Credential stuffing occurs when an attacker uses a batch of hacked user credentials to gain access to a system. This happens after all the credentials they need were obtained from a data breach at a different provider and are now being utilized to access the target system. This article provides an in-depth look into OWASP credential stuffing and how it works in cyber security, as well as effective tools and measures to prevent it from affecting your organization.
What is credential stuffing in cyber security?
Credential stuffing is a type of cyberattack in cyber security in which login information from one company is stolen and then used to get into a user account at another company. The stolen information is seen in a breach or on the dark web.
Because 64% of people use the same password for multiple (and sometimes all) accounts, credential stuffing attacks are one of the most common reasons for data breaches. Credential stuffing is so common on Auth0’s platform that almost half of all login requests we get every day are attempts to do it.
That is to say, the more credentials become visible through leaks, cybercriminals will have more chances to use credential stuffing. Bills of stolen credentials are floating around on the dark web. You can stop credential stuffing threats, though, if you take the right cybersecurity steps.
What is credential stuffing in cyber security?: How It Works
To execute a credential stuffing attack in cyber security, criminals add a list of stolen username and password pairs to a botnet, which then automatically tries those credentials on a bunch of different websites at once. Websites can get up to 180 times their normal traffic during an attack from a botnet, which can overwhelm a business’s IT system. Cybercriminals will have full access to a user’s account and personal information once they discover a website that accepts their passwords. This most commonly includes:
#1. Selling Access to Compromised Accounts
For media streaming sites, this happens a lot. Attacks where hackers sold access to user accounts for less than the price of a ticket have affected Disney+, Netflix, and Spotify.
#2. Fraud in Electronic Commerce
Hackers create fake accounts on stores’ websites to buy expensive items for themselves or to sell them again. As a result of this common (and possibly profitable for thieves) type of identity theft, Akamai’s research shows that retail is the most likely industry aimed at credential stuffing.
#3. Corporate/Institutional Theft and Espionage`
All of the above crimes are very bad for businesses and their customers, but this third type of attack could be the worst for employers. Attackers who successfully take over an employee or administrator’s account could get private personal information like credit card numbers, social security numbers, addresses, and login credentials, which they could then sell to anyone who pays the most money.
How to Prevent Credential Stuffing: Best Tools To Use
Most people know password reuse is unsafe but choose to use the same password on multiple sites anyway because they have roughly 100 passwords to remember. Password managers are an option, but adoption rates are low.
So to prevent credential stuffing attacks in cyber security, it’s up to organizations to take measures—such as removing passwords altogether—to ensure cybercriminals can’t use stolen credentials to access their users’ accounts. Based on OWASP’s Credential Stuffing Prevention Cheat Sheet, below are several tools and methods for doing so.
How to Prevent Credential Stuffing: Step-by-step Guide
As scary as it may sound, many easy steps can be taken to significantly decrease the risk of credential stuffing. Some of the tools require the efforts of service providers, while others require account users to bear a bit of inconvenience.
#1. Credential Hashing
Credential hashing is the first step to protecting your user’s credentials from theft. Hashing scrambles a user’s password before you store it in your database so that if it is stolen, a hacker won’t be able to use it (in theory, at least). In practice, not all password hashing is uncrackable. Rick Redman, a penetration tester at KoreLogic, explains, “The strength of the hash is the insurance policy. It tells you how much time users have to change their passwords after a data breach before they come to harm. So although hashing user passwords won’t prevent a credential stuffing attack, it will limit what a cybercriminal can do with those passwords once they’ve stolen them.
#2. Create Strong Passwords
Cybercriminals are banking on the fact that people are guilty of password reuse. A Google survey found that 65% of all people use the same username and password combination on multiple accounts. Don’t be a statistic. Practice good password hygiene by creating unique passwords for each account. Use a password manager that offers a random password generator tool. A password management tool can create strong passwords for you and store them in an encrypted digital vault, protecting them from unauthorized users.
#3. Use Multi-Factor Authentication (MFA)
MFA adds an extra layer of security to your login process, requiring users to provide two or more forms of identification before granting access to their accounts. This can include something the user knows, such as a password, and something they have, such as a security token or fingerprint.
While MFA is an effective tool for preventing credential stuffing attacks, it is not the final answer. Man-in-the-middle (MITM) phishing attacks can compromise or bypass MFA and gain access to users’ accounts. So, it’s important for users to only enter their credentials on websites they trust and for companies to use a strong bot management solution that protects against MITM attacks.
#4. Use a Web Application Firewall (WAF)
A web application firewall can come in the form of software, an appliance, or a service. WAFs protect your applications by filtering, monitoring, and blocking any malicious traffic traveling to the web app. They can detect suspicious login attempts and abnormal traffic from bots. They do this by following policies that determine what traffic is malicious and what traffic is safe. For example, multiple login requests from multiple sites or unfamiliar IP addresses can trigger a WAF.
