The growing use of WebGL fingerprinting in bot detection is a big threat to web scraping. This detection technique is nothing like the others. It leverages unique hardware identifiers that are difficult to bypass.
You'll learn how WebGL fingerprinting works, its impact on data extraction, and how to bypass it reliably when scraping.
What Is WebGL Fingerprinting?
WebGL fingerprinting is a technique for uniquely identifying users based on how their machines produce interactive 2D and 3D graphics on a browser's HTML canvas. The outcome of WebGL fingerprinting relies heavily on the machine's graphics processing unit (GPU) configuration, which often varies across systems.
The following factors influence the WebGL fingerprinting output:
- Variation in the GPU model.
- The driver types and versions on the host machine's GPU.
- The number of GPUs on the device.
- The GPU's memory size and compute capabilities.
- GPU-to-motherboard connection pattern.
- Browser type, version, and rendering behavior.
Anti-bots leverage this information to track and identify users based on their device's WebGL output.
How Does WebGL Fingerprinting Work?
The smallest GPU configuration detail, such as pixel positioning, image texture, plugins, canvas size, and more, can be used to distinguish WebGL properties across various machines and browsers.
The entire WebGL fingerprinting process starts with a rendering test and ends with hashing and identification. Here's the typical WebGL fingerprinting workflow:
- Rendering test: The browser loads the WebGL fingerprinting script from the website and creates the WebGL context within a hidden HTML Canvas. The script then prompts the browser to produce a specific 2D or 3D graphic on the Canvas, with a scene capturing subtle details in rendering behavior.
- Reading pixel data: The next step is to extract pixel data from the rendered output. This includes capturing shader and texture information to analyze pixel color, image patterns, and shape gradients.
- WebGL parameter collection: The fingerprinting script queries various WebGL parameters generated throughout the rendering pipeline. These include supported extensions, maximum texture size, shading language version, vendor and renderer strings, and more.
- Fingerprint hashing: The generated parameters are combined and hashed into a unique value, making the fingerprint transferable to a server.
- Fingerprint identification: The hashed fingerprint is sent to a target website's server, which creates a unique identity for the incoming request. This way, the server can recognize the browser on subsequent visits.
Below is a sample WebGL fingerprinting test on BrowserLeaks, showing the WebGL image and hash string:
Most modern websites send the WebGL fingerprinting hash to an anti-bot service for further analysis. These protection services compare the incoming fingerprinting hash with those of known bots for suspicious patterns. If the fingerprinted client (browser) has patterns similar to a known bot, the anti-bot technology blocks its request.
What Information Is Collected Through WebGL Fingerprinting?
WebGL fingerprinting renders graphics in the browser to collect hardware information, including GPU and browser details. The following information is collected to form a WebGL fingerprint.
Browser and WebGL Context Details
WebGL fingerprinting first creates a context, defining the environment for rendering graphics. This environment describes shapes, textures, and shader programs that control how pixels are drawn on the screen. This context information is exposed during WebGL fingerprinting, allowing the server to determine the specific event leading to the creation of the final graphics output for a given device.
GPU and Driver Information
WebGL fingerprinting collects various hardware details, such as the GPU model, vendor, available memory, rendering capabilities, driver information, and sometimes even the number of GPUs present. These characteristics are often unique to each device.
For example, NVIDIA and AMD GPUs behave differently when rendering the same scene. Even if two machines have the same GPU model, differences in GPU memory, driver versions, rendering speed, or subtle hardware variations (like how the GPU is connected to the motherboard) can contribute to a unique fingerprint.
Rendered Outputs
Minor details in the generated image pixels, texture, color profile, shadows, canvas size, and patterns vary, depending on the GPU and browser configuration. WebGL fingerprinting uses the differences in these details to identify each device sending a request at a given time.
Why Is WebGL Fingerprinting Hard to Bypass?
One of the most common ways of bypassing fingerprinting is to spoof it. Unfortunately, unlike other fingerprinting techniques, WebGL fingerprinting is more difficult to bypass due to its reliance on hardware-level data, which is almost impossible to simulate.
Complete WebGL spoofing requires precisely matching each hardware input with its expected rendering behavior. Achieving this requires a significant amount of coding time and resources, which is often unsustainable due to hardware diversity and risks of mismatches in configuration.
While headless browsers like Selenium and Playwright can spoof browser-level information, they don't cover for hardware-level data collected by WebGL fingerprinting. This makes headless browsers unfit for spoofing WebGL fingerprints.
In the next section, you'll see how to bypass WebGL fingerprinting.
