-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Major updates have arrived in 4.28.0
(mostly for UC Mode)
#2865
Comments
4.28.0
(mostly for UC Mode)4.28.0
(mostly for UC Mode)
The Examples of bypassing the Brotector CAPTCHA with UC Mode:
Examples of how the Brotector CAPTCHA detects regular Selenium: |
✅ I can confirm that my issue on headless Linux Ubuntu was solved by Appreciate your work sir @mdmintz |
This comment was marked as resolved.
This comment was marked as resolved.
Hey @mdmintz , do you think you will be working on making the |
@goldananas If using the With the |
This comment was marked as outdated.
This comment was marked as outdated.
Windows users should upgrade to |
macOS: ✅ So much for the free pass on GitHub Actions CAPTCHA bypassing. 😄 I didn't expect that loophole to last long. |
@mdmintz I forgot to mention that I am running an Ubuntu server, no GUI |
@JimKarvo Residential IP or non-residential? |
@mdmintz In my case I also have some issues with the bypass. My user agent on both Linux machines is: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 // |
The last successful GitHub Actions run for bypassing Cloudflare's Turnstile was https://github.com/mdmintz/undetected-testing/actions/runs/9748457978/job/26903480495 8 hours ago. Likely their QA Team did not initially catch that their Turnstiles were getting bypassed on GitHub Actions until they came over to the SeleniumBase repo and read the notes. |
@mdmintz fyi, Linux without GUI on residential IPs still works for me |
@gabrielsim That's good news: That means the algorithm works right now when the IP Address hasn't been blocked already. When it worked earlier on GitHub Actions, it was due to a bug on Cloudflare's end when then forget to check IP ranges for known non-residential server addresses. They finally fixed it: Likely after reading this thread and learning about the loophole. No changes are needed for UC Mode at this time. However, Brotector still has some bot-checks that Cloudflare hasn't picked up yet. This would allow them to detect switching into an iframe, as well the JavaScript for making an element the active one. There's already a plan in place for that scenario, involving |
That's very strange, however any website that I test now, bypass seems to be working properly... Idk what CF team is doing, but I believe the prepare another big update for us. |
Hey guys, just to add to this discussion, CF is now detecting residential proxies with ML: https://blog.cloudflare.com/residential-proxy-bot-detection-using-machine-learning The residential proxies I used became pretty much useless since mid June :/ |
Hey guys can somebody help me i am trying on macos to get the dexscreener and to bypass cloudflare but it doesnt work import time from seleniumbase import SB with SB(uc=True, xvfb=True) as sb:
|
Updates: Nothing to do with blocked IP or proxies. I have scripts running on Windows machines (headed) on my home IP. |
test.mov |
@amberbor The best user-agent to use is the default one that SeleniumBase sets for you automatically. |
github.movI will not reveal all the cards, but it's possible. We managed to bypass everything. We don't disconnect CDP session, don't use image to find checkbox by pattern. Also we have custom recorded mouse movements which we slightly modify each time and replicate (but looks like it's not required for cloudflare, but useful for recaptcha). The only problem is running chrome inside docker. It would be better to manage everything, but I wasn't able to understand what's exactly they are detecting and what's leaking. So for me ubuntu + headfull + isp/residential ips works stable now. |
gj, but bypassing their captcha through their callback is still the best option :) |
@OpsecGuy Thanks, probably yes, but making universal logic is better for me, because it will require less changes when cloudflare changes something from their side. Also it can bypass other smart captchas. |
Here's where we're at: macOS with residential IP: ✅ Based on my observations (and others above) there are no problems when using residential IPs. You may need to adjust some timings (eg. My tests for non-residential IPs have only used GitHub Actions so far, and the CAPTCHAs haven't been bypassed since 3 days ago when CF made some changes. Some people above have claimed that those non-residential IP CAPTCHAs can be bypassed if using pyautogui mouse actions for clicking, rather than the spacebar. I have yet to observe that behavior myself, but I'm still investigating. I'll probably add a pyautogui mouse-clicking method in the next release, although I'm not sure it will be any better than the current Keep in mind some of the methods that are currently available: uc_open_with_reconnect(url, reconnect_time=None)
uc_open_with_disconnect(url, timeout=None)
reconnect(timeout)
disconnect()
connect()
uc_click(selector, by="css selector") # Partially obsolete due to uc_gui_handle_cf()
uc_gui_press_key(key)
