Captcha bypass tutorials

Was this helpful?

How to bypass Basilisk captcha

Gregory Fisher
Gregory Fisher

Technical engineer

Introduction

Basilisk is a token-based bot protection system that uses cryptographic checks to verify users. Unlike classic captchas with image selection, Basilisk works in the background and returns a token that needs to be passed to the target website. When automating, it is important not only to get the token but also to correctly synchronize the environment (in particular, the User-Agent) with the one used when generating the solution.

In this guide, we will break down how to automate bypassing Basilisk using the 2Captcha API.

How to Find the Parameters for Solving

To submit a task for solving, you need to extract critical parameters from the page or network requests.

You will need the following values:

  • websiteURL — the full address of the page where the captcha is loaded. Make sure you specify the exact URL visible in the browser address bar.
  • websiteKey — the unique key of the captcha.

How to find them in practice:

Method 1: Through HTML code

  1. Open Developer Tools (F12) and go to the Elements tab.
  2. Find the captcha container with the data-sitekey attribute.
  3. Copy the value of the data-sitekey attribute — this is your websiteKey.

Method 2: Through network requests

  1. Open the Network tab in developer tools.
  2. Filter requests by keywords site_key or basilisk.
  3. Find the POST request to https://basiliskcaptcha.com/challenge/check-site.
  4. In the request payload, find the site_key field — this is your websiteKey.

API Parameters

The 2Captcha API supports two task types for Basilisk: using our internal proxies (BasiliskTaskProxyless) and using your own proxies (BasiliskTask). All parameters that need to be passed when creating a task are presented in the table below:

Parameter Required Description
type Yes Task type. Specify BasiliskTaskProxyless or BasiliskTask
websiteURL Yes Full URL of the target web page
websiteKey Yes Unique captcha key obtained from the data-sitekey attribute or POST request
proxyType No Proxy type (http, socks4, socks5). Required for BasiliskTask type
proxyAddress No IP address or hostname of the proxy server
proxyPort No Proxy server port
proxyLogin No Login for proxy server authentication
proxyPassword No Password for proxy server authentication
userAgent No Browser User-Agent. It is recommended to pass the same one used in your script

JSON Request Examples

A request to create a task (Proxyless):

json Copy
{
    "clientKey": "YOUR_API_KEY",
    "task": {
        "type": "BasiliskTaskProxyless",
        "websiteURL": "https://example.com/page-with-basilisk",
        "websiteKey": "b7890hre5cf2544b2759c19fb2600897"
    }
}

A request using your own proxies:

json Copy
{
    "clientKey": "YOUR_API_KEY",
    "task": {
        "type": "BasiliskTask",
        "websiteURL": "https://example.com/page-with-basilisk",
        "websiteKey": "b7890hre5cf2544b2759c19fb2600897",
        "proxyType": "http",
        "proxyAddress": "1.2.3.4",
        "proxyPort": 8080,
        "proxyLogin": "user23",
        "proxyPassword": "p4$w0rd"
    }
}

A request to get the result is standard:

json Copy
{
    "clientKey": "YOUR_API_KEY",
    "taskId": "TASK_ID_FROM_CREATE_TASK"
}

A successful response from the API will contain the token (captcha_response) and headers, including the User-Agent that was used during solving:

json Copy
{
    "errorId": 0,
    "status": "ready",
    "solution": {
        "captcha_response": "5620301f30daf284b829fba66fa9b3d0",
        "headers": {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36"
        }
    },
    "cost": "0.00299",
    "createTime": 1692863536,
    "endTime": 1692863556
}

Step-by-Step Implementation in Python

Getting the Solution and Preparing the Environment

The most important stage when working with Basilisk is correctly handling the response from the API. You need to extract the captcha_response to pass to the site and necessarily apply the User-Agent from the response headers.

python Copy
import requests
from twocaptcha import TwoCaptcha

API_KEY = "YOUR_API_KEY"

solver = TwoCaptcha(API_KEY)

try:
    result = solver.basilisk(
        website_key='b7890hre5cf2544b2759c19fb2600897',
        url='https://example.com/page-with-basilisk'
    )
    
    # Extract the captcha response and User-Agent from the solution
    captcha_response = result['captcha_response']
    required_user_agent = result['headers']['User-Agent']
    
    print(f"Token received: {captcha_response}")
    print(f"Required User-Agent: {required_user_agent}")
    
except Exception as e:
    print(f"Error solving: {e}")

Injecting the Solution into the Target Website

After you receive the response, you need to correctly pass it to the target website. There are two critical rules here.

