Disecting Perimeter X Fingerprinting

Working on an account generator for Walmart, I was running into some trouble with Perimeter X. For other sites, I had success with fresh chromium browsers launched with CDP then playwright would connect and inject the scripts I needed to run. That works fine for most of my needs, but their anti-bot was giving me trouble. Naturally, the first thing I did was open dev tools.

I noticed that one of the first requests made was a post request made to this endpoint:

https://collector-pxu6b0qd2s.px-cloud.net/api/v2/collector

As far as abstract naming conventions go, this one is obviously some type of sensor. Following that request, is a sequential one made to perimeter x once again.

https://collector-pxu6b0qd2s.px-client.net/b/g?payload=....

This request failed, so our payload contained something that triggered a challenge. Going back to the collector, I decided to check the initiator and check the call stack. We stop at this block of code where the payload is sent.

try {
    var m = sp(e.postData);
    e[Rn] && (Mu = fi()),
    h.send(m)

Looking at this block here, I suspect that sp(e.postData) is some sort of encoding step right before the payload gets sent. Then visiting the sp function, we see that is just appending a counter parameter and not doing any real encoding, so that likely means that the payload is already encoded by the time that we reach e.postData.

function sp(t) {
    return t += "&" + ma + ++lp
}

I need to see where this data is being encoded so I set an XHR breakpoint on URLs containing collector to get a clean trace. Refreshing the page, we stop at the same h.send(m) line, but the call stack is much clearer now.

Call stack after XHR breakpoint

Up in the call stack, we stop at this line here:

return fp(t, qp(t), cg, og, ng, ag, $p)

zp constructs the object and then passes it to fp, by this point postData is already built in t.

t = {PX561: true, postData: 'payload=aUkQ...', FrON: true, ...}

So this means that we need to go up in the call stack again, this time to (anonymous).

Command dispatcher code

We stop on this ugly chunk of code which looks eerily like a command dispatcher, so we’re getting into some real logic here. We can see that we’re iterating through an array of command objects O, matching on B.t and then calling Mp(t,e) to build the payload for each one. The key line is at the bottom in which zp(X) is called, where X is our object being built through the loop. So at this point, postData is already set on X before zp is called and we need to look at where C is assigned, as that is our encoded payload string.

for (var x = uh(O, Kp), C = x[w(p)]("&")

Deciding next to look into the uh function, we arrive here.

Payload assembly function

Now we’re at the core of the payload assembly function. The top section enriches each data object a.d with additional fingerprint values like our px cookies, session data, etc. All the encoded keys map to fingerprint properties.

This line here, var l, s, f = _o(), h = Qt(st(t), (l = e[yn] I assume serializes the collected fingerprint array t into a string. Zs(t,d) likely encodes the serialized data with the metadata in d, and v becomes the encoded payload blob that gets prepended with ta.

I want to see the raw fingerprint data before encoding so I set a breakpoint here:

}, v = Zs(t, d), m = [ta + v, ea + e[gn], na + e[yn], ra + Ma(),
oa + e[Tn], ia + ch++, va + ih, Ta + bt], p = xa();

and inspect t.

Fingerprint data array

We now see that t is an array of 6 data collection objects where each one has a t and d property.

All of these are base64 encoded and the values are the actual data collected from my browser.

This data isn’t really useable in this format, so we decided to stay paused at the aforementioned line and dump it using this command.

t.forEach((item, i) => console.log(`--- Item ${i} (${item.t}) ---`, JSON.stringify(item.d, null, 2)))

The data obtained with this method had all the values, but a lot of the keys were still obfuscated. Some of these keys could be inferred, while others came from the obfuscated source code. Below you can find an interactive tool that uses a lookup table to decode the keys if youd like to try for yourself. Already in there, is array[1] of my browser fingerprint. Not all keys are present if you decide to decode items 5 and 6 (or 4/5 with a 0 index). Additionally, this is for PX SDK 2.7.7, so these values could very likely change in the future.

{"GwJrAV5razM=": "9a17852f4605a385dc40cec6bdd42770",
  "PkdOBHgoTDQ=": "f1b218478d268063dec4ab19157e27e8",
  "OSwJb3xCB18=": "WebKit",
  "RTg1ewNRNE4=": "WebKit WebGL",
  "JDlUOmFVUAo=": "WebGL 1.0 (OpenGL ES 2.0 Chromium)",
  "S3I7MQ0bPwU=": [
    "ANGLE_instanced_arrays",
    "EXT_blend_minmax",
    "EXT_clip_control",
    "EXT_color_buffer_half_float",
    "EXT_depth_clamp",
    "EXT_disjoint_timer_query",
    "EXT_float_blend",
    "EXT_frag_depth",
    "EXT_polygon_offset_clamp",
    "EXT_shader_texture_lod",
    "EXT_texture_compression_bptc",
    "EXT_texture_compression_rgtc",
    "EXT_texture_filter_anisotropic",
    "EXT_texture_mirror_clamp_to_edge",
    "EXT_sRGB",
    "KHR_parallel_shader_compile",
    "OES_element_index_uint",
    "OES_fbo_render_mipmap",
    "OES_standard_derivatives",
    "OES_texture_float",
    "OES_texture_float_linear",
    "OES_texture_half_float",
    "OES_texture_half_float_linear",
    "OES_vertex_array_object",
    "WEBGL_blend_func_extended",
    "WEBGL_color_buffer_float",
    "WEBGL_compressed_texture_s3tc",
    "WEBGL_compressed_texture_s3tc_srgb",
    "WEBGL_debug_renderer_info",
    "WEBGL_debug_shaders",
    "WEBGL_depth_texture",
    "WEBGL_draw_buffers",
    "WEBGL_lose_context",
    "WEBGL_multi_draw",
    "WEBGL_polygon_mode"
  ],
  "WQwpDxxhKjQ=": [
    "[1, 1]",
    "[1, 1024]",
    8,
    "yes",
    8,
    24,
    8,
    16,
    32,
    16384,
    1024,
    16384,
    16,
    16384,
    30,
    16,
    16,
    4095,
    "[32767, 32767]",
    "no_fp",
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127,
    23,
    127,
    127
  ],
  "ZHkUeiEWFko=": "Google Inc. (NVIDIA)",
  "YQRRBydsUzA=": "ANGLE (NVIDIA, NVIDIA GeForce GTX 1080 Ti (0x00001B06) Direct3D11 vs_5_0 ps_5_0, D3D11)",
  "UTQhdxddJUE=": "WebGL GLSL ES 1.0 (OpenGL ES GLSL ES 1.0 Chromium)",
  "AzpzeUZTdEg=": "96ff435b6ebac2817a4d5bfc475aa8e4",
  "PAFMQnloS3I=": "931fc10c8a3da4140c796dbaf146decc",
  "V04nTRErIng=": "3dd1f983c3209fbae2663671f6e27193",
  "GUxpT1wlaX8=": "dc48534c89e1c5eca8c70c5338a18eea",
  "QltyGAcwdi4=": "[63,63,63,63,0,191,191,191,191,0,191,191,191,191,191,191,191,191,191,127,127,127,127,127,127,127]",
  "AzpzeUVSc0w=": "126.86972438948578",
  "W0IrQR4vLHo=": "2dce8c55c6897067fdf0c76ddf6e6d50",
  "fyZPZTpJTVM=": "67bfe197bce62dde937880b3c32ceebf",
  "Z15XXSI0Um0=": "016beb17dd57a6e446b36265284c0c9c",
  "PkdOBHsqSjY=": [
    "_PXETnJ2Y5H",
    "a0_0x349d",
    "a0_0x3986"
  ],
  "LDFcMmlYWQU=": "9a1f14dbcec17f462191c2f67265e6d9",
  "Nk9GDHMmQzg=": "d41d8cd98f00b204e9800998ecf8427e",
  "bjceNChSHQ4=": 1,
  "WiNqIBxGZRQ=": true,
  "CXx5P0wSdwQ=": true,
  "HmcuZFsIKlc=": false,
  "T3Y/NQkZOQE=": false,
  "PSANY3tIDlk=": true,
  "fEEMAjksAjY=": "missing",
  "UTQhdxRcJEI=": [
    "_pxAppId",
    "_pxJsClientSrc",
    "_pxFirstPartyEnabled",
    "_pxHostUrl",
    "_pxreCaptchaTheme",
    "_PXETnJ2Y5H",
    "_pxUuid",
    "_pxAction",
    "_pxMobile",
    "_u6b0qd2Shandler",
    "_pxInit"
  ],
  "IntSeGQfUUg=": [],
  "BXh1O0AQcQA=": [
    "PDF Viewer::Portable Document Format::application/pdf~pdf::text/pdf~pdf",
    "Chrome PDF Viewer::Portable Document Format::application/pdf~pdf::text/pdf~pdf",
    "Chromium PDF Viewer::Portable Document Format::application/pdf~pdf::text/pdf~pdf",
    "Microsoft Edge PDF Viewer::Portable Document Format::application/pdf~pdf::text/pdf~pdf",
    "WebKit built-in PDF::Portable Document Format::application/pdf~pdf::text/pdf~pdf"
