Web Application Owner Survey
This survey is to collect data for the OWASP Automated Threats to Web Applications Project https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications

There is significant knowledge about application vulnerability types, and some general consensus about identification and naming. Issues relating to the misuse of valid functionality, which may be related to design flaws rather than implementation bugs, are less well defined. Yet these problems are seen day in, day out by web application owners. Excessive abuse of functionality is commonly mistaken for application denial-of-service (DoS) such as HTTP flooding or application resource exhaustion, when in fact the DoS is a side-effect. Some examples are blog and comment spam, fake account creation, password cracking, web scraping, etc. Most of these problems seen regularly by web application owners are not listed in any OWASP Top Ten or other top issue list or dictionary.

These factors have contributed to inadequate visibility and inconsistency in naming such threats, with a consequent lack of clarity in attempts to address the issues. The OWASP Automated Threats to Web Applications Project is in the process of reviewing reports, academic and other papers, news stories and vulnerability taxonomies/listings to identify and name classes of these threats: threat events to web applications that are undertaken using automated actions. The aim is to produce an ontology providing a common language for devops, architects, business owners, security engineers, purchasers and suppliers/vendors, to facilitate clear communication and help in tackling the issues. The project also intends to identify symptoms, mitigations and controls in this problem area.

The project would like to receive real-world experience on the prevalence and naming of such threats - especially from those responsible for the ongoing operation of web applications. Please provide your experience below.

You can submit the survey multiple times for different sectors or different applications, if you prefer. You can also edit your response after submission. You can be completely anonymous.

This survey was opened on 21st April 2015 and is still running through AppSec EU to the end of May 2015.
1. What industry sector does the application/your experience relate to?
E.g. Technology, Ecommerce, Financial, Government.
2. Can you tell us anything about the web application(s) this information refers to?
For example, whether users can log in, whether payments are collected, the general type (e.g. a conventional website, an API, a single page application), types of users (e.g. citizens, employees, customers, clients), primary user geographic locations (e.g. worldwide, Asia, Iceland) and its scale.
3. What is your role in relation to the application(s)?
E.g. Business owner, Operations, DevOps lead, CIO, CTO, CISO.
4. Which of the following threats affect your application, and how frequently?
There may be overlaps. The names are not finalised; please provide suggestions and comments in the questions below.
Frequency scale:
[Don't know what this is]
[Never]
Rarely (1-2 times/yr)
Quarterly
Every month
Every week
Every day
More than once/day
Continuously
Threats:
Credential Cracking (Identify valid login credentials by trying different values for usernames and/or passwords)
CAPTCHA Cracking (Solve anti-automation tests)
Fake Account Creation (Create accounts for subsequent misuse)
Credential Stuffing (Mass login attempts used to verify the validity of stolen username/password pairs)
Account Aggregation (Use of an intermediary application to collect together and interact with accounts related to many other applications)
Payment Card Fraud (Buy goods or obtain cash from stolen payment cards)
Card Verification (Small purchases used to verify the validity of bulk stolen payment card data)
Card Cracking (Identify missing payment card details by trying different values for expiry date and security code)
Data Harvesting (Read application content and data, copying it elsewhere)
Content Aggregation (Use of an intermediary application to collect together and consume content from many application sources, republishing it as content on the web)
Cheating (Violate explicit or implicit assumption(s) about the application's use to achieve unfair individual gain, often associated with deceit and loss to some other party)
Click Fraud (False click-throughs)
Impression Fraud (False content impressions)
Man-in-the-Browser (Compromise of web browser)
Code Alteration (Modify application source code, or executing code, or configuration)
Content Spam (Information addition that appears in content, or alters metrics or statistical data)
Application Consumption (Misuse of the application to perform calculations, or process data, or perform other actions against other applications, hosts, or in the physical world)
Fingerprinting (Requests used to elicit information about the supporting web, application and database server and framework types and versions)
Footprinting (Probing and exploration to identify constituents and properties of the application)
Vulnerability Scanning (Application crawling and fuzzing in an attempt to identify weaknesses and possible vulnerabilities)
Reverse Engineering (Exercise an application, or part of an application, with the intent to gain insight into how it is constructed and operates)
HTTP Flood DoS (High rate or number of HTTP requests)
HTTP Slow DoS (Partial HTTP request headers sent, or fragmented request bodies sent, or slow response read)
Web Application (layer 7) DoS (Denial of service achieved by targeting resources of the application and database servers)
User DoS (Individual users locked out or unable to register/use the application)
5. Your comments and suggestions
Are any automated attacks that your application is affected by missing? For anything missing, how often does the threat materialise? Can you suggest names you are familiar with instead?
6. Did you want to mention anything else?
Please let us know. For example, provide your name and contact details if you would like to help further.
This form was created inside of OWASP Foundation.