@fanboynz/network-scanner 3.0.2 → 3.0.3

package/CHANGELOG.md

@@ -2,6 +2,40 @@
 
 All notable changes to the Network Scanner (nwss.js) project.
 
+## [3.0.3] - 2026-05-26
+
+### Improved
+- **3 DataDome-targeted gaps closed in `lib/fingerprint.js`** (inside `applyFingerprintProtection`, so gated on `siteConfig.fingerprint_protection` like every other spoof in that function):
+  - **`Notification.permission` static property** now returns `'default'` (real Chrome's no-granted-permission state). Previously only `Notification.requestPermission()` (the method) was patched; the static property still returned the headless default `'denied'` — a live tell for DataDome and similar detectors that read it directly.
+  - **`screen.orientation` interface** is now provided as a stable `{type: 'landscape-primary', angle: 0, addEventListener, lock, unlock, ...}` object when missing. Modern browsers always expose ScreenOrientation; absence is a "real browser?" check signal.
+  - **`<html>` `webdriver` DOM attribute** stripped if present. Defensive — modern Puppeteer with `ignoreDefaultArgs: ['--enable-automation']` doesn't emit this, but older driver setups do, and detectors check both `navigator.webdriver` AND `documentElement.getAttribute('webdriver')`. Appended to the existing `'webdriver removal'` safeExecute block so all webdriver cleanup lives together.
+
+  Targeted at sites running DataDome's `ct.captcha-delivery.com/i.js` (and similar fingerprint suites: PerimeterX, Akamai Bot Manager). Most other surfaces these detectors probe were already covered (chrome.app/csi/loadTimes, userAgentData, maxTouchPoints, permissions.query, WebGL UNMASKED_VENDOR/RENDERER, etc.). `scripts/test-stealth.js sannysoft` regression smoke holds at 29 passed / 1 warn / 0 failed (the warn is `CHR_DEBUG_TOOLS`, a CDP-attached signal that's fundamental to Puppeteer and unrelated to these additions). JS-only spoofing can't address TLS fingerprint, HTTP/2 fingerprint, IP reputation, or behavioural analysis — those still depend on proxy choice and `interact` / `ghost-cursor` config.
+
+### Added
+- **`scripts/test-stealth.js` now reports warn-row labels** for sannysoft, not just failure-row labels. Previously a cell moving from `passed` → `warn` between runs was invisible (only the count changed), making soft-regression debugging require `--headful`. Now the warn-row table contents print inline so you can see e.g. `warn rows: CHR_DEBUG_TOOLS` directly. Schema additive: result object gains a `warnings: string[]` array alongside the existing `failures: string[]`.
+- **`scripts/test-stealth.js` extracts CreepJS's actual current metrics** instead of stale `Trust Score` regex that returned `n/a` for every field. New extracted fields: `fpId` (CreepJS's stable fingerprint hash, lets you A/B before/after a spoof change), `isChromium` (engine identification), `headlessPct` (HARD headless detection score, lower = better), `likeHeadlessPct` (SOFT headless signals), `stealthPct` (spoof-detection probes score, HIGHER = better since it means our spoofs LOOK convincing). Formatter prints all five with directionality hints inline. Excerpt now 40 lines / 2KB (was 15 / 400 bytes) so future UI rotations are debuggable from the output without `--headful`.
+- **Additional headless-mode spoofs in `lib/fingerprint.js`** (all inside `applyFingerprintProtection`, gated on `siteConfig.fingerprint_protection`):
+  - **`matchMedia` hover/pointer queries**: `(any-hover: hover)`, `(any-hover: none)`, `(any-pointer: fine)`, `(any-pointer: none)`, `(any-pointer: coarse)` plus the legacy non-`any-` aliases. Headless Chrome reports no hover device and no fine pointer (no mouse hardware); detectors probe these as a binary 'real desktop hardware?' signal. Pass-through for all other queries (responsive, color-scheme, reduced-motion, etc.).
+  - **`screenLeft` / `screenTop` mirror `screenX` / `screenY`**. Real Chrome exposes these as identical-value legacy aliases; spoofers often leave them undefined or 0, which is inconsistent with the non-zero `screenX/Y` our existing patch produces.
