Testing invisible reCAPTCHA

So first things first - this isn't a guide to 'Testing invisible reCAPTCHA' - it's actually a call for any useful information, resources on doing this. But with your help, it may turn into a guide…

A website project I'm working on has moved the signup form away from the reCAPTCHA (with a tickbox) to invisible reCAPTCHA. This means that the method of proving a human is operating the form has moved from a visible tickbox that's always there to something behind the scenes deciding this - and if it thinks it's a bot, it produces a challenge that has to be completed before the form can be submitted.

Which brings us onto how to test this.

Google does have some resources available for this - URLs below - but they're not that informative.
https://developers.google.com/recaptcha/docs/invisible
https://www.google.com/recaptcha/intro/invisible.html
https://developers.google.com/recaptcha/

I was hoping for some info on how it works, suggestions on how to test it and any possible edge cases - but couldn't find any of this information.

I did see a question in Google Groups on how to test invisible reCAPTCHA, but the only answer was to use the Edge browser while not being signed into a Google account, and that should trigger the challenge. I tried that but it didn't work.

Therefore, I'm now opening up the question to the Club…

2 Likes

So here's an update on what I've found out so far:

  • Google don't really tell us how it works (for security/secrecy), just how to implement it
  • Basic operation is that if it thinks there's a human using the form, they can submit the form without a problem
  • but if it thinks there's a bot using the form, a captcha challenge is issued, in the form of the images you normally have to click to progress (like the previous reCAPTCHA)

From various chats in different Slack workspaces (thanks to all who offered info) the best approach to testing it is to try one path where you use the form in a standard way (as a human operator) and to try another path where you force the captcha to trigger.

One way of forcing the captcha to trigger is to use Chrome browser, then in Developer Tools use Network Conditions and set User agent to Googlebot and then load the relevant form you want to test.

1 Like

Does this work for a honeypot captcha?

I recently had to test reCAPTCHA, but the tickbox followed by pictures of traffic lights and stuff. Obviously, I had to do some research. Amongst other things, I found that the precision of cursor movement was relevant. If the cursor describes a perfect line to the tickbox and if the click is in the middle of the box. Invisible reCAPTCHA may do the same - a perfect line between buttons and fields, and clicking directly in the centre. Oh, and speed of movement of the cursor might be a thing too. Essentially, I think you want to test perfect mouse movement results in a denial, and perfect mouse movement results in a pass, as well as a mixture. Hope this helps and I'm not just waffling.

1 Like