BottingRocks

@BottingRocks

🅱️... 6/17 @browserbasehq

Joined September 2019
1 Following 625 Followers
Pinned Tweet
BottingRocks@BottingRocks·
I recently joined a rapidly growing startup that raised a Series A of $21,000,000. I joined 5 weeks ago and so far my experience has been nothing short of amazing. The founder, @pk_iv, likes to shoot for the fences, nah scratch that, he likes to shoot for the stratosphere. My position was essentially to be part of a newly created stealth team that would match the likes of the top web scraping companies. As many of you guys know, I like reversing anti-bots, so much that I've barely used browsers to bypass anti-bots as my strength lies in reversing JavaScript protections. When I joined Browserbase I had to roll up my sleeves and dig down into the Chromium source (something I've never done before) to patch all the leaks that Playwright, Selenium and Puppeteer leave. @pk_iv specifically wanted to meet the customer where they are and not force them to use any custom frameworks. That meant that the only way forward was to build our own custom Chrome binaries. The ugly truth is that there is not a single entity where you can just license or buy all the stealth tools needed to effectively bypass a website's captcha and antibot protection. You have to build a lot in-house and keep playing the cat-and-mouse game. When I originally joined my contract was to be remote for the initial 4-6 weeks, but after 4 days I decided to say screw it and drive down to San Francisco and just stay at a hostel nearby so I can synchronize better with the team. I live in Davis, CA, which is technically very close to San Francisco, but it is a nightmare to commute every day to be there at 9 AM in the office. That was the best decision ever as it wouldn't have worked out since a lot of my work needed to be integrated into the Browserbase product. We use Slack for communication, but waiting for a response back when you can just get help from your co-worker by going to their desk or scheduling a conference room is so much better.
Now regarding @pk_iv, he doesn't have a personal office, desk or stationary place at the office where he works, yet he is there 6-7 days a week. He eats, lives, and breathes @browserbase and he is everywhere. I'm still amazed at the level of context he is able to hold as he moves from product to engineering to customer support all within a short time frame. He is answering customer queries, drafting documents on Notion, pushing code to GitHub, reviewing PRs, bringing in new customers. You can barely see me in the picture, but I'm the guy in the very back with the whiteboard in front. The guys in the front are all working on stagehand. Yes, I do have a kid, but he is 7 (not 9 @pk_iv lol), going to be 8 next year. I do get to spend time with him on the weekends grinding @fortnite on the Switch. Yeah, I know I work a lot but honestly I've grown so much in the past 5 weeks that I'm excited to see what the future holds. The hardest thing for me was working in a team where there are processes you have to follow, discussions that must be had with all the stakeholders (people in the team), stand-up meetings where you report what you have done. I've always been sort of a lone wolf doing my own thing. @pk_iv is currently looking for more amazing people to add to the team. He hires extremely fast though, you won't wait weeks or months to know if you are a good fit. I was hired in under 1 week (but I was referred internally though). Don't be afraid though, @pk_iv won't force you or make you work weekends. I actually did it of my own accord and I didn't mind at all as I was able to get way more help (I was stuck on the dev environment) from @pk_iv on the weekends as there were barely any people there.
You will be provided with:
- MacBook Pro M3
- Unlimited Celsius, cold brew drinks, coconut water and sparkling water
- Unlimited snacks (beef jerky, bananas, nuts, goldfish crackers, popcorn)
- Free lunch via DoorDash on Friday
- And last but not least, tons of natural sunlight and beautiful plants that are nurtured and watered by our dedicated PlantLord that comes every week to keep them alive and green.
x.com/pk_iv/status/1…
BottingRocks retweeted
Paul Klein IV@pk_iv·
Developers automated the web. Now everyone can. Announcing Director and our $40M Series 🅱️
BottingRocks@BottingRocks·
I decided that Babel sometimes isn't the right tool for the job when it comes to speed. Here is a deobfuscator I was working on for Akamai's JavaScript: github.com/BottingRocks/A… I'm in the process of switching everything over to tree-sitter for much faster parsing both on the Web (via WASM) and on Node.js (via Node.js bindings).
BottingRocks@BottingRocks·
@scottdhooker Please find me a site currently using it. I want to see their payloads live.
Scott Hooker@scottdhooker·
@BottingRocks Ha, is this the antibot I was querying as to whether they were new or rebranded?
BottingRocks@BottingRocks·
