
Bots and Carts - AppSec IL 2017


  1. Bots and your Cart. OWASP AppSecIL – October 2017. Amir Shaked, VP Research
  2. What are bots? (© 2017 PerimeterX™)
     - Automated scripts and devices accessing services
     - Make up ~50% of website visitors
     - Responsible for legitimate automated transactions
  3. Automated Threats to Web Apps
     - OAT-020 Account Aggregation
     - OAT-019 Account Creation
     - OAT-003 Ad Fraud
     - OAT-009 CAPTCHA Defeat
     - OAT-010 Card Cracking
     - OAT-001 Carding
     - OAT-012 Cashing Out
     - OAT-007 Credential Cracking
     - OAT-008 Credential Stuffing
     - OAT-021 Denial of Inventory
     - OAT-015 Denial of Service
     - OAT-006 Expediting
     - OAT-004 Fingerprinting
     - OAT-018 Footprinting
     - OAT-005 Scalping
     - OAT-011 Scraping
     - OAT-016 Skewing
     - OAT-013 Sniping
     - OAT-017 Spamming
     - OAT-002 Token Cracking
     - OAT-014 Vulnerability Scanning
     - https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
  4. Bot evolution: bots are evolving rapidly
     - Gen 1 Bots – Scripts: no JavaScript, no cookies
     - Gen 2 Bots – Scripts + State: no JavaScript, cookies
     - Gen 3 Bots – Headless Browsers: JavaScript, cookies, engine automation
     - Gen 4 Bots – Infected Users: hijacked browsers, fake extensions
  5. The bot-cart relationship
     - Who added the item to the cart?
     - Are they going to buy?
     - Who really gets the product?
     - Who gets a commission?
  6. Scraping
     - Growing business in low-margin industries
     - Highly distributed
     - Anonymized scraping networks
     - Can cause application DDoS
  7. Scraping – Done Right
     - Visit a product
  8. Scraping – Done Right
     - Visit a product
     - Add to cart
     - Add a shipping address
     - And won’t buy
     - Price scraping can be up to 20% of cart traffic
  9. Limited Edition!
  10. Scalping
      - In-demand tickets
      - Limited-availability items
      - High-demand items on release
  11. Bots are coming
      - Checking if the sale started
      - Sale begins, some humans manage to buy
      - Sale continues, no humans left
  12. The legal battle
  13. Hoarding
      - Isn’t it fair game to buy and sell high?
      - Here come the hoarders
      - Controlling item availability
      - Denial of purchase
  14. Where did my inventory go? (chart series: visiting the page, add-to-cart attempts, item available)
  15. Affiliate Fraud
      1. Man-in-the-browser attack
      2. Malware in browser extension
      3. Watches sites, gets referral id, associates with user (overwrites other referral if present)
  16. Lifecycle of a malicious extension
      - Published in browser store
      - Downloaded by real user
      - Dormant waiting period
      - Gets fraud campaign instructions from C&C
      - Retrieves payload of target websites
      - Waits for user to access targeted site
      - Delays user from accessing the page
      - Executes background click and referral links
      - “Releases” user to load site, claiming attribution
  17. Malicious extension – part 1
      - https://CUSTOMER_WEBSITE/?SSAID=AFFILATE_ID
      - 51K target domains
  18. Malicious extension – part 2
      - 60K target domains
      - 17K in Alexa top 1M
      - “jquery.js”
  19. Finalizing the story
      - Scrapers: up-to-date price matching, traffic burden
      - Hoarding: denial of product availability
      - Scalping: brand reputation
      - Affiliate fraud: faulty revenue sharing
  20. How To Fight Back
  21. Captcha?
      - Hurts conversion (~30%)
      - Cheap to bypass (~$3 for 1000 solves, 60% success rate)
  22. Monitor
      - Log everything you can in a single place
      - Track cart path usage for anomalies and spikes
      - Add some fake out-of-canvas products
      - Hide them using client-side code
      - If they are accessed, you are under attack
  23. HTTP Detection
      - Anomalies and missing values in HTTP headers
      - Track the legitimate flow
      - Missing XHRs
      - Look up suspicious user-agents on GitHub/Twitter/Reddit (and not just Google), e.g. http://mstajbakhsh.github.io/Microbot/
      - Don’t rely too much on IP reputation
  24. JavaScript Detection
      - Validate that the user is running JavaScript
      - Device fingerprint (https://github.com/Valve/fingerprintjs2)
  25. Amir Shaked, amirshk@perimeterx.com. Interesting? We are hiring!
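The monitoring and HTTP-level checks from slides 22 and 23 (honeypot products hidden client-side, missing header values, cart paths used without the page's XHR, add-to-cart spikes) applied to log records, as an added Python example that is not from the talk or PerimeterX. The shop layout, path names, header set and burst threshold are assumptions about a hypothetical site, and the log lines are constructed.

```python
"""Cart-flow bot triage over access-log records (added example, not the talk's code)."""
from collections import defaultdict

# Constructed sample log: (session, method, path, lowercased header names seen).
# Assumed hypothetical shop: /product/<id> pages, an /api/cart/preview XHR fired by the
# page's own JavaScript before /cart/add, and hidden /product/hp-* honeypot items (slide 22).
LOG = [
    # s1: human-looking flow: product page, page XHR, then add to cart
    ("s1", "GET", "/product/123", {"accept", "accept-language", "user-agent", "cookie"}),
    ("s1", "GET", "/api/cart/preview", {"accept", "accept-language", "user-agent", "cookie"}),
    ("s1", "POST", "/cart/add?item=123", {"accept", "accept-language", "user-agent", "cookie"}),
    # s2: requests a honeypot product no browser user can see
    ("s2", "GET", "/product/hp-0001", {"accept", "user-agent"}),
    # s3: scripted add-to-cart burst, no page view, no XHR, no Accept-Language
    ("s3", "POST", "/cart/add?item=555", {"accept", "user-agent"}),
    ("s3", "POST", "/cart/add?item=555", {"accept", "user-agent"}),
    ("s3", "POST", "/cart/add?item=555", {"accept", "user-agent"}),
]

HONEYPOT_PREFIX = "/product/hp-"  # assumed naming for the fake products
REQUIRED_HEADERS = {"accept", "accept-language", "user-agent"}
PAGE_XHR = "/api/cart/preview"    # XHR every real page load issues
ADD_BURST = 3                     # add-to-cart attempts per session treated as a spike


def analyze(log):
    """Return {session: [reasons]} for sessions tripping any monitor/HTTP rule."""
    by_session = defaultdict(list)
    for sess, method, path, headers in log:
        by_session[sess].append((method, path, headers))
    flagged = defaultdict(list)
    for sess, reqs in by_session.items():
        paths = [p for _, p, _ in reqs]
        adds = [p for m, p, _ in reqs if m == "POST" and p.startswith("/cart/add")]
        if any(p.startswith(HONEYPOT_PREFIX) for p in paths):
            flagged[sess].append("honeypot product accessed")
        missing = set().union(*(REQUIRED_HEADERS - h for _, _, h in reqs))
        if missing:
            flagged[sess].append("missing headers: " + ", ".join(sorted(missing)))
        if adds and PAGE_XHR not in paths:  # cart path used outside the legitimate flow
            flagged[sess].append("add-to-cart without page XHR")
        if len(adds) >= ADD_BURST:
            flagged[sess].append(f"{len(adds)} add-to-cart attempts")
    return dict(flagged)


if __name__ == "__main__":
    for sess, reasons in analyze(LOG).items():
        print(sess, "->", "; ".join(reasons))
```

Sessions that only trip the header rule deserve a second look rather than an automatic block, since proxies and some legitimate clients also drop headers.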