+  - **Modern Chrome API stubs**: `document.hasStorageAccess()` → `Promise<true>`, `navigator.userActivation` → `{hasBeenActive: true, isActive: true}`, `navigator.getInstalledRelatedApps()` → `Promise<[]>`. Each gated on absence check so real-Chrome paths skip the override.
+
+  Honest measurement: CreepJS's specific `headless score` did NOT move after these additions (stayed at 67%). My prior estimate of '~-10 to -15 percentage points' was over-optimistic — CreepJS apparently doesn't weight matchMedia hover/pointer heavily in its headless calculation. The additions are still correct spoofs that close real fingerprint gaps and likely help against DataDome / PerimeterX which use different scoring; they're net-positive but score-neutral against CreepJS specifically. The remaining ~67% headless detection is architectural (CDP attachment, software-rasterizer GPU, no real mouse cursor) and can't be lowered without `--headful`.
+
+### Security
+- **WebRTC public-IP leak closed** in `lib/fingerprint.js` (`applyFingerprintProtection`). The previous local-IP filter only stripped RFC1918 private ranges (`10.x / 172.16-31.x / 192.168.x`), missing `srflx` (STUN-discovered PUBLIC IP), `prflx`, `relay`, and host candidates with non-RFC1918 addresses (CGNAT 100.64.0.0/10, link-local IPv6, real public IPs on bare-metal hosts). STUN traffic is UDP and **bypasses the SOCKS5 proxy entirely**, so the leaked IP was the real host IP regardless of proxy config — visible to any page that listened on `icecandidate` events. Caught by `test-stealth.js creepjs` which surfaced the candidate string `122.252.155.250 typ srflx` and the corresponding `ip:` field in its WebRTC panel. Fix: strip EVERY ICE candidate; deliver only the null-candidate sentinel (end-of-gathering signal). Side note: the property-based `pc.onicecandidate = fn` setter was also broken (stored handler but never wired it up); now mirrors the same filter as the addEventListener path. Side effect: any site that REQUIRES functional WebRTC peer connections sees ICE gathering produce zero candidates. For nwss.js's scanning use case this is correct.
+
+### Stealth hardening (toString masking)
+- **Added 8 session-introduced spoofs to `Function.prototype.toString` bulk masking** (`matchMedia`, `hasStorageAccess`, `getInstalledRelatedApps`, `userActivation` getter, `Notification.permission` getter, `screen.orientation` getter, `screenLeft`/`screenTop` getters). Without this, each new spoof was detectable via `.toString()` returning the override source instead of `[native code]`.
+- **Masked per-instance WebRTC `onicecandidate` getter/setter + `addEventListener` wrap.** The bulk-mask block only runs once at injection; per-RTCPeerConnection closures created inside the factory weren't covered. A site doing `Object.getOwnPropertyDescriptor(pc, 'onicecandidate').get.toString()` could see the spoof.
+- **Spoofed `navigator.productSub` + `vendorSub`** (UA-aware: `'20030107'` for Chrome/Safari/etc., `'20100101'` for Firefox; `vendorSub` always `''`). Companion legacy properties to the already-spoofed `vendor`/`product`. Common bot-detection signal since anti-detection libraries often spoof UA but forget these. `vendor`/`product` getters also added to the maskAsNative list (pre-existing oversight folded in).
+
+### Fixed
+- **`validatePageForInjection`'s 1.5s race timer is now `unref`'d.** Last remaining Node-side `setTimeout` that wasn't unref'd; could hold the event loop alive for up to 1.5s past scan completion. All Node-side timers in `lib/fingerprint.js`, `lib/nettools.js`, and `lib/socks-relay.js` are now unref'd.
+
+### Performance
+- **Canvas noise application now cached per `HTMLCanvasElement`** via WeakMap. `toDataURL` and `toBlob` previously did a `getImageData` + `putImageData` round-trip on every call (~500k iterations for size-capped canvases) to bake noise into the export. Now the round-trip runs once per canvas; subsequent exports skip it (the canvas backing store still has the noised pixels from the first call). Trade-off: animated canvases that redraw between exports won't have new content re-noised — acceptable for the common fingerprinter pattern (single probe → single toDataURL).
+
 ## [3.0.2] - 2026-05-25
 
