Anti-Bot Bypass Tools - Technical Deep Dives
Honest, no-BS technical analysis of web scraping and anti-bot bypass tools.
Learn what actually works, how it works under the hood, and which tool fits your use case.
Sponsored by Scrappey
Scrappey.com — Anti-bot bypass API that handles Cloudflare, DataDome, and more. Skip the browser automation complexity and let Scrappey handle the hard parts.
Why This Exists
Every anti-detection tool claims to be "undetectable" or bypass "all bot protection." Most of that is marketing.
This repository provides:
- Source code analysis - We read the actual code, not just the docs
- Technical breakdowns - How each evasion technique works at the protocol level
- Honest assessments - Real limitations, not just success stories
- Comparison guides - Pick the right tool for your specific use case
Tool Analyses
| Tool | Type | Language | Best For | Analysis |
|---|---|---|---|---|
| Camoufox | Custom Firefox build | Python | C++ level stealth, fingerprint rotation | Read → |
| Patchright | Playwright binary patch | Python, Node.js, .NET | Maximum stealth with Playwright API | Read → |
| SeleniumBase | Selenium + UC Mode | Python | CAPTCHA solving, testing framework | Read → |
| Botasaurus | Selenium wrapper | Python | Human-like mouse movements | Read → |
| XDriver | Playwright CDP patch | Python | Quick stealth without code changes | Read → |
| CloakBrowser | Custom Chromium build | Python, Node.js | C++ stealth + human behavior + Chromium API | Read → |
| Scrapling | All-in-one scraping framework | Python | TLS stealth + adaptive parsing + spider framework | Read → |
| Obscura | Custom Rust headless engine | Rust (CLI), Puppeteer/Playwright clients | Lightweight V8 scraper with CDP API | Read → |
Quick Comparison
Stealth Capabilities
| Feature | Camoufox | Patchright | SeleniumBase | Botasaurus | XDriver | CloakBrowser | Scrapling | Obscura |
|---|---|---|---|---|---|---|---|---|
navigator.webdriver bypass |
✅ C++ | ✅ | ✅ | ✅ | ✅ | ✅ C++ | ✅ (via Patchright/Camoufox) | ✅ JS shim |
Runtime.enable bypass |
✅ Juggler | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ (via Patchright) | N/A (custom engine) |
| Fingerprint rotation | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐ | ⭐⭐ | ❌ | ⭐⭐⭐⭐ | ❌ | ⭐⭐ (small pools) |
| Human mouse simulation | ⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐⭐⭐⭐ | ❌ | ❌ (no hit testing) |
| CDP fingerprint evasion | N/A | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ (via Patchright) | ⭐⭐⭐ (custom CDP server) |
| Cross-platform parity | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐ | ⭐ | ⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ (UA hardcoded Linux) |
| CAPTCHA solving | ❌ | ❌ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ❌ | ❌ | ⚠️ Cloudflare only | ❌ |
| Cloudflare bypass | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ (auto-solve) | ⭐⭐ (free tier only) |
| Ease of use | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ (single binary) |
| TLS fingerprint impersonation | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ curl_cffi (HTTP tier) | ⚠️ Optional (--features stealth, single profile) |
| Built-in parser | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ (784x faster than BS4) | ⚠️ html5ever + selectors |
| Spider/crawler framework | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ Scrapy-like | ❌ (CLI scrape only) |
| Real layout / rendering | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ (browser tier) | ❌ (no layout engine) |
| Memory footprint | ~200 MB | ~200 MB | ~200 MB | ~200 MB | ~200 MB | ~200 MB | ~10 MB (HTTP) | ~30 MB |
| Cost | Free | Free | Free | Free | Free | Free* | Free | Free |
* CloakBrowser wrapper is MIT open-source; the Chromium binary is proprietary but free to use. See security audit notes.
Anti-Bot Service Coverage
| Service | Camoufox | Patchright | SeleniumBase | Botasaurus | XDriver | CloakBrowser | Scrapling | Obscura |
|---|---|---|---|---|---|---|---|---|
| Cloudflare WAF | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ (Stealth) / ⚠️ (HTTP) | ⚠️ (free tier) |
| Cloudflare Turnstile | ⚠️ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ (auto-solve) | ❌ |
| DataDome | ✅ | ✅ | ✅ | ⚠️ | ✅ | ✅ | ✅ (via Patchright/Camoufox) | ❌ |
| Kasada | ⚠️ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ (via Patchright) | ❌ |
| PerimeterX | ✅ | ⚠️ | ✅ | ❌ | ✅ | ✅ | ⚠️ | ❌ |
| Akamai | ⚠️ | ⚠️ | ⚠️ | ❌ | ⚠️ | ⚠️ | ⚠️ | ❌ |
| Imperva | ✅ | ⚠️ | ✅ | ❌ | ✅ | ✅ | ⚠️ | ❌ |
✅ = Reliably bypasses | ⚠️ = Partial/conditional | ❌ = Not effective
Note: Camoufox uses Firefox (~3% market share). Some WAFs may flag Firefox users more aggressively.
