Bots and java script

John connor


Unread post by John connor » 2019-01-23, 10:28

If one were to block all requests to a website except like the big three: Google, Bing and Yahoo, based on whether that connection had JS capability or not, would it work for security? I've heard that bots are smarter now and do indeed parse? JS. But it seems to me many bots don't and if one were to block connections based on whether they had JS capability or not, it could help with undesirable traffic. Granted there may in fact be some stupid browsers and whatnot out there that don't use JS. But given the fact damn near every site uses JS nowadays and that most people use Chrome or Firefox, I think false positives would be in the minority.

Reason I ask is because I got the runaround pertaining to a security script at GitHub. I thought that if a module could be added to this security script to block connections that don't use JS, it would greatly help in thwarting undesirable traffic.

What say you?

vannilla
Moon Magic practitioner
Posts: 2194
Joined: 2018-05-05, 13:29

Re: Bots and java script

Unread post by vannilla » 2019-01-23, 13:08

Is it even possible to detect if someone attempting a connection supports javascript?
User agents are useless since they can be overridden, and feature detection works only when the connection is done.
Similarly, any other queries to the connectee(? is this a word?) can be answered with a lie, so that's not a method either.
Maybe using a proxy that does a preliminary scan before redirecting legit users to the actual site?

karlkracher
Fanatic
Posts: 129
Joined: 2015-12-05, 17:40
Location: berlin / germany

Re: Bots and java script

Unread post by karlkracher » 2019-01-23, 13:21

vannilla wrote: Is it even possible to detect if someone attempting a connection supports javascript?

Should be possible using https://www.w3schools.com/tags/tag_noscript.asp and checking if the gif was loaded.

Code:

<noscript>
<img src="browser_without_javascript.gif">
</noscript>

vannilla

Re: Bots and java script

Unread post by vannilla » 2019-01-23, 16:48

karlkracher wrote: Should be possible using https://www.w3schools.com/tags/tag_noscript.asp and checking if the gif was loaded.

Code:

<noscript>
<img src="browser_without_javascript.gif">
</noscript>

But that works only after the connection was done.
Unless I completely misunderstood the OP, he's asking what to do before the connection is completed, so as to block bots.

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: Bots and java script

Unread post by Isengrim » 2019-01-23, 16:59

You can't really block clients that don't execute JavaScript without first trying to serve that client some JS to see if it executes properly, which involves allowing an initial connection. And as vannilla said, UAs are pretty much useless in trying to determine the client or what it's capable of. That doesn't stop webmasters from trying, though.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

John connor

Re: Bots and java script

Unread post by John connor » 2019-01-25, 06:37

vannilla wrote:Is it even possible to detect if someone attempting a connection supports javascript?

Yes, it can be done. In fact, a block page from my site will auto play HTML5 audio of this if and only if the PHP script detects you have JS on.

This is not about UA's. It's about whether a bot has JS capability or not and block that request if there is no JS capability.

vannilla

Re: Bots and java script

Unread post by vannilla » 2019-01-25, 11:33

F22 Simpilot wrote: Yes, it can be done. In fact, a block page from my site will auto play HTML5 audio of this if and only if the PHP script detects you have JS on.

This is not about UA's. It's about whether a bot has JS capability or not and block that request if there is no JS capability.

Sorry, I'm missing something here.
What you do is let the bot connect, execute the PHP to generate the page you will serve to the bot, discover it can't evaluate javascript, and serve it some specific content aimed at bots.
What I understood from the OP is that you want to stop the bots before the first step is completed.
Is it so or not? Please explain in greater detail what you want to do exactly.

John connor

Re: Bots and java script

Unread post by John connor » 2019-01-25, 15:18

No.

Stop the bot from entering the website in the first place. No JS capability, 403.

yami_

Re: Bots and java script

Unread post by yami_ » 2019-01-25, 15:29

So how is your PHP script going to determine if the user agent supports ES if all the UA sends you is this:

Code:

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.9) Gecko/20100101 Goanna/4.1 Firefox/60.9 PaleMoon/28.3.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Isengrim

Re: Bots and java script

Unread post by Isengrim » 2019-01-25, 16:57

If it were so simple, a lot more sites would be doing it. The reason UAs and the like are really useless for determining a client's capabilities is because the client can say whatever it wants; it's the same as trusting that someone is a doctor just by the fact that they have a nametag that says "Doctor" written on it. A client can say it supports JavaScript without actually doing so (or vice versa, a client can say it doesn't support JavaScript and then will start executing any JS you throw at it). This is actually one of many techniques bots and other malicious clients use to try to penetrate a server's defenses, by pretending to be something they're not. That's why checking user agents and other such data is a weak and frowned-upon method for determining a client's abilities.

The only thing you can reliably use to determine what a client can or cannot do is what it actually does when you serve it content. To determine if someone can run JavaScript, you have to try to serve them JavaScript and see what the result is. This is actually a very similar technique to how sites implement, among other things, anti-adblock measures.

vannilla

Re: Bots and java script

Unread post by vannilla » 2019-01-25, 21:26

F22 Simpilot wrote: No.

Stop the bot from entering the website in the first place. No JS capability, 403.

Sorry I can't follow you at all.
Anyway it's as Isengrim said regardless of what you actually want to accomplish.
To find out if someone supports javascript, the only thing you can do is give it some javascript and see what it does.
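
The approach Isengrim and vannilla describe (serve some JavaScript and see what the client does with it), sketched as an added example that is not code from any poster or from the security script the thread mentions. The request shape, the `js_ok` cookie name, the secret and the `runChallengeScript` browser stand-in are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: a random per-site key
const TTL_MS = 5 * 60 * 1000;             // how long a passed check stays valid

// The proof is bound to the client address and the time it was issued.
function tokenFor(ip, issuedAt) {
  return crypto.createHmac('sha256', SECRET).update(`${ip}|${issuedAt}`).digest('hex');
}

// Body sent to any client without a valid proof. The token is split in two,
// so the cookie value only exists whole once the script has been evaluated.
function challengePage(ip, now) {
  const t = tokenFor(ip, now);
  return `<script>document.cookie="js_ok=${now}."+"${t.slice(0, 32)}"+"${t.slice(32)}"+"; path=/";` +
         `location.reload();</script><noscript>JavaScript is required.</noscript>`;
}

function hasValidProof(ip, cookie, now) {
  const [issued, token] = String(cookie || '').split('.');
  const issuedAt = Number(issued);
  if (!token || !Number.isFinite(issuedAt)) return false;
  if (issuedAt > now || now - issuedAt > TTL_MS) return false; // future or expired
  const expected = Buffer.from(tokenFor(ip, issuedAt));
  const got = Buffer.from(token);
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// req: { ip, cookies: { js_ok }, now } is a hypothetical shape, not a framework API.
// The first request is always answered (with 403 plus the challenge); only a
// client that ran the script comes back with the cookie and receives 200.
function handle(req) {
  if (hasValidProof(req.ip, req.cookies.js_ok, req.now)) {
    return { status: 200, body: '<h1>Real content</h1>' };
  }
  return { status: 403, body: challengePage(req.ip, req.now) };
}

// Stand-in for a browser: evaluates the served script against a fake
// document/location and returns the cookie value it set.
function runChallengeScript(html) {
  const js = /<script>([\s\S]*?)<\/script>/.exec(html)[1];
  const document = { cookie: '' };
  new Function('document', 'location', js)(document, { reload() {} });
  return document.cookie.split(';')[0].slice('js_ok='.length);
}
```

A client that drives a real browser engine executes the script and passes, so this separates only clients that do not run JavaScript from those that do.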