Today, as I was working on a new VM tracer for a super hard antibot, I came across this new anti-bot that I have never seen before. My interests were piqued and I quickly went to their website to see what all the buzz was about. I quickly went to their docs to understand what new technology they were bringing to the table. Then, within 4 minutes, I came across their StrongCaptcha technology. My heart was racing, I couldn't believe my eyes, a new type of Captcha. Did these new incumbents really come up with a novel, sophisticated, out-of-the-box approach to a zero-friction user experience using a Captcha? Within minutes I became a skeptic: how in the world could the big 4 antibots (or should we say top 5) not come up with something this innovative? I then proceeded to load up my coffee mug with another extra coffee serving as I prepared to dig into their telemetry.js file. To my dismay, I discovered that their telemetry.js file wasn't obfuscated, nothing was dynamic. Didn't think much of it as my quest was to find out how their StrongCaptcha worked. Well ladies and gentlemen, with the help of SourceGraph.com and their public code search, I searched for all of their TypeError strings to find any resemblance of open-source code that they might have used. Then within 30 seconds, I hit a match! They are using WebP encryption to encrypt the images through WASM using a public open-source repo from Google: github.com/GoogleChromeLa… My excitement wore off within the next 20 minutes as I quickly realized how their StrongCaptcha actually worked, and the "loophole" they seek to patch by creating this reCaptcha wrapper that in theory should work. Now, usually how 2captcha and other captcha solving services work is that they use your proxy (IP address) and the reCaptcha siteKey to solve the challenges (images) for you.
The way this works is that on their backend they use their own AI and browser farms to click on the correct images, then they send you back the solved token that reCaptcha gives you upon success. Coincidentally, the solving IP will all look fine and dandy when the site administrator checks on the reCaptcha backend for the device IP address that solved the challenge. This is because the captcha solving service used your IP to solve the captcha. What StrongCaptcha is attempting to do is to patch that loophole by becoming the "middleman". Yes, you heard that right, the FUCKING middleman. If you have read up to this point, you might be asking, how in the world does this work? Well, it's quite simple: They, Stytch, will pull the reCaptcha challenge from their end and send you the encrypted images using WebP from their telemetry.js file to the Visitor. The Visitor cannot use the reCaptcha site key and their proxy to send it to a captcha solving service to solve because Stytch will be the one "proxying" the requests from each visitor to reCaptcha. This will mean that the solving device IP will always be Stytch's IP address. So then what happens when you can just decrypt the images they send using WebP on the client (your browser) and then just send the images to a captcha solving service to give you back a grid of the correct images, then submit those answers back "encrypted" to Stytch's StrongCaptcha backend?
BottingRocks@BottingRocks·
Sneakers is dead and I have no intention of working on anything related to ticket scalping, so logically the closest thing to profitable I see that is sustainable is focusing on airlines, or perhaps joining the other team.
BottingRocks@BottingRocks·
Scraping airlines is the new sneaker twitter 2017. It's just getting started, the only difference is that the threat actors all have previous knowledge about antibots.
BottingRocks@BottingRocks·
I was just putting two and two together from what I've seen some close contacts of mine working on antibots were doing (working for companies scraping airlines), and the handful of recent DMs I have been getting asking if I have an Akamai and Kasada bypass for some airlines. Didn't think this tweet was gonna blow up.
𝖊𝖛𝖆𝖉𝖊@encrypted·
Antibot APIs were not free and 99% of the people in sneakers were not writing their own bots or antibot APIs. With an LLM and Puppeteer you can do 90% of what most people want to do for web scraping since antibot is mostly strict on POST requests and there are a lot of resources for browser detection evasion that you can use with an LLM.
BottingRocks@BottingRocks·
ChatGPT, Claude, Cursor etc. are all great at helping newcomers build their first web scraping or bot script using Selenium/Puppeteer/Playwright. However, what happens when they hit a Datadome, Incapsula, or Cloudflare block? What's next: do you roll up your sleeves and learn about antibots, or do you accept that probably web scraping and botting is not as easy as launching a headless Chrome browser and using LLMs to automatically extract content?
𝖊𝖛𝖆𝖉𝖊@encrypted·
It is as easy as launching a headless Chrome browser and using LLMs to automatically extract content. Also, there are many platforms like @browserbase @inducedai @ReworkdAI that make it very easy for newcomers to not have to deal with WAF. This isn't like sneaker bots where you needed to handle scale or optimize for milliseconds in advantage.
BottingRocks@BottingRocks·
Every time I deobfuscate some new script and look at the contents being more than 50% dead code, I ask myself what kind of gas were the developers smoking: was it some Za or some NOS? Dead code does nothing to impede someone from understanding your code, it just adds more bandwidth costs to your visitors and makes your site slower.
BottingRocks@BottingRocks·
Are there any public open-source deobfuscators for Akamai's JS script or do I have to create one? I have been searching for the past few days on GitHub and I can't find anything that can deobfuscate this kind of script: gist.github.com/pinyugi/be9364…
BottingRocks@BottingRocks·
@notsocratese Not at all, I'm actually leaning more towards joining the other side in developing antibot technology.
socrates@notsocratese·
Sneaker reselling & sneaker bot developing 2017-2022
BottingRocks@BottingRocks·
@Truths Both. In the new versions they are using WebAssembly, and I want to learn Rust for AST transformations and to make a faster tracer in Rust.
wa@Truths·
@BottingRocks Are they using WebAssembly now, or are you using Rust to decompile their "instructions"?
BottingRocks@BottingRocks·
Rust + WebAssembly here I come. Thanks ShapeSecurity for helping me make the change!