2015-03-26

FAQ stubs created / Ontology and Bibliography tabs added


Revision as of 18:31, 26 March 2015

(4 intermediate revisions by the same user not shown)

Line 7:

Line 7:

| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |

| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |

+

== Automated Threats to Web Applications==

+

Web applications are subjected to unwanted automated usage – day in, day out. Often these events relate to misuse of inherent valid functionality, rather than the attempted exploitation of unmitigated vulnerabilities. Also, excessive misuse is commonly mistakenly reported as application denial-of-service (DoS) like HTTP-flooding, when in fact the DoS is a side-effect instead of the primary intent. Some examples commonly referred to are:



==The OWASP Automation Threats to Web Applications==

+

* Account enumeration

+

* Click fraud

+

* Comment spam

+

* Content scraping

+

* Data aggregation

+

* Email address harvesting

+

* Fake account creation

+

* Password cracking

+

* Payment card testing

+

* Site crawling

+

* Transaction automation



This project brings together research and analysis
of
real world automated attacks against
web
applications
, to
produce documentation to assist operators defend against these
threats
. Sector-specific guidance is available
.

+

Frequently these have sector-specific names. Most
of
these problems seen regularly by
web
application owners are not listed in any OWASP Top Ten or other top issue list. Furthermore
,
they are not enumerated or defined adequately in existing dictionaries. These factors have contributed
to
inadequate visibility, and an inconsistency in naming such
threats
, with a consequent lack of clarity in attempts to address the issues
.



==Description==

+

Without sharing a common language between devops, architects, business owners, security engineers, purchasers and suppliers/vendors, everyone has to make extra effort to communicate clearly. Misunderstandings can be costly. The adverse impacts affect the privacy and security of individuals as well as the security of the applications and related system components.

+

==Licensing==

+

All the materials are free to use. They are licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.



==Licensing==

+

© OWASP Foundation



+



Creative Commons Attribution ShareAlike 3.0

+

<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->

<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->

| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |



== What
is OWASP Automation Threats to Web Applications
? ==

+

== What
Is This
? ==

+

Information and resources to help web application owners defend against automated threats

+

== What Isn't It? ==



== Presentation ==

+

* Another vulnerability list

+

* Threat modelling

+

* Attack trees

+

* Non web

+

* Non application



* Due May 2015

+

==Project Objective==

+

+

This project brings together research and analysis of real world automated attacks against web applications, to produce documentation to assist operators defend against these threats. Sector-specific guidance will be available.

== Project Leader ==

== Project Leader ==
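Review bot: the added text carries two `==Licensing==` headings in this hunk, the first holding the CC BY-SA 3.0 paragraph and the second holding only "© OWASP Foundation" and "Creative Commons Attribution ShareAlike 3.0"; merge them into one section so the rendered page does not show the heading twice. The project is also named inconsistently within the same hunk: "Automated Threats to Web Applications" in the new top-level heading, but "Automation Threats to Web Applications" in the section heading below it and in the old "What is ..." heading; pick one form. Minor wording in the added Project Objective paragraph: "assist operators defend against" reads better as "assist operators in defending against", and the "What Isn't It?" bullets "Non web" and "Non application" should be hyphenated ("Non-web", "Non-application").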

Line 36:

Line 56:

[mailto:colin.watson@owasp.org Colin Watson]

[mailto:colin.watson@owasp.org Colin Watson]

+

== Contributors ==

+

+

[https://www.owasp.org/index.php?title=OWASP_Automation_Threats_to_Web_Applications&action=submit#Road_Map_and_Getting_Involved Please help] and your name can appear here. The project needs web application owner's threat information and reviewers.

== Related Projects ==

== Related Projects ==



+

* [[OWASP ModSecurity Core Rule Set Project|OWASP ModSecurity Core Rule Set Project]]



+

* [[OWASP AppSensor Project|OWASP AppSensor Project]]



== Openhub ==

+



+



+

<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->

<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE -->

| valign="top"  style="padding-left:25px;width:200px;" |

| valign="top"  style="padding-left:25px;width:200px;" |





== Quick Download ==



== News and Events ==

== News and Events ==

* [20 May 2015] Meeting at project summit in Amsterdam

* [20 May 2015] Meeting at project summit in Amsterdam



+

* [27 Feb 2015] Work underway



== In Print ==

+



+



+

==Classifications==

==Classifications==
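Review bot: the "Please help" link in the added Contributors line targets `...&action=submit#Road_Map_and_Getting_Involved`; in MediaWiki `action=submit` is the action the edit form posts to, not a view of the page, so readers following it do not land on the Road Map section. Link the page itself (drop `&action=submit`, or use a plain `#Road_Map_and_Getting_Involved` in-page anchor). Also "web application owner's threat information" should be the plural possessive "owners'".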



Line 76:

Line 89:

|}

|}

+

+

=Ontology=

+

+

= Bibliography =

=FAQs=

=FAQs=

+

''This page is in the process of creation''

+

; How do you define "web"?

+

: Answer

+

+

; How do you define "application"?

+

: Answer

+

+

; How do you define "automated threat"?

+

: Answer

+

+

; What is an "ontology"?

+

: Answer

+

+

; Isn't this another bug (vulnerability) list?

+

: Answer

+

+

; I thought "XYZ" already did that?

+

: Answer

+

+

; How can I help?

+

: Answer

= Acknowledgements =

= Acknowledgements =
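Review bot: every new FAQ entry carries the placeholder ": Answer", and the new "=Ontology=" and "= Bibliography =" tabs are added with no body at all; if these are meant to be live on the published page, put the "This page is in the process of creation" notice on those tabs too (it currently sits only under FAQs) or hold the empty tabs back until there is content. Heading spacing is also mixed within this hunk ("=Ontology=", "= Bibliography =", "=FAQs="), whereas the existing "= Acknowledgements =" uses spaces inside the markers.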

Line 89:

Line 127:

= Road Map and Getting Involved =

= Road Map and Getting Involved =



Feb-
March 2015:
Research;

+

The project's roadmap was updated in
March 2015:



April 2015: Creation of outputs;

+



May 2015: Publication and promotion;

+



Jun-Sep 2015: Gathering of additional contributions, updates to outputs, and translations.

+



+

+

* Feb-March 2015: Research on automated threats to web applications

+

* April 2015: Application owner interviews and creation of initial project outputs

+

* May 2015: Publication of outputs and request for review/data

+

* Jun-Sep 2015: Gathering of additional contributions, updates to outputs, and translations.

+

Can you help? The project is looking for information on the prevalence and types of automated threats seen by web application owners in the real world. This will be used to refine and organise the information gathered from research papers, whitepapers, security reports and industry news. If you would like to find out more, or have knowledge to contribute, please contact, me directly or using the project's mailing list:

+

* [mailto:colin.watson@owasp.org Colin Watson]

+

* (awaiting project mailing list to be set up)
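Review bot: stray comma in the added call for help, "please contact, me directly or using the project's mailing list"; read "please contact me directly or via the project's mailing list". The mailing-list bullet beneath it is still the placeholder "(awaiting project mailing list to be set up)", so the paragraph currently points readers to a channel that does not yet exist; either drop that bullet until the list is created or reword the paragraph to mention only the direct contact. The rewritten roadmap bullets are also inconsistent in punctuation: only the Jun-Sep item ends with a full stop.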
