ubdem
Offline browser fingerprinting analyzer with Ed25519 + HMAC signed evidence
v1.0.1
Linux
Quick Start
Install via jcli
```sh
jcli install ubdem
```
Scan
```sh
# Single file
ubdem scan suspect.js
# HAR (network capture)
ubdem scan capture.har --output json
# Recursive (parallel via rayon)
ubdem scan ./bundles/ --directory --output markdown
# Add a custom rule pack alongside the vendored set
ubdem --rules-file my-rules.json scan suspect.js
# Defensive — verify someone else's evidence
ubdem evidence verify report.signed.json
```
What it does
UBDEM is an offline static analyzer. It reads JS / HTML / HAR bytes, runs them through a curated rule registry, and emits findings classified into three tiers. No browser, no MITM, no network. The Rust v1.0 port is a clean rewrite of the Python tool with five improvements:
- Dual-signed evidence — HMAC-SHA256 (compatible with the Python schema) plus a new Ed25519 detached signature. The HMAC is fast and local; the Ed25519 is transferable (recipient verifies with the analyst's public key — no shared secret).
- Rayon-parallel directory walk — Python ran single-threaded; a 10k-file repo now parallelises across cores.
- IoC pivot URLs — when a finding's matched snippet contains a known tracker / fingerprinting service domain, the report emits URLscan, VirusTotal, and abuse.ch ThreatFox pre-formatted search URLs.
- External rule pack loader — --rules-file path.json merges blue-team-authored rules into the vendored set without recompiling. Rules with an existing id are replaced; new ones appended.
- Worst-tier exit codes — exit 0 (clean) / 1 (SUSPICIOUS present) / 2 (CLEAR_HOSTILE present), so a CI gate can fail on the worst tier seen.
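The rule-registry, pack-merge and exit-code behaviour described above, as an added illustration that is not UBDEM's own code: a miniature scanner in JavaScript (the language of the sources the tool reads). Rule ids, patterns, the sample "files", the blue-team pack and the lowest tier name INFO are all constructed here; the README only names the SUSPICIOUS and CLEAR_HOSTILE tiers. The third sample also shows the static blind spot the Honest limits section describes: a runtime-assembled member name produces no finding.

```javascript
// Added example (not UBDEM's code): rule registry, --rules-file merge semantics
// and worst-tier exit code, in the shape the README describes.

// Tier rank doubles as the process exit code: 0 clean, 1 SUSPICIOUS, 2 CLEAR_HOSTILE.
// "INFO" is an assumed name for the lowest tier; the README names only the top two.
const TIER_RANK = { INFO: 0, SUSPICIOUS: 1, CLEAR_HOSTILE: 2 };

// Stand-in for the vendored rule set (constructed, not UBDEM's real rules).
const vendoredRules = [
  { id: "canvas-readback", tier: "SUSPICIOUS", pattern: /\.toDataURL\s*\(/,
    why: "Canvas pixel readback after drawing text is a classic fingerprinting primitive" },
  { id: "webgl-renderer-probe", tier: "SUSPICIOUS", pattern: /UNMASKED_RENDERER_WEBGL/,
    why: "Reads the GPU model string via WEBGL_debug_renderer_info" },
  { id: "hw-concurrency", tier: "INFO", pattern: /navigator\.hardwareConcurrency/,
    why: "Low-entropy signal; only meaningful in combination with others" },
];

// --rules-file semantics from the README: an existing id is replaced in place,
// a new id is appended. Map keeps insertion order, which gives exactly that.
function mergeRules(base, extra) {
  const byId = new Map(base.map((r) => [r.id, r]));
  for (const r of extra) byId.set(r.id, r);
  return [...byId.values()];
}

// Run every rule over one source; at most one finding per rule.
function scanSource(name, text, rules) {
  const findings = [];
  for (const rule of rules) {
    const m = rule.pattern.exec(text); // patterns carry no /g flag, so exec is stateless
    if (m) findings.push({ source: name, rule: rule.id, tier: rule.tier, snippet: m[0] });
  }
  return findings;
}

// Highest tier rank seen across all findings, i.e. the CI exit code.
function exitCodeFor(findings) {
  return findings.reduce((worst, f) => Math.max(worst, TIER_RANK[f.tier]), 0);
}

// Scan a map of name -> source text (stands in for the directory walk).
function scanAll(sources, rules) {
  const findings = Object.entries(sources).flatMap(([n, t]) => scanSource(n, t, rules));
  return { findings, exitCode: exitCodeFor(findings) };
}

// Constructed sample "files".
const SAMPLES = {
  "tracker.js": "const c=document.createElement('canvas');c.getContext('2d').fillText('fp',2,2);beacon(c.toDataURL());",
  "benign.js": "workers = navigator.hardwareConcurrency || 2;",
  // Runtime-assembled member name: a static regex never sees 'toDataURL',
  // which is the blind spot the README's Honest limits section describes.
  "assembled.js": "const m='toData'+'URL';beacon(c[m]());",
};

// Constructed blue-team pack: escalates one vendored id and adds a new one.
const BLUE_PACK = [
  { id: "canvas-readback", tier: "CLEAR_HOSTILE", pattern: /\.toDataURL\s*\(/,
    why: "Escalated by the blue team after confirmed abuse in this environment" },
  { id: "audio-oscillator", tier: "SUSPICIOUS", pattern: /createOscillator\s*\(/,
    why: "AudioContext oscillator rendering is a known fingerprinting vector" },
];

const demoRun = scanAll(SAMPLES, mergeRules(vendoredRules, BLUE_PACK));
console.log(JSON.stringify(demoRun.findings, null, 2));
console.log("worst tier -> exit code", demoRun.exitCode);
```

With the vendored set alone tracker.js exits 1; after the pack replaces canvas-readback with a CLEAR_HOSTILE version the same file exits 2, benign.js stays at 0 because INFO does not raise the exit code, and assembled.js produces no finding at all.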
Subcommands
| Command | What it does |
|---|---|
| scan <PATH> | Scan a file or directory; emit findings per source |
| rules list / show <ID> / categories | Inspect the rule registry |
| evidence make <PATH> | Build a signed forensic record (HMAC + Ed25519) |
| evidence verify <FILE> | Verify a signed record; reports both signatures |
| db list / stats / purge / check | Query / maintain the local SQLite threat database |
| report <PATH> | Render the scan output as a markdown report |
Honest limits
UBDEM is a static analyzer. It will miss heavily obfuscated, eval-based, or runtime-assembled fingerprinting code. Per-rule evasion notes are printed by ubdem rules show <id>. Real-world detection hovers around 60% for obvious threats. The output is evidence, not a verdict: the tool produces findings; the analyst decides what they mean.