1. Passing the captcha_response

The captcha_response value needs to be passed to the target website as the Basilisk response. Depending on how the widget is integrated on the page, this is done in one of two ways:

Through a hidden field (if a form is used):

python Copy
# Find the hidden field and insert the token
driver.execute_script(f"""
    let tokenInput = document.querySelector('input[name="captcha_response"]'); // The field name may vary
    if (tokenInput) {{
        tokenInput.value = '{captcha_response}';
    }}
""")

Through a POST request (if you send data directly via requests):

python Copy
payload = {
    'username': 'my_user',
    'password': 'my_password',
    'captcha_response': captcha_response # Pass the token in the request body
}

2. Synchronizing the User-Agent

If the solution from the API includes headers.User-Agent, you must use exactly the same User-Agent in the final request to the site. Basilisk ties the cryptographic proof to a specific User-Agent. If you submit the form with a different User-Agent, the server will notice and reject the token.

python Copy
# Create a session and set the User-Agent from the API response
session = requests.Session()
session.headers.update({
    'User-Agent': required_user_agent,
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
})

# Send the final request with the token and the correct User-Agent
response = session.post('https://example.com/login', data=payload)
print("Response status:", response.status_code)

If you are using Selenium or Playwright, you will need to restart the browser or update the profile with the User-Agent that came in the API response before submitting the form.

Important Nuances and Best Practices

Basilisk is highly sensitive to network fingerprints. If you solve the captcha from one IP address and submit the form from another, the protection will instantly notice.

Always use high-quality residential proxies if the target website strictly checks IP addresses. To do this, use the BasiliskTask type and pass the proxy parameters directly to the API. The proxy used for solving and the proxy used for the final request must be identical.

Do not delay submitting the form. Basilisk tokens have a limited lifespan. As soon as you receive the captcha_response, immediately inject it and submit the form using the correct User-Agent.

Solution Accuracy Reports

If the website rejects the received token, be sure to report it. This helps the service improve its algorithms and refunds your funds for the failed attempt. You can submit a report through the dashboard or directly via the API.

Sending Reports via HTTP Requests

The 2Captcha API provides two endpoints for submitting reports.

Report for an incorrect solution (reportIncorrect)

Used when the website rejects the token. Funds for the task will be refunded to your balance.

JSON request:

json Copy
{
    "clientKey": "YOUR_API_KEY",
    "taskId": "TASK_ID_FROM_CREATE_TASK"
}

Report for a correct solution (reportCorrect)

Used when the website accepts the token without errors. This helps the service maintain high recognition quality.

JSON request:

json Copy
{
    "clientKey": "YOUR_API_KEY",
    "taskId": "TASK_ID_FROM_CREATE_TASK"
}

Troubleshooting Common Issues

If the API returns an ERROR_CAPTCHA_UNSOLVABLE error, you most likely copied the websiteKey incorrectly or specified the wrong page URL. Check the source code again.

If the site accepts the token but then still blocks you or asks you to pass the captcha again, the problem is almost certainly the User-Agent or IP address. Make sure you are using the exact User-Agent that came in the headers.User-Agent field of the API response, and that the final request goes through the same proxy as the solution.

Conclusion

Bypassing Basilisk via 2Captcha requires attention to environment details. The process boils down to extracting the websiteKey from the data-sitekey attribute or network request, sending them to the API, receiving the captcha_response, and necessarily applying the User-Agent from the response for the final request. The main thing to remember is the strict binding of the token to the User-Agent: environment synchronization is the key to successfully passing the protection.