
What tool or software should I look for to find out what "fingerprinting" data a website is tracking?

Like, I want to know if the website looks for a cache and/or the fonts installed in the system, or uses Canvas or WebGL methods. There was a great project doing that called "OpenWPM", written in Python; it used to track all that stuff with the Mozilla driver and store it in an SQL database with a pretty neat organization of the data.

I tried looking for OWASP Red Attack ZAP Proxy, but it is a tool to find vulnerabilities, not the data I want. There are a lot of plugins for OWASP but I don't know which ones to use.

Luca Kiebel
Anton
  • every site is different and they can change policies at any time; this is far too broad. – dandavis Aug 20 '18 at 19:31
  • What policies are you talking about? I mean, the techniques for fingerprinting are known. I am searching for software that can track it – Anton Aug 21 '18 at 09:28
  • Well, they can recover a lot with just server-side analysis, which is completely undetectable to users. The client code will be bundled with the site's other operational code and hard to inspect, much less survey en masse. Consider that they can tell computer speed, network speed, RAM, and approximate workload, just from analyzing how a streaming video is fetched by the browser; headers, timing, size, latency, etc. There's really no need to bother with font or GL fingerprints, and I fear a survey tool would only find low-effort attempts using common demonstration techniques, not real-world gathering. – dandavis Aug 21 '18 at 16:21
  • You are correct, all those techniques you mentioned, like latency, size, timings, etc. are possible and very good for hiding detecting activities. But the website I want to test is mostly pretty simple; there is no need to buy/make such hard system analytics. It's not hard to find out what information a website wants from you, since all fingerprinting for WebGL, canvas and fonts uses the same JS requests and methods. OpenWPM was tracking it easily, but it's deprecated. There should be some modern ways to track it – Anton Aug 21 '18 at 20:06

1 Answer


No, there is not. While fingerprinting can be done by actively providing the browser with a resource that will allow for fingerprinting, it is also possible to fingerprint a client entirely passively. For example, the specific order that client headers are transmitted in gives away the web client you are using. Even if you spoof various headers like Accept-Encoding and User-Agent, you are still giving away the order of the headers, which itself makes passive browser fingerprinting possible. Another example is analyzing the behavior of the client when fetching resources. In what order does it fetch resources? How many does it fetch in parallel? All of this data is routinely sent to any web server you connect to, and there is no way that you can tell if it is being used for fingerprinting purposes.

It is possible to detect if certain explicit and active fingerprinting attempts are made, for example AudioContext fingerprinting or, as you provided as an example in your question, WebGL-based fingerprinting, but detecting this will not allow you to conclude that the website is not engaging in fingerprinting activity. In addition, there are going to be numerous ways to covertly collect this information in a way that looks quite innocent to automated detection. As for specific software that is able to do this, explicit software recommendations are off-topic here (and I do not know of any specific pieces of software that can detect this, anyway).

You may want to check out AmIUnique, a proof-of-concept website that uses a variety of fingerprinting techniques, both active and passive, to uniquely identify a system. It uses not only primitive techniques such as UA fingerprinting, but more advanced techniques such as WebGL and AudioContext fingerprinting, font enumeration, browser window dimensions, etc.

forest
    Thanks for the answer. I'll note all the info you have shared. Even though there are techniques that may fingerprint a user passively, for me it's fine to just know the common methods that websites apply to users. It would be enough to start off. – Anton Sep 15 '18 at 07:56
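As an added example, not code from the post or from OpenWPM: a small JavaScript monitor for the active techniques the answer says are detectable. It wraps the canvas, WebGL and AudioContext prototype methods that such scripts must call and records each call with its stack trace, so you can see which script on a page touched them. Function and label names are this example's own; install it before the page's scripts run (devtools snippet or user script) and then inspect window.__fpLog.

```javascript
// Example monitor for active fingerprinting calls (hypothetical helper
// names; not part of any existing tool).

// Replace obj[name] with a wrapper that logs the call, then runs the
// original. Returns the original, or null if there was nothing to wrap.
function instrument(obj, name, log, label) {
  const original = obj[name];
  if (typeof original !== 'function') return null;
  obj[name] = function (...args) {
    log.push({
      api: label,
      args: args.map((a) => (typeof a === 'string' ? a.slice(0, 40) : typeof a)),
      stack: new Error().stack, // identifies the calling script
    });
    return original.apply(this, args);
  };
  return original;
}

// Prototype methods the common active techniques depend on. `g` is the
// global object (window in a browser); missing constructors are skipped.
function hookFingerprintingApis(g, log) {
  const p = (ctor) => (g[ctor] ? g[ctor].prototype : null);
  const targets = [
    [p('HTMLCanvasElement'), 'toDataURL', 'canvas.toDataURL'],
    [p('HTMLCanvasElement'), 'getContext', 'canvas.getContext'],
    [p('CanvasRenderingContext2D'), 'getImageData', 'canvas.getImageData'],
    [p('CanvasRenderingContext2D'), 'measureText', 'font.measureText'],
    [p('WebGLRenderingContext'), 'getParameter', 'webgl.getParameter'],
    [p('WebGLRenderingContext'), 'getExtension', 'webgl.getExtension'],
    [p('OfflineAudioContext'), 'startRendering', 'audio.startRendering'],
  ];
  let hooked = 0;
  for (const [proto, name, label] of targets) {
    if (proto && instrument(proto, name, log, label)) hooked++;
  }
  return hooked; // number of methods actually wrapped
}

// Count calls per API so the log can be read at a glance.
function summarize(log) {
  const counts = {};
  for (const e of log) counts[e.api] = (counts[e.api] || 0) + 1;
  return counts;
}

if (typeof window !== 'undefined') { // browser: install and expose the log
  window.__fpLog = [];
  hookFingerprintingApis(window, window.__fpLog);
}
```

A script that calls toDataURL or getParameter(UNMASKED_RENDERER_WEBGL) right after page load, without any user interaction, is the pattern to look for in the log; the stack entry tells you which script did it.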