Bots and Carts - OWASP Brooklyn meetup mashup

  1. Bots and Carts
  2. About Me
     Amir Shaked, VP Research, @amirshaked, amirshk@perimeterx.com
  3. What are bots?
     - Automated scripts and devices accessing services
     - Make up ~50% of website visitors
     - Responsible for legitimate automated transactions
  4. Automated threats to web apps
     - OAT-020 Account Aggregation
     - OAT-019 Account Creation
     - OAT-003 Ad Fraud
     - OAT-009 CAPTCHA Defeat
     - OAT-010 Card Cracking
     - OAT-001 Carding
     - OAT-012 Cashing Out
     - OAT-007 Credential Cracking
     - OAT-008 Credential Stuffing
     - OAT-021 Denial of Inventory
     - OAT-015 Denial of Service
     - OAT-006 Expediting
     - OAT-004 Fingerprinting
     - OAT-018 Footprinting
     - OAT-005 Scalping
     - OAT-011 Scraping
     - OAT-016 Skewing
     - OAT-013 Sniping
     - OAT-017 Spamming
     - OAT-002 Token Cracking
     - OAT-014 Vulnerability Scanning
     https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications
  5. Bot evolution
     - Gen 1 Bots: scripts. No JavaScript, no cookies.
     - Gen 2 Bots: scripts + state. No JavaScript, but cookies.
     - Gen 3 Bots: headless browsers. JavaScript, cookies, engine automation.
     - Gen 4 Bots: infected users. Hijacked browsers, fake extensions.
  6. The bot-cart relationship
     - Who added the item to the cart?
     - Are they going to buy?
     - Who really gets the product?
     - Who gets a commission?
  7. Scraping
     - Growing business in low-margin industries
     - Highly distributed
     - Targeted: visit a product, add to cart, add a shipping address, and won't buy
  8. Scalping
     - In-demand tickets
     - Limited-availability items
     - High-demand items on release
  9. Bots are coming (timeline of a release sale)
     - Checking if the sale started
     - Sale begins, some humans manage to buy
     - Sale continues, no humans left
  10. Hoarding
     - Isn't it fair game to buy low and sell high?
     - Here come the hoarders
     - Controlling item availability
     - Denial of purchase
  11. Where did my inventory go?
     (chart series: visiting the page, add-to-cart attempts, item available)
  12. Man-in-the-browser attack
     1. Malware in a browser extension
     2. Watches sites, gets the referral ID, associates it with the user (overwrites another referral if present)
     3. Affiliate fraud
  13. Malicious extension
     https://CUSTOMER_WEBSITE/?SSAID=AFFILATE_ID
     51K target domains
  14. Captcha?
     - Hurts conversion (~30%)
     - Cheap to bypass (~$3 per 1,000 solves, ~60% success rate)
  15. Fight back
     - Monitor
     - HTTP detection
     - JavaScript detection
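The "Monitor" and "HTTP detection" items above, applied to the two cart patterns the deck describes (slide 7: visit product, add to cart, add shipping address, never buy; slides 10-11: a burst of add-to-cart attempts that drains inventory with almost no purchases). This is an added example, not code from the talk or from PerimeterX; the log format, the endpoint paths (`/cart/add`, `/checkout/shipping`, `/checkout/purchase`) and the thresholds are assumptions, and the log lines are constructed.

```javascript
// Added example (not from the talk): HTTP-level detection of two cart abuse
// patterns over a constructed request log.
//   1. Scraping funnel: a session views a product, adds to cart, enters a
//      shipping address and never purchases (slide 7).
//   2. Hoarding / denial of inventory: add-to-cart attempts for one SKU arrive
//      in a burst and almost none turn into purchases (slides 10-11).
// Log format, endpoint paths and thresholds are assumptions for this example.

// Constructed sample log, one request per line: "<unix ts> <ip> <session> <method> <path>"
const SAMPLE_LOG = `
1700000000 10.0.0.1 s1 GET /product/sku-42
1700000005 10.0.0.1 s1 POST /cart/add?sku=sku-42
1700000009 10.0.0.1 s1 POST /checkout/shipping
1700000020 10.0.0.2 s2 GET /product/sku-42
1700000022 10.0.0.2 s2 POST /cart/add?sku=sku-42
1700000030 10.0.0.2 s2 POST /checkout/shipping
1700000040 10.0.0.2 s2 POST /checkout/purchase
1700000100 10.0.1.3 s3 POST /cart/add?sku=sku-7
1700000101 10.0.2.4 s4 POST /cart/add?sku=sku-7
1700000101 10.0.3.5 s5 POST /cart/add?sku=sku-7
1700000102 10.0.4.6 s6 POST /cart/add?sku=sku-7
1700000103 10.0.5.7 s7 POST /cart/add?sku=sku-7
1700000104 10.0.6.8 s8 POST /cart/add?sku=sku-7
1700000200 10.0.7.9 s9 GET /product/sku-7
1700000260 10.0.7.9 s9 POST /cart/add?sku=sku-7
1700000300 10.0.7.9 s9 POST /checkout/shipping
1700000320 10.0.7.9 s9 POST /checkout/purchase
`;

// Parse the log into request events; the query string is kept for the SKU.
function parseLog(text) {
  return text.trim().split('\n').filter(Boolean).map((line) => {
    const [ts, ip, session, method, url] = line.trim().split(/\s+/);
    const [path, query = ''] = url.split('?');
    return { ts: Number(ts), ip, session, method, path, query: new URLSearchParams(query) };
  });
}

// Per-session funnel state: which of cart -> shipping -> purchase was reached.
function sessionFunnels(events) {
  const funnels = new Map();
  for (const e of events) {
    if (!funnels.has(e.session)) {
      funnels.set(e.session, { ip: e.ip, added: new Set(), shipping: false, purchased: false });
    }
    const f = funnels.get(e.session);
    if (e.method !== 'POST') continue;
    if (e.path === '/cart/add') f.added.add(e.query.get('sku'));
    else if (e.path === '/checkout/shipping') f.shipping = true;
    else if (e.path === '/checkout/purchase') f.purchased = true;
  }
  return funnels;
}

// Scraping pattern: item in cart and shipping address entered, but no purchase.
function flagScrapingSessions(funnels) {
  return [...funnels]
    .filter(([, f]) => f.added.size > 0 && f.shipping && !f.purchased)
    .map(([session]) => session);
}

// Hoarding pattern: at least minAttempts add-to-cart calls for one SKU inside
// windowSec, and the share of those that end in a purchase is at most maxPurchaseRatio.
function flagHoardedSkus(events, funnels, { windowSec = 60, minAttempts = 5, maxPurchaseRatio = 0.2 } = {}) {
  const attempts = new Map(); // sku -> timestamps of add-to-cart attempts
  for (const e of events) {
    if (e.method === 'POST' && e.path === '/cart/add') {
      const sku = e.query.get('sku');
      if (!attempts.has(sku)) attempts.set(sku, []);
      attempts.get(sku).push(e.ts);
    }
  }
  const purchases = new Map(); // sku -> number of purchasing sessions that had it in the cart
  for (const f of funnels.values()) {
    if (!f.purchased) continue;
    for (const sku of f.added) purchases.set(sku, (purchases.get(sku) || 0) + 1);
  }
  const flagged = [];
  for (const [sku, times] of attempts) {
    times.sort((a, b) => a - b);
    let burst = false;
    for (let i = 0; i + minAttempts - 1 < times.length; i++) {
      if (times[i + minAttempts - 1] - times[i] <= windowSec) { burst = true; break; }
    }
    const ratio = (purchases.get(sku) || 0) / times.length;
    if (burst && ratio <= maxPurchaseRatio) flagged.push({ sku, attempts: times.length, ratio });
  }
  return flagged;
}

function analyze(text = SAMPLE_LOG) {
  const events = parseLog(text);
  const funnels = sessionFunnels(events);
  return { scrapingSessions: flagScrapingSessions(funnels), hoardedSkus: flagHoardedSkus(events, funnels) };
}

console.log(JSON.stringify(analyze(), null, 2));
```

On the constructed log, session s1 is flagged for the scraping funnel and sku-7 is flagged for hoarding (seven add-to-cart attempts, six of them within four seconds from six different IPs, one purchase). The per-SKU aggregation is deliberate: the deck stresses that this traffic is highly distributed, so counting per IP would show one attempt each and miss the burst.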
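The "JavaScript detection" item above, for the Gen 3 bots of slide 5 (headless browsers that do run JavaScript and keep cookies). This is an added example, not code from the talk or from PerimeterX. The signal weights, the threshold and the two constructed `navigator`-like objects are assumptions; in a page you would call `scoreBotSignals(window.navigator, window)` and send the result to the server.

```javascript
// Added example (not from the talk): client-side signals that a page is being
// driven by a headless or automated browser (Gen 3). Each check is a weak
// signal on its own; the score is meant to be reported to the server and
// combined with HTTP-level evidence, not used alone as a block decision.
// Weights, threshold and sample objects are assumptions for this example.

const SIGNALS = [
  // WebDriver spec: navigator.webdriver is true while the browser is under automation.
  { name: 'webdriver', weight: 3, test: (nav) => nav.webdriver === true },
  // Headless Chrome identifies itself in the user agent unless the operator overrides it.
  { name: 'headless-ua', weight: 3, test: (nav) => /HeadlessChrome/.test(nav.userAgent || '') },
  // Real browsers report at least one preferred language; some automation setups report none.
  { name: 'no-languages', weight: 2, test: (nav) => !nav.languages || nav.languages.length === 0 },
  // Desktop browsers normally expose a plugins list; older headless builds exposed an empty one.
  { name: 'no-plugins', weight: 1, test: (nav) => !nav.plugins || nav.plugins.length === 0 },
  // A missing or zero-sized viewport is typical of scripted environments.
  { name: 'no-viewport', weight: 1, test: (nav, win) => !win || !(win.innerWidth > 0 && win.innerHeight > 0) },
];

// Evaluate every signal and sum the weights of those that fire.
function scoreBotSignals(nav, win, threshold = 3) {
  const fired = SIGNALS.filter((s) => s.test(nav, win));
  const score = fired.reduce((sum, s) => sum + s.weight, 0);
  return { score, hits: fired.map((s) => s.name), suspicious: score >= threshold };
}

// Constructed stand-ins for window.navigator / window so the example runs outside a browser.
const HUMAN_LIKE = {
  nav: { webdriver: false, userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0.0.0',
         languages: ['en-US', 'en'], plugins: [{ name: 'PDF Viewer' }] },
  win: { innerWidth: 1280, innerHeight: 800 },
};
const HEADLESS_LIKE = {
  nav: { webdriver: true, userAgent: 'Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/118.0.0.0',
         languages: [], plugins: [] },
  win: { innerWidth: 800, innerHeight: 600 },
};

console.log('human-like  :', JSON.stringify(scoreBotSignals(HUMAN_LIKE.nav, HUMAN_LIKE.win)));
console.log('headless-like:', JSON.stringify(scoreBotSignals(HEADLESS_LIKE.nav, HEADLESS_LIKE.win)));
```

The caveat the deck's own evolution slide implies: none of these signals fire for Gen 4 bots, which are real users' browsers hijacked by malware or a fake extension, so client-side checks have to be paired with the server-side behavioural monitoring the talk lists first.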