application vulnerabilities bots have been used to collect and simulate digital footprints which is the data that exists as a result of actions and communications online that can in some way be traced back to an individual.

Digital footprints are broken down into active and passive data traces. Active data traces are the ones that the user leaves intentionally. Social media and blog posts, social network connections, image and video uploads, email, phone calls and chats are among the ways users generate active digital footprints.

On the other hand, passive data traces connected to an individual are left by others or gathered through activities that the user does without purposefully putting out data. Sophisticated bots are then used in automated footprinting actions to probe and explore an application in order to identify its constituents and properties. By doing so the attacker gathers valuable info about security processes which can later be used for launching a quick and damaging attack.

Hackers use bots to uncover website security vulnerabilities on a large scale. Vulnerability scanning involves crawling and fuzzing an application by bots acting like humans in order to identify weaknesses and possible vulnerabilities. Any vulnerabilities found are potential targets for further exploration.

Vulnerability Scanning

Image Source

Tweet this: What is Vulnerability Scanning?

Automated threats consist in elicit digital fingerprinting too. Just like every person has a unique fingerprint, every piece of media or software has identifying features that can be spotted by another smart software. It’s the same approach with good and bad bots, with the key difference that bad bots fingerprinting consists in harvesting information about the supporting software and framework types and versions for future misuse.

To sum up

OWASP Handbook of automated Threats

Numerous reports over the last few years suggest that the level of bot sophistication has continuously risen. Thanks to the advent of cheap or free cloud computing resources, anyone with basic computer skills can download open source software and get into the bot game. The bad bot landscape continues to evolve rapidly, in relation to the sophistication of bot software but also with an increased number of bots coming from Chinese service providers. 2015 saw a dramatic increase in APBs which have “smart” capabilities.

Many analytic tools, such as Google Analytics, function via a JavaScript code snippet. If bots can load analytic tools resources, they easily end up skewing analytic tools and throwing o key business and operational metrics. According to Distil Networks 2016 Bad Bot Landscape Report, 53% of bad bots will end up falsely attributed as humans in Google Analytics and similar tools.     

According to the Distil Networks report, not only are the bad guys lying about who they are, they’re repeatedly changing their identities over and over again with around 36% of bad bots disguised using two or more user agents, with the worst APB cases that changed identities over 100 times.

Tweet this: 36% of Bots are “Bad Bots”

Meanwhile, IT teams are under increasing pressure to accurately forecast and provision web infrastructure to meet the speed and availability demands of legitimate users. And marketing teams seek accurate data on website and conversion metrics.

Yet most companies still have little or no control or even visibility over malicious bot website trac. Luckily, the OWASP and other good guys have kept pace and are now providing improved bot protection knowledge and solutions. If you suspect bad bot abuses you should always turn to experts like GlobalDots to quickly turn the tables. Contact us today to help you out with your performance and security needs.

Learn More

Long-Term LastPass Breach Sounds Alarm For Static Credentials
Identity & Access Management (IAM)
Dr. Eduardo Rocha, Senior Solutions Engineer & Security Analyst @ GlobalDots 02.03.23

LastPass’ password management service has introduced millions of users to the convenience and security of unique passwords. Across mobile and browser, LastPass promises a near-passwordless experience for millions of individuals and over 100,000 businesses. However, recent news threatens to drop a bombshell on credential-based security.  The Year-Long LastPass Dual Breach  In August 2022, LastPass released […]

Read more
You’ll Need Zero Trust, But You Won’t Get It with a VPN
Dr. Eduardo Rocha, Senior Solutions Engineer & Security Analyst @ GlobalDots 12.01.23

Properly implemented, a zero trust architecture provides much more granular and effective security than legacy security models. However, this is only true if a zero trust initiative is supported with the right tools. Legacy solutions, such as virtual private networks (VPNs), lack the capabilities necessary to implement a zero trust security strategy. Zero Trust Security is […]

Read more
4 Ways Where Remote Access VPNs Fall Short
Dr. Eduardo Rocha, Senior Solutions Engineer & Security Analyst @ GlobalDots 09.01.23

The Global Content Delivery Network (CDN) market is expected to grow by $42.4 billion between now and 2032.

Read more
Unlock Your Cloud Potential
Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Book a Demo