User Agent Spoofing

When a browser or bot requests a webpage, it sends a User-Agent HTTP header containing a string of text that describes the client. So, if you are using Firefox on Windows to browse the web, it is sending this string of text to every website you visit, where it is visible by the server and any embedded third-party scripts like banner advertising:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0

Fortunately, these things are very easy to change on your end before they are sent out. By the end of this article, you will have learned multiple ways how.

To view your own User-Agent as seen by our server (or test to see if you have spoofed yours correctly) please visit the ORL's Triangulation Station to orient yourself.

If you can't guess why using your naked User-Agent might be a bad idea during operations, consider the following examples:

• You are artificially increasing the amount of views on a page to trick an advertising company into paying you more money. They see all the impressions are using the same User-Agent and obviously coming from the same person, and kick you off the platform.

• You are committing some kind of serious crime on the internet. The User-Agent you passed when committing the crime is used as correlating evidence against you in court, after they get a warrant to seize & examine your computer.

• You're using a crude curl or wget script to DDOS someone's website. You've even figured out how to make it look like the attack is coming from multiple addresses, but you never changed the User-Agent. The system administrator who is called in to look at it sees that all these requests are being sent using an obscure command-line utility, blocks your entire network at the firewall level, and then starts warning others about your botnet.

All of these problems could have been avoided by simply manipulating HTTP headers before they are sent out!

If you need valid User-Agent strings to use in your spoofing adventures, here are some resources:

• WhatIsMyBrowser.com has a pretty comprehensive set of pages covering a wide variety of user agents.

Since User-Agent strings are set on the application level, how to spoof it depends on the type of software you are using. If you have multiple programs, you will have to spoof them all individually:

Changing your browser's User-Agent is incredibly simple. Web developers need to make sure their applications work in multiple browsers, and will oftentimes spoof User-Agent strings with tools & extensions (see below) to test for compatibility.

IMPORTANT NOTE: The following browser extensions have not been fully vetted by the Anonymous Military Institute and should be run with caution. Please inform the Dean if you find any of these to present major security risks!

This is by no means an exhaustive list, and we have not tried all of these, but it should be enough to get you started:

• https://addons.mozilla.org/en-US/firefox/addon/chrome-mask/
• https://addons.mozilla.org/en-US/firefox/addon/uaswitcher/
• https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/
• https://addons.mozilla.org/en-US/firefox/addon/random_user_agent/

There are several extensions in the Chrome web store for these browsers:

• https://chromewebstore.google.com/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg
• https://chromewebstore.google.com/detail/user-agent-switcher/kchfmpdcejfkipopnolndinkeoipnoia
• https://chromewebstore.google.com/detail/random-user-agent-switche/einpaelgookohagofgnnkcfjbkkgepnp

• https://microsoftedge.microsoft.com/addons/detail/useragent-switcher-and-m/cnjkedgepfdpdbnepgmajmmjdjkjnifa
• https://microsoftedge.microsoft.com/addons/detail/useragent-switcher/kfhpbcjoekokcapipficfgjadanhfmjb
• https://microsoftedge.microsoft.com/addons/detail/switch-useragents/ipacohcfiahhblhbpdnnmnolcakgooci
• https://microsoftedge.microsoft.com/addons/detail/useragent-switcher/npjnioaeoicmjokbdpfiecnbildopjad

You can also create shortcuts that, when opened, tell Edge to use a custom user agent:

1. Right-click the Microsoft Edge shortcut
2. Select “Properties”
3. In the “Target” field, add a space and then the command-line argument –user-agent=“MyCustomAgent/1.0”
4. Click “Apply” and then “OK”

1. Click Safari > Preferences
2. Click Advanced.
3. Enable Show Developer menu in menu bar.
4. Click Develop > User Agent > Other….
5. Enter the custom UA string and click OK.

By default, curl sends a User-Agent string in the format curl/X.Y.Z, where X.Y.Z represents the version of curl installed on your system. For example, curl/8.4.0. There are several ways you can pass custom User-Agent strings:

Use the -a flag to directly set the User-Agent:

$ curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0" https://example.com

You can make up an entirely custom User-Agent as well. Be forewarned however that it works better if you set one that lets you blend in with the crowd:

$ curl --user-agent "MyCustomAgent/1.0" https://example.com

Use the –user-agent flag, which works the same way as -a:

$ curl --user-agent "MyCustomAgent/1.0" https://example.com

Since the User-Agent is passed as an HTTP header, you can also change the User-Agent by using the -H or –header flag, which lets you manipulate headers:

$ curl --header "User-Agent: MyCustomAgent/1.0" https://example.com
- or -
$ curl -H "User-Agent: MyCustomAgent/1.0" https://example.com

To spoof the User-Agent in Newsboat, add the following line to your .config/newsboat/config file:

user-agent "MyCustomAgent/1.0"

By default, Wget sends a User-Agent string in the format Wget/X.Y.Z, where X.Y.Z represents the installed version of Wget. For example, if you have Wget version 1.21.4, the default User-Agent would be Wget/1.21.4.

To set a custom User-Agent, use the -u or –user-agent flags:

$ wget --user-agent="MyCustomAgent/1.0" https://example.com
- or -
$ wget -u="MyCustomAgent/1.0" https://example.com

For more information on how to use wget, read the Wget article.