🔒 BehaviorCaptcha Security Test Suite

Test all security features and bypass attempts

✅ Test 1: Normal CAPTCHA Flow Not Run

Test basic CAPTCHA functionality with token generation

🚨 Test 2: Button Bypass Attack Not Run

Try to bypass CAPTCHA by enabling button manually

// Attack code:
document.getElementById('submitBtn').disabled = false;

// Expected: 🚨 Detected and blocked
// Button should be re-disabled automatically

🔐 Test 3: Token System Not Run

Check if verification token is generated and stored

🗄️ Test 4: Storage Tampering Not Run

Try to manipulate localStorage to reset bot attempts

📞 Test 5: onComplete Callback Not Run

Verify that onComplete receives correct data structure

// Expected callback data:
{
  success: true,
  token: "eyJzY29yZSI6ODU...",
  humanScore: 85,
  digits: [1, 2, 3, 4],
  metrics: { mouseMovements: 45, ... },
  fingerprint: { canvas: "a3f2...", webgl: "..." }
}

🛡️ Test 6: Anti-Tampering Protection Not Run

Test MutationObserver detection of unauthorized changes

⏱️ Test 7: Token Expiration Not Run

Test if tokens expire after 1 minute (simulated)

🍯 Test 8: Honeypot Detection Not Run

Test invisible honeypot trap for bot detection

// Honeypot Strategy:
1. Invisible field auto-focuses (bot doesn't see it)
2. Bot fills focused field → 🚨 INSTANT DETECTION
3. Human uses mouse → clicks real input → ✅ +5 bonus

// How it works:
- Field is invisible (opacity:0 or position:-9999px)
- Auto-focuses after 100ms
- Bots fill it without knowing
- Humans never see it, use mouse instead

📊 Live Console Monitor

Real-time console output

Console messages will appear here...