Bot Arena

A live demo

Where automation gets caught — or can't even try.

Two sections, seven levels. The first five are about detection — the site sees you and refuses. The last two are about capability — selector-based automation cannot interact with what it cannot find.

Start at Level 1 → See the Playwright failure report Other use-cases →

Bot detection

The site detects automation through fingerprinting, behavioural signals, or third-party challenge.

  1. Level 1
    The honest tell

    navigator.webdriver and other passive Chrome flags.
  2. Level 2
    CDP attached

    Headless-window shape, missing chrome.app / chrome.csi.
  3. Level 3
    Mouse trajectory

    Mousemove density, click curvature, keystroke cadence.
  4. Level 4
    Fingerprint battery

    Canvas, audio, font, and WebGL signals.
  5. Level 5
    Cloudflare Turnstile

    Managed-mode widget with server-side verification.

Selector resistance

The DOM that selector-based automation depends on is absent, randomised, sealed, or in a different frame.

  1. Level 1
    Canvas-rendered login

    No DOM form — pixels only on a <canvas>.
  2. Level 2
    Dynamic selectors

    Real form, but every id/name/class rerolls per request.
  3. Level 3
    Closed Shadow DOM

    Form inside a web component with a sealed shadow root.
  4. Level 4
    Iframe-embedded form

    Form lives in a child frame; page-scoped locators miss it.