T 5.166 Misuse of a web application due to automated use
Automated use of a web application means invoking its functions under program control, for example with scripts that emulate keyboard and mouse input or that send the underlying HTTP requests directly. This allows a process to be repeated many times in a short period, so an attacker can efficiently carry out attacks on the web application that rely on repetition. By performing the login process repeatedly, for example, valid combinations of user name and password can be found systematically (brute force), or a list of valid user names can be compiled (enumeration) if the application responds differently to existing and non-existing accounts.
In addition, repeatedly calling resource-intensive functions (e.g. complex database queries) can be misused for denial-of-service attacks at the application level. Whereas a denial-of-service attack at the network level usually needs a large number of connections or packets, at the web application level a comparatively small number of requests can suffice, because each request costs the server far more processing than it costs the attacker to send.
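The repetition-based attacks above all depend on the attacker being able to issue requests faster than the application can absorb them, and the application-level denial of service in particular depends on the cost asymmetry between a cheap request and an expensive server-side operation. The following is an added example (not part of the catalogue entry, and not code from any product it describes) of a cost-weighted rate limiter: every client key gets a token bucket, and each request consumes tokens according to how expensive it is for the server, so a client can load many cheap pages per minute but only a few resource-intensive ones. The endpoint paths, their costs and the bucket parameters are assumptions chosen for illustration.

```python
"""Cost-weighted per-client rate limiting (added example, assumptions noted).

Assumed design: each client key (e.g. session ID or source address) owns a
token bucket that refills at a fixed rate; a request is served only if the
bucket holds at least as many tokens as the request costs the server.
"""
import time
from dataclasses import dataclass

# Hypothetical cost table: tokens consumed per request to each endpoint.
# The paths and values are assumptions for this example, not measurements.
ENDPOINT_COST = {
    "/app/index.php": 1,
    "/app/login.php": 5,         # repeated use enables brute force and lockout abuse
    "/app/userDetails.php": 5,   # repeated use enables enumeration
    "/app/report.php": 40,       # complex database query
}
DEFAULT_COST = 1


@dataclass
class Bucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    updated: float


class CostLimiter:
    def __init__(self, capacity=60.0, refill_per_sec=1.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock          # injectable so the behaviour can be tested offline
        self.buckets = {}

    def _bucket(self, key):
        """Fetch the client's bucket, crediting the tokens refilled since last use."""
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(self.capacity, self.refill, self.capacity, now)
            self.buckets[key] = b
        else:
            b.tokens = min(b.capacity, b.tokens + (now - b.updated) * b.refill_per_sec)
            b.updated = now
        return b

    def allow(self, key, path):
        """Return True and charge the bucket if the request may be served."""
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        b = self._bucket(key)
        if b.tokens >= cost:
            b.tokens -= cost
            return True
        return False


class FakeClock:
    """Deterministic clock so a request sequence can be replayed offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(requests, capacity=60.0, refill_per_sec=1.0):
    """Replay (seconds_since_previous, client_key, path) tuples.

    Returns (allowed, denied) counts for the whole sequence.
    """
    clock = FakeClock()
    limiter = CostLimiter(capacity, refill_per_sec, clock)
    allowed = denied = 0
    for delta, key, path in requests:
        clock.advance(delta)
        if limiter.allow(key, path):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    # One client firing the expensive report endpoint back to back (constructed input):
    burst = [(0.0, "client-a", "/app/report.php")] * 3 + [(20.0, "client-a", "/app/report.php")]
    print("report burst (allowed, denied):", simulate(burst))
    # The same client would get 60 cheap page views for the same budget:
    print("index burst (allowed, denied):", simulate([(0.0, "client-a", "/app/index.php")] * 100))
```

With the assumed parameters a single client gets one complex report immediately and another only after the bucket has refilled, while cheap page views pass sixty at a time; the asymmetry that makes the attack cheap is charged back to the attacker. In a real deployment the bucket should be keyed on something the attacker cannot trivially vary (an authenticated session rather than only the source address), and the costs should be derived from measured server-side effort.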
Examples:
- If a form in an online survey can be filled out and submitted automatically, an attacker can easily falsify the survey result by casting votes via script.
- Information on registered users (e.g. profile name and email address) can be retrieved via a URL of the web application (e.g. http://host.tld/app/userDetails.php?UserID=<number>). If this function is called automatically, for example by simply incrementing the numerical UserID, information on a large number of users can be collected with little effort (enumeration). The collected information can then be used for sending spam, for instance.
- If user accounts are locked for 10 minutes after five failed login attempts in order to make brute-force attacks more difficult, and an attacker knows the user names of the web application, failed login attempts against these accounts can be provoked automatically. By repeating this every time the lock expires, the attacker keeps the accounts locked indefinitely, and the legitimate users can no longer use the web application.
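The three login-related patterns in this entry (password brute force against one account, enumeration by incrementing a numerical UserID, and deliberately triggering the lockout on many known accounts) all leave a characteristic trace in application logs. The following is an added example (not from the catalogue entry or any product it describes) of a small detector run over constructed log lines. The key=value log format, the field names, the source addresses and the thresholds are assumptions for the example; the lockout limit of five failures is taken from the last example above.

```python
"""Detecting automated misuse in application logs (added example).

Assumed log format (an assumption for this example, not the catalogue's):
one event per line as space-separated key=value pairs, e.g.
    src=198.51.100.7 event=login_fail user=alice
    src=192.0.2.44 event=user_details id=101
"""
from collections import Counter, defaultdict


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; return None for lines that do not fit."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            return None
        fields[key] = value
    return fields if "src" in fields and "event" in fields else None


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids (0 if empty)."""
    s = sorted(set(ids))
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(lines, lockout_limit=5, min_locked_accounts=3, min_enum_run=10):
    """Return findings for the three patterns described in the threat entry.

    brute_force:   (src, user, failures) - one source hammering one account
    lockout_abuse: (src, accounts)       - one source driving many accounts to the lockout limit
    enumeration:   (src, ids, run)       - one source walking through consecutive user IDs
    """
    fails = Counter()                  # (src, user) -> failed logins
    ids_by_src = defaultdict(list)     # src -> UserIDs requested
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "login_fail" and "user" in ev:
            fails[(ev["src"], ev["user"])] += 1
        elif ev["event"] == "user_details" and ev.get("id", "").isdigit():
            ids_by_src[ev["src"]].append(int(ev["id"]))

    # Accounts each source has pushed to the lockout limit.
    locked_by_src = defaultdict(set)
    for (src, user), n in fails.items():
        if n >= lockout_limit:
            locked_by_src[src].add(user)
    lockout_abuse = sorted((src, len(users)) for src, users in locked_by_src.items()
                           if len(users) >= min_locked_accounts)
    abusive = {src for src, _ in lockout_abuse}
    # Single-account guessing from sources not already flagged for mass lockout.
    brute_force = sorted((src, user, n) for (src, user), n in fails.items()
                         if n >= lockout_limit and src not in abusive)
    enumeration = []
    for src, ids in ids_by_src.items():
        run = longest_consecutive_run(ids)
        if run >= min_enum_run:
            enumeration.append((src, len(set(ids)), run))
    enumeration.sort()
    return {"brute_force": brute_force, "lockout_abuse": lockout_abuse,
            "enumeration": enumeration}


def constructed_sample():
    """Constructed log lines (not real traffic) exercising each pattern."""
    lines = []
    # password guessing against one account from one source
    lines += ["src=198.51.100.7 event=login_fail user=alice"] * 8
    # lockout abuse: five known accounts each driven to the lockout limit
    for user in ("bob", "carol", "dave", "erin", "frank"):
        lines += [f"src=203.0.113.9 event=login_fail user={user}"] * 5
    # enumeration: UserID incremented from 100 to 115
    lines += [f"src=192.0.2.44 event=user_details id={i}" for i in range(100, 116)]
    # benign activity: two mistyped passwords, a successful login, one profile lookup
    lines += ["src=192.0.2.5 event=login_fail user=alice"] * 2
    lines += ["src=192.0.2.5 event=login_ok user=alice",
              "src=192.0.2.5 event=user_details id=57"]
    return lines


if __name__ == "__main__":
    for kind, hits in analyze(constructed_sample()).items():
        print(kind, hits)
```

The enumeration check keys on consecutive identifiers because that is the cheapest automation strategy for a numerical UserID; a scanner that randomises IDs would have to be caught by the raw request count per source instead, and an attacker who spreads requests across many source addresses evades all three per-source counters, which is why the detector should be combined with per-session throttling rather than used alone.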