Combating client fingerprinting through the real-time detection and analysis of tailored web content

Abstract

The web is no longer composed of static resources. Technology and demand have driven the web towards a complex, dynamic model that tailors content toward specific client fingerprints. Servers now commonly modify responses based on the browser, operating system, or location of the connecting client. While this information may be used for legitimate purposes, malicious adversaries can also use this information to deliver misinformation or tailored exploits. Currently, there are no tools that allow a user to detect when a response contains tailored content. Developing an easily configurable multiplexing system solved the problem of detecting tailored web content. In this solution, a custom proxy receives the initial request from a client, duplicating and modifying it in many ways to change the browser, operating system, and location-based client fingerprint. All of the requests with various client fingerprints are simultaneously sent to the server. As the responses are received back at the proxy, they are aggregated and analyzed against the original response. The results of the analysis are then sent to the user along with the original response. This process allowed the proxy to detect tailored content that was previously undetectable through casual browsing. Theoretical and empirical analysis was performed to ensure the multiplexing proxy detected tailored content at an acceptable false alarm rate. Additionally, the tool was analyzed for its ability to provide utility to open source analysts, cyber analysts, and reverse engineers. The results showed that the proxy is an essential, scalable tool that provides capabilities that were not previously available.