Keywords: Selenium | WebDriver | navigator.webdriver
Abstract: This paper explores techniques for modifying the navigator.webdriver flag in Selenium WebDriver to avoid detection by websites during web automation. Based on high-scoring answers from Stack Overflow, it analyzes the NavigatorAutomationInformation interface in the W3C specification and provides practical methods, including ChromeOptions parameters, execute_cdp_cmd commands, and JavaScript injection. Through code examples and theoretical explanations, the paper aims to help developers understand automation detection mechanisms and achieve more stealthy browser automation.
In web automation testing, Selenium WebDriver is a widely used tool, but many websites detect automated browsers and block requests. This is often achieved by checking the navigator.webdriver flag, which is defined in the W3C WebDriver specification to indicate whether the browser is under remote control. Based on best practices from the technical community, this paper discusses how to modify this flag to evade detection.
W3C Specification and Detection Mechanisms
According to the W3C Editor's Draft, the NavigatorAutomationInformation interface defines the webdriver property, which returns true when the webdriver-active flag is set, indicating automated control. This provides a standardized means for websites to detect automation. For example, in Selenium-driven Chrome, navigator.webdriver defaults to true, allowing sites to identify automated sessions via JavaScript checks.
Methods to Modify navigator.webdriver
Several methods can modify the navigator.webdriver flag to prevent detection. Below are key strategies, primarily for Python Selenium clients, with principles applicable to other languages.
Using ChromeOptions Parameters
By adding specific arguments via ChromeOptions, automation features can be disabled at browser startup. For instance, the --disable-blink-features=AutomationControlled argument prevents navigator.webdriver from showing as true. Example code:
from selenium import webdriver
options = webdriver.ChromeOptions()
options.add_argument('--disable-blink-features=AutomationControlled')
driver = webdriver.Chrome(options=options, executable_path=r'C:\WebDrivers\chromedriver.exe')
driver.get("https://www.website.com")Additionally, excluding the enable-automation switch and turning off useAutomationExtension can further reduce detection risks:
options.add_experimental_option("excludeSwitches", ["enable-automation"])
options.add_experimental_option('useAutomationExtension', False)Via execute_cdp_cmd Commands
Selenium provides the execute_cdp_cmd method, allowing execution of Chrome DevTools Protocol commands. This can dynamically modify the user agent or inject JavaScript to alter navigator.webdriver. For example, setting navigator.webdriver to undefined:
driver.execute_script("Object.defineProperty(navigator, 'webdriver', {get: () => undefined})")Simultaneously, the user agent can be overridden to mimic a regular browser:
driver.execute_cdp_cmd('Network.setUserAgentOverride', {
"userAgent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.53 Safari/537.36'
})Comprehensive Code Example
Combining the above methods, a complete Python example aims to maximize stealth:
from selenium import webdriver
options = webdriver.ChromeOptions()
options.add_argument("start-maximized")
options.add_experimental_option("excludeSwitches", ["enable-automation"])
options.add_experimental_option('useAutomationExtension', False)
options.add_argument('--disable-blink-features=AutomationControlled')
driver = webdriver.Chrome(options=options, executable_path=r'C:\WebDrivers\chromedriver.exe')
driver.execute_script("Object.defineProperty(navigator, 'webdriver', {get: () => undefined})")
driver.execute_cdp_cmd('Network.setUserAgentOverride', {
"userAgent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.53 Safari/537.36'
})
print(driver.execute_script("return navigator.userAgent;"))
driver.get('https://www.httpbin.org/headers')Implementations in Other Languages
These methods are also applicable in other programming languages. For example, in Java, similar configurations can be used:
System.setProperty("webdriver.chrome.driver", "C:\\Utility\\BrowserDrivers\\chromedriver.exe");
ChromeOptions options = new ChromeOptions();
options.setExperimentalOption("excludeSwitches", Collections.singletonList("enable-automation"));
options.setExperimentalOption("useAutomationExtension", false);
WebDriver driver = new ChromeDriver(options);
driver.get("https://www.google.com/");In Ruby, arguments can be added:
options = Selenium::WebDriver::Chrome::Options.new
options.add_argument("--disable-blink-features=AutomationControlled")
driver = Selenium::WebDriver.for :chrome, options: optionsConsiderations and Limitations
Modifying navigator.webdriver may violate website terms of service, and overuse could lead to enhanced detection. Based on community feedback, using the --disable-blink-features=AutomationControlled argument alone might suffice, but combining multiple methods increases success rates. Also, execute_cdp_cmd commands may cause inconsistencies, so startup parameters are recommended as a priority.
Conclusion
By understanding the W3C specification and Selenium's implementation, developers can effectively modify the navigator.webdriver flag to evade detection. The methods provided in this paper are based on practical experience and community validation, but ethical and legal boundaries should be noted. As browsers and detection technologies evolve, these strategies may require adjustments, but the core principles will remain relevant.