[feature request] -> detect JS tampering

[unixfox]

Hero: https://github.com/ulixee/hero

Seems to claim that it is better than puppeteer, playwright when it comes to scraping: https://ulixee.org/docs/hero/overview/basic-concepts

For now, it doesn't get detected by brotector:

---

I tried to see if there were some things obvious by using https://deviceandbrowserinfo.com/info_device but couldn't find anything.

But creepjs detects it: https://abrahamjuliot.github.io/creepjs/ as "smart enemy".

---

Example code:

const Hero = require('@ulixee/hero-playground');

(async () => {
  const hero = new Hero();
  await hero.goto('https://kaliiiiiiiiii.github.io/brotector/');
  await new Promise(resolve => setTimeout(resolve, 5000));
  const tab = hero.activeTab;
  const screenshot = await tab.takeScreenshot();
  require("fs").writeFile("out.png", screenshot, 'base64', function(err) {
    console.log(err);
  });
  await hero.close();
})();

[kaliiiiiiiiii]

Thanks!

[kaliiiiiiiiii]

@unixfox Though, you've forgot to click the button at brotector. Does that cause detection?

[unixfox]

Thank you for your reply!

Indeed I clicked on the button using the documentation: https://ulixee.org/docs/hero/basic-client/interactions

const Hero = require('@ulixee/hero-playground');

(async () => {
  const hero = new Hero();
  await hero.goto('https://kaliiiiiiiiii.github.io/brotector/');
  const tab = hero.activeTab;
  await new Promise(resolve => setTimeout(resolve, 1000));
  const aElem = hero.document.querySelector('button');
  await hero.interact({ click: { element: aElem } })
  await new Promise(resolve => setTimeout(resolve, 3000));
  const screenshot = await tab.takeScreenshot({fullPage: true});
  require("fs").writeFile("out.png", screenshot, 'base64', function(err) {
    console.log(err);
  });
  await hero.close();
})();

And brotector found some interesting things.

But maybe we can detect it earlier like creepjs is doing?

[kaliiiiiiiiii]

But maybe we can detect it earlier like creepjs is doing?

Well, hero injects javascript into the main world which patches stuff.
Detection of JS patching is a cat-and-mouse game, unfortunately.

Usually smth specific to the framework, and code signature-based detection.
Example for reference: #6

brotector/brotector.js

Lines 1 to 4 in a39efef

	const chromedriverSourceMatches = [
	"WebDriver", "W3C", "Execute-Script", "cdc_adoQpoasnfa76pfcZLmcfl", "Chromium", "shadow-6066-11e4-a52e-4f735466cecf",
	"element-6066-11e4-a52e-4f735466cecf", "STALE_ELEMENT_REFERENCE", "crbug.com/40229283",
	"shadow root is detached from the current frame","stale element not found in the current frame"]

brotector/brotector.js

Lines 370 to 389 in a39efef

	hook_SeleniumScriptInjection(){
	this.hookFunc("Function", "apply", this.SeleniumScriptInjectionHandler.bind(this))
	}
	SeleniumScriptInjectionHandler(target, thisArg, argumentsList){
	let code = thisArg.toString()
	let matches = {}
	let testStr = undefined
	for (testStr of chromedriverSourceMatches){
	if(code.indexOf(testStr) !== -1){
	if (matches[testStr] == undefined){matches[testStr] = 0}
	matches[testStr] += 1
	}
	}
	const len = Object.keys(matches).length
	if (len > 0){
	this.log({"detection":"SeleniumScriptInjection", "score":0.9, data:{args:argumentsList,matches:matches}})
	if(this.crash){throw Error(brotectorBanner)}
	}
	}
	}

[unixfox]

Thank you for pointing in the right direction! That's indeed a good idea.

I think creepjs recognize that something is fishy pretty easily thanks to its good prediction mechanism.

Here is a portion of a screenshot taken with hero on creepjs:

Hero advertise itself as an Apple device:

Hard giveaway when it is ran on a Linux machine.

Lies reported by creepjs:

[kaliiiiiiiiii]

Lies reported by creepjs:

Uh yeah could definitely start implementing validation tests for:

1. Object.defineProperty
2. Function.prototype.toString
3. Proxy detection

each on the critical functions and properties

[kaliiiiiiiiii]

have added 49eba09#diff-5fcd26e1643bfe21d1ba6b43eff683cf5b09c8340adf89d61261ead09b8e01a0 for now

[kaliiiiiiiiii]

Lies reported by creepjs:

Uh yeah could definitely start implementing validation tests for:

1. Object.defineProperty
2. Function.prototype.toString
3. Proxy detection

each on the critical functions and properties

resources for that

• Question about lies abrahamjuliot/creepjs#147 (comment)
• https://github.com/abrahamjuliot/creepjs/blob/master/src/lies/index.ts

Maybe I should start implementing a proper framework with TS... don't really have the time tho