An under the hood look at Polyform in action
A critical part of Kasada’s product development and R&D process involves building bots to stress test our platform. This allows us to observe our detection platform and isolate its components as we add and improve new functionality.
Where possible we will take characteristics of attacks in the wild to replicate the real world scenarios. We recently built a bot (nicknamed k2-bot) to specifically test the different layers of our platform.
This was the second iteration of this test. On this occasion we upped the ante and increased the sophistication of our bot.
Our goal was to build a tool that would easily evade static tools such as web application firewalls and basic bot detection vendors. We configured a customised version of puppeteer to control headless chrome over the DevTools protocol. This allowed us to obfuscate and anonymise key elements that can be used by bot detection vendors. We then connected this to a global proxy network and delivered 28 requests /second to our testing application. Each request was a test username/password set which mimicked a credential abuse attack.
K2-bot versus Standard WAF protection
We built our bot to automatically avoid detection of any static WAF configuration. We randomly cycled through user agent strings,distributed the attack across 5-600 nodes, rapidly rotated proxy nodes in short bursts and maintained rate limits below levels able to use controlled without impacting real users.
K-bot detection with WAF: 0-5%
IP reputation ability: low
False positive risk: high
Basically, WAF’s are not capable of defending these attacks. A WAF is a static configuration that is looking for known bad behaviour. Our ‘payload’ was benign: a username/password and our tactics evaded any form of network / request analysis. Any attempt to control this attack with a WAF would result in an unacceptably high number of false positives – denying real users access to their account.

