or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

chrome-evasions.mdcore-plugin.mdfingerprinting-evasions.mdindex.mdmisc-evasions.mdnavigator-evasions.mdwindow-frame-evasions.md

misc-evasions.mddocs/

0
# Miscellaneous Evasions
1


2
Additional evasion techniques for launch arguments modification and source code obfuscation. These evasions address various detection methods that don't fit into other categories but are important for comprehensive stealth operation.
3


4
## Capabilities
5


6
### Default Arguments Evasion
7


8
Modifies default Puppeteer launch arguments to prevent detection through command-line argument analysis.
9


10
```javascript { .api }
11
// Evasion name: 'defaultArgs'
12
// Modifies: Default Chrome launch arguments to remove automation indicators
13
```
14


15
This evasion:
16
- Removes or modifies Chrome launch arguments that indicate automation
17
- Adds arguments that make the browser appear more like a regular user's browser
18
- Handles arguments that could reveal headless or automated operation
19
- Ensures the browser is launched with stealth-friendly default arguments
20


21
**Common Argument Modifications:**
22
- Removes `--enable-automation` flag
23
- Modifies `--disable-blink-features` to hide automation features
24
- Adjusts user data directory settings
25
- Configures extension and plugin arguments for realistic behavior
26


27
**Detection Method Prevented:**
28
```javascript
29
// Process inspection that could detect automation arguments
30
// This happens outside the browser context, in the system process list
31
// Example: ps aux | grep chrome | grep "enable-automation"
32
// The evasion ensures such automation indicators are not present
33
```
34


35
**Usage Examples:**
36


37
```javascript
38
const puppeteer = require('puppeteer-extra');
39
const StealthPlugin = require('puppeteer-extra-plugin-stealth');
40


41
// Enable default arguments evasion
42
const argsStealth = StealthPlugin({
43
  enabledEvasions: new Set(['defaultArgs'])
44
});
45


46
puppeteer.use(argsStealth);
47


48
// Launch arguments will be automatically modified
49
const browser = await puppeteer.launch({
50
  headless: true,
51
  // The evasion will modify the final launch arguments
52
  // to remove automation indicators
53
});
54
```
55


56
### Source URL Evasion
57


58
Removes source URL traces from injected JavaScript code to prevent detection through source inspection.
59


60
```javascript { .api }
61
// Evasion name: 'sourceurl'
62
// Removes: //# sourceURL= comments from injected scripts
63
```
64


65
This evasion:
66
- Strips `//# sourceURL=` comments from injected JavaScript
67
- Removes file path traces that could reveal automation
68
- Cleans up source mapping information that indicates injection
69
- Prevents detection through JavaScript source inspection
70


71
**Detection Method Prevented:**
72
```javascript
73
// This detection method will be fooled:
74
const scripts = Array.from(document.scripts);
75
const hasSourceURL = scripts.some(script => 
76
  script.innerHTML.includes('sourceURL=')
77
);
78


79
if (hasSourceURL) {
80
  // Would detect injected code with source URL traces
81
} else {
82
  // Assumes naturally loaded scripts
83
}
84
```
85


86
**Source URL Examples:**
87


88
Before evasion:
89
```javascript
90
// Injected code might contain:
91
function myFunction() { /* code */ }
92
//# sourceURL=__puppeteer_evaluation_script__
93
```
94


95
After evasion:
96
```javascript
97
// Clean code without source traces:
98
function myFunction() { /* code */ }
99
```
100


101
**Usage Examples:**
102


103
```javascript
104
const puppeteer = require('puppeteer-extra');
105
const StealthPlugin = require('puppeteer-extra-plugin-stealth');
106


107
// Enable source URL evasion
108
const sourceStealth = StealthPlugin({
109
  enabledEvasions: new Set(['sourceurl'])
110
});
111


112
puppeteer.use(sourceStealth);
113


114
const browser = await puppeteer.launch();
115
const page = await browser.newPage();
116


117
// Injected code will not contain source URL traces
118
await page.evaluate(() => {
119
  // This code injection will not leave sourceURL traces
120
  return document.title;
121
});
122


123
// Check for source URL traces (will find none with evasion enabled)
124
const hasTraces = await page.evaluate(() => {
125
  return Array.from(document.scripts).some(script => 
126
    script.innerHTML.includes('sourceURL=') || 
127
    script.innerHTML.includes('puppeteer')
128
  );
129
});
130


131
console.log('Has source traces:', hasTraces); // false
132
```
133


134
## Implementation Details
135


136
### Default Arguments Processing
137


138
The default arguments evasion works during the browser launch phase:
139


140
1. **Argument Interception**: Captures the default Chrome launch arguments
141
2. **Automation Flag Removal**: Removes `--enable-automation` and similar flags
142
3. **Stealth Argument Addition**: Adds arguments that improve stealth operation
143
4. **User Agent Coordination**: Ensures arguments align with user agent settings
144
5. **Extension Handling**: Configures extension-related arguments appropriately
145


