@webdecoy/fcaptcha 1.0.3 → 1.1.0

package/detection.js

@@ -431,6 +431,317 @@ function analyzeFormInteraction(formAnalysis) {
   return detections;
 }
 
+// =============================================================================
+// Advanced Fingerprint Detection Functions
+// =============================================================================
+
+/**
+ * Analyze WebRTC signals for headless browser and VM detection
+ */
+function analyzeWebRTC(webrtcInfo) {
+  if (!webrtcInfo || !webrtcInfo.supported) return [];
+
+  const detections = [];
+
+  // Check media devices - headless browsers typically have 0 devices
+  const mediaDevices = webrtcInfo.mediaDevices || {};
+  if (mediaDevices.supported && mediaDevices.totalDevices === 0) {
+    detections.push({
+      category: 'headless',
+      score: 0.7,
+      confidence: 0.75,
+      reason: 'No media devices detected (typical of headless browsers)'
+    });
+  }
+
+  // Suspicious: has video inputs but no audio (unusual)
+  if (mediaDevices.supported && mediaDevices.videoInputs > 0 && mediaDevices.audioInputs === 0) {
+    detections.push({
+      category: 'bot',
+      score: 0.4,
+      confidence: 0.5,
+      reason: 'Has video devices but no audio devices (unusual configuration)'
+    });
+  }
+
+  // Check local IP detection - VMs and some headless setups may not expose local IPs
+  if (webrtcInfo.hasLocalIP === false && !webrtcInfo.localIPError) {
+    detections.push({
+      category: 'headless',
+      score: 0.4,
+      confidence: 0.5,
+      reason: 'No local IP addresses detected via WebRTC'
+    });
+  }
+
+  return detections;
+}
+
+/**
+ * Analyze Speech API signals - voices are OS/browser specific and hard to spoof
+ */
+function analyzeSpeechAPI(speechInfo) {
+  if (!speechInfo || !speechInfo.supported) return [];
+
+  const detections = [];
+
+  // No voices at all - suspicious
+  if (speechInfo.totalVoices === 0) {
+    detections.push({
+      category: 'headless',
+      score: 0.6,
+      confidence: 0.7,
+      reason: 'No speech synthesis voices available'
+    });
+  }
+
+  // Very few voices (less than 5) - could be headless or minimal VM
+  if (speechInfo.totalVoices > 0 && speechInfo.totalVoices < 5) {
+    detections.push({
+      category: 'headless',
+      score: 0.3,
+      confidence: 0.4,
+      reason: `Very few speech voices available (${speechInfo.totalVoices})`
+    });
+  }
+
+  // No local voices - all remote/network voices suggests unusual setup
+  if (speechInfo.localVoices === 0 && speechInfo.totalVoices > 0) {
+    detections.push({
+      category: 'bot',
+      score: 0.3,
+      confidence: 0.4,
+      reason: 'No local speech synthesis voices'
+    });
+  }
+
+  return detections;
+}
+
+/**
+ * Analyze Worker consistency - spoofed values often don't match between contexts
+ */
+function analyzeWorkerConsistency(workerConsistency) {
+  if (!workerConsistency || !workerConsistency.supported) return [];
+
+  const detections = [];
+
+  // Mismatches indicate fingerprint spoofing
+  if (!workerConsistency.consistent && workerConsistency.mismatchCount > 0) {
+    const score = Math.min(0.9, 0.3 + (workerConsistency.mismatchCount * 0.15));
+    detections.push({
+      category: 'bot',
+      score: score,
+      confidence: 0.85,
+      reason: `Worker/main thread mismatch detected: ${workerConsistency.mismatches.join(', ')}`
+    });
+  }
+
+  return detections;
+}
+
+/**
+ * Analyze CSS Media Queries for environment consistency
+ */
+function analyzeCSSMediaQueries(cssMedia, signals) {
+  if (!cssMedia || !cssMedia.supported) return [];
+
+  const detections = [];
+  const nav = (signals.environmental || {}).navigator || {};
+
+  // Check pointer consistency with touch capability
+  const maxTouch = nav.maxTouchPoints || 0;
+  if (cssMedia.pointer === 'coarse' && maxTouch === 0) {
+    detections.push({
+      category: 'bot',
+      score: 0.5,
+      confidence: 0.6,
+      reason: 'CSS reports coarse pointer but no touch support'
+    });
+  }
+
+  // Check hover capability - headless browsers may have unusual values
+  if (cssMedia.hover === false && cssMedia.pointer === 'fine') {
+    detections.push({
+      category: 'bot',
+      score: 0.3,
+      confidence: 0.4,
+      reason: 'Fine pointer reported but no hover capability'
+    });
+  }
+
+  // Forced colors mode with reduced motion - accessibility features
+  // Note: These are NOT suspicious on their own, just for fingerprinting
+  // Don't penalize accessibility users
+
+  return detections;
+}
+
+/**
+ * Analyze font detection results for consistency
+ */
+function analyzeFonts(fontsInfo, userAgent) {
+  if (!fontsInfo || !fontsInfo.supported) return [];
+
+  const detections = [];
+
+  // Very few fonts detected could indicate headless browser
+  if (fontsInfo.count < 3) {
+    detections.push({
+      category: 'headless',
+      score: 0.5,
+      confidence: 0.5,
