Imperva Cyber Community

Multiple Advanced Bot Protection domains and clearing captcha


    Imperva Employee
    Posted 12-02-2020 14:43
    It is important to understand how your implementation of the Advanced Bot Protection can impact user workflow. For this brief post, I will go over how distinct domains can interact with each other.

    Assumptions.

    • Within Website Group Foo, I have the domain foo.badbotjail.com and it uses encryption key ABC.
    • Within Website Group Bar, I have the domain bar.badbotjail.com and it is also configured to use encryption key ABC.
    • Both domains have the reese84 cookie scoped to badbotjail.com.
    • Both website groups use the same policy, which will captcha bad user agents but allow a cleared captcha to navigate the domain.

    User workflow.

    As a user, I start on foo.badbotjail.com and have a bad user-agent so I receive a captcha. I clear the captcha successfully at foo.badbotjail.com. I then navigate to bar.badbotjail.com with the same bad user-agent.

    What happens next?

    The expected behavior is that I will not receive a captcha when visiting bar.badbotjail.com. This is because the state of the captcha solve is keyed on the token as part of the reese84 cookie. If the encryption keys were different for the domains, then I should receive a captcha when going through the same workflow.
    #AdvancedBotProtection

    ------------------------------
    Brooks Cunningham
    ------------------------------
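The workflow above, as an added example that is not part of the original post or of Imperva's implementation: a simplified model in which the reese84 cookie carries a token bound to the website group's key (an HMAC stands in for the real encryption), the captcha-solve state is a table keyed on that token, and the browser only sends the cookie to hosts matched by its Domain attribute. Website group names, keys and the `simulate` helper are assumptions for illustration.

```python
import hmac
import hashlib
import secrets

# Simplified model (not Imperva's implementation): the reese84 cookie carries a
# token authenticated with the website group's key, and the captcha-solve state
# lives in a shared table keyed on that token.
CLEARED_TOKENS = set()

def cookie_domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain match: host equals the cookie domain or is a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def issue_token(key: bytes) -> str:
    """Token bound to the issuing group's key; HMAC stands in for the real encryption."""
    token_id = secrets.token_hex(8)
    return token_id + "|" + hmac.new(key, token_id.encode(), hashlib.sha256).hexdigest()

def token_id_if_valid(key: bytes, token: str):
    """Return the token id if the token verifies under this group's key, else None."""
    token_id, _, tag = token.partition("|")
    expected = hmac.new(key, token_id.encode(), hashlib.sha256).hexdigest()
    return token_id if hmac.compare_digest(expected, tag) else None

def needs_captcha(host: str, key: bytes, jar: dict, bad_user_agent: bool) -> bool:
    """Policy from the post: captcha bad user agents unless a cleared token is presented."""
    if not bad_user_agent:
        return False
    for cookie_domain, token in jar.items():  # jar maps cookie Domain attribute -> reese84 value
        if not cookie_domain_matches(cookie_domain, host):
            continue  # the browser would not send this cookie to host
        token_id = token_id_if_valid(key, token)
        if token_id is not None and token_id in CLEARED_TOKENS:
            return False
    return True

def simulate(foo_key: bytes, bar_key: bytes, cookie_scope: str = "badbotjail.com") -> bool:
    """Run the post's workflow; return whether bar.badbotjail.com shows a captcha."""
    jar = {}
    assert needs_captcha("foo.badbotjail.com", foo_key, jar, bad_user_agent=True)
    token = issue_token(foo_key)               # foo sets reese84, scoped to cookie_scope
    jar[cookie_scope] = token
    CLEARED_TOKENS.add(token.split("|")[0])    # the user solves the captcha at foo
    return needs_captcha("bar.badbotjail.com", bar_key, jar, bad_user_agent=True)
```

With matching keys and a cookie scoped to badbotjail.com, `simulate` returns False (no second captcha); with different keys, or a cookie scoped only to foo.badbotjail.com, it returns True.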