Prevent Ad Fraud and Click Fraud

on preventing replay attacks

Button Solutions — Tue, 24 Mar 2026 15:38:33 GMT

Replay attacks are a constant threat for websites currently protected by typical bot management solutions.

Back when we started research into these products two years ago, the obfuscation on multi-billion dollar companies' solutions was laughable - a simple array of strings, maybe with a small shuffle operation. Many companies used javascript-obfuscator. (1)

The packets sent to the server though? Very easy to replace. Often, there wasn't even a timestamp included, which means that you can for as long as you want reuse a given packet to regenerate bypass cookies.

In other words, the website was not protected at all.

Soon though, companies like HUMAN security (nothing says humanity like having to say it explicitly in your name) implemented key obfuscation per-version, which did mitigate some replay attacks. No longer could you send PX503 and the like, but you actually had to parse out each version using regex if you like waking up at strange hours and all your bypass breaking, and AST if you are sane.

^(.*?,){11}P

Beautiful.

But the story doesn't stop there. I started pushing for antibots (colloquially called bot managers by the uninitiated) to use Javascript Virtual Machines here. Around this time, there were reports of some big companies whose researchers were finally able to convince their bosses to do the switch:

uh oh

Which is really good for everyone, if I'm being honest. Raising the bar makes good researchers better on all sides, and pushes the script kiddies further out.

Unfortunately the actual gathered data of these companies remained the same, and alas, as such, most are still vulnerable to replay attacks, advanced stealth browsers, and advanced request bots either parsing solver style, or executing in a crafted sandbox.

But at least one battle won.

Till next time!

(which now has vibe-coded VM protection, which is a bit sad as their obfuscation is quite good if not overused).

Stopping Excessive Bot Traffic

Button Solutions — Tue, 24 Mar 2026 08:32:02 GMT

To stop excessive bot traffic,implement a Web Application Firewall (WAF) like Cloudflare, enforce rate limiting to block high-frequency IPs, and deploy CAPTCHAs on all forms. Further steps include updating robots.txt to block known crawlers, using honeypots to identify bot behavior, and monitoring analytics for unnatural, identical user sessions. Top Strategies to Stop Bot Traffic:

Use a Web Application Firewall (WAF): Services like Cloudflare, Sitelock, or Sucuri can filter out malicious bot traffic before it reaches your site.
Implement Rate Limiting: Restrict the number of requests a single IP address can make within a specific timeframe to stop scraping and brute-force attempts.
Add CAPTCHA Challenges: Use tools like reCAPTCHA on login, registration, and comment forms to distinguish human users from automated bots.
Configure Robots.txt: Instruct well-behaved bots to avoid specific, sensitive areas of your website.
Block Malicious IPs and User Agents: Identify suspicious IP addresses in your server logs and use your .htaccess file or security plugins to block them.
Use Honeypots: Create hidden links or fields that are invisible to humans but enticing to bots; if something triggers that link, you know it is a bot and can block it.

How to Identify Bot Traffic:

Sudden Spikes: Unexplained traffic increases without corresponding conversions.
High Bounce Rate: Instant departure from a page without interaction.
Uniform Sessions: Identical session duration across thousands of visits.
Unexpected Geography: A high volume of traffic from countries outside your target audience.

For immediate relief, Button Solutions Toolbox is highly effective at detecting and mitigating automated attacks.

How Do I Protect My Website Against Bots?

Button Solutions — Tue, 24 Mar 2026 08:29:12 GMT

Protecting your website against malicious bots involves a multi-layered approach: implementing a Web Application Firewall (WAF) like Cloudflare or Sucuri, setting rate limits to throttle excessive requests, using CAPTCHAs on forms, and monitoring traffic for anomalies. These tools distinguish human behavior from automated scripts, blocking spam, scrapers, and credential stuffing. Key Bot Protection Techniques:

Web Application Firewalls (WAF): Use a WAF (e.g., Cloudflare, Imperva) to filter malicious traffic, block known bad IP addresses, and inspect HTTP/HTTPS requests before they reach your server.
Rate Limiting & Throttling: Limit the number of requests a single user or IP can make in a given timeframe to prevent content scraping and brute-force login attempts.
CAPTCHA and Challenges: Implement CAPTCHA (e.g., reCAPTCHA, Friendly Captcha) on login, comment, and contact forms to distinguish humans from bots.
Behavioral Analysis & Machine Learning: Use advanced bot management solutions that analyze mouse movements, navigation, and scroll patterns to identify non-human traffic.
Honeypots: Create hidden fields or links in your HTML that are invisible to humans but visible to bots. When a bot interacts with these "traps," they can be identified and blocked.
Review robots.txt: Use robots.txt to guide good bots (like search engines) away from sensitive areas, though malicious bots often ignore this file.
Block Known Bad User Agents & Hosting Providers: Block requests from outdated browsers and known data center proxy networks used for launching attacks.
Device Fingerprinting: Identify bots by detecting patterns in browser characteristics, such as screen resolution, installed fonts, and plugins.
Monitor Analytics: Watch for sudden traffic spikes, abnormally high bounce rates, and high numbers of failed login attempts, which often indicate bot activity.