uc_gui_press_keys(keys)
uc_gui_write(text)
uc_gui_handle_cf(frame="iframe") |
use https://github.com/kaliiiiiiiiii/Selenium-Driverless, https://github.com/g1879/DrissionPage or https://github.com/ultrafunkamsterdam/nodriver/issues |
@NCLnclNCL Show me the link to working code running successfully in GitHub Actions. If people make claims, they need to back up those claims with hard evidence. The non-residential IP space (eg. GitHub Actions) appears to be an issue for everyone because Cloudflare flags those IP ranges as non-human traffic, and then prevents bypass. As for the residential IP space, SeleniumBase is bypassing CAPTCHAs successfully with the right code. (Examples are listed in this thread.) |
Improvements and new methods are available in SeleniumBase In particular, there's from seleniumbase import SB
with SB(uc=True, test=True) as sb:
url = "https://www.virtualmanager.com/en/login"
sb.uc_open_with_reconnect(url, 4)
print(sb.get_page_title())
sb.uc_gui_click_cf() # Ready if needed!
print(sb.get_page_title())
sb.assert_element('input[name*="email"]')
sb.assert_element('input[name*="login"]')
sb.set_messenger_theme(location="bottom_center")
sb.post_message("SeleniumBase wasn't detected!") https://github.com/mdmintz/undetected-testing/actions/runs/9817403347/job/27108729362 New Status: macOS / Windows / Linux with residential IP: ✅ |
Thats what I like to see! I can confirm that Thanks once again @mdmintz - and also @chlwodud77 regarding using clicks work rather than keyboard actions :-) Bypass.mp4 |
Have you tried on the server with ubuntu and a fake display? |
No, I only use it for windows non-residential IP :-) |
Confirm of working in headless Ubuntu with server IP (for testing) |
I am testing the It seems to work, but there a couple of issues mostly related to the spinning bar image in the input box becomes it expects a user action:
The flow however seems to work if driven in debug mode triggering these actions manually, ideally there should be a wait condition in between that checks that the wheel is not spinning and the input box is empty/clickable, haven't figured out how to do it yet. |
Also looks like mouse movement is mandatory now, just clicking checkbox with system mouse isn't enough. |
CF Patched the solution for Ubuntu server (virtual monitor) systems |
Seems like Windows doesn't work as well anymore. |
Also turnstile iframe is behind shadow dom now, so I think patching required in this direction. |
I'm aware of the new ShadowDOM situation causing failures. No need for people to keep posting about it. |
Upgrade to Also added this new method: |
More info on the
https://github.com/mdmintz/undetected-testing/actions/runs/9847111425/job/27186339885 You can also use |
The new method is capable to pass the verification also with non residential, however this only happens when the button it's been clicked right after the spinning wheel disappears (and empty box appears). Not always though the click goes through, some times the cursor is positioned to the input box but not click gets dispatched |
@bjornkarlsson When you call |
Would this update be able to run headless on windows as well? or does |
Thanks that seems to do the trick most of the times, is there a way to wait for the input box to appear with the Shadowed DOM? I was able to implement that prior the changes of yesterday on the shadowed iframe |
@robertmaceda The @bjornkarlsson There's no way to wait for it specifically, so make sure to wait long enough. Separate from that, I had to temporarily disable interaction due to an overwhelming number of GitHub notifications (mostly off-topic), so opening new tickets and comments might not be possible at the moment. Refer to existing documentation. |
If you're using any of the following methods... sb.uc_gui_click_captcha()
sb.uc_gui_click_cf()
sb.uc_gui_handle_cf() ...then be sure to upgrade to CF made a big change to Turnstiles today... and we were ready for them! |
If you missed #3080, upgrade to And if you haven't seen Video 3 yet, here's the link: https://www.youtube.com/watch?v=-EpZlhGWo9k |
For anyone that hasn't been following #2842, CF pushed an update that prevented UC Mode from easily bypassing CAPTCHA Turnstiles on Linux servers. Additionally,
uc_click()
was rendered ineffective for clicking Turnstile CAPTCHA checkboxes when clicking the checkbox was required. I've been working on solutions to these situations.As I mentioned earlier in #2842 (comment), if CF detects either Selenium in the browser or JavaScript involvement in clicking the CAPTCHA, then they don't let the click through. (The JS-detection part is new.) I read online that CF employees borrowed ideas from https://github.com/kaliiiiiiiiii/brotector (a Selenium detector) in order to improve their CAPTCHA. Naturally, I was skeptical at first, but I have confirmed that the two algorithms do appear to get similar results. (Brotector was released 6 weeks ago, while the Cloudflare update happened 2 weeks ago.)
