Skip links

Skip to primary navigation
Skip to content
Skip to footer

Matrix
Phases
Tactics
Techniques
Kill Chains
Resources
Contribute

Home

>

Kill chains

>

Credential Stuffing Bot

Credential Stuffing Bot

A credential stuffing bot is used to test previously leaked credentials (typically username and password pairs) to determine if they are valid on a target webservice or API. These bots validate credential pairs against their target webservice or API by automating login attempts, allowing adversaries to test and validate credentials at mass scale.

Show Techniques

Hide Techniques

Resource Development 3 Tactics

Credential Acquisition

Data Dumps

Infrastructure Acquisition

Botnet
Command & Control
Proxies

Tool Development

Development of Tools
Campaign Reuse

Reconnaissance 1 Tactics

Specific Target

Technical Reconnaissance

Defence Bypass 4 Tactics

Mitigation Bypass

CAPTCHA Farm
Automated CAPTCHA Bypass
MFA Bypass

Human Emulation

User Agent Spoofing

Proxying

Botnet
User Agent Spoofing
IP Rotation

Smokescreening

Volumetric Traffic Disguise
Target Diversification

Attack Execution 1 Tactics

Account Takeover

Credential Stuffing

Actions on the Objective 1 Tactics

Exfiltration

Credential Dumping

Post-Attack 1 Tactics

Sale

Information Brokerage
Automated Sale
Manual Sale

Updated: June 19, 2025

Enter your search term...

© 2025 OWASP BLADE: Business Logic Attack Definition Framework.

GitHub

Cookie Policy

This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.