 ### Security

package/lib/fingerprint.js

@@ -248,7 +248,15 @@ async function validatePageForInjection(page, currentUrl, forceDebug) {
     }
     await Promise.race([
       page.evaluate(() => document.readyState || 'loading'),
-      new Promise((_, reject) => setTimeout(() => reject(new Error('Page evaluation timeout')), 1500))
+      new Promise((_, reject) => {
+        // unref so a still-pending race timer (page.evaluate won) doesn't
+        // hold the Node event loop alive for up to 1.5s past scan exit.
+        // Same pattern as the nettools timer unrefs in 83209d4 / 0c5d644;
+        // closes the last known node-side unref'd setTimeout in the
+        // fingerprint module.
+        const t = setTimeout(() => reject(new Error('Page evaluation timeout')), 1500);
+        if (typeof t.unref === 'function') t.unref();
+      })
     ]);
     return true;
   } catch (validationErr) {
@@ -506,6 +514,21 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             configurable: true,
             enumerable: true
           });
+
+          // Belt-and-suspenders: some older Chromium-driver setups leave a
+          // `webdriver` attribute on the <html> element (different surface
+          // from navigator.webdriver). DataDome and similar detectors
+          // check both. Modern Puppeteer with ignoreDefaultArgs:
+          // ['--enable-automation'] (set in nwss.js's createBrowser) doesn't
+          // emit this attribute, so this is defensive against rare edge
+          // cases. documentElement should exist by evaluateOnNewDocument
+          // time; wrapped in optional-chaining + try/catch for the contexts
+          // where it doesn't.
+          try {
+            if (document?.documentElement?.hasAttribute('webdriver')) {
+              document.documentElement.removeAttribute('webdriver');
+            }
+          } catch (_) {}
         }, 'webdriver removal');
 
         // Remove automation properties
@@ -814,16 +837,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         safeExecute(() => {
           let vendor = 'Google Inc.';
           let product = 'Gecko';
-          
+          // productSub is a legacy Mozilla-era property: '20030107' for
+          // every browser EXCEPT Firefox (which uses '20100101'). Real
+          // Chrome / Safari / etc. all report '20030107'. Real Firefox
+          // reports '20100101'. Common bot-detection signal because
+          // anti-detection libraries often spoof UA but forget this.
+          // vendorSub is always '' across all browsers (legacy/unused).
+          let productSub = '20030107';
+          const vendorSub = '';
+
           if (userAgent.includes('Firefox')) {
             vendor = '';
+            productSub = '20100101';
           } else if (userAgent.includes('Safari') && !userAgent.includes('Chrome')) {
             vendor = 'Apple Computer, Inc.';
           }
-          
+
           const vendorProps = {
             vendor: { get: () => vendor },
-            product: { get: () => product }
+            product: { get: () => product },
+            productSub: { get: () => productSub },
+            vendorSub: { get: () => vendorSub }
           };
           spoofNavigatorProperties(navigator, vendorProps);
         }, 'vendor/product spoofing');
@@ -1270,6 +1304,23 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (window.Notification && Notification.requestPermission) {
             Notification.requestPermission = () => Promise.resolve('default');
           }
+
+          // Notification.permission STATIC PROPERTY — distinct from the
+          // requestPermission() method patched above. DataDome and similar
+          // detectors read Notification.permission directly. Real Chrome
+          // with no granted permission returns 'default'; headless Chrome
+          // returns 'denied'. Without this override the prior block (which
+          // only patched the method) leaves the static property as a live
+          // headless tell. Wrapped in try/catch because some embedded
+          // contexts make Notification non-configurable.
+          if (window.Notification) {
+            try {
+              Object.defineProperty(Notification, 'permission', {
+                get: () => 'default',
+                configurable: true
+              });
+            } catch (_) {}
+          }
         }, 'permissions API spoofing');
 
         // Media Device Spoofing
@@ -1299,9 +1350,105 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             const sY = Math.floor(Math.random() * 50) + 20;
             Object.defineProperty(window, 'screenX', { get: () => sX });
             Object.defineProperty(window, 'screenY', { get: () => sY });
+            // screenLeft / screenTop are the legacy IE-era aliases for
+            // screenX / screenY; real Chrome exposes them as identical
+            // values. Headless / spoofers often leave them undefined or 0,
+            // which is a tell since the screenX/Y patch above changed
+            // those values to be non-zero. Mirror them explicitly so the
+            // four properties stay consistent.
+            Object.defineProperty(window, 'screenLeft', { get: () => sX });
+            Object.defineProperty(window, 'screenTop', { get: () => sY });
           }
         }, 'window dimension spoofing');
 
