7

I'd like to make sure that my website blocks automation tools like Selenium and QTP. Is there a way to do that? What settings on a website would cause Selenium to fail?

KJW
sms169
  • Why would you do that? Since automation tools are made to mimic users, the best way to block them is to unplug your web server, pour concrete on it, and run away. But maybe you have a good reason. – Scharron Jul 24 '10 at 21:41
  • More of a question for Server Fault: if you have a good firewall, limit the number of TCP connections per second (or per X time) per IP or user. There might be an Apache plugin for this as well. – EdH Jul 24 '10 at 21:46
  • I agree with @Scharron - what are you trying to achieve? If somehow you block Selenium/QTP, what's to stop people trying with another tool, or writing their own with `curl`, `wget`, or Apache `HttpClient`? – pdbartlett Jul 24 '10 at 21:56
  • I think the best idea is to make your users use some browser that is not supported by Selenium, and then check the user agent. – IAdapter Jul 25 '10 at 01:00
  • I don't think a hacker would mount a DoS attack with a testing tool. One would rather curl your server in a sh loop; that's far easier. – javadude Jul 26 '10 at 06:51
  • For the record, I think this is a valid question. As tools like Selenium are simple to use, it's possible that a user with little technical knowledge could write a script that violates the site owner's terms. Examples include entering a competition, submitting a vote, commenting, or scraping content. Once a script is written for these, it could easily be run repeatedly. – Dave Hunt Jul 26 '10 at 08:35
  • It's not a valid question; the user could also ask his friends to click for him. If the page is not secured, then blocking Selenium will give you nothing. – IAdapter Jul 27 '10 at 08:25
  • My reason for asking the question is similar to what Dave mentioned. Automated tools like Selenium can be run in a loop, and I wanted to see if there is any way to block that. As long as a human is clicking, it's fine with me. From the answers it seems like a CAPTCHA is the only solution. Thanks much. – sms169 Aug 15 '10 at 17:20
  • I think what he means is how to block automated scripts running on his website. – KJW Nov 10 '11 at 14:32

3 Answers

3

With due consideration to the comments on the original question asking "why on earth would you do this?", you basically need to follow the same strategy that any site uses to verify that a user is actually human. Methods such as requiring users to authenticate, or to enter text from an image (a CAPTCHA), will probably work, but they will likely also block Google's crawlers and everything else.
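
If you go the CAPTCHA route, the token the widget produces has to be checked on the server, or a script can simply skip the widget. A minimal sketch, assuming a Node 18+ backend (for the global fetch) and Google's reCAPTCHA siteverify endpoint; RECAPTCHA_SECRET and captchaToken are placeholder names:

// Verify a reCAPTCHA token server-side before honoring the request.
const RECAPTCHA_SECRET = process.env.RECAPTCHA_SECRET; // your secret key

async function isHuman(captchaToken) {
  const res = await fetch("https://www.google.com/recaptcha/api/siteverify", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      secret: RECAPTCHA_SECRET, // issued when you register the site
      response: captchaToken,   // value the widget injected into the form
    }),
  });
  const data = await res.json();
  return data.success === true; // reject the request when this is false
}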

Doing anything based on user-agent strings or the like is mostly useless, because those are trivial to fake.
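
For example (a sketch using the modern selenium-webdriver Node bindings, which postdate this question; it assumes Chrome and a matching chromedriver on the PATH, and the user-agent string itself is arbitrary), a script can claim to be any browser it likes:

const { Builder } = require("selenium-webdriver");
const chrome = require("selenium-webdriver/chrome");

(async () => {
  // Launch Chrome but report an arbitrary, ordinary-looking user agent,
  // which defeats any server-side user-agent check.
  const options = new chrome.Options().addArguments(
    "--user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"
  );
  const driver = await new Builder()
    .forBrowser("chrome")
    .setChromeOptions(options)
    .build();
  await driver.get("https://example.com/");
  await driver.quit();
})();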

Rate-limiting connections or similar might have limited effectiveness, but it seems likely that you'll inadvertently block legitimate web crawlers too.
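
For completeness, here is a minimal sketch of what per-IP rate limiting could look like, assuming an Express app; the window and limit are illustrative values, and note that a search-engine crawler hits the same ceiling as a bot:

const express = require("express");
const app = express();

const WINDOW_MS = 60 * 1000; // one-minute window
const MAX_HITS = 60;         // allowed requests per IP per window
const hits = new Map();      // ip -> { count, windowStart }

app.use((req, res, next) => {
  const now = Date.now();
  const entry = hits.get(req.ip) || { count: 0, windowStart: now };
  if (now - entry.windowStart > WINDOW_MS) {
    // Window expired: start counting again.
    entry.count = 0;
    entry.windowStart = now;
  }
  entry.count += 1;
  hits.set(req.ip, entry);
  if (entry.count > MAX_HITS) {
    return res.status(429).send("Too many requests");
  }
  next();
});

app.listen(3000);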

Gian
  • I agree with @Gian; the best way to prevent somebody from automating user interaction with your site is to introduce something like a CAPTCHA. http://en.wikipedia.org/wiki/CAPTCHA – Dave Hunt Jul 26 '10 at 08:25
  • Take it to the next level by using reCAPTCHA (http://en.wikipedia.org/wiki/ReCAPTCHA). Then you prevent automated interaction while at the same time helping digitize old books and newspapers! – Aaron Silverman Jul 27 '10 at 18:44
  • I don't think CAPTCHA is the best solution, because CAPTCHAs are very cheap to break. Someone running automated scripts can easily bypass one. If you don't want anyone running automated scripts on your website, the solution is to not have a website in the first place. – KJW Nov 10 '11 at 14:35
  • What a strange suggestion. Your solution to preventing automated access to a website is to not have a website? – Gian Nov 16 '11 at 21:27
3

While this question seems strange, it is a fun one, so I tried to investigate the possibilities.

Besides adding a CAPTCHA, which is the best and ultimately the only real solution, you can block Selenium RC by adding the following JavaScript to your pages (this example redirects to the Google page, but you can do anything you want):

<script>
// Selenium RC loads the application under test inside a frame of its
// RemoteRunner.html test runner, so that name in the parent URL gives it away.
var loc = window.parent.location.toString();
if (loc.indexOf("RemoteRunner.html") != -1) {
  // We are running under Selenium RC, so do something
  document.location = "http://www.google.com";
}
</script>

I do not know how you can block other automation tools, and I am not sure whether this will also block Selenium IDE.
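
As an aside beyond the original answer: browsers driven through the newer WebDriver protocol (which modern Selenium uses) are required by the W3C WebDriver specification to set navigator.webdriver to true, so an analogous client-side check is possible there; like any in-page check, a determined user can simply strip it out:

<script>
// navigator.webdriver is true in a WebDriver-controlled browser
// (and undefined in older browsers, so this check is safe).
if (navigator.webdriver) {
  document.location = "http://www.google.com";
}
</script>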

Sergii Pozharov
-2

To be 100% certain that no automated bots or scripts can be run against your website, don't have a website online. That will meet your requirement with certainty.

CAPTCHAs are easy and cheap to break, thanks to crowdsourcing and OCR methods.

Proxies can be found in the wild for free, or bought in bulk at extremely low cost, so it is likewise useless to limit connection rates or try to detect bots by IP.

One possible approach is, in your application logic, to implement ways of increasing the time and cost of access to the site, such as phone verification or credit card verification. But then your website will never get off the ground, because nobody will trust your site in its infancy.

Solution: do not put your website online and expect to be able to effectively prevent bots and scripts from running.

KJW