  ],
  "dg8GTDBqCH0=": "1774309832605",
  "T3Y/NQoYOg8=": "TypeError: Cannot read properties of null (reading '0') at Ur (https://client.px-cloud.net/PXu6b0qd2S/main.min.js:2:21459) at func (https://client.px-cloud.net/PXu6b0qd2S/main.min.js:3:115387) at Jt (https://client.px-cloud.net/PXu6b0qd2S/main.min.js:2:12349) at https://client.px-cloud.net/PXu6b0qd2S/main.min.js:4:2447",
  "cypDaTZETFM=": true,
  "DFE8Ekk5PyY=": 33,
  "SB14Xg1zfGo=": "fd7149bbfb316699ef918fa7bb7510a8",
  "LVAdU2s/Gmg=": "d41d8cd98f00b204e9800998ecf8427e",
  "Bz53fUFXdU4=": "fd7149bbfb316699ef918fa7bb7510a8",
  "fEEMAjkoAzY=": 3,
  "Rl92HAA7dS0=": 2560,
  "bRBdEyt7UiA=": 1440,
  "R343PQITMg4=": 2560,
  "XQAtAxhvIjY=": "2560X1440",
  "IntSeGQUXUo=": 32,
  "IxoTGWZ2FCg=": 32,
  "GmMqYF8OL1o=": 1440,
  "Fm8mbFALJVc=": "10207b2f",
  "MktCCHQiTTk=": "en-US",
  "VQglCxBgJzE=": "Win32",
  "Zj8WPCBUFAo=": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36",
  "X0YvRRksIHY=": [
    "en-US",
    "en"
  ],
  "CF04Hk0xPCs=": true,
  "Z15XXSE0Um4=": 8,
  "Nk9GDHAlSTs=": 24,
  "YjsSOCRUHAo=": 420,
  "Y1pTWSUwU2M=": false,
  "MktCCHQvQTo=": "Mon Mar 23 2026 16:50:33 GMT-0700 (Pacific Daylight Time)",
  "IUQRR2ctEnU=": true,
  "Rl92HAA2cic=": "64556c77",
  "eWxJLz8FSxg=": 4294967296,
  "SB14Xg51em4=": "7c5f9724",
  "CzJ7cU5bfkQ=": "d4acbe702b2ce9d7b185cbf0062c8dea",
  "T3Y/NQoeMAE=": null,
  "SB14Xg1yeW4=": "ad21294dc73d2a406f4c9362059e6172",
  "ICBRJmVMVBY=": {
    "wm_cid": "",
    "wm_vtc": "Zy6wbY2Eqn-pkvRNKDccQk"
  },
  "PAFMQnloS3E=": "32446445a6394eddd7b4e9d1706eb090",
  "fEEMAjokCzI=": 3,
  "Zj8WPCBWFw4=": 2536,
  "R343PQEVMQY=": true,
  "CzJ7cU5cdEM=": 1774309858472,
  "X0YvRRkuIXE=": "0be86778-2713-11f1-a1f9-32ad2c4ad4b1",
  "XGFsYhkIbVQ=": "viwZbsaYYWgqNmIm8Yci718Zgk4WSONswDQLGDqkDAJFZqnM5w1JcwGmRN1MM-sWqw-C9S7sNEsERs2Y4m5x_XeKNdasEW6yNPlzqh8DP3dhuGGKZChSaEfQ9eWRXNrrc3_4wDTm-77hw9IhDO_oSM4AZO0iXpBkMKC9Du4=",
  "VGlkahEAZV0=": 91.69999998807907,
  "EXRhN1cbYQw=": false,
  "W0IrQR4tLHQ=": "PX11745",
  "IntSeGQRU0I=": "pxhc",
  "ZRhVGyB3ViE=": false,
  "Jx4XHWJ1ECw=": "46ad399e551839405be5c3ccc4a0c984f619040daaaa78cf03e261c014057389:dszPgPruKlYbrmPuW4idYK8I2R5lIM8Yjm3XovrRq+JrMu17KObuLlPNWu13Wv1TSkpAChroRwo6X1JBIhZgWA==:1000:xChDQIa8tyV6Rgc4xsasztF66M/1e6M+U1V00/Si+93MW5dBNT/k9w8favZX/N1moJQdikTqZjqdosIXEye1oQmgyy2gFVAe8F7UDnP85srh2a7a2zemR2o3Hfyh1iCGe3JFWNExvoja7+S3RisQcOToB0n+9kk12dP25ecYHVGuQ0KxlDbMw+pRUszP7URo1LjrkSTBUA8xNPndd/1eqDrm+ErKb7QURHWbIsPIXnBXPEpWpalyhce9qb8WOkuMapVTCwPXHzKkwNie5bKkRNdWetRAHFX+AjZssqpsWuYMg6Z6EHzjZWEw8Nh05v/iTmpMuDkFK02MutZZf9p/aJ3Xm2RUz3+pJv4GeV/vQgTEhq2Ws3W2xyZYYgDtaZR1dcW0aYKlxvSX10u93cBP0Nhw2mf6kGlQJjWZpTE59ckmSFU7il3ZsijW0OkgcwgxQzBJDSJmzHGU57ueDsOIfhOEReqLp4pTaNjHQCKWn4RNXwYCcBgkfq/qwjadREBX"
}

As I mentioned at the beginning of this post, this fingerprint analysis was a tangent from my goal of automating account creation. I get why anti-bot’s exist, to stop things exactly like this. Without them, sites are susceptible to a variety of malicious attacks. This is expecially important in the age of AI. But on the other hand as you can see, they often rely on extremely agressive fingerprinting tactics and judge whether you are human enough. With privacy focused browser like Brave, or smaller browsers that arent mainstream, sometimes these methods result in false negatives. I worry that they could eventually push the web into a state where only certain browser/OS combos pass these checks.