hCaptcha on Clouflare-protected websites


What happened?
Recently Cloudflare changed the way of processing hCpatcha tokens after solving the captcha. Now tokens are not sent as plain text inside HTTP request to the back-end as it was before. Now tokens are encrypted with the javascript callback function before sending.

How does it work now?
When you bypass the hCaptcha challenge the token is passed to a callback function. The callback is defined inside obfuscated javascript code loaded from /cdn-cgi/challenge-platform/h/b/orchestrate/captcha/v1.

The callback function uses some additional data defined inside the javascript and applies some logic to encrypt the token and additional data before submitting it to the back-end on /cdn-cgi/challenge-platform/h/b/flow/ov1/

Can I bypass hCaptcha on Cloudflare-protected page with 2Captcha API?
Yes, you can. Our 2Captcha Solver extension for Google Chrome does this automatically. You can try to use it to make sure it works in your case.

Is there an easy way to bypass hCaptcha on Cloudflare-protected page?
No, it is no easy way anymore. To do so you have to understand how the token is encrypted by the javascript code. Our 2Captcha Solver extension for Google Chrome can help you to see the callback function code.

Just get the extension and enable it, then open a webpage where you want to bypass hCaptcha challenge and search for captcha-widget element. Inspect this element, it will have some attributes including data-callback which will contain the callback function copy. Now you can use callback function name in the javascript console to jump to the function definition and explore the code. The code is obfuscated, but you can set some breakpoints and define some watch expressions to make things more clear.

Can 2Captcha do all this complex things for me?
Unfortunately no, we can not do all these actions on our side. We can solve the captcha and provide you a valid token, the rest of the job must be done on your side.

What is the recommended approach?
Our opinion: the most effificient way is to use javascript injection to redefine hcaptcha.render(container, params) method.

Store the original render function inside a variable, then use your own function that will catch both arguments container and params and return the original render method.

Parse the arguments inside your function to get the callback definition from data-callback inside params. Then call the callback found passing the token as the only argument.

Another approach is to completely deobfuscate the callback code to understand what data the code consume and use to generate the data used in the request to /cdn-cgi/challenge-platform/h/b/flow/ov1/

We also recommend to check cfresearch repo where Steven scaredos publishes his research on CloudFlare's protection.