Was this helpful?
How to bypass Imperva (Incapsula) captcha
Technical engineer
Introduction
Imperva (also known as Incapsula) is a powerful Web Application Firewall (WAF) solution used to protect websites from bots, DDoS attacks, and automated scraping. Unlike classic captchas with widgets, Imperva often works invisibly by analyzing network fingerprints or blocks access at the network level by returning a page with a JavaScript challenge.
For automation, this means we don't just need to get a token; we need to successfully pass the network challenge and obtain specific protection cookies that are tied to an IP address. In this guide, we will break down how to automate bypassing Imperva using the 2Captcha API.
How to Find the Parameters for Solving
Since Imperva is a WAF, you need to extract several critical parameters from the page and network requests.
How to find them in practice:
- Open Developer Tools (F12) and go to the Network tab.
- Refresh the page and look at the Response Headers. If you see the X-CDN: Incapsula or X-Iinfo header, the site uses Imperva.
- Go to the Application (or Storage) -> Cookies tab. If you see cookies starting with incap or visid_incap_, this confirms the use of Incapsula.
- Copy the full page URL from the address bar. This will be your websiteURL.
- Find the script tag loading the Incapsula script in the page source code (Elements or Sources tab). Usually, it's a URL like https://example.com/_Incapsula_Resource?SCRIPT_NAME=.... This will be your incapsulaScriptUrl.
- Copy all Incapsula-related cookies (usually incap_Session, visid_incap_, incap_ses_, etc.). This will be your incapsulaCookies.
- If the site uses additional Reese84 protection, find the URL related to Reese84 in network requests (usually contains the word reese84). This will be your reese84UrlEndpoint.
The main rule for Imperva: the protection strictly ties the issued cookies to the IP address from which the request was made. Therefore, using a proxy is not just a recommendation, but a mandatory requirement.
API Parameters
The 2Captcha API uses the ImpervaTask task type. Since the protection is tied to the IP, passing proxy parameters is mandatory. All parameters are presented in the table below:
| Parameter | Required | Description |
|---|---|---|
| type | Yes | Task type. Always specify ImpervaTask |
| websiteURL | Yes | Full URL of the target web page protected by the WAF |
| userAgent | Yes | Browser User-Agent used to open the page. Must match the one used in your script |
| incapsulaScriptUrl | Yes | URL of the Incapsula script loaded on the page. Usually contains _Incapsula_Resource. Can be found in the page source code or the Network tab |
| incapsulaCookies | Yes | All Incapsula cookies received during the initial request to the page. String format name=value; name2=value2. Usually includes incap_Session, visid_incap_, incap_ses_, etc. |
| reese84UrlEndpoint | No | Reese84 endpoint URL if the site uses this additional protection type |
| proxyType | Yes | Proxy type (http, socks4, socks5) |
| proxyAddress | Yes | IP address or hostname of the proxy server |
| proxyPort | Yes | Proxy server port |
| proxyLogin | No | Login for proxy server authentication |
| proxyPassword | No | Password for proxy server authentication |
JSON Request Examples
A request to create a task looks like this:
json
{
"clientKey": "YOUR_API_KEY",
"task": {
"type": "ImpervaTask",
"websiteURL": "https://example.com/protected-page",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"incapsulaScriptUrl": "https://example.com/_Incapsula_Resource?SCRIPT_NAME=Incapsula_js.js",
"incapsulaCookies": "_incap_Session_abc123=xyz789; visid_incap_def456=uvw012; incap_ses_ghi789=rst345",
"reese84UrlEndpoint": "https://example.com/reese84/endpoint",
"proxyType": "http",
"proxyAddress": "1.2.3.4",
"proxyPort": 8080,
"proxyLogin": "user23",
"proxyPassword": "p4$w0rd"
}
}
A request to get the result is standard:
json
{
"clientKey": "YOUR_API_KEY",
"taskId": "TASK_ID_FROM_CREATE_TASK"
}
A successful response from the API will contain the cookies necessary to bypass the protection:
json
{
"errorId": 0,
"status": "ready",
"solution": {
"cookies": "_incap_Session_...=...; visid_incap_...=...; incap_ses_...=..."
},
"cost": "0.00299",
"createTime": 1692863536,
"endTime": 1692863556
}
Manual implementation via requests
If you want to control the process manually or are not using the SDK, you can send requests directly:
python
import requests
import time
API_KEY = "YOUR_API_KEY"
API_HOST = "api.2captcha.com"
# Create a task
create_payload = {
"clientKey": API_KEY,
"task": {
"type": "ImpervaTask",
"websiteURL": "https://example.com/protected-page",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
"incapsulaScriptUrl": "https://example.com/_Incapsula_Resource?SCRIPT_NAME=Incapsula_js.js",
"incapsulaCookies": "_incap_Session_abc123=xyz789; visid_incap_def456=uvw012",
"proxyType": "http",
"proxyAddress": "1.2.3.4",
"proxyPort": 8080,
"proxyLogin": "user23",
"proxyPassword": "p4$w0rd"
}
}
response = requests.post(f"https://api.2captcha.com/createTask", json=create_payload)
task_id = response.json()["taskId"]
print(f"Task created: {task_id}")
# Wait for the result
while True:
time.sleep(3)
result_payload = {
"clientKey": API_KEY,
"taskId": task_id
}
response = requests.post(f"https://api.2captcha.com/getTaskResult", json=result_payload)
result = response.json()
if result.get("status") == "ready":
cookies = result["solution"]["cookies"]
print(f"Cookies received: {cookies}")
break
elif result.get("errorId") != 0:
raise Exception(f"API error: {result.get('errorDescription')}")
Injecting the Solution into the Target Website
After you get the cookies string from the API response, you need to inject them into your session. Imperva doesn't use hidden input fields for tokens like regular captchas do. Instead, it checks for the presence of specific cookies in the headers of your HTTP requests.
