Fabien Vauchelles

Cracking the Code: Decoding Anti-Bot Systems!

How do anti-bot systems use your GPU rendering and browser plugins to decide if you're human? This talk shows how to reverse-engineer their logic.

Cracking the Code: Decoding Anti-Bot Systems!
#1about 5 minutes

The fundamental challenge of web scraping as a turing test

Web scraping is fundamentally a Turing test where automated scripts must mimic natural human behavior to avoid detection by anti-bot systems.

#2about 10 minutes

How anti-bot systems analyze the browser stack for signals

Anti-bot systems analyze signals from the entire browser stack, including IP address, TCP/TLS/HTTP2 fingerprints, JavaScript execution, and user navigation patterns.

#3about 2 minutes

Exploiting the business need to minimize false positives

The necessity for websites to avoid blocking real customers (false positives) forces anti-bot systems to focus on a limited set of the most effective signals.

#4about 5 minutes

Tools and techniques to identify anti-bot systems

Use tools like Wappalyzer, browser dev tools, and proxy interceptors to identify the specific anti-bot protection and analyze its architecture and encrypted payloads.

#5about 7 minutes

A step-by-step methodology for building robust scrapers

Follow an incremental approach to bypass protections, starting with basic scraper tuning and progressively adding proxies, headless browsers, and unblocker APIs.

#6about 4 minutes

Designing a scalable architecture for data collection

Build a scalable scraping infrastructure using a central data store, an orchestrator, a proxy management layer, and a farm of diverse browsers.

#7about 7 minutes

Decoding common javascript obfuscation techniques

Anti-bot systems use JavaScript obfuscation techniques like string concealing, code flow confusion, and control flow flattening to make their code unreadable.

#8about 3 minutes

Identifying the five key signal types after deobfuscation

After deobfuscating the code, identify the five main types of signals collected: configuration details, automation flags, rendering fingerprints, reverse engineering checks, and integrity controls.

#9about 1 minute

The next frontier in anti-bot is javascript virtual machines

The next evolution in anti-bot technology involves JavaScript virtual machines that execute proprietary, undocumented bytecode, making reverse engineering significantly more difficult.

#10about 14 minutes

Answering questions on scraping legality, VPNs, and rate limits

The Q&A session addresses common questions about the legality of web scraping, the effectiveness of VPNs, managing rate limits, and the cat-and-mouse game with anti-bot providers.

Related jobs
Jobs that call for the skills explored in this talk.

Featured Partners

Related Videos

See all videos
The attacker's footprint2:08:06

The attacker's footprint

Antonio de Mello & Amine Abed

Getting under the skin: The Social Engineering techniques43:56

Getting under the skin: The Social Engineering techniques

Mauro Verderosa

Skynet wants your Passwords! The Role of AI in Automating Social Engineering31:19

Skynet wants your Passwords! The Role of AI in Automating Social Engineering

Wolfgang Ettlinger & Alexander Hurbean

Typed Security: Preventing Vulnerabilities By Design58:19

Typed Security: Preventing Vulnerabilities By Design

Michael Koppmann

Can Machines Dream of Secure Code? Emerging AI Security Risks in LLM-driven Developer Tools35:37

Can Machines Dream of Secure Code? Emerging AI Security Risks in LLM-driven Developer Tools

Liran Tal

Cyber Security: Small, and Large!37:32

Cyber Security: Small, and Large!

Martin Schmiedecker

Cyber Sleuth: Finding Hidden Connections in Cyber Data1:00:19

Cyber Sleuth: Finding Hidden Connections in Cyber Data

Jennifer Reif

Let’s write an exploit using AI21:01

Let’s write an exploit using AI

Julian Totzek-Hallhuber

From learning to earning

Jobs that call for the skills explored in this talk.