github.com/onlpsec/fingerprint

Wasm Web Fingerprinting library

Js/Wasm Obfuscated fingerprinting, bot detection & API protection library

state: Pre-alpha

To implement:

• Canvas Fp
• Implement ProtoBuf protocol for communication
• If not switching to another languge/compiling method, optimise wasm loading and glue code
• Advanced Canvas Fp
• WebGl Fp & Params Fp
• Screen Fp / Browser properties
• Audio Fp
• Css / Js and other fp techniques
• Bot / Automation detection
• Use mouse movements & bezier
• Tls and Ja3 Fingerprinting
• Make a Browser fp (finegrained) and Device fp (large grained, targets device)
• Implement Obfuscation (although wasm is a first step) and Encryption
• Implement an api that gets the fingerprint and processes data
• Implement all fp's natively (without go) to increase speed (rust ?)
• Train a model on recognising bad fp's
• Implement techniques to make fp as authentic as possible and difficult to fake

Compiling golang to wasm

navigate to ./scripts and run:

make

Running the script

navigate to ./test and run:

go run serve.go

You can then open localhost:8080 and the Fingerprint will be logged to console
The fingerprints can be Accessible through calling getFp()

Performance

• Fp takes ~ 15ms to compute (on apple m2 air)
• Wasm size is 80kb and 28kb, before and after compression

Optimizing compiled wasm from golang (both tinygo and gzip are used here)

• using tinygo ~ 75% filesize reduction

// using -no-debug and -opt=z to strip debug info and minimize filesize
tinygo build -o output.wasm -target wasm -no-debug -opt=z input.go

drawback: limited library implementation - solution: implement libraries natively like HexEncode.

• using gzip ~ 50% filesize reduction

gzip -9 -v -c input.wasm > output.min.wasm

drawbacks: + 21kb from gzip javascript library

VsCode settings (for gopls):

 GOOS=js GOARCH=wasm

• if not, you will get an annoying (fake) error for including syscall/js

Credits

• https://newassets.hcaptcha.com/c/ac578c1/hsw.js
• https://github.com/fingerprintjs/fingerprintjs