Look for inconsistencies in UserAgent with navigator.productSub and eval.toString().length

antibot/analyzer/analyzer.go

@@ -1,17 +1,23 @@
 package analyzer
 
-import "strings"
+import (
+ "strings"
+
+ "github.com/mileusna/useragent"
+)
 
 const chromeDriverPrefix = "cdc_"
 
 type ClientProperties struct {
- Languages []string `json:"languages"`
- Plugins []string `json:"plugins"`
- Window []string `json:"custom_window"`
- UserAgent string `json:"ua"`
- HasWindowChrome bool `json:"has_window_chrome"`
- Webdriver bool `json:"webdriver"`
- ConsistentPerms bool `json:"consistent_permissions"`
+ Languages []string `json:"languages"`
+ Plugins []string `json:"plugins"`
+ Window []string `json:"custom_window"`
+ UserAgent string `json:"ua"`
+ HasWindowChrome bool `json:"has_window_chrome"`
+ Webdriver bool `json:"webdriver"`
+ ConsistentPerms bool `json:"consistent_permissions"`
+ EvalLength int `json:"eval_length"`
+ ProductSub string `json:"product_sub"`
 }
 
 type Analyzer struct{}
@@ -30,7 +36,9 @@ func (a *Analyzer) AnalyzeProperties(properties ClientProperties) bool {
  a.analyzeWindow(properties.Window) &&
  a.analyzeWindowChrome(properties.HasWindowChrome, properties.UserAgent) &&
  a.analyzeWebdriver(properties.Webdriver) &&
- a.analyzePermissions(properties.ConsistentPerms)
+ a.analyzePermissions(properties.ConsistentPerms) &&
+ a.analyzeEvalLength(properties.UserAgent, properties.EvalLength) &&
+ a.analyzeProductSub(properties.UserAgent, properties.ProductSub)
 }
 
 // analyzeWebdriver checks navigator.webdriver property value
@@ -86,3 +94,48 @@ func (a *Analyzer) analyzeWindowChrome(hasWindowChrome bool, ua string) bool {
 func (a *Analyzer) analyzePermissions(consistentPerms bool) bool {
  return consistentPerms
 }
+
+// analyzeEvalLength checks if browser specified in UserAgent is consistent with value of eval.toString().length
+// If it is inconsistent - possibly dishonest client.
+func (a *Analyzer) analyzeEvalLength(UserAgent string, evalLength int) bool {
+ // Browser -> evalLength
+ BrowserToLength := map[string]int{
+ "Firefox": 37,
+ "Safari": 37,
+ "Chrome": 33,
+ "Opera": 33,
+ "Internet Explorer": 39,
+ }
+
+ client := ua.Parse(UserAgent)
+ usualLength, ok := BrowserToLength[client.Name]
+
+ // If evalLength for given browser is unknown - consider client honest
+ if !ok {
+ return true
+ }
+
+ if usualLength != evalLength {
+ return false
+ }
+
+ return true
+}
+
+// analyzeProductSub checks if browser specified in UserAgent is consistent with navigator.productSub
+// If it is inconsistent - possibly dishonest client.
+func (a *Analyzer) analyzeProductSub(UserAgent, productSub string) bool {
+ // Safari, Chrome and Opera always have this productSub
+ chromeBuildNumber := "20030107"
+
+ client := ua.Parse(UserAgent)
+ browser := client.Name
+
+ if browser == "Opera" || browser == "Chrome" || browser == "Safari" {
+ if productSub != chromeBuildNumber {
+ return false
+ }
+ }
+
+ return true
+}

go.mod

@@ -6,6 +6,7 @@ require (
  github.com/AdhityaRamadhanus/fasthttpcors v0.0.0-20170121111917-d4c07198763a
  github.com/ardanlabs/conf v1.4.0
  github.com/fasthttp/router v1.4.0
+ github.com/mileusna/useragent v1.0.2
  github.com/pkg/errors v0.9.1
  github.com/sirupsen/logrus v1.8.1
  github.com/valyala/fasthttp v1.28.0

go.sum

@@ -14,6 +14,8 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8=
 github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
+github.com/mileusna/useragent v1.0.2 h1:DgVKtiPnjxlb73z9bCwgdUvU2nQNQ97uhgfO8l9uz/w=
+github.com/mileusna/useragent v1.0.2/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=