From its original release in 2015, the OWASP Automated Threat Handbook has now become a de facto industry standard in detecting and mitigating threats by malicious web automation. Every bot mitigation vendor and many buyers of these services now use the ontology defined in this handbook. In this new version of the OWASP Automated Threat Handbook, the previously named automated threat event OAT-009 CAPTCHA Bypass has been renamed OAT-009 CAPTCHA Defeat, and a new threat event OAT-021 Denial of Inventory has been added.
CAPTCHA Bypass was originally used for OAT-009 since this is by far the most common name used.
However, subsequent feedback suggests this is confusing, since the puzzle is not actually bypassed, but is solved in an automated manner – not because the CAPTCHA was implemented improperly, but because the CAPTCHA itself is simply not effective against motivated attackers.
The name CAPTCHA Defeat has therefore been adopted. Denial of Inventory has been added since its defining characteristics do not match any of the 20 previously defined automated threat events. This threat is often seen in ecommerce applications where attackers add items to their basket to deny them to other users through the creation of a stock-out condition, and never actually check out. Similar allocation without purchase, payment, or transaction completion also occurs in some non-ecommerce applications. In addition to these changes, we have acknowledged additional contributors and reviewers, updated the countermeasures copy, added other names and examples to several threat events, and made numerous corrections to grammar, spelling mistakes, and typographical errors.
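The stock-out condition behind OAT-021 Denial of Inventory depends on basket holds that never convert to a purchase. The following is an added example, not part of the handbook or any vendor's code, of a basket-hold model that limits that condition: holds lapse after a TTL and each session may hold only a capped number of units. The TTL, the cap and the scenario figures are constructed assumptions.

```python
# Added example, not from the handbook: a basket-hold model that limits the
# stock-out condition OAT-021 Denial of Inventory relies on. Held stock is
# released when its TTL lapses, and each session may hold only a few units.
from dataclasses import dataclass, field
from typing import List, Tuple

HOLD_TTL_SECONDS = 600      # assumption: a basket hold lapses after 10 minutes
MAX_UNITS_PER_SESSION = 5   # assumption: per-session cap on units held
Hold = Tuple[str, int, float]   # (session id, units held, expiry timestamp)

@dataclass
class Inventory:
    stock: int
    holds: List[Hold] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Lapsed holds are dropped, so abandoned baskets return stock to the pool.
        self.holds = [h for h in self.holds if h[2] > now]

    def available(self, now: float) -> int:
        self._expire(now)
        return self.stock - sum(h[1] for h in self.holds)

    def reserve(self, session: str, units: int, now: float) -> bool:
        """Place a time-bound hold; refuse it if it breaches the cap or the stock."""
        self._expire(now)
        held = sum(h[1] for h in self.holds if h[0] == session)
        if units <= 0 or held + units > MAX_UNITS_PER_SESSION:
            return False
        if units > self.available(now):
            return False
        self.holds.append((session, units, now + HOLD_TTL_SECONDS))
        return True

    def checkout(self, session: str, now: float) -> int:
        """Turn the session's live holds into a sale; returns the units sold."""
        self._expire(now)
        sold = sum(h[1] for h in self.holds if h[0] == session)
        self.holds = [h for h in self.holds if h[0] != session]
        self.stock -= sold
        return sold

def simulate_hoarding() -> Tuple[int, int, bool]:
    """Constructed scenario: 50 bots each hold 5 units of a 100-unit item and
    never check out; a genuine shopper arrives after the TTL has lapsed."""
    inv = Inventory(stock=100)
    for i in range(50):
        inv.reserve(f"bot-{i}", 5, now=0.0)          # only the first 20 succeed
    during = inv.available(now=0.0)                  # 0: stock-out while held
    later = inv.available(now=HOLD_TTL_SECONDS + 1)  # 100: holds have lapsed
    shopper_ok = inv.reserve("shopper", 1, now=HOLD_TTL_SECONDS + 1)
    return during, later, shopper_ok
```

Without the TTL the 20 successful bot sessions would hold the item indefinitely; the per-session cap additionally stops a single session from taking the whole stock.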