This was my interview take-home task for a security company. I'm publishing it three years later, after the vulnerability has been patched. It demonstrates techniques for browser bot detection.
Task
- Find a method to detect undetected-chromedriver (an open-source tool)
- No third-party libraries allowed for bot detection (e.g., BotD, invisible captcha)
- Exploring the source code of libraries and implementing the methods found there yourself is allowed
- Time limit: 10 days maximum, with no more than 8 hours of implementation time - I returned it the next day, after 3 hours of research
My Solution
undetected-chromedriver adds objectToInspect and result variables to the global scope of every page.
Based on that, we can detect undetected-chromedriver. See the undetected-chromedriver source code.
I wrote a simple solution:
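```javascript
// objectToInspect and result are the globals left behind by undetected-chromedriver.
// The typeof guards avoid a ReferenceError in browsers where they are not defined.
if (typeof objectToInspect !== 'undefined' && typeof result !== 'undefined' &&
    objectToInspect === null && Array.isArray(result) && result.includes('Array')) {
  await botDetected()
} else {
  await notDetected()
}
```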
The method works since version 3.1.0rc1 (Dec 16, 2021) - commit
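A guarded version of the check above, as an added example that is not the author's or the project's code: it reads the two globals without throwing in a clean browser and adds a second test on the contents of result, so an unrelated page global named result is not enough on its own. EXPECTED_NAMES, readLeakedGlobals, classifyLeak and constructedWalk are hypothetical names, and the idea that result holds property names collected from window and its prototype chain is an assumption inferred from the page's check.

```javascript
// Names on the page: objectToInspect, result. Everything else is hypothetical.
// Assumption: a walk of window and its prototype chain collects all of these.
const EXPECTED_NAMES = ['Array', 'Promise', 'Symbol', 'constructor', 'hasOwnProperty'];

// Read both globals without throwing. Bare identifiers (not window.x) also
// see top-level let/const bindings, which are not properties of window.
function readLeakedGlobals() {
  return {
    inspectIsNull: typeof objectToInspect === 'object' && objectToInspect === null,
    names: typeof result !== 'undefined' && Array.isArray(result) ? result : null,
  };
}

function classifyLeak(state = readLeakedGlobals()) {
  const { inspectIsNull, names } = state;
  // Same condition as the page's check.
  const matchesPageCheck = inspectIsNull && names !== null && names.includes('Array');
  // Added guard: only strings, and every expected name is present.
  const missing = matchesPageCheck
    ? EXPECTED_NAMES.filter((n) => !names.includes(n))
    : EXPECTED_NAMES.slice();
  const walkConfirmed = matchesPageCheck && missing.length === 0 &&
    names.every((n) => typeof n === 'string');
  return { matchesPageCheck, walkConfirmed, missing };
}

// Constructed sample data: names gathered from an object and its prototype chain.
function constructedWalk(root = globalThis) {
  let names = [];
  for (let o = root; o !== null; o = Object.getPrototypeOf(o)) {
    names = names.concat(Object.getOwnPropertyNames(o));
  }
  return names;
}

// Constructed states: clean browser, unrelated page globals, leaked walk.
const SAMPLES = {
  clean: { inspectIsNull: false, names: null },
  unrelated: { inspectIsNull: true, names: ['Array', 'rows'] },
  leaked: { inspectIsNull: true, names: constructedWalk() },
};

for (const [label, state] of Object.entries(SAMPLES)) {
  console.log(label, classifyLeak(state));
}
```

Treat matchesPageCheck alone as a weaker signal than walkConfirmed when combining it with other fingerprinting results.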
Tests
Tested without any bot on:
- (Chrome - 107.0.5304.107) My profile - result: Not Detected
- (Brave - Version 1.45.123 Chromium: 107.0.5304.110) My profile - result: Not Detected
- (Opera - 92.0.4561.61 - Chromium version:106.0.5249.168) My profile - result: Not Detected
- (Firefox - 105.0.1) My profile - result: Not Detected
- (Edge - 107.0.1418.42) My profile - result: Not Detected
Tested with undetected_chromedriver version: 3.1.6 (newest), 3.1.5, 3.1.3, 3.1.2, 3.1.1, 3.1.0, 3.1.0rc1
- (headful-Chrome) default profile - result: Bot detected
- (headless-Chrome) default profile - result: Bot detected
- (headful-Chrome) different profile - result: Bot detected
- (headful-Brave) default profile - result: Bot detected
Extra things worth checking
- undetected-chromedriver runs Chrome with the args --enable_cdp_events and --no-sandbox; there should be a way to detect them on the website.
- Other fingerprinting opportunities:
  - Languages are sorted differently in automated browsers
  - Missing speech voices from Google
  - Bots typically don't use ad blockers
  - Various other fingerprinting techniques
Note
This represents just one day of research on this topic, demonstrating that even a brief investigation can yield effective detection methods for sophisticated browser automation tools.