If you are using the requests library, simply add the received cookies to the session:
python
import requests
# Create a session
session = requests.Session()
# Set the User-Agent (must be the exact same one passed to the API)
session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
})
# Parse the cookies string from the API response and add them to the session
cookies_string = "_incap_Session_...=...; visid_incap_...=..."
for cookie in cookies_string.split(';'):
if '=' in cookie:
name, value = cookie.strip().split('=', 1)
session.cookies.set(name, value)
# Set up the proxy (must be the exact same one!)
proxies = {
'http': 'http://user23:p4$w0rd@1.2.3.4:8080',
'https': 'http://user23:p4$w0rd@1.2.3.4:8080'
}
# Send a request to the protected page
response = session.get('https://example.com/protected-page', proxies=proxies)
print("Response status:", response.status_code)
If you are using Selenium or Playwright, you will need to add these cookies to the browser profile before navigating to the protected page, using the driver.add_cookie() methods or browser context.
Important Nuances and Best Practices
Imperva is incredibly sensitive to IP addresses and network fingerprints. If you solve the challenge from one IP address and send the final request from another, the protection will instantly notice and block access, as the incap cookies will be tied to a different IP.
Always use the same residential proxies at all stages: when passing parameters to the API and when making the final request to the site. Datacenter proxies are often blocked by Imperva at the challenge issuance stage, so it is highly recommended to use high-quality residential IPs.
Synchronize the User-Agent. Pass the same User-Agent in the API task parameters that you use in your HTTP client or browser.
Be sure to pass incapsulaScriptUrl and incapsulaCookies. These parameters are critical for successfully passing the protection, as the service uses them to emulate a real browser session. Without them, the solution might fail.
If the site uses Reese84 protection, be sure to pass reese84UrlEndpoint. Without this parameter, the solution might fail.
Do not delay using the cookies. Imperva sessions have a limited lifespan. As soon as you receive the solution, immediately use the cookies to access the site.
Solution Accuracy Reports
If the site rejects the solution and returns the blocking page again, be sure to report it. This helps the service improve its algorithms and refunds your funds for the failed attempt. You can submit a report via the dashboard or directly via the API.
Sending Reports via HTTP Requests
The 2Captcha API provides two endpoints for submitting reports:
- https://api.2captcha.com/reportIncorrect — for incorrect solutions
- https://api.2captcha.com/reportCorrect — for correct solutions
Report for an incorrect solution (reportIncorrect)
Used when the site rejects the cookies or returns the blocking page again. Funds for the task will be refunded to your balance.
JSON request:
json
{
"clientKey": "YOUR_API_KEY",
"taskId": "TASK_ID_FROM_CREATE_TASK"
}
Report for a correct solution (reportCorrect)
Used when the site accepts the cookies without errors and you gain access to the protected content. This helps the service maintain high recognition quality.
JSON request:
json
{
"clientKey": "YOUR_API_KEY",
"taskId": "TASK_ID_FROM_CREATE_TASK"
}
Troubleshooting Common Issues
If the API returns an ERROR_CAPTCHA_UNSOLVABLE error, the proxy you are using is most likely already on the Imperva blacklist, or the datacenter IP is being blocked at the network level. Try using a different residential proxy.
If the site accepts the cookies but then still blocks you when navigating links within the site, check that you are using the same IP for all requests. Imperva may require passing the challenge again when changing IPs or drastically changing network fingerprints.
If you are using Selenium and see an infinite page reload, make sure you correctly injected the cookies before the browser started loading the protected domain, and that the proxy is configured at the browser level itself.
If the site uses Reese84 and you didn't pass reese84UrlEndpoint, the protection might not let you through even with the correct Incapsula cookies. Be sure to check for this additional protection.
If you get an error about invalid parameters, make sure incapsulaScriptUrl and incapsulaCookies are passed correctly. These parameters are mandatory and must be extracted immediately before submitting the task.
Useful Links
- Imperva API Documentation: https://2captcha.com/api-docs/imperva-incapsula
- Submit incorrect solution report: https://api.2captcha.com/reportIncorrect
- Submit correct solution report: https://api.2captcha.com/reportCorrect
- Reports documentation: https://2captcha.com/api-docs/report-correct and https://2captcha.com/api-docs/report-incorrect
- Detailed guide on submitting reports: https://2captcha.com/h/how-to-submit-reports
- Upload statistics and dashboard reporting: https://2captcha.com/statistics/uploads
- Support Center: https://2captcha.com/support/tickets/new
- Code examples on GitHub: https://github.com/2captcha
Conclusion
Bypassing Imperva (Incapsula) via 2Captcha boils down to sending the page URL, proxy parameters, mandatory incapsulaScriptUrl and incapsulaCookies parameters, and, if necessary, reese84UrlEndpoint to the API, receiving specific protection cookies, and injecting them into your HTTP session. The main thing to remember is the critical importance of using the same residential proxy at all stages and strictly synchronizing the User-Agent, as this protection tightly binds the session to network fingerprints.