Breaking Fraud and Bot Detection Solutions


OWASP Foundation via YouTube

Current video: Cloud Deployment (7 of 17)


Classroom Contents


  1. Intro
  2. Bot Detection
     - Defend against bots trying to automate abuse activities, e.g. testing credential dumps, scraping, etc.
     - Is this activity from a human or a bot?
  3. Fraud Detection
     - Defend against fraudulent activities, e.g. manual ATOs, credit card transactions, etc.
     - Look for anomalies in the activity of a given user, given past activity.
  4. Inline Deployment
  5. Attacker Goal
     - Conduct fraudulent activity
     - Automate abuse scripts without getting caught
  6. Threat Model
     - Attacker has full control over the browser
     - Attacker can craft requests and modify responses according to the responses from the server
  7. Cloud Deployment
  8. Browser Fingerprinting
  9. Anti-Tampering JavaScript Obfuscation
     - XOR-based packed code
     - Randomize location of JavaScript file to load
  10. Stripping Attack
  11. Replay Attacks
     - No check on freshness of payload.
  12. Dynamic JS Tokens
     - A dynamic token is generated, which is derived from the timestamp.
     - Same logic can be replicated in a script.
  13. Headless Browsers
     - Browser without a GUI, often used for automation and testing.
     - Either render full JS or run JS in a virtual DOM
  14. Underground Tool
     - Anti-Detect: $399 in the underground market
  15. Architecture
     - Recompile mobile app with SDK
     - JS - Native Code
  16. Android Fingerprinting
  17. Takeaways
     - Implementation and architectural issues in multiple deployments
     - Not possible to win the race on web, given no root-of-trust via browsers
     - State of the world in mobile is better
     - Getti…
