Alycia DuBry

Jun 1, 2023, 2:25:05 PM
to API Security Project
Hello!

I am joining this group to keep informed on OWASP Top 10 items. One of my big areas of interest is how others are hardening themselves/protecting themselves from Credential Stuffing Attacks.

Respectfully,
Alycia DuBry
Sr Information Security Manager
Pushpay

mohit verma

Jun 1, 2023, 2:44:15 PM
to Alycia DuBry, API Security Project
Hey Alycia,

You can try implementing 2FA; even if the creds stuffed are valid and are taken from any recent breaches, you can prevent unauthorised access. There are a lot of methods to implement it; I prefer Google Authenticator as it is very cheap to implement.

Some best practices are to mask PII and PHI data, implement 2FA for payments processing and provide users the option to terminate all active sessions.

Now, in any worst-case scenario, if a user doesn't have 2FA you can send a notification to the user's email whenever he logs in, but if you have a wide application audience then it might cost you resources.

Hope that helps and if there are any other alternatives please let me know.

Regards,
Mohit

--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/3ac011be-8616-42eb-b4ca-d9432f9f29d7n%40owasp.org.

Paulo Silva

Jun 1, 2023, 7:53:12 PM
to mohit verma, Alycia DuBry, API Security Project

Nick Rieniets

Oct 4, 2023, 8:38:08 AM
to API Security Project, Paulo Silva, Alycia DuBry, API Security Project, mohit verma
As most credential abuse attacks are launched by tools such as OpenBullet (https://github.com/openbullet/OpenBullet2), many companies use bot mitigation to prevent credential abuse attacks. There is a substantial community and marketplace built around OB, with crackers largely gravitating to Telegram to sell configs / cracked accounts, etc.
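Since the thread mentions automated credential-stuffing tooling and bot mitigation, here is an added example of the detection side (not posted by anyone in the thread): a small Python scan over constructed authentication log lines that separates a source spraying many different accounts from a single user mistyping their own password. The log format, thresholds and sample IPs are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (not from the thread): one authentication event per line.
LOG_RE = re.compile(r"ts=(\S+) ip=(\S+) user=(\S+) result=(success|fail)")

def parse_auth_log(lines):
    """Yield (ts, ip, user, success) tuples; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "success"

def detect_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs trying many distinct usernames with mostly failures.
    A mistyped password fails repeatedly on ONE account; a stuffing tool fails
    across MANY accounts and occasionally hits one (listed as 'compromised').
    """
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for _ts, ip, user, ok in parse_auth_log(lines):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)      # successful login from this source
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2), "compromised": sorted(s["hits"])}
    return flagged

# Constructed sample log: one stuffing source that gets one hit, one legitimate
# user who mistypes twice, one low-volume source below threshold, one bad line.
SAMPLE_LOG = (
    [f"ts=2023-10-04T08:00:{i:02d}Z ip=203.0.113.7 user=user{i} result=fail" for i in range(9)]
    + ["ts=2023-10-04T08:00:09Z ip=203.0.113.7 user=dana result=success",
       "ts=2023-10-04T08:01:00Z ip=198.51.100.4 user=alice result=fail",
       "ts=2023-10-04T08:01:05Z ip=198.51.100.4 user=alice result=fail",
       "ts=2023-10-04T08:01:10Z ip=198.51.100.4 user=alice result=success",
       "ts=2023-10-04T08:02:00Z ip=192.0.2.9 user=bob result=fail",
       "ts=2023-10-04T08:02:01Z ip=192.0.2.9 user=carol result=fail",
       "garbage line with no fields"]
)
```

The `compromised` list is what an incident responder would act on first (forced password reset and session termination, as suggested earlier in the thread), while the flagged IP feeds the bot-mitigation or rate-limiting layer.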

W Rodriguez

Oct 4, 2023, 9:28:44 AM
to Alycia DuBry, API Security Project
Loving the info!
