DEV Community

Web Scraping Community

Originally published at webscraping.wiki

How to bypass Akamai

Find out more about anti-bots on webscraping.wiki:
How to bypass Akamai and Discord

Akamai is renowned for its advanced anti-bot and anti-scraping solutions, widely adopted by major websites like Nike.com. The effectiveness of Akamai lies in its sophisticated approach that combines traditional fingerprinting techniques with behavioral analysis. This analysis involves tracking the JavaScript events that are triggered during a user's interaction with the website.

Recognizing Akamai

To identify Akamai's presence on a website, look for these characteristics:

  1. Endpoint Structure: Akamai typically operates without external servers, sending data to an endpoint on the website's domain. These endpoints are characterized by long, random character paths that change with every new page load. Each endpoint typically ends with a seven-character string, comprising a mix of random lowercase and uppercase letters. Example from Nike.com:
https://www.nike.com/-V9sK5EuHw5zf/s5azPS0VO0/SGj4/3z9ifbmQLb/M0lvcEBEAQ/a0tSI/UgeeikB
  2. Sensor Data: Akamai sends a key JSON payload named sensor_data to these endpoints. This data is encoded or encrypted using a proprietary algorithm, making it distinct and recognizable. Example payload from Nike.com:
{"sensor_data":"2;4337974;4473908;15,0,0,0,2,0;E9_ 4*o9=r]a0cpl4wxD!z/b4xhdXjOQD4`,=D{bOJjj4:Ob&oj?(6D UK8,-@2;{*U1@Y2jjl+*Uu8=cbeB#HC$]^HeXmd%sZFm5K3rwzDK{=iw;HV}d;J+hn]wr43Y6F}[Q,TF&~?v*V3:q~+jbv7&jh])6JT^wcQF](wf|vPkOrG_(3QG>],jMSj/!Na*w>rh3]WAcv8YMnC) IJJBZKF8E9iPXh2)gmsEmv`@QSY?d:%0KgTC&R9Bj3ZqGX7>=9f2rjbf=X>.SExZq45>i1FGWkIf-Cl8]BL2ffk2g1l_8%aG^=5: Q[ct?Y*m(f%MFU}hlxNq[68ejD&W~27%jru9N5[>bJ[5;B~f|~i!sU^54s_0g}$w[_fDt<*R-v3by%gUu#d1w`Q52K2Y=`z[KevKiU*#X8X9HWG2hnUd`{q`jR[%q$M@$Si;l^.{iR$Sx&(~-W;z}l%q)lpP6Q}pd(E/RF+}dO8n,@M.n5|MhZgk}euOJqC5=^..."}
  3. Cookies: Akamai sets the following cookies in the client browser:
_abck
ak_bmsc
bm_mi
bm_sz
bm_sv
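
The three indicators above can be checked mechanically when reviewing captured traffic, for example to inventory which sites behind a proxy run this protection. The following is an added example, not code from the original post or from Akamai; the exchange format, `shop.example`, and the "two or more cookies" threshold are assumptions.

```javascript
// Added example (not from the original post): flag the indicators the article
// lists in captured HTTP exchanges, e.g. entries exported from a proxy log.
const AKAMAI_COOKIES = ["_abck", "ak_bmsc", "bm_mi", "bm_sz", "bm_sv"];

// Cookie names taken from raw Set-Cookie header values.
function cookieNames(setCookieHeaders) {
  return setCookieHeaders.map((h) => h.split(";")[0].split("=")[0].trim());
}

// True when the body is JSON whose "sensor_data" member is a string.
function hasSensorData(body) {
  try {
    const parsed = JSON.parse(body);
    return parsed !== null && typeof parsed.sensor_data === "string";
  } catch (err) {
    return false; // not JSON at all
  }
}

// Heuristic based on the article's single example: several path segments, the
// last one exactly seven ASCII letters. Weak on its own, so it is only counted.
function looksLikeSensorPath(pathname) {
  const segments = pathname.split("/").filter(Boolean);
  return segments.length >= 3 && /^[A-Za-z]{7}$/.test(segments[segments.length - 1]);
}

function findAkamaiIndicators(pageOrigin, exchanges) {
  const cookies = new Set();
  const sensorPosts = [];
  let pathMatches = 0;
  for (const ex of exchanges) {
    const url = new URL(ex.url);
    for (const name of cookieNames(ex.setCookie || [])) {
      if (AKAMAI_COOKIES.includes(name)) cookies.add(name);
    }
    // A first-party POST carrying sensor_data is the strongest indicator.
    if (ex.method === "POST" && url.origin === pageOrigin && hasSensorData(ex.body || "")) {
      sensorPosts.push(url.pathname);
      if (looksLikeSensorPath(url.pathname)) pathMatches += 1;
    }
  }
  // Assumed threshold: a sensor POST, or at least two of the known cookies.
  const likelyAkamai = sensorPosts.length > 0 || cookies.size >= 2;
  return { cookies: [...cookies].sort(), sensorPosts, pathMatches, likelyAkamai };
}

// Constructed sample capture (hosts and values are made up).
const SAMPLE = [
  { method: "GET", url: "https://shop.example/", setCookie: ["_abck=AAAA~-1~; Path=/; Secure", "bm_sz=BBBB; Path=/"] },
  { method: "POST", url: "https://shop.example/aB3dE/f9Gh1/Jk2Lm/QrStUvW", body: '{"sensor_data":"2;0;0;constructed"}' },
  { method: "POST", url: "https://metrics.example/collect", body: '{"event":"pageview"}' },
];
```
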

Akamai's Device Fingerprinting

Akamai extensively uses techniques like Canvas Fingerprinting and WebGL fingerprinting to identify user devices. This is achieved using JavaScript, as the two scripts below illustrate: the first covers canvas, the second WebGL. These scripts create a unique identifier for each device based on how it renders certain elements.

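// Canvas fingerprint (excerpt). t (the text to draw), e and a (the result
// object) are defined by the enclosing function, which is not shown here.
var n = document.createElement("canvas");
if (n.width = 280, n.height = 60, n.style.display = "none", "function" == typeof n.getContext) {
  // Draw a fixed scene: filled rectangle, text and an arc.
  var o = n.getContext("2d");
  o.fillStyle = "rgb(102, 204, 0)",
    o.fillRect(100, 5, 80, 50),
    o.fillStyle = "#f60",
    o.font = "16pt Arial",
    o.fillText(t, 10, 40),
    o.strokeStyle = "rgb(120, 186, 176)",
    o.arc(80, 10, 20, 0, Math.PI, !1),
    o.stroke();
  // Hash the rendered image: e = 31 * e + charCode, kept to a signed 32-bit integer.
  var m = n.toDataURL();
  e = 0;
  for (var r = 0; r < m.length; r++) {
    e = (e << 5) - e + m.charCodeAt(r),
    e &= e
  }
  e = e.toString();
  // Second, 16x16 canvas: render a random number (0-999) and hash it the same way.
  var i = document.createElement("canvas");
  i.width = 16,
    i.height = 16;
  var c = i.getContext("2d");
  c.font = "6pt Arial",
    a.rVal = Math.floor(1e3 * Math.random()).toString(),
    c.fillText(a.rVal, 1, 12);
  for (var b = i.toDataURL(), d = 0, s = 0; s < b.length; s++) {
    d = (d << 5) - d + b.charCodeAt(s),
      d &= d
  }
  // The random value (rVal) and the hash of its rendering (rCFP) are stored together.
  a.rCFP = d.toString()
}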
// WebGL fingerprint (excerpt). wv = vendor, wr = renderer, weh = value derived
// from the sorted extension list via bmak.mn_s and bmak.ats (not shown),
// wl = number of extensions.
// Marker values: "n" = no WebGL context, "b" = context present but value not read,
// "e" = an exception was thrown.
try {
  var t = document.createElement("canvas"),
    a = t.getContext("webgl");
  bmak.wv = "n",
    bmak.wr = "n",
    bmak.weh = "n",
    bmak.wl = 0,
    a && (bmak.wv = "b",
      bmak.wr = "b",
      bmak.weh = "b",
      a.getSupportedExtensions() && (bmak.weh = bmak.ats(bmak.mn_s(JSON.stringify(a.getSupportedExtensions().sort()))),
        bmak.wl = a.getSupportedExtensions().length,
        a.getSupportedExtensions().indexOf("WEBGL_debug_renderer_info") >= 0 && (bmak.wv = a.getParameter(a.getExtension("WEBGL_debug_renderer_info").UNMASKED_VENDOR_WEBGL),
          bmak.wr = a.getParameter(a.getExtension("WEBGL_debug_renderer_info").UNMASKED_RENDERER_WEBGL))))
} catch (t) {
  bmak.wv = "e",
    bmak.wr = "e",
    bmak.weh = "e",
    bmak.wl = 0
}

Akamai Behavioral Analysis

In its highest security settings, Akamai can capture multiple sensor_data payloads per minute. This includes recording various user interactions like mouse movements, clicks, touch events, and keyboard inputs. The system also tracks the positions of these events on the page.

Here are the events it listens for:

  • touchmove
  • touchstart
  • touchend
  • touchcancel
  • mousemove
  • click
  • mousedown
  • mouseup
  • pointerdown
  • pointerup
  • keydown
  • keyup
  • keypress
  • onmousemove
  • onclick
  • onmousedown
  • onmouseup
  • onpointerdown
  • onpointerup
  • onkeydown
  • onkeyup
  • onkeypress
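
To show why recorded event types, timestamps and positions are useful to a defender, here is an added example (not Akamai's logic and not from the original post) that scores a recorded event stream for signs of scripted input. The event record shape, the flag names and both thresholds are assumptions chosen for illustration.

```javascript
// Added example (not Akamai's logic): derive simple signals from a recorded
// input-event stream. Record shape {type, t, x, y} and thresholds are assumed.
const MIN_KEY_GAP_MS = 30; // assumed floor for the median gap between keystrokes
const MAX_JUMP_PX = 5;     // a click should land near the last known pointer position
const POSITION_EVENTS = new Set(["mousemove", "touchstart", "touchmove"]);

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

function analyzeEvents(events) {
  const flags = [];
  // 1. Keystroke cadence: gaps between consecutive keydown events.
  const keyTimes = events.filter((e) => e.type === "keydown").map((e) => e.t);
  const keyGaps = keyTimes.slice(1).map((t, i) => t - keyTimes[i]);
  if (keyGaps.length >= 3) {
    if (median(keyGaps) < MIN_KEY_GAP_MS) flags.push("keystrokes-too-fast");
    if (new Set(keyGaps).size === 1) flags.push("keystrokes-uniform");
  }
  // 2. Pointer continuity: a click should follow movement (or a touch) to that
  //    position. Touch events count, so taps on touch screens are not flagged.
  let last = null;
  for (const e of events) {
    if (POSITION_EVENTS.has(e.type)) last = e;
    if (e.type !== "click") continue;
    const far = !last || Math.hypot(e.x - last.x, e.y - last.y) > MAX_JUMP_PX;
    if (far && !flags.includes("click-without-approach")) flags.push("click-without-approach");
  }
  return { keyGaps, flags, suspicious: flags.length > 0 };
}

// Constructed samples: timestamps in milliseconds, coordinates in pixels.
const HUMAN = [
  { type: "mousemove", t: 0, x: 100, y: 100 }, { type: "mousemove", t: 120, x: 140, y: 120 },
  { type: "mousemove", t: 260, x: 180, y: 139 }, { type: "click", t: 400, x: 181, y: 140 },
  ...[1000, 1140, 1310, 1420, 1650].map((t) => ({ type: "keydown", t })),
];
const SCRIPTED = [
  { type: "click", t: 5, x: 400, y: 300 },
  ...[10, 20, 30, 40, 50].map((t) => ({ type: "keydown", t })),
];
const TOUCH = [
  { type: "touchstart", t: 0, x: 50, y: 60 }, { type: "click", t: 80, x: 50, y: 60 },
];
```
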

Bypassing Akamai

Bypassing Akamai's security requires a nuanced approach, especially considering its reliance on GPU rendering information to determine the operating system and device type.

Here are some strategies:

  1. GPU Rendering: Emulate consumer-grade GPUs rather than professional hardware, as Akamai's algorithms are tuned to recognize and differentiate between them.
  2. Behavioral Analysis: Utilize tools like ghost-cursor (found at https://npmjs.com/package/ghost-cursor) to simulate human-like cursor movements and keystrokes. Timing is crucial here; movements or keystrokes that are too rapid can be flagged as suspicious.
