
Ask HN: Anyone familiar with Namecheap's JavaScript bot detection method? - redbarn
I noticed today that upon my initial visit to the Namecheap.com home page I was prompted with the message:

"We're just verifying you are a real human and not a bot. After a couple of seconds, our site will automatically load and the rest of your visit will be nice and fast. We apologize for the inconvenience."

Further inspection reveals some obfuscated JavaScript along with a base64-encoded .png image.

Anyone familiar with the method being used here and its level of effectiveness?
======
dividuum
That's Cloudflare. Every Cloudflare site has a virtual /cdn-cgi directory:
[https://news.ycombinator.com/cdn-cgi/images/spinner-2013.gif](https://news.ycombinator.com/cdn-cgi/images/spinner-2013.gif)

The obfuscated JavaScript seems to solve a challenge-response riddle that is
then submitted back (to Cloudflare) and confirmed to be correct on Cloudflare's
proxy servers. The obfuscation is probably there to prevent simple DDoS attack
tools from just parsing out the response.

I built something similar to that for a client. When doing DDoS prevention you
have to detect malicious clients. In a simple setup you only have the very
first request and you have to decide whether to allow or deny it. So all you
have are request headers and various metadata (for example geoip, etc.). It's
hard to do that.

What Cloudflare does is to first serve the page you saw if the browser doesn't
provide a cookie that Cloudflare sets (delete all cookies and the Cloudflare
page appears again). Once a legitimate browser sends the response to the
challenge, Cloudflare can set a cookie and then reload the site. During that
second request a legitimate browser now sends Cloudflare's cookie. This can be
used as a powerful signal when deciding whether or not a request is forwarded
to the backend server.
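
The cookie-gated flow described in the post above, as an added Python sketch (not Cloudflare's code, and not something any participant in this thread posted): the proxy serves a signed challenge when no clearance cookie is present, checks the browser's answer, mints an HMAC-signed clearance cookie bound to the client IP and an expiry, and on later requests uses that cookie to decide between forwarding to the backend and re-challenging. The secret, the toy "riddle" (a short hash of the nonce) and the sample IPs are constructed for the example; the real challenge computation is whatever the obfuscated script does.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo secret; a real proxy would load this from configuration.
SECRET = b"constructed-demo-secret-key"
CHALLENGE_MAX_AGE = 60   # seconds a challenge stays answerable
CLEARANCE_TTL = 3600     # seconds a clearance cookie is honoured


def _sign(data: bytes, secret: bytes) -> str:
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def issue_challenge(secret=SECRET, now=None):
    """Step 1: no clearance cookie, so serve the interstitial with a signed
    nonce. The signature lets the proxy verify the answer later without
    keeping per-client state."""
    ts = int(now if now is not None else time.time())
    payload = {"nonce": base64.b16encode(os.urandom(8)).decode(), "ts": ts}
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": _sign(body, secret)}


def solve_challenge(payload):
    """Step 2 (browser side): the riddle the page's script computes. This toy
    version (a short hash of the nonce) stands in for the real, obfuscated one;
    the point is only that plain HTTP clients never run it."""
    return hashlib.sha256(payload["nonce"].encode()).hexdigest()[:8]


def issue_clearance(client_ip, secret=SECRET, now=None):
    """Step 3: mint the clearance cookie, bound to client IP and an expiry so a
    copied cookie is useless from another address or after the TTL."""
    exp = int(now if now is not None else time.time()) + CLEARANCE_TTL
    return f"{exp}.{_sign(f'{exp}|{client_ip}'.encode(), secret)}"


def verify_answer(challenge, answer, client_ip, secret=SECRET, now=None):
    """Step 2 (proxy side): the challenge must be ours, fresh, and solved.
    Returns a clearance cookie value, or None when the answer is rejected."""
    ts_now = int(now if now is not None else time.time())
    payload = challenge["payload"]
    body = json.dumps(payload, sort_keys=True).encode()
    if not hmac.compare_digest(_sign(body, secret), challenge["sig"]):
        return None  # forged or tampered challenge
    if ts_now - payload["ts"] > CHALLENGE_MAX_AGE:
        return None  # stale challenge being replayed
    if not hmac.compare_digest(solve_challenge(payload), answer):
        return None  # wrong answer
    return issue_clearance(client_ip, secret, ts_now)


def decide(client_ip, cookie, secret=SECRET, now=None):
    """Per-request decision on the second and later requests:
    'forward' to the backend, or 'challenge' the client again."""
    ts_now = int(now if now is not None else time.time())
    if not cookie or "." not in cookie:
        return "challenge"
    exp_str, sig = cookie.split(".", 1)
    if not exp_str.isdigit() or int(exp_str) < ts_now:
        return "challenge"  # missing or expired
    expected = _sign(f"{exp_str}|{client_ip}".encode(), secret)
    if not hmac.compare_digest(expected, sig):
        return "challenge"  # forged, or presented from a different IP
    return "forward"


if __name__ == "__main__":
    ip = "203.0.113.5"  # constructed sample address
    print("first request:", decide(ip, None))                   # challenge
    ch = issue_challenge()
    cookie = verify_answer(ch, solve_challenge(ch["payload"]), ip)
    print("second request:", decide(ip, cookie))                # forward
    print("same cookie, other IP:", decide("203.0.113.6", cookie))  # challenge
```

Using a fixed clock in the tests makes the expiry and freshness paths deterministic; in production the clearance check is the cheap path, so the proxy only pays for challenge verification once per client rather than on every request.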

------
joshmn
From first look (I just got it too, oddly enough), they have a
spinner-2013.gif: [http://www.namecheap.com/cdn-cgi/images/spinner-2013.gif](http://www.namecheap.com/cdn-cgi/images/spinner-2013.gif)

Type that into the Goog:
[https://www.google.com/search?q="spinner-2013.gif"&oq="spinn...](https://www.google.com/search?q="spinner-2013.gif"&oq="spinner-2013.gif")

Might be a good start.

~~~
mdisraeli
The Google results start with things like VirusTotal, which has several
scanners which declare the gif as being a malicious site.

The gif itself is almost certainly not malicious. There are probably two things
happening here. Firstly, the hosting domain of the gif scanned could be known
to be malicious. And secondly and more generally, Cloudflare is heavily used
by the criminal scene, so to play safe a number of scanners may flag any
Cloudflare element as malicious.

~~~
joshmn
Oh I wasn't implying that the gif was malicious. I was just saying that
whatever script they're using for this is widely-used.

~~~
mdisraeli
I thought that was probably what you were doing, and it's a good check - one
of the ones I tend to do myself when investigating strange things!

Just thought I'd add for other readers some security industry commentary :)