TKS
Tampering Antifraud Requests using Burp Suite
Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured I'd finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.
Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities, find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.
Intercepting Requests
See, when you browse any website, there's a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend), which process them and send back responses. It's a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.
Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping – you see every request leaving your browser and every response coming back. More importantly, you can pause this conversation, edit what's being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.
This matters because when shopping online your browser isn't just talking to the main website. It's also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic – the main site requests and the sneaky antifraud callbacks happening behind the scenes.
Bypassing CVV Requirement via Intercept
One common application of Burp, especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers, but most sites require CVV, which is why Burp became such a valuable tool.
Here's the dirty little secret: when you submit payment info at checkout, your browser sends a POST request containing all your card details – number, expiry, CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.
The trick is to either remove the CVV field entirely:
Code:
{"card_number":"4111111111111111","expiry":"12/25","billing_zip":"10001"}
Or replace it with an empty value:
Code:
{"card_number":"4111111111111111","expiry":"12/25","cvv":"","billing_zip":"10001"}
If the merchant's backend validation is garbage (and you'd be amazed how many major retailers fuck this up), the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often don't enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.
Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.
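The backend flaw the post relies on, seen from the merchant's side as an added example (not code from the post): a checkout handler that treats CVV as optional and trusts the client's amount, beside a hardened handler that rejects a removed or empty cvv field, validates every field's format and prices from its own catalogue. The field names, the sku catalogue and the helper names are assumptions.

```python
"""Server-side checkout validation: the weak pattern the post describes
beside a hardened version. Added example, not code from the post."""
import json
import re

# Constructed catalogue the server trusts instead of any client-supplied price.
CATALOG_PRICES_CENTS = {"sku-100": 4999, "sku-200": 12900}


def validate_checkout_weak(raw: str) -> dict:
    """Weak handler: CVV is treated as optional and the client's amount is trusted.
    A request with the cvv key removed, or set to "", sails straight through."""
    body = json.loads(raw)
    if not body.get("card_number"):
        return {"ok": False, "reason": "missing card_number"}
    # cvv is never looked at; the amount comes straight from the client
    return {"ok": True, "amount_cents": body.get("amount_cents"), "cvv_checked": False}


CVV_RE = re.compile(r"^\d{3,4}$")
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/\d{2}$")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum over the card number (digits only)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_checkout_hardened(raw: str) -> dict:
    """Hardened handler: every required field must be present, non-empty and
    well-formed; the amount is recomputed from the catalogue and never read
    from the client. Returns ok=False with a reason on the first failure."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "malformed JSON"}
    if not isinstance(body, dict):
        return {"ok": False, "reason": "body must be an object"}

    # A presence-and-non-empty check catches both a deleted key and "".
    for field in ("card_number", "expiry", "cvv", "billing_zip", "sku"):
        if not isinstance(body.get(field), str) or body[field].strip() == "":
            return {"ok": False, "reason": f"missing or empty {field}"}

    pan = body["card_number"].replace(" ", "")
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        return {"ok": False, "reason": "invalid card_number"}
    if not EXPIRY_RE.match(body["expiry"]):
        return {"ok": False, "reason": "invalid expiry"}
    if not CVV_RE.match(body["cvv"]):
        return {"ok": False, "reason": "invalid cvv"}
    if body["sku"] not in CATALOG_PRICES_CENTS:
        return {"ok": False, "reason": "unknown sku"}

    # Price is the server's own; a client-sent amount_cents is simply ignored.
    return {"ok": True, "amount_cents": CATALOG_PRICES_CENTS[body["sku"]], "cvv_checked": True}


if __name__ == "__main__":
    tampered = '{"card_number":"4111111111111111","expiry":"12/25","billing_zip":"10001","sku":"sku-100"}'
    print("weak:", validate_checkout_weak(tampered))
    print("hardened:", validate_checkout_hardened(tampered))
```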
Altering Antifraud Requests
Now that you understand the basics of interception, let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.
Here's what these scripts typically gather:
- Browser fingerprints (user agent, screen resolution, installed fonts)
- Hardware details (GPU info via WebGL rendering, CPU cores)
- Mouse movements and click patterns (speed, jitter, natural vs. bot-like paths)
- Typing rhythm (how fast you enter data, pauses between keystrokes)
- Whether you're using a headless browser or automation tools (Selenium etc.)
All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if you're legit or sketchy.
These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
- Base64 encode their payloads
- Use character swapping (like replacing 'a' with 'x' and vice versa)
- Obfuscate their JavaScript code
- Split data across multiple requests
- Use custom encoding schemes
But here's the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process, which means it's there for the taking if you know where to look.
Practical Example: Riskified in Booking.com
Let's get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures, this one actually has some teeth to it.
First, we need to set up interception rules in Burp Suite:
- Go to Proxy > Options > Intercept Client Requests
- Add a rule: AND domain name matches c.riskified.com
- Disable response interception
Now browse around the site, pick a flight and try getting to the checkout page; it will most likely connect first to:
After connecting here, it downloads the JS needed to fingerprint your system. This isn't casual data collection – it's a full digital cavity search that attempts to send everything about you to:
c.riskified.com
Since we've set up interception, the fingerprint won't be sent to Riskified's servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:
Deobfuscation
Anti-fraud sites obfuscate your fingerprint because if they didn't, tampering would be child's play. It's like hiding your house key – sure, it's still there, but at least make the thief work for it.
Deobfuscating the code takes skill, but it's not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70, just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encoding), it isn't:
But you know me, I love all of you, so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, I've enabled Riskified, but I'll be adding most anti-fraud providers soon.
BinX
binx.cc
So to make things easier, head to the anti-fraud deobfuscation tool in BinX, select Riskified, and paste our intercepted payload.
After deobfuscation, your fingerprint data appears like an open book.
Code:
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}
You can then make strategic edits to boost trust factors and align with your target profile:
* Hidden text: cannot be quoted. *
Once you've made your changes, obfuscate that shit back, replace the payload in your interception dashboard and FORWARD the request.
This process links your fabricated fingerprint to your cookie. The system thinks you're just another legitimate customer instead of the digital con artist you truly are.
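How a merchant or fraud vendor catches a payload like the one above on the server side, as an added example (not the post's or Riskified's code): the decoded fields are checked against each other and against the HTTP headers the server actually observed, so a value that was edited in isolation stands out. Run over the post's own sample it flags the date_string that disagrees with the epoch timestamp and the three browser families that are all true at once. The check names, the header cross-checks and the abridged sample are assumptions.

```python
"""Server-side plausibility checks over a decoded device-fingerprint payload of
the shape shown in the post, cross-checked against the request headers.
Added example; the checks are assumptions, not any vendor's real scoring."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields of the post's decoded payload that the checks use.
SAMPLE_PAYLOAD = json.dumps({
    "timezone": 240,
    "timestamp": "1689452187394",
    "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
    "nav_lang": "en-GB",
    "browser": {"is_opr": True, "is_firefox": False},
    "os": {"cpu": "Windows NT 10.0", "platform": "Win32"},
    "resolution": {"screenh": 1080, "screenw": 1920, "availh": 1040, "availw": 1920,
                   "innerh": 900, "innerw": 1600, "outerh": 1040, "outerw": 1920},
    "incognito": {"safari": True, "is_brave": True},
})

# Constructed headers as the server saw them on the same request (assumed values).
SAMPLE_HEADERS = {
    "Accept-Language": "en-GB,en;q=0.9",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 OPR/106.0.0.0",
}

DATE_RE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{4}) (\d{2}):(\d{2}):(\d{2}) GMT([+-])(\d{2})(\d{2})")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_js_date_string(s: str):
    """Parse a JS Date.toString() value into (naive local datetime, minutes east of UTC)."""
    m = DATE_RE.match(s)
    if not m:
        return None
    mon, day, year, hh, mm, ss, sign, oh, om = m.groups()
    local = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    offset = (int(oh) * 60 + int(om)) * (1 if sign == "+" else -1)
    return local, offset


def check_fingerprint(payload: dict, headers: dict) -> list:
    """Return the names of every plausibility check the payload fails."""
    flags = []
    parsed = parse_js_date_string(payload.get("date_string", ""))
    if parsed is None:
        flags.append("unparseable_date_string")
    else:
        local, offset_east = parsed
        # JS getTimezoneOffset() is minutes *west* of UTC, so it must equal -offset.
        if payload.get("timezone") != -offset_east:
            flags.append("timezone_offset_mismatch")
        # The epoch-ms timestamp, shifted to the reported offset, must be the same day.
        try:
            ts = datetime.fromtimestamp(int(payload["timestamp"]) / 1000, tz=timezone.utc)
            if (ts + timedelta(minutes=offset_east)).date() != local.date():
                flags.append("timestamp_date_mismatch")
        except (KeyError, ValueError, OverflowError, OSError):
            flags.append("bad_timestamp")

    browser = payload.get("browser", {})
    incog = payload.get("incognito", {})
    families = [browser.get("is_opr"), browser.get("is_firefox"),
                incog.get("safari"), incog.get("is_brave")]
    if sum(1 for f in families if f is True) > 1:
        flags.append("multiple_browser_families")  # a real browser is exactly one of these

    r = payload.get("resolution", {})
    try:
        if not (r["availh"] <= r["screenh"] and r["availw"] <= r["screenw"]
                and r["innerh"] <= r["outerh"] and r["innerw"] <= r["outerw"]):
            flags.append("screen_geometry_impossible")
    except KeyError:
        flags.append("resolution_incomplete")

    # Cross-checks against what the server observed on the wire, which the
    # client-side script cannot rewrite.
    accept = headers.get("Accept-Language", "")
    nav_lang = payload.get("nav_lang", "")
    if nav_lang and nav_lang.lower() not in accept.lower():
        flags.append("accept_language_mismatch")
    ua = headers.get("User-Agent", "")
    if browser.get("is_opr") is True and "OPR/" not in ua:
        flags.append("opera_flag_without_opera_ua")
    if browser.get("is_firefox") is True and "Firefox/" not in ua:
        flags.append("firefox_flag_without_firefox_ua")
    if "Windows NT" in payload.get("os", {}).get("cpu", "") and "Windows NT" not in ua:
        flags.append("os_ua_mismatch")
    return flags


def check_sample() -> list:
    """Run the checks over the constructed sample."""
    return check_fingerprint(json.loads(SAMPLE_PAYLOAD), SAMPLE_HEADERS)


if __name__ == "__main__":
    print(check_sample())
```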
Conclusion
Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – you're altering what the security cameras see. By positioning Burp between your browser and these systems, you can feed them whatever fingerprint you want, without even using an antidetect.
Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking, the more precisely you can manipulate it.
Remember: effective digital deception isn't about invisibility – it's about looking so normal they never think to look twice.
Keep in mind we have barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. It's a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.
See you soon. d0ctrine out.
thanks
amazing
amazing thank you!
Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.
First, we need to set up interception rules in Burp Suite:
- Go to Proxy > Options > Intercept Client Requests
- Add a rule: AND domain name matches c.riskified.com
- Disable response interception
![]()
Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:
![]()
After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection – it's a full digital cavity search that attempts to send everything about you to:
c.riskified.com
Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:
![]()
Deobfuscation
Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key – sure, it's still there but at least make the thief work for it.
Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:
![]()
But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.
BinX
binx.cc
So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.
![]()
After deobfuscation your fingerprint data appears like an open book.
Code:{ "lat": 37.7749, "timezone": 240, "timestamp": "1689452187394", "cart_id": "7629384105", "shop_id": "cf.bstatic.com", "referrer": "https://secure.booking.com/", "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html", "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6", "color_depth": 24, "page_id": "9xzp4r", "shop": "www.booking.com", "hardware_concurrency": 8, "has_touch": true, "history_length": 7, "document_title": "Booking.com", "console_error": "console.memory is undefined", "battery_error": "Error getBattery()", "initial_cookie_state_0": "https", "initial_cookie_state_1": "persistent", "browser": { "productsub": "20030107", "is_opr": true, "is_firefox": false, "ev_len": 42 }, "os": { "cpu": "Windows NT 10.0", "platform": "Win32" }, "webgl": { "vendor": "Google Inc.", "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)" }, "resolution": { "dpr": 1.5, "screenh": 1080, "screenw": 1920, "availh": 1040, "availw": 1920, "innerh": 900, "innerw": 1600, "outerh": 1040, "outerw": 1920 }, "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)", "intl": { "locale": "en-GB", "num_sys": "latn", "cal": "gregory", "tz": "America/New_York" }, "downlink_error": "navigator.connection is undefined", "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client", "nav_lang": "en-GB", "page_language_data": { "page_language": "en", "has_translation": true }, "incognito": { "safari": true, "chrome_quota": 120, "service_worker_undefined": false, "is_brave": true } }
You can then make strategic edits to boost trust factors and align with your target profile:
* Hidden text: cannot be quoted. *
Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.
![]()
This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.
Conclusion
Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look – youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.
Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.
Remember: effective digital deception isnt about invisibility – it's about looking so normal they never think to look twice.
Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.
See you soon. d0ctrine out.