+        // Modern Chrome API stubs — these APIs exist in real desktop
+        // Chrome but may be missing or wrong in headless. Detectors check
+        // presence + minimal shape as a 'real browser?' signal. Each one
+        // is wrapped individually so a failure on one doesn't break the
+        // others, and the existence checks let real-Chrome paths
+        // (where the property already exists with the right value) skip
+        // the override entirely.
+        safeExecute(() => {
+          // Document.hasStorageAccess() — Storage Access API. Real Chrome
+          // returns a Promise<boolean>; resolve with true to mimic the
+          // common 'storage already accessible (top-level context)' state.
+          if (document && typeof document.hasStorageAccess !== 'function') {
+            try {
+              Object.defineProperty(document, 'hasStorageAccess', {
+                value: () => Promise.resolve(true),
+                configurable: true,
+                writable: true
+              });
+            } catch (_) {}
+          }
+        }, 'document.hasStorageAccess stub');
+
+        safeExecute(() => {
+          // navigator.userActivation — UserActivation interface tracking
+          // whether the page has had a user gesture. Real Chrome exposes
+          // {hasBeenActive: bool, isActive: bool}. After interaction
+          // simulation (interact / ghost-cursor) both should be true; we
+          // default to true so a site checking before our synthetic
+          // gestures fire still sees a 'user activated' page.
+          if (navigator && !navigator.userActivation) {
+            try {
+              const userActivation = {
+                hasBeenActive: true,
+                isActive: true
+              };
+              Object.defineProperty(navigator, 'userActivation', {
+                get: () => userActivation,
+                configurable: true
+              });
+            } catch (_) {}
+          }
+        }, 'navigator.userActivation stub');
+
+        safeExecute(() => {
+          // navigator.getInstalledRelatedApps() — Chrome-specific API
+          // returning installed PWAs/native apps related to the current
+          // origin. Real Chrome has this as a function; absence is a tell
+          // for non-Chrome / headless. Return empty array (the common
+          // no-related-apps case) — same as a fresh real-Chrome profile.
+          if (navigator && typeof navigator.getInstalledRelatedApps !== 'function') {
+            try {
+              Object.defineProperty(navigator, 'getInstalledRelatedApps', {
+                value: () => Promise.resolve([]),
+                configurable: true,
+                writable: true
+              });
+            } catch (_) {}
+          }
+        }, 'navigator.getInstalledRelatedApps stub');
+
+        // screen.orientation — modern browsers expose a ScreenOrientation
+        // interface ({type, angle, addEventListener, lock, unlock, ...}).
+        // Missing entirely in some headless contexts; presence + shape are
+        // checked by DataDome and similar detectors as a "real browser"
+        // signal. The values below mirror real desktop Chrome's landscape
+        // primary orientation; lock()/unlock() match real-Chrome behaviour
+        // when no fullscreen element is active (lock rejects with
+        // NotSupportedError, unlock is a no-op). Object identity is stable
+        // (hoisted out of the getter) so reference-equality checks pass.
+        safeExecute(() => {
+          if (!window.screen.orientation) {
+            const orientation = {
+              type: 'landscape-primary',
+              angle: 0,
+              onchange: null,
+              addEventListener: () => {},
+              removeEventListener: () => {},
+              dispatchEvent: () => false,
+              lock: () => Promise.reject(new Error('NotSupportedError')),
+              unlock: () => {}
+            };
+            Object.defineProperty(window.screen, 'orientation', {
+              get: () => orientation,
+              configurable: true
+            });
+          }
+        }, 'screen.orientation spoofing');
+
         // navigator.connection — missing or incomplete in headless.
         // Object literal hoisted out of the getter so identity is stable
         // across reads. Real Chrome's NetworkInformation instance has
@@ -1447,50 +1594,143 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'image loading obfuscation');
 
