How Sneaker Bots Work Part 1

What Are Bots?

Have you ever tried to purchase sneakers, clothes, maybe PlayStation 5s and the website said they sold out in seconds? You were probably in shock as to how that could even happen. Well, you were most likely competing in the same checkout process as bots that are specifically designed to be faster than you.

Sneaker bots are software applications that use either automated browsers or API requests to purchase products from online stores faster than humans can. They can be built using a variety of programming languages such as Golang, C#, Python, and JavaScript to name a few.

How Do They Work?

To explain how bots work, you first need to understand how websites are built. Websites have a frontend and backend; what you can see and the stuff that happens behind the scenes. As a customer, you interact with the frontend when you shop around, click on products, etc. However, the backend is what allows you to login, add items to your cart and come back to them, or submit your checkout after entering credit card information. Bots interact with the backend instead of the frontend, which is why they can be faster than humans. They don't need to load images, CSS, or JavaScript, they just need to send the right requests to the server.

HTTP Requests

To communicate with their backend, websites use HTTP requests. If you open devtools on a store like Nike, you can see the thousands of requests the website makes to their servers to load images, information about sneakers, etc.

Bots use these same requests to automate the checkout process. They send requests to the store's server to add items to their cart and eventually checkout. For example, if a bot wants to add to cart sneakers on Nike, it replicates the same request that Nike's website makes when you click the "Add to Cart" button.

You may be wondering how you can actually do this with code. Certain languages like Python and Javascript have libraries called request clients that allow you to send HTTP requests. Popular ones include Axios for Javascript and Requests for Python.

Seems simple enough. Just find what requests you want to make, write code using a request library, and you made your first bot. Unfortunately, it's not that easy. 99% of the time, websites don't want people botting their products and have measures in place to attempt to stop them. Websites, like Nike, use antibots to detect bots making malicious requests and block them. They also serve to stop cases of fraud, DDoS attacks, and other malicious activity. However, despite the efforts of these sites, bots are often able to bypass these measures.

Antibots

Antibots are a set of measures that websites use to detect and block bots. They can be client side JavaScript files that run in your browser and send information about your browser back to the server, or server side scripts that analyze the requests you make to the server. But how do bots bypass these measures?

Different antibots work in different ways, so bots use different methods to bypass them. For instance, a very popular antibot now is Akamai. Major sites across the internet use Akamai to protect their servers. Akamai uses a client side script that checks your browser's properties, mouse movement or keyboard input, and then sends that information back to their server where they check its validity to decide if you are a bot or not. The server then sends back a cookie that is checked on protected endpoints, such as when you add to cart or checkout. If the cookie is not present or invalid, the request is blocked.

Bots replicate this process in their own code just like the browser would. A developer looks at how the client side script sends HTTP requests to the antibot's server and replicates it in their bot to get a valid cookie. Sounds simple enough...until you look at what a client side antibot script looks like.

Looks like a bunch of nonsense, which is because the code is obfuscated. Humans can't easily read the code and understand what it's doing. Therefore, bot developers use reverse engineering to try to understand what is going on in the script. Tools like deobfuscators, debuggers, and disassemblers are used to understand the code and replicate it in their bot.

Deobfuscators

Most antibot deobfuscators use a mixture of static and dynamic analysis to deobfuscate code. A very popular method now is to use JavaScript parsers, such as Babel's parser or Esprima, which parse the code into an abstract syntax tree (AST).

For example, if the same script as above is turned into an AST, it would look like this:

Still seems confusing, but it's a lot easier to understand the overall structure of the code in this form than the obfuscated code. Popular obfuscation techniques like control flow flattening, string encoding, and variable renaming are all used to make the code harder to read. However, deobfuscators use the AST to perform transformations on the code to find patterns and extract important parts of the antibot.

For example, a "deobfuscator" could look something like this. The linked code is a deobfuscator I wrote to bypass an antibot that used to be on Supreme's (street clothing brand) web store. I would input the obfuscated antibot script into my deobfuscator, and it would output a key that I could use in my bot to generate valid cookies. However, all antibots are different and require different methods to bypass them.

Conclusion

This blog was a very simple introduction to how sneaker bots actually work. A TLDR is that bots send HTTP requests to the backend of websites to automate the checkout process. Websites use antibots to detect and block bots, but bots use reverse engineering to bypass them. However, there is a whole rabbit hole of information about bots that I didn't cover in this blog. Topic ranging from how bots sometimes require custom request clients to bypass request fingerprinting, how to scale a bot to be able to run thousands of requests a second, or how to use machine learning to bypass captchas. I hope to cover these topics in future blogs.

Anyways, thanks for reading ❤️

- Nate

How Sneaker Bots Work Part 2 - How Are Bots Scaled?