mgreensmith/BotD

Bot detection library that runs in the browser. Identify JavaScript bots, browser spoofing, virtual machines and much more.

BotD (currently in beta)

# Before

- 40% of your website traffic is from bots
- They're taking over accounts, scraping prices and ruining your website reputation

# After

+ BotD is a browser library for JavaScript bot detection
+ Easily add ability to detect automation tools, browser spoofing and virtual machines
+ Requires adding only 3 lines of JavaScript on your website

🔩 Try Demo - see the live demo running in your browser

BotD runs in the browser; additionally you can harden it by using our open source cloud integrations.

Cloud Integrations ☁️

• CloudFlare - runs in CloudFlare workers for increased accuracy and security.
• Fastly - runs in Fastly Compute@Edge high-performance WASM edge
• Next.js/Vercel^{3rd party} - runs as a Next.js edge middleware

Install from CDN

<script>
    // Initialize an agent at application startup.
    const botdPromise = import('https://openfpcdn.io/botd/v0.1')
        .then( Botd => Botd.load({ publicKey: '<your-public-key>' }))
    // Get the bot detection result when you need it.
    // Result will contain the `requestId` property, that you can securely verify on the server.
    botdPromise
        .then(botd => botd.detect())
        .then(result => console.log(result))
        .catch(error => console.error(error))
</script>

Run this code

Install from NPM to use with Webpack/Rollup/Browserify

npm i @fpjs-incubator/botd-agent
# or
yarn add @fpjs-incubator/botd-agent

import Botd from '@fpjs-incubator/botd-agent';

// Initialize an agent at application startup.
const botdPromise = Botd.load({ publicKey: '<your-public-key>' });

(async () => {
  // Get the bot detection result when you need it.
  // Result will contain the `requestId` property, that you can securely verify on the server.
  const botd = await botdPromise;
  const result = await botd.detect();
  console.log(result);
})();

Run this code

📕 Full documentation

Authentication

You need a pair of keys to use BotD:

• publicKey for making bot detection requests from browser. This key can be used publicly on your websites.
• secretKey for verifying bot detection requests on the server. This key must be kept secret.

Please use the following form on our BotD product page to generate your keys.

Request Limit

The free keys are limited to 3M API calls per month and 10 calls per second while in beta.

Supported detection scenarios

Automation Tools & Frameworks

• Headless Browsers (Chrome, Firefox)
• SeleniumHQ/selenium is an umbrella project encapsulating a variety of tools and libraries enabling web browser automation.
• microsoft/playwright is a Node.js library to automate Chromium, Firefox and WebKit with a single API.
• ariya/phantomjs is a headless WebKit scriptable with JavaScript.
• segmentio/nightmare is a high-level browser automation library.
• electron/electron framework lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
• geb/geb (pronounced “jeb”) is a browser automation solution.
• macbre/phantomas Headless Chromium-based modular web performance metrics collector.
• casperjs/casperjs is a navigation scripting & testing utility for PhantomJS and SlimerJS.
• laurentj/slimerjs is a scriptable browser.

Stealth plugins

• berstend/puppeteer-extra/packages/puppeteer-extra-plugin-stealth a plugin for puppeteer-extra to prevent detection.
• microlinkhq/browserless is an efficient driver for controlling headless browsers built on top of puppeteer developed for scenarios where performance matters.
• ultrafunkamsterdam/undetected-chromedriver Optimized Selenium Chromedriver patch which does not trigger anti-bot services.
• MeiK2333/pyppeteer_stealth is a stealth plugin for pyppeteer

Vulnerability scanners

• beefproject/beef is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
• ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework.
• Netflix-Skunkworks/sleepy-puppy is a cross-site scripting (XSS) payload management framework which simplifies the ability to capture, manage, and track XSS propagation over long periods of time.
• echo-devim/xbackdoor is a tool to take advantage of a persistent XSS vulnerability.

Browser spoofing

Browser spoofing - is a technique that helps users fake that they are using a different browser configuration by changing the browsers features.

The BotD helps to detect the following types of spoofing:

• User Agent spoofing
• Operating System spoofing
• Hardware spoofing
• etc.

VM detection

The BotD helps to detect if the browser is running inside one of the popular virtual machines, like VirtualBox, VmWare, Parallels, Hyper-V, etc.

Search bots

Google Bot, Bing Bot, Baidu Spider, Yahoo Bot, Alexa Bot, Apple Bot, Facebook Bot, Twitter Bot, Pinterest Bot, DuckDuckGo Bot, Coccoc Bot, Yandex Bot, Telegram Bot, Kiwi Status Spider, Naver Spider, Sputnik Bot, Petal Bot, Aspiegel Bot, Seznam Bot, Sogou Bot, DuckDuckGo Bot, Rackspace Bot, Pingdom Bot, WebPageTest.org crawlers, StatusCakeBot, Nutch-based Bot, Genieo Web filter, etc.

Many more tools and configurations are supported

Documentation links:

• Browser API

• Server API

• Error Handling

• FAQ

Contributing

See the contributing guidelines to learn how to start a playground, test, and build.

License

MIT

© 2022 FingerprintJS, Inc