Bot Arena
Selector resistance · Level 2 View on report ↗

Dynamic selectors

Real form, but every identifier rerolls on each request.

What's measured on this page
- The form is a real HTML form with real <input> elements — but every id, name, and class is randomised on every page request. - There are no <label> elements (and no aria-label, no placeholder) — the "Email" and "Password" text are plain <div>s that the input has no programmatic link to. - Playwright's accessibility-based locators (getByLabel, getByRole('textbox', { name }), getByPlaceholder) all return empty. - A test could fall back to brittle structural selectors (input:nth-of-type(1)) — until the form reorders or grows. - An image-aware automation tool reads "Email" off the screen and clicks the input box right under it. The DOM mess is invisible to it.

Sign in

Demo target — credentials are not checked.

Email
Password

Refresh the page. Every id, name, and class on the form is different. There are no <label> elements at all — just <div>s.

Production apps using this technique

  • Material UI (MUI), Chakra UI, Mantine CSS-in-JS frameworks generate hashed class names like css-1abc23 on every build. Selectors written against those classes break with every release.
    Market MUI ~22% of React UI libraries (largest) Users MUI ~5M weekly npm downloads; Mantine 300K+; Chakra 500K+
  • styled-components, emotion Every styled element ships a generated hash class. Many production React apps (Stripe Dashboard, Notion, Vercel, GitHub Primer-styled surfaces) ride on these.
    Market ~30% of React styling solutions combined Users emotion ~16M + styled-components ~7M weekly npm downloads
  • Vue scoped CSS, Angular emulated encapsulation Vue injects a per-component data-v-XXXXXXX hash; Angular adds _ngcontent-c123 attributes. Hashes change between builds.
    Market Vue ~17%, Angular ~17% of frontend framework market Users ~4M Vue devs + ~2M Angular devs (StackOverflow 2024)
  • Salesforce Lightning / ServiceNow Both generate per-instance IDs (lightning-id-…, sn-id-…) and rotate them across releases. Cross-tenant test recordings always break.
    Market Salesforce ~20% CRM; ServiceNow ~45% ITSM Users Salesforce 150K+ orgs / 300M+ end users; ServiceNow 8K+ enterprise / ~85% of Fortune 500
  • ASP.NET WebForms Postback IDs like __ctl00$ContentPlaceHolder1$gv$ctl05 change as soon as the page tree is edited in Visual Studio. Still in heavy use across enterprise back-office portals.
    Market ~3% of all websites (BuiltWith); large legacy install base Users Tens of thousands of enterprise back-office and government portals
  • Anti-bot WAFs (Cloudflare Bot Management, Akamai Bot Manager, DataDome, HUMAN/PerimeterX) Edge workers inject per-session attribute randomisation in front of any site — used heavily by airlines, ticketing platforms, and high-value retail.
    Market Cloudflare fronts ~20% of all websites; Akamai ~25–30% of enterprise WAF Users HUMAN protects $5T+ annual transactions; DataDome ~10K customers
  • Banking & ticketing login flows Many banks rotate input name= attributes every session to defeat credential stuffing. Ticketmaster / Live Nation are famous for rotating selectors during high-demand sales.
    Market Ticketmaster ~70% of US primary ticketing Users Ticketmaster ~230M tickets/year; major retail banks reach hundreds of millions of customers

Figures are approximate / company-disclosed (~2024–2025). Sources: company filings, industry reports (Gartner, IDC, BuiltWith, npm stats), and public DAU disclosures.