Automated bot attacks can significantly impact application security, leading to credential theft, payment fraud, resource abuse, and data scraping. Traceable Bot Protection helps organizations mitigate these risks by providing robust detection and protection mechanisms tailored for various attack types.
This topic covers the key steps to integrate and configure Traceable Bot Protection, including:
Installing and configuring the JavaScript snippet
Defining protection flows and identifying relevant APIs
Enabling and customizing bot detection mechanisms
Measuring business impact through key performance indicators (KPIs)
Leveraging custom workflows and entity attribution to automate security responses
This topic explains how to deploy and configure Traceable Bot Protection to protect critical application flows from automated threats.
Installing the JavaScript Snippet
To begin, embed the Traceable JavaScript snippet on the relevant pages of your application. This snippet collects browser telemetry to detect bot activity.
<script>var traceableCaptchaConfig = {sitekey: "site-key-1"};</script>
<script src="/traceable/captcha/v3/site-key-1/fp.js"></script>
Note: The only required configuration is the sitekey, which identifies your application within the Traceable platform. You will receive this key from Traceable during onboarding or setup.
Onboarding Process
After JavaScript installation, proceed with configuration. Your Customer Success Manager will provide the required site key and ensure the script is integrated correctly. If visual CAPTCHAs are enabled, they will be automatically generated and updated in the Traceable console.
Step 1 — Defining Protection Flows
A flow is a grouping of sensitive web pages and APIs that are susceptible to attacks. For example, the login flow is vulnerable to credential stuffing, while the checkout flow may be targeted by scaling and carding attacks.
When to Define a Flow
A flow should be defined when it carries specific contextual importance and requires protection against targeted attacks. For instance, if your platform is at risk of Carding, all relevant pages and APIs susceptible to this attack should be grouped as a defined flow. Similarly, different types of login mechanisms—such as web login, passwordless login, or mobile login—should be set up as distinct flows to ensure precise detection.
Define a flow when specific user interactions require protection against bot-driven attacks, such as:
Login pages for Credential Stuffing Prevention
Checkout flows to prevent Carding Attacks
Search and pricing pages to mitigate Scraping Attempts
If multiple login methods exist (e.g., passwordless login, social login, mobile login), each should be configured separately to enhance detection accuracy.
How to define a Flow
To define a flow, follow these steps:
Identify the relevant pages and APIs that belong to the flow. For example, if users log in through login.html, and credentials are transmitted via POST /login, both the page and the API should be part of the Login Flow.
Inform your Account Manager or Customer Success Manager, who will configure the flow within the Traceable platform.
Ensure separate configurations for flows with the same functionality but different implementations. For example, suppose login exists via multiple methods (web, passwordless, mobile) and each has a different API (or shares an API but with distinguishing request attributes). In that case, configuring them as distinct flows enhances detection efficacy.
Post-onboarding flow configuration: Additional flows can be set up after onboarding. However, it is recommended that all critical flows be defined during the initial onboarding process.
Generic protections for non-flow APIs: Traceable applies baseline security measures to APIs and web pages that are not explicitly assigned to a flow, ensuring broad protection against common bot threats.
Identify the pages and API endpoints that require bot protection.
Share this information with your Customer Success Manager for configuration in the Traceable platform.
Configure separate flows for different authentication and transaction types to improve detection precision.
Identifying APIs that are part of a Flow
To effectively protect user interactions, it is crucial to identify the APIs associated with each flow. Follow these steps to determine which APIs are involved:
Prerequisites
A modern web browser (Chrome, Firefox, Edge, or Safari)
Steps to Identify API Calls
Open Developer Tools
Right-click anywhere on the page and select "Inspect" or "Inspect Element."
Alternatively, use the keyboard shortcut:
Windows/Linux: Ctrl + Shift + I
macOS: Cmd + Option + I
Navigate to the Network Tab
In the Developer Tools window, click on the "Network" tab.
Filter for API Calls
Locate the filter input field.
Type "XHR" or "Fetch" to display only API calls.
Clear Existing Logs
Click the "Clear" button (🚫 icon) to remove any previous network logs.
Interact with the Application
Perform the action you wish to investigate (e.g., clicking a button or submitting a form).
Examine the Network Requests
Review the list of requests in the Network tab.
API calls typically have names ending in .json or include "api" in the URL.
Analyze the API Call
Click on a request to view its details.
Check the "Headers" tab for the request method and URL.
In the Traceable platform, you can locate the endpoint associated with the URL. Typically, the endpoint contains just the path. For example, if the full API URL is https://www.xyz.co/auth-api/login and the method is POST, then the Traceable platform recognizes the endpoint as POST /auth-api/login.
Step 2 — Enabling Bot Detections
Certain generic detections are automatically enabled after onboarding. These include:
Identifying known good and bad bots across all user traffic.
Validating the integrity of browser cookies to detect tampering.
However, taking action on these detections is not automatic and must be explicitly configured. This includes configuring responses for:
Known bad bots (blocking, rate-limiting, or redirecting traffic).
Handling cookie hijacking and replay attacks.
To configure these actions, contact your Account Manager or Customer Success Manager.
Once flows are defined, activate bot detection mechanisms. Some general detections, such as bot identification and browser integrity validation, are enabled by default. However, advanced protections require explicit configuration.
Configuring Advanced Protections
In addition to generic detections, specific attack detections must be explicitly enabled. These include:
Credential Stuffing Detection: Identifies repeated login attempts using stolen credentials. This detection must be explicitly enabled.
Carding Prevention: Detects unauthorized card testing attempts by monitoring payment APIs.
Resource Abuse Mitigation: Defining traffic anomaly thresholds prevents excessive automated requests that consume system resources.
These detections can be activated simultaneously across multiple flows to ensure comprehensive protection. Your Customer Success Manager will assist in configuring these protections to align with your environment, and settings can be adjusted based on observed attack patterns.
Step 3 — Measuring Business Impact
Business Impact KPIs help track the level of exposure to bot-driven attacks and assess their financial and operational consequences. The Traceable platform allows organizations to monitor these KPIs alongside bot threat detections in near real-time, providing actionable insights to mitigate risks effectively.
To quantify the effects of bot attacks, Traceable enables tracking of key performance indicators (KPIs). These insights help adjust security policies and minimize financial losses.
Key Metrics
Total Chargebacks due to fraudulent transactions
Successful Card Testing Attempts
Total Money Transferred Per Week
By tracking these KPIs alongside threat detections, organizations can comprehensively understand their exposure and implement data-driven security measures to mitigate bot-driven fraud in real-time.
Step 4 — Custom Workflows and Entity Attribution
Custom Entity Attribution allows security teams to designate specific attributes from API request and response schemas as first-class entities within their Traceable tenant. These entities can be leveraged to create workflows that validate chains of conditions and trigger automated actions when predefined criteria are met.
Traceable provides advanced customization through entity attribution, allowing security teams to define entities based on API requests and response data. These entities—such as user emails, transaction IDs, or order amounts—can be incorporated into automated workflows for proactive security actions.
Defining and Using Custom Entities
Initially, define a limited set of custom entities to optimize detection accuracy. Additional entities can be configured at any time to enhance detection workflows.
Workflow Capabilities
Flag suspicious activity when predefined conditions are met.
Enforce rate limits for high-risk traffic patterns.
Trigger additional verification steps for anomalous transactions.
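To make the entity-and-workflow pattern concrete, here is an added example that is not Traceable's workflow engine or configuration format: entities are declared as paths into request or response data, a workflow chains conditions over the extracted entities and groups matches by one entity, and its actions fire once the chain holds often enough inside a time window. The entity paths, the "declined low-value payment" conditions, the thresholds, the action names and the sample events are all constructed for illustration.

```javascript
// Added example (not Traceable's code): entity attribution plus a condition-chain workflow.
// Entity definitions, thresholds and the sample events are constructed assumptions.

// Which attribute of the request or response becomes a named, first-class entity.
const ENTITIES = {
  userEmail: { source: "request", path: "body.email" },
  orderAmount: { source: "request", path: "body.amount" },
  paymentStatus: { source: "response", path: "body.status" },
};

// Safe dotted-path lookup: returns undefined instead of throwing on missing data.
function readPath(obj, path) {
  return path.split(".").reduce((acc, key) => (acc == null ? undefined : acc[key]), obj);
}

// Extract every defined entity from one observed API event.
function extractEntities(event, entities = ENTITIES) {
  const out = {};
  for (const [name, def] of Object.entries(entities)) {
    out[name] = readPath(event[def.source], def.path);
  }
  return out;
}

// Workflow: the same userEmail producing several declined low-value payments in a
// short window is a card-testing pattern; flag the entity and step up verification.
const CARD_TESTING_WORKFLOW = {
  flow: "Checkout",
  groupBy: "userEmail",
  windowMs: 10 * 60 * 1000,
  conditions: [
    (e) => e.paymentStatus === "declined",
    (e) => typeof e.orderAmount === "number" && e.orderAmount < 5,
  ],
  threshold: 3,
  actions: ["flag_entity", "trigger_step_up_verification"],
};

// Run the workflow over a time-ordered event stream. Returns, per entity value,
// the actions that fired and when; each entity value triggers at most once.
function runWorkflow(events, workflow = CARD_TESTING_WORKFLOW) {
  const hits = new Map(); // entity value -> timestamps of events that met every condition
  const triggered = {};
  for (const event of events) {
    if (event.flow !== workflow.flow) continue;
    const entities = extractEntities(event);
    if (!workflow.conditions.every((cond) => cond(entities))) continue;
    const key = entities[workflow.groupBy];
    if (key === undefined) continue;
    const recent = (hits.get(key) || []).filter((t) => event.ts - t <= workflow.windowMs);
    recent.push(event.ts);
    hits.set(key, recent);
    if (recent.length >= workflow.threshold && !triggered[key]) {
      triggered[key] = { actions: workflow.actions, matches: recent.length, at: event.ts };
    }
  }
  return triggered;
}

// Constructed sample: user a@ makes three small declined payments inside ten minutes,
// one larger declined payment (ignored by the amount condition) and one approved payment.
const T0 = 1700000000000;
const pay = (ts, email, amount, status) => ({
  ts, flow: "Checkout",
  request: { body: { email, amount } },
  response: { body: { status } },
});
const SAMPLE_EVENTS = [
  pay(T0, "a@example.test", 1.5, "declined"),
  pay(T0 + 60000, "a@example.test", 2.0, "declined"),
  pay(T0 + 120000, "a@example.test", 120, "declined"),
  pay(T0 + 180000, "b@example.test", 1, "declined"),
  pay(T0 + 240000, "a@example.test", 0.99, "declined"),
  pay(T0 + 300000, "a@example.test", 3, "approved"),
];

console.log(JSON.stringify(runWorkflow(SAMPLE_EVENTS), null, 2));
```

Grouping by a single entity value is what makes the chain meaningful: the conditions alone describe one event, while the threshold and window turn repeated matches for the same email into a decision. Keeping the initial entity set small, as the text recommends, also keeps these chains easy to reason about and tune.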
Continuous Monitoring and Optimization
Effective bot protection requires ongoing monitoring and refinement. Organizations should:
Leverage the Traceable Dashboard for real-time visibility into bot activity.
Adjust detection policies based on evolving threat patterns.
Expand protection coverage by configuring additional flows as required.
Traceable Bot Protection provides comprehensive protection with a structured onboarding approach while maintaining an optimal user experience. For further assistance, contact your Customer Success Manager.