Puliczek/undetected-chromedriver-bot-detection

Detecting Undetected-Chromedriver: A Security Interview Task

Background

This was my interview take-home task for a security company. I'm publishing it three years later, after the vulnerability has been patched. It demonstrates techniques for browser bot detection.

Task

  • Find a method to detect undetected-chromedriver (an open-source tool)
  • No third-party libraries allowed for bot detection (e.g., BotD, invisible captcha)
  • Exploring the source code of libraries and re-implementing the methods found there is allowed
  • Time limit: 10 days maximum, with no more than 8 hours of implementation time - I returned it the next day, after 3 hours of researching

My Solution

undetected-chromedriver adds objectToInspect and result variables to the global scope of every page.

Based on that, we can detect undetected-chromedriver. See the undetected-chromedriver source code.

I wrote a simple solution:

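// typeof guards: in a browser without these globals, a bare reference would
// throw a ReferenceError instead of reaching the else branch.
if (typeof objectToInspect !== 'undefined' && typeof result !== 'undefined' &&
    objectToInspect === null && Array.isArray(result) && result.includes('Array')) {
    await botDetected()
} else {
    await notDetected()
}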

The method works since version 3.1.0rc1 (Dec 16, 2021) - commit
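The check above depends on reading two globals that exist only in an automated session, and a bare read of an undeclared name throws a ReferenceError in an ordinary browser. The following added example (not code from this repository) contrasts an unguarded read with a guarded probe that also reports which signal matched. The names naiveCheck, guardedCheck and withGlobals are hypothetical, and withGlobals is a constructed stand-in for the injected variables so the block runs outside a browser.

```javascript
// Unguarded form: throws ReferenceError when the globals were never defined,
// so a clean browser crashes the check instead of reporting "not detected".
function naiveCheck() {
  return objectToInspect === null && Array.isArray(result) && result.includes('Array');
}

// Guarded form. Bare identifiers are used on purpose: they resolve both
// window properties and top-level let/const bindings, and the latter are
// not visible as window.<name>.
function guardedCheck() {
  const evidence = { objectToInspectIsNull: false, resultListsArray: false };
  try {
    // typeof is safe on undeclared names; it can still throw for a let/const
    // binding in its temporal dead zone, hence the surrounding try/catch.
    if (typeof objectToInspect !== 'undefined') {
      evidence.objectToInspectIsNull = objectToInspect === null;
    }
    if (typeof result !== 'undefined') {
      evidence.resultListsArray = Array.isArray(result) && result.includes('Array');
    }
  } catch (_) {
    // An unreadable binding is treated as absent.
  }
  // Both signals are required: `result` alone is a common name that a page's
  // own scripts may define.
  return {
    detected: evidence.objectToInspectIsNull && evidence.resultListsArray,
    evidence,
  };
}

// Constructed test helper (assumption): define globals, run fn, then clean up.
function withGlobals(values, fn) {
  Object.assign(globalThis, values);
  try {
    return fn();
  } finally {
    for (const name of Object.keys(values)) delete globalThis[name];
  }
}
```
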

Tests

Tested without any bot on:

  • (Chrome - 107.0.5304.107) My profile - result: Not Detected
  • (Brave - Version 1.45.123 Chromium: 107.0.5304.110) My profile - result: Not Detected
  • (Opera - 92.0.4561.61 - Chromium version:106.0.5249.168) My profile - result: Not Detected
  • (Firefox - 105.0.1) My profile - result: Not Detected
  • (Edge - 107.0.1418.42) My profile - result: Not Detected

Tested with undetected_chromedriver versions: 3.1.6 (newest), 3.1.5, 3.1.3, 3.1.2, 3.1.1, 3.1.0, 3.1.0rc1

  • (headful-Chrome) default profile - result: Bot detected
  • (headless-Chrome) default profile - result: Bot detected
  • (headful-Chrome) different profile - result: Bot detected
  • (headful-Brave) default profile - result: Bot detected

Extra things worth checking

  • undetected-chromedriver runs Chrome with the args --enable_cdp_events --no-sandbox; there should be a way to detect them on the website.
  • Other fingerprinting opportunities:
    • Languages are sorted differently in automated browsers
    • Missing speech voices from Google
    • Bots typically don't use ad blockers
    • Various other fingerprinting techniques

Note

This represents just one day of research on this topic, demonstrating that even a brief investigation can yield effective detection methods for sophisticated browser automation tools.

About

Detecting undetected-chromedriver - (Patched)
