Logo of «2Captcha»
Captcha bypass tutorials

How to bypass Cloudflare captcha

How to bypass Cloudflare captcha

Introduction

Cloudflare CAPTCHA is a popular protection mechanism designed to safeguard websites from bots. Cloudflare Turnstile can be used in conjunction with other technologies, such as Cloudflare WAF (Web Application Firewall), which filters suspicious traffic at the request level, providing an additional layer of security. While effective, it can pose challenges for developers working on automation or bots that need to interact with such protected websites. This article offers a clear and concise guide to bypassing Cloudflare CAPTCHA using the captcha solver API of a Cloudflare captcha solver. Regardless of your skill level, this guide will simplify the process.

There are two types of Cloudflare CAPTCHA that require different approaches:

  • Cloudflare Captcha - the CAPTCHA widget is placed on the website page, see our Turnstile demo page
  • Cloudflare Challenge page - the CAPTCHA is displayed on the Cloudflare verification page. When encountering this type of CAPTCHA, it blocks interaction with the site until you solve it. Cloudflare Challenge page demo

This article describes the solution for Cloudflare Captcha.

The bypass for Cloudflare Challenge page is described in the articles:

After reading this article, you will learn:

  • Why solving CAPTCHAs is important for certain cases.
  • How to use API v2 from 2Captcha to bypass Cloudflare Turnstile CAPTCHA.
  • Practical steps and code examples to implement this solution.

What is Cloudflare's Turnstile CAPTCHA?

Cloudflare's Turnstile CAPTCHA is a modern verification solution designed to identify bots. Unlike traditional CAPTCHAs, it often works in the background but can still create issues when using automation tools.

Key features of Turnstile CAPTCHA:

  • Lightweight and privacy-focused.
  • Effective in preventing automated access.
  • Frequently used on modern websites.

Why bypass Cloudflare Turnstile CAPTCHA?

Developers and others may encounter the need to bypass CAPTCHAs for the following reasons:

  • Automating routine tasks.
  • Data collection or analysis.
  • Testing web applications.

Quick start

2Captcha is a service where CAPTCHAs are solved by a team of workers. Using the 2Captcha service allows you to automate the solution of Cloudflare Turnstile CAPTCHA. The 2Captcha service provides a convenient API v2 for integration into your applications or code.

Prerequisites

  1. An account on captcha solver
  2. An API key from your 2Captcha account settings.
  3. Basic programming knowledge (e.g., Python, JavaScript, Go, or other languages).
    If you don't have programming knowledge, we recommend using our 2captcha-solver extension. More details on using the extension can be found on the captcha-bypass-extension page.

Understanding the API

API v2 from 2Captcha simplifies the process of solving CAPTCHAs through structured endpoints. The interaction algorithm with the API can be divided into two stages:

  1. Sending CAPTCHA data: Submit the site key using the websiteKey parameter and the URL of the page protected by the CAPTCHA using the websiteURL parameter to the API.
  2. Getting the solution: Wait for the CAPTCHA to be solved and receive a token (solution).

API Endpoints (v2)

  • Requesting CAPTCHA solution:
    • API Endpoint: https://api.2captcha.com/createTask
    • Documentation: https://2captcha.com/api-docs/create-task
  • Getting the solution:
    • API Endpoint: https://api.2captcha.com/getTaskResult
    • Documentation: https://2captcha.com/api-docs/get-task-result

For details, refer to the API v2 documentation.

Cloudflare Solving Process Algorithm:

  1. Create a 2Captcha account
  2. Send CAPTCHA to the API: Submit the identified Cloudflare Turnstile CAPTCHA parameters to the API.
  3. Get the solution from the API: Use the task ID to get the CAPTCHA response.
  4. Apply the obtained solution: Apply the received response on the page.

Below, we will break down each step in detail.

Step 1: Create API key

Registration and Account Funding:

  1. Create an account on 2Captcha.
  2. Fund your account balance, as solving CAPTCHAs is a paid service.

Getting the API Key:

  1. Log in to your account.
  2. Copy the API key, which will be used for authentication. The API key is located on the Dashboard or the settings page.

Example of an API key: 1abc234de56fab7c89012d34e56fa7b8

Screenshot - get your API key:
apikey example

Step 2: Send CAPTCHA to the API

To send the CAPTCHA to API v2, you first need to identify the parameters of your CAPTCHA and then send a request to API v2 with the identified parameters.

