Differences

This shows you the differences between two versions of the page.

--- diy:user-agent-spoofing [2025/09/10 14:33] – Humphrey Boa-Gart
+++ diy:user-agent-spoofing [2025/10/03 08:17] (current) – [User Agent Spoofing] Humphrey Boa-Gart
@@ Line 1: / Line 1: @@
 ====== User Agent Spoofing ======
-When a browser or bot requests a webpage, it sends a User-Agent [[tools:http-header|HTTP header]] containing a string of text that describes the client. So, if you are using **Firefox** on Windows to browse the web, it is sending this string of text to every website you visit, where it is visible by the server and any embedded scripts like banner advertising:
+When a browser or bot requests a webpage, it sends a User-Agent [[tools:http-headers|HTTP header]] containing a string of text that describes the client. So, if you are using **Firefox** on Windows to browse the web, it is sending this string of text to every website you visit, where it is visible by the server and any embedded third-party scripts like banner advertising:
   Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0
+Fortunately, these things are very easy to change on your end before they are sent out. By the end of this article, you will have learned multiple ways how.
+To view your own User-Agent as seen by our server //(or test to see if you have spoofed yours correctly)// please visit the ORL's [[https://whereami.bestpoint.institute|Triangulation Station]] to orient yourself.
+===== Why It's Important =====
+If you can't guess why using your naked User-Agent might be a bad idea during [[:op|operations]], consider the following examples:
+  * You are artificially increasing the amount of views on a page to trick an advertising company into paying you more money. They see all the impressions are using the same User-Agent and obviously coming from the same person, and kick you off the platform.
+  * You are committing some kind of serious crime on the internet. The User-Agent you passed when committing the crime is used as correlating evidence against you in court, after they get a warrant to seize & examine your computer.
+  * You're using a crude ''curl'' or ''wget'' script to [[tactics:ddos|DDOS]] someone's website. You've even figured out how to make it look like the attack is coming from multiple addresses, but you never changed the User-Agent. The system administrator who is called in to look at it sees that all these requests are being sent using an obscure command-line utility, blocks your entire network at the firewall level, and then starts warning others about your botnet.
+All of these problems could have been avoided by simply manipulating HTTP headers before they are sent out!
+===== Example Strings =====
+If you need valid User-Agent strings to use in your spoofing adventures, here are some resources:
+  * [[https://www.whatismybrowser.com/guides/the-latest-user-agent/|WhatIsMyBrowser.com]] has a pretty comprehensive set of pages covering a wide variety of user agents.
+===== Application Specific Instructions =====
+Since User-Agent strings are set on the application level, how to spoof it depends on the type of software you are using. If you have multiple programs, you will have to spoof them all individually:
+==== Web Browsers ====
+Changing your browser's User-Agent is incredibly simple. Web developers need to make sure their applications work in multiple browsers, and will oftentimes spoof User-Agent strings with [[tools:developer-tools|tools]] & extensions //(see below)// to test for compatibility.
+//**IMPORTANT NOTE:** The following browser extensions have not been fully vetted by the **Anonymous Military Institute** and should be run with caution. Please inform the [[user:generowl|Dean]] if you find any of these to present major security risks!//
+=== Firefox ===
+This is by no means an exhaustive list, and we have not tried all of these, but it should be enough to get you started:
+  * [[https://addons.mozilla.org/en-US/firefox/addon/chrome-mask/]]
+  * [[https://addons.mozilla.org/en-US/firefox/addon/uaswitcher/]]
+  * [[https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/]]
+  * [[https://addons.mozilla.org/en-US/firefox/addon/random_user_agent/]]
+=== Brave & Chrome ===
+There are several extensions in the Chrome web store for these browsers:
+  * [[https://chromewebstore.google.com/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg]]
+  * [[https://chromewebstore.google.com/detail/user-agent-switcher/kchfmpdcejfkipopnolndinkeoipnoia]]
+  * [[https://chromewebstore.google.com/detail/random-user-agent-switche/einpaelgookohagofgnnkcfjbkkgepnp]]
+=== Edge ===
+  * [[https://microsoftedge.microsoft.com/addons/detail/useragent-switcher-and-m/cnjkedgepfdpdbnepgmajmmjdjkjnifa]]
+  * [[https://microsoftedge.microsoft.com/addons/detail/useragent-switcher/kfhpbcjoekokcapipficfgjadanhfmjb]]
+  * [[https://microsoftedge.microsoft.com/addons/detail/switch-useragents/ipacohcfiahhblhbpdnnmnolcakgooci]]
+  * [[https://microsoftedge.microsoft.com/addons/detail/useragent-switcher/npjnioaeoicmjokbdpfiecnbildopjad]]
+You can also create shortcuts that, when opened, tell Edge to use a custom user agent:
+  - Right-click the Microsoft Edge shortcut
+  - Select "Properties"
+  - In the "Target" field, add a space and then the command-line argument ''--user-agent="MyCustomAgent/1.0"''
+  - Click "Apply" and then "OK"
+=== Safari ===
+  - Click Safari > Preferences
+  - Click Advanced.
+  - Enable Show Developer menu in menu bar.
+  - Click Develop > User Agent > Other....
+  - Enter the custom UA string and click OK.
+==== Terminal Utilities ====
+=== cURL ===
+By default, curl sends a User-Agent string in the format ''curl/X.Y.Z'', where ''X.Y.Z'' represents the version of curl installed on your system. For example, ''curl/8.4.0''. There are several ways you can pass custom User-Agent strings:
+== -a ==
+Use the ''-a'' flag to directly set the User-Agent:
+  $ curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:142.0) Gecko/20100101 Firefox/142.0" https://example.com
+You can make up an entirely custom User-Agent as well. Be forewarned however that it works better if you set one that lets you [[tactics:lurk-moar|blend in]] with the crowd:
+  $ curl --user-agent "MyCustomAgent/1.0" https://example.com
+== --user-agent ==
+Use the ''--user-agent'' flag, which works the same way as ''-a'':
+  $ curl --user-agent "MyCustomAgent/1.0" https://example.com
+== -H ==
+Since the User-Agent is passed as an [[tools:http-headers|HTTP header]], you can also change the User-Agent by using the ''-H'' or ''--header'' flag, which lets you manipulate headers:
+  $ curl --header "User-Agent: MyCustomAgent/1.0" https://example.com
+  - or -
+  $ curl -H "User-Agent: MyCustomAgent/1.0" https://example.com
+=== Newsboat ===
+To spoof the User-Agent in [[tools:rss#newsboat|Newsboat]], add the following line to your ''.config/newsboat/config'' file:
+  user-agent "MyCustomAgent/1.0"
+=== wget ===
+By default, [[tools:wget|Wget]] sends a User-Agent string in the format ''Wget/X.Y.Z'', where ''X.Y.Z'' represents the installed version of Wget. For example, if you have Wget version 1.21.4, the default User-Agent would be ''Wget/1.21.4''.
+To set a custom User-Agent, use the ''-u'' or ''--user-agent'' flags:
+  $ wget --user-agent="MyCustomAgent/1.0" https://example.com
+  - or -
+  $ wget -u="MyCustomAgent/1.0" https://example.com
+For more information on how to use ''wget'', read the [[tools:wget|Wget article]].
 {{tag>Tutorials Security}}

User Tools

Site Tools

Differences