+      reason: `Very few fonts detected (${fontsInfo.count})`
+    });
+  }
+
+  // Check OS-specific fonts against UA
+  const ua = (userAgent || '').toLowerCase();
+
+  // Windows UA but no Segoe UI
+  if (ua.includes('windows') && fontsInfo.hasSegoeUI === false && fontsInfo.count > 5) {
+    detections.push({
+      category: 'bot',
+      score: 0.5,
+      confidence: 0.6,
+      reason: 'Windows UA but Segoe UI font not detected'
+    });
+  }
+
+  // Mac UA but no SF Pro (modern macOS)
+  if ((ua.includes('mac os x') || ua.includes('macintosh')) && fontsInfo.hasSFPro === false &&
+      ua.includes('10_15') === false && ua.includes('10_14') === false && fontsInfo.count > 5) {
+    // SF Pro is on macOS 10.15+ (Catalina and later)
+    detections.push({
+      category: 'bot',
+      score: 0.3,
+      confidence: 0.4,
+      reason: 'Modern macOS UA but SF Pro font not detected'
+    });
+  }
+
+  // Linux UA but no DejaVu Sans (very common on Linux)
+  if (ua.includes('linux') && !ua.includes('android') &&
+      fontsInfo.hasDejaVuSans === false && fontsInfo.count > 5) {
+    detections.push({
+      category: 'bot',
+      score: 0.4,
+      confidence: 0.5,
+      reason: 'Linux UA but DejaVu Sans font not detected'
+    });
+  }
+
+  return detections;
+}
+
+/**
+ * Analyze permissions/API availability for headless detection
+ */
+function analyzePermissions(permissionsInfo) {
+  if (!permissionsInfo || !permissionsInfo.supported) return [];
+
+  const detections = [];
+
+  // Count available APIs
+  const apiKeys = [
+    'hasPermissionsAPI', 'hasClipboard', 'hasShare', 'hasCredentials',
+    'hasBluetooth', 'hasUsb', 'hasSerial', 'hasHid', 'hasXR',
+    'hasGeolocation', 'hasMIDI'
+  ];
+
+  const availableApis = apiKeys.filter(key => permissionsInfo[key] === true).length;
+
+  // Very few APIs available could indicate minimal/headless browser
+  if (availableApis < 3) {
+    detections.push({
+      category: 'headless',
+      score: 0.4,
+      confidence: 0.5,
+      reason: `Very few navigator APIs available (${availableApis})`
+    });
+  }
+
+  return detections;
+}
+
+/**
+ * Analyze DOMRect/geometry fingerprint for rendering anomalies
+ */
+function analyzeDOMRect(domRectInfo) {
+  if (!domRectInfo || !domRectInfo.supported) return [];
+
+  const detections = [];
+
+  // Check for zero or very small dimensions (rendering issues)
+  if (domRectInfo.rectAWidth === 0 || domRectInfo.rectBWidth === 0) {
+    detections.push({
+      category: 'headless',
+      score: 0.6,
+      confidence: 0.7,
+      reason: 'DOMRect rendering returned zero-width elements'
+    });
+  }
+
+  // Check for exact integer values (unusual in real browsers)
+  if (domRectInfo.rectAWidth === Math.floor(domRectInfo.rectAWidth) &&
+      domRectInfo.rectBWidth === Math.floor(domRectInfo.rectBWidth) &&
+      domRectInfo.rangeWidth === Math.floor(domRectInfo.rangeWidth)) {
+    detections.push({
+      category: 'bot',
+      score: 0.3,
+      confidence: 0.4,
+      reason: 'DOMRect measurements are all exact integers (unusual)'
+    });
+  }
+
+  return detections;
+}
+
+/**
+ * Master function to analyze all advanced fingerprint signals
+ */
+function analyzeAdvancedSignals(signals, userAgent) {
+  const detections = [];
+  const env = signals.environmental || {};
+
+  // WebRTC analysis
+  if (env.webrtcInfo) {
+    detections.push(...analyzeWebRTC(env.webrtcInfo));
+  }
+
+  // Speech API analysis
+  if (env.speechInfo) {
+    detections.push(...analyzeSpeechAPI(env.speechInfo));
+  }
+
+  // Worker consistency analysis
+  if (env.workerConsistency) {
+    detections.push(...analyzeWorkerConsistency(env.workerConsistency));
+  }
+
+  // CSS Media Queries analysis
+  if (env.cssMediaQueries) {
+    detections.push(...analyzeCSSMediaQueries(env.cssMediaQueries, signals));
+  }
+
+  // Font analysis
+  if (env.fontsInfo) {
+    detections.push(...analyzeFonts(env.fontsInfo, userAgent));
+  }
+
+  // Permissions analysis
+  if (env.permissionsInfo) {
+    detections.push(...analyzePermissions(env.permissionsInfo));
+  }
+
+  // DOMRect analysis
+  if (env.domRectFingerprint) {
+    detections.push(...analyzeDOMRect(env.domRectFingerprint));
+  }
+
+  return detections;
+}
+
 module.exports = {
   isDatacenterIP,
   checkIPReputation,
@@ -438,5 +749,14 @@ module.exports = {
   parseUserAgent,
   checkBrowserConsistency,
   checkJA3Fingerprint,
-  analyzeFormInteraction
+  analyzeFormInteraction,
+  // Advanced fingerprint detection functions
+  analyzeWebRTC,
+  analyzeSpeechAPI,
+  analyzeWorkerConsistency,
+  analyzeCSSMediaQueries,
+  analyzeFonts,
+  analyzePermissions,
+  analyzeDOMRect,
+  analyzeAdvancedSignals
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@webdecoy/fcaptcha",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "Open source CAPTCHA with PoW, bot detection, and Vision AI protection",
   "main": "index.js",
   "exports": {

