Selenium Webdriver is detectable

Question

I read everywhere that it is not possible for websites to detect that a user is using a selenium webdriver... but why?

For example the webdriver plugin in firefox adds an 'webdriver attribute' to the <html> element. So the <html>... goes to <html webdriver="true">...

I am confused... why it is not possible to detect the webdriver?

I wrote a little Javascript to get the document.outerHTML... and there is the webdriver attribute! = detected!?

Here is my code I tested in Browser with Webdriver and without:

<html>
<head>
  <script type="text/javascript">
  <!--
    function showWindow(){
      javascript:(alert(document.documentElement.outerHTML));
    }
  //-->
  </script>
</head>
<body>
  <form>
    <input type="button" value="Show outerHTML" onclick="showWindow()">
  </form>
</body>
</html>

Please can somebody explain me why it is not possible to detect the Webdriver?

Answer 1

Yes, Selenium can be detected. Bot detection evolves frequently so I wrote an updated article to explain how (headless) Chrome (even when modified) instrumented with Selenium can be detected as of June 2024.

Testing the presence of the HeadlessChrome substring in the user agent and verifying the value of navigator.webdriver is still helpful against bots that don't modify too much their fingerprint.

Otherwise, there is a new detection techniques that aims to detect CDP automation (Chrome devtool protocol) used by instrumentation frameworks like Selenium.

The new test looks as follows:

var cdpDetected = false;
var e = new Error();
Object.defineProperty(e, 'stack', {
   get() {
    cdpDetected = true;
   }
});

// This is part of the detection, the console.log shouldn't be removed!
console.log(e);

if (cdpDetected) {
    isBot = true;
}

Answer 2

Yes selenium is detectable.check Can a website detect when you are using selenium with chromedriver? If some one is using Firefox driver for automation then it is easy to detect if you put this code at your client side

        try{
        if(window.document.documentElement.getAttribute("webdriver"))
            alert("Caught in 1st case :- Selenium Webdriver is banned!!!");
        }
        catch(Exception){}
        try{
        if(navigator.webdriver)
            alert("Caught in 2nd case :- Selenium Webdriver is banned!!!");
        }
        catch(Exception){}`

But same code doesnt help if you are using chrome or IE driver.

Answer 3

The W3C draft spec states in Appendix E that drivers should provide a mechanism for fingerprinting that a browser is being driven by WebDriver. At the moment, no implementations comply with this section of the spec. The Firefox driver currently comes closest, adding an attribute to the html tag. Future versions and drivers of other browsers will likely implement methods of detection in line with the specification.

Answer 4

I'd have to side with SiKing in that whatever addon you're using isn't part of the actual Selenium tools. Can you post a link to your addon? Maybe that would shed some more light.

Generally speaking, WebDriver simply automates the usage of a browser with the intent of replicating the actions of a human user as closely as possible. This, in and of itself, will be invisible to the server. Unless you're altering your browser's user agent, there would be nothing for the server to easily see to indicate any sort of automation in use.

However, while I've only recently begun studying this, repeated automated usages of an application may present patterns in server logs that could be far more consistent than a human user as far as interactions with an application. If you're using Selenium to scrape a site, for example, you could be leaving some fingerprints just due to the nature of an automated session. Things like extremely consistent click, inputs, page requests, etc. could be forming noticeable log patterns that could potentially expose automation.

Now, unless you're generating a lot of traffic or a lot of repetitive actions on the system, you're unlikely to be noticed. It would take something generating fairly abnormal in the logs, or a very observant sysadmin to trigger any sort of manual investigation... and even then, someone would have to know what to look for to make an accurate determination.