The Best Way to Bypass WebGL Fingerprinting
Unless adequately spoofed to evade the initial anti-bot checks, WebGL fingerprinting is a great challenge to sustainable web scraping. Manual reverse WebGL fingerprint engineering yields some results but fails after a few requests.
The best way to reliably bypass WebGL fingerprinting and other anti-bot measures at scale is to use a scraping solution, such as the ZenRows Universal Scraper API. ZenRows proactively handles fingerprinting and other blockers, such as CAPTCHAs, IP bans, geo-blocking, and more, under the hood. This lets you focus on data collection rather than wasting time, resources, and effort debugging scraper failures.
ZenRows is compatible with any programming language, and all you need to power your web scraper is a single API call.
Let's see how ZenRows' Universal Scraper API works by scraping the Antibot Challenge page, a heavily protected website.
Sign up and go to the Request Builder. Then, paste the target URL in the link box and activate Premium Proxies and JS Rendering.
Select your preferred programming language (Python, in this case) and choose the API connection mode. Copy the generated code and paste it into your scraper.
The generated Python code should look like this:
# pip3 install requests
import requests
url = "https://www.scrapingcourse.com/antibot-challenge"
apikey = "<YOUR_ZENROWS_API_KEY>"
params = {
"url": url,
"apikey": apikey,
"js_render": "true",
"premium_proxy": "true",
}
response = requests.get("https://api.zenrows.com/v1/", params=params)
print(response.text)
The above code bypasses the anti-bot challenge and outputs the protected site's full-page HTML, as shown:
<html lang="en">
<head>
<!-- ... -->
<title>Antibot Challenge - ScrapingCourse.com</title>
<!-- ... -->
</head>
<body>
<!-- ... -->
<h2>
You bypassed the Antibot challenge! :D
</h2>
<!-- other content omitted for brevity -->
</body>
</html>
Congratulations! 🎉 You just used ZenRows to bypass an advanced anti-bot protection. You can now say goodbye to getting blocked during web scraping.
Other Methods to Bypass WebGL Detection
We've provided the most reliable solution for bypassing WebGL fingerprinting above. However, you might want to tread the following open-source paths if you don't mind the technicalities involved.
- WebGL Spoofing Extensions: Browser extensions like WebGL Fingerprint Defender modify Chrome's WebGL properties with fake data. This can prevent web servers from uniquely identifying your device through its WebGL information. You can configure tools like Selenium to use this extension with your native browser by loading the extension path from its installation location. That said, advanced anti-bot measures can still detect that you're using a spoofed WebGL fingerprint and block your scraper.
- Custom Browser Profiles: Stealth tools like Puppeteer Stealth and SeleniumBase with Undetected ChromeDriver can help evade anti-bots by spoofing the native browser runtime. However, these tools are often unreliable against hardware-based checks like WebGL fingerprinting. And considering they're open-source, anti-bot technologies often quickly clamp down on their evasion strategies.
- GPU Virtualization: Another way to bypass WebGL fingerprinting is by running scraping requests on virtualized GPUs. These GPUs often share similar WebGL data, making them less susceptible to fingerprinting. The limitation of this approach is that it can be costly, and worse, it has the possibility of failure.
Although these open-source solutions can be handy, they're usually unreliable, especially when scraping on a large scale. Implementing them is also often challenging and time-consuming.
WebGL Fingerprinting vs. Canvas Fingerprinting
WebGL fingerprinting and Canvas fingerprinting are closely related because they both check rendering behavior.
Canvas fingerprinting is a technique that analyzes how a browser renders 2D graphics on the HTML5 Canvas. Unlike WebGL, Canvas fingerprinting is mainly influenced by the browser's graphics stack and rendering engine. Canvas fingerprinting is relatively easier to bypass than WebGL fingerprinting.
Conversely, WebGL fingerprinting analyzes how the machine renders both 2D and 3D graphics on the browser based on its GPU properties. It provides lower-level details about the rendering device, including browser and hardware properties, making it more accurate and difficult to bypass during web scraping.
For instance, you can simply spoof the Canvas fingerprint by intercepting its script to read data from a custom static image. WebGL fingerprints aren't as easy to simulate as they require accurately mimicking the behavior of specific graphics hardware, drivers, and rendering pipelines.
Conclusion
WebGL fingerprinting is a powerful and accurate technique for tracking unique GPU properties. Bypassing it during scraping is challenging due to its dependence on the device's hardware data. And while open-source solutions can help, they either don't work at all or fail after a few requests.
We recommend using the Universal Scraper API to bypass all anti-bot measures at scale. ZenRows is your one-stop solution for scraping any website without limitations.