Kasada Bot Mitigation: An Overview and its Implications

What is Kasada and how it works?

5488ca97 432d 4ae6 990c
Kasada Bot Mitigation: An Overview and its Implications 5

Kasada is one of the newest players in the anti-bot solutions market and has some peculiar features that make it different.

You cannot identify a Kasada-protected website from Wappalyzer (probably the userbase is not so wide) but the typical behavior when browsing them is the following.

Network Tab of a Kasada website
Kasada Bot Mitigation: An Overview and its Implications 6

First of all, Kasada doesn’t throw any challenge in form of Captchas but the very first request to the website returns a 429 error. If this challenge is solved correctly, then the page reloads and you are redirected to the original website.

This is basically what they call on their website the Zero-Trust philosophy.

Kasada assumes all requests are guilty until proven innocent by inspecting traffic for automation with a process that’s invisible to humans.

And again

Automated threats are detected on the first request, without ever letting requests into your infrastructure, including new bots never seen before.  

To bypass these anti-bots there are usually two ways:

  • reverse engineering the JS challenges, deobfuscating the code

  • make our scrapers indistinguishable from humans browsing the web

Since the first option, while it’s great for understanding what’s happening under the hood, it’s time-consuming and does work only until the code is not changed, and always from their website, it seems that this happens frequently.

Kasada is always changing to maximize difficulty and enable long-term efficacy.

Our own proprietary interpretive language runs within the browser to deter attackers from deciphering client-side code. Resilient obfuscation levels the playing field by shifting the skillset from easy to reverse engineer JS to our own polymorphic method.

Obfuscated code and the detection logic within are randomized and change dynamically to nullify prior learnings. All communications between the client and Kasada are encrypted

To understand better how it works, here’s a promotional video of Kasada with a live demo.

But given all this information, how can we bypass Kasada Bot mitigation?

This post is written by Pierluigi Vinciguerra (pier@thewebscraping.club)

If you liked this post and want to want to receive in your inbox a weekly article about web scraping, please consider subscribing to The Web Scraping Club for free.

Liked the article? Subscribe for free to The Web Scraping Club to receive twice a week a new one in your inbox.