ASM and targeted form exploitation
Hi,
I am looking for real-life experiences/advice related to protecting against very precise, automation-based form filling. The main point here is that the whole process is not violating any application logic, is not using fake data, and is not used to exhaust server resources. This is a completely legitimate transaction using real data to fill in the form. The people behind it are very skilled in circumventing any new protections. All built-in features of ASM/LTM are already deployed: security policies (not of great use, as there are not really any serious attacks launched), DoS profiles, Web Scraping (those are catching some attempts to auto-fill and post forms), connection limits on the virtual, etc. We are not talking about some generic bots or scripts used to detect forms and fill them with some crap data. All kinds of default challenges like redirect, JavaScript and captcha are circumvented very fast. I suspect that headless browsers are used for that (like PhantomJS or CasperJS), so mouse movements or keystrokes with randomization can be used here.
Any ideas/advice on what kind of additional protection can be used? Especially, how to reliably detect automation attempts using the mentioned headless browsers?
Piotr
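The following is an added example, not code from the post or from F5 ASM/LTM, illustrating the kind of client-side signal collection a page can perform to detect the headless browsers mentioned above (PhantomJS, and WebDriver-driven headless Chrome more generally). It takes the window object as a parameter so it can be exercised outside a browser; the sample window objects, the signal names, the weights and the 1500 ms submit threshold are all constructed for illustration. Every signal is a heuristic that a scripted browser can spoof, so the result is meant to be posted alongside the form (hidden field or header) and combined with server-side checks in a risk score, not used as a hard block on its own.

```javascript
// Added example: client-side headless-browser signal collector.
// `win` is the browser's window object (or a constructed stand-in in tests).
function collectHeadlessSignals(win) {
  const nav = win.navigator || {};
  const ua = String(nav.userAgent || "");
  const signals = [];

  // PhantomJS injects window.callPhantom and window._phantom into every page.
  if (typeof win.callPhantom === "function" || win._phantom !== undefined) {
    signals.push("phantomjs_globals");
  }
  // Default user agents of PhantomJS and headless Chrome identify themselves.
  if (/PhantomJS|HeadlessChrome/.test(ua)) {
    signals.push("headless_user_agent");
  }
  // WebDriver-driven browsers (Selenium, Puppeteer) set navigator.webdriver.
  if (nav.webdriver === true) {
    signals.push("navigator_webdriver");
  }
  // Real desktop browsers report at least one accepted language.
  if (!nav.languages || nav.languages.length === 0) {
    signals.push("no_languages");
  }
  // Headless Chrome builds have reported zero plugins; weak signal on its own.
  if (nav.plugins && nav.plugins.length === 0) {
    signals.push("no_plugins");
  }
  // A window with zero outer dimensions is typical of an unrendered context.
  if (win.outerWidth === 0 && win.outerHeight === 0) {
    signals.push("zero_outer_window");
  }
  return signals;
}

// Timing check: a human cannot render, read and submit a multi-field form in a
// few hundred milliseconds. Both arguments are millisecond timestamps.
// The 1500 ms default is an assumed, illustrative threshold.
function formFilledTooFast(renderedAt, submittedAt, minMs = 1500) {
  return submittedAt - renderedAt < minMs;
}

// Illustrative weights (assumed); strong browser-identity signals outweigh
// weak environment signals so that a single weak one never trips a block.
const WEIGHTS = {
  phantomjs_globals: 5, headless_user_agent: 5, navigator_webdriver: 5,
  no_languages: 2, no_plugins: 1, zero_outer_window: 2, fast_submit: 3,
};
function riskScore(signals) {
  return signals.reduce((sum, s) => sum + (WEIGHTS[s] || 0), 0);
}

// Constructed sample windows (not captured from real traffic).
const PHANTOM_LIKE_WINDOW = {
  callPhantom: function () {},
  _phantom: {},
  navigator: {
    userAgent: "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 PhantomJS/2.1.1 Safari/538.1",
    languages: [],
    plugins: [],
  },
  outerWidth: 0,
  outerHeight: 0,
};
const NORMAL_WINDOW = {
  navigator: {
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    languages: ["en-US", "en"],
    plugins: [{ name: "PDF Viewer" }],
    webdriver: false,
  },
  outerWidth: 1280,
  outerHeight: 800,
};

// Full evaluation as it would run at submit time: signals plus form timing.
function evaluateSubmission(win, renderedAt, submittedAt) {
  const signals = collectHeadlessSignals(win);
  if (formFilledTooFast(renderedAt, submittedAt)) signals.push("fast_submit");
  return { signals, score: riskScore(signals) };
}

// In a page this would be wired up roughly as follows (browser-only, hence
// guarded so the block also runs under Node):
if (typeof document !== "undefined" && document.forms && document.forms[0]) {
  const renderedAt = Date.now();
  document.forms[0].addEventListener("submit", (ev) => {
    const result = evaluateSubmission(window, renderedAt, Date.now());
    const field = document.createElement("input");
    field.type = "hidden";
    field.name = "client_signals"; // assumed field name, evaluated server-side
    field.value = JSON.stringify(result);
    ev.target.appendChild(field);
  });
}
```

The hidden `client_signals` value is only useful if the server treats it as untrusted input and cross-checks it (for example against the request's own User-Agent and Accept-Language headers) before adding it to its risk score; a skilled operator who has already defeated JavaScript challenges will eventually forge it, which is why the timing and server-side checks are kept separate from the browser fingerprint.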