2Captcha provides a demo page to test solutions for Cloudflare's Turnstile CAPTCHA. You can use it to verify your implementation before deploying in real conditions.

Identifying CAPTCHA Parameters

Identify the required parameters for sending the request:

  1. Identify the CAPTCHA sitekey:
    • Open the web page where the Cloudflare Turnstile CAPTCHA is displayed.
    • Use the browser's developer tools (e.g., the "Elements" or "Network" tab).
    • Find the HTML element associated with the CAPTCHA. It is usually a <div> tag with the data-sitekey attribute. Copy the value of the data-sitekey attribute — this is the sitekey.
    • This parameter is specified in the request as websiteKey.
      Example: "websiteKey":"3x00000000000000000000FF",
  2. Identify the pageurl:
    • Specify the URL of the page where the CAPTCHA is displayed. This parameter is specified in the request as websiteURL.
      Example: "websiteURL":"https://2captcha.com/demo/cloudflare-turnstile",

Once all parameters are identified, proceed to form the JSON required for submission with the task type TurnstileTaskProxyless. Insert your API key obtained in step 1 into the field clientKey.

TurnstileTaskProxyless is the task type for bypassing Cloudflare Turnstile CAPTCHA without using a proxy. If you need to use a proxy, use the task type TurnstileTask. Documentation for both task types is described on the cloudflare-turnstile page.

Form the JSON using the obtained data according to the documentation:

{
    "clientKey":"1abc234de56fab7c89012d34e56fa7b8",
    "task": {
        "type":"TurnstileTaskProxyless",
        "websiteURL":"https://2captcha.com/demo/cloudflare-turnstile",
        "websiteKey":"3x00000000000000000000FF"
    }
}

Send the Formed JSON to the API

Example Request

API Endpoint: https://api.2captcha.com/getTaskResult
Method: POST
Content-Type: application/json

{
    "clientKey":"1abc234de56fab7c89012d34e56fa7b8",
    "task": {
        "type":"TurnstileTaskProxyless",
        "websiteURL":"https://2captcha.com/demo/cloudflare-turnstile",
        "websiteKey":"3x00000000000000000000FF"
    }
}

Example Response

{
  "errorId": 0,
  "taskId": "123456789"
}

In the next step, use the obtained taskId value to get the CAPTCHA solution.

Step 3: Get the Solution from the API

Use the API endpoint https://api.2captcha.com/getTaskResult to get the CAPTCHA solution. Pass the taskId from the previous step in the request to get the solution.

Example Request

API Endpoint: https://api.2captcha.com/getTaskResult
Method: POST
Content-Type: application/json

{
  "clientKey": "1abc234de56fab7c89012d34e56fa7b8",
  "taskId": "123456789"
}

Solving the CAPTCHA takes some time, usually from 3 to 15 seconds, depending on the service load and the number of available workers.

At this stage, we check whether the Cloudflare Turnstile CAPTCHA has been solved. To do this, you need to send the getTaskResult request with the value taskId at intervals of about 3-5 seconds.

Depending on the CAPTCHA status, you may receive one of three types of responses: processing, ready, or ERROR_CAPTCHA_UNSOLVABLE. Below is a more detailed description of each status.

Example Responses

Example Response processing (in process):

This status indicates that the CAPTCHA has not yet been solved. You need to pause and then repeat the request.

Example response with processing status:

{
    "errorId": 0,
    "status": "processing"
}

Example Response ready (solution ready):

Your CAPTCHA has been successfully solved. The response contains a solution object, including two values: token and userAgent. The value token represents the CAPTCHA solution and should be used later. The value of userAgent contains User-Agent used when solving the captcha. Detailed information on applying the CAPTCHA solution is provided in the next step.

{
    "errorId": 0,
    "status": "ready",
    "solution": {
        "token": "0.zrSnRHO7h0HwSjSCU8oyzbjEtD8p.d62306d4ee00c77dda697f959ebbd7bd97",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    },
    "cost": "0.00145",
    "ip": "1.2.3.4",
    "createTime": 1692863536,
    "endTime": 1692863556,
    "solveCount": 1
}

After receiving a response with the ready status, you can proceed to the next step.

Example Response ERROR_CAPTCHA_UNSOLVABLE (CAPTCHA unsolvable)

Your CAPTCHA cannot be solved. This can happen for various reasons, such as the worker being unable to solve your CAPTCHA. When you receive this status, you should resend a new task to solve the CAPTCHA.

