OWASP Automated Threats - Credential Stuffing (OAT-008)


In this OWASP Automated Threat Article we'll be highlighting OAT-008 Credentials Stuffing with some basic threat information as well as a recorded demo to dive into the concepts deeper. In our demo we'll show how Credential Stuffing works with Automation Tools to validate lists of stolen credentials leading to manual Account Takeover and Fraud. We'll wrap it up by highlighting F5 Bot Defense to show how we solve this problem for our customers.

Credential Stuffing Description:

Lists of authentication credentials stolen from elsewhere are tested against the application’s authentication mechanisms to identify whether users have re-used the same login credentials. The stolen usernames (often email addresses) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps. Unlike OAT-007 Credential Cracking, Credential Stuffing does not involve any bruteforcing or guessing of values; instead credentials used in other applications are being tested for validity

Likelihood & Severity

  • Credential stuffing is one of the most common techniques used to take-over user accounts.
  • Credential stuffing is dangerous to both consumers and enterprises because of the ripple effects of these breaches.

Anatomy of Attack

  1. The attacker acquires usernames and passwords from a website breach, phishing attack, password dump site.
  2. The attacker uses automated tools to test the stolen credentials against many websites (for instance, social media sites, online marketplaces, or web apps).
  3. If the login is successful, the attacker knows they have a set of valid credentials.

Now the attacker knows they have access to an account. Potential next steps include:

  1. Draining stolen accounts of stored value or making purchases.
  2. Accessing sensitive information such as credit card numbers, private messages, pictures, or documents.
  3. Using the account to send phishing messages or spam.
  4. Selling known-valid credentials to one or more of the compromised sites for other attackers to use.

OWASP Automated Threat (OAT) Identity Number


Threat Event Name

Credential Stuffing

Summary Defining Characteristics

Mass log in attempts used to verify the validity of stolen username/password pairs.


OAT-008 Attack Demographics:

Sectors Targeted Parties Affected Data Commonly Misused Other Names and Examples Possible Symptoms
Entertainment Many Users Authentication Credentials Account Checker Attack Sequential login attempts with different credentials from the same HTTP client (based on IP, User Agent, device, fingerprint, patterns in HTTP headers, etc.)
Financial Application Owner   Account Checking High number of failed login attempts
Government     Account Takeover Increased customer complaints of account hijacking through help center or social media outlets
Retail     Login Stuffing  
Social Networking     Password List Attack  
      Password re-use  
      Use of Stolen Credentials  


Credential Stuffing Demo:

In this demo we will be showing how attackers leverage automation tools with increasing sophistication to execute credential stuffing against the sign in page of a web application. We'll then have a look at the same attack with F5 Distributed Cloud Bot Defense protecting the application.




In Conclusion:

A common truism in the security industry says that there are two types of companies—those that have been breached, and those that just don’t know it yet. As of 2022, we should be updating that to something like “There are two types of companies—those that acknowledge the threat of credential stuffing and those that will be its victims.”

Credential stuffing will be a threat so long as we require users to log in to accounts online. The most comprehensive way to prevent credential stuffing is to use an anti-automation platform. 


OWASP Automated Threats to Web Applications Home Page

OWASP Automated Threats Identification Chart

OWASP Automated Threats to Web Applications Handbook

F5 Related Content


Updated Apr 23, 2024
Version 2.0

Was this article helpful?

No CommentsBe the first to comment