abrahamjuliot / creepjs

Creepy device and browser fingerprinting
MIT License
1.57k stars 195 forks source link

just opening one for my research on bot detection and stuff #190

Open vis2021t opened 2 years ago

vis2021t commented 2 years ago

I looked over the tls fingerprinting, You talked about but there is something I read at akamai research where they stated that bot are able to bypass to get on gud side :- https://www.akamai.com/blog/security/bots-tampering-with-tls-to-avoid-detection

I came across a 2 step tls fingerprinting but I lost that pdf 🥲🥲 dammit

Will try to find it but do u know about it?

abrahamjuliot commented 2 years ago

True, bots can still bypass it. I have some good resources. Have not heard of the 2 step.

vis2021t commented 2 years ago

True, bots can still bypass it. I have some good resources. Have not heard of the 2 step.

Everything is bypassable in the world of Javascript well Thanks for resources I am looking into them just now

vis2021t commented 2 years ago

1-s2 0-S0167404821003990-ga1_lrg

I found this chart which maybe something of our interest

vis2021t commented 2 years ago

I was wondering to look over CVE for specific browser and it's version,

If for demo purpose we can proceed ahead and identify too much info on the device/browser

I know it's actually creepy but comeon it's in the name too lol

It's not a bad idea u know We can identify many things if we play well but I'm not sure it's a gud idea to implement but it's a definitely gud section to look still not sure for implementation.

What do u feel?

abrahamjuliot commented 2 years ago

Not a bad idea. Maybe start with a test page. What I sometimes do is begin with a test page and experiment/research there. If we get stable results, we can release on the main page. If it has good performance and good fingerprinting, we can implement it in the main fingerprint.

Platform lies part of bot lies

I like this idea. I will look into it.

vis2021t commented 2 years ago

I am really interested in chrome://chrome-urls/ There are many thing which can make things go really really really deep

++ I am looking over cve which can verify the browser version for us but I was thinking over more of the section of bot detection, hmm and yea I saw there are Many features which are not supported in Chrome android at the section of Chrome flags there is a section for what is not supported on my device maybe can be something of notice? I guess So maybe we can look Into it

abrahamjuliot commented 2 years ago

This one is interesting… till it gets patched. In Chrome, it can be used to validate if a device is really on macOS.

https://developer.mozilla.org/en-US/docs/Web/API/Web_Share_API#api.navigator.canshare https://bugs.chromium.org/p/chromium/issues/detail?id=1144920

vis2021t commented 2 years ago

See I told u Cve and bugs are great place for us to look even if it will be patched for later versions it will still be there for people who don't usually update ( I was one of them ) And I know many who don't update

vis2021t commented 2 years ago

Btw Do u have anything in mind for bot detection ahead?

I mean in the end Creepjs is a bot detection repo sort of itself,

from the section of lies till loosing their expected features

So I was curious if u had something in research lately

Note:- Android and iOs devices never come with Angle as their gpu if they are real, Google emulator Friendly web test had the same thing and I have seen it only in bots till yet when it comes to these 2 os,

It can be a small point

I mean Imagine seeing intel as the gpu of Android device user 😂 aah dude nevermind just want to convey that hardware filter are an essential parts in gpu to

combining confidence methodology it can be a gud charm

vis2021t commented 2 years ago

I think I will love to go ahead at bugs amd cve section for creepjs Look at this:- 😈

This place is really a treasure for us

Screenshot_20220714-105929_Kiwi Browser

vis2021t commented 2 years ago

mmm don't u think we should bring up geckodriver too in headless section as Till yet it is focused on chromedriver

abrahamjuliot commented 2 years ago

Good idea. We should absolutely include geckodriver and more.

abrahamjuliot commented 2 years ago

bot detection and research

Nothing on my mind, atm. But, ideas are welcome.

gpu hardware filter

This is on my mind. I've been slow to get to it. We should definitely look out for GPU lies in reported mobile devices. Samsung Xclipse 920 has Angle, but I think we can determine Angle is not iOS.

vis2021t commented 2 years ago

bot detection and research

Nothing on my mind, atm. But, ideas are welcome.

