Bypassing CAPTCHA

This is why CAPTCHAs are insecure

Anti-automation, also known as rate limiting, prevents attackers from using tools and bots to repeatedly conduct actions within a platform. For example, a web application may resell event tickets which are posted by application users.

A bot may be executed by an attacker to repeatedly use the search functionality until a set of tickets is available to buy. This would strain the web server's computing resources and also give the attacker an unfair advantage by letting them buy the tickets quicker than others.

To prevent this, anti-automation can be used to ensure malicious users are not able to automate a process that should be performed via manual interactions. Anti-automation may be present in various forms, for example Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA), WAF, API request limiting and more.

CAPTCHAS ARE NOT EFFECTIVE

It is really easy to bypass CAPTCHA services that use picture or audio puzzles. Google CAPTCHA V2 is very commonly used on web platforms and is vulnerable to bypass for one of several reasons: CAPTCHA farms, Optical Character Recognition and audio-to-text services.

In this article, we're going to use 'buster', a tool in the Google Chrome and Firefox add-on stores that will easily bypass CAPTCHA services.

Using this tool along with Google's own speech-to-text service, we will bypass CAPTCHAs:

  1. Sign up to G-Cloud and enable Speech-To-Text

    1. https://console.cloud.google.com/speech/

  2. Create G-Cloud API Key

  3. Download Buster Firefox plugin

    1. https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver

  4. Set G-Cloud API Key within Buster options

  5. Bypass captcha, as shown in the video below

If you want to see this in practice, check out the video below:

Recommendation

Various types of anti-automation mitigation exist to rate limit, restrict traffic, and prevent bots from scraping web applications. In many cases, a CAPTCHA would be enough to deter basic automation and manual attackers. However, when you are faced with advanced attackers looking to access the web application, an advanced bot protection solution must be used.

Advanced bot protections do not typically use any form of CAPTCHA or user input data. Rather, an advanced bot protection solution secures the access points of the website by analyzing the traffic. It categorizes the traffic as a human, a good bot, or a bad bot. Thereafter, it collects and analyzes the bot traffic and finds anomalies in it using machine learning.

Various data models identify real-time bot behavior through comparison with a vendor's own violator database, as well as other detection parameters like device fingerprints. This helps identify malicious bots that are hidden behind shared IP space.
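The following added example (not from the original article or any vendor's product) illustrates the shared-IP point for the ticket-search scenario: a sliding-window request limiter is run over constructed traffic in which a bot and a human sit behind the same address, keyed first by IP and then by IP plus device fingerprint. The fingerprint strings, the limit of 10 requests per 10 seconds and all sample data are assumptions; a real fingerprint would come from an upstream component.

```python
from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_seconds, client_ip, device_fingerprint).
# A bot and a human share the NAT address 203.0.113.7; a second human is elsewhere.
SAMPLE_REQUESTS = (
    [(t * 0.5, "203.0.113.7", "fp-bot") for t in range(40)]       # 2 searches/second
    + [(t * 6.0, "203.0.113.7", "fp-human") for t in range(4)]    # 1 search every 6 s
    + [(t * 5.0, "198.51.100.9", "fp-other") for t in range(4)]
)


class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def blocked_counts(requests, key_fn, limit=10, window=10.0):
    """Replay requests in time order; return {fingerprint: rejected request count}."""
    limiter = SlidingWindowLimiter(limit, window)
    blocked = defaultdict(int)
    for ts, ip, fp in sorted(requests):
        if not limiter.allow(key_fn(ip, fp), ts):
            blocked[fp] += 1
    return dict(blocked)


if __name__ == "__main__":
    # Keyed by IP only: the human behind the shared address is throttled with the bot.
    print("by IP:         ", blocked_counts(SAMPLE_REQUESTS, lambda ip, fp: ip))
    # Keyed by IP + fingerprint: only the automated client exceeds its budget.
    print("by fingerprint:", blocked_counts(SAMPLE_REQUESTS, lambda ip, fp: (ip, fp)))
```
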