-        // CSS Media Query Spoofing
+        // CSS Media Query Spoofing — specifically the hardware-presence
+        // queries that distinguish a real desktop browser from headless.
+        //
+        // Headless Chrome reports NO hover device and NO fine pointer
+        // (there's no mouse hardware attached). matchMedia('(any-hover:
+        // hover)') returns matches=false in headless, matches=true in
+        // real desktop. CreepJS and DataDome both probe these queries
+        // explicitly as a hard binary 'is this real browser hardware?'
+        // signal — one of the biggest single contributors to CreepJS's
+        // headless-detection score.
         //
-        // CSS media query — pass through normally. Screen dimensions are already spoofed
-        // so matchMedia results will naturally reflect the spoofed values.
-        // No modification needed here.
+        // Pass-through for all OTHER queries (max-width, prefers-color-
+        // scheme, etc.) so legitimate responsive-design checks still work.
+        // Screen-dimension queries naturally reflect the already-spoofed
+        // screen.width/height — no extra handling needed for those.
+        safeExecute(() => {
+          if (typeof window.matchMedia !== 'function') return;
+          const origMatchMedia = window.matchMedia;
+          // Make a fake MediaQueryList that quacks like the real thing.
+          // Real Chrome's MediaQueryList implements EventTarget, so the
+          // listener methods need to exist as callable no-ops.
+          const fakeMql = (query, matches) => ({
+            matches,
+            media: query,
+            onchange: null,
+            addEventListener: () => {},
+            removeEventListener: () => {},
+            addListener: () => {},      // deprecated alias but still present in Chrome
+            removeListener: () => {},
+            dispatchEvent: () => false
+          });
+          window.matchMedia = function(query) {
+            const q = String(query || '').toLowerCase();
+            // Spoof to "yes, mouse + hover hardware present" — the real
+            // desktop answer. Match both `(any-hover: hover)` and the
+            // legacy `(hover: hover)`; same for pointer.
+            if (q.includes('any-hover: hover') || q.includes('hover: hover')) {
+              return fakeMql(query, true);
+            }
+            if (q.includes('any-hover: none') || q.includes('hover: none')) {
+              return fakeMql(query, false);
+            }
+            if (q.includes('any-pointer: fine') || q.includes('pointer: fine')) {
+              return fakeMql(query, true);
+            }
+            if (q.includes('any-pointer: none') || q.includes('pointer: none')) {
+              return fakeMql(query, false);
+            }
+            if (q.includes('any-pointer: coarse') || q.includes('pointer: coarse')) {
+              return fakeMql(query, false);  // desktop = no coarse touch pointer
+            }
+            // Anything else falls through to real matchMedia (responsive
+            // queries, color-scheme, reduced-motion, etc. all behave normally).
+            return origMatchMedia.call(this, query);
+          };
+        }, 'matchMedia hover/pointer spoofing');
 
         // Enhanced WebRTC Spoofing
         //
+        // Previously stripped only RFC1918 private IPs from ICE candidates,
+        // which leaked the STUN-discovered public IP (`typ srflx`) — visible
+        // in CreepJS's WebRTC section and trivially also probed by DataDome
+        // and other modern fingerprint suites. STUN traffic is UDP, so it
+        // bypasses the SOCKS5 proxy entirely, meaning the real host IP
+        // reaches the fingerprinter regardless of proxy config.
+        //
+        // Fix: strip EVERY ICE candidate (host / srflx / prflx / relay /
+        // mDNS). The scanner never needs functional WebRTC peer connections,
+        // so complete suppression is the right trade-off — the page sees
+        // ICE gathering complete with zero candidates, indistinguishable
+        // from a real browser with no usable network interfaces. The
+        // null-candidate sentinel (end-of-gathering signal) still fires so
+        // calling code that awaits ICE-complete doesn't hang.
         safeExecute(() => {
           if (window.RTCPeerConnection) {
             const OriginalRTC = window.RTCPeerConnection;
+            // Filter helper hoisted so both addEventListener and the
+            // property-handler paths apply identical filtering.
+            const stripCandidate = (event) => !event.candidate;
+
             window.RTCPeerConnection = function(...args) {
               const pc = new OriginalRTC(...args);
-              
-              // Intercept onicecandidate to strip local IP addresses
+
               const origAddEventListener = pc.addEventListener.bind(pc);
-              pc.addEventListener = function(type, listener, ...rest) {
+              // Named function (not anonymous) so maskAsNative gets a sensible
+              // 'addEventListener' name when reporting [native code]. The
+              // bulk-mask block at end of applyFingerprintProtection masks
+              // window-level functions ONCE; per-instance functions created
+              // inside this factory (one new closure per `new RTCPeerConnection()`)
+              // would slip through unmasked — detectable via
+              // pc.addEventListener.toString(). Mask each per-instance to
+              // close that.
+              const addEventListenerWrap = function(type, listener, ...rest) {
                 if (type === 'icecandidate') {
                   const wrappedListener = function(event) {
-                    if (event.candidate && event.candidate.candidate) {
-                      // Strip candidates containing local/private IPs
-                      const c = event.candidate.candidate;
-                      if (c.includes('.local') || /(?:10|172\.(?:1[6-9]|2\d|3[01])|192\.168)\./.test(c)) {
-                        return; // suppress local IP candidates
-                      }
-                    }
-                    listener.call(this, event);
+                    if (stripCandidate(event)) listener.call(this, event);
                   };
                   return origAddEventListener(type, wrappedListener, ...rest);
                 }
                 return origAddEventListener(type, listener, ...rest);
               };
-              
-              // Also intercept the property-based handler
-              let _onicecandidateHandler = null;
+              maskAsNative(addEventListenerWrap, 'addEventListener');
+              pc.addEventListener = addEventListenerWrap;
+
+              // Property-based handler. Previously this just stored the
+              // handler in a local variable and never wired it up — pages
+              // setting `pc.onicecandidate = fn` got NO events at all,
+              // detectable as a mismatch vs addEventListener (which DID
+              // fire). Now we forward the wrapped handler to the underlying
+              // setter so both paths behave identically: the page sees only
+              // the null-candidate sentinel. Both get/set extracted to named
+              // consts so maskAsNative can wrap them — without this, a probe
+              // doing `Object.getOwnPropertyDescriptor(pc, 'onicecandidate').get.toString()`
+              // would see the arrow-function source instead of [native code].
+              let _userHandler = null;
+              const getOnIceCandidate = function() { return _userHandler; };
+              const setOnIceCandidate = function(handler) {
+                _userHandler = handler;
+                // Use the prototype setter so we don't infinite-loop on
+                // our own defineProperty. The wrapped handler applies
+                // the same filter as addEventListener.
+                const proto = Object.getPrototypeOf(pc);
+                const desc = Object.getOwnPropertyDescriptor(proto, 'onicecandidate');
+                if (desc && desc.set) {
+                  desc.set.call(pc, typeof handler === 'function'
+                    ? function(event) { if (stripCandidate(event)) handler.call(this, event); }
+                    : handler);
+                }
+              };
+              maskAsNative(getOnIceCandidate, 'get onicecandidate');
+              maskAsNative(setOnIceCandidate, 'set onicecandidate');
               Object.defineProperty(pc, 'onicecandidate', {
-                get: () => _onicecandidateHandler,
-                set: (handler) => {
-                  _onicecandidateHandler = handler;
-                  // No-op — the addEventListener wrapper above handles filtering
-                },
+                get: getOnIceCandidate,
+                set: setOnIceCandidate,
                 configurable: true
               });
-              
+
               return pc;
             };
             Object.setPrototypeOf(window.RTCPeerConnection, OriginalRTC);
@@ -1635,29 +1875,46 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             return imageData;
           };
 
