Allegorical
Epic
Thanks, the best carding master
Tampering Antifraud Requests using Burp Suite
Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured I'd finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.
Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities, find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.
Intercepting Requests
See, when you browse any website, there's a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. It's a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.
Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping - you see every request leaving your browser and every response coming back. More importantly, you can pause this conversation, edit what's being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.
This matters because when shopping online your browser isn't just talking to the main website. It's also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic - the main site requests and the sneaky antifraud callbacks happening behind the scenes.
Bypassing CVV Requirement via Intercept
One common application of Burp, especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.
Here's the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details - number, expiry, CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.
The trick is to either remove the CVV field entirely:
Code: {"card_number":"4111111111111111","expiry":"12/25","billing_zip":"10001"}
Or replace it with an empty value:
Code: {"card_number":"4111111111111111","expiry":"12/25","cvv":"","billing_zip":"10001"}
If the merchant's backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often don't enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.
Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.
Altering Antifraud Request
Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.
Here's what these scripts typically gather:
- Browser fingerprints (user agent, screen resolution, installed fonts)
- Hardware details (GPU info via WebGL rendering, CPU cores)
- Mouse movements and click patterns (speed, jitter, natural vs. bot-like paths)
- Typing rhythm (how fast you enter data, pauses between keystrokes)
- Whether you're using a headless browser or automation tools (Selenium etc.)
All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if you're legit or sketchy.
These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
- Base64 encode their payloads
- Use character swapping (like replacing 'a' with 'x' and vice versa)
- Obfuscate their JavaScript code
- Split data across multiple requests
- Use custom encoding schemes
But here's the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process, which means it's there for the taking if you know where to look.
Practical Example: Riskified in Booking.com
Let's get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures, this one actually has some teeth to it.
First, we need to set up interception rules in Burp Suite:
- Go to Proxy > Options > Intercept Client Requests
- Add a rule: AND domain name matches c.riskified.com
- Disable response interception
Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:
After connecting here, it downloads the JS needed to fingerprint your system. This isn't casual data collection - it's a full digital cavity search that attempts to send everything about you to:
c.riskified.com
Since we've set up interception, the fingerprint won't be sent to Riskified's servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:
Deobfuscation
Anti-fraud sites obfuscate your fingerprint because if they didn't, tampering would be child's play. It's like hiding your house key - sure, it's still there but at least make the thief work for it.
Deobfuscating the code takes skill, but it's not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:
But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, I've enabled Riskified but I'll be adding most anti-fraud providers soon.
So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.
After deobfuscation your fingerprint data appears like an open book.
Code:{ "lat": 37.7749, "timezone": 240, "timestamp": "1689452187394", "cart_id": "7629384105", "shop_id": "cf.bstatic.com", "referrer": "https://secure.booking.com/", "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html", "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6", "color_depth": 24, "page_id": "9xzp4r", "shop": "www.booking.com", "hardware_concurrency": 8, "has_touch": true, "history_length": 7, "document_title": "Booking.com", "console_error": "console.memory is undefined", "battery_error": "Error getBattery()", "initial_cookie_state_0": "https", "initial_cookie_state_1": "persistent", "browser": { "productsub": "20030107", "is_opr": true, "is_firefox": false, "ev_len": 42 }, "os": { "cpu": "Windows NT 10.0", "platform": "Win32" }, "webgl": { "vendor": "Google Inc.", "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)" }, "resolution": { "dpr": 1.5, "screenh": 1080, "screenw": 1920, "availh": 1040, "availw": 1920, "innerh": 900, "innerw": 1600, "outerh": 1040, "outerw": 1920 }, "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)", "intl": { "locale": "en-GB", "num_sys": "latn", "cal": "gregory", "tz": "America/New_York" }, "downlink_error": "navigator.connection is undefined", "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client", "nav_lang": "en-GB", "page_language_data": { "page_language": "en", "has_translation": true }, "incognito": { "safari": true, "chrome_quota": 120, "service_worker_undefined": false, "is_brave": true } }
You can then make strategic edits to boost trust factors and align with your target profile:
* Hidden text: cannot be quoted. *
Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.
This process links your fabricated fingerprint to your cookie. The system thinks you're just another legitimate customer instead of the digital con artist you truly are.
Conclusion
Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look - you're altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.
Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.
Remember: effective digital deception isn't about invisibility - it's about looking so normal they never think to look twice.
Keep in mind we have barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. It's a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.
See you soon. d0ctrine out.
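Added example, not part of the original post or of any merchant's code: the server-side checkout validation whose absence the "Bypassing CVV Requirement via Intercept" section relies on. It rejects a missing or empty CVV, flags it as a tampering signal, and prices the order from the server's own catalogue. The `items` and `client_total` fields, the catalogue and all function names are assumptions for illustration; the card field names are the ones shown in the post.

```python
import json
import re
from decimal import Decimal, InvalidOperation

# Constructed catalogue: the authoritative prices exist only on the server.
CATALOGUE = {"sku-1001": Decimal("129.00"), "sku-2002": Decimal("15.50")}
REQUIRED = ("card_number", "expiry", "cvv", "billing_zip")  # field names from the post
CVV_RE = re.compile(r"\d{3,4}")


class Rejected(Exception):
    """Checkout refused; `tamper` marks requests the site's own form cannot produce."""

    def __init__(self, reason, tamper):
        super().__init__(reason)
        self.reason = reason
        self.tamper = tamper


def validate_checkout(raw_body):
    try:
        body = json.loads(raw_body)
    except ValueError:  # also covers undecodable bytes
        raise Rejected("malformed_json", tamper=True)
    if not isinstance(body, dict):
        raise Rejected("malformed_json", tamper=True)

    # The checkout form always submits every required field, so a missing or
    # empty one means the request was edited in transit. Reject it and raise
    # the tamper flag for the fraud team. Never write the CVV value to logs.
    for field in REQUIRED:
        value = body.get(field)
        if not isinstance(value, str) or not value.strip():
            raise Rejected("missing_" + field, tamper=True)
    if not CVV_RE.fullmatch(body["cvv"]):
        raise Rejected("invalid_cvv_format", tamper=False)  # may be a typo

    # Price the order from the catalogue; any client-sent total is ignored
    # for charging and only compared, to flag edited requests.
    items = body.get("items")
    if not isinstance(items, list) or not items:
        raise Rejected("missing_items", tamper=True)
    total = Decimal("0")
    for item in items:
        sku = item.get("sku") if isinstance(item, dict) else None
        qty = item.get("qty") if isinstance(item, dict) else None
        if sku not in CATALOGUE:
            raise Rejected("unknown_sku", tamper=True)
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= 20:
            raise Rejected("invalid_quantity", tamper=True)
        total += CATALOGUE[sku] * qty

    mismatch = False
    if "client_total" in body:
        try:
            mismatch = Decimal(str(body["client_total"])) != total
        except InvalidOperation:
            mismatch = True
    # Assumption: the gateway call made with this order is also configured to
    # decline when the issuer reports a CVV mismatch or "not checked".
    return {"amount": total, "price_mismatch": mismatch}


def decide(raw_body):
    """Return (decision, detail, tamper_flag) for logging and alerting."""
    try:
        order = validate_checkout(raw_body)
    except Rejected as exc:
        return ("reject", exc.reason, exc.tamper)
    return ("accept", str(order["amount"]), order["price_mismatch"])


# Constructed request bodies (test card number as used in the post).
_CARD = {"card_number": "4111111111111111", "expiry": "12/25", "billing_zip": "10001"}
_ITEMS = [{"sku": "sku-1001", "qty": 1}, {"sku": "sku-2002", "qty": 1}]
SAMPLE_OK = json.dumps({**_CARD, "cvv": "123", "items": _ITEMS}).encode()
SAMPLE_NO_CVV = json.dumps({**_CARD, "items": _ITEMS}).encode()
SAMPLE_EMPTY_CVV = json.dumps({**_CARD, "cvv": "", "items": _ITEMS}).encode()
SAMPLE_PRICE_EDIT = json.dumps(
    {**_CARD, "cvv": "123", "items": _ITEMS, "client_total": "1.00"}
).encode()

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_NO_CVV", "SAMPLE_EMPTY_CVV", "SAMPLE_PRICE_EDIT"):
        print(name, decide(globals()[name]))
```

Feeding the `tamper` flag and the price-mismatch flag into the risk engine gives it a signal that does not depend on the client-side fingerprint.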
Thanks as always d0c
Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.
Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.
Intercepting Requests
See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.
Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping β you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.
This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic β the main site requests and the sneaky antifraud callbacks happening behind the scenes.
Bypassing CVV Requirement via Intercept
One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.
Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details β number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.
![]()
The trick is to either remove the CVV field entirely:
Code:{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}
Or replace it with an empty value:
Code:{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}
If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.
Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.
Altering Antifraud Request
Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.
Heres what these scripts typically gather:
- Browser fingerprints (user agent screen resolution, installed fonts)
- Hardware details (GPU info via WebGL rendering CPU cores)
- Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
- Typing rhythm (how fast you enter data, pauses between keystrokes)
- Whether you're using a headless browser or automation tools (Selenium etc.)
All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.
These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.
- Base64 encode their payloads
- Use character swapping (like replacing a' with x' and vice versa)
- Obfuscate their JavaScript code
- Split data across multiple requests
- Use custom encoding schemes
Practical Example: Riskified in Booking.com
Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.
First, we need to set up interception rules in Burp Suite:
- Go to Proxy > Options > Intercept Client Requests
- Add a rule: AND domain name matches c.riskified.com
- Disable response interception
![]()
Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:
![]()
After connecting here, it downloads the JS needed to fingerprint your system. This isnt casual data collection β it's a full digital cavity search that attempts to send everything about you to:
c.riskified.com
Since weve set up interception the fingerprint won't be sent to Riskifieds servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:
![]()
Deobfuscation
Anti-fraud sites obfuscate your fingerprint because if they didnt tampering would be child's play. Its like hiding your house key β sure, it's still there but at least make the thief work for it.
Deobfuscating the code takes skill, but its not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:
![]()
But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, Ive enabled Riskified but I'll be adding most anti-fraud providers soon.
![]()
Binx - Your BIN Lookup Tool
Lookup BIN details, check bank information, card type, brand, and more. Share and explore BIN lists.binx.cc
So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.
![]()
After deobfuscation your fingerprint data appears like an open book.
Code:{ "lat": 37.7749, "timezone": 240, "timestamp": "1689452187394", "cart_id": "7629384105", "shop_id": "cf.bstatic.com", "referrer": "https://secure.booking.com/", "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html", "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6", "color_depth": 24, "page_id": "9xzp4r", "shop": "www.booking.com", "hardware_concurrency": 8, "has_touch": true, "history_length": 7, "document_title": "Booking.com", "console_error": "console.memory is undefined", "battery_error": "Error getBattery()", "initial_cookie_state_0": "https", "initial_cookie_state_1": "persistent", "browser": { "productsub": "20030107", "is_opr": true, "is_firefox": false, "ev_len": 42 }, "os": { "cpu": "Windows NT 10.0", "platform": "Win32" }, "webgl": { "vendor": "Google Inc.", "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)" }, "resolution": { "dpr": 1.5, "screenh": 1080, "screenw": 1920, "availh": 1040, "availw": 1920, "innerh": 900, "innerw": 1600, "outerh": 1040, "outerw": 1920 }, "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)", "intl": { "locale": "en-GB", "num_sys": "latn", "cal": "gregory", "tz": "America/New_York" }, "downlink_error": "navigator.connection is undefined", "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client", "nav_lang": "en-GB", "page_language_data": { "page_language": "en", "has_translation": true }, "incognito": { "safari": true, "chrome_quota": 120, "service_worker_undefined": false, "is_brave": true } }
You can then make strategic edits to boost trust factors and align with your target profile:
* Hidden text: cannot be quoted. *
Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.
![]()
This process links your fabricated fingerprint to your cookie. The system thinks youre just another legitimate customer instead of the digital con artist you truly are.
Conclusion
Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look β youre altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.
Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.
Remember: effective digital deception isnt about invisibility β it's about looking so normal they never think to look twice.
Keep in mind we hae barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. Its a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.
See you soon. d0ctrine out.
thank you so much prof
Thanks
c.riskified.com
VΓ¬ chΓΊng tΓ΄i ΔΓ£ thiαΊΏt lαΊp chαΊ·n nΓͺn dαΊ₯u vΓ’n tay sαΊ½ khΓ΄ng Δược gα»i ΔαΊΏn mΓ‘y chα»§ Riskifieds . NαΊΏu bαΊ‘n kiα»m tra bαΊ£ng Δiα»u khiα»n nhαΊt kΓ½ HTTP, bαΊ‘n sαΊ½ thαΊ₯y nΓ³ Δang cα» gαΊ―ng gα»i mα»t tαΊ£i trα»ng Δược che giαΊ₯u cΓ³ chα»©a DNA kα»Ή thuαΊt sα» cα»§a bαΊ‘n:
![]()
GiαΊ£i mΓ£
CΓ‘c trang web chα»ng gian lαΊn che giαΊ₯u dαΊ₯u vΓ’n tay cα»§a bαΊ‘n vΓ¬ nαΊΏu khΓ΄ng thΓ¬ viα»c giαΊ£ mαΊ‘o sαΊ½ lΓ trΓ² trαΊ» con. Giα»ng nhΖ° viα»c giαΊ₯u chΓ¬a khΓ³a nhΓ cα»§a bαΊ‘n β chαΊ―c chαΊ―n, nΓ³ vαΊ«n α» ΔΓ³ nhΖ°ng Γt nhαΊ₯t hΓ£y bαΊ―t tΓͺn trα»m phαΊ£i lΓ m viα»c Δα» lαΊ₯y nΓ³.
Viα»c giαΊ£i mΓ£ mΓ£ hΓ³a cαΊ§n cΓ³ kα»Ή nΔng, nhΖ°ng khΓ΄ng phαΊ£i lΓ khoa hα»c tΓͺn lα»a. BαΊ‘n chα» cαΊ§n ΔαΊ£o ngược kα»Ή thuαΊt Δα» tΓ¬m ra cΓ‘ch JS tαΊ‘o ra tαΊ£i trα»ng. Δα»i vα»i nhα»―ng ai cΓ³ IQ dΖ°α»i 70, hΓ£y tham khαΊ£o AI. VΓ nαΊΏu bαΊ‘n cαΊ£m thαΊ₯y mΓ¬nh thΓ΄ng minh khi nghΔ© rαΊ±ng chα» cΓ³ Base64 cho Riskified (mαΊ·c dΓΉ nhiα»u ngΖ°α»i trong sα» hα» chα» sα» dα»₯ng mΓ£ hΓ³a Base64), thΓ¬ khΓ΄ng phαΊ£i vαΊy:
![]()
NhΖ°ng bαΊ‘n biαΊΏt tΓ΄i mΓ , tΓ΄i yΓͺu tαΊ₯t cαΊ£ cΓ‘c bαΊ‘n nΓͺn Δα»i vα»i bαΊ£n demo nΓ y, tΓ΄i ΔΓ£ phΓ‘t triα»n mα»t cΓ΄ng cα»₯ giΓΊp giαΊ£i mΓ£ dαΊ₯u vΓ’n tay tα»« cΓ‘c giαΊ£i phΓ‘p chα»ng phΓ‘t hiα»n phα» biαΊΏn. Δα»i vα»i bαΊ£n demo nΓ y, tΓ΄i ΔΓ£ bαΊt Riskified nhΖ°ng tΓ΄i sαΊ½ sα»m thΓͺm hαΊ§u hαΊΏt cΓ‘c nhΓ cung cαΊ₯p chα»ng gian lαΊn.
[URL mα» rα»ng="true"]https://binx.cc/tools/antifraud-deobfuscate[/URL]
VΓ¬ vαΊy, Δα» mα»i viα»c dα» dΓ ng hΖ‘n, hΓ£y ΔαΊΏn cΓ΄ng cα»₯ giαΊ£i mΓ£ chα»ng gian lαΊn trong BinX vΓ chα»n Riskified , sau ΔΓ³ dΓ‘n dα»― liα»u ΔΓ£ chαΊ·n cα»§a chΓΊng tΓ΄i.
![]()
Sau khi giαΊ£i mΓ£, dα»― liα»u dαΊ₯u vΓ’n tay cα»§a bαΊ‘n sαΊ½ trΓ΄ng giα»ng nhΖ° mα»t cuα»n sΓ‘ch mα».
[MΓ Sα»]
{
"vΔ© Δα»": 37.7749,
"mΓΊi giα»": 240,
"dαΊ₯u thα»i gian": "1689452187394",
"cart_id": "7629384105",
"shop_id": "cf.bstatic.com",
"ngΖ°α»i giα»i thiα»u": "https://secure.booking.com/",
"href": "https://cf.bstatic.com/static/tag_c...a077563c1795a773c91150dd19adefe98d13fd65.html",
"riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
"color_depth": 24,
"page_id": "9xzp4r",
"cα»a hΓ ng": "www.booking.com",
"hardware_concurrency": 8,
"has_touch": ΔΓΊng,
"lα»ch sα»_chiα»u dΓ i": 7,
"document_title": "ΔαΊ·t phΓ²ng.com",
"console_error": "console.memory khΓ΄ng Δược xΓ‘c Δα»nh",
"battery_error": "Lα»i getBattery()",
"initial_cookie_state_0": "https",
"initial_cookie_state_1": "liΓͺn tα»₯c",
"trΓ¬nh duyα»t": {
"productsub": "20030107",
"is_opr": ΔΓΊng,
"is_firefox": sai,
"ev_len": 42
},
"hα» Δiα»u hΓ nh": {
"cpu": "Windows NT 10.0",
"nα»n tαΊ£ng": "Win32"
},
"webgl": {
"nhΓ cung cαΊ₯p": "Google Inc.",
"trΓ¬nh kαΊΏt xuαΊ₯t": "GΓC (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
},
"nghα» quyαΊΏt": {
"dpr": 1,5,
"mà n hình": 1080,
"mà n hình": 1920,
"cΓ³ sαΊ΅n": 1040,
"cΓ³ sαΊ΅n": 1920,
"bΓͺn trong": 900,
"bΓͺn trong": 1600,
"bΓͺn ngoΓ i": 1040,
"bΓͺn ngoΓ i": 1920
},
"date_string": "Thα»© sΓ‘u, ngΓ y 25 thΓ‘ng 3 nΔm 2025 14:23:07 GMT-0400 (Giα» ban ngΓ y miα»n ΔΓ΄ng)",
"quα»c tαΊΏ": {
"locale": "en-GB",
"num_sys": "vΔ© Δα»",
"cal": "gregory",
"tz": "Mα»Ή/New_York"
},
"downlink_error": "navigator.connection khΓ΄ng Δược xΓ‘c Δα»nh",
"nav_plu": "Plugin PDF cα»§a Chrome, TrΓ¬nh xem PDF cα»§a Chrome, MΓ‘y khΓ‘ch gα»c",
"nav_lang": "vi-GB",
"dα»― liα»u ngΓ΄n ngα»― trang": {
"page_language": "vi",
"has_translation": ΔΓΊng
},
"αΊ©n danh": {
"safari": ΔΓΊng,
"chrome_quota": 120,
"service_worker_undefined": sai,
"is_brave": ΔΓΊng
}
}
[/MΓ Sα»]
Sau ΔΓ³, bαΊ‘n cΓ³ thα» thα»±c hiα»n cΓ‘c chα»nh sα»a chiαΊΏn lược Δα» tΔng cΖ°α»ng cΓ‘c yαΊΏu tα» tin cαΊy vΓ phΓΉ hợp vα»i hα» sΖ‘ mα»₯c tiΓͺu cα»§a mΓ¬nh:
* VΔn bαΊ£n αΊ©n: khΓ΄ng thα» trΓch dαΊ«n. *
Sau khi thα»±c hiα»n thay Δα»i, hΓ£y lΓ m tα»i nghΔ©a lαΊ‘i vΓ thay thαΊΏ dα»― liα»u trong bαΊ£ng Δiα»u khiα»n chαΊ·n cα»§a bαΊ‘n vΓ CHUYα»N TIαΊΎP yΓͺu cαΊ§u.
![]()
QuΓ‘ trΓ¬nh nΓ y liΓͺn kαΊΏt dαΊ₯u vΓ’n tay giαΊ£ cα»§a bαΊ‘n vα»i cookie cα»§a bαΊ‘n. Hα» thα»ng nghΔ© rαΊ±ng bαΊ‘n chα» lΓ mα»t khΓ‘ch hΓ ng hợp phΓ‘p khΓ‘c thay vΓ¬ lΓ kαΊ» lα»«a ΔαΊ£o kα»Ή thuαΊt sα» thα»±c sα»±.
PhαΊ§n kαΊΏt luαΊn
Thao tΓΊng cΓ‘c hα» thα»ng chα»ng gian lαΊn bαΊ±ng Burp Suite giα»ng nhΖ° cΓ³ mα»t bα» ngα»₯y trang kα»Ή thuαΊt sα». BαΊ‘n khΓ΄ng chα» thay Δα»i diα»n mαΊ‘o cα»§a mΓ¬nh β bαΊ‘n Δang thay Δα»i nhα»―ng gΓ¬ camera an ninh nhΓ¬n thαΊ₯y. BαΊ±ng cΓ‘ch ΔαΊ·t Burp giα»―a trΓ¬nh duyα»t cα»§a bαΊ‘n vΓ cΓ‘c hα» thα»ng nΓ y, bαΊ‘n cΓ³ thα» cung cαΊ₯p cho chΓΊng bαΊ₯t kα»³ dαΊ₯u vΓ’n tay nΓ o bαΊ‘n muα»n, thαΊm chΓ khΓ΄ng cαΊ§n sα» dα»₯ng antidetect.
ThΓ nh cΓ΄ng phα»₯ thuα»c vΓ o viα»c hiα»u chΓnh xΓ‘c nhα»―ng gΓ¬ cΓ‘c hα» thα»ng nΓ y thu thαΊp vΓ cΓ‘ch chΓΊng diα» n giαΊ£i chΓΊng. PhΓ’n tΓch nhαΊt kΓ½ Burp cα»§a bαΊ‘n Δα» nghiΓͺn cα»©u cΓ‘c yΓͺu cαΊ§u chα»ng gian lαΊn trΖ°α»c khi can thiα»p vΓ o chΓΊng. TΓ¬m kiαΊΏm cΓ‘c mαΊ«u trong dα»― liα»u JSON. BαΊ‘n cΓ ng hiα»u rΓ΅ nhα»―ng gΓ¬ hα» Δang kiα»m tra thΓ¬ bαΊ‘n cΓ ng cΓ³ thα» thao tΓ‘c chΓnh xΓ‘c hΖ‘n.
HΓ£y nhα»: sα»± lα»«a dα»i hiα»u quαΊ£ trΓͺn mαΊ‘ng khΓ΄ng phαΊ£i lΓ sα»± vΓ΄ hΓ¬nh β mΓ lΓ trΓ΄ng thαΊt bΓ¬nh thΖ°α»ng ΔαΊΏn nα»i hα» khΓ΄ng bao giα» nghΔ© ΔαΊΏn viα»c phαΊ£i nhΓ¬n lαΊ§n thα»© hai.
HΓ£y nhα» rαΊ±ng chΓΊng ta mα»i chα» khai thΓ‘c Δược bα» nα»i nhα»―ng gΓ¬ Burp Suite cΓ³ thα» lΓ m. CΓ΄ng cα»₯ khα»§ng nΓ y cΓ³ hΓ ng chα»₯c mΓ΄-Δun vΓ hΓ ng trΔm tΓnh nΔng mΓ tΓ΄i thαΊm chΓ cΓ²n chΖ°a Δα» cαΊp ΔαΊΏn - tα»« quΓ©t tα»± Δα»ng ΔαΊΏn tΓ¬m lα» hα»ng SQLi ΔαΊΏn fuzzing Δiα»m cuα»i. ΔΓ’y lΓ mα»t cΓ΄ng cα»₯ phα»©c tαΊ‘p, mang lαΊ‘i phαΊ§n thΖ°α»ng cho nhα»―ng ai ΔαΊ§u tΖ° thα»i gian Δα» thΓ nh thαΊ‘o. TΓ΄i sαΊ½ Δα» cαΊp ΔαΊΏn cΓ‘c kα»Ή thuαΊt nΓ’ng cao hΖ‘n trong cΓ‘c hΖ°α»ng dαΊ«n sau.
HαΊΉn gαΊ·p lαΊ‘i sα»m. d0ctrine ra mαΊ―t.
impressive.
Tampering Antifraud Requests using Burp Suite
Lots of people have been asking me for some time now for more guides on how to use Burp. So I figured I'd finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.
Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities, find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.
Intercepting Requests
See, when you browse any website, there's a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend), which process them and send back responses. It's a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.
Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping - you see every request leaving your browser and every response coming back. More importantly, you can pause this conversation, edit what's being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.
This matters because when shopping online your browser isn't just talking to the main website. It's also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic - the main site requests and the sneaky antifraud callbacks happening behind the scenes.
Bypassing CVV Requirement via Intercept
One common application of Burp, especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers, but most sites require CVV, which is why Burp became such a valuable tool.
Here's the dirty little secret: when you submit payment info at checkout, your browser sends a POST request containing all your card details - number, expiry, CVV, the works. Using Burp's Intercept feature, you can catch this request before it reaches the server and edit that shit however you want.
The trick is to either remove the CVV field entirely:
Code:
```json
{"card_number":"4111111111111111","expiry":"12/25","billing_zip":"10001"}
```
Or replace it with an empty value:
Code:
```json
{"card_number":"4111111111111111","expiry":"12/25","cvv":"","billing_zip":"10001"}
```
If the merchant's backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often don't enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.
Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.
Altering Antifraud Request
Now that you understand the basics of interception, let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.
Here's what these scripts typically gather:
- Browser fingerprints (user agent, screen resolution, installed fonts)
- Hardware details (GPU info via WebGL rendering, CPU cores)
- Mouse movements and click patterns (speed, jitter, natural vs. bot-like paths)
- Typing rhythm (how fast you enter data, pauses between keystrokes)
- Whether you're using a headless browser or automation tools (Selenium, etc.)
All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if you're legit or sketchy.
These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
- Base64 encode their payloads
- Use character swapping (like replacing 'a' with 'x' and vice versa)
- Obfuscate their JavaScript code
- Split data across multiple requests
- Use custom encoding schemes
But here's the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process, which means it's there for the taking if you know where to look.
Practical Example: Riskified in Booking.com
Let's get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures, this one actually has some teeth to it.
First, we need to set up interception rules in Burp Suite:
- Go to Proxy > Options > Intercept Client Requests
- Add a rule: AND domain name matches c.riskified.com
- Disable response interception
Now browse around the site, pick a flight and try getting to the checkout page. It will most likely connect first to:
https://beacon.riskified.com/
After connecting here, it downloads the JS needed to fingerprint your system. This isn't casual data collection - it's a full digital cavity search that attempts to send everything about you to:
c.riskified.com
Since we've set up interception, the fingerprint won't be sent to Riskified's servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA.
Deobfuscation
Anti-fraud sites obfuscate your fingerprint because if they didn't, tampering would be child's play. It's like hiding your house key - sure, it's still there, but at least make the thief work for it.
Deobfuscating the code takes skill, but it's not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70, just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't.
But you know me, I love all of you, so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, I've enabled Riskified but I'll be adding most anti-fraud providers soon.
So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.
After deobfuscation, your fingerprint data appears like an open book.
Code:
```json
{
  "lat": 37.7749,
  "timezone": 240,
  "timestamp": "1689452187394",
  "cart_id": "7629384105",
  "shop_id": "cf.bstatic.com",
  "referrer": "https://secure.booking.com/",
  "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html",
  "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6",
  "color_depth": 24,
  "page_id": "9xzp4r",
  "shop": "www.booking.com",
  "hardware_concurrency": 8,
  "has_touch": true,
  "history_length": 7,
  "document_title": "Booking.com",
  "console_error": "console.memory is undefined",
  "battery_error": "Error getBattery()",
  "initial_cookie_state_0": "https",
  "initial_cookie_state_1": "persistent",
  "browser": {
    "productsub": "20030107",
    "is_opr": true,
    "is_firefox": false,
    "ev_len": 42
  },
  "os": {
    "cpu": "Windows NT 10.0",
    "platform": "Win32"
  },
  "webgl": {
    "vendor": "Google Inc.",
    "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)"
  },
  "resolution": {
    "dpr": 1.5,
    "screenh": 1080,
    "screenw": 1920,
    "availh": 1040,
    "availw": 1920,
    "innerh": 900,
    "innerw": 1600,
    "outerh": 1040,
    "outerw": 1920
  },
  "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)",
  "intl": {
    "locale": "en-GB",
    "num_sys": "latn",
    "cal": "gregory",
    "tz": "America/New_York"
  },
  "downlink_error": "navigator.connection is undefined",
  "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client",
  "nav_lang": "en-GB",
  "page_language_data": {
    "page_language": "en",
    "has_translation": true
  },
  "incognito": {
    "safari": true,
    "chrome_quota": 120,
    "service_worker_undefined": false,
    "is_brave": true
  }
}
```
You can then make strategic edits to boost trust factors and align with your target profile:
* Hidden text: cannot be quoted. *
Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.
This process links your fabricated fingerprint to your cookie. The system thinks you're just another legitimate customer instead of the digital con artist you truly are.
Conclusion
Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look - you're altering what the security cameras see. By positioning Burp between your browser and these systems, you can feed them whatever fingerprint you want, without even using an antidetect.
Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking, the more precisely you can manipulate it.
Remember: effective digital deception isn't about invisibility - it's about looking so normal they never think to look twice.
Keep in mind we have barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. It's a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.
See you soon. d0ctrine out.
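Seen from the merchant's side, the edited checkout bodies quoted above only go through when the server accepts whatever the browser sends. The following is an added example, not part of the original post: a server-side checkout check that rejects a removed, empty or duplicated `cvv`, prices the order from its own catalogue, and fails closed unless the gateway reports a CVV match. The catalogue, the `items` member and the gateway result fields (`approved`, `cvv_check`) are assumptions made for the illustration.

```python
import json
import re
from decimal import Decimal

# Constructed server-side catalogue: prices come from here, never from the request.
CATALOG = {"sku-100": Decimal("499.00"), "sku-200": Decimal("19.99")}
REQUIRED_CARD_FIELDS = ("card_number", "expiry", "cvv", "billing_zip")
CVV_RE = re.compile(r"[0-9]{3,4}")


class RejectedCheckout(ValueError):
    """The request failed server-side validation and must not reach the gateway."""


def _no_duplicate_keys(pairs):
    # json.loads silently keeps the last of two identical keys; refuse them so
    # every component that parses this body sees the same "cvv" value.
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        raise RejectedCheckout("duplicate JSON key")
    return dict(pairs)


def validate_checkout(raw_body):
    """Return the gateway request built from trusted values, or raise RejectedCheckout."""
    try:
        body = json.loads(raw_body, object_pairs_hook=_no_duplicate_keys)
    except json.JSONDecodeError as exc:
        raise RejectedCheckout("malformed JSON") from exc
    if not isinstance(body, dict):
        raise RejectedCheckout("body must be a JSON object")

    # A removed field and an empty field are rejected the same way.
    for field in REQUIRED_CARD_FIELDS:
        value = body.get(field)
        if not isinstance(value, str) or not value.strip():
            raise RejectedCheckout("missing or empty field: " + field)
    if not CVV_RE.fullmatch(body["cvv"]):
        raise RejectedCheckout("cvv must be 3 or 4 digits")

    items = body.get("items")  # hypothetical order-lines member
    if not isinstance(items, list) or not items:
        raise RejectedCheckout("no items in order")
    amount = Decimal("0")
    for item in items:
        if not isinstance(item, dict):
            raise RejectedCheckout("item must be an object")
        sku, qty = item.get("sku"), item.get("qty")
        if not isinstance(sku, str) or sku not in CATALOG:
            raise RejectedCheckout("unknown sku")
        if type(qty) is not int or qty < 1:
            raise RejectedCheckout("bad quantity")
        # Any client-supplied "price" member is ignored on purpose.
        amount += CATALOG[sku] * qty

    return {"amount": str(amount), "card_number": body["card_number"],
            "expiry": body["expiry"], "cvv": body["cvv"],
            "billing_zip": body["billing_zip"]}


def accept_gateway_result(result):
    """Fail closed: capture only when the gateway reports a CVV match.

    `result` is a hypothetical, gateway-agnostic dict; real gateways use
    their own field names and codes for the CVV check outcome.
    """
    return result.get("approved") is True and result.get("cvv_check") == "match"


def check(raw_body):
    """Return ("ok", amount) or ("rejected", reason) for a raw request body."""
    try:
        return ("ok", validate_checkout(raw_body)["amount"])
    except RejectedCheckout as exc:
        return ("rejected", str(exc))


# Constructed request bodies; the card number is the one used in the post.
_CARD = '"card_number":"4111111111111111","expiry":"12/25","billing_zip":"10001"'
_ITEMS = '"items":[{"sku":"sku-100","qty":1,"price":"1.00"},{"sku":"sku-200","qty":1}]'
SAMPLES = {
    "complete": "{" + _CARD + ',"cvv":"123",' + _ITEMS + "}",
    "cvv_removed": "{" + _CARD + "," + _ITEMS + "}",
    "cvv_empty": "{" + _CARD + ',"cvv":"",' + _ITEMS + "}",
    "cvv_duplicated": "{" + _CARD + ',"cvv":"123","cvv":"",' + _ITEMS + "}",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check(raw))
```

The gateway account itself should also be configured to decline on a missing or mismatched CVV, so the check does not rest on application code alone.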
cool.
docdocView attachment 8294Tampering Antifraud Requests using Burp Suite
Lots of people have been requesting me for some time now some more guides on how to use Burp. So I figured Id finally cave and drop some knowledge on one of the most powerful tools in your digital arsenal.
Burp is a versatile tool with hundreds of nifty features that can be used beyond just assessing sites - you can check vulnerabilities find hidden endpoints, manipulate web traffic and fuck with those pesky antifraud systems blocking your cards. When you know what you're doing, the possibilities are extensive.
Intercepting Requests
See when you browse any website, theres a constant back-and-forth conversation happening. Your browser (the frontend) sends requests to the website's servers (the backend) which processes them and sends back responses. Its a digital conversation where your browser requests to view products or make purchases, and the server responds accordingly.
Burp Suite plants itself right in the middle of this conversation as a proxy. It's digital eavesdropping β you see every request leaving your browser and every response coming back. More importantly you can pause this conversation, edit whats being transmitted and then let it continue. The server has no fucking clue you just rewrote the script.
This matters because when shopping online your browser isn't just talking to the main website. Its also sending data to hidden antifraud systems like Stripe Radar or Forter that analyze whether you're legitimate or some bot-using scammer. With Burp, you can intercept and manipulate both types of traffic β the main site requests and the sneaky antifraud callbacks happening behind the scenes.
Bypassing CVV Requirement via Intercept
One common application of Burp especially among autistic Binners, is forcing sites to accept cards without CVV. Binners generate cards in bulk and test them using public checkers but most sites require CVV, which is why Burp became such a valuable tool.
Heres the dirty little secret: When you submit payment info at checkout your browser sends a POST request containing all your card details β number, expiry CVV, the works. Using Burp's Intercept feature you can catch this request before it reaches the server and edit that shit however you want.
![]()
The trick is to either remove the CVV field entirely:
Code:{"card_number":"4111111111111111","expiry":"12/25""billing_zip":"10001"}
Or replace it with an empty value:
Code:{"card_number":"4111111111111111","expiry":"12/25""cvv":"","billing_zip":"10001"}
If the merchants backend validation is garbage (and you'd be amazed how many major retailers fuck this up) the payment might still process. Some payment gateways configure CVV as "optional" rather than required, and lazy developers often dont enforce proper validation. Heck, I've seen shops before where you can even tamper and change the prices of the items you are checking out.
Other major retailers have similar vulnerabilities that Binners exploit to use their generated cards without any CVVs.
Altering Antifraud Request
Now that you understand the basics of interception let's step it up. We all know modern antifraud systems are sneaky motherfuckers. They inject JavaScript code into the pages you browse, silently collecting mountains of data about you. These scripts track everything from your device configuration to how you move your mouse.
Heres what these scripts typically gather:
- Browser fingerprints (user agent screen resolution, installed fonts)
- Hardware details (GPU info via WebGL rendering CPU cores)
- Mouse movements and click patterns (speed, jitter natural vs. bot-like paths)
- Typing rhythm (how fast you enter data, pauses between keystrokes)
- Whether you're using a headless browser or automation tools (Selenium etc.)
All this data gets packaged and sent to their servers (like m.stripe.com for Stripe or forter.com endpoints) where AI systems decide if youre legit or sketchy.
These systems know their data can be tampered with, so they try to hide it from prying eyes. They'll:
But heres the dirty truth: security through obscurity is about as effective as that 414720 you bought for $1. These systems must send data in a format your browser can process which means it's there for the taking if you know where to look.
- Base64 encode their payloads
- Use character swapping (like replacing a' with x' and vice versa)
- Obfuscate their JavaScript code
- Split data across multiple requests
- Use custom encoding schemes
Practical Example: Riskified in Booking.com
Lets get our hands dirty with Riskified, one of the more notorious fraud prevention systems that's been cockblocking carders left and right. Unlike some half-assed security measures this one actually has some teeth to it.
First, we need to set up interception rules in Burp Suite:
- Go to Proxy > Options > Intercept Client Requests
- Add a rule: AND domain name matches c.riskified.com
- Disable response interception
Now browse around the site and pick a flight and try getting to the checkout page and it will most likely connect first to:
After connecting here, it downloads the JS needed to fingerprint your system. This isn't casual data collection - it's a full digital cavity search that attempts to send everything about you to:
c.riskified.com
Since we've set up interception the fingerprint won't be sent to Riskified's servers. If you check the HTTP logs panel, you'll see it trying to send an obfuscated payload containing your digital DNA:
Deobfuscation
Anti-fraud sites obfuscate your fingerprint because if they didn't, tampering would be child's play. It's like hiding your house key - sure, it's still there but at least make the thief work for it.
Deobfuscating the code takes skill, but it's not rocket science. You just need to reverse engineer how the JS created the payload. For those of you whose IQ is below 70 just consult an AI. And if you're feeling like a smartass thinking it's just Base64 for Riskified (though a lot of them just use Base64 encode), it isn't:
But you know me, I love all of you so for this demo I've developed a tool to help deobfuscate fingerprints from popular antidetect solutions. For this demonstration, I've enabled Riskified but I'll be adding most anti-fraud providers soon.
So to make things easier, head to the anti-fraud deobfuscation tool in BinX and select Riskified, and paste our intercepted payload.
After deobfuscation your fingerprint data appears like an open book.
Code:{ "lat": 37.7749, "timezone": 240, "timestamp": "1689452187394", "cart_id": "7629384105", "shop_id": "cf.bstatic.com", "referrer": "https://secure.booking.com/", "href": "https://cf.bstatic.com/static/tag_container/tag_container/a077563c1795a773c91150dd19adefe98d13fd65.html", "riskified_cookie": "p8jkl352qxnrtyuvcbm7fds9ghzwe6", "color_depth": 24, "page_id": "9xzp4r", "shop": "www.booking.com", "hardware_concurrency": 8, "has_touch": true, "history_length": 7, "document_title": "Booking.com", "console_error": "console.memory is undefined", "battery_error": "Error getBattery()", "initial_cookie_state_0": "https", "initial_cookie_state_1": "persistent", "browser": { "productsub": "20030107", "is_opr": true, "is_firefox": false, "ev_len": 42 }, "os": { "cpu": "Windows NT 10.0", "platform": "Win32" }, "webgl": { "vendor": "Google Inc.", "renderer": "ANGLE (Intel, Intel(R) UHD Graphics 620, OpenGL 4.5)" }, "resolution": { "dpr": 1.5, "screenh": 1080, "screenw": 1920, "availh": 1040, "availw": 1920, "innerh": 900, "innerw": 1600, "outerh": 1040, "outerw": 1920 }, "date_string": "Fri Mar 25 2025 14:23:07 GMT-0400 (Eastern Daylight Time)", "intl": { "locale": "en-GB", "num_sys": "latn", "cal": "gregory", "tz": "America/New_York" }, "downlink_error": "navigator.connection is undefined", "nav_plu": "Chrome PDF Plugin,Chrome PDF Viewer,Native Client", "nav_lang": "en-GB", "page_language_data": { "page_language": "en", "has_translation": true }, "incognito": { "safari": true, "chrome_quota": 120, "service_worker_undefined": false, "is_brave": true } }
You can then make strategic edits to boost trust factors and align with your target profile:
Once you've made your changes, obfuscate that shit back and replace the payload in your interception dashboard and FORWARD the request.
This process links your fabricated fingerprint to your cookie. The system thinks you're just another legitimate customer instead of the digital con artist you truly are.
Conclusion
Manipulating antifraud systems with Burp Suite is like having a digital disguise kit. You're not just changing how you look - you're altering what the security cameras see. By positioning Burp between your browser and these systems you can feed them whatever fingerprint you want, without even using an antidetect.
Success depends on understanding exactly what these systems collect and how they interpret it. Analyze your Burp logs to study the antifraud requests before messing with them. Look for patterns in the JSON data. The more you understand what they're checking the more precisely you can manipulate it.
Remember: effective digital deception isn't about invisibility - it's about looking so normal they never think to look twice.
Keep in mind we have barely scratched the surface of what Burp Suite can do. This beast of a tool has dozens of modules and hundreds of features I haven't even touched on - from automated scanning to finding SQLi vulnerabilities to fuzzing endpoints. It's a complex tool that rewards those who invest time mastering it. I'll be covering more advanced techniques in future guides.
See you soon. d0ctrine out.
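The merchant-side control for the missing or empty CVV and the tampered price described in the post above, as an added example that is not part of the original post: the server treats an absent and an empty `cvv` the same, recomputes the amount from its own catalogue, and declines unless the gateway reports an explicit CVV match. The `items`, `sku`, `qty`, `total`, `approved` and `cvv_check` names and the catalogue are hypothetical, not any real gateway's API.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed catalogue (assumption): prices live on the server, never in the request.
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("120.00")}
CVV_RE = re.compile(r"[0-9]{3,4}")
REQUIRED = ("card_number", "expiry", "cvv", "billing_zip")


class CheckoutRejected(Exception):
    """Raised with a list of machine-readable rejection reasons."""

    def __init__(self, reasons):
        super().__init__(", ".join(reasons))
        self.reasons = reasons


def validate_checkout(body):
    """Validate a parsed JSON checkout body and return the charge to submit."""
    if not isinstance(body, dict):
        raise CheckoutRejected(["body_not_object"])
    reasons = []

    # 1. Every card field must be a non-empty string. A key stripped from the
    #    request and a key sent as "" are rejected the same way.
    for field in REQUIRED:
        value = body.get(field)
        if not isinstance(value, str) or not value.strip():
            reasons.append(f"missing_{field}")

    cvv = body.get("cvv")
    if isinstance(cvv, str) and cvv.strip() and not CVV_RE.fullmatch(cvv):
        reasons.append("malformed_cvv")

    # 2. Recompute the amount from the server-side catalogue; prices sent by
    #    the client are never read.
    items = body.get("items")
    total = Decimal("0")
    if not isinstance(items, list) or not items:
        reasons.append("empty_cart")
    else:
        for item in items:
            sku = item.get("sku") if isinstance(item, dict) else None
            qty = item.get("qty") if isinstance(item, dict) else None
            if (not isinstance(sku, str) or sku not in CATALOGUE
                    or type(qty) is not int or not 1 <= qty <= 99):
                reasons.append("bad_line_item")
                continue
            total += CATALOGUE[sku] * qty

    if reasons:
        raise CheckoutRejected(reasons)

    # 3. A client-sent total is never charged; a mismatch is kept as a signal
    #    for the fraud team instead of being silently ignored.
    signals = []
    if "total" in body:
        try:
            if Decimal(str(body["total"])) != total:
                signals.append("client_total_mismatch")
        except InvalidOperation:
            signals.append("client_total_unparseable")

    return {"amount": total, "require_cvv_match": True, "signals": signals}


def rejection_reasons(body):
    """Return the reasons a body is rejected, or [] when it is accepted."""
    try:
        validate_checkout(body)
    except CheckoutRejected as exc:
        return exc.reasons
    return []


def accept_gateway_result(result):
    """Fail closed: only an approval with an explicit CVV match is accepted."""
    return result.get("approved") is True and result.get("cvv_check") == "match"
```

The gateway check matters as much as the request validation: a gateway that approves with the CVV result "not provided" must be treated as a decline by the merchant.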
ww
oh yes fuck me
holy crap