A few questions about CreepJS code

[toleblanc]

Hi!

I'm a second year CS student trying to understand your code. Can I ask a few questions?

I'm asking about your Puppeteer Extra detection, where you're checking various APIs (throwing errors etc.) to see if we can detect Puppeteer Extra is being used.

1. Why are you using such a complex set of iframes for the tests? (creating an iframe in the main window document, then creating another iframe (getPhantomIframe), then another (getBehemothIframe)...) Why not just create one iframe in the main window document and do the tests there?

2. How did you choose which API functions to test? I find it hard to believe you tested every possible API and its functions and properties, checked the results in Chrome, and then checked them in Puppeteer Extra. If you can recall and share your process on this I'd really appreciate it! Also I notice you're only looking at a subset of the test for FakeBrowser - can you remember why that is?

3. The code is a little bit complex and hard to understand. Is all this complexity necessary, or is the code in an experimental "needs to be cleaned up" state? I'm not criticising anything, the problem is probably me, but I'm curious as to your opinion on the current state of the code.

4. Could your logic be applied to other bots? For example, if we got the hashes of Selenium bots, could we use your code to check for them too, or is there a reason this wouldn't work?

Thank you for your time!

[abrahamjuliot]

Sure.

1. Uniquely generated iframes can reveal the true native code, which can then be compared against the top-level code to reveal discrepancies. It's not a given that all forms of iframes will be patched by evasion techniques.
2. The functions were chosen based on APIs that are known to be used for or against fingerprinting. As we discover fingerprinting issues related to web APIs, we add the functions. The subset decided for FakeBrowser is based on the matching fingerprint.
3. It's intentional that it's complicated and doesn't explain much. We would like there to be some big challenges in reversing the code, and we wouldn't want the code to be easy to use in the real world.
4. This only detects inconsistencies in function code. We do some labelling of the patterns, but the labels do not mean it is in fact use of WebDriver, automated, or any specific automation script. Think of it as just a name for a distinct fingerprint, and it's ok if the name is not 100% accurate.

Bot detection is a much broader subject and not something we focus heavily on detecting.