gpu hardware filter

This is on my mind. I've been slow to get to it. We should definitely look out for GPU lies in reported mobile devices. Samsung Xclipse 920 has Angle, but I think we can determine Angle is not iOS.

mm but expect that device almost every device comes with real like mediatek helio or Qualcomm

vis2021t commented 2 years ago

Hi, was busy with something well let's get back to research

I found something interesting to look at:-

https://github.com/mdn/content/pull/6849

vis2021t commented 2 years ago

https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=927531

found something to look at

it's regarding 2 step tls fingerprinting

abrahamjuliot commented 2 years ago

Nice. I wonder if TLS fingerprint is distinct on mobile devices vs desktop. I presume no.

vis2021t commented 2 years ago

Do u have a report of what is the top 5 browser version Creepjs usually gets to see

I am curious if people use older version as there are bugs and vulnerability if old one is there _ that might be an interesting approach if we go in ethical way

abrahamjuliot commented 2 years ago

It depends on the date, but the top 5 versions usually consist of versions at or near the latest stable releases of Blink, Gecko, and WebKit. Here's yesterday, for example:

image

We do get a lot of older browsers, though. The window test page contains a pool of browser versions seen in the last 40 days.

I'm sure we would see even older browsers if the code was geared for ES5. Right now, the target is ES2019.

vis2021t commented 2 years ago

found something

Navigator.connection.type only there for android and ios

can be a part as it is something quite not people hide

if windows and Linux it's not there they says privacy issues........ Like they gave it to android and ios well better for us enj0y

abrahamjuliot commented 2 years ago

Nice. I plan to add this. Looks like type is only on Android and Chrome OS, but we could use this to determine if a device is really Android/Chrome OS. There are a lot of interesting ways this API can be used for fingerprinting. These are also in client hint headers.

https://wicg.github.io/netinfo/#privacy-considerations https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#network_client_hints

rtt in Headless Chrome is 0, but I'm not sure if that is always the case and exclusive to headless.

vis2021t commented 2 years ago

I wanna test the networkinformation type to Google mobile friendly display test

I think majority of the big brand bots uses simulation instead of emulation so it could be a part in terms of bot who are stating to be android but They are not , can be considered as suspicious by us

I am currently learn typescript for js as we are switching at that

I will explore Navigator more deep into every inner parts of it

vis2021t commented 2 years ago

What is your net speed hope it's not in gbps lol rtt? I checked on my chrome browser ( Kiwi browser [ Android Chromium based browser with pc dev tools ] to look at navigation.connection and research )

here is my result:- Screenshot_20220807-065732_Kiwi Browser

abrahamjuliot commented 2 years ago

I need to test more in Kiwi. Here's Chrome canary

image

Chrome OS

image

vis2021t commented 2 years ago

mm I wonder if brave mobile is different from normal brave in a way

I wasn't aware of jsconsole.com so I was using this for other browsers

javascript:(function () { 
    var script =  document.createElement('script');
    script.src="//cdn.jsdelivr.net/npm/eruda"; 
    document.body.appendChild(script);
    script.onload = function () { 
        eruda.init() 
    } 
})();
vis2021t commented 2 years ago

I need to test more in Kiwi. Here's Chrome canary

Does it mean headless rtt is 0 as a special case?

I tested on Chrome, Brave, Kiwi , Chromium on both Android and Windows and Linux

All results are more than 0 in rtt normally

abrahamjuliot commented 2 years ago

Does it mean headless rtt is 0 as a special case?

I imagine 0 is very rare. I read somewhere that 0 was seen in some Edge browsers. Not sure if that is accurate, though. 0 could be a result of dev tools network emulation or other rare network patterns. I have a commit incoming soon that will include network info and more.

abrahamjuliot commented 2 years ago

I did some research on 192.168... and it seems to be exclusive to home WIFI networks. Something very interesting is the first set of characters following candidate:... is a hash string that actually contains the base IP address, but only on the host connection and only in Chrome and more recent versions of Safari.

