How OpenBullet is used to attack websites, and how to block it.

OpenBullet is an automation suite intended to be used for scraping and parsing data, automated pentesting, and much more. It is used by bot developers to perform automated attacks such as credential stuffing. OpenBullet is released under an open source MIT license on Github, and it is currently in its second version.

Is OpenBullet popular?

As of March 2023, OpenBullet2 had more than 1.1K stars and was forked ~370 times on Github.

It does not require programming knowledge to perform simple actions, which makes it uncomplicated to install and use. Several different configurations—sequences of actions to perform activity (such as scraping) on a website—can be found online. Therefore, OpenBullet is typically used by  people who want to create bots but lack strong programming knowledge.

When OpenBullet is used to create automated sequences of actions to perform on a website, the possible actions depend on the framework and library used. We can distinguish three types of actions:

1. Browser Actions: Open the browser, open tabs, maximize and minimize the browser window, etc.
2. Page Actions: Visit a page, get page attributes, clear or set cookies, click on elements in the page, take a screenshot, etc.
3. Element Actions: Get or set element attributes, click on them, check if they’re enabled, write in text forms, and more.

Some fraudsters that use OpenBullet prefer it because its configurations can be exported and shared freely. Several forums publish configurations for credential stuffing or scraping online, and some of the most advanced configurations are even for sale. In fact, ready-to-use configurations are easier to find than guides on how to use the software, which could indicate that most OpenBullet users do not have advanced knowledge of the software and depend on others’ work to scrape websites.

For example, a web search on hacking forums shows how easy it can be to obtain an OpenBullet configuration for popular websites and mobile applications:

The software has become so common in the credential stuffing community that some scam websites try to sell it, even though it can be found for free on Github.

How does OpenBullet differ from other types of testing suites or automation frameworks?

The big difference is in the ease of use. Everything can be done in visual mode in OpenBullet—meaning there’s a simple UI to work with, rather than lines of code. This appeals to people who would otherwise be limited by their programming knowledge.

Nevertheless, OpenBullet also provides a kind of high-level programming language that can be used to fine-tune some operations. It does not offer the same level of configuration that a bad actor would have working directly with the frameworks it is based on, but it’s enough to cause trouble for most of the web.

What makes OpenBullet dangerous?

Ease of Use

The simple UI helps non-programmers build automations for all kinds of web attacks, such as scraping and credential stuffing.

Free Configurations Available on the Web

Anyone who wants to perform an attack can likely find a configuration that works for their purposes.

Integrated CAPTCHA Solver

Even the most simple configurations include a tool to solve traditional CAPTCHAs, as well as integrations with CAPTCHA farms. For websites that only use traditional CAPTCHAs to protect against bots and fraud, even though they’ve proven unreliable for bot protection, this tool makes accessing even “protected” websites easier.

How do attackers use OpenBullet?

Installation

OpenBullet is straightforward for fraudsters to install. On Windows, they only need to download the executable and launch it—and it only requires ASP.NET Core. After the first launch, a setup page is presented to choose the language and configure remote access.

OpenBullet also offers a native Windows client, which is more responsive but lacks some features. 

How easy is it to set up an attack?

First, an attacker would need to create or import a configuration. A configuration requires some settings to manage the bot behavior. Then, attackers can configure proxies to distribute their attacks across thousands of IP addresses, which enables them to hide their real IP addresses and avoid traditional rate limiting techniques present on most login forms and APIs. Attackers can also set low-level Puppeteer and Headless Chrome options to avoid basic blocking software.

OpenBullet also has a series of integrations to make attacks like credential stuffing easier—by adding new credentials to test and saving valid credentials on their device of choice, for example. Once the attacker’s configuration is complete, they can set it to run automatically for as long as they want.

How to detect OpenBullet?

Signature- and Fingerprint-Based Detection

We can block the usage of OpenBullet by detecting and blocking the frameworks on which it is based.

