问题
We all know, sometimes cloudflare like to check their client visitor to make sure that the visitor isn't a real human. The security check require us to pass Google Recaptcha. What i want to ask is it possible to pass that in using our own server (Even with remote server and answer the captcha by ourself etc) and how?
回答1:
Of course it's possible in several ways. One of that would be using a "real simulated browser" which parses the javascript.
Another way is - if you run it on a headless server - to use a headless browser which does that for you. After the first request you can store the cookies and reuse it in a basic http client like jsoup (java).
Example using JBrowserDriver (headless) and java:
JBrowserDriver jBrowserDriver = null;
public JBrowserDriver getDriver(Boolean headless) {
if (jBrowserDriver == null) {
log.info("JBrowser was null, initalizing");
jBrowserDriver = new JBrowserDriver(Settings.builder()
.timezone(Timezone.EUROPE_BERLIN)
.ssl("compatible")
.cache(true)
.javascript(true)
.headless(headless)
.userAgent(UserAgent.CHROME)
.logTrace(true)
.loggerLevel(Level.ALL)
.build());
}
return jBrowserDriver;
}
private void testFunction() {
// ..
jDriver.get("https://cloudflare.site");
driverCookies = jDriver.manage().getCookies();
HashMap<String, String> cookieMap = new HashMap<>();
driverCookies.forEach(cookie -> cookieMap.put(cookie.getName(), cookie.getValue()));
Document document = Jsoup.connect(requestPage).cookies(cookieMap).get();
}
I am not responsible for any damage done by bypassing cloud flare, but aslong as human can bypass it, it will always be possible to do that with simulated clients.
Edit: If there is also a recaptcha behind, it might be hard to bypass that. But usually this happen if you are not logged in to a google account, or the server believe that you are a bot. Just reuse the cookies generated by a google auth and make sure that you always reuse and send the same cookies.
Cloudflare also checks -not sure about that- if your client is requesting the assets like css and javascripts.
You might need to request them aswell with a fake-client.
回答2:
When you visit a site which is protected by cloudflare, it would contain a security check which you cannot bypass and on failing eventually your access is denied and you are redirected to the captcha challenge page due to the requests from low reputation IP addresses.
IP Reputation is calculated based on Project Honeypot, external public IP information, as well as internal threat intelligence from the Web Application Firewall and DDoS.
Solution
In these cases the a potential solution would be to use the undetected-chromedriver to initialize the Chrome Browsing Context.
undetected-chromedriver is an optimized Selenium Chromedriver patch which does not trigger anti-bot services like Distill Network / Imperva / DataDome / Botprotect.io. It automatically downloads the driver binary and patches it.
Python Sample Code:
import undetected_chromedriver as uc from selenium import webdriver options = webdriver.ChromeOptions() options.add_argument("start-maximized") driver = uc.Chrome(options=options) driver.get('https://bet365.com')
Alternative
An alternate solution would be to whitelist your IP address through the Project Honey Pot website using the following steps:
- You have to edit the Page Rule which trigger certain actions whenever a request matches one of the URL patterns you define following two basic principals:
- Only the highest priority matching page rule takes effect on a request.
- Page rules are prioritized in descending order in the Cloudflare dashboard, with the highest priority rule at the top.
- Disabling the Under Attack mode(advanced DDOS protection) in the Settings tab of the Firewall app or via a Page Rule, Security Level presents a JS challenge page.
tl; dr
You can find the detailed end-to-end process in the video tittled Attention Required one more step captcha CloudFlare Error.
回答3:
For yourself, yes you can.
You can create a custom rule for your IP addresses and set the Security Level to Essentially Off.
The Security Level is what controls whether or not to present the challenge to a particular visitor.
By disabling the security level for your IP addresses you can effectively bypass this protection for yourself on your own site.
来源:https://stackoverflow.com/questions/50328849/is-there-any-possible-ways-to-bypass-cloudflare-security-checks