The solution to bypassing the improved CAPTCHAs requires using
pyautogui
to stay undetected. There was also the matter of how to makepyautogui
work well on headless Linux servers. (Thanks to some ideas by @EnmeiRyuuDev in #2842 (comment), that problem was overcome by settingpyautogui._pyautogui_x11._display
toXlib.display.Display(os.environ['DISPLAY'])
on Linux in order to sync uppyautogui
with theX11
virtual display.)The improved SeleniumBase UC Mode will have these new methods:
It'll probably be easier to understand how those work via examples. Here's one for
uc_gui_handle_cf
based on the example in #2842 (comment):Above, I deliberately gave it an incomplete UserAgent so that CAPTCHA-clicking is required to advance. On macOS and Windows, the default UserAgent that SeleniumBase gives you is already enough to bypass the CAPTCHA screen entirely. The
uc_gui_handle_cf()
method is designed such that if there's no CAPTCHA that needs to be clicked on the page you're on, then nothing happens. Therefore, you can add the line whenever you think you'll encounter a CAPTCHA or not. In case there's more than one iframe on a website, you can specify the CSS Selector of the iframe as an arg when callinguc_gui_handle_cf()
. There will be new examples in theSeleniumBase/examples/
folder for all the new UC Mode methods. To sum up, you may need to use the neweruc_gui_*
methods in order to get past some CAPTCHAs on Linux whereuc_click()
worked previously.On the topic of Brotector, (which is the open source bot-detector library that CF borrowed ideas from), there is a huge opportunity: Now that effective bot-detection software is available to the general public (all the code is open source!), anyone can now build their own CAPTCHA services (or just add CAPTCHAs to sites without the "service" part). I've already jumped on this with the Brotector CAPTCHA: https://seleniumbase.io/apps/brotector. I've also created a few test sites that utilize it:
That covers the major updates from
4.28.0
(with the exception of Brotector CAPTCHA test sites, which were already available to the public at the URLs listed above).There will also be some other improvements:
sb
methods added directly into thedriver
.Now, when using UC Mode on Linux, the default setting is NOT using headless mode. If for some reason you decide to use UC Mode and Headless Mode together, note that although Chrome will launch, you'll definitely be detected by anti-bots, and on top of that,
pyautogui
methods won't work. Usexvfb=True
/--xvfb
in order to be sure that the improved X11 virtual display on Linux activates. You'll need that for theuc_gui_*
methods to work properly.Much of that will get covered in the 3rd UC Mode video tutorial on YouTube (expected sometime in the near future).
In case anyone has forgotten, SeleniumBase is still a Test Automation Framework at heart, (which includes an extremely popular feature for stealth called "UC Mode"). UC Mode has gathered a lot of the attention, but SeleniumBase is more than just that.
The text was updated successfully, but these errors were encountered: