I assume it’s a bit too late for this post given that some of the more popular sites for “terms of service violations” have changed to Datadome and will probably keep it that way. Oh well, better late than never…
I see a lot of questions about, how to start looking at antibot, how to use requests to gen cookies, etc. Some people have never looked at Akamai (or any antibot script) in their life so they have no clue where to start. That’s okay, I’ll explain the basics.
The Concept
The basic concept of Akamai antibot is actually pretty simple. They collect some information from your browser, it’s formatted, and then sent to Akamai’s super fancy neural network to judge whether you are a bot or not. If your data is good enough, then it will hand you a valid cookie so you can continue on your way cooking, or destroying, or whatever words you want to advertise your bots with.
Maybe this helps visualize it a little more...
The Script
Okay I’m sorry, I lied, Akamai isn’t that easy. Let's make sure it becomes easy and get to some of the specifics. The antibot script is client side JS and we should be able to get to it relatively easily. So look through the sources tab in devtools on an Akamai protected site and do some looking around in files. If you find a JS file with the word bmak somewhere in it, good chance you found the collector script. Congrats!
You too can look like a hackerman, press F12
By now If you haven’t looked at what you just found, it looks like garbage no? What the hell are all these arrays! No worries, this is why premade de-obfuscators exist for lazy people like you and me. Here is one really popular JS deobfuscator everyone uses for this script. Okay, now what? Copy, paste, put the deobfuscator on array mode, and now you can without those annoying arrays bothering you. Look at all those functions wow!
Deobfuscators are cool I think
Arguably one of the most important parts of the akamai script is the bpd function or bmak.bpd(). This is the most important function in this script, or if you disagree, at least the one we care about a lot. I’ll show you why.
Go to some site that has Akamai protection, try not to move your mouse, and type bmak.sensor_data into the devtools console. Cool, a bunch of random junk we don’t care about yet. Now move your mouse around all over the page, go crazy, put your mouse on a treadmill for all I care. Now that that’s taken care of, call bpd by typing into the console bmak.bpd() and then show the sensor data again with another go at bmak.sensor_data. Okay, still spits out junk you can’t understand yet. However, it should have been different junk than what was initially given to you. Cool how we can make sensor data no?
Practicing our bpd skills
Keep in mind this is still relatively far from how difficult Akamai can get, but now you know the basics, not impossible right? I really want to talk about this topic more next post and explain some more of the finer details in the script, along with different ways to go about generating cookies.
If you need something to hold you over until then, I have a github repo that has an admittedly terrible way to generate Akamai cookies. It uses the terrible duo of Puppeteer and Ghost-Cursor but still shows off some of the basic concepts I talked about here. It also has a bit of a PDF that explains in a simpler manner and maybe has some pointers. See you for part II.
-XVI