Top Automated Threats To
Web And Mobile Applications

Credential Stuffing, Account Takeover, Content Scraping, Application DDoS


Shape defends against increasingly sophisticated automated cyberattacks that employ advanced techniques to evade traditional security solutions such as WAFs, IPC, and DDoS tools. Automated threats are responsible for millions in cyberfraud losses per day and target web and mobile applications of retailers, banks, airlines, healthcare organizations and government agencies.

Credential Stuffing (Account Takeover)

Definition of Credential Stuffing: 

Credential Stuffing is the use of automation to test usernames and passwords stolen from one site on other sites with the intent of taking over a large set of accounts en masse.


Credential Stuffing (OAT-008)

Threat Mechanism: 

Large scale automated attacks test lists of stolen credentials to check for re-use of login credentials. Username and password pairs are tested against website and mobile app authentication mechanisms.


Take over accounts and fraudulently transfer assets for monetary gain.

Symptoms: Other Names:

Account Takeover, Fake Account Creation, Credential Stuffing, Account Checking, Login Stuffing, Password List Attack, Stolen Credentials

5 minute video

Rising Threat from the Darknet

Credential Stuffing Attacks

A quick primer video on credential stuffing attacks and how adversaries use stolen usernames and passwords to hijack accounts

Content Scraping

Definition of Content Scraping: 

Content Scraping is the use of automated scrapers to read and scrape valuable information into another application.


Content Scraping (OAT-011)

Threat Mechanism: 

Automated scraper attacks attempt to read all accessible website pages and parameter values, and scrape valuable information into another application.


Collect unprotected, proprietary information for reuse elsewhere.

Symptoms: Other Names:

Bargain hunting, Comparative Shopping, Data Aggregation, Database Scraping, Harvesting, Meta Search Scraper, Mining, Mirroring, Pagejacking, Scraper Bot, Search Engine Bot, Social Media Bot


Application-Layer Denial of Service

Definition of Application Layer DDoS: 

Application Layer DDoS is the use of automation to repeatedly query resource-intensive services until the website no longer has the capacity to support legitimate users.


Application Layer DDoS (OAT-015)

Threat Mechanism: 

Adversaries use automation to repeatedly query resource-intensive services until the website no longer has the capacity to support legitimate users.


Disable critical site functionality to extort money or advance social/political/competitive causes.

Symptoms: Other Names:

Account Lockout, App Layer DDoS, Business Logic DDoS, Cash Overflow, Forced Deadlock, Hash DoS, Indexer DoS, Resource Depletion, Sustained Client Engagement


OWASP Automated Threat List

Corporations and government agencies are increasingly vulnerable to automated cyberattacks. OWASP recently published a list of twenty automated threats. For detailed information download the OWASP Automated Threat Handbook.

Account Aggregation (OAT-020)

Account Creation (OAT-019)

Ad Fraud (OAT-003)

CAPTCHA Bypass (OAT-009)

Carding (OAT-001)

Card Cracking (OAT-010)

Cashing Out (OAT-012)

Credential Cracking (OAT-007)

Credential Stuffing (OAT-008)

Denial of Service (OAT-015)

Expediting (OAT-006)

Fingerprinting (OAT-004)

Footprinting (OAT-018)

Scalping (OAT-005)

Scraping (OAT-011)

Skewing (OAT-016)

Sniping (OAT-013)

Spamming (OAT-017)

Token Cracking (OAT-002)

Vulnerability Scanning & Exploitation (OAT-014)

For detailed information on all twenty listed OWASP automated threats download the OWASP Automated Threat Handbook.

3 minute preview

Avivah Litan:

VP Distinguished Analyst, Gartner

How to Stop Automated Attacks on Web Applications.
Learn how and why automation-based attacks pose serious threats to web applications.

View Full On-Demand Webinar

Assess your current automated threat level

Get Threat Assessment