#5. Use a Modern CAPTCHA
A CAPTCHA is a security test to distinguish humans from automated bots. Traditional CAPTCHAs may involve selecting images or entering text to prove the user’s identity. The problem is that traditional CAPTCHAs are not effective because bots can get around them. MatchKey, from Arkose Labs, is the ideal CAPTCHA. It prevents credential stuffing by using dynamic challenges that are tailored to a given attack. Websites can avoid credential stuffing attacks by asking users to complete a MatchKey challenge, which is possible even with strong passwords if they reuse them on several accounts.
#6. Educate Your Team
Social engineering is among the most prominent cybersecurity dangers facing small and large enterprises. Your employees are the first line of defense when protecting your organization. Unsure about your team’s knowledge of social engineering tactics? Conduct a phishing test to see which employees take the bait. Ensure that your team knows the latest social engineering tactics and enforces policies and best practices. For companies operating with remote workers or a hybrid work model, instill good password hygiene best practices so that you have trust in your employees even when outside of the office.
Credential Stuffing OWASP
The Open Web Application Security Project (OWASP) is a non-profit group created in 2001 to help website owners and security experts keep web applications safe from hackers. 32,000 people from all over the world volunteer with OWASP to do studies and security assessments. Also, the OWASP Software Assurance Maturity Model (SAMM), the OWASP Development Guide, the OWASP Testing Guide, and the OWASP Code Review Guide are some of OWASP’s most important products. We’ll talk more about the OWASP credential stuffing Top 10 below.
Also, the following training will get you started with ModSecurity and the CRS v3.
- Installing ModSecurity
- Including the OWASP ModSecurity Core Rule Set
- Handling False Positives with the OWASP ModSecurity Core Rule Set
These courses are part of a larger set of Apache/ModSecurity guidelines released by Netnea. Christian Folini, a co-leader of the CRS project, wrote them. More information about the rule set can be found on the official website.
Credential Stuffing OWASP: What’s New in the OWASP Top 10 2021?
Here’s what happened on the OWASP top 10 credential stuffing sites from 2017 to 2021: This list of the OWASP Top 10 is in order of how important they are. For example, OWASP says that A01 is the most important vulnerability, A02 is the second most important, and so on.
#1. A01:2021 Access Control Is Broken
Broken access control means attackers can enter user accounts and log in as users or administrators. It also means that normal users can get privileged functions without meaning to. Strong access controls make sure that each job has clear, separate permissions. It also moved up from #5 to #1 because OWASP discovered that 94% of applications have an access control weakness.
#2. (A02:2021). Cryptographic Failures
Cryptographic failures, which used to be called sensitive data exposure, protect data both while it’s being sent and while it’s being stored. Passwords, credit card numbers, health records, personal data, and other private data are all examples of this. It also moved from #3 to #2. This reflects the increasing importance of encryption in modern applications.
#3. (A03:2021) Injection
An injection vulnerability in a web application enables attackers to send harmful data to an interpreter, which compiles and runs that data on the server. SQL injection is a type of injection that is often used. Injection moved down from #1 to #3, even though 94% of applications tested had some type of injection vulnerability.
#4. A04: 2021 Insecure Design
Insecure design is a collection of flaws caused by insufficient or non-existent security measures. Some programs have been developed with no regard for security. Others have been designed to be secure, but they have flaws in their execution that allow hackers to gain access. Implementation of configuration errors, by definition, cannot repair an insecure system.
#5. A05:2021 Security Misconfiguration
The need for security misconfiguration means that the service stack is not secure enough. This includes setting up cloud service rights incorrectly, installing or turning on features that aren’t needed, and using the wrong admin account or password. XML External Entities (XXE), which used to be its own OWASP group, are now also part of this.
#6. A06:2021—Vulnerable and Outdated Components
Vulnerable and Outdated Components, formerly known as “Using Components with Known Vulnerabilities,” lists vulnerabilities caused by software that has not been updated or has passed its expiration date. Anyone who creates or uses an application without knowing what parts are inside, what versions they are, and whether they have been changed is vulnerable to this type of flaw.
#7. A07:2021: Failures in Authentication and Identification
Broken authentication, which is now identification and authentication failures, now includes security issues with user IDs as well. Protecting against many types of attacks and exploits requires confirming and verifying user identities and setting up private session management.
Credential Stuffing OWASP: Why It Is Important
OWASP Top 10 is a research project that ranks the top 10 most serious web application security risks and gives tips on how to fix them. Security experts from all over the world agreed on what was written in the study. There are different levels of risks based on how bad the weaknesses are, how often they happen, and how bad the effects could be.
The purpose of the study is to help web application security experts and developers understand the most common security risks so that they can use what they’ve learned in their security projects. In their web applications, this can help limit the appearance of known risks like these.
What causes credential stuffing?
Credential stuffing occurs as a result of data breaches at other companies.
What is credential stuffing analysis?
Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) into website login forms to fraudulently gain access to user accounts.
What is the biggest credential stuffing attack?
Norton was hit but it was a brute force credential stuffing attack
What is the best solution to credential stuffing?
Multi-factor authentication (MFA) is a highly effective way to prevent credential stuffing
References
