我一直在用Chromedriver测试Selenium,我注意到一些页面可以检测到你正在使用Selenium,即使根本没有自动化。甚至当我手动使用Chrome通过Selenium和Xephyr浏览时,我经常会看到一个页面说检测到可疑活动。我已经检查了我的用户代理和浏览器指纹,它们都与正常的Chrome浏览器完全相同。

当我在普通的Chrome浏览器中浏览这些网站时,一切都很好,但当我使用Selenium时,我被检测到。

理论上,chromedriver和Chrome在任何web服务器上看起来应该是完全一样的,但不知何故它们可以检测到它。

如果你想要一些测试代码,试试这个:

from pyvirtualdisplay import Display
from selenium import webdriver

display = Display(visible=1, size=(1600, 902))
display.start()
chrome_options = webdriver.ChromeOptions()
chrome_options.add_argument('--disable-extensions')
chrome_options.add_argument('--profile-directory=Default')
chrome_options.add_argument("--incognito")
chrome_options.add_argument("--disable-plugins-discovery");
chrome_options.add_argument("--start-maximized")
driver = webdriver.Chrome(chrome_options=chrome_options)
driver.delete_all_cookies()
driver.set_window_size(800,800)
driver.set_window_position(0,0)
print 'arguments done'
driver.get('http://stubhub.com')

如果你在stubhub周围浏览,你会在一两个请求内被重定向和“阻止”。我一直在研究这个问题,但我不知道他们是如何判断用户正在使用Selenium的。

他们是怎么做到的?

我在Firefox中安装了Selenium IDE插件,当我在普通的Firefox浏览器中只使用附加插件访问stubhub.com时,我被禁止了。

当我使用Fiddler查看来回发送的HTTP请求时,我注意到“假浏览器”的请求经常在响应头中有“无缓存”。

是否有一种方法可以从JavaScript检测我是否在Selenium Webdriver页面中?建议当你在使用网络驱动程序时没有办法检测。但这些证据表明情况并非如此。

该网站将指纹上传到他们的服务器上,但我检查了一下,Selenium的指纹与使用Chrome时的指纹是相同的。

这是他们发送到服务器上的指纹载荷之一:

{"appName":"Netscape","platform":"Linuxx86_64","cookies":1,"syslang":"en-US","userlang":"en-
US","cpu":"","productSub":"20030107","setTimeout":1,"setInterval":1,"plugins":
{"0":"ChromePDFViewer","1":"ShockwaveFlash","2":"WidevineContentDecryptionMo
dule","3":"NativeClient","4":"ChromePDFViewer"},"mimeTypes":
{"0":"application/pdf","1":"ShockwaveFlashapplication/x-shockwave-
flash","2":"FutureSplashPlayerapplication/futuresplash","3":"WidevineContent
DecryptionModuleapplication/x-ppapi-widevine-
cdm","4":"NativeClientExecutableapplication/x-
nacl","5":"PortableNativeClientExecutableapplication/x-
pnacl","6":"PortableDocumentFormatapplication/x-google-chrome-
pdf"},"screen":{"width":1600,"height":900,"colorDepth":24},"fonts":
{"0":"monospace","1":"DejaVuSerif","2":"Georgia","3":"DejaVuSans","4":"Trebu
chetMS","5":"Verdana","6":"AndaleMono","7":"DejaVuSansMono","8":"LiberationM
ono","9":"NimbusMonoL","10":"CourierNew","11":"Courier"}}

它在Selenium和Chrome中是相同的。

vpn只用于一次使用,但在加载第一个页面后就会被检测到。显然,正在运行一些JavaScript代码来检测Selenium。


当前回答

Chromium开发人员最近在2021年增加了第二个无头模式,不再将HeadlessChrome添加到用户代理字符串中。看到https://bugs.chromium.org/p/chromium/issues/detail?id=706008 c36

他们后来在2023年为Chrome 109重命名了该选项-> https://github.com/chromium/chromium/commit/e9c516118e2e1923757ecb13e6d9fff36775d1f4

新的——headless=new标志现在可以让你在新的无头模式下获得Chrome的全部功能,你甚至可以在这个模式下运行Chrome 109及以上版本的扩展。(如果使用Chrome 96到108,使用旧的——headless= Chrome选项。)

用法:(Chrome 109及以上):

options.add_argument("--headless=new")

用法:(Chrome 96到Chrome 108):

options.add_argument("--headless=chrome")

这种新的无头模式使Chrome浏览器像普通模式一样工作,这意味着它们不像旧版无头模式的Chrome浏览器那样容易被检测到。

将其与其他工具(如未检测的chromedriver)结合起来,以最大限度地逃避硒检测。

其他回答

正如我们已经在问题和发布的答案中发现的那样,这里有一个名为“蒸馏网络”的反网络抓取和机器人检测服务。根据该公司CEO的采访:

