Is it possible to prevent a man-in-the-browser attack on the server with a hardware device?

I recently found a hardware device that is claimed to prevent bot attacks by modifying HTML DOM elements on the fly. Details are mentioned here

The HTML input element's id and name, as well as the form element's action, are replaced with a random string before the page is sent to the client. When the client submits the form, the hardware device replaces the values with the originals. Thus the server code remains unchanged, and bots cannot work with a fixed input name or id.

Navigation example

That was the general idea, but they also claimed that this product could solve man-in-the-browser attacks.

http://techxplore.com/news/2014-01-world-botwall.html :

Shape Security claims that the code added to the website will not cause any noticeable delay to the user interface (or how it appears) and that it works against other types of attacks as well, such as account hijacking and man-in-the-browser. They note that their approach works because it deflects real-time attacks, whereas botnet code is only changed when it is installed (to change its signature).

Is it theoretically possible for someone to prevent a man-in-the-browser attack on the server?!


1 answer


Is it theoretically possible for someone to prevent a man-in-the-browser attack on the server?!

Nope. Obviously, a compromised client can do anything that a real user can do.

Making pages more resistant to automation is potentially an arms race of updates and countermeasures. Obfuscation like this can, at best, make it annoying enough to automate your site that it isn't cost-effective for an attacker, meaning you're trying to make yourself no longer the "low-hanging fruit".

They note that their approach works because it deflects real-time attacks, whereas the code for botnets only changes when it is installed (to change its signature).

That seems completely pointless. Bots can naturally update their own code. Indeed, banking Trojans typically update themselves to bypass changes to account login pages. If the service doesn't include live updates pushed to the field-renaming filters to counter those bot updates, you still don't win.

(An automated arms race as a service would be an interesting proposition. However, I would be worried about new obfuscation features breaking your applications. For example, imagine what happens with the noddy form-field-renaming example on the linked site if you have your own client-side scripts that rely on those names. Or, indeed, if your entire site is a single-page client-side application, it would have no effect at all.)
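A minimal version of the per-response field renaming the question describes, written as an added example (not Shape Security's product code and not from the original post), alongside the caveat the answer raises: a client-side script hard-coded to the original id no longer finds its element. The form HTML, the alias prefix and the in-memory token store are constructed assumptions; how the token travels back to the server (hidden field or cookie) is left out.

```python
import re
import secrets

# Constructed sample page: the server-side template uses fixed names/ids.
ORIGINAL_FORM = (
    '<form action="/login" method="post">'
    '<input id="user" name="user">'
    '<input id="pass" name="pass" type="password"></form>'
)

# Matches id="..." and name="..." attributes; the form action is left alone here.
FIELD_ATTR = re.compile(r'\b(id|name)="([^"]+)"')

# Assumed store: response token -> {alias: original}. A real deployment would
# keep this in the session and expire it; a plain dict is enough for the example.
_pending = {}


def rewrite_form(html):
    """Return (token, html) with every id/name replaced by a random alias.

    The same original value gets the same alias within one response, so an
    element's id and name stay in sync, but the alias differs per response."""
    aliases = {}

    def repl(match):
        attr, original = match.group(1), match.group(2)
        alias = aliases.setdefault(original, "f_" + secrets.token_hex(8))
        return f'{attr}="{alias}"'

    rewritten = FIELD_ATTR.sub(repl, html)
    token = secrets.token_urlsafe(16)
    _pending[token] = {alias: orig for orig, alias in aliases.items()}
    return token, rewritten


def restore_fields(token, submitted):
    """Map submitted alias names back to the originals the server code expects.

    The token is single-use; unknown field names are dropped rather than passed on."""
    mapping = _pending.pop(token, None)
    if mapping is None:
        raise ValueError("unknown or already-used form token")
    return {mapping[name]: value for name, value in submitted.items() if name in mapping}


def client_script_breaks(rewritten_html, hardcoded_id="user"):
    """The answer's caveat: a page script using the original id finds nothing."""
    return f'id="{hardcoded_id}"' not in rewritten_html
```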