package/server.js

@@ -171,6 +171,35 @@ const fingerprintStore = {
   }
 };
 
+// Token Store - prevents token replay attacks
+const tokenStore = {
+  usedTokens: new Set(),
+
+  // Mark a token as used (returns false if already used)
+  markUsed(tokenSig) {
+    if (this.usedTokens.has(tokenSig)) {
+      return false; // Already used
+    }
+    this.usedTokens.add(tokenSig);
+
+    // Cleanup old tokens periodically (tokens expire after 5 min anyway)
+    if (Math.random() < 0.1) this._cleanup();
+    return true;
+  },
+
+  isUsed(tokenSig) {
+    return this.usedTokens.has(tokenSig);
+  },
+
+  _cleanup() {
+    // In production with Redis, use TTL instead
+    // For in-memory, just clear if too large (tokens expire in 5 min)
+    if (this.usedTokens.size > 50000) {
+      this.usedTokens.clear();
+    }
+  }
+};
+
 // =============================================================================
 // Detection Patterns
 // =============================================================================
@@ -629,7 +658,7 @@ function generateToken(ip, siteKey, score) {
   return Buffer.from(JSON.stringify(data)).toString('base64url');
 }
 
-function verifyToken(token) {
+function verifyToken(token, ip = null) {
   try {
     const decoded = JSON.parse(Buffer.from(token, 'base64url').toString());
 
@@ -648,11 +677,28 @@ function verifyToken(token) {
       return { valid: false, reason: 'invalid_signature' };
     }
 
+    // Check for token replay (single-use tokens)
+    if (tokenStore.isUsed(sig)) {
+      return { valid: false, reason: 'token_already_used' };
+    }
+
+    // Verify IP matches (if provided)
+    if (ip) {
+      const expectedIpHash = crypto.createHash('sha256').update(ip).digest('hex').slice(0, 8);
+      if (decoded.ip_hash !== expectedIpHash) {
+        return { valid: false, reason: 'ip_mismatch' };
+      }
+    }
+
+    // Mark token as used (prevents replay)
+    tokenStore.markUsed(sig);
+
     return {
       valid: true,
       site_key: decoded.site_key,
       timestamp: decoded.timestamp,
-      score: decoded.score
+      score: decoded.score,
+      ip_hash: decoded.ip_hash
     };
   } catch (e) {
     return { valid: false, reason: e.message };
@@ -731,6 +777,10 @@ function runVerification(signals, ip, siteKey, userAgent, headers = {}, ja3Hash
     detections.push(...formDetections);
   }
 
+  // Add advanced fingerprint detection analysis
+  const advancedDetections = detection.analyzeAdvancedSignals(signals, userAgent);
+  detections.push(...advancedDetections);
+
   const categoryScores = calculateCategoryScores(detections);
   const finalScore = calculateFinalScore(categoryScores);
 
@@ -816,7 +866,19 @@ app.post('/api/score', (req, res) => {
 
 app.post('/api/token/verify', (req, res) => {
   const { token } = req.body;
-  res.json(verifyToken(token));
+
+  // Extract client IP for verification
+  let ip = req.headers['x-real-ip'] || '';
+  if (!ip) {
+    const forwarded = req.headers['x-forwarded-for'];
+    if (forwarded) {
+      ip = forwarded.split(',')[0].trim();
+    } else {
+      ip = req.socket.remoteAddress;
+    }
+  }
+
+  res.json(verifyToken(token, ip));
 });
 
 // PoW Challenge endpoint - client fetches this on page load