OpenBullet relies on well-known bot automation libraries and frameworks to provide different functionalities and different level of customization:

• Requests is a Python module that makes simple HTTP requests with forged attributes, such as headers and cookies. It is scalable and dangerous on websites protected by traditional CAPTCHAs, because bots can leverage external CAPTCHA farm services to bypass them. However, it is not very effective on highly protected websites and mobile applications.
• Selenium is a browser automation framework originally developed to test web applications. It can interact with a web service like a real user: filling out forms, clicking on buttons, and more—which helps malicious actors hide their bots behind a “human” behavior mask. Selenium automation can be paired with code that analyzes a web page and decides what actions to take, and its support for many programming languages make it very common among bot developers.
• Puppeteer is a node.js library that allows developers to control Chromium-based browsers like Google Chrome and Microsoft Edge. Its functionalities overlap almost completely with Selenium, but Puppeteer is lighter and much faster, allowing it to run a lot more parallel requests. For an experienced JavaScript developer, this tool might also represent easier access to bot development.

DataDome analyzes and monitors each bot automation framework to be sure they’re always properly blocked in real time every time.

Behavioral Detection

By default, OpenBullet does not try to simulate human behavior, which must instead be done by the bot developer. When analyzing configurations present online, we noticed that most of them do not implement any fake human behavior features. However, it is possible to do with OpenBullet features, since users can execute ad hoc JavaScript code.

When it comes to behavioral analysis, we distinguish between two categories of behavioral signals:

1. Client-Side Behavioral Signals: Signals related to mouse movements, typing speed, etc. are collected on the client side using JavaScript code, or using an SDK on mobile applications.
2. Server-Side Behavioral Signals: These signals are related to the time series of requests made by a user (how quickly they’ve made requests on web pages), as well as the browsing graph (what URLs they’ve visited). With server-side signals, we can monitor the behavior of a user session (based on the cookie) for suspicious actions. Is the user changing IP addresses or user-agent? Are they requesting only a single type of resource, or making many more requests than the average user? The same type of analysis can also be applied on the IP address granularity: How many users can we see behind an IP address on average? What kind of browsers do they use?

Reputational Detection

To perform a large number of requests and try to escape behavioral detection (not only linked to IP addresses), bot developers often use proxies. Proxies can be located in a data center, or on real-user devices (residential proxies). Thus, when an attacker uses proxies, it enables them to distribute their attack to make it look like it’s coming from a lot of devices.

Knowing whether or not a request originated from a proxy is key to detecting distributed attacks.

How to Protect Yourself From Fraudsters Using OpenBullet

Attackers are most likely to use OpenBullet for credential stuffing attacks. Protecting your website, mobile application, and/or API from credential stuffing attacks usually involves several layers, including: 

1. Strong password generation.
2. Not reusing the same password on multiple websites.
3. Using multifactor authentication (MFA).
4. Protecting your login with advanced, real-time bot detection (fingerprinting, behavioral analysis, IP/session reputation).

While some layers can be visible in your UI or require input from users, others (like advanced bot protection) can be completely seamless for end-users, collecting detection signals in the background and challenging users only when needed. In general, the best way to stop bot attacks is to have an effective solution that stops bots at the first request every time. The same goes for attacks perpetrated by OpenBullet’s automation framework. 

Conclusion

OpenBullet is an automation suite, used by malicious actors for credential stuffing and other attacks. It is based on well-known frameworks (Puppeteer, Selenium, requests, etc.), but does not add any detection bypass features to the frameworks. On the contrary, if bad actors want to do something more advanced, they need to code directly in one of the more low-level frameworks.

OpenBullet’s purpose and popularity lies in the fact that it helps users who don’t know anything about scripting to write bots. While it can be detected by most anti-bot vendors, it should not be underestimated—OpenBullet’s ease of use and free ready-to-use attack configurations make it an attractive choice for supporting malicious activity on less-protected websites. However, advanced bot developers are more likely to rely on the frameworks OpenBullet is based on, like Puppeteer and Selenium, to build their own custom bots.

For more info about how DataDome blocks bad bots before they can access your website, app, or API, try a 30-day free trial or book a demo.