Explore the vulnerabilities in fraud and bot detection solutions in this 52-minute conference talk from APPSEC Cali 2018. Delve into browser fingerprinting and user behavior tracking techniques, understanding their implementation as JavaScript snippets in user browsers. Discover why these signals are unreliable and learn about potential attacks against defenses that rely on them. Witness demonstrations of proof-of-concept attacks as presented by Mayank Dhiman, Principal Security Researcher at Stealth Security. Gain insights into online fraud and internet abuse mitigation, with a focus on detecting and countering malicious automation attacks. Cover topics such as deployment models, attacker goals, fundamental issues in sensor data, browser fingerprinting techniques, and user behavior analysis. Understand the limitations of current anti-fraud measures and explore strategies to enhance security in web applications.
Overview
Syllabus
Introduction
Agenda
Define the problem
Deployment Model
Inline Deployment Model
Attacker Goal
Browser Control
Network Control
Fundamental Issues
Sensor
Browser Fingerprint
Browser Audio
Normal Browser Data
Browser Fingerprints
Device accelerometer
Antitamper
payload
no guarantees
headless browsers
stripping attack
inline device
replay attacks
dynamic fingerprint
dynamic random token
Browser fingerprinting
Fake browser fingerprints
Canvas fingerprinting
Safari source code
Anti detect
User behavior
Authentication flows
Finger Print
Taught by
OWASP Foundation