-          const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
-          HTMLCanvasElement.prototype.toDataURL = function(...args) {
-            // Apply same deterministic noise by reading through spoofed getImageData
+          // Cache of canvases already noised in their current bytes. toDataURL
+          // and toBlob both do a getImageData + putImageData round-trip to
+          // bake noise into the canvas before the actual export. Each
+          // round-trip is O(width × height) -- ~2M iterations for a 1920x1080
+          // canvas, capped at 500k pixels via the size guard below.
+          //
+          // Repeated calls on the SAME canvas don't need re-noising: the
+          // first call already wrote noised pixel data into the canvas via
+          // putImageData. Skip the round-trip for subsequent calls; the
+          // canvas backing store still has the noised content. Trade-off:
+          // if a page redraws between calls (canvas.drawImage, fillRect,
+          // etc.), the new content won't be re-noised. Acceptable for the
+          // common fingerprinter pattern (draw probe content -> single
+          // toDataURL -> compare to known signature); pathological for
+          // animated canvases that re-toDataURL per frame. WeakMap so a
+          // GC'd canvas drops its noise-cache entry automatically.
+          const noisedCanvases = new WeakMap();
+
+          const applyCanvasNoise = function(canvas) {
+            if (noisedCanvases.has(canvas)) return;
             try {
-              const ctx = this.getContext('2d');
-              if (ctx && this.width > 0 && this.height > 0 && this.width * this.height < 500000) {
-                const imageData = ctx.getImageData(0, 0, this.width, this.height);
+              const ctx = canvas.getContext('2d');
+              if (ctx && canvas.width > 0 && canvas.height > 0 && canvas.width * canvas.height < 500000) {
+                const imageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
                 ctx.putImageData(imageData, 0, 0);
+                noisedCanvases.set(canvas, true);
               }
             } catch (e) {} // WebGL or other context — skip
+          };
+
+          const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
+          HTMLCanvasElement.prototype.toDataURL = function(...args) {
+            applyCanvasNoise(this);
             return originalToDataURL.apply(this, args);
           };
 