Usually, the ERROR_CAPTCHA_UNSOLVABLE status does not cause problems, as the percentage of such cases is small.

If all your CAPTCHAs are unsolved, and you receive the ERROR_CAPTCHA_UNSOLVABLE status for each of them, this may indicate an error on your part. This means that the CAPTCHA with the parameters you specified cannot be solved. In this case, you need to check the correctness of all the parameters.

Example response with status ERROR_CAPTCHA_UNSOLVABLE:

{
    "errorId": 12,
    "errorCode": "ERROR_CAPTCHA_UNSOLVABLE",
    "errorDescription": "Workers could not solve the Captcha"
}

Step 4: Apply the Obtained Solution (Use the Token)

Use the token obtained from the API to interact with the target website.

Usually, the token is submitted through an input field with the attribute name="cf-turnstile-response", and if reCAPTCHA compatibility mode is enabled, the field with the attribute name="g-recaptcha-response" may also be used.
Additionally, the token can be processed using a callback function specified in the turnstile.render call or through the data-callback attribute.

On the demo page, an input field is used, which can be modified as follows():

document.querySelector('[name="cf-turnstile-response"]').value = 'TOKEN';

Sometimes the using of the token can be customized, in such cases, you need to find out how to correctly use the token.

To determine how to apply the token on the page, you can start with the following steps:

  1. Analyze network requests:
    Use the browser's developer tools (e.g., the "Network" tab in Chrome DevTools) to track the requests sent after solving the CAPTCHA. This will help determine where the token is used.
  2. Analyze JavaScript code:
    Look for scripts on the page related to the CAPTCHA. Tokens are often inserted into the form before submission or included in HTTP request headers. Study the code to understand the mechanism.
  3. Check page elements:
    Check HTML elements, such as hidden form fields (<input type="hidden">), where the token may be stored. The token is often added to these fields after the CAPTCHA is successfully solved.
  4. Refer to documentation:
    Study the official CAPTCHA documentation, which usually contains details on implementing and using the token on the server side.
  5. Test the token:
    Copy the token and manually submit a request to ensure it works correctly. This will help confirm how the server processes the provided token.

Best Practices and Recommendations

  1. Adhere to website terms of use: Ensure you are not violating any legal agreements.
  2. Optimize API requests: Avoid unnecessary requests to reduce the load on the 2Captcha API.
  3. Error handling: Implement robust error handling for production environments.
  4. Protect your API key: Never publish your API key in public repositories.
  5. Use official libraries: For interacting with the 2Captcha API, official libraries are available. List of official libraries: python | javascript | go | ruby | php | java | csharp | c++

How to Avoid Cloudflare's Turnstile CAPTCHA

To reduce the likelihood of encountering Cloudflare's Turnstile CAPTCHA, it is recommended to follow these guidelines:

  1. Avoid excessive requests:
    Do not send requests too frequently or in large volumes. Cloudflare monitors unusual spikes in activity and may flag them as suspicious. Use intervals between requests to make them appear more natural.

  2. Use proper HTTP headers:
    Ensure your requests include correct and plausible headers, such as User-Agent, which should mimic standard browsers. Additionally, include necessary headers like Accept, Accept-Language, and Referer to make the traffic appear legitimate.

  3. Utilize proxies or IP rotation:
    Frequent requests from a single IP address may be flagged as suspicious. Use proxy services or IP rotation to distribute requests. Avoid IP addresses associated with data centers or known VPNs, as they are more likely to be blacklisted. Residential or mobile IP addresses, such as residential proxies, are recommended.

  4. Emulate user behavior:
    Add human-like interaction patterns to your requests, such as delays, page navigation, or scrolling actions. This helps make your activity appear more natural and less automated.

  5. Work with cookies and sessions:
    Save and reuse session cookies to avoid creating unnecessary new sessions. Cloudflare often tracks session consistency, so maintaining a steady session can help reduce CAPTCHA triggers.

By implementing these recommendations, you can minimize the chances of being blocked or encountering Cloudflare's Turnstile CAPTCHA.

Conclusion

Bypassing Cloudflare's Turnstile CAPTCHA becomes simple using API v2 from 2Captcha. This guide provided an overview of the process — from submitting the CAPTCHA to receiving the solution, with practical examples to get started.

If you have any questions or comments, feel free to share them. For more complex use cases or troubleshooting, refer to the official Cloudflare Turnstile documentation.