SHAPE ADVANCED APPLICATION DEFENSE

Harden your web and mobile applications against automated attacks

Automated attacks on enterprise web and mobile applications have increased dramatically over the past few years. Prominent incidents, including the Uber account hijacking and the IRS/Intuit tax fraud, highlight the new reality of web security: a breach anywhere is a breach everywhere. When one site is breached, criminals use automation to test the stolen customer credentials against other websites. Because customers commonly reuse passwords, the question is not whether attackers will gain access to user accounts on other sites, but how many accounts they will access. Automated attacks are the #1 web security threat according to Verizon's 2015 Data Breach report, and they are evading existing security protections.

How Does Shape Defeat Automated Attacks?

The Shape solution comprises a high-performance security appliance and a sophisticated machine-learning back end. Shape's world-class team of security and web experts develops and deploys countermeasures that deflect automated attacks at all three levels of the web application: the user interface, the browser or app, and the network.

How Do Attackers Use Automation to Succeed?

Automated attacks on web and mobile applications rely on automation and AI techniques that mimic human behavior in order to defeat existing defenses. Attackers can drive an application at any of three levels:

• User Interface – The attacker simulates interaction with the user interface. Example tools: Selenium and Sikuli.
• Browser/App – The attacker uses a headless browser to interact with the target web page. Example tool: PhantomJS.
• Network – The attacker automates HTTP(S) GET or POST requests directly, without rendering the page. Example tools: cURL and Wget.

Common automated attacks include:

• Credential Stuffing & Account Takeover – The attacker tests a list of authentication credentials, taken from a secondary marketplace or from large-scale breaches, to discover where users have reused them. Credential stuffing attacks lead to account hijacking and online fraud.
• Content Scraping – The attacker scrapes valuable information from an enterprise website and sells it to the enterprise's competitors or to industry aggregators. For example, an attacker scrapes information about specific fare codes from an airline website and sells it to passengers who can then book those special fares.
• Application DDoS – The attacker launches a large number of transactions that exercise resource-intensive business logic. For example, automated transactions that add items to a shopping cart on an online retail website can slow the site down or deny access to it entirely.
• Man in the Browser (MitB) – In banking, MitB malware residing in the browser waits until a user has authenticated, then automates the creation of new payees, checks account balances, and transfers funds to accounts controlled by the attacker.

Shape Security is the best defense against these and many other automated attacks on web applications and API services.
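As an added example (it is not Shape's code and not part of the original datasheet), the following Python script shows what a credential-stuffing run described above looks like in a login log, and the simplest per-source heuristics a security team can apply to it: many distinct usernames from one client, a high failure ratio, and machine-regular request timing, with any success inside such a run treated as an account takeover. The log format, the sample lines, the thresholds and the function names are all assumptions made for this illustration.

```python
"""Credential-stuffing heuristics over constructed login-log lines.

Assumed (hypothetical) log format, one login attempt per line:
    <client ip> <ISO-8601 timestamp> <HTTP status> user=<submitted username>
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real traffic. 203.0.113.7 works through a
# breached credential list (one username per attempt, one reused password
# succeeds); 198.51.100.24 is a person mistyping their own password.
SAMPLE_LOG = """\
203.0.113.7 2015-06-01T10:00:00 401 user=amy.jones
198.51.100.24 2015-06-01T10:00:01 401 user=alice
203.0.113.7 2015-06-01T10:00:02 401 user=bgarcia
203.0.113.7 2015-06-01T10:00:04 401 user=cchen
192.0.2.5 2015-06-01T10:00:05 200 user=bob
203.0.113.7 2015-06-01T10:00:06 401 user=dpatel
203.0.113.7 2015-06-01T10:00:08 200 user=e.kim
203.0.113.7 2015-06-01T10:00:10 401 user=fmueller
203.0.113.7 2015-06-01T10:00:12 401 user=gsmith
203.0.113.7 2015-06-01T10:00:14 401 user=hlopez
203.0.113.7 2015-06-01T10:00:16 401 user=ivanov
203.0.113.7 2015-06-01T10:00:18 401 user=jwilson
198.51.100.24 2015-06-01T10:00:19 401 user=alice
198.51.100.24 2015-06-01T10:00:47 200 user=alice
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$")


def parse_log(text):
    """Group attempts by client IP: {ip: [(timestamp, status, user), ...]}, time-sorted."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        by_ip[m["ip"]].append((datetime.fromisoformat(m["ts"]), int(m["status"]), m["user"]))
    for events in by_ip.values():
        events.sort()
    return by_ip


def profile(events):
    """Per-source features that separate a stuffing run from a human retrying a password."""
    attempts = len(events)
    distinct_users = len({user for _, _, user in events})
    failures = sum(1 for _, status, _ in events if status in (401, 403))
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    # Coefficient of variation of the inter-request gap: ~0 means a scripted loop.
    if len(gaps) >= 2 and statistics.mean(gaps) > 0:
        gap_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
    else:
        gap_cv = None  # too few requests to judge timing
    return {
        "attempts": attempts,
        "distinct_users": distinct_users,
        "failure_ratio": failures / attempts,
        "gap_cv": gap_cv,
    }


def is_credential_stuffing(p, min_users=5, min_failure_ratio=0.8, max_gap_cv=0.25):
    """Thresholds are illustrative assumptions, not published Shape parameters."""
    return (
        p["distinct_users"] >= min_users
        and p["failure_ratio"] >= min_failure_ratio
        and p["gap_cv"] is not None
        and p["gap_cv"] <= max_gap_cv
    )


def detect(text):
    """Return {ip: profile} for every source whose behaviour matches a stuffing run."""
    flagged = {}
    for ip, events in parse_log(text).items():
        p = profile(events)
        if is_credential_stuffing(p):
            flagged[ip] = p
    return flagged


def compromised_accounts(text):
    """Usernames that logged in successfully from a flagged source: these are takeovers."""
    by_ip = parse_log(text)
    hits = []
    for ip in detect(text):
        hits.extend(user for _, status, user in by_ip[ip] if status == 200)
    return sorted(hits)


if __name__ == "__main__":
    for ip, p in detect(SAMPLE_LOG).items():
        print(f"{ip}: {p}")
    print("accounts to lock and notify:", compromised_accounts(SAMPLE_LOG))
```

On the sample data only 203.0.113.7 is flagged (10 attempts, 10 distinct usernames, 90% failures, a fixed 2-second gap), and e.kim is the reused credential that the run validated. The limits of this approach are exactly the page's argument: an attacker at the browser or UI level can spread the list across a botnet so each source makes a handful of attempts, randomize timing, and run the real login page, at which point per-IP counters and rate limits see nothing unusual.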