Walking through how to clock 4 in-client bot detectors like Google reCAPTCHA and Akamai Bot Management SDK.
Scenario 1 - you are a person who writes bots (or OpenBullet configs or whatever) to yield 40,000 U.S. dollars per year that you live on.
Scenario 2 - you are an in-house security person who is trying to tell whether bot detection stuff the client team was supposed to put in actually went in.
- Google reCAPTCHA
- Akamai Bot Management SDK
- Shape Security
The easiest way to see this guy is to just open the Sources developer tool instead of Console.
Per the official installation instructions, users of reCAPTCHA – version 2, version 3, I don’t care – include the following.
If you’re really disappointed we’re not finding it with JS, then fine, we’ll go that way. Execute the following.
console.log(typeof grecaptcha !== 'undefined' && typeof grecaptcha.ready !== 'undefined')
The object that’s watching you screw around on the page is
grecaptcha and I threw in a function check just to avoid the most basic of fake-outs.
Try it on Google’s own demo form.
Akamai Bot Management SDK
This one’s a little tricker because often it gets injected by Akamai WAF itself. Magic!
What gets injected? At the time of this writing, it’s this
> console.log(bmak.get_telemetry()) 7a74G7m23Vrp0o5c9198171.64-1,2,-94,-100,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36,uaend,12147,20030107,en-US,Gecko,3,0,0,0,393816,9227162,1920,1040,1920,1080,1904,952,1920,,cpen:0,i1:0,dm:0,cwen:0,non:1,opc:0,fc:0,sc:0,wrc:1,isc:0,vib:1,bat:1,x11:0,x12:1,8321,0.297870101148,800284613581,0,loc:-1,2,-94,-101,do_en,dm_en,t_en- ...
So if we’re going to straighten that out into a detection script, you might take this below.
console.log(typeof bmak !== 'undefined' && typeof bmak.get_telemetry !== 'undefined')
Akamai doesn’t provide a test form but at the time of this writing you can try
It seemed apt to include them as one of the older players in this space. They were also a stop on my 2019 job interview tour.
Reddit is one place I went looking for it. See the following accounts from someone who observed WhiteOps there a few months ago.
No dice for me though.
Some domains that may indicate the presence of WhiteOps –
adxyield.com adzmath.com whiteops.com
Some indicators for scripts –
*ozoki_tc *ozoki_os *ozoki_url *ozoki_ct ||ozoki_opt *ozoki_loaded *ozoki_call
My understanding is that Shape does some inject-o voodoo like Akamai BotMan too.
But, there’s some additional stuff going on that makes them the most cryptic product here.
- Sensor data is encoded with Superpack
- Superpack-encoded data is encrypted using a custom function
- Encrypted data is Base64-encoded but the standard Base64 alphabet is shuffled (!!)
Instead we’ll learn the other telltale signs from the developer tools still.
One check you can try by just viewing page source is Ctrl+F for
This is another Shape product that checks credentials for a risk score. It’s commonly in use on bot-prone endpoints.
The other, more reliable check is to eyeball the headers like the following on your login request. Run the network tool to record your login form submission.
x-XXXXXXXX-a x-XXXXXXXX-b x-XXXXXXXX-c x-XXXXXXXX-d x-XXXXXXXX-f x-XXXXXXXX-z
See the uppercase X’s in my code block will change depending on the target. Here’s another website below.
Shape doesn’t provide a test form either but you can try
If you’re trying to attack the bot detector then I’ll suggest the below GitHub repo as a starting point.
If these kind of detection tricks were out there already, I hadn’t seen them all grouped succinctly like this on the clear web. Shrug.
Obviously there is a server-side expectation of telemetry strings from these things. That’s why we are detecting here.
Go find an easier target in these cases. Ripping the stuff out or overriding their outputs is pointless.
Happy hacking/botting. 💻