Here's the ComputeFoundation function in the Chromium source code which contains this method, base_address.ipaddr().ToString().

the draft outlines the computation in greater detail (section "5.1.1.3. Computing Foundations") https://datatracker.ietf.org/doc/id/draft-ietf-ice-rfc5245bis-16.txt

vis2021t commented 2 years ago

I imagine 0 is very rare. I read somewhere that 0 was seen in some Edge browsers. Not sure if that is accurate, though. 0 could be a result of dev tools network emulation or other rare network patterns. I have a commit incoming soon that will include network info and more.

Hmm what can we do I think we can take it as a suspicious point maybe

if it's unusually rare, it can be a thing, but I'm not sure if we should

it's sort of similar to :- likeHeadless one in our creepjs we can do likeUnusal or something

abrahamjuliot commented 2 years ago

Good idea. Added to like headless.

image

vis2021t commented 2 years ago

Good idea. Added to like headless.

I wanna ask u something

Explanation regarding Phantoms and Behemoths

I want to deeply understand to explore things deeper

One more info In brave I noticed one the thing :- Screenshot_20220809-151056_Brave

vis2021t commented 2 years ago

I forgot to tell prefers light theme is in literally all my normal fresh install browsers ( Chrome , Kivi etc)

abrahamjuliot commented 2 years ago

Phantoms and Behemoths

I might need to change the names. These are just nested iframes. I had too much fun naming these. At one point, I think I had one called dragonOfDeath, which was the final boss. They're useful to catch and bypass anti-fingerprinting scripts that don't patch all frames, and then when all frames are patched, we can trap them with JS tampering detection.

prefers light

I think it's good as a light hint to headless. If headless mode is enabled, it will use the light color preference and a standard set of CSS system colors, even if the system dark mode is on or color contrast settings are changed. However, the dark/light preference can be overridden with the DevTools protocol.

abrahamjuliot commented 2 years ago

DuckDuckGo Privacy Browser on Android returns 0 for rtt, and removes window.chrome.

vis2021t commented 2 years ago

Phantoms and Behemoths

I might need to change the names. These are just nested iframes. I had too much fun naming these. At one point, I think I had one called dragonOfDeath, which was the final boss. They're useful to catch and bypass anti-fingerprinting scripts that don't patch all frames, and then when all frames are patched, we can trap them with JS tampering detection.

...... LoL, What about workerscope, I have seen u mentioning It's hard to tamper with shared ones, do u have deep info on then?

vis2021t commented 2 years ago

DuckDuckGo Privacy Browser on Android returns 0 for rtt, and removes window.chrome.

Hmm maybe that Browser have some other clues

I will look deep don't worry

vis2021t commented 2 years ago

Phantoms and Behemoths

I might need to change the names. These are just nested iframes. I had too much fun naming these. At one point, I think I had one called dragonOfDeath, which was the final boss. They're useful to catch and bypass anti-fingerprinting scripts that don't patch all frames, and then when all frames are patched, we can trap them with JS tampering detection.

What are all the bypasses we have I'm aware with all the types of iframes which we used ( which I now understand how they works )

are there more? or do u have any other methodology in mind

vis2021t commented 2 years ago

In duckduckgo privacy browser, I saw there are Many features few core info undefined such as in navigator UserAgentData is missing etc

abrahamjuliot commented 2 years ago

workerscope

Most of what I've gathered about workers is from the specification and MDN docs. Service and shared workers are great because they are unaffected by Dev Tools, so we can get the true platform and version there. However, it is possible to intercept these scopes (so I've heard), but it requires JS tampering which we can detect. I have a few concepts here. In Chrome, we can do a lot of fingerprinting there. Canvas and WebGL are limited to offscreen. I'm not certain the offscreen rendering yields the same hardware/gpu entropy (I don't think it does), but we can still get platform and version entropy from text and emojis.

