
I'm doing research on anti-bot measures that websites can use to prevent automation. I came across a JavaScript library and I'm trying to identify its origin. At first I thought it was a site-specific library, but after further research I found that many e-commerce websites use the exact same library; still, I couldn't find this library's origin company (author). Here's what I know that can help identify it:

  • The library is usually stored as follows:

    http://www.example.com/_bm/async.js
    
  • Once it's loaded, the library sends a POST request to

    http://www.example.com/_bm/_data

    which sets a cookie named _abck.

So basically this library determines if the user is an automation bot or a real human.

Which company owns this library (website if possible) and how can I reach them to implement it on my own websites?

Edit for more clarification:

Some examples include, but are not limited to:

Reyno
    So how did you find this library? And are there perhaps some notes in the js file itself? – mad_manny Apr 04 '18 at 12:39
  • I work in the automation industry as a developer and I was analyzing a website where I encountered this library. No notes/comments/leads as to where this script originated from. Here's a [pastebin](https://pastebin.com/YUbuJHGs) of the obfuscated raw content in case it helps. – Reyno Apr 04 '18 at 14:34
  • Ok, this is pretty obfuscated. I can only think of asking the owner of the site where you found the script, or trying to find a library fitting your needs by searching for this **kind of** lib and not specifically **this** lib. – mad_manny Apr 05 '18 at 05:12

2 Answers

This anti-bot library belongs to Akamai. Clients execute the JavaScript and post to /_bm/data on a site behind the Akamai CDN. The CDN's bot manager (bm) then makes decisions based on the submitted data, such as slowing down responses to suspected bot clients or downright returning 403s. The abck cookie is returned upon submission to the /_bm/data endpoint.

You can read more about it here.

Edit: this anti-bot library was written by Cyberfend, which was purchased by Akamai in 2016.

dan

I de-obfuscated it (see the CoffeeScript code below) and ran it through jsbeautifier.org.

# The obfuscator's string table: every `_ac[x]` in the script is a lookup into it.
stringList = [ ... list went here ]

# The obfuscated script body.
tCode = '''
... code went here
'''

# Replace each `_ac[x]` lookup with its literal string. String.replace only
# rewrites the first occurrence, so keep passing over the code until a full
# pass changes nothing (tIn == tOut).
tIn = tCode
tOut = ""
while tIn != tOut
  tIn = tCode
  for x in [0...stringList.length]
    console.log("_ac[#{x}]", stringList[x])
    tCode = tCode.replace("_ac[#{x}]", stringList[x])
  tOut = tCode

Results are here.

From a brief look through the code, it looks like they are doing things with checking plugins and messing with canvas, i.e. things that would break most bots.

Part of the code mentions a public key, cf[api_public_key] = afSbep8yjnZUjq3aL010jO15Sawj2VZfdYK8uY90uxq. A Google search of that public key yielded some code that might bypass this anti-bot detection.

More info on the domain listed in the code can be found here:

   Domain Name: CFORMANALYTICS.COM
   Registry Domain ID: 1897860898_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.godaddy.com
   Registrar URL: http://www.godaddy.com
   Updated Date: 2018-01-08T20:17:08Z
   Creation Date: 2015-01-24T01:00:53Z
   Registry Expiry Date: 2020-01-24T01:00:53Z
   Registrar: GoDaddy.com, LLC
   Registrar IANA ID: 146
   Registrar Abuse Contact Email: abuse@godaddy.com
   Registrar Abuse Contact Phone: 480-624-2505
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: BONNIE.NS.CLOUDFLARE.COM
   Name Server: DOM.NS.CLOUDFLARE.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
   >>> Last update of whois database: 2018-04-06T08:28:19Z <<<

Code possibly owned by GoDaddy?

CaffeineAddiction
  • +1, very interesting finds, especially that your deobfuscated code mentions a site called cformanalytics.com. A quick Google search showed https://cdn.cformanalytics.com/cfwu.js, but the domain itself is available, which is weird. This still doesn't show the origin of the script though. – Reyno Apr 06 '18 at 08:23
  • Best guess is cfwu.js is a newer version or newer obfuscation of the code. – CaffeineAddiction Apr 06 '18 at 08:34
  • I've de-obfuscated this script even further (by replacing all the _ac[...] lookups with their actual string, and simplifying syntax a bit further); the result is here: [Bot Detection Script](https://gist.github.com/jd20/b49941c1cff23fc566222223b96281af). I was tripping up on this script when using Chrome in headless mode, but once de-obfuscated, it was pretty easy to track down what the cause was. – jd20 Jul 04 '18 at 04:49
  • It's possible this code is related to the Akamai Bot Manager to restrict bots from accessing your site. https://www.akamai.com/us/en/products/cloud-security/bot-manager.jsp –  Apr 11 '18 at 17:49
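As an added example (not code from either answer or from the script's vendor), here is a Node.js version of the string-table substitution that the CoffeeScript loop in the second answer performs: it pulls the `_ac` array out of the source, rewrites every `_ac[n]` lookup as the quoted literal, and repeats until a pass changes nothing. The `SAMPLE` input is constructed to imitate the `_ac[n]` pattern for analysis and is not the real script.

```javascript
// Constructed sample that mimics string-table obfuscation; NOT the real Akamai script.
const SAMPLE = `
var _ac = ["navigator", "plugins", "toDataURL", "_abck", "length"];
var n = window[_ac[0]];
var p = n[_ac[1]][_ac[4]];
var c = document.createElement("canvas")[_ac[2]]();
document.cookie = _ac[3] + "=" + p;
`;

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Pull the string table out of a `var <name> = [ ... ];` declaration.
// Assumes the entries are double-quoted, JSON-compatible string literals.
function extractStringTable(src, name) {
  const re = new RegExp("var\\s+" + escapeRe(name) + "\\s*=\\s*(\\[[\\s\\S]*?\\]);");
  const m = src.match(re);
  if (!m) throw new Error("string table " + name + " not found");
  return JSON.parse(m[1]);
}

// Replace every `<name>[<index>]` lookup with the literal it resolves to.
// Runs to a fixpoint so a table entry that itself contains a lookup is also
// resolved; the round cap prevents looping forever on a self-referential table.
function inlineLookups(src, name, table, maxRounds = 10) {
  const re = new RegExp(escapeRe(name) + "\\[(\\d+)\\]", "g");
  let cur = src;
  for (let round = 0; round < maxRounds; round++) {
    const next = cur.replace(re, (whole, idx) => {
      const i = Number(idx);
      return i < table.length ? JSON.stringify(table[i]) : whole; // keep out-of-range lookups
    });
    if (next === cur) return cur; // nothing left to substitute
    cur = next;
  }
  throw new Error("lookup substitution did not converge");
}

// Returns the recovered table and the code with all lookups inlined.
function deobfuscate(src, name = "_ac") {
  const table = extractStringTable(src, name);
  return { table, code: inlineLookups(src, name, table) };
}

console.log(deobfuscate(SAMPLE).code);
```

After substitution the sample reads `window["navigator"]` and `document.cookie = "_abck" + "=" + p;`, which makes the plugin/canvas/cookie behaviour the answer describes readable at a glance.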