The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.


Block Detection by using WEBGL

Jonathan | Last updated: May 21, 2021 09:36PM UTC

I have been working on a Hermes fake scam website. However, it quickly detected me. An interesting article at https://blog.malwarebytes.com/scams/2021/05/royal-mail-phish-deploys-evasion-tricks-to-avoid-analysis/ shows some new interesting techniques. One of them was using the JavaScript below:

    // The snippet as posted assumes an existing canvas element; one is created here so it runs.
    var canvas = document.createElement('canvas');
    var gl = canvas.getContext('webgl');
    // The debug extension exposes the real GPU vendor and renderer strings.
    var debugInfo = gl.getExtension('WEBGL_debug_renderer_info');
    var vendor = gl.getParameter(debugInfo.UNMASKED_VENDOR_WEBGL);
    var renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);
    console.log(debugInfo);
    console.log(vendor);
    console.log(renderer);
    // Screen properties used for the bot check further down.
    var width = screen.width;
    var height = screen.height;
    var color_depth = screen.colorDepth;
    console.log(width, height, color_depth);
    setTimeout(function() {
        if (true) {
            // Software renderers and VirtualBox are treated as a virtual machine.
            if (/swiftshader/i.test(renderer.toLowerCase()) || /llvmpipe/i.test(renderer.toLowerCase()) || /virtualbox/i.test(renderer.toLowerCase()) || !renderer) {
                console.log("VIRTUAL MACHINE!!!!");
            } else if (/nvidia/i.test(renderer.toLowerCase())) {
                console.log("Cool Nvida detected");
            } else if (color_depth < 24 || width < 100 || height < 100 || !color_depth) {
                // Low colour depth or a tiny screen is treated as a bot.
                console.log("Bot Detected!");
            }
        }
    }, 200);

This means that if you are running Burp Suite inside a virtual machine, i.e. Kali on a virtual machine, you will get detected by the JavaScript. You are often then thrown to the proper website as another way of hiding their true identity.

If we could pre-scan the JavaScript looking for the getContext('webgl'); and then introduce at request a fake one, convincingly overriding it with a fake GL giving less detectable entries, would this be possible?

Uthman, PortSwigger Agent | Last updated: May 24, 2021 10:32AM UTC

Hi Jonathan, To clarify, are you looking for a way to grep "getContext('webgl');" in the response and then change it? Can you provide more context on this, please? Do you want the scanner to handle this? An extension?

Jonathan | Last updated: May 29, 2022 06:51PM UTC

Been doing further work on this, this time with a PCR scammer. A website, when you access it with a desktop browser, gives you a different page than if you access it with a mobile browser. From further research, the same is true of bots. So I thought of an extension to effectively lie to the web browser. Since it is JavaScript, you can overwrite it.

For example, one of the tests is the size of the screen:

    else if (color_depth < 24 || width < 100 || height < 100 || !color_depth) {

It gets the values from this:

    var width = screen.width;
    var height = screen.height;
    var color_depth = screen.colorDepth;

So the screen effectively gives it away. There are numerous other tests.

    if (/swiftshader/i.test(renderer.toLowerCase()) || /llvmpipe/i.test(renderer.toLowerCase()) || /virtualbox/i.test(renderer.toLowerCase()) || !renderer) {

This is the anti-bot testing, checking the value from here:

    var renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);

These then change a cookie and then a path. Since the above pattern is quite common, is there a way, or could there be a way, for Burp Suite to notice and intercept the request? That would be quite useful. Any thoughts?
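The pre-scan asked about in this thread, sketched as an added example (it is not part of any post and is not Burp Suite or PortSwigger code): it scans a response body for the indicator strings from the quoted script and reports a likely anti-analysis gate only when a renderer query and a VM-renderer comparison appear together. The name `scanBody`, the categories, the verdict labels and both sample bodies are constructed for illustration.

```javascript
// Indicator strings come from the script quoted in the thread; scanBody, the
// categories, the verdict labels and both sample bodies are constructed here.
const INDICATORS = [
  { id: 'webgl-context', category: 'webgl-use', re: /getContext\(\s*['"](?:experimental-)?webgl2?['"]/i },
  { id: 'debug-extension', category: 'renderer-query', re: /WEBGL_debug_renderer_info/ },
  { id: 'unmasked-value', category: 'renderer-query', re: /UNMASKED_(?:RENDERER|VENDOR)_WEBGL/ },
  { id: 'vm-renderer', category: 'vm-compare', re: /swiftshader|llvmpipe|virtualbox/i },
  { id: 'screen-props', category: 'screen-check', re: /screen\.(?:width|height|colorDepth)/ },
];

// Scan one response body line by line and grade the combination of hits.
function scanBody(body) {
  const findings = [];
  body.split(/\r?\n/).forEach((text, i) => {
    for (const ind of INDICATORS) {
      if (ind.re.test(text)) findings.push({ line: i + 1, id: ind.id, category: ind.category });
    }
  });
  const seen = new Set(findings.map((f) => f.category));
  // A renderer query next to a VM-renderer name comparison is the gate from the
  // thread; any single indicator (plain WebGL use, screen size reads) is only
  // worth a manual look because ordinary pages contain those too.
  let verdict = 'none';
  if (seen.has('renderer-query') && seen.has('vm-compare')) verdict = 'likely-gate';
  else if (seen.size > 0) verdict = 'review';
  return { verdict, findings };
}

// Constructed sample: a cut-down version of the gate quoted in the thread.
const SAMPLE_GATE = [
  "var gl = canvas.getContext('webgl');",
  "var debugInfo = gl.getExtension('WEBGL_debug_renderer_info');",
  "var renderer = gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL);",
  "if (/swiftshader/i.test(renderer) || /llvmpipe/i.test(renderer) || !renderer) { flag(); }",
  "var width = screen.width;",
].join('\n');

// Constructed sample: an ordinary page that merely draws with WebGL.
const SAMPLE_BENIGN = [
  "const gl = document.querySelector('canvas').getContext('webgl');",
  "gl.clearColor(0, 0, 0, 1);",
].join('\n');

for (const [name, body] of [['gate', SAMPLE_GATE], ['benign', SAMPLE_BENIGN]]) {
  const { verdict, findings } = scanBody(body);
  console.log(name, verdict, findings.map((f) => `${f.line}:${f.id}`).join(' '));
}
```

String matching like this misses obfuscated or dynamically assembled scripts, so a `none` verdict does not show that a page has no such gate.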

Liam, PortSwigger Agent | Last updated: May 30, 2022 09:19AM UTC