146
**Common Arguments Modified:**
147
```javascript
148
// Arguments that may be removed or modified:
149
'--enable-automation'                    // Removed (automation indicator)
150
'--disable-blink-features=AutomationControlled'  // Added by other evasions
151
'--disable-default-apps'                 // May be modified
152
'--disable-extensions'                   // May be modified for realism
153
```
154


155
### Source URL Cleaning
156


157
The source URL evasion processes injected code:
158


159
1. **Code Injection Interception**: Monitors all `page.evaluate()` and similar calls
160
2. **Source URL Detection**: Finds `//# sourceURL=` comments in injected code
161
3. **Trace Removal**: Strips source URL comments before execution
162
4. **Clean Execution**: Runs the code without detectable injection traces
163
5. **Error Preservation**: Maintains error handling while removing traces
164


165
**Source URL Patterns Removed:**
166
```javascript
167
//# sourceURL=__puppeteer_evaluation_script__
168
//# sourceURL=pptr:evaluate
169
//# sourceURL=playwright:evaluate
170
//# sourceURL=/tmp/temporary-script
171
```
172


173
## Advanced Configuration
174


175
### Selective Argument Control
176


177
```javascript
178
// Enable only default arguments evasion
179
const argsOnly = StealthPlugin({
180
  enabledEvasions: new Set(['defaultArgs'])
181
});
182


183
// Combine with other evasions for comprehensive stealth
184
const fullStealth = StealthPlugin({
185
  enabledEvasions: new Set([
186
    'defaultArgs',      // Clean launch arguments
187
    'sourceurl',        // Clean injected code
188
    'navigator.webdriver', // Remove webdriver property
189
    'user-agent-override'  // Clean user agent
190
  ])
191
});
192
```
193


194
### Manual Launch Argument Override
195


196
Even with the default arguments evasion, you can still provide custom arguments:
197


198
```javascript
199
const browser = await puppeteer.launch({
200
  headless: true,
201
  args: [
202
    '--no-sandbox',
203
    '--disable-setuid-sandbox',
204
    '--custom-argument'
205
  ]
206
  // The evasion will still process and clean these arguments
207
});
208
```
209


210
## Security and Debugging Considerations
211


212
### Source URL Impact on Debugging
213


214
The source URL evasion removes debugging information that could be useful during development:
215


216
```javascript
217
// For development, you might want to disable source URL evasion
218
const devStealth = StealthPlugin({
219
  enabledEvasions: new Set([
220
    'navigator.webdriver',
221
    'user-agent-override'
222
    // 'sourceurl' disabled for easier debugging
223
  ])
224
});
225
```
226


227
### Launch Arguments and Security
228


229
The default arguments evasion modifies security-related arguments:
230


231
- **Removes automation flags**: Improves stealth but may affect some automation features
232
- **Modifies extension settings**: May impact extension-based functionality
233
- **Changes default policies**: Could affect browser security posture
234


235
### Production Usage
236


237
For production environments, both evasions are recommended:
238


239
```javascript
240
// Production stealth configuration
241
const productionStealth = StealthPlugin({
242
  enabledEvasions: new Set([
243
    'defaultArgs',        // Clean launch arguments
244
    'sourceurl',          // Remove code injection traces
245
    'navigator.webdriver', // Remove automation indicators
246
    'user-agent-override', // Clean user agent
247
    'chrome.runtime'      // Provide Chrome APIs
248
  ])
249
});
250
```
251


252
## Browser Compatibility
253


254
Miscellaneous evasions are designed for:
255
- **Chrome/Chromium**: Primary target for launch argument modification
256
- **Puppeteer**: Full compatibility with all Puppeteer launch options
257
- **Playwright**: Compatible with playwright-extra argument handling
258
- **Cross-Platform**: Works across different operating systems and environments
259


260
## Troubleshooting
261


262
### Launch Arguments Issues
263


264
If you experience issues with modified launch arguments:
265


266
```javascript
267
// Debug launch arguments
268
const browser = await puppeteer.launch({
269
  headless: true,
270
  dumpio: true // Enable console output to see actual arguments
271
});
272
```
273


274
### Source URL Detection Issues
275


276
If source URL cleaning affects debugging:
277


278
```javascript
279
// Temporarily disable for debugging
280
const debugStealth = StealthPlugin({
281
  enabledEvasions: new Set(['navigator.webdriver']) // Minimal set
282
});
283


284
// Or check if source URLs are being properly cleaned
285
await page.evaluate(() => {
286
  return document.documentElement.innerHTML.includes('sourceURL=');
287
});
288
```