Here’s Why JavaScript-Based Bot Detection Doesn’t Work. Is Your Site Listed Here?

August 23, 2020

We’ve been working with a client who was getting hit with wave after wave of bot attacks that were easily bypassing their JavaScript-based bot detection tools. It seemed odd that they had such a wide array of attackers, so we started researching whether there were some new attack configs for sale that would target them.

Unlike in the past, when we’d have to make our way to some of the seedier sides of the web, a Google search yielded several online stores selling ‘guaranteed to work’ configs, courses, how-to guides, and even support.

Now, hacker tools have always existed. You just needed to know where to look. They are commercially available from a variety of marketplaces with hundreds of bots and configurations available to perform any sort of action needed. Do you need a bot to emulate human movement? Do you need a specialty bot to navigate a particular website or form? Do you need something to help you snag the latest sneakers? These marketplaces will have what you need to make your life as a hacker — or cybercriminal if that’s your leaning — as easy as can be.

You’ll find that the tools are readily available for purchase – pay, click, download — and they’re constantly updated with improvements to reflect the changes that are happening on the target sites, or the defenses that the sites are building in to block the bots.

One particularly malicious tool that we’ve been tracking is OpenBullet. It’s well known and is a feature-rich hacking toolkit – we see it used by bad actors mostly for Account Takeover attacks, credential stuffing or fake account creation. It’s customizable, has built-in Captcha and JavaScript bypass features, a well-maintained GitHub repo, and there’s even a community of builders and users who support each other in their efforts.

The builders are creating OpenBullet configurations for specific target sites – in fact, if you google OpenBullet and your business name, you may find that there are OpenBullet configs available to target you.

Why is OpenBullet so successful at defeating first-generation Bot Detection?

OpenBullet is successful because there is money to be made and it’s relatively easy to bypass existing protection mechanisms. First-generation bot detection tools address the automated attack problem by collecting signals from the client, which requires injecting JavaScript code into each of your web applications. That JavaScript is served in the web page, so attackers can easily analyze it to figure out how to bypass the mitigation. Alternatively, attackers target the APIs supporting the mobile or web app directly; these typically exchange XML/JSON and do not run JavaScript or an SDK at all.

[Image credit: openbullet.store]

Another problem is that first-generation bot mitigation solutions require instrumentation of every entry point for complete protection. Leaving even one entry point or API uninstrumented ensures that it will be quickly found and attacked. OpenBullet makes it easy to test endpoints in a methodical and streamlined fashion. And, don’t forget, attackers can find any number of tutorials on YouTube or on a marketplace that will teach them how to do it – and how to make the most of an attack.
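The two paragraphs above argue that signals gathered by injected JavaScript are simply absent when an attacker calls the login API directly. As an added example (not Cequence code and not from the original post), the following Python scores a login API's own server-side log for the pattern credential stuffing leaves behind: many attempts from one source in a short window, almost every attempt with a different username, and few successes. The log format, IPs and thresholds are constructed assumptions.

```python
"""Server-side credential-stuffing detection that needs no client-side JavaScript.

Added example; the log lines and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per POST to the login API,
# fields are "timestamp source_ip username http_status".
SAMPLE_LOG = """\
2020-08-23T10:00:00 203.0.113.7 alice 401
2020-08-23T10:00:01 203.0.113.7 bob 401
2020-08-23T10:00:01 203.0.113.7 carol 401
2020-08-23T10:00:02 203.0.113.7 dave 401
2020-08-23T10:00:02 203.0.113.7 erin 200
2020-08-23T10:00:03 203.0.113.7 frank 401
2020-08-23T10:03:00 198.51.100.4 alice 401
2020-08-23T10:03:20 198.51.100.4 alice 200
"""


def parse(log_text):
    """Turn the constructed log format into (timestamp, ip, user, status) tuples."""
    rows = []
    for line in log_text.splitlines():
        ts, ip, user, status = line.split()
        rows.append((datetime.fromisoformat(ts), ip, user, int(status)))
    return rows


def score_sources(rows, window_s=60, min_attempts=5,
                  min_distinct_ratio=0.8, max_success_rate=0.3):
    """Flag source IPs whose login pattern looks like credential stuffing.

    A source is flagged if, within any `window_s` seconds, it made at least
    `min_attempts` logins, nearly all for distinct usernames, with a low
    success rate. Every signal comes from the server's own request log.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, status in rows:
        by_ip[ip].append((ts, user, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this IP's attempts
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            win = events[start:end + 1]
            if len(win) < min_attempts:
                continue
            distinct = len({u for _, u, _ in win}) / len(win)
            success = sum(1 for _, _, s in win if s == 200) / len(win)
            if distinct >= min_distinct_ratio and success <= max_success_rate:
                flagged[ip] = {"attempts": len(win), "distinct_ratio": round(distinct, 2),
                               "success_rate": round(success, 2)}
                break  # one qualifying window is enough to flag the source
    return flagged
```

Because the verdict depends only on request-log fields, it applies equally to the web front end and to the JSON API behind the mobile app that never loads a script.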

The Cequence Application Security Platform was designed from the start to not be hindered by a reliance on JavaScript or SDKs for detection, protection, or mitigation. The CQAI engine continuously discovers new applications across all of your web, mobile and APIs allowing you to apply policies to prevent business logic abuse and API misuse.

[Image credit: crackingpro.com]

Check if your site is an OpenBullet target

With the prevalence of tools and bots targeting specific sites – and more coming available each day – we caution our clients to always be on the lookout for them. (Especially if you have a product or service that would be of interest to teens, young adults and hackers.) A simple Google search for OpenBullet together with your brand name will likely turn up a few hits. First, try the basic search; for more accurate results, use the allintext variation shown below.

  • YOURCOMPANY openbullet
  • allintext: “YOURCOMPANY openbullet”

Just be careful about where you click and what you download. If there are OpenBullet configs for your site and you’d like better visibility into the malicious bot traffic, contact us about setting up a free trial.

Another best practice is to get visibility into your API security posture, which is where a tool like API Sentinel can help. Just getting a catalog of all your exposed APIs and understanding which ones may have vulnerabilities is an important step towards protecting your data and IP from harm.

If you’d like to learn more about OpenBullet, check out this video:

About the Author

The CQ Prime Team

The CQ Prime Team
