Bots and your Cart
OWASP AppSecIL – October 2017
Amir Shaked, VP Research
© 2017 PerimeterX™
What are bots?
- Automated scripts and devices accessing services
- Make up ~50% of website visitors
- Also responsible for legitimate automated transactions
Automated Threats to Web Apps
•OAT-020 Account Aggregation
•OAT-019 Account Creation
•OAT-003 Ad Fraud
•OAT-009 CAPTCHA Defeat
•OAT-010 Card Cracking
•OAT-001 Carding
•OAT-012 Cashing Out
•OAT-007 Credential Cracking
•OAT-008 Credential Stuffing
•OAT-021 Denial of Inventory
•OAT-015 Denial of Service
•OAT-006 Expediting
•OAT-004 Fingerprinting
•OAT-018 Footprinting
•OAT-005 Scalping
•OAT-011 Scraping
•OAT-016 Skewing
•OAT-013 Sniping
•OAT-017 Spamming
•OAT-002 Token Cracking
•OAT-014 Vulnerability Scanning
https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
Bot evolution: bots are evolving rapidly
- Gen 1 Bots - Scripts: no JavaScript, no cookies
- Gen 2 Bots - Scripts + State: no JavaScript, cookies
- Gen 3 Bots - Headless Browsers: JavaScript, cookies, engine automation
- Gen 4 Bots - Infected Users: hijacked browsers, fake extensions
The bot-cart relationship
- Who added the item to the cart?
- Are they going to buy?
- Who really gets the product?
- Who gets a commission?
Scraping
- Growing business in low-margin industries
- Highly distributed
- Anonymized scraping networks
- Can cause application-layer DDoS
Scraping – Done Right
- Visit a product
- Add to cart
- Add a shipping address
- And never buy
Price scraping can be up to 20% of cart traffic
Limited Edition!
Scalping
- In demand tickets
- Limited availability items
- High demand items on release
Bots are coming
- Checking if the sale started
- Sale begins, some humans manage to buy
- Sale continues, no humans left
The legal battle
Hoarding
- Isn’t it fair game to buy and sell high?
- Here come the hoarders
- Controlling item availability
- Denial of purchase
Where did my inventory go?
(chart: visits to the page, add-to-cart attempts and item availability over time)
Affiliate Fraud
1. Man-in-the-browser attack
2. Malware in a browser extension
3. Watches sites, gets the referral id and associates it with the user (overwrites another referral if present)
Lifecycle of a malicious extension
1. Published in the browser store
2. Downloaded by a real user
3. Dormant waiting period
4. Gets fraud campaign instructions from the C&C
5. Retrieves the payload of target websites
6. Waits for the user to access a targeted site
7. Delays the user from accessing the page
8. Executes background clicks on referral links
9. “Releases” the user to load the site, claiming attribution
Malicious extension – part 1
https://CUSTOMER_WEBSITE/?SSAID=AFFILATE_ID
- 51K target domains
Malicious extension – part 2
- 60K target domains
- 17K in the Alexa top 1M
- “jquery.js”
Finalizing the story
- Scrapers
  - Up-to-date price matching
  - Traffic burden
- Hoarding
  - Denial of product availability
- Scalping
  - Brand reputation
- Affiliate fraud
  - Faulty revenue sharing
How To Fight Back
Captcha?
- Hurts conversion (~30%)
- Cheap to bypass (~$3 per 1,000 solves, ~60% success rate)
Monitor
▪ Log everything you can in a single place
▪ Track cart path usage for anomalies and spikes
▪ Add some fake off-canvas products
  ▪ Hide them using client-side code
  ▪ If they are accessed, you are under attack
HTTP Detection
▪ Anomalies and missing values in HTTP headers
▪ Track the legitimate flow: missing XHRs
▪ Look up suspicious user-agents on GitHub/Twitter/Reddit (and not just Google), e.g. http://mstajbakhsh.github.io/Microbot/
▪ Don’t rely too much on IP reputation
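An added example, not part of the original deck: the Monitor and HTTP Detection heuristics above applied to access-log records as one score per session. The JSON-lines log format, the constructed sample records, the paths (`/cart/add`, `/api/product/price`, honeypot SKU `hp-0001`), the scoring thresholds and the off-canvas markup are all assumptions made for this example; the `ip` field is carried in each record but deliberately not scored, per the last bullet.

```javascript
// Added example (not from the original deck). Applies the deck's monitoring and
// HTTP-detection heuristics to access-log records, one score per session.
// Paths, thresholds, log format and the honeypot SKU are assumptions.

const HONEYPOT_PATHS = new Set(['/product/hp-0001']); // never linked visibly, see honeypotMarkup()
const CART_ADD = '/cart/add';
const PRODUCT_XHR = '/api/product/price'; // XHR the product page fires whenever its JS runs
const CART_BURST = { windowMs: 60000, max: 5 };
const VERDICT = { block: 50, challenge: 20 };

// Honeypot product link: pushed off-canvas by client-side styling and hidden from
// assistive tech and well-behaved crawlers, so only a scraper walking every href hits it.
function honeypotMarkup() {
  return '<a href="/product/hp-0001" rel="nofollow" aria-hidden="true" tabindex="-1"' +
         ' style="position:absolute;left:-10000px">Limited edition</a>';
}

// Access log as JSON lines, one object per request (constructed sample below).
function parseLog(text) {
  return text.trim().split('\n').map(line => JSON.parse(line));
}

// Missing or generic headers that real browsers always send.
function headerAnomalies(r) {
  const h = r.headers || {};
  const out = [];
  if (!h['accept-language']) out.push('no Accept-Language');
  if (!h['accept'] || h['accept'] === '*/*') out.push('generic/missing Accept');
  if (!h['user-agent']) out.push('no User-Agent');
  else if (/python-requests|curl|go-http-client|scrapy|wget/i.test(h['user-agent'])) out.push('tool User-Agent');
  return out;
}

// True when more than CART_BURST.max add-to-cart requests fall inside one window.
function hasCartBurst(timestamps) {
  const ts = [...timestamps].sort((a, b) => a - b);
  let lo = 0;
  for (let hi = 0; hi < ts.length; hi++) {
    while (ts[hi] - ts[lo] > CART_BURST.windowMs) lo++;
    if (hi - lo + 1 > CART_BURST.max) return true;
  }
  return false;
}

function scoreSessions(records) {
  const bySession = new Map();
  for (const r of records) {
    if (!bySession.has(r.sid)) bySession.set(r.sid, []);
    bySession.get(r.sid).push(r);
  }
  const result = {};
  for (const [sid, reqs] of bySession) {
    const reasons = new Set();
    let score = 0;
    // 1. Honeypot access: nothing legitimate ever requests it, so it is decisive.
    if (reqs.some(r => HONEYPOT_PATHS.has(r.path))) { reasons.add('honeypot product accessed'); score += 100; }
    // 2. Header anomalies, each distinct reason counted once per session.
    for (const r of reqs) {
      for (const reason of headerAnomalies(r)) {
        if (!reasons.has(reason)) { reasons.add(reason); score += 10; }
      }
    }
    // 3. Flow check: a cart add without the XHR the product page always fires means
    //    the client skipped the page or never ran its JavaScript.
    const cartAdds = reqs.filter(r => r.path === CART_ADD);
    if (cartAdds.length && !reqs.some(r => r.path === PRODUCT_XHR)) { reasons.add('add-to-cart without product XHR'); score += 30; }
    // 4. Spike on the cart path.
    if (hasCartBurst(cartAdds.map(r => r.ts))) { reasons.add('cart-add burst'); score += 30; }
    // r.ip is available but not scored: shared NATs and proxy networks make it weak evidence.
    const verdict = score >= VERDICT.block ? 'block' : score >= VERDICT.challenge ? 'challenge' : 'allow';
    result[sid] = { score, reasons: [...reasons], verdict };
  }
  return result;
}

// Constructed sample log: one human, one scripted scraper, one crawler that walks every link.
const BROWSER = '"user-agent":"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/61.0.3163.100","accept-language":"en-US,en;q=0.9"';
const SCRIPT = '"user-agent":"python-requests/2.18.4","accept":"*/*"';
const scraperAdds = Array.from({ length: 6 }, (_, i) =>
  `{"ts":${2100 + i * 100},"sid":"scraper-7","ip":"198.51.100.5","method":"POST","path":"/cart/add","headers":{${SCRIPT}}}`
).join('\n');
const SAMPLE_LOG = `
{"ts":1000,"sid":"human-1","ip":"203.0.113.10","method":"GET","path":"/product/123","headers":{${BROWSER},"accept":"text/html,application/xhtml+xml"}}
{"ts":1400,"sid":"human-1","ip":"203.0.113.10","method":"GET","path":"/api/product/price","headers":{${BROWSER},"accept":"application/json","x-requested-with":"XMLHttpRequest"}}
{"ts":9000,"sid":"human-1","ip":"203.0.113.10","method":"POST","path":"/cart/add","headers":{${BROWSER},"accept":"application/json"}}
{"ts":2000,"sid":"scraper-7","ip":"198.51.100.5","method":"GET","path":"/product/123","headers":{${SCRIPT}}}
${scraperAdds}
{"ts":3000,"sid":"crawler-2","ip":"203.0.113.77","method":"GET","path":"/product/hp-0001","headers":{${BROWSER},"accept":"text/html,application/xhtml+xml"}}
`;

// Usage: scoreSessions(parseLog(SAMPLE_LOG)) -> { 'human-1': {...allow}, 'scraper-7': {...block}, 'crawler-2': {...block} }
```

The honeypot hit scores on its own, the header and flow signals only add up; a human session with a browser's normal headers, the product-page XHR and a single add-to-cart scores zero. Honeypot links also catch search-engine crawlers and accessibility tooling that ignore `rel="nofollow"` and `aria-hidden`, so keep the honeypot path out of sitemaps and disallowed in robots.txt before treating a hit as an attack.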
JavaScript Detection
▪ Validate that the user is running JavaScript
▪ Device fingerprint (https://github.com/Valve/fingerprintjs2)
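An added example, not from the deck: one way to implement the "validate that the user is running JavaScript" check on the cart path. The product page embeds a per-session nonce only inside an inline script; a client that executes the script posts a derived answer back and the session is marked verified, so Gen 1 and Gen 2 bots that only replay HTTP never pass. The endpoint names (`/js-check`, `/cart/add`), the in-memory session store, the TTL and the nonce transform are assumptions for this example.

```javascript
// Added example (not from the original deck): a JavaScript-execution check on the
// add-to-cart path. Endpoint names, the in-memory store and the nonce transform are
// assumptions made for the example.

const CHALLENGE_TTL_MS = 5 * 60 * 1000;
const sessions = new Map(); // sessionId -> { nonce, issuedAt, verified }

function randomNonce(fill) {
  const bytes = new Uint8Array(16);
  if (fill) fill(bytes);                                   // injectable so tests are deterministic
  else if (globalThis.crypto && globalThis.crypto.getRandomValues) globalThis.crypto.getRandomValues(bytes);
  else for (let i = 0; i < bytes.length; i++) bytes[i] = Math.floor(Math.random() * 256); // last-resort fallback, not for production
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// The transform is deliberately trivial: the point is forcing a JS round trip, not secrecy.
function expectedAnswer(nonce) {
  return nonce.split('').reverse().join('');
}

// GET /product/:id -> HTML. A fetcher that parses the page but never runs it earns no credit.
function renderProductPage(sessionId, productId, now = Date.now(), fill) {
  const nonce = randomNonce(fill);
  sessions.set(sessionId, { nonce, issuedAt: now, verified: false });
  return `<h1>Product ${productId}</h1>
<script>
  var n = '${nonce}';
  fetch('/js-check', { method: 'POST', credentials: 'same-origin',
    body: JSON.stringify({ answer: n.split('').reverse().join('') }) });
</script>`;
}

// POST /js-check with body { answer } -> true when the session is now verified.
function handleJsCheck(sessionId, answer, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || now - s.issuedAt > CHALLENGE_TTL_MS) return false; // unknown session or stale challenge
  if (answer !== expectedAnswer(s.nonce)) return false;
  s.verified = true;
  return true;
}

// POST /cart/add -> 'allow' | 'suspect' | 'challenge'
function checkCartRequest(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return 'challenge';        // no product page was ever served to this session
  if (!s.verified) return 'suspect'; // page fetched, script never ran: the Gen 1/2 signature
  return 'allow';
}
```

A Gen 3 headless browser executes the inline script and passes this check, and a Gen 2 script can regex the nonce out of the HTML and reverse it by hand once someone reads the page source; that is why the deck pairs this check with a device fingerprint and the HTTP-level signals rather than relying on it alone. Treat `suspect` as a score input, not a hard block, or a user with scripts disabled by a corporate proxy is locked out of the cart.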
Amir Shaked
amirshk@perimeterx.com
Interesting? We are hiring!
