7–9 November 2016: Conference & Tutorials
9–10 November 2016: Training
Amsterdam, The Netherlands

Don't lose performance talking to a bot

Jasvir Nagra (Instart Logic)
14:40–15:20 Tuesday, 8/11/2016
Reimaging DevOps, security, and infrastructure Automation, Security Emerald Room & Lounge Audience level: Intermediate
Average rating: ****.
(4.50, 8 ratings)

Prerequisite knowledge

  • A general understanding of JavaScript (useful but not required)

What you'll learn

  • Understand what makes bots such a serious problem and why it's difficult to detect and block bots
  • Learn statistical methods that identify bots and the more resilient semantic preserving transforms that make it possible to defend against these bots more systematically


Bots pose an interesting challenge for modern web applications. They not only result in increased load on servers but also scrape content, brute force credit card numbers, passwords, and gift cards, and automate the exploit of individual vulnerabilities to turn them into large-scale attacks. The resulting load on servers has a measurable impact on performance.

Traditional methods of applying machine learning and statistical analysis of network traffic, IP blocking, and browser fingerprinting have not scaled well to the growing sophistication of botnets, which use real browsers and browser automation frameworks.

Jasvir Nagra explores the ways in which existing server and client-side bot-detection systems work and where their strengths and weaknesses lie. Jasvir then describes two novel techniques—one which uses signals based on the behavior of web applications and another based on morphing a web application—which together can dramatically reduce both the false positive and false negative rates of bot detection and outlines in detail the kind of HTML, CSS, and JavaScript analysis of a web application and DOM interception necessary in order to virtualize an application such that it can be transformed into a semantically equivalent application that is resilient to bots. Along the way, you’ll learn about several challenges involved in rolling out such a solution in production, some unsolved problems that remain, and some of the ways that botnet operators adapt to being blocked.

Photo of Jasvir Nagra

Jasvir Nagra

Instart Logic

Jasvir Nagra is the product security lead at Instart Logic. Jasvir is an internationally published author, security researcher, and speaker who loves tinkering with, designing, and breaking software security systems. He is the coauthor of Surreptitious Software, a book on obfuscation, software watermarking, and tamper proofing, and the former technical lead for Caja, an open source pure JavaScript sandbox for HTML, CSS, and JavaScript, widely used at companies like Google, MySpace, Yahoo, and Magento. Jasvir’s proudest achievement is building a working tic-tac-toe player from a model railroad.