           const originalToBlob = HTMLCanvasElement.prototype.toBlob;
           if (originalToBlob) {
             HTMLCanvasElement.prototype.toBlob = function(callback, ...args) {
-              try {
-                const ctx = this.getContext('2d');
-                if (ctx && this.width > 0 && this.height > 0 && this.width * this.height < 500000) {
-                  const imageData = ctx.getImageData(0, 0, this.width, this.height);
-                  ctx.putImageData(imageData, 0, 0);
-                }
-              } catch (e) {}
+              applyCanvasNoise(this);
               return originalToBlob.call(this, callback, ...args);
             };
           }
@@ -1856,10 +2113,17 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (typeof window.fetch === 'function') maskAsNative(window.fetch, 'fetch');
           if (typeof window.PointerEvent === 'function') maskAsNative(window.PointerEvent, 'PointerEvent');
           if (typeof console.debug === 'function') maskAsNative(console.debug, 'debug');
+          // Methods added in this session — same toString-tampering concern.
+          if (typeof window.matchMedia === 'function') maskAsNative(window.matchMedia, 'matchMedia');
+          if (typeof document.hasStorageAccess === 'function') maskAsNative(document.hasStorageAccess, 'hasStorageAccess');
+          if (typeof navigator.getInstalledRelatedApps === 'function') maskAsNative(navigator.getInstalledRelatedApps, 'getInstalledRelatedApps');
 
           // Mask property getters on navigator
+          // 'userActivation' added in this session; 'productSub'/'vendorSub'
+          // are this commit's additions alongside the existing vendor/product.
           const navProps = ['userAgentData', 'connection', 'pdfViewerEnabled', 'webdriver',
-                            'hardwareConcurrency', 'deviceMemory', 'platform', 'maxTouchPoints'];
+                            'hardwareConcurrency', 'deviceMemory', 'platform', 'maxTouchPoints',
+                            'userActivation', 'vendor', 'product', 'productSub', 'vendorSub'];
           navProps.forEach(prop => {
             // Check both instance and prototype (webdriver lives on prototype)
             const desc = Object.getOwnPropertyDescriptor(navigator, prop)
@@ -1867,8 +2131,18 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             if (desc?.get) maskAsNative(desc.get, 'get ' + prop);
           });
 
-          // Mask window property getters
-          ['screenX', 'screenY', 'outerWidth', 'outerHeight'].forEach(prop => {
+          // Mask Notification.permission getter (static property, added this session).
+          if (typeof Notification !== 'undefined') {
+            const npDesc = Object.getOwnPropertyDescriptor(Notification, 'permission');
+            if (npDesc?.get) maskAsNative(npDesc.get, 'get permission');
+          }
+
+          // Mask screen.orientation getter (added this session).
+          const orientDesc = Object.getOwnPropertyDescriptor(window.screen, 'orientation');
+          if (orientDesc?.get) maskAsNative(orientDesc.get, 'get orientation');
+
+          // Mask window property getters — screenLeft/Top added this session.
+          ['screenX', 'screenY', 'screenLeft', 'screenTop', 'outerWidth', 'outerHeight'].forEach(prop => {
             const desc = Object.getOwnPropertyDescriptor(window, prop);
             if (desc?.get) maskAsNative(desc.get, 'get ' + prop);
           });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fanboynz/network-scanner",
-  "version": "3.0.2",
+  "version": "3.0.3",
   "description": "A Puppeteer-based network scanner for analyzing web traffic, generating adblock filter rules, and identifying third-party requests. Features include fingerprint spoofing, Cloudflare bypass, content analysis with curl/grep, and multiple output formats.",
   "main": "nwss.js",
   "scripts": {

