Skip to content

[BUG] Doesn't pass bot detection tests #46

Description

@bytedash-dev

https://pixelscan.net/bot-check

Image

https://www.browserscan.net/bot-detection

Image

To Reproduce

using var playwright = await Playwright.CreateAsync();
await using var browser = await playwright.Chromium.LaunchAsync(new BrowserTypeLaunchOptions
{
    Headless = false, // disable headless so that the website is visible
    Args = PlaywrightStealthExtensions.StealthArgs
});

var context = await browser.NewContextAsync();

var stealthConfig = new StealthConfig
{
    NavigatorHardwareConcurrency = 18 // let's spoof the hardware concurrency
    ChromeLoadTimes = false // need to disable this evasion for reasons explained below
};

// Apply stealth before creating pages.
await context.ApplyStealthAsync(stealthConfig);

var page = await context.NewPageAsync();
await page.GotoAsync("https://www.browserscan.net/bot-detection");
await page.PauseAsync();

ChromeLoadTimes has to be set to false because in the file chrome.load.times.js, on line 14 throws an error when viewed with headless == false thus exiting early effectively disabling all other evasions. When all evasions are disabled, the browser will pass anti-bots tests since there isn't any tampering/spoofing taking place giving a false sense of security. Since there isn't any tampering, the anti-bots are looking directly at the browser's original properties and will therefore be fingerprinted.

// That means we're running headful and don't need to mock anything
if ('loadTimes' in window.chrome) {
throw new Error('skipping chrome loadtimes update, running in headfull mode')
}

Expected behavior

Should pass anti-bots tests (anti-bot should not be able to tell if the browser is a bot) and evade detection.

Environment

  • ManagedCode.Playwright.Stealth Version: 1.0.0
  • Microsoft.Playwright Version: 1.58.0 and 1.60.0
  • .NET Version: 10
  • OS: Windows 11
  • Browser: Chromium and Chrome
  • Headless: false

Additional context

The moment an evasion technique is enabled (not only hardwareConcurrency), anti-bots are able to detect tampering and flag the browser as bot.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions