What is user agent spoofing? And what are user agents in the first place? Is it a good or a bad thing?
If you’re curious about answers to these questions, you’re in luck. In this article, we’re addressing them all.
User Agent – definition
User Agent is software that uses a specific network protocol (eg. HTTP) and represents a user. One of its uses is to communicate between web servers and users.
Think of it like this – there’s you, the human using a computer. On that computer, you have a browser that you’re using to access various sites. Whenever you try to access a certain website, your browser sends some information to that website’s server in order for you to be able to access it. In this case, the user agent is your browser.
Let’s get a bit more specific. In the process of communicating with web servers, user agents use what is referred to as a User Agent String (UAS). User Agent Strings are part of an HTTP request header.
User Agent String is a piece of information (textual, usually) that lets the server know the user’s browser type and its version, operating system, device (it’s usually important if it’s a desktop or a mobile device), and a software vendor.
Here’s an example of how it looks like –
Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
If you’re interested in what your browser’s user agent looks like, you can check one of the numerous websites that will give you this information.
User Agent Spoofing – what is it?
When talking about user agent spoofing it’s important to mention that all of the information in the UAS can be modified relatively easily.
And this is actually what’s usually meant when someone mentions user agent spoofing. It refers to a process of changing information in the UAS to not reflect the genuine user’s details.
For example, someone could easily change the part of their UAS referring to the device type. This way, they’d be able to visit mobile versions of websites on desktop and vice versa. More on the reasons why someone would do this later.
As we can see, user agent spoofing in itself doesn’t really mean anything inherently good or bad. It’s a neutral, technical term.
User Agent Spoofing – is it bad?
Many people, when they first hear the term user agent spoofing relate it to something negative. After all, spoofing does mean something silly, irritating, or simply a trick.
However, as we’ve already mentioned, user agent spoofing is a neutral term on its own. It depends on what you do with the ability to change your user agent information.
Certain web browsers are essentially forced to change their user agent string because otherwise, servers wouldn’t send them any content. This is a case when Android browsers identify themselves as Safari in order to aid compatibility.
Another use case of user agent spoofing would be by marketing specialists. For example, a certain campaign could be targeting mobile users only. A marketing specialist could quickly change their UAS in order to be able to check if the relevant content is being shown on devices other than mobile.
However, there is a malicious use case for user agent spoofing. It’s done by web scrapers in order to mask themselves from the website’s bot protection solutions. Web scrapers can cloak themselves in order to appear as regular website visitors. This is done so they can access the website and gather the data on it.
What’s important here is that filtering out malicious traffic as a bot protection measure is very inefficient. As we have already shown, user agent spoofing is very easy to do. Believe it or not – even Google has released a Chrome extension so that Chrome users can change their UAS.
They’ve done this so that, among other things, developers can change user agents on the fly when developing websites for mobile and desktop versions.
As we have seen user agent spoofing should first and foremost be looked at as a technical tool.
The use cases can differ, and they can indeed be used for malicious purposes. In some cases even, bots can spoof their user agents as a method of conducting DDoS attacks more easily.
On the other hand, it’s something that can be used by marketing specialists and web developers in order to check if their campaigns or websites are working as intended.
If you’re a website owner who is concerned about malicious bots that can change their user agent when visiting your site, there’s one thing you should consider doing.
You can diagnose your website’s bot protection using BotMeNot. You’ll see your strong points and weak points and be able to improve your bot protection accordingly.