The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Browsers are powerful computer program applications that may request and execute instructions received from a web server to generate complex user interfaces that are presented to a user through one or more devices, such as a monitor or speakers. In response to input from a user, such as a mouse click indicating that the user selected a link, a browser may send a request based on the selected link to the web server. The request may be a request for data and/or include data to be processed by the web server.
A malicious user may use software, often referred to as a “bot”, which imitates a browser by receiving instructions from a web server and generating requests based on those instructions. For example, a bot may receive a web page and generate a request based on a link defined in the web page, as if the link had been selected by a user. As another example, a bot may generate and send a request with data assigned to one or more parameters to simulate a user submitting data to a web server through a browser.
Malicious users may use bots to commit many types of unauthorized acts, crimes or computer fraud, such as content scraping, ratings manipulation, fake account creation, reserving rival goods attacks, ballot stuffing attacks, password snooping, web site scraping attacks, vulnerability assessments, and stack fingerprinting attacks. As a specific example, a malicious user may cause a bot to traverse through pages of a web site and collect private and/or proprietary data, such as who is connected with whom on a particular social networking web site.
Web server administrators may wish to prevent malicious users from attacking the site while allowing legitimate users to use the site as intended. However, determining whether a given request was generated by a legitimate user using a web browser or by a malicious user using a bot may be difficult.
Many presently implemented websites are vulnerable to attacks carried out by browser-automation tools and the scripts written for them, such as Selenium, Sikuli and PhantomJS, in part because the HTML source code is readable by any browser user who invokes the VIEW SOURCE or INSPECT ELEMENT commands of the browser. Adversaries can write brief scripts which, when executed on an end user computer using the browser, can locate static HTML elements such as form fields and embedded URLs by their fixed names and identifiers and use them to launch sophisticated attacks. Because these malicious scripts drive a real browser or browser engine, they generate protocol-compliant network traffic that appears legitimate to most existing security products, including firewalls, intrusion prevention systems, and web application firewalls. Differentiating malicious scripts from legitimate human users is difficult.
One approach to computer security introduces static real-time polymorphism to web pages by transforming HTML form field attributes, such as field names and identifiers, into randomized string values. A “botwall” implementing this technique changes the form field name and ID on each client access to the same web page, and maps the randomized values back to the original names when the form is submitted. This approach is effective at defeating malicious scripts that rely on hard-coded, static form field attributes. However, because the form field transformation does not change once the web content is delivered to the browser—that is, the polymorphism here is static—a script that reads the delivered page rather than relying on fixed names can still locate the fields, and with a sufficient amount of reverse engineering effort, malicious users may be able to understand how the polymorphism was implemented and evade it.