package/scripts/test-stealth.js

@@ -70,7 +70,7 @@ const TARGETS = [
     extract: async (page) => {
       return await page.evaluate(() => {
         const cells = Array.from(document.querySelectorAll('td'));
-        const out = { passed: 0, failed: 0, warn: 0, total: 0, failures: [] };
+        const out = { passed: 0, failed: 0, warn: 0, total: 0, failures: [], warnings: [] };
         for (const c of cells) {
           const cls = c.className || '';
           if (cls.includes('passed')) { out.passed++; out.total++; }
@@ -81,7 +81,14 @@ const TARGETS = [
             const label = row?.querySelector('td')?.textContent?.trim() || '?';
             out.failures.push(label);
           }
-          else if (cls.includes('warn')) { out.warn++; out.total++; }
+          else if (cls.includes('warn')) {
+            out.warn++; out.total++;
+            // Capture warn-row labels too so a soft regression (cell moving
+            // passed -> warn) is debuggable without --headful.
+            const row = c.closest('tr');
+            const label = row?.querySelector('td')?.textContent?.trim() || '?';
+            out.warnings.push(label);
+          }
         }
         return out;
       });
@@ -97,15 +104,29 @@ const TARGETS = [
       await new Promise(r => setTimeout(r, 8000)); // give async tests time
       return await page.evaluate(() => {
         const text = document.body.innerText || '';
-        // CreepJS reports a "Trust Score" percentage and individual signal entries.
-        const trustMatch = text.match(/Trust Score[:\s]+(\d+(?:\.\d+)?)\s*%/i);
-        const lieMatch = text.match(/lies[:\s]+(\d+)/i);
-        const botMatch = text.match(/bot[:\s]+(true|false)/i);
+        // CreepJS's actual stealth-relevant outputs are in a "Headless"
+        // section as percentages (e.g. "67% headless", "40% stealth",
+        // "44% like headless"), not the "Trust Score" label the old
+        // regex expected. Engine identification comes from "chromium:
+        // true/false" in the same block. Lower headless % and higher
+        // stealth % are better for evasion.
+        const headlessMatch = text.match(/(\d+(?:\.\d+)?)\s*%\s+headless\b/i);
+        const likeHeadlessMatch = text.match(/(\d+(?:\.\d+)?)\s*%\s+like\s+headless/i);
+        const stealthMatch = text.match(/(\d+(?:\.\d+)?)\s*%\s+stealth\b/i);
+        const chromiumMatch = text.match(/chromium\s*:\s*(true|false)/i);
+        // FP ID is CreepJS's stable fingerprint hash — same value across
+        // reloads if the fingerprint is unchanged; lets you A/B before
+        // and after a spoof change.
+        const fpIdMatch = text.match(/FP\s*ID\s*:?\s*([0-9a-f]{16,})/i);
         return {
-          trustScore: trustMatch ? parseFloat(trustMatch[1]) : null,
-          lies: lieMatch ? parseInt(lieMatch[1], 10) : null,
-          botDetected: botMatch ? botMatch[1] === 'true' : null,
-          excerpt: text.split('\n').slice(0, 15).join('\n').slice(0, 400)
+          headlessPct: headlessMatch ? parseFloat(headlessMatch[1]) : null,
+          likeHeadlessPct: likeHeadlessMatch ? parseFloat(likeHeadlessMatch[1]) : null,
+          stealthPct: stealthMatch ? parseFloat(stealthMatch[1]) : null,
+          isChromium: chromiumMatch ? chromiumMatch[1] === 'true' : null,
+          fpId: fpIdMatch ? fpIdMatch[1].slice(0, 16) : null,
+          // Larger excerpt (40 lines, up to 2KB) so a future UI rotation
+          // is debuggable from the output without --headful.
+          excerpt: text.split('\n').slice(0, 40).join('\n').slice(0, 2000)
         };
       });
     }
@@ -165,10 +186,15 @@ function formatResult(target, result) {
     if (result.failures.length) {
       lines.push(`  failure rows: ${result.failures.slice(0, 10).join(', ')}${result.failures.length > 10 ? ` ... +${result.failures.length - 10} more` : ''}`);
     }
+    if (result.warnings && result.warnings.length) {
+      lines.push(`  warn rows: ${result.warnings.slice(0, 10).join(', ')}${result.warnings.length > 10 ? ` ... +${result.warnings.length - 10} more` : ''}`);
+    }
   } else if (target.name === 'creepjs') {
-    lines.push(`  trust score: ${result.trustScore ?? 'n/a'}%`);
-    lines.push(`  lies detected: ${result.lies ?? 'n/a'}`);
-    lines.push(`  bot flagged: ${result.botDetected ?? 'n/a'}`);
+    lines.push(`  FP ID: ${result.fpId ?? 'n/a'}  (stable across reloads if fingerprint unchanged)`);
+    lines.push(`  engine chromium: ${result.isChromium ?? 'n/a'}`);
+    lines.push(`  headless score: ${result.headlessPct ?? 'n/a'}%  (lower = better; 0% = real browser)`);
+    lines.push(`  like-headless: ${result.likeHeadlessPct ?? 'n/a'}%  (lower = better; soft headless signals)`);
+    lines.push(`  stealth score: ${result.stealthPct ?? 'n/a'}%  (lower = better; % likely to be using anti-detection tooling)`);
     if (result.excerpt) lines.push(`  excerpt:\n    ${result.excerpt.split('\n').join('\n    ')}`);
   } else if (target.name === 'browserleaks') {
     for (const [k, v] of Object.entries(result)) {