Cookies and Web Scraping

Share this post

02Jun

Cookies and Web Scraping

Case Studies

Welcome to the Ntrepid Podcast, Episode #4.

My name is Lance Cottrell, Chief Scientist for Ntrepid Corporation.

In this episode I will be talking about how cookies and other information you provide can impact your web scraping success.

When setting up a web scraping process, many people’s first instinct is to remove as much identifying information as possible in order to be more anonymous. Unfortunately, that actually can make you stand out even more, and cause you to be quickly flagged and blocked by the websites against which you are trying to collect.

Take cookies for example, the best known and easiest to remove identifiers. While they can be used to track visitors, they are often required for the website to function correctly. When a website tries to set a cookie, either in the response header or in JavaScript, that cookie should be accepted and returned to the website.

That is not to say that you should let them hang around forever, and therein lies the art. The key is to keep them around for a moderate number of queries, but only a number that a human might reasonably be expected to do in a single sitting.

Cookies need to be managed in concert with many other identifiers, and changed together between those sessions. The most important identifier after cookies are IP addresses. It is particularly important that these change together. Many websites will actually embed a coded version of the visitor’s IP address in a cookie, and then in every page, check that they still match. If you change IP mid stream while keeping the cookies, the website will flag your activity, and is likely to return an error page or bounce you back to the home page without the data you were looking for.

When switching to a new session, we suggest going back to an appropriate landing page, and working down through the website from there. Some websites will set a cookie on their landing pages. If they don’t see it when a visitor hits a deep page, it is evidence that the hit is from a scraper, and not from a real person who came to the website and navigated to that page.

When you change sessions, it is also a good time to change your browser fingerprint. Browsers and OS versions, supported languages, fonts, and plugins can collectively create an almost unique identifier of your computer. Changing these slightly between sessions reduces the likelihood of being detected and blocked.

Finally, you can get tripped up by the information that you explicitly pass to the target website. Many scraping activities require filling out search fields or other forms. We had one situation where a customer was tripped up because they used the same shipping zip code for every query. That zip became so dominant for the website that they investigated and discovered the scraping activity.

It is important to avoid detection if at all possible because it keeps the target at a lower level of alertness. Once they are aware of scraping activity, they are more likely to take countermeasures, and to look more carefully for future scraping. Staying below the radar from the start will make things much easier in the long run.

For more information about anonymous web scraping tools, best practices, and other Ntrepid products, please visit us on the web at ntrepidcorp.com, and follow us on Facebook, and on Twitter @ntrepidcorp.

You can reach me by email with any questions or suggestions for future topics through my email at lance.cottrell@ntrepidcorp.com.

Thanks for listening.

Related Posts

An image of a person on their phone, representing access of the Clubhouse feature.
28Sep

Clubhouse: Drop In and Speak Your Mind 

Clubhouse is an audio-based social app, originally built like an exclusive club, accessible on an iPhone by invite only. Today,... read more

An image of a laptop with a skull on the screen, representing an image of the dark web.
25Mar

OSINT Techniques Series: Avoiding the Bugged Website

The risk of human error remains the greatest liability to national security organizations. Our OSINT techniques blog series aims to... read more

A map representing Geolocation and image OSINT.
10Mar

OSINT Techniques Series: A Geolocation Case Study

For many analysts, the OSINT process starts with a request for information (RFI), which results in analysts immediately collecting as... read more

law enforcement vehicle with flashing lights
20Oct

Case Study: Managed Attribution for OSINT Operations

Code Name Osian Osian’s mission is to conduct online research, gathering OSINT to build a narrative about groups of interest. Prior... read more

man with glasses looking at a computer screen with blue overlay
15Jul

Mobile Operations Disclosed: A Case Study

Mobile devices have simplified how users access web-based services. Smartphone owners have a constant connection to the internet in their... read more

An image of a graph
17May

The Hidden Tracking Power of Metadata

If data is online information, then metadata is how this data is described. Metadata gives an overview of an item’s... read more

An image of a magnifying class and data, representing end of data tracking by third-party cookies.
31Mar

The Future of Ad Tracking

Google, Apple, and Firefox are each shutting down support for third-party cookies—also known as “tracking cookies”—citing an increased need for... read more

22Dec

Breaking Down the OSINT Cycle

Transforming open source data into intelligence, or OSINT, has become increasingly complex over the last decade. Although more open sources... read more