Interacted with a honeypot bait element a human cannot reach (off-screen + aria-hidden + tabindex -1)

br.honeypot_interaction  ·  convicts

browserlayer
automationcategory
1evaders caught

What it catches

Classic honeypot (OWASP/Project-Honeypot bait-field technique). The collector injects a bait <a href=/account/verify> and <input name=email_confirm> inside an aria-hidden, off-screen (left:-9999px), tabIndex=-1 wrapper appended at DOMContentLoaded. A human literally cannot reach it — it is not rendered, not in the tab order, and hidden from assistive tech (link prefetchers fetch href without a click event; password managers fill visible login fields, not an off-screen aria-hidden one) — so a click on the bait link OR a value in the bait input is a programmatic DOM-enumeration interaction: a 'click/fill everything' scraper or form-spammer (querySelectorAll().forEach(click/fill)) trips it. AUTOMATION (a real browser driven by a human produces neither event); conservative — fires ONLY on a definitive hit (click event / non-empty value), never on absence, so a passive load never trips it. GROUNDED: a real headful Chromium/Firefox/WebKit navigated normally through the edge (corpus/calibration/headful/) never touches the bait → no fire. Fires in-context via the stealth HONEYPOT=1 evader (the naive interact-with-everything bot). Catalog gap bh.honeypot_interaction.

Signals it reads

browser.honeypot_interacted

How it fires

present

Evaders it caught 1

Bypassed by 10

Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.

← all detections