1. Bots and your Cart
OWASP AppSecIL – October 2017
Amir Shaked, VP Research
2. © 2017 PerimeterX™
What are bots?
- Automated scripts and devices accessing services
- Make up ~50% of website visitors
- Responsible for legitimate automated transactions
3. © 2017 PerimeterX™
Automated Threats to Web Apps
• OAT-020 Account Aggregation
• OAT-019 Account Creation
• OAT-003 Ad Fraud
• OAT-009 CAPTCHA Defeat
• OAT-010 Card Cracking
• OAT-001 Carding
• OAT-012 Cashing Out
• OAT-007 Credential Cracking
• OAT-008 Credential Stuffing
• OAT-021 Denial of Inventory
• OAT-015 Denial of Service
• OAT-006 Expediting
• OAT-004 Fingerprinting
• OAT-018 Footprinting
• OAT-005 Scalping
• OAT-011 Scraping
• OAT-016 Skewing
• OAT-013 Sniping
• OAT-017 Spamming
• OAT-002 Token Cracking
• OAT-014 Vulnerability Scanning
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
4. © 2017 PerimeterX™
Bot evolution: bots are evolving rapidly
Gen 4 Bots - Infected Users: hijacked browsers, fake extensions
Gen 3 Bots - Headless Browsers: JavaScript, cookies, engine automation
Gen 2 Bots - Scripts + State: no JavaScript, cookies
Gen 1 Bots - Scripts: no JavaScript, no cookies
5. © 2017 PerimeterX™
The bot-cart relationship
- Who added the item to the cart?
- Are they going to buy?
- Who really gets the product?
- Who gets a commission?
6. © 2017 PerimeterX™
Scraping
- Growing business in low margin industries
- Highly distributed
- Anonymized scraping networks
- Can cause application-layer DDoS
8. © 2017 PerimeterX™
Scraping – Done Right
- Visit a product
- Add to cart
- Add a shipping address
- And won't buy
Price scraping can be up to 20% of cart traffic
11. © 2017 PerimeterX™
Bots are coming
1. Checking if the sale started
2. Sale begins, some humans manage to buy
3. Sale continues, no humans left
13. © 2017 PerimeterX™
Hoarding
- Isn't it fair game to buy low and sell high?
- Here come the hoarders
- Controlling item availability
- Denial of purchase
15. © 2017 PerimeterX™
Affiliate Fraud
1. Man-in-the-browser attack
2. Malware in a browser extension
3. Watches sites, gets the referral id, associates it with the user (overwrites another referral if present)
16. © 2017 PerimeterX™
Lifecycle of a malicious extension
1. Published in browser store
2. Downloaded by real user
3. Dormant waiting period
4. Gets fraud campaign instructions from C&C
5. Retrieves payload of target websites
6. Waits for user to access targeted site
7. Delays user from accessing the page
8. Executes background click and referral links
9. "Releases" user to load site, claiming attribution
19. © 2017 PerimeterX™
Finalizing the story
- Scrapers
  - Up-to-date price matching
  - Traffic burden
- Hoarding
  - Denial of product availability
- Scalping
  - Brand reputation
- Affiliate fraud
  - Faulty revenue sharing
22. © 2017 PerimeterX™
Monitor
▪ Log everything you can in a single place
▪ Track cart path usage for anomalies and spikes
▪ Add some fake products hidden off-canvas
  ▪ Hide them using client-side code, so a rendering browser never requests them
  ▪ If they are accessed, you are under attack
23. © 2017 PerimeterX™
HTTP Detection
▪ Anomalies and missing values in HTTP headers
▪ Track legitimate flow
▪ Missing XHRs
▪ Look up suspicious user-agents on GitHub/Twitter/Reddit (and not just Google), e.g. http://mstajbakhsh.github.io/Microbot/
▪ Don’t rely too much on IP reputation
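The Monitor and HTTP Detection slides list three log-side signals: hits on honeypot products, anomalies or missing values in HTTP headers, and cart paths walked without the XHRs a real browser session issues. The script below is an added example (not from the talk or PerimeterX) that scores constructed access-log records on exactly those signals; the paths, header names and XHR endpoint are assumptions for illustration.

```python
"""Added example (not part of the talk): score constructed access-log records
with the signals the Monitor and HTTP Detection slides list. Paths, header
names and the XHR endpoint are assumptions for illustration only."""
from collections import defaultdict

# Honeypot products: linked in the HTML but hidden by client-side code, so a
# rendering browser never requests them (constructed paths).
HONEYPOT_PATHS = {"/product/hp-0001", "/product/hp-0002"}
CART_PATHS = {"/cart/add", "/checkout/shipping"}
XHR_PATH = "/api/cart/state"   # assumed XHR fired by the page's JavaScript
REQUIRED_HEADERS = {"accept", "accept-language", "user-agent"}

BROWSER = {"accept": "text/html", "accept-language": "en-US", "user-agent": "Mozilla/5.0"}
SCRIPT = {"user-agent": "python-requests/2.18"}   # a Gen 1/2 style client

# Constructed sample log: (session_id, method, path, headers)
LOG = [
    ("s-human", "GET", "/product/shoe-42", BROWSER),
    ("s-human", "POST", "/cart/add", BROWSER),
    ("s-human", "GET", XHR_PATH, {**BROWSER, "x-requested-with": "XMLHttpRequest"}),
    ("s-scraper", "GET", "/product/shoe-42", SCRIPT),
    ("s-scraper", "POST", "/cart/add", SCRIPT),
    ("s-scraper", "POST", "/checkout/shipping", SCRIPT),
    ("s-crawler", "GET", "/product/hp-0001", BROWSER),
]


def analyze(records):
    """Return {session_id: [reasons]} for sessions that trip any signal."""
    findings = defaultdict(list)
    used_cart, used_xhr = set(), set()
    for sid, _method, path, headers in records:
        if path in HONEYPOT_PATHS:
            findings[sid].append("honeypot product accessed")
        missing = REQUIRED_HEADERS - {h.lower() for h in headers}
        if missing:
            findings[sid].append("missing headers: " + ", ".join(sorted(missing)))
        if path in CART_PATHS:
            used_cart.add(sid)
        if path == XHR_PATH:
            used_xhr.add(sid)
    # Cart paths walked without the XHR the page's JavaScript would issue
    for sid in used_cart - used_xhr:
        findings[sid].append("cart path used without the page's XHR")
    # Drop repeated reasons while keeping first-seen order
    return {sid: list(dict.fromkeys(reasons)) for sid, reasons in findings.items()}


if __name__ == "__main__":
    for sid, reasons in analyze(LOG).items():
        print(sid, "->", "; ".join(reasons))
```

The human session trips nothing, the scripted scraper trips both the header and missing-XHR checks, and the crawler is caught solely by the honeypot product.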
24. © 2017 PerimeterX™
JavaScript Detection
▪ Validate that the user is running JavaScript
▪ Device fingerprint (https://github.com/Valve/fingerprintjs2)