That reminds me, I have a PC with dual graphics drivers and for some reason Brave defaults to the NVIDIA GPU and all the other Chromium browser including Edge use the INTEL CPU (which I think is more efficient). I noticed that the Canvas hashes are distinct for each graphics driver. Maybe we can estimate and predict the WebGL GPU brand based on the canvas paint rendering (with or without fonts).

bypasses

Iframes and workers give great bypasses. Getting the same value from a different API is one of the other bypasses. On mobile devices, we can get near the same entropy as screen resolution by detecting the window size. We can also measure platform fonts and unicode characters in many ways. Some scripts attempt to spoof the canvas API, but not the Offscreen Canvas API. Another method is to catch attempts to fake values and, instead of bypassing the value, generate higher entropy from their unique behavior. This greater fingerprint would not be accessible had they given us the true value.

vis2021t commented 2 years ago

I see, I understood well.

Currently I am looking over Web assembly, just to see Maybe this new section give something sneaky information to us

and also I haven't got time over trying to improve my browser js bugs collections well I will be looking soon

vis2021t commented 2 years ago

Hi, I am a little unsure if the proxy one is working.

it says 21 errors with 10%lag without vpn

and stays same using a vpn on android,

is it like desktop only?

abrahamjuliot commented 2 years ago

I think I may have caused some confusion in the name Proxy. It detects use of the JavaScript Proxy object, here. It's commonly used on Function.toString to hide developer code leaks. There's also a misconception that proxy objects cannot be detected, but they leak unique. Depending on how they are implemented, they are also very slow on performance.

In the test, we generate a series of errors. The hash will turn red if the errors are unknown. Works on mobile and desktop. I plan to add descriptions to the test to better outline what's going on.

abrahamjuliot commented 2 years ago

This article is a great explainer to leaks that Function.toString causes

https://adtechmadness.wordpress.com/2019/03/23/javascript-tampering-detection-and-stealth/

vis2021t commented 2 years ago

I was just looking around at Google mobile friendly test

Screenshot_20220816-092803_Kiwi Browser

abrahamjuliot commented 2 years ago

Google mobile friendly test

Looks good, as long the hash is not red.

intel as the gpu of Android

I noticed some Android emulators can utilize desktop GPUs like NVIDIA and Intel, but we could flag it as "moderate" confidence instead of "high" (I'm not sure about Intel on iPhone being possible). I wonder if Apple on Android is possible.

vis2021t commented 2 years ago

yes we should actually for gpu, it will make things look more accurate, Apple on android hmm Kernal changing, and much more thing is required but It require many hardware changes which I don't think so u would see, being honest It is possible but need a lot of changes, and I mean a lot

there are hardware and software differences, Apple is expert in creating an ecosystem which can't be accessed by others and its closed source too with many os level restrictions, as u may know even jail break have restrictions ( jailbreak is like root access at ios )

abrahamjuliot commented 2 years ago

Interesting, looks like Android emulator works on M1. Found the no longer needed preview here.

I got Android Subsystem running on Windows 11 (Microsoft WebGL vendor). Google Search on WebView is available (Chrome 101). window.chrome and Web Share API are absent and I'm now seeing WebView unsupport is noted on MDN🙃. rtt is 0. 😭

I might change the headless hints to exclude Android from the mix, but my only concern is that it will be easy to fake being Android. Maybe just leave as is and highlight that these are only hints.

vis2021t commented 2 years ago

hmm, I am not sure but my android phone webview support those things:- ( My default browser is Kiwi so I think the default main browser matters here maybe the emulator u were using didn't had any browser just raw webview

Screenshot_20220818-080603_Kiwi Browser

Screenshot_20220818-080608_Kiwi Browser

Screenshot_20220818-080823_Kiwi Browser Screenshot_20220818-081012_Google Play Store

abrahamjuliot commented 2 years ago

I'm guessing what I encountered is unique to the WebView build that the Amazon Appstore provides to the Windows SubSystem. Sadly, apps from Google Play are not officially supported.

vis2021t commented 2 years ago

I'm guessing what I encountered is unique to the WebView build that the Amazon Appstore provides to the Windows SubSystem. Sadly, apps from Google Play are not officially supported.

but u can still sideload many apps like play store as far as i have heard and more maybe try from there?

try maybe a different emulator and then check ? that was assure us with the answer