How Attackers Use Request Bots to Bypass Legacy Bot Mitigation Solutions
Request bots are a common means of bypassing legacy bot mitigation solutions. They exploit bot mitigation architectures with poorly obfuscated client-side JavaScript by applying automated scripts that replay legitimate requests against static detection scripts.
1. Reverse Engineer Client Script
Attackers reverse engineer client-side JavaScript code used by bot mitigation providers to collect telemetry. Bypass methods are shared within communities including GitHub and Discord groups.
2. Generate Request Bot
Using what was learned from reverse engineering, the bot operator builds a request bot from non-browser scripts that submits telemetry to the bot mitigation provider. The bot replays seemingly legitimate data to the anti-bot system and tricks it into validating the request as human.
3. Dynamic Challenge
Some bot mitigation providers also apply “dynamic” challenges to continually revalidate that the requests are being sent from within a browser. For example, a commonly used dynamic challenge is to monitor mouse clicks, movements, and screen interactions.
4. Challenge Bypass
A bot operator generates or buys gesture data. This can be easily accomplished using a self-generating randomized human activity script, recording legitimate activity, or by paying for a subscription. They submit the activity data via their request bot.
5. Residential Proxy Networks
Residential proxy networks allow bot operators to randomize where their request bot submits data from, and to fly beneath the radar of detection methods that rely on known bad IP addresses and user agents.
6. Outcome
Adversaries monetize attacks and/or extract valuable data before most businesses are aware their bot mitigation solution has been bypassed.
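From the defender's side, steps 4 and 5 suggest a server-side check that does not depend on IP reputation: recorded gesture data that is replayed will repeat across sessions even when every request arrives from a different residential address. The following is an added example, not code from the original page or from any bot mitigation product; the submission fields (session, ip, trace) and the sample data are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample submissions (not real traffic). Each carries a session id,
# a client IP, and a pointer trace of (x, y, t_ms) points. The field names are
# assumptions for this example, not any vendor's telemetry format.
SUBMISSIONS = [
    {"session": "s1", "ip": "198.51.100.10",
     "trace": [(10, 10, 0), (14, 12, 16), (21, 15, 33), (30, 19, 52)]},
    {"session": "s2", "ip": "203.0.113.77",  # same recording, shifted in x/y and start time
     "trace": [(110, 60, 500), (114, 62, 516), (121, 65, 533), (130, 69, 552)]},
    {"session": "s3", "ip": "192.0.2.45",    # byte-for-byte copy of s1
     "trace": [(10, 10, 0), (14, 12, 16), (21, 15, 33), (30, 19, 52)]},
    {"session": "s4", "ip": "198.51.100.23",  # unrelated trace
     "trace": [(5, 40, 0), (9, 47, 18), (12, 58, 31), (13, 70, 49)]},
]


def trace_fingerprint(trace):
    """Hash per-step deltas so a copy shifted in position or start time still matches."""
    deltas = [
        (x1 - x0, y1 - y0, t1 - t0)
        for (x0, y0, t0), (x1, y1, t1) in zip(trace, trace[1:])
    ]
    return hashlib.sha256(repr(deltas).encode()).hexdigest()


def find_replayed_traces(submissions, min_sessions=2):
    """Return {fingerprint: {"sessions": [...], "ips": [...]}} for reused traces."""
    seen = defaultdict(list)
    for sub in submissions:
        if len(sub["trace"]) < 2:
            continue  # too short to fingerprint meaningfully
        seen[trace_fingerprint(sub["trace"])].append(sub)
    replayed = {}
    for fp, subs in seen.items():
        sessions = sorted({s["session"] for s in subs})
        if len(sessions) >= min_sessions:
            # The IP list shows why IP-based blocking alone would miss the reuse.
            replayed[fp] = {"sessions": sessions,
                            "ips": sorted({s["ip"] for s in subs})}
    return replayed


if __name__ == "__main__":
    for fp, hit in find_replayed_traces(SUBMISSIONS).items():
        print(fp[:12], hit["sessions"], hit["ips"])
```

Exact-match fingerprinting catches recorded activity that is replayed; gesture data produced by a randomizing script will not repeat exactly and needs statistical checks instead.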