Decision Guide
When to Use What
| Your Situation | Recommended Tool | Why |
|---|---|---|
| Undetectable fingerprint spoofing | Camoufox | C++ level = truly native, JS can't detect |
| Need fingerprint rotation | Camoufox | BrowserForge statistical accuracy |
| Enterprise-level anti-bot (Akamai, DataDome) | Patchright + Camoufox | Combine protocol stealth with fingerprint rotation |
| Need CAPTCHA solving | SeleniumBase | Built-in Turnstile/reCAPTCHA handling |
| Maximum Chromium stealth + free | Patchright | Protocol-level CDP bypass |
| C++ Chromium stealth + Playwright API | CloakBrowser | 33 source-level patches, 0.9 reCAPTCHA score |
| Human-like behavior (one flag) | CloakBrowser | humanize=True — Bézier mouse, typing, scroll |
| Human-like mouse movements | Botasaurus | Best Bézier curve implementation |
| Existing Playwright code | XDriver or CloakBrowser | No code changes needed (drop-in replacement) |
| Quick prototype | Botasaurus | Simplest API |
| Node.js / TypeScript | Patchright or CloakBrowser | Multi-language support |
| Testing framework needed | SeleniumBase | pytest/unittest integration |
| All-in-one scraping framework | Scrapling | Fetching + parsing + crawling + stealth in one package |
| HTTP-only stealth (no browser) | Scrapling | TLS impersonation via curl_cffi — fastest option |
| Adaptive scraping (sites change often) | Scrapling | Auto-relocates selectors when DOM changes |
| AI-integrated scraping | Scrapling | MCP server for Claude/Cursor workflows |
| Lightweight high-concurrency scraping | Obscura | ~30 MB / ~85 ms page load, single Rust binary |
| Server-rendered HTML at scale | Obscura | V8 + html5ever, no Chrome dependency |
How Bot Detection Actually Works
Understanding detection helps you choose the right tool:
┌──────────────────────────────────────────────────────────────────────┐
│ DETECTION LAYERS │
├──────────────────────────────────────────────────────────────────────┤
│ Layer 1: Protocol Detection │
│ ├─ Runtime.enable timing [Patchright, XDriver, CloakBrowser]│
│ ├─ Execution context leaks [Patchright] │
│ ├─ Binding exposure [XDriver] │
│ ├─ CDP input behavior mimicking [CloakBrowser - 5 C++ patches] │
│ └─ Juggler isolation (Firefox) [Camoufox - unique] │
├──────────────────────────────────────────────────────────────────────┤
│ Layer 2: Browser Fingerprinting │
│ ├─ navigator.webdriver [All tools] │
│ ├─ Canvas/WebGL fingerprints [Camoufox C++, CloakBrowser C++] │
│ ├─ Screen/Window properties [Camoufox C++, CloakBrowser C++] │
│ ├─ Audio context spoofing [Camoufox C++, CloakBrowser C++] │
│ └─ Font enumeration [Camoufox, CloakBrowser] │
├──────────────────────────────────────────────────────────────────────┤
│ Layer 3: Behavioral Analysis │
│ ├─ Mouse movement patterns [Botasaurus, Camoufox, CloakBrowser]│
│ ├─ Click timing distribution [Botasaurus, SeleniumBase, CloakBrowser]│
│ └─ Scroll/navigation patterns [Botasaurus, CloakBrowser] │
├──────────────────────────────────────────────────────────────────────┤
│ Layer 4: Network Analysis │
│ ├─ TLS fingerprinting (JA3/JA4) [Scrapling Fetcher - curl_cffi, │
│ │ Obscura --features stealth (wreq)]│
│ ├─ WebRTC/UDP leakage [Camoufox, XDriver, Scrapling] │
│ ├─ IP reputation scoring [Use proxies] │
│ └─ DNS leakage [Use SOCKS5H proxies] │
├──────────────────────────────────────────────────────────────────────┤
│ Layer 5: Layout & Rendering Probes │
│ ├─ getBoundingClientRect checks [Real browsers only — Obscura returns 0s]│
│ ├─ getComputedStyle queries [Real browsers only — Obscura stubs]│
│ └─ Real canvas/WebGL output [Camoufox, CloakBrowser, all real-browser tools]│
└──────────────────────────────────────────────────────────────────────┘The Hard Truth
No tool is truly undetectable. Here's what the marketing won't tell you:
| Reality | Implication |
|---|---|
| Detection is an arms race | What works today may fail tomorrow |