Though, you could always rely on https://button.solutions 😄

FPScanner : a great starting point

Button Solutions — Thu, 19 Mar 2026 11:05:28 GMT

Live Demo | FPScanner

See FPScanner in action. Collect your browser fingerprint and view the decrypted results.

FPScanner

The awesome Antonie Vastel focuses mostly in his research on reported browser javascript -level signal inconsistencies.

For instance, hasMismatchLanguages has been a favorite for datadome for some time (Antonie was the primary researcher up until recently there). It is often a problem for scrapers that they are using outdated or incorrect ip information, placing a given ip in Nebraska so the timezone will not match its real location in New York. This can help, but it's not a strong signal by itself.

There are often inconsistencies when using CDP to spoof the browser overrides, and this is something that is very old and Google has no incentive to fix it, as it is one of the primary means of detecting automation: https://issues.chromium.org/issues/40236995 (WorkerNavigator.platform still leaks original value, TL;DR)

You might notice going over the fingerprint json at fpscanner.com the automation signals - these are the strongest signals in the book - however, to implement this properly you need a lot more signals, for instance, nightmare is an indicator of https://github.com/segment-boneyard/nightmare.

These signals are great and all, but all of them can be spoofed in the hands of the right bypass researcher (yes, scraping has researchers: https://nullpt.rs/reverse-engineering-tiktok-vm-1).

If you're still blocking by IP and User-Agent, you are very, very behind.

the non-obvious obvious

Button Solutions — Thu, 19 Mar 2026 10:38:26 GMT

Let's talk about the obvious.

CreepJS

Intro

If you don't know what this is, you don't really know how to block bots.

There are a lot of good sensors here - and it is very hard to spoof them all, perfectly.

But there's another issue here, and that is that if you're only blocking on signals like these, you end up with an ml nightmare classifier that gives you a bot score - a percentage likelihood.

These statistically based bot scores are not so useful without honeypots, because most of the internet access is now automated (Imperva Bot Report, 2025)

Browser Fingerprinting 101

Each section in the creepjs check page is a tool with which we can see bots. Which we do want to see, unless you like flying blind, wondering why half your users bounce with zero time interaction - even though they are from the United States rather than China.

The most obvious, and strongest signals, are those in this section (from a Linux Chrome browser):

Compare this to an emulated iOS based visit (browserstack):

And a Brave browser visit:

we already have some tools just from one section. It's really important when doing fingerprinting to know:

Where you are running - is it an ip that is compromised in some way, or low trust?
1. Is it a datacenter ip?
2. Is there some sort of indication of proxy usage, like tor or residential proxies?
3. Most importantly, is it some trusted ip, like google's crawler ips? (One such range is here: https://developers.google.com/static/search/apis/ipranges/googlebot.json)
What claims does the browser environment have?
1. Connection claims, like tls - is it really a browser? What type?
2. Header claims, which can include ordering of headers and inconsistencies in content
3. And most importantly for us, javascript / wasm claims. These are the most commonly spoofed, with tools like puppeteer stealth doing a lot of heavy lifting for you.

The rest is commentary.

on canvas fingerprinting

Button Solutions — Thu, 19 Mar 2026 10:17:11 GMT

The first rule about canvas fingerprinting is you don't talk about canvas fingerprinting.

Visualizing canvas fingerprinting

A look at some common JavaScript fingerprinting libraries, focusing on the specific images that they use in their canvas fingerprinting routines.

a blog by aleksejs

This is a post from Aleksejs Popovs - not my original work, though I am familiar with all the fingerprints except the very convoluted shape one.

Some notes!

F5 shape is spot on (I know from my decompilation with help from colleagues) which is very cool. (though I have some ideas on how to improve that pixel check)

My experience before I set out on the defense side was that pretty much everyone copies everything from each other. And it's not for a lack of good ideas! There are some some cool proposals out there. There are a few gems not mentioned here, but as it is obfuscated I'm not going to reveal them

Our approach is slightly different - we are making replay attacks far more difficult.

coming soon

Button Solutions — Tue, 17 Mar 2026 11:51:31 GMT

This is the bot blog, a brand new site by button ^ solutions that's just getting started. Things will be up and running here shortly, but you can subscribe in the meantime if you'd like to stay up to date and receive emails when new content is published!