Testing invisible reCAPTCHA

email1 · March 8, 2018, 10:52pm

So first things first - this isn’t a guide to ‘Testing invisible reCAPTCHA’ - it’s actually a call for any useful information, resources on doing this. But with your help, it may turn into a guide…

A website project I’m working on has moved the signup form away from the reCAPTCHA (with a tickbox) to invisible reCAPTCHA. This means that the method of proving a human is operating the form has moved from a visible tickbox that’s always there to something behind the scenes deciding this - and if it thinks its a bot, it produces a challenge that has to be completed before the form can be submitted.

Which brings us onto how to test this.

Google does have some resources available for this - urls below - but they’re not that informative.
https://developers.google.com/recaptcha/docs/invisible
https://www.google.com/recaptcha/intro/invisible.html
https://developers.google.com/recaptcha/

I was hoping for some info on how it works, suggestions on how to test it and any possible edge cases - but couldn’t find any of this information.

I did see a question in Google Groups on how to test Invisible Recaptcha but the only answer was to use Edge browser while not being signed into Google account and that should trigger the challenge. I tried that but it didn’t work.

Therefore, I’m now opening up the question to the Club…

email1 · March 9, 2018, 6:12pm

So here’s an update on what I’ve found out so far:

Google don’t really tell us how it works (for security/secrecy) just how to implement it
Basic operation is that if it thinks there’s a human using the form, they can submit the form without a problem
but if it thinks there’s a bot using the form, a captcha challenge is issued, in the form of the images you normally have to click to progress (like the previous reCAPTCHA)

From various chats in different Slack workspaces (thanks to all who offered info) the best approach to testing it is to try one path where you use the form in a standard way (as a human operator) and to try another path where you force the captcha to trigger.

One way of forcing the captcha to trigger is to use Chrome browser, then in Developer Tools use Network Conditions and set User agent to Googlebot and then load the relevant form you want to test.

jaclyn_johnsen · October 30, 2018, 9:08pm

Does this work for a honeypot captcha?

chris_dabnor · October 31, 2018, 9:49am

I recently had to test reCaptcha, but the tickbox followed by pictures of traffic lights and stuff. Obviously, I had to do some research. Amongst other things, I found that the precision of cursor movement was relevant. If the cursor describes a perfect line to the tickbox and if the click is in the middle of the box. Invisible reCaptcha may do the same - a perfect line between buttons and fields, and clicking directly in the centre. Oh, and speed of movement of the cursor might be a thing too. Essentially, I think you want to test perfect mouse movement results in a denial, and perfect mouse movement results in a pass, as well as a mixture. Hope this helps and I’m not just waffling.