尽管他们可以创造新的机器人,但我们找到了识别的方法 硒是他们使用的一个工具,所以我们阻止硒不 不管他们在机器人上迭代了多少次。我们现在正在做 使用Python和许多不同的技术。一旦我们发现了规律 从一种机器人中脱颖而出,然后我们对其进行逆向工程 他们使用的技术并将其识别为恶意的。

要了解他们究竟是如何检测硒的,还需要时间和更多的挑战,但目前我们可以肯定地说:

it's not related to the actions you take with Selenium. Once you navigate to the site, you get immediately detected and banned. I've tried to add artificial random delays between actions, take a pause after the page is loaded - nothing helped it's not about browser fingerprint either. I tried it in multiple browsers with clean profiles and not, incognito modes, but nothing helped since, according to the hint in the interview, this was "reverse engineering", I suspect this is done with some JavaScript code being executed in the browser revealing that this is a browser automated via Selenium WebDriver

我决定把它作为一个答案,因为很明显:

当你用chromedriver使用selenium时,网站能检测到吗?

Yes.


Also, I haven't experimented with older Selenium and older browser versions. In theory, there could be something implemented/added to Selenium at a certain point that Distil Networks bot detector currently relies on. Then, if this is the case, we might detect (yeah, let's detect the detector) at what point/version a relevant change was made, look into changelog and changesets and, may be, this could give us more information on where to look and what is it they use to detect a webdriver-powered browser. It's just a theory that needs to be tested.

它适用于一些网站,从导航器中删除属性webdriver

from selenium import webdriver
driver = webdriver.Chrome()
driver.execute_cdp_cmd("Page.addScriptToEvaluateOnNewDocument", {
    "source":
        "const newProto = navigator.__proto__;"
        "delete newProto.webdriver;"
        "navigator.__proto__ = newProto;"
    })

我所要做的就是

my_options = webdriver.ChromeOptions()
my_options.add_argument( '--disable-blink-features=AutomationControlled' )

Some more information to this: This relates to website skyscanner.com. In the past I have been able to scrape it. Yes, it did detect the browser automation and it gave me a captcha to press and hold a button. I used to be able to complete the captcha manually, then search flights and then scrape. But this time around after completing the captcha I get the same captcha again and again, just can't seem to escape from it. I tried some of the most popular suggestions to avoid automation being detected, but they didn't work. Then I found this article which did work, and by process of elimination I found out it only took the option above to get around their browser automation detection. Now I don't even get the captcha and everything else seems to be working normally.

我目前正在运行的版本:

操作系统:Windows 7 64位 win32上的Python 3.8.0 (tags/v3.8.0:fa919fd, 2019-10-14) (MSC v.1916 64位(AMD64)) 浏览器:Chrome版本100.0.4896.60(官方 构建)(64位) 4.1.3硒 ChromeDriver 100.0.4896.60 chromedriver_win32.zip 930ff33ae8babeaa74e0dd1ce1dae7ff

据说Firefox在使用webdriver时设置window.navigator.webdriver === true。这是根据一个旧的规格(例如:archive.org),但我无法在新的附录中找到它,除了一些非常模糊的措辞。

它的测试是在文件fingerprint_test.js中的selenium代码中,其中末尾的注释说“目前仅在firefox中实现”,但我无法通过一些简单的greping识别该方向的任何代码,无论是在当前(41.0.2)firefox发布树中还是在chromium树中。

我还发现了一个关于2015年1月firefox驱动程序b82512999938中指纹识别的旧提交的评论。该代码仍然在昨天从javascript/firefox-driver/extension/content/server.js下载的Selenium GIT-master中,并附有一个链接到当前w3c webdriver规范中措辞略有不同的附录的注释。

除此之外,Erti-Chris Eelmaa给出了一个很好的答案——恼人的window.navigator.webdriver,而且它是只读的。即使你把它的值改为false,它仍然是true。这就是为什么由自动化软件驱动的浏览器仍然可以被检测到。

MDN

该变量由chrome中的——enable-automation标志管理。chromedriver启动Chrome时带有这个标志,Chrome将window.navigator.webdriver设置为true。你可以在这里找到它。您需要添加“排除开关”标志。例如(Go):

package main

import (
    "github.com/tebeka/selenium"
    "github.com/tebeka/selenium/chrome"
)

func main() {

caps := selenium.Capabilities{
    "browserName": "chrome",
}

chromeCaps := chrome.Capabilities{
    Path:            "/path/to/chrome-binary",
    ExcludeSwitches: []string{"enable-automation"},
}
caps.AddChrome(chromeCaps)

wd, err := selenium.NewRemote(caps, fmt.Sprintf("http://localhost:%d/wd/hub", 4444))
}