| Enterprise ≠ Free tier | Cloudflare Free vs Enterprise are different beasts |
| IP reputation matters most | Best stealth fails with datacenter IPs |
| Behavioral patterns accumulate | Same scraping pattern = eventual detection |
| TLS fingerprinting exists | Browser TLS signatures are nearly impossible to spoof |
Realistic Success Rates
| Protection Level | Tools Alone | + Residential Proxies |
|---|---|---|
| Basic (CF Free, simple checks) | 90%+ | 99%+ |
| Medium (CF Pro, PerimeterX) | 60-80% | 90%+ |
| Enterprise (Akamai, DataDome) | 20-40% | 70-85% |
| Custom ML-based | <20% | 50-70% |
Detection Test Sites
Test your setup against these:
| Test | What It Checks | URL |
|---|---|---|
| Sannysoft | Automation detection | bot.sannysoft.com |
| BrowserScan | Comprehensive fingerprint | browserscan.net |
| Fingerprint.com | Bot detection | fingerprint.com |
| CreepJS | Browser fingerprint | abrahamjuliot.github.io/creepjs |
| Pixelscan | Leak detection | pixelscan.net |
Tool Combination Strategies
For maximum effectiveness, consider combining tools:
Strategy 1: Undetectable Fingerprint Rotation
Camoufox (C++ spoofing + BrowserForge) + Residential Proxies
= Statistically accurate fingerprints + clean IPs
= Best for: High-volume scraping with identity rotationStrategy 2: Behavioral + Protocol Stealth
Botasaurus (human mouse) + Patchright (CDP stealth)
= Human-like behavior + protocol-level evasionStrategy 3: CAPTCHA + Stealth
SeleniumBase UC Mode + Residential Proxies
= Automatic CAPTCHA solving + clean IP reputationStrategy 4: Quick Testing
XDriver (one-command activation) + Sannysoft test
= Fast iteration on stealth configurationStrategy 5: Firefox-based Maximum Stealth
Camoufox (Juggler isolation) + geoip auto-detection
= No automation artifacts visible + locale consistency
= Best for: Sites that don't discriminate against FirefoxStrategy 6: Chromium C++ Stealth + Human Behavior
CloakBrowser (33 C++ patches + humanize=True) + Residential Proxies
= Source-level fingerprint spoofing + behavioral evasion + clean IPs
= 0.9 reCAPTCHA v3 score + Cloudflare Turnstile pass
= Best for: Chromium-required sites with behavioral detectionStrategy 7: All-in-One Pipeline with Tiered Stealth
Scrapling (Fetcher for bulk HTTP + StealthyFetcher for protected pages)
= TLS-impersonated HTTP for 90% of pages + browser stealth for the rest
= Adaptive selectors survive site redesigns + spider handles crawling
= Best for: Large-scale scraping with mixed protection levelsStrategy 8: Lightweight V8 Scraper + Real Browser Fallback
Obscura (--features stealth) for unprotected JS-rendered pages
+ Patchright/Camoufox for the protected ones
= 30 MB resident workers handle the bulk + heavy browsers reserved for hard targets
= Best for: High-concurrency scraping where most pages are easy and only some need real ChromeContributing
Found a tool worth analyzing? Open an issue with:
- Tool name and repository URL
- What anti-detection approach it uses
- What protection systems it claims to bypass
Disclaimer
This repository is for educational and legitimate purposes:
- Security research and testing
- Academic study
- Authorized penetration testing
- Personal data retrieval from your own accounts
Always respect robots.txt, rate limits, and terms of service.
GitHub Topics
Add these topics to your GitHub repository for better SEO:
web-scraping, anti-detection, bot-bypass, cloudflare-bypass, captcha-bypass,
playwright, selenium, puppeteer, browser-automation, fingerprint-spoofing,
anti-bot, stealth-browser, datadome-bypass, kasada-bypass, akamai-bypass,
camoufox, patchright, seleniumbase, botasaurus, undetected-chromedriver,
cloakbrowser, scrapling, obscura, web-automation, scraping-tools, antibot-bypass, turnstile-bypass,
browser-fingerprinting, cdp-stealth, perimeter-x, imperva-bypassStop believing marketing claims. Read the source code.