0

I came across the following ways PhantomJS can open a website without being detected as PhantomJS if the website only tests for these ways separately:

                             Can fool Website
“User-agent” via HTTP          Yes
Client-side User-agent 
check                          Yes
Inspect PluginArray            No
Timed alert()                  No
HTTP Header order              Yes
window.callPhantom             Yes
HTML5 features                 No
Function.prototype.bind        Yes
Stack trace                    No

Just wanted to confirm if the latest version of PhantomJS still loses in the areas mentioned above. Is spoofing the following information still not possible?

  1. HTML5 features
  2. Stack Trace generated by PhantomJS
  3. Plugin information
  4. Timed alert

References: http://www.slideshare.net/SergeyShekyan/shekyan-zhang-owasp, http://engineering.shapesecurity.com/2015/01/detecting-phantomjs-based-visitors.html

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
TechyHarry
  • 301
  • 2
  • 8
  • 25
  • @ArtjomB. I guess "win" for PhantomJS and "lose" for a website mean PhantomJS can fool a site and be considered a real browser with a human user. – Vaviloff May 13 '16 at 16:30
  • @ArtjomB. Yes what is said by Vaviloff is right! – TechyHarry May 13 '16 at 19:46
  • I've clarified your question, but you might want to add a proper title. Anyway, numbers 3 and 4 could be "easily" fixed by meddling with the source code and re-compiling. This is plainly wrong and was possible before and now. – Artjom B. May 13 '16 at 20:00
  • Ok, without modifying PhantomJS source, isn't possible to achieve 3, 4? Also could you please share any examples with Java & PhantomJS for achieving 3, 4. Regarding options 1, 2 are they entirely out of scope before and now? – TechyHarry May 14 '16 at 12:27
  • @ArtjomB. Thanks for taking time and responding to my question. Could you please answer my clarification question mentioned above – TechyHarry May 14 '16 at 14:13

0 Answers0