

Most anti-bot providers also include “dynamic” challenges to continually revalidate that the requests are being sent from within a browser. In order to effectively identify and stop sophisticated bot attacks, accurate real-time defensible client-side detection and server-side detection are both required - and need to work together to disrupt attackers.

Example data flow of a modern anti-bot provider: (1) Client-side scripts execute inside the browser, (2) The browser sends signal data to the telemetry endpoint of the bot mitigation solution, and (3) Server-side detection logic leverages telemetry and threat intelligence to determine whether the request is from a human or bot.

The truth is that there is no silver bullet when it comes to bot detection. These criticisms largely come from anti-bot vendors who only use server-side detection, arguing that JS client-side detection is the old way of identifying advanced persistent bots. There is a range of defence techniques required, including sophisticated obfuscation and dynamic detection logic. Modern defensible JavaScript inspection is designed to prevent bot operators from reverse engineering the detection logic. By using fake data, the bots are polluting the data sets used to differentiate between bots and humans. Once a bot understands the detection logic, it can send fake data to bypass the detection and successfully launch automated attacks and commit fraud. Successfully passing these tests generates a “human” token that provides access to the protected website.

First-generation anti-bot solutions have been criticized for their use of JavaScript code in client-side detection due to the bot operators’ ability to reverse engineer their detection logic. Such client-side data collection is designed to detect the trace elements of browser automation frameworks that are indicative of a bot.
This is because without client-side detection, you’ll need to build a profile of the request data before you can have confidence in your detection decision – it’s already too late.

Without JS in the browser to accurately and quickly collect telemetry, you’ll always be at a severe disadvantage.

Why is this so important? Client-side JS inspection exposes a different dimension of data that allows for detecting bots in real-time before a session is established. All serious bot mitigation providers inject JavaScript (JS) into the browser to capture data and send it back to detection logic for decisioning.
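The data flow described above (client-side telemetry, server-side decision, short-lived “human” token), sketched from the defender's side as an added example that is not from the original page or any vendor's product. The signal names, scoring threshold and token layout are assumptions, and the telemetry objects are constructed samples.

```javascript
// Added illustration: signal names, threshold and token layout are assumptions.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // server-side signing key, never sent to clients
const TOKEN_TTL_MS = 5 * 60 * 1000;    // short lifetime forces periodic revalidation

// Constructed sample telemetry, as a client-side script might post it (step 2).
const SAMPLE_HUMAN = { webdriver: false, languages: ['en-US'], pointerEvents: 12, keyEvents: 3 };
const SAMPLE_BOT = { webdriver: true, languages: [], pointerEvents: 0, keyEvents: 0 };

// Step 3: server-side scoring of the posted telemetry.
function scoreTelemetry(t) {
  let score = 0;
  if (t.webdriver === true) score += 2;                       // navigator.webdriver is set under automation
  if (!Array.isArray(t.languages) || t.languages.length === 0) score += 1;
  if (t.pointerEvents === 0 && t.keyEvents === 0) score += 1; // no user interaction observed
  return score;
}

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

function uaHash(ua) {
  return crypto.createHash('sha256').update(ua).digest('hex');
}

// Issue a "human" token bound to client IP and user agent; null means a bot verdict.
function issueToken(t, ip, ua, now = Date.now()) {
  if (scoreTelemetry(t) >= 2) return null;
  const payload = `${now + TOKEN_TTL_MS}|${ip}|${uaHash(ua)}`;
  return `${payload}|${sign(payload)}`;
}

// Check the token on every protected request: signature first, then expiry and binding.
function verifyToken(token, ip, ua, now = Date.now()) {
  if (typeof token !== 'string') return false;
  const idx = token.lastIndexOf('|');
  if (idx < 0) return false;
  const payload = token.slice(0, idx);
  const mac = Buffer.from(token.slice(idx + 1));
  const expected = Buffer.from(sign(payload));
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) return false;
  const [exp, boundIp, boundUa] = payload.split('|');
  return Number(exp) > now && boundIp === ip && boundUa === uaHash(ua);
}
```

Because telemetry can be faked, the token is only as trustworthy as the server-side decision behind it; the short expiry and the IP and user-agent binding limit how far one issued token can be reused.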
