429:API Access Denied #213

Closed
we1townof opened this issue Mar 10, 2023 · 13 comments

@we1townof

Hello,

For some fingerprint testing, I'm using https://abrahamjuliot.github.io/creepjs/. But if I send more than 100 requests, I get 429:API Access Denied. How can I get around this or give a special permission?

Thanks!

@abrahamjuliot
Owner

Have you tried changing your network? It is likely the network you are on is too hot and has a higher token cost per request.

Most networks are auto-granted 500 tokens hourly, and each request costs 1 token, but you can spend more tokens by switching networks.

We currently do not have a special access setup, but could consider bumping this to 1000 tokens.
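
The hourly budget described in this comment, sketched as a server-side limiter. This is an added example, not CreepJS server code: the 500-token grant and 1-token base cost come from the comment, while `NetworkTokenBudget`, `replay`, the network keys and the 5-token cost for a "hot" network are assumptions made for illustration.

```javascript
// Added illustration of a per-network hourly token budget (not project code).
const HOUR_MS = 60 * 60 * 1000;

class NetworkTokenBudget {
  constructor({ grant = 500, windowMs = HOUR_MS } = {}) {
    this.grant = grant;       // tokens granted per window (500 per the thread)
    this.windowMs = windowMs; // length of one grant window
    this.buckets = new Map(); // networkId -> { tokens, windowStart }
  }

  // Charge `cost` tokens to a network. Returns the HTTP status the API would
  // send: 200 when the budget covers the cost, 429 when it does not.
  spend(networkId, cost, nowMs) {
    let bucket = this.buckets.get(networkId);
    if (!bucket || nowMs - bucket.windowStart >= this.windowMs) {
      // First request from this network, or the hour has rolled over: new grant.
      bucket = { tokens: this.grant, windowStart: nowMs };
      this.buckets.set(networkId, bucket);
    }
    if (cost > bucket.tokens) {
      return { status: 429, remaining: bucket.tokens };
    }
    bucket.tokens -= cost;
    return { status: 200, remaining: bucket.tokens };
  }
}

// Replay `count` evenly spaced requests from one network and report how many
// were accepted and which request (1-based) was the first to be denied.
function replay(budget, networkId, cost, count, startMs, stepMs) {
  let accepted = 0;
  let firstDeniedAt = null;
  for (let i = 0; i < count; i++) {
    const result = budget.spend(networkId, cost, startMs + i * stepMs);
    if (result.status === 200) accepted++;
    else if (firstDeniedAt === null) firstDeniedAt = i + 1;
  }
  return { accepted, firstDeniedAt };
}

// Constructed scenario: one request per second from two networks.
const demoBudget = new NetworkTokenBudget();
console.log(replay(demoBudget, 'net-normal', 1, 600, 0, 1000)); // base cost
console.log(replay(demoBudget, 'net-hot', 5, 150, 0, 1000));    // assumed hot cost
```

With the assumed 5-token cost, the hot network is denied on its 101st request, which is consistent with a 429 appearing after about 100 requests even though the grant is 500.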

@kaliiiiiiiiii

Got the same issue, but only when blocking the cookies:
image

@abrahamjuliot
Owner

Cookies are not considered. If the origin header is blank, that could be the cause.

In the console, there should be an analysis response near the end. If it is marked abuse, there should be an abuse name. I can debug it based on the name. If there is no abuse name, it's probably a missing origin header.

@kaliiiiiiiiii

kaliiiiiiiiii commented Mar 18, 2023

> Cookies are not considered. If the origin header is blank, that could be the cause.
>
> In the console, there should be an analysis response near the end. If it is marked abuse, there should be an abuse name. I can debug it based on the name. If there is no abuse name, it's probably a missing origin header.

```
creep.js:14
DOMException: Failed to register a ServiceWorker for scope ('https://abrahamjuliot.github.io/creepjs/') with script ('https://abrahamjuliot.github.io/creepjs/creep.js'): 
    The user denied permission to use Service Worker.
(anonym) @ creep.js:14
Promise.catch (asynchron)
(anonym) @ creep.js:14
Py @ creep.js:14
YZ @ creep.js:14
await in YZ (asynchron)
Py @ creep.js:293
(anonym) @ creep.js:293
await in (anonym) (asynchron)
(anonym) @ creep.js:537
(anonym) @ creep.js:537
creep.js:293
DOMException: Failed to read the 'sessionStorage' property from 'Window': 
    Access is denied for this document.
at w3 (https://abrahamjuliot.github.io/creepjs/creep.js:293:38856)
at https://abrahamjuliot.github.io/creepjs/creep.js:508:1075
w3 @ creep.js:293
(anonym) @ creep.js:508
Promise.then (asynchron)
(anonym) @ creep.js:503
await in (anonym) (asynchron)
t @ creep.js:1
(anonym) @ creep.js:293
await in (anonym) (asynchron)
(anonym) @ creep.js:537
(anonym) @ creep.js:537
creep.js:520
Error! Failed to read the 'sessionStorage' property from 'Window': 
    Access is denied for this document.
(anonym) @ creep.js:520
Promise.catch (asynchron)
(anonym) @ creep.js:520
await in (anonym) (asynchron)
t @ creep.js:1
(anonym) @ creep.js:293
await in (anonym) (asynchron)
(anonym) @ creep.js:537
(anonym) @ creep.js:537
```

  • Browser: Microsoft-Edge: 111.0.1661.41 (Official Build) (64-Bit)
  • Platform: Windows 10
  • configuration: cookies for abrahamjuliot.github.io blocked

Note: This issue persists ONLY when the cookies are blocked

@abrahamjuliot
Owner

I see. This is not a network error. That is just the prediction API blocked from execution due to no session storage. The code uses session storage to hold samples. I may change that at some point, but it's there for development. You can unpack in the console via...

```
JSON.parse(sessionStorage.samples)
```
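
The failure in the log above comes from the `sessionStorage` getter itself throwing when site data is blocked. The following added example (not CreepJS code) shows one way to guard that access and fall back to memory; `openSampleStore`, `saveSamples`, `loadSamples` and the two stand-in window objects are hypothetical names constructed for this sketch.

```javascript
// Added illustration: sample storage that survives a blocked sessionStorage.
function openSampleStore(win) {
  try {
    // Reading the property is what throws SecurityError when storage is blocked.
    const storage = win.sessionStorage;
    storage.setItem('__probe__', '1'); // also catches quota/disabled cases
    storage.removeItem('__probe__');
    return {
      backend: 'sessionStorage',
      get: (key) => storage.getItem(key),
      set: (key, value) => storage.setItem(key, value),
    };
  } catch (err) {
    const memory = new Map(); // per-page fallback, lost on reload
    return {
      backend: 'memory',
      reason: err.name,
      get: (key) => (memory.has(key) ? memory.get(key) : null),
      set: (key, value) => { memory.set(key, String(value)); },
    };
  }
}

const saveSamples = (store, samples) => store.set('samples', JSON.stringify(samples));
const loadSamples = (store) => {
  const raw = store.get('samples');
  return raw === null ? [] : JSON.parse(raw);
};

// Constructed stand-in for a window whose storage access is denied.
function blockedWindow() {
  return Object.defineProperty({}, 'sessionStorage', {
    get() {
      const err = new Error('Access is denied for this document.');
      err.name = 'SecurityError';
      throw err;
    },
  });
}

// Constructed stand-in for a window with working session storage.
function workingWindow() {
  const data = new Map();
  return { sessionStorage: {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  } };
}
```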

@we1townof
Author

If you're sending too many requests, try changing your IP address. This is how we solved this problem.

@abrahamjuliot
@kaliiiiiiiiii

@abrahamjuliot
Owner

Good tips.

I should note, there are some hidden rate limits, but these are only manually applied if the site is under attack, and are based on server-side analysis rather than networks.

Currently, the only data used to distinguish attack from testing is breaks vs. no breaks in a 24-hour timeframe. 8 hrs with no breaks is fine. If a fingerprint is tagged sus or bad under the analysis section, it means it is being supervised and serviced for testing.

@we1townof
Author

For a few days it was able to be used with the proxy without any problems. But now it cannot be used with proxy. So, do I need to change the computer?

@kaliiiiiiiiii

> For a few days it was able to be used with the proxy without any problems. But now it cannot be used with proxy. So, do I need to change the computer?

Did you try using different browsers? Edge, Chrome, Firefox.. ?

@abrahamjuliot
Owner

Yep, different browser should work.

@abrahamjuliot
Owner

It's likely your hidden browser fingerprint is too hot and unique, and generating too much traffic. The key to getting around this is to blend in with normal traffic or look as real and organic as possible. A high number of proxies and random/fake fingerprints work against this technique. Ideally, you want to be on the latest stable Chrome, Firefox, or WebKit. Custom chromium builds (such as anti-detection software) typically fail to blend in.

@kaliiiiiiiiii

> It's likely your hidden browser fingerprint is too hot and unique, and generating too much traffic. The key to getting around this is to blend in with normal traffic or look as real and organic as possible. A high number of proxies and random/fake fingerprints work against this technique. Ideally, you want to be on the latest stable Chrome, Firefox, or WebKit. Custom chromium builds (such as anti-detection software) typically fail to blend in.

> Good tips.
>
> I should note, there are some hidden rate limits, but these are only manually applied if the site is under attack, and are based on server-side analysis rather than networks.
>
> Currently, the only data used to distinguish attack from testing is breaks vs. no breaks in a 24-hour timeframe. 8 hrs with no breaks is fine. If a fingerprint is tagged sus or bad under the analysis section, it means it is being supervised and serviced for testing.

@abrahamjuliot I just wanna note here, that you provide pretty accurate instructions for a potential attacker

@abrahamjuliot
Owner

LOL, that is true. But new attacks are welcome to give it a try. It's how we improve and learn.
