如何防止网页检测到我正在运行脚本? [英] How can I prevent a webpage from detecting I am running a script?
问题描述
在facebook.com上尝试使用脚本后,我注意到几分钟后它不允许我连接到facebook.com。这发生了不止一次,所以我怀疑Facebook不喜欢使用用户脚本搞乱他们的代码。
After experimenting with scripts on facebook.com, I noticed that for a couple of minutes it didn't allow me to connect to facebook.com. This happened more than one time so I suspect that Facebook doesn't like to mess with their code using userscripts.
Stack Overflow问题 可以通过网站了解我是否正在运行用户脚本? / em>回答网站可以检测脚本的多种方式。
The Stack Overflow question Can a website know if I am running a userscript? answers the multiple ways a website can detect scripts.
现在我想知道如何欺骗网站不检测我可能正在运行的任何脚本。
有没有办法知道我的用户脚本HTML更改在网站上触发了什么?
Now I want to know how I can fool a website to not detect any scripts I may be running. Is there a way to know what my userscript HTML changes trigger on the website?
推荐答案
对于Firefox和Chrome那里不是防止检测的灵丹妙药,它是一个过程和艺术......
For Firefox and Chrome there is no magic bullet to prevent detection, it is a process and an art...
3 原则网站检测到的方式脚本是:
The 3 principle ways that a site would detect a script are:
-
无序或过于频繁的AJAX请求。
Out of sequence or too-frequent AJAX requests.
页面代码的更改(HTML,全局JS,甚至CSS)。
Changes to the page's code (HTML, global JS, or even CSS).
不自然的鼠标或键盘操作。
Unnatural mouse or keyboard action.
请参阅网站是否可以知道我正在运行用户手册?以获取更多信息。
See "Can a website know if I am running a userscript?" for more information.
一些对策:
-
对于您的脚本所做的AJAX请求:
For AJAX requests that your script makes:
- 使用 Wireshark 或类似的,来分析正常AJAX的流量调用。请确保以相同的顺序发送相同类型的电话。
- 确保您的请求显示与页面相同的标题和数据。
- 不要比用户可以合理触发的页面正常或更快地发送AJAX请求。
- 考虑在脚本的请求中添加随机延迟,以便它们不是统一定时的。
- 注意页面请求中不断更改的字段。确保您知道如何生成正确的值;不只是剪切和粘贴。
- Use Wireshark, or similar, to analyze the traffic of normal AJAX calls. Make sure that you send the same type of calls, in the same order.
- Make sure that your requests show the same headers and data as the page's.
- Do not send AJAX requests faster than the page does normally or faster than a user could reasonably trigger.
- Consider adding random delays to your script's requests, so that they are not uniformly timed.
- Beware of constantly changing fields in the page's requests. Be sure that you know how to generate the correct value; don't just cut and paste.
对于您所做的更改页面的代码:
页面可以完全在本地处理它们,使用它自己的javascript,也可以将状态或代码片段发送回服务器。
For changes that you make to the page's code:
The page can handle these either entirely locally, with it's own javascript, or it can also send back status or code fragments to the server.
-
阻止并替换页面的javascript。可以使用NoScript,RequestPolicy,防火墙和代理等工具来阻止JS。
然后使用Greasemonkey添加页面JS的 已编辑 版本。即使所有页面的JS都被禁用,Greasemonkey也会运行。
Block and replace the page's javascript. Tools like NoScript, RequestPolicy, firewalls and proxies can be used to block the JS.
Then use Greasemonkey to add your edited version of the page's JS. Greasemonkey will run even if all of a page's JS is disabled.
如果页面电话状态为home,并且该状态随脚本的更改而变化,则截取并替换这些消息。 (如果使用上一种方法,则不需要这样做。)您需要使用自定义防火墙,代理或路由器来执行此操作。
If the page phones status home, and that status changes in response to your script's changes, Intercept and replace those messages. (This is not needed if you used the previous method.) You will need a custom firewall, proxy, or router to do this.
对于您触发的事件(鼠标点击,填写字段,等。):
For events that you trigger (mouse clicks, filling out fields, etc.):
- 如果页面检查了这一点,请给它寻找它。例如,代替
点击事件,您可能需要鼠标悬停,mousedown,mouseup,mouseoutsequence。 - 如果是这还不够,那么对策与对页面代码所做的更改相同(替换JS,拦截状态消息)。
- If the page checks for this, give it what it looks for. For example, instead of a
clickevent, you may need amouseover,mousedown,mouseup,mouseoutsequence. - If that is not enough, then the countermeasures are the same as for changes made to the page's code (replace JS, intercept status messages).
重要!
在极少数情况下,你 与一个试图阻止用户脚本的网站作战,这就像一场战争。网站管理员可以适应您的工作,环境可以不断变化。因此,为这样的网站编写脚本是一个持续的过程。
Important!
In the rare event that you are battling a site that tries to thwart userscripts, it is like a war. The webmaster can adapt to what you are doing, and the environment can constantly change. So scripting for such a site is an ongoing process.
这篇关于如何防止网页检测到我正在运行脚本?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
