ShieldSquare is now Radware Bot Manager

How JavaScript Injection Helps In Building A Comprehensive Bot Detection Solution for Web Applications

August 22, 2018 | All Automated Threats Bot Prevention Technologies

In recent years, the catastrophic advent of malicious bots and botnets has made advanced bot mitigation and management solutions a necessity for online businesses, not an option. Sophisticated bots are now capable of mutating their behavior and shifting through thousands of IP addresses. They are programmed to find loopholes in application security and exploit flaws to infiltrate your internet properties. Effective bot defense gives security, marketing, and fraud detection teams the crucial data points they need to act against automated traffic. Online businesses rely on bot mitigation and management solutions to eradicate automated attacks by sophisticated bots. There are two types of detection approaches: one based on server-side integration, and the other on a combination of server-side and client-side JavaScript tag-based integration.

Bot defense with only server-side integration

Server-side integration options depend on parameters such as payload and HTTP headers to detect automated activity. After deployment of a bot mitigation solution, the server makes API calls to bot detection servers for every HTTP request. The only limitation that server-side detection technologies have is that they can’t collect client-side data points. Such data are helpful in identifying sophisticated non-human behavior that is difficult to detect using server-side bot detection solutions. The next section takes a closer look at how data collected from client-side integration helps in detecting sophisticated non-human traffic.

Bot defense with a combination of server-side and JavaScript integration

JS tag-based defenses are easy to integrate into web pages through server plugins, so no additional integration is needed if server-side integration is already in place. JS tags can also be managed directly using a tag manager without requiring help from a developer. JavaScript-based solutions collect client-side parameters to identify anomalies in user behavior, collect fingerprints, and filter bad bots. For example, ShieldSquare’s JS tag integration collects over 250 parameters including events like page scroll, touch, button clicks, mouse movements, keystrokes, sensor data, and URL traversal. On websites with a CDN, only a portion of the requests reach the origin servers, thereby limiting the amount of data which can be collected from the server side alone. Data can be easily collected through JS in these cases.
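The kind of client-side collection described above, as an added example (not ShieldSquare's tag or code from the original post): a small collector that buffers behavioral events and reduces them to summary features a detection backend could weigh. The class name, the two features and the sample sessions are assumptions made for illustration.

```javascript
// Added illustration: names and features are assumptions, not ShieldSquare's tag.
class BehaviorCollector {
  constructor() { this.moves = []; this.keys = []; this.counts = {}; }
  // Accepts DOM-like events: { type, timeStamp, clientX, clientY }.
  record(ev) {
    this.counts[ev.type] = (this.counts[ev.type] || 0) + 1;
    if (ev.type === 'mousemove') this.moves.push([ev.clientX, ev.clientY]);
    if (ev.type === 'keydown') this.keys.push(ev.timeStamp);
  }
  // Browser wiring (not exercised when the block runs under Node).
  attach(target) {
    for (const t of ['mousemove', 'keydown', 'scroll', 'click', 'touchstart'])
      target.addEventListener(t, (e) => this.record(e), { passive: true });
  }
  // Straight-line distance / travelled path; 1.0 is a perfectly straight pointer path.
  pathStraightness() {
    const m = this.moves;
    if (m.length < 3) return null;
    let path = 0;
    for (let i = 1; i < m.length; i++)
      path += Math.hypot(m[i][0] - m[i - 1][0], m[i][1] - m[i - 1][1]);
    const end = m[m.length - 1];
    return path === 0 ? null : Math.hypot(end[0] - m[0][0], end[1] - m[0][1]) / path;
  }
  // Standard deviation (ms) of gaps between keystrokes; 0 is perfectly uniform typing.
  keyIntervalStdDev() {
    if (this.keys.length < 3) return null;
    const gaps = this.keys.slice(1).map((t, i) => t - this.keys[i]);
    const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
    return Math.sqrt(gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length);
  }
  summary() {
    return { counts: { ...this.counts }, straightness: this.pathStraightness(),
             keyStdDev: this.keyIntervalStdDev() };
  }
}

// Constructed sample sessions (not real traffic).
const ev = (type, timeStamp, clientX = 0, clientY = 0) => ({ type, timeStamp, clientX, clientY });
const uniform = [0, 1, 2, 3].flatMap((i) => [ev('mousemove', i * 50, i * 10, i * 10), ev('keydown', i * 100)]);
const irregular = [ev('mousemove', 0, 0, 0), ev('mousemove', 40, 10, 0), ev('mousemove', 95, 10, 10),
  ev('mousemove', 180, 0, 10), ev('keydown', 0), ev('keydown', 120), ev('keydown', 200), ev('keydown', 410)];

function replay(events) {
  const c = new BehaviorCollector();
  for (const e of events) c.record(e);
  return c.summary();
}
```

Neither feature is a verdict on its own; in the combined model the post describes, summaries like these would be sent alongside the server-side request data.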

The latest breed of deep learning based bot detection systems, like ShieldSquare’s IDBA technology, can process a diverse range of signals (like server and client-side parameters) and perform bot detection with higher accuracy. It is widely known in the machine learning space that richer data/signals help improve a machine learning model’s accuracy. JS/SDK combined with server-side integration gives a superset of data compared to server-only integration. Thus, the JS tag complements server-side bot defense to improve accuracy and adaptability in stopping evolving bot attacks. This also helps JavaScript-based solutions backed by server-side detection technologies to accurately detect attacks where bots are assisted by humans to bypass reCAPTCHA-like defenses.

Furthermore, bots identified through JS/SDK can be studied further and their latent server-side patterns can be derived. Such patterns augment server-side-only detection, where JS integration is not possible. Fraudsters, who are incentivized to attack your property, can change the bots as soon as they get blocked at the server side. For example, they can change the HTTP headers of their bots several times per day. Deep learning-based detection engines which use a rich combination of device, browser, and user behavior-related data can detect such mutations early.
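One way to surface the header mutation described above, as an added example (not ShieldSquare's method or code from the original post): group server-side request records by a client-side fingerprint and flag fingerprints that present many distinct header sets within a time window. The record fields, the `fingerprint` value (assumed to be a stable identifier produced by the JS tag), the lowercased header names and the threshold are all assumptions.

```javascript
// Added illustration: record shape, header list and thresholds are assumptions.
function headerSignature(headers) {
  // Signature over a fixed set of client-identifying headers (names assumed lowercased).
  const keys = ['user-agent', 'accept', 'accept-language', 'accept-encoding'];
  return keys.map((k) => `${k}=${(headers[k] || '').trim().toLowerCase()}`).join('|');
}

function findHeaderMutation(requests, { windowMs = 24 * 3600 * 1000, maxSignatures = 3 } = {}) {
  // Bucket requests by the fingerprint collected on the client side.
  const byFp = new Map();
  for (const r of requests) {
    if (!byFp.has(r.fingerprint)) byFp.set(r.fingerprint, []);
    byFp.get(r.fingerprint).push({ ts: r.ts, sig: headerSignature(r.headers) });
  }
  const flagged = [];
  for (const [fingerprint, rows] of byFp) {
    rows.sort((a, b) => a.ts - b.ts);
    // Sliding window: largest number of distinct signatures seen in any windowMs span.
    let start = 0;
    let worst = 0;
    for (let end = 0; end < rows.length; end++) {
      while (rows[end].ts - rows[start].ts > windowMs) start++;
      const distinct = new Set(rows.slice(start, end + 1).map((x) => x.sig)).size;
      worst = Math.max(worst, distinct);
    }
    if (worst > maxSignatures) flagged.push({ fingerprint, distinctSignatures: worst });
  }
  return flagged;
}

// Constructed sample log (not real traffic): fp-a rotates User-Agent, fp-b does not.
const HOUR = 3600 * 1000;
const sampleRequests = [
  ...[1, 2, 3, 4, 5].map((n) => ({ fingerprint: 'fp-a', ts: n * HOUR,
    headers: { 'user-agent': `ExampleBrowser/${n}.0`, accept: '*/*' } })),
  ...[1, 2, 3, 4].map((n) => ({ fingerprint: 'fp-b', ts: n * HOUR,
    headers: { 'user-agent': 'ExampleBrowser/9.0', accept: 'text/html' } })),
];
```

Calling `findHeaderMutation(sampleRequests)` flags only `fp-a`, because the client-side identifier stays constant while the server-side headers keep changing.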

Evidently, server-side and JS-side data collection help in both fraud detection (historical analysis) and security (proactive mitigation). This multi-pronged approach strengthens visitor tracking capabilities at both origin and edge levels. JavaScript-based solutions backed by server-side detection technologies are more accurate, adaptive, and can even detect mutations and captcha-solving bots.

Scorecard of detection approaches


Server-side detection

Combination of Server-side and JS tag (e.g. ShieldSquare)

Real-time Data Collection and Analysis

  • Collects payload and HTTP requests
  • Collect hundreds of additional parameters from the end user’s browser and device
  • Data streams are sent back to the ML models to dynamically improve algorithms

No Impact On Genuine User Experience — False Positives

Accuracy of Detection — False Negatives
