Cloudflare captcha stuck


braty

Jul 23, 2021, 12:04:49 PM
to OWASP ZAP User Group
For some websites Cloudflare detects OWASP ZAP and I can't even enter the website, it keeps renewing the captcha. I tried chaining another proxy but it did not help. Is there a workaround for this?

Simon Bennetts

Jul 26, 2021, 3:51:08 AM
to OWASP ZAP User Group
I don't know how Cloudflare is detecting ZAP but it might be worth changing the user agent string https://www.zaproxy.org/docs/desktop/ui/dialogs/options/connection/ or trying the latest development version of ZAP. That's got this change in: #6692 which _might_ be how they are doing it.
If that doesn't work try proxying a request from a browser - if that works then compare the requests and try tweaking the ZAP one until it works ... then let us know what you had to do :)

Cheers,

Simon

braty

Jul 26, 2021, 7:48:08 PM
to OWASP ZAP User Group

I changed the user agent string manually and have the latest version of ZAP. Also tried adding an upstream proxy but Cloudflare detects ZAP no matter what. For a simple example, I can't enter https://whatismyipaddress.com/. It is not so much of a big deal since it gets detected by really few sites. For example I tried domains in bug bounty programs and only 2-3 don't let me enter the site because of Cloudflare. Could be nice if there is a workaround though. Or maybe there is but I couldn't manage to do it, I don't know.

Simon Bennetts

Jul 27, 2021, 3:27:59 AM
to OWASP ZAP User Group
I've just tried that IP address with the latest ZAP dev version (which includes the fix I mentioned above) and I'm getting the captcha too :(
There's a bit of info about this on the Cloudflare site but no technical detail https://support.cloudflare.com/hc/en-us/articles/200170136-Understanding-Cloudflare-Captchas-and-Challenge-Passage
As this is intended to block automation I suspect they won't be too keen to go into the full technical details of exactly what they are testing :/

Cheers,

Simon

thc...@gmail.com

Aug 13, 2021, 9:56:51 AM
to zaprox...@googlegroups.com
Hopefully this should be fixed for the next weekly.

Best regards.

On 27/07/2021 08:27, Simon Bennetts wrote:
> I've just tried that IP address with the latest ZAP dev version (which
> includes the fix I mentioned above) and I'm getting the captcha too :(
> There's a bit of info about this on the Cloudflare site but no technical
> detail
> https://support.cloudflare.com/hc/en-us/articles/200170136-Understanding-Cloudflare-Captchas-and-Challenge-Passage
> As this is intended to block automation I suspect they won't be too keen to
> go into the full technical details of exactly what they are testing :/
>
> Cheers,
>
> Simon
>
> On Tuesday, 27 July 2021 at 01:48:08 UTC+2 braty wrote:
>
>>
>> I changed the user agent string manually and have the latest version of ZAP. Also
>> tried adding an upstream proxy but Cloudflare detects ZAP no matter what. For
>> a simple example, I can't enter https://whatismyipaddress.com/. It is not so
>> much of a big deal since it gets detected by really few sites. For
>> example I tried domains in bug bounty programs and only 2-3 don't let me
>> enter the site because of Cloudflare. Could be nice if there is a
>> workaround though. Or maybe there is but I couldn't manage to do it, I don't know.
>> On Monday, July 26, 2021 at 10:51:08 AM UTC+3 psi...@gmail.com wrote:
>>
>>> I don't know how Cloudflare is detecting ZAP but it might be worth
>>> changing the user agent string
>>> https://www.zaproxy.org/docs/desktop/ui/dialogs/options/connection/ or
>>> trying the latest development version of ZAP. That's got this change in:
>>> #6692 <https://github.com/zaproxy/zaproxy/pull/6692> which _might_ be