Curated List of Bot / Headless Chrome Detection Tests

v0.6.1 (29th June 2022) 🚀 [Changelog]

This page attempts to detect if you are a Bot or Not. The tests are constantly kept up to date, please check the changelog here.

1. Behavioral Classification
2. More Sources and Links
3. Bot Challenge
4. New Detection Tests
5. Old Detection Tests
6. Datacenter IP Address API
7. Proxy/VPN Detection Tests
8. Http Headers
9. TCP/IP Fingerprint
10. TLS Fingerprint
11. JA3 TLS Fingerprint
12. Browser Fingerprint
13. Canvas Fingerprint
14. WebGL Fingerprint
15. Web Worker
16. Service Worker
17. Browser Data

Behavioral Bot Classification

The test behavioralClassificationScore gives a rating between 0 (Bot) and 1 (Human) based on advanced behavioral heuristics. A score below 0.5 means that you are most likely a bot.

The first score is computed after 1,5 seconds of browsing on this site. Then, the behavioral score is updated after 4 seconds, 7 seconds, 10 seconds and 15 seconds.

Don't worry if you are browsing this page and you are given a score between 0.7 and 1.0, the behavioralClassificationScore consist of 30+ individual classificators and it is normal that there are false positives.

In order to test your bot with a real world problem, your bot has to solve the challenge below.

More Sources/Information

Resources and Sources

1. Kinda outdated (selenium, phantomjs): bot.sannysoft.com and a GitHub repo from early 2019 with similar detection techniques.
2. Headless detection GitHub Repo, last update in 2019
3. Lot of good stuff from here: puppeteer-extra-plugin-stealth
4. Antoine Vastel: antoinevastel.com/bots and a more recent detection page using HTTP Headers and his employers datadome detection page
5. Pretty active GitHub Gist about preventing puppeteer detection
6. Rather new detection method found on GitHub
7. Vastel is detecting puppeteer with HTTP headers in early 2019...
8. hacker news discussion started by Vastel
9. And the response from Evan Sangaline, where he passes the new detection again
10. Rather recent article (February 2020) about Bot Detection 101 principles
11. Very recent (31 January 2021) and powerful bot / headless / puppeteer detection techniques
12. Che Browser, is it any good?
13. SecretAgent, The Web Browser Built for Scraping
14. CanvasBlocker nice Firefox plugin to prevent canvas fingerprinting
15. A very good article from pixelprivacy.com about Browser Fingerprinting

Other Bot Detection Sites

• browserleaks.com (very valuable information)
• pixelscan (quite good and new)
• creepjs (this guy is crazy)
• f.vision (seems to do a very good job)
• whatleaks.com (focuses on proxy detection and the networking detection aspects)

The cats: Anti Bot Companies

The following Anti Bot companies are all using their custom JavaScript detection algorithms.

• Kasada
• Shape Security
• DataDome
• Distil Networks (Acuired)
• Imperva
• Incapsula (Imperva now)
• PerimeterX
• Akamai
• FingerprintJS

• WhiteOps
• ShieldSquare
• F5
• Cloudflare (The End Boss)
• Arkose Labs
• Forter Protection
• reCAPTCHA
• BioCatch

Mouses: Bot/Proxy Companies (Selection)

The following Bot/Proxy companies are either selling bot/scraping or anonymization technology (Proxies, VPN)

• ZenScrape
• Luminati.io / Brightdata
• Oxylabs
• Smartproxy
• Storm Proxies
• scraperapi.com
• scrapingrobot.com

• GeoSurf
• NetNut
• SOAX
• scrapinghub
• PacketStream
• Apify
• scrapingbee.com

---

Bot Challenge

Your bot has to fill out the form below and submit it. Then you are prompted to confirm the pop-up dialoge. After confirmation, you will see a table with basket items and prices. Update the prices of this table and scrape the data as a final step.

Completing all those steps provides enough behaviroal information in order to classify you as BotOrNot.

I maintain a public API to check whether an IP address belongs to a data center IP address range such as Azure, AWS, Digitalocean, Google Cloud Platform and many other cloud providers. Please read the full blog article for more a thorough introduction.

Visit the Proxy/VPN detection Test Page

The Proxy/VPN detection test can be found on a dedicated page because the large test battery would otherwise clog this detection page. Those techniques are:

• Latency Test: Compare ping from browser to server with ping from web server to external IP address
• WebRTC Test: Check if WebRTC leaks the real IP address
• TCP/IP Fingerprint Test: Compare the OS induced from the TCP/IP fingerprint with the OS advertised by the User-Agent
• Open Ports Test: Check if the host connecting to the web server has open ports
• Datacenter IP Test: Check if the IP address belongs to a datacenter
• DNS Leak Test: Check if the DNS server of the client leaks any data
• IP Timezone vs Browser Timezone Test: Compare the IP geolocation timezone with the browser timezone
• HTTP Proxy Headers Test: Look for suspicious proxy headers in the HTTP headers
• And many other tests that are constantly being updated!

Several fields such as TCP Options or TCP Window Size or IP Fragment Flag depend heavily on the OS type and version. Detecting operating systems by analyzing the first incoming SYN packet is surely no exact science, but it's better than nothing.

The TCP/IP fingerprinting API allows you to get your TCP/IP fingerprint. It can be used for various purposes such as: Networking traffic analysis, Malware detection, bot detection, Proxy / VPN detection and so on.

The TLS fingerprinting API allows you to get your TLS fingerprint. It can be used for various purposes such as: Networking traffic analyisis, Malware detection and Bot detection.