Bot Attacks Beware: The Power of Radware’s Bad Bot Vulnerability Scanner


What is the Bot Vulnerability Scanner?

Radware’s Bad Bot Vulnerability Scanner (BVS) is a free service that evaluates how well a website stands up to automated traffic by replaying a range of bot attack vectors against it with custom scripts. Much like a DAST tool used in penetration testing, the BVS actively tries to get bot traffic past the site's defenses and reports which techniques succeeded, what bad bot traffic the site is exposed to, and the potential impact on the business.

The BVS requires no integration on the website, which makes it a convenient way to assess the security posture of a web application. By executing custom scripts, the scanner identifies which generations of bots the site can and cannot stop, so that site owners understand how their defenses behave under a bot attack and can take proactive steps to close the gaps and protect digital assets from malicious bot activity.

What it takes to run the Bot Vulnerability Scanner

To initiate the Bot Vulnerability Scanner, all we require is the customer’s URL and their consent to conduct a live attack on their site; the attack itself is not intensive. Typically we perform around 100 to 150 attacks as part of the scanning process, and the entire procedure completes within 4-5 hours depending on the complexity of the site. The aim is a thorough assessment of the weaknesses in the customer’s web application with minimal disruption to their operations.

The Bot Vulnerability Scanner was conceived to address a recurring obstacle: to analyze a site's exposure, customers first had to collect and hand over access logs. With this tool there is no waiting period and no dependency on external stakeholders; any authorized stakeholder can confirm consent and proceed with the scan.

Explore the Scanner Outcome in Detail

Bot Vulnerability Scanner – Summary Analysis

Scanner Summary

The Bot Vulnerability Scanner report summarizes the total number of attacks conducted against a given URL and how many of them bypassed its defenses. The scan covers bot generations from Gen-1 to Gen-4 and analyzes the specific use cases present on the website. The report highlights the most common attack types encountered, such as content scraping, account takeover, and form spam.

Generation Based Attack

Gen 1 Bot

First-generation bots are simple in design and limited in capability. They are typically built with basic scripting tools and interact with websites through cURL-like HTTP requests, usually from a small number of IP addresses, often just one or two. They cannot store cookies or execute JavaScript, so they lack most of the capabilities of a genuine web browser. Their primary purpose is basic tasks such as retrieving web page content or extracting specific information from it.

During the attack on the targeted URL, we conducted approximately 150 Gen-1 bot requests using cURL, wget, and Scrapy. The Bot Vulnerability Scanner engine rotated through three different User-Agents and three distinct IP addresses sourced from separate data centers. Every one of these requests was served without being blocked, which the report rates as a high-risk vulnerability: if the most primitive tools get through, the same gap is available to any malicious actor.

Gen 2 Bot

Headless browsers such as PhantomJS and Chrome or Firefox in headless mode are popular with botmasters because they run without a GUI while still executing JavaScript and managing cookies. That lets a bot pass a website's JavaScript challenges and mimic human behavior far more convincingly than a Gen-1 script. Headless browsers are legitimate tools for automated testing, web development, and data collection, since they allow programmable interaction with a page without a visible window, but the same properties make them attractive for abuse. (PhantomJS is no longer maintained, yet it still turns up in bot toolkits.)

During the Gen-2 testing phase we initiated approximately 150 requests using PhantomJS, Puppeteer, and Selenium; they were processed and completed within a span of 10 minutes. All 150 requests bypassed the site's defenses, and the finding was classified as a high-risk vulnerability: the existing defense mechanisms were unable to detect or mitigate traffic from these tools.
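To make concrete why a cookie-plus-JavaScript challenge separates Gen-1 from Gen-2 traffic, here is an added example written for this page (not Radware's or the scanner's code) of a minimal challenge gate and two simulated clients. The cookie name, the `X-Chal-Answer` header, the key handling and the sha256-of-nonce "proof" are assumptions for illustration; a production challenge serves a real script to the browser. The point the simulation shows is that a cookie-less, script-less Gen-1 client never reaches the content, while anything that keeps cookies and runs the page script walks straight through.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumed per-deployment secret; rotate per policy
COOKIE_NAME = "bv_chal"                # assumed cookie name
TTL_SECONDS = 300                      # a challenge token is good for five minutes


def _mac(client_ip, nonce, ts):
    """Bind the token to the requesting IP and issue time so it cannot be replayed elsewhere."""
    msg = f"{client_ip}|{nonce}|{ts}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def answer_for(token):
    """What the challenge page's JavaScript computes before retrying: a hash of the nonce.
    Any client that executes JS (Gen-2 and later) can produce it; a cURL-style client cannot."""
    nonce = token.split(".")[0]
    return hashlib.sha256(nonce.encode()).hexdigest()


def _valid_token(client_ip, token, now):
    """Return the nonce if the cookie is well-formed, unexpired and bound to this IP."""
    try:
        nonce, ts, mac = token.split(".")
        age = now - int(ts)
    except ValueError:
        return None
    if 0 <= age <= TTL_SECONDS and hmac.compare_digest(mac, _mac(client_ip, nonce, ts)):
        return nonce
    return None


def handle_request(client_ip, cookies, headers, now=None):
    """Edge logic for one request. Returns ("content", None) when the client presents a
    valid challenge cookie together with the JS-computed answer, otherwise
    ("challenge", set_cookie_value) to serve the challenge page and set a fresh token."""
    now = int(time.time() if now is None else now)
    nonce = _valid_token(client_ip, cookies.get(COOKIE_NAME, ""), now)
    if nonce is not None:
        expected = hashlib.sha256(nonce.encode()).hexdigest()
        if hmac.compare_digest(headers.get("X-Chal-Answer", ""), expected):
            return "content", None
    nonce, ts = secrets.token_hex(8), str(now)
    return "challenge", f"{nonce}.{ts}.{_mac(client_ip, nonce, ts)}"


def gen1_client(client_ip, attempts=3):
    """cURL/wget-style client: no cookie jar, no script engine. Every attempt lands on
    the challenge page, so it never reaches the content."""
    return [handle_request(client_ip, {}, {})[0] for _ in range(attempts)]


def gen2_client(client_ip):
    """Headless-browser-style client: stores the Set-Cookie value and runs the page script,
    so its second request passes. This is exactly why the gate stops Gen-1 only."""
    jar, headers = {}, {}
    outcome, set_cookie = handle_request(client_ip, jar, headers)
    if outcome == "challenge":
        jar[COOKIE_NAME] = set_cookie
        headers["X-Chal-Answer"] = answer_for(set_cookie)
        outcome, _ = handle_request(client_ip, jar, headers)
    return outcome


if __name__ == "__main__":
    print("Gen-1 client:", gen1_client("203.0.113.10"))   # ['challenge', 'challenge', 'challenge']
    print("Gen-2 client:", gen2_client("192.0.2.21"))     # content
```

Binding the token to the source IP and a short TTL keeps a harvested cookie from being replayed from another host, but note what the gate does not do: it cannot tell a headless browser from a real one, which is why the Gen-2 phase above bypassed the site entirely and why later generations need behavioral signals rather than a capability check.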

Gen 3 Bot

Third-generation bots run inside full-fledged browsers on machines hijacked by malware, and they use the distributed IP addresses of those machines to launch volumetric attacks. Their behavior, however, may lack true randomness and fail to replicate natural human patterns convincingly.

The attack trend shows that within a 15-minute timeframe approximately 150 requests were generated from around 15 distinct IP addresses spread across three subnets. All of these IP addresses, however, carried the fingerprint of the same automation or developer tool.

The approach attempts to deceive the system by creating the impression of many different sources: requests come from different addresses within the same subnets, staggered over time. This tactic adds complexity and is aimed at bypassing security measures that rely on IP reputation or on blocking individual addresses.

This highlights the need for security measures that go beyond simple IP-based filtering. Behavior-based analysis, anomaly detection, and user profiling improve the ability to detect and mitigate such attacks, since the shared tool fingerprint and the timing pattern remain visible even when the addresses change.
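The Gen-1 and Gen-3 findings above both come down to patterns that are visible in an ordinary access log: tool User-Agents and clients that never return a cookie on the one hand, and many IPs inside the same /24 presenting one identical User-Agent within a short window on the other. The following added example, written for this page and not taken from the scanner or from Radware, runs those two checks (plus a headless-token check for Gen-2) over a constructed log that mirrors the report's numbers: 150 requests from 15 IPs in three subnets over 15 minutes. The log layout, the tool and headless User-Agent lists, the cookie heuristic and the thresholds are all assumptions to adapt to your own environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format with one extra quoted field for the Cookie header (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Tool User-Agents from the Gen-1 section plus two common equivalents (assumed list, extend as needed).
TOOL_UA = re.compile(r"^(curl|wget|scrapy|python-requests|go-http-client)[/ ]", re.I)
# Headless Chrome and PhantomJS announce themselves unless the operator overrides the UA string.
HEADLESS_UA = re.compile(r"HeadlessChrome|PhantomJS", re.I)
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def gen1_ips(records):
    """Gen-1 signature: a tool User-Agent, or two or more requests that never present a
    cookie (a real browser sends back the session cookie set on its first response)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        if any(TOOL_UA.match(r["ua"]) for r in recs):
            flagged[ip] = "tool user-agent"
        elif len(recs) >= 2 and all(r["cookie"] == "-" for r in recs):
            flagged[ip] = "never presents a cookie"
    return flagged


def headless_ips(records):
    """Gen-2 hint: headless-browser tokens left in the User-Agent."""
    return {r["ip"] for r in records if HEADLESS_UA.search(r["ua"])}


def subnet_clusters(records, window=timedelta(minutes=15), min_ips=5):
    """Gen-3 signature from the report: many distinct IPs inside one /24 (IPv4 assumed),
    all presenting one identical User-Agent within a short window."""
    by_net = defaultdict(list)
    for r in records:
        by_net[str(ipaddress.ip_network(f'{r["ip"]}/24', strict=False))].append(r)
    clusters = {}
    for net, recs in by_net.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):            # slide the window over sorted timestamps
            win = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            ips, uas = {r["ip"] for r in win}, {r["ua"] for r in win}
            if len(ips) >= min_ips and len(uas) == 1:
                clusters[net] = {"requests": len(win), "ips": len(ips), "ua": uas.pop()}
                break
    return clusters


def _line(ip, ts, path, ua, cookie="-", referer="-", status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 5120 "{referer}" "{ua}" "{cookie}"'


def build_sample_log():
    """Constructed traffic (not captured data): a curl scraper, a wget fetch, a headless-Chrome
    login, one real user, and a Gen-3 style burst of 150 requests from 15 IPs in three /24s
    spread over 15 minutes."""
    t0 = datetime(2023, 6, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = [
        _line("203.0.113.10", t0, "/products", "curl/7.88.1"),
        _line("203.0.113.10", t0 + timedelta(seconds=1), "/products?page=2", "curl/7.88.1"),
        _line("203.0.113.11", t0 + timedelta(seconds=2), "/products", "Wget/1.21.3"),
        _line("198.51.100.7", t0 + timedelta(seconds=5), "/products", CHROME_UA,
              cookie="session=abc123", referer="https://example.com/"),
        _line("192.0.2.21", t0 + timedelta(seconds=9), "/login",
              CHROME_UA.replace("Chrome/", "HeadlessChrome/"), cookie="session=x1"),
    ]
    for s, subnet in enumerate(("10.20.1.", "10.20.2.", "10.20.3.")):
        for h in range(5):                                   # 5 IPs per subnet -> 15 IPs
            for k in range(10):                              # 10 requests each -> 150 total
                ts = t0 + timedelta(seconds=6 * (s * 50 + h * 10 + k))
                lines.append(_line(f"{subnet}{50 + h}", ts, f"/item/{k}", CHROME_UA,
                                   cookie=f"session=s{s}{h}"))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("Gen-1 suspects:", gen1_ips(recs))
    print("Headless user-agents:", headless_ips(recs))
    for net, info in subnet_clusters(recs).items():
        print(f"Gen-3 cluster {net}: {info['ips']} IPs, {info['requests']} requests, one UA")
```

The per-/24 grouping is what defeats the "different IP, same subnet" trick: blocking individual addresses misses it, but the three constructed subnets each surface as one cluster with five IPs and a single User-Agent. The same code finds nothing in the Gen-4 case by design, since a Gen-4 bot rotates both its UA and thousands of addresses, which is where behavioral signals have to take over.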

Gen 4 Bot

The latest generation of bots have advanced human-like interaction characteristics, including moving the mouse pointer in random, human-like patterns instead of straight lines. These bots can also change their user agents (UAs) while rotating through thousands of IP addresses. There is growing evidence that bot developers are carrying out “behavior hijacking”: recording the way real users touch and swipe on hijacked mobile apps so as to mimic human behavior on a website or app more closely. Behavior hijacking makes these bots much harder to detect, as their activity cannot easily be distinguished from that of real users.

The Gen-4 phase likewise consisted of approximately 150 requests, and all of them bypassed the existing security measures.

Zaid Imam

With over 6 years in product management at Radware, Md Zaid Imam has extensive expertise in cybersecurity, specifically bot mitigation and protection. Known for a dynamic approach that is both data-driven and analytical, Zaid brings a unique and informed perspective on the cybersecurity landscape. As a technical expert in the field, he consistently delivers innovative solutions to complex cybersecurity challenges, and his passion for and dedication to the industry make him a reliable resource for all things related to cybersecurity.
