Tracking Modified Selenium ChromeDriver
What is Selenium?
Selenium is a popular framework released in 2004 that uses code to instrument browsers. Bot developers use Selenium to tell browsers what actions to perform automatically (e.g. click on a link, load a page, make a login attempt, add a product to a cart, etc.).
Selenium can be used to instrument various browsers, such as Chrome, Firefox, Opera, and Safari. This article focuses on Selenium used with Chrome.
DataDome’s client-side JS tag detects the ChromeDriver modification applied by bot developers, which allows us to track each bot’s activity across different customers. Here’s a look at how and why this works, and what it might mean for you.
Use of Selenium
Although many bot developers have moved to more recent frameworks, such as Puppeteer and Playwright, Selenium remains a common choice. Released in 2004, Selenium is wildly popular due to its age and its capacity to be used to instrument different browsers such as Chrome, Firefox, Opera, and Safari.
Modified ChromeDriver
ChromeDriver is the piece of code contained inside of headless Chrome that listens to and executes Selenium instructions. Non-modified Selenium Chrome that uses the default ChromeDriver can be easily identified because of discriminating attributes that make it differ from genuine Chrome browsers used by humans.
One of the built-in JavaScript objects present in the browser (document object) has a discriminating property named “$cdc_asdjflasutopfhvcZLmcfl_” that can be used to detect ChromeDriver’s presence. There are sources available that tell bot developers/fraudsters how to modify the ChromeDriver binary to avoid being detected.
Although users can modify ChromeDriver by recompiling Chromium, blog posts propose simply locating the discriminating string ($cdc_asdjflasutopfhvcZLmcfl_) in the ChromeDriver binary and replacing it with a different one to bypass common bot detection techniques.
However, our detection engine can identify changes that have been made on the ChromeDriver binary, which enables us to:
- Detect modified Selenium Chrome in real time using a JavaScript-based approach we developed that is resilient to modified ChromeDriver binaries.
- Keep track of different actors based on the modification they applied to their ChromeDriver binary. The modification used is often stable (not changed frequently) for a given bot developer, so it can be linked to an individual/small group of attackers.
Moreover, because the modified string tends to be unique for a given bot, we can search its origin on GitHub, Google, and other search engines. Searching the modified string helps us to understand where the attackers might come from. For example, this blog post on a Chinese website shows how to replace the original ChromeDriver string with “$abc_asdjflasutopfhvcZLmcfl_”.
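The two ideas above (spotting a renamed key and grouping sessions by it) can be sketched as follows. This is an added example, not DataDome's detection code, which the article does not describe. It assumes a patched binary keeps the default key's shape because the replacement string must have the same length; the site names and session objects are constructed.

```javascript
// Added example: not DataDome's detection logic. Assumption: a binary-patched
// ChromeDriver keeps the shape of the default key ("$" + 3 letters + "_" +
// 22 alphanumerics + "_") because the replacement must be the same length.
const DEFAULT_KEY = "$cdc_asdjflasutopfhvcZLmcfl_";
const KEY_SHAPE = /^\$[A-Za-z]{3}_[A-Za-z0-9]{22}_$/;

// Inspect an object's own property names (pass `document` in a browser) and
// classify any ChromeDriver-shaped key as the default or a modified signature.
function classifyDriverKeys(target) {
  return Object.getOwnPropertyNames(target)
    .filter((name) => KEY_SHAPE.test(name))
    .map((name) => ({
      signature: name,
      kind: name === DEFAULT_KEY ? "default" : "modified",
    }));
}

// Count distinct sites per signature: the aggregation behind a
// "customers per modified ChromeDriver signature" view.
function sitesPerSignature(events) {
  const sites = new Map();
  for (const { site, signature } of events) {
    if (!sites.has(signature)) sites.set(signature, new Set());
    sites.get(signature).add(site);
  }
  return [...sites.entries()]
    .map(([signature, set]) => ({ signature, sites: set.size }))
    .sort((a, b) => b.sites - a.sites);
}

// Constructed stand-ins for `document` as seen in four sessions.
const sessions = [
  { site: "shop-a.example", doc: { title: "x", "$abc_asdjflasutopfhvcZLmcfl_": {} } },
  { site: "shop-b.example", doc: { title: "y", "$abc_asdjflasutopfhvcZLmcfl_": {} } },
  { site: "shop-a.example", doc: { title: "z", [DEFAULT_KEY]: {} } },
  { site: "news.example", doc: { title: "human", $jquery_ref: 1 } },
];

// One event per detected key, tagged with the site it was seen on.
const events = sessions.flatMap(({ site, doc }) =>
  classifyDriverKeys(doc).map((hit) => ({ site, ...hit }))
);
console.log(sitesPerSignature(events));
```

A shape match on its own is only a heuristic; a production tag would combine it with other signals before acting on it.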
Modified Selenium ChromeDriver in the Wild
The graph below shows how we can track malicious actors that leverage Selenium with a modified ChromeDriver. You can see the distinct number of DataDome customers with websites/applications on which we detect each modified ChromeDriver signature:

Most Popular: E-Commerce & Classified Scrapers
The most popular modified ChromeDriver signature, as identified by its overridden attribute “$mks_xsdrpotbutorXXXXXXXXXX”, is present on ~20 websites (mostly e-commerce and classifieds) and mobile applications protected by DataDome. The bots conduct scraping to extract information about products, such as product description, price, and rating.
Sneaker Scalpers
The second most common modified ChromeDriver bot, “$abc_asdjflasutopfhXXXXXXXXX”, is present on five distinct customer sites, all linked to the sneaker industry. Our analysis shows that the bots are conducting scalping attacks from clean residential proxies, trying to buy limited-edition sneakers.
Fake Influencers
The third modified ChromeDriver signature, “$dog_asdjflasutopfXXXXXXXXX”, is used against three of our customers to execute vote manipulation. These bots up-vote posts and trigger fake views/listens to manipulate the rankings of articles, songs, and videos.
Conclusion
Attackers go a long way to avoid being detected. However, thanks to the advanced signals collected by our client-side JS tag, we can detect the modification applied by bot developers to track their activity across different customers. This helps us understand the bots’ intent and modus operandi.
The examples above show the importance of having client-side detection in addition to server-side detection to best secure your sites and understand what attackers are doing on your website.