dsekz 4 days ago

In its current state, the protections are pretty weak. I’m sure they’ll update it, and we’ll see what changes they bring. If this header is meant to serve as an anti-bot measure, then there’s a lot more work they need to do both on the JS and WASM sides. On top of that, processing fingerprint data on the backend, like building user/fingerprint profiles, analyzing detailed browser, device and low-level connection info, and using AI to spot patterns, makes the system a lot more complex. However, based on the current implementation, I anticipate they’ll likely stick to a relatively simplistic approach.

Raed667 4 days ago

So the encryption is pretty much hardcoded, making it more like an "obfuscation"?

  • dsekz 4 days ago

    You’re right. In this case, just knowing the guest_id is enough to break down the header. Twitter’s main goal here is mostly to obfuscate the data and make the reverse engineering process more painful.

    • seventh12 4 days ago

      Reversing will always win