Hacker News: BottingRocks's comments

This is Part 3 of my series on reversing ShapeSecurity's VM. I have a few more to go. This will only talk about the VM and not the signals; if you need to catch up, read parts 1 and 2 that are posted on my blog.


Thanks, I appreciate it so much. This project took many months for me to do, as I had no guidance or proper knowledge on how to approach the problem.


This is part 2 of the series: ShapeSecurity's VM.

There will be many more parts to come, guys, stay tuned.


Here is some of the feedback. In terms of bot protection you would get a 1/10. Perhaps, a 2/10 on a good day.

First, your payload is being sent base64-encoded using the default alphabet. You only need a simple atob() to decrypt your payload.

Second of all, your bot detection script is very readable, making the attacker's job of reversing it relatively easy.

Third, but not least, you do not have enough signals/fingerprints which means that your false positives are going to sky-rocket.

Bots are not dumb; they are programmed by real humans, and your site is extremely easy to reverse. You need to add more obfuscation, more signals, and better client-side protection in order to qualify for real "bot detection".

Source: I reverse antibots for fun and profit; it is literally all I've been doing for the past 2 years straight.


Thank you for this feedback! We'd love to contract you in the future to try and break our system.


Hey, I'd be happy to be contracted to break your solution as well.

The arms race between bot and anti-bot is fascinating, and I think I could reasonably overcome barriers like it, so HMU!


I believe that in the last couple of years the line between donation and begging has been blurred.

You have things on the extreme side like people begging on TikTok Live, doing shoutouts to every viewer that donates a significant gift. On the IRL side you also have people donating to the craziest streamers doing the most outrageous stuff outside. Then you also have super donations on YouTube on live podcasts.

When donations are incorporated into a social app, it fosters an environment that makes donating acceptable and fun. Hardly anyone is going to trust their debit card/credit card details to a random site, but the masses will trust buying credits/donations/subscriptions through TikTok, YouTube, Twitch, Patreon, etc.


A series into ShapeSecurity's VM

