Eugene Zhang

Validating and Enforcing End-User Workflow for a Web Application

Blog Post created by Eugene Zhang Employee on Dec 22, 2014

Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. One example of workflow control system is breadcrumb navigation control. It shows users which step they are on, which steps they've completed, and which steps they have yet to complete. It allows them to navigate to next step and previous steps, but does not allow them to click on future steps to skip ahead.


Bots are most of the time after specific information and will usually not follow the typical web flow from a normal user. For example, sites that provide tickets and/or reservations are often the target of such abuse. Botnets are employed against entertainment event-ticketing sites to buy concert seats. These seats are often merely bought by ticket brokers, who resell the tickets at an inflated price. They employ scripted bots to automate the purchasing/reservation process. The bot runs through the purchase process and obtains seats by grabbing as many seats as it can within a very short period of time. A bot client can complete high-speed transactions in fractions of a second and outcompete human clients. In this way, ticket brokers are able to unfairly obtain seats for themselves while depriving the general public from having a chance to obtain seats (or at least the more desired seats).


This solution to provide a method to detect and address such abuses by validating and enforcing a workflow on web application users. It utilizes a set of transparent challenges (e.g., cookie support, client JavaScript execution, etc.) to provide identification of the client (human or bot, "good" or "bad"). Therefore it can deny clients that bypass certain steps in application logic attempt to reach end point.


The system flow diagrams below illustrates major components of this solution.


  • Workflow Definition Engine

            - flexible definition of many-to-many source and designation mapping

            - Work definition can be store in variety ways    

  • Client Request Validation

            - Validates the incoming request conforms to defined workflow policy

            - Inspect digital fingerprint to detect potential request forgery

  • Secure Navigation Session Management

            - Manages session by construct and reset secure navigation session cookie

  • WAF/Reporting Integration

            - When detecting abuse, trigger WAF event to deny request and serve counter measure

            - Send beacons to SIEM and reporting engine

Screen Shot 2014-12-22 at 12.38.40 PM.png


Solution Highlights


- Provides mechanism to enforce client to execute designed/required web page flow by stepping through mandatory steps

- Provides flexible control of define many-to-many source/destination associations.

- Use a combination of client and server computation methods to identify bot signature

- Implementation of time-based secure fingerprint to prevent referrer spoofing or URL deep linking.

- Full integration with other products such as WAF and Cloud Monitor

- Client/Device agnostic, this solution can be deployed on edge with no client/server side custom logic





- It wouldn't be impossible for a bot operator to bypass the control by updating his script to follow the expected workflow. But this solution would help raise the bar and discourage the least persistent attacker and confuse more motivated attackers by sending a response that doesn't necessarily indicate that the request was intercepted.

- The feature may not be appropriate for some web site or for some market such as Europe where cookie is tightly regulated.


Contact Akamai Professional Services today to arrange a technical call to discuss how Akamai can help protect your application and make it scale.

This is a post from Patrice Boffa, senior director of global service delivery, and Eugene Zhang, senior enterprise architect at Akamai.