New CF technique: cvId 2, non-interactive

Question

New CF technique: cvId 2, non-interactive

AltayAkkus opened this issue a year ago · 5 comments

So a lot of issues have been stacking up for the challenge type, and I have looked into it:
https://gist.github.com/AltayAkkus/591dbef9872c9148d6effb06bcc5417b
The html returned has a huge array that stores user-specific options, the website, the time started, a random nonce, how long the delay should be etc.

This is deposited into window._cf_chl_opt and read by the javascript that is imported via the cpo element.
Looking at it, it is randomly generating, reads the clouflare challenge options, and generates a hash which is appended to the URI.
The js changes for different rayIds, so yeah well fuck.

Answer 1 · 2023-12-21T20:42:17.000Z

Hi, I was looking at your repo because I have the same problem as you are mentionning here. I havn't been able to find any solution to resolve this challenge yet. Were you able to work on it ? Do you think that cfscrape could be adapted to bypass this challenge ?

Answer 2 · 2024-01-23T08:19:53.000Z

if you add a whole javascript environment which simulates your browser and passes the checks, yes.

Answer 3 · 2024-01-24T13:06:57.000Z

@AltayAkkus And if you exceed some rate limit and trigger captcha then you will need to use a captcha solver service (which is usually paid)

Answer 4 · 2024-01-24T23:23:30.000Z

yea they have essentially won.

Answer 5 · 2024-06-10T14:08:35.000Z

closing because they won