For market

It was found that both the application and the API accept add-to-basket requests even from an unauthenticated user. An attacker can therefore manipulate goods and immediately "buy them up".

After any item is added to the basket, the application launches BotProtection, which collects behavioral patterns and sends them to the bp.site.ru server.

Then, a set time after the item was added, the online shop queries the site by identifier for the result of processing the behavioral pattern. There are several scenarios:

  • The percentage is close to 0: this identifier is most likely a person;

  • The percentage is close to 100: this identifier is most likely a bot;

  • null: the user did not pass the Bot Protection "challenge" (most likely the client added the goods directly through the API).

The server then decides what to do with the item: leave it in the basket or remove it. This lets the company respond quickly to possible DDoS attacks and prevents bots from manipulating its goods.
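The flow described above, as an added worked example; this is illustration code, not the shop's or the Bot Protection vendor's own. It assumes the shop side is written in Python, that the result lookup is a callable returning a percentage or `None` (standing in for the query to bp.site.ru), and that "close to 0" and "close to 100" are cut-offs of 20 and 80; the middle band (`INCONCLUSIVE`) and the authentication check in `add_to_basket` are assumptions added to cover the first finding and the unspecified range between the two thresholds. The sample results are constructed.

```python
"""Gating basket items on a Bot Protection score (added example, assumed names)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional


class Verdict(Enum):
    HUMAN = "human"                # score close to 0
    BOT = "bot"                    # score close to 100
    NO_CHALLENGE = "no_challenge"  # null: the challenge never ran (e.g. direct API call)
    INCONCLUSIVE = "inconclusive"  # assumed middle band; the page lists only three cases


class BasketAction(Enum):
    KEEP = "keep"
    REMOVE = "remove"


# Assumed cut-offs for "close to 0" and "close to 100".
HUMAN_MAX = 20.0
BOT_MIN = 80.0


def classify(score: Optional[float]) -> Verdict:
    """Map the raw Bot Protection result to a verdict; None is its own case."""
    if score is None:
        return Verdict.NO_CHALLENGE
    if not 0.0 <= score <= 100.0:
        raise ValueError(f"score out of range: {score!r}")
    if score >= BOT_MIN:
        return Verdict.BOT
    if score <= HUMAN_MAX:
        return Verdict.HUMAN
    return Verdict.INCONCLUSIVE


def decide(verdict: Verdict) -> BasketAction:
    """Server-side decision. A missing result is treated like a bot verdict,
    because the client reached the basket without running the challenge."""
    if verdict in (Verdict.HUMAN, Verdict.INCONCLUSIVE):
        # Assumption: fail open for shoppers in the ambiguous band.
        return BasketAction.KEEP
    return BasketAction.REMOVE


@dataclass
class Basket:
    user_id: str
    items: Dict[str, str] = field(default_factory=dict)  # add-identifier -> SKU


def add_to_basket(session_user: Optional[str], basket: Basket, sku: str, identifier: str) -> bool:
    """Reject the unauthenticated add described in the finding: the request
    must carry a session that owns this basket."""
    if session_user is None or session_user != basket.user_id:
        return False
    basket.items[identifier] = sku
    return True


ResultFetcher = Callable[[str], Optional[float]]


def resolve_basket_item(basket: Basket, identifier: str, fetch_result: ResultFetcher) -> BasketAction:
    """Called once the set delay has elapsed: ask Bot Protection for the
    identifier's result and keep or remove the item accordingly."""
    action = decide(classify(fetch_result(identifier)))
    if action is BasketAction.REMOVE:
        basket.items.pop(identifier, None)
    return action


# Constructed stand-in for bp.site.ru responses, keyed by add-identifier.
FAKE_RESULTS: Dict[str, Optional[float]] = {
    "add-001": 3.0,    # human-like
    "add-002": 97.5,   # bot-like
    "add-003": None,   # challenge never ran
    "add-004": 55.0,   # ambiguous
}


def fake_fetch(identifier: str) -> Optional[float]:
    return FAKE_RESULTS.get(identifier)


def demo() -> Dict[str, str]:
    """Run the four constructed adds through the flow and report the outcome."""
    basket = Basket(user_id="u42")
    outcome = {}
    for ident, sku in (("add-001", "sku-A"), ("add-002", "sku-B"),
                       ("add-003", "sku-C"), ("add-004", "sku-D")):
        add_to_basket("u42", basket, sku, ident)
        outcome[ident] = resolve_basket_item(basket, ident, fake_fetch).value
    return outcome


if __name__ == "__main__":
    print(demo())  # add-001 and add-004 stay, add-002 and add-003 are removed
```

Treating `null` as a removal rather than a pass is the security-relevant choice: a client that skipped the challenge by calling the API directly must not end up in a better position than one that ran it and scored as a bot.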
