Recaptcha 3如何知道我正在使用硒/chromedriver? [英] How does recaptcha 3 know I'm using selenium/chromedriver?
问题描述
我很好奇Recaptcha v3的工作方式.具体来说就是浏览器的指纹.
I'm curious how Recaptcha v3 works. Specifically the browser fingerprinting.
当我通过selenium/chromedriver启动chrome实例并针对ReCaptcha 3进行测试时(
When I launch a instance of chrome through selenium/chromedriver and test against ReCaptcha 3 (https://recaptcha-demo.appspot.com/recaptcha-v3-request-scores.php) I always get a score of 0.1 when using selenium/chromedriver.
在普通实例中使用隐身模式时,我得到0.3.
When using incognito with a normal instance I get 0.3.
我已经击败其他检测系统,方法是注入JS并修改Web驱动程序对象,然后从源代码重新编译WebDriver并修改$ cdc_变量.
I've beaten other detection systems by injecting JS and modifying the web driver object and recompiling webdriver from source and modifying the $cdc_ variables.
我可以看到看起来有些混乱的POST返回到服务器,所以我将开始在那里进行挖掘.
I can see what looks like some obfuscated POST back to the server so I'm going to start digging there.
我只是想检查是否有人愿意首先与它分享任何建议或经验,以决定我是否正在运行selenium/chromedriver?
I just wanted to check if anyone was willing to share any advice or experience with this first about what it may be looking for to determine if I'm running selenium/chromedriver?
推荐答案
reCaptcha
网站可以轻松检测网络流量并将您的程序标识为 BOT . Google 已发布 5(五) reCAPTCHA 在创建新网站时可以选择.其中四个处于活动状态,而 reCAPTCHA v1 正在关闭.
reCaptcha
Websites can easily detect the network traffic and identify your program as a BOT. Google have already released 5(five) reCAPTCHA to choose from when creating a new site. While four of them are active and reCAPTCHA v1 being shutdown.
- reCAPTCHA v3 (使用分数验证请求):reCAPTCHA v3允许您在没有任何用户交互的情况下验证交互是否合法.它是一个纯JavaScript API,可返回分数,使您能够在网站的上下文中采取措施:例如,需要其他身份验证因素,发送帖子以进行审核或限制可能抓取内容的漫游器.
- reCAPTCHA v2 -我不是机器人"复选框:我不是机器人"复选框要求用户单击一个指示用户的复选框不是机器人.这将立即使用户(没有CAPTCHA)通过,或者要求他们验证他们是否是人类.这是与之集成的最简单的选项,只需要两行HTML即可呈现该复选框.
- reCAPTCHA v3 (verify requests with a score): reCAPTCHA v3 allows you to verify if an interaction is legitimate without any user interaction. It is a pure JavaScript API returning a score, giving you the ability to take action in the context of your site: for instance requiring additional factors of authentication, sending a post to moderation, or throttling bots that may be scraping content.
- reCAPTCHA v2 - "I'm not a robot" Checkbox: The "I'm not a robot" Checkbox requires the user to click a checkbox indicating the user is not a robot. This will either pass the user immediately (with No CAPTCHA) or challenge them to validate whether or not they are human. This is the simplest option to integrate with and only requires two lines of HTML to render the checkbox.
- reCAPTCHA v2 -不可见的reCAPTCHA徽章:不可见的reCAPTCHA徽章不需要用户单击复选框,而是在用户单击网站上现有的按钮,也可以通过JavaScript API调用来调用. reCAPTCHA验证完成后,集成需要JavaScript回调.默认情况下,只会提示最可疑的流量来解决验证码.要更改此行为,请在高级设置下编辑您的站点安全首选项.
- reCAPTCHA v2 - Invisible reCAPTCHA badge: The invisible reCAPTCHA badge does not require the user to click on a checkbox, instead it is invoked directly when the user clicks on an existing button on your site or can be invoked via a JavaScript API call. The integration requires a JavaScript callback when reCAPTCHA verification is complete. By default only the most suspicious traffic will be prompted to solve a captcha. To alter this behavior edit your site security preference under advanced settings.
- reCAPTCHA v2 - Android :reCAPTCHA Android库是Google Play服务SafetyNet API的一部分.该库提供了本机Android API,您可以将它们直接集成到应用程序中.您应该在应用中设置Google Play服务,并连接到GoogleApiClient,然后再调用reCAPTCHA API.这将立即使用户通过(没有CAPTCHA提示),或者要求用户验证他们是否是人类.
- reCAPTCHA v1 :reCAPTCHA v1自2018年3月以来已关闭.
- reCAPTCHA v2 - Android: The reCAPTCHA Android library is part of the Google Play services SafetyNet APIs. This library provides native Android APIs that you can integrate directly into an app. You should set up Google Play services in your app and connect to the GoogleApiClient before invoking the reCAPTCHA API. This will either pass the user through immediately (without a CAPTCHA prompt) or challenge them to validate whether they are human.
- reCAPTCHA v1: reCAPTCHA v1 has been shut down since March 2018.
但是,有一些通用的方法可以避免在抓取网页时被检测到
However there are some generic approaches to avoid getting detected while web-scraping:
- 网站可以通过您的监视器大小来确定您的脚本/程序的首要属性.因此,建议不使用常规的视口.
- 如果您需要向网站发送多个请求,请继续对每个请求更改用户代理.在这里,您可以找到有关方法的详细讨论.更改Selenium中的Google Chrome用户代理?
- 要模拟类似的行为,您甚至可能需要降低脚本执行速度,甚至超出如何休眠Webdriver的详细讨论python中的毫秒数
- The first and foremost attribute a website can determine your script/program is through your monitor size. So it is recommended not to use the conventional Viewport.
- If you need to send multiple requests to a website keep on changing the User Agent on each request. Here you can find a detailed discussion on Way to change Google Chrome user agent in Selenium?
- To simulate human like behavior you may require to slow down the script execution even beyond WebDriverWait and expected_conditions inducing
time.sleep(secs). Here you can find a detailed discussion on How to sleep webdriver in python for milliseconds
一些值得深思的地方:
- Selenium webdriver: Modifying navigator.webdriver flag to prevent selenium detection
- Unable to use Selenium to automate Chase site login
- Confidence Score of the request using reCAPTCHA v3 API
这篇关于Recaptcha 3如何知道我正在使用硒/chromedriver?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
