Let's say I have element A and an element B. I've fired up Selenium or PhantomJS, which also has the capability to move the mouse via coordinate sets.

I locate the shape of element A (a link) and element B (a submit button). I draw a bezier curve or transform a pre-recorded human mouse movement to go from element A to element B.

My intuition is that mouseMove() simply "teleports" the cursor to that coordinate set. How is this different than actually using a mouse?

If I track users' mouse movements on my site, will I be able to tell, assuming they use sophisticated movement curves, that they are using an automation tool?

dsp_099
  • Selenium merely simulates mouse inputs using JavaScript. – Thibstars Sep 26 '16 at 08:43
  • Good question. Are you trying to prevent bots from accessing your website? Maybe tracking the times of requests sent to your server is an option also. In general bots should "click-through" (or input) a webpage much faster than a human user would. – JDelorean Sep 26 '16 at 08:49
  • Related, but kind of from a different perspective: [Human-like mouse movements via Selenium](http://stackoverflow.com/questions/39422453/human-like-mouse-movements-via-selenium). – alecxe Sep 29 '16 at 22:40

1 Answer

From my experience, if you track the mouse from JS and a bot simply uses Selenium to move the mouse pointer without "sophisticated movement curves", the answer is yes.

But if the 'bot' is specifically designed to create "sophisticated movement curves" or, for example, "replay a recorded movement data set", I think you cannot. (Similar question also with negative answer).

So you can only devise a "heuristic solution", not a perfect one. If that is what you want, I can try to give you some ideas. Otherwise, if you can follow other paths, I would advise some sort of Selenium detection or CAPTCHA.

Mirko Conti
  • I'm very curious about selenium detection. Captcha is not an option in my case I'm afraid. – dsp_099 Oct 01 '16 at 05:43
  • I'm interested in any and all ideas you might have on how to catch VERY sophisticated botters. I'm defending against zombie bnets here – dsp_099 Oct 01 '16 at 05:55
  • First, I need some further information: are you sure the botnet uses just Selenium? What does your website do? Or, more precisely, what does the botnet do on your website? We could also try to match the 'behavior' of those machines or fingerprint them. – Mirko Conti Oct 01 '16 at 09:04
  • I pulled some strings through a friend of a friend to run a little test to see how many I could detect using third party tools. Out of 12,000 hits only 18.8% were recognized as bots by an industry-leading firm. I want to increase this number. I visited the site using PhantomJS of my own and it didn't block me or make me solve a captcha. I'd like the traffic to flow through uninterrupted. The breakdown looked like this: http://i.imgur.com/IyY4s8F.png so it's safe to say the net (not that I can confirm or deny that) used Chromes only. The other 0.2% or whatever is me because I use Opera :) – dsp_099 Oct 01 '16 at 10:12
  • Ok. Interesting research but nasty situation, considering that what you ask (bot detection) is one of the main problems of the web security world. Anyway, some time ago there was a way to detect Firefox (but not Chrome, from what I remember), but that is not your case. I don't have a direct algorithm to detect Selenium / PhantomJS, but my main idea is to use the trial of some already existing service, like this one http://www.distilnetworks.com/block-bot-detection/ (it looks very promising), look at the code they use (client side) and reverse it! – Mirko Conti Oct 01 '16 at 11:17
  • From what I understood they do not fingerprint the clients but use JS to detect the use of a webdriver (maybe with machine learning given a big set of data). – Mirko Conti Oct 01 '16 at 11:17
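
The heuristic approach discussed in the answer, as an added example that is not part of the original thread: a scorer for a pointer trace recorded before a click, flagging "teleported" cursors, ruler-straight paths and machine-paced event timing. The function name, flag names, thresholds and sample traces are all assumptions made for this sketch; as the answer notes, a replayed human recording would not trip checks like these.

```javascript
// Added example: heuristic flags for a pointer trace recorded before a click.
// A trace is an array of {x, y, t} samples (t in ms), e.g. collected in the
// browser with document.addEventListener('mousemove', e =>
//   trace.push({x: e.clientX, y: e.clientY, t: performance.now()})).
// All thresholds are assumptions to tune against your own traffic.
const MIN_SAMPLES = 5;        // fewer moves than this before a click
const MAX_JUMP_PX = 300;      // single step longer than this: cursor "teleported"
const STRAIGHTNESS = 1.002;   // path length / chord length below this: ruler-straight
const MIN_DT_STDDEV_MS = 0.5; // timing jitter below this: machine-paced events

function analyzeTrace(trace) {
  const flags = [];
  if (trace.length < MIN_SAMPLES) flags.push('too-few-samples');
  if (trace.length < 2) return flags;
  let pathLen = 0, maxJump = 0;
  const dts = [];
  for (let i = 1; i < trace.length; i++) {
    const step = Math.hypot(trace[i].x - trace[i - 1].x, trace[i].y - trace[i - 1].y);
    pathLen += step;
    maxJump = Math.max(maxJump, step);
    dts.push(trace[i].t - trace[i - 1].t);
  }
  if (maxJump > MAX_JUMP_PX) flags.push('large-jump');
  if (trace.length >= MIN_SAMPLES) {
    // Shape and timing statistics only mean something with enough samples.
    const first = trace[0], last = trace[trace.length - 1];
    const chord = Math.hypot(last.x - first.x, last.y - first.y);
    if (chord > 50 && pathLen / chord < STRAIGHTNESS) flags.push('straight-line');
    const mean = dts.reduce((a, b) => a + b, 0) / dts.length;
    const sd = Math.sqrt(dts.reduce((a, b) => a + (b - mean) ** 2, 0) / dts.length);
    if (sd < MIN_DT_STDDEV_MS) flags.push('uniform-timing');
  }
  return flags;
}

// Constructed sample traces (not real traffic).
const teleport = [{ x: 10, y: 10, t: 0 }, { x: 640, y: 480, t: 3 }];
const linear = Array.from({ length: 20 }, (_, i) =>
  ({ x: 10 + i * 20, y: 10 + i * 10, t: i * 16 }));
// Curved path with uneven timing, standing in for a hand-moved (or replayed) mouse.
const curved = Array.from({ length: 20 }, (_, i) =>
  ({ x: 10 + i * 20, y: 10 + Math.round(60 * Math.sin(i / 6)), t: i * 16 + (i * 7) % 11 }));

console.log(analyzeTrace(teleport), analyzeTrace(linear), analyzeTrace(curved));
```

An empty flag list only means the trace did not trip these particular checks, so treat the output as one signal to combine with others such as request timing.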