Exposing the Invisible: Inspect Web Security with the Scrapfly Anti-bot Detector
Scrapfly Anti-bot Detector is a Manifest V3 Chrome extension that helps security researchers, web developers, and bot detection enthusiasts identify and analyze:
- CAPTCHAs: reCAPTCHA, hCaptcha, FunCaptcha, GeeTest, Cloudflare Turnstile
- Anti-bot systems: Cloudflare, Akamai, DataDome, PerimeterX, Shape Security, AWS WAF, Imperva, Kasada, and more
- Fingerprinting techniques: Canvas, WebGL, Audio, Font, WebRTC, Performance, Navigator, Storage, and other browser fingerprinting methods
Features
- DOM Analysis: Detects scripts, classes, and HTML elements
- Network Monitoring: Analyzes cookies, headers, and URLs
- Payload Analysis: Inspects request bodies with URL pattern and HTTP method filtering
- JavaScript Hooks: Intercepts 21 fingerprinting API categories (Canvas, WebGL, Audio, Performance, etc.)
- Window Properties: Checks for anti-bot objects in the global scope
- Real-time Detection: Live detection results with confidence scores
- Badge Indicator: Shows detection count on the extension icon
- Detection History: Track detected systems across browsing sessions
- Advanced Capture Tools: Specialized tools for reCAPTCHA, hCaptcha, FunCaptcha, GeeTest, Akamai, DataDome, Cloudflare Turnstile, Imperva, Shape Security, and AWS WAF
- Intermediate Page Handling: Automatically captures data from challenge pages before redirect
- Rules Editor: Customize and manage detection rules with full CRUD operations
- Settings Panel: Configure cache duration, history limits, URL blacklists, and debug mode
- Smart Caching: 12-hour detection cache with sessionStorage sync for instant refresh
- Pattern Caching: LRU cache for compiled regex patterns (60-80% faster)
- Early Exit: Stops detection after finding high-confidence matches
- Lazy Evaluation: On-demand data collection based on enabled detectors
- Batched Operations: Optimized DOM traversal and storage writes
- Hook Completion: 2-second inactivity timeout with 8-second maximum window
- No Data Collection: All detection happens locally in your browser
- CSP Compliant: No inline event handlers or unsafe-eval
- Context Isolation: Proper separation between MAIN and ISOLATED worlds
- Safe Conditions: Pre-compiled evaluators (no eval/arbitrary code execution)
Usage
- Navigate to a Website: The extension automatically scans pages
- Open Popup: Click the extension icon to view results
- View Details: Click on any detection card to see full details
- Copy Results: Use the copy button to export detection data
Advanced Capture Tools

| System | Features |
|---|---|
| reCAPTCHA | Start Capture, Obtain Selector, Extract SiteKey, Callback Detection |
| Akamai | Start Capture, Extract Sensor Data |
| Imperva | Check Cookies, Analyze Scripts, Start Capture |
| Shape Security | Check Headers, Analyze Scripts, Start Capturing |
| AWS WAF | Check Cookies, Analyze Scripts |
| hCaptcha | Extract SiteKey, Analyze Scripts |
| FunCaptcha | Extract Public Key, Analyze Scripts |
| GeeTest | Extract Challenge Parameters, Analyze Scripts |
| DataDome | Check Cookies, Analyze Scripts |
| Cloudflare Turnstile | Extract SiteKey, Analyze Scripts |

Rules Editor
- Browse Detectors: View all detection rules by category (Anti-Bot, CAPTCHA, Fingerprinting)
- Edit Rules: Modify detection patterns, confidence scores, and settings
- Add Methods: Create new detection methods (Cookie, Header, URL, Content, DOM, Window, JS Hooks, Payload)
- Pattern Options: Configure regex, whole-word, and case-sensitive matching
- Import/Export: Share rules via JSON files
Settings Panel
- Cache Duration: Set detection cache expiry (1-24 hours)
- History Limit: Control max history items (10-500)
- URL Blacklist: Exclude specific domains from detection
- Debug Mode: Enable verbose logging to Service Worker console
- Auto-cleanup: Automatic history expiration
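
The Pattern Options, Pattern Caching and Early Exit items above, sketched as an added example (not the extension's own code): rule patterns with regex, whole-word and case-sensitive options are compiled once into an LRU cache, and a rule stops evaluating once one of its methods reaches a high confidence. The rule shape, the threshold of 90 and the sample page data are assumptions.

```javascript
// Added illustration. The rule shape, field names and sample page data are
// assumptions (constructed), not the extension's actual rule format.
class PatternCache {
  constructor(limit = 100) { this.limit = limit; this.map = new Map(); this.compiles = 0; }
  get(m) {
    const key = JSON.stringify([m.pattern, !!m.regex, !!m.wholeWord, !!m.caseSensitive]);
    let re = this.map.get(key);
    if (re) {
      this.map.delete(key); // re-inserted below so it becomes most recently used
    } else {
      // Literal patterns are escaped so rule text cannot act as regex syntax.
      let src = m.regex ? m.pattern : m.pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
      if (m.wholeWord) src = `\\b(?:${src})\\b`;
      re = new RegExp(src, m.caseSensitive ? '' : 'i');
      this.compiles++;
      if (this.map.size >= this.limit) this.map.delete(this.map.keys().next().value); // evict LRU
    }
    this.map.set(key, re);
    return re;
  }
}

// Returns [{name, confidence}] sorted by confidence, highest first.
function detect(rules, page, cache, earlyExitAt = 90) {
  const hits = [];
  for (const rule of rules) {
    let best = 0;
    for (const m of rule.methods) {
      const values = page[m.type] || [];
      if (values.some(v => cache.get(m).test(v))) best = Math.max(best, m.confidence);
      if (best >= earlyExitAt) break; // high confidence: skip this rule's remaining methods
    }
    if (best > 0) hits.push({ name: rule.name, confidence: best });
  }
  return hits.sort((a, b) => b.confidence - a.confidence);
}

// Constructed sample rules and page snapshot.
const RULES = [
  { name: 'Akamai', methods: [
    { type: 'cookies', pattern: '_abck', wholeWord: true, caseSensitive: true, confidence: 95 },
    { type: 'urls', pattern: '/akam/\\d+/', regex: true, confidence: 60 } ] },
  { name: 'DataDome', methods: [
    { type: 'cookies', pattern: 'datadome', wholeWord: true, confidence: 90 } ] },
  { name: 'Cloudflare', methods: [{ type: 'headers', pattern: 'cf-ray', confidence: 70 }] },
];
const PAGE = { cookies: ['_abck', 'session_id'], headers: ['content-type', 'CF-RAY'],
  urls: ['https://shop.example/akam/13/px'] };
console.log(detect(RULES, PAGE, new PatternCache()));
```

The Akamai URL pattern is never compiled for this page because the cookie match already exceeds the threshold, and a second scan with the same cache compiles nothing new.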