Struggling with Custom Website Protection - Any Advice?

dollysheep (Newbie, joined Sep 8, 2022)
I am developing a phishing mirror. This is essentially a layer between the client and the target website that can modify the request body sent to the target site as well as alter the response sent back to the client, depending on the needs. Since I have to proxy absolutely everything including styles, HTML, AJAX requests, etc., I cannot use a headless browser. Instead, I have to employ both an HTTP server and an HTTP client. Recently, the site I am working with introduced its own custom protection against software like mine. Somehow, "non-browser" traffic is very effectively recognized. I'm not talking about standard solutions like the Cloudflare challenge, etc. My program can bypass those. They have some sort of custom protection.
I am certain it can be bypassed because I've seen examples done by my competitors. But I just can't figure it out. What could be the key? The order of headers? Characteristics of the SSL connection? Has anyone encountered something similar?
 
Currently, suspicion has fallen on the TLS fingerprint. I'll try using curl-impersonate. However, testing this hypothesis will take some time.
 
Yes, it's the TLS fingerprint; scramble the order of the ciphers.
 

These are called JA3 fingerprints (JA4 is a newer analog); here's how they work: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/

To summarize, here is a list of what it is formed from (taken from the first ClientHello packet of a TLS connection):

  • TLS Version
  • Cipher Suites
  • TLS Extensions
  • Supported Groups (Elliptic Curves)
  • Elliptic Curve Point Formats
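As an added example (not code posted in this thread), here is a small Python script that shows how those five fields turn into a JA3 string and hash. It builds a constructed ClientHello record, parses it back, and derives the JA3 string and MD5 the way the JA3 spec does, skipping GREASE values. The sample cipher list, extension set, curve list and hostname are made up for the demonstration; the second record is the same ClientHello with the cipher order reversed, to show why reordering ciphers changes the fingerprint.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them so that
# browsers which randomise GREASE do not produce a different hash on every connect.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def build_client_hello(ciphers, extensions):
    """Serialise a minimal TLS ClientHello record (constructed test input only)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # TLS 1.2, zero random, empty session id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type=1, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, cipher list, [(ext_type, ext_data), ...]) from a raw record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                       # skip the 32-byte random
    pos += 1 + body[pos]                               # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = list(struct.unpack(">%dH" % (cs_len // 2), body[pos:pos + cs_len]))
    pos += cs_len
    pos += 1 + body[pos]                               # skip compression methods
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    extensions = []
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        extensions.append((etype, body[pos:pos + elen]))
        pos += elen
    return version, ciphers, extensions


def ja3(record):
    """Build the JA3 string and its MD5 from the five ClientHello fields."""
    version, ciphers, extensions = parse_client_hello(record)
    ext_ids, groups, formats = [], [], []
    for etype, data in extensions:
        if etype in GREASE:
            continue
        ext_ids.append(etype)
        if etype == 10:                                # supported_groups
            n = struct.unpack(">H", data[:2])[0]
            groups = [g for g in struct.unpack(">%dH" % (n // 2), data[2:2 + n]) if g not in GREASE]
        elif etype == 11:                              # ec_point_formats
            formats = list(data[1:1 + data[0]])
    ja3_str = ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if c not in GREASE),
        "-".join(str(e) for e in ext_ids),
        "-".join(str(g) for g in groups),
        "-".join(str(f) for f in formats),
    ])
    return ja3_str, hashlib.md5(ja3_str.encode()).hexdigest()


# Constructed sample: a browser-style ClientHello with GREASE sprinkled in, and the
# same hello with the ciphers reversed (the "scramble the ciphers" idea).
SNI = struct.pack(">HBH", 14, 0, 11) + b"example.com"               # hostname is made up
EXTENSIONS = [
    (0x5A5A, b""),                                                   # GREASE extension
    (0, SNI),                                                        # server_name
    (23, b""),                                                       # extended_master_secret
    (10, struct.pack(">H", 8) + struct.pack(">4H", 0x2A2A, 29, 23, 24)),  # supported_groups
    (11, b"\x01\x00"),                                               # ec_point_formats: uncompressed
    (43, b"\x02\x03\x04"),                                           # supported_versions: TLS 1.3
]
BROWSER_LIKE = build_client_hello([0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F], EXTENSIONS)
REORDERED = build_client_hello([0xC02F, 0xC02B, 0x1302, 0x1301], EXTENSIONS)

if __name__ == "__main__":
    for name, rec in (("browser-like", BROWSER_LIKE), ("reordered", REORDERED)):
        s, h = ja3(rec)
        print(f"{name}: {s}  ja3={h}")
```

The first record yields the string 771,4865-4866-49195-49199,0-23-10-11-43,29-23-24,0; reversing the ciphers changes the second field and therefore the MD5, while the GREASE entries are ignored in both. Note the practical caveat: if the site is allowlisting known browser JA3 hashes rather than blocklisting known tool hashes, merely scrambling the order produces yet another unknown fingerprint. In that case the client has to reproduce a real browser's ClientHello field for field, which is what curl-impersonate does, and the quickest way to check is to capture your own ClientHello and diff its JA3 string against the browser's.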
 
I recommend focusing on researching advanced anti-bot techniques like header fingerprinting, JavaScript challenges, and behavioral analysis.
 