Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Feb. 04, 2022, 10:54 AM
(This post was last modified: Feb. 05, 2022 05:36 PM by JJoe.)
Post: #1
Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Here's another (but this one is probably to be expected), so we now have three URLs for this behavior -
https://offerup.com/
https://raybuck.com/firebird-vs-trans-am...ry-trivia/
https://support.cloudflare.com/
Thanks in advance if you are able to find anything.
Feb. 04, 2022, 04:19 PM
Post: #2
RE: prox-config-sidki_2019-01-26b1
So... We need the Proxomitron to share a browser's fingerprint.
blog.cloudflare.com/monsters-in-the-middleboxes/ Wrote: Introducing MITMEngine: Cloudflare’s HTTPS Interception Detector
Feb. 04, 2022, 04:46 PM
Post: #3
RE: prox-config-sidki_2019-01-26b1
Wow! Thanks!
My knowledge and insights were never as high as yours and sidki's - do you think we can "fake" a fingerprint that gets us past those Cloudflare captchas?
Feb. 05, 2022, 05:35 PM
Post: #4
RE: Cloudflare [split] prox-config-sidki_2019-01-26b1
(Feb. 04, 2022 04:46 PM)ProxRocks Wrote: do you think we can "fake" a fingerprint that gets us past those Cloudflare captchas?
Maybe, but it might not last long. A couple years ago, I didn't think there was a way for me to get around it. I came to the conclusion that I had to actually remove the Proxomitron from the chain and my IP was probably flagged. Fortunately, I didn't use the sites that complained. Now, I'm wondering if I missed something. I was very not well. So, this year, a site that I frequent started showing the captcha. This time, I quickly fixed an error in the user-agent header and the captcha went away. I could have missed that mistake before... Now, more sites are protected or broken (depending on point of view) by this and people are looking for a solution. My searches have not found an acceptable working solution. There is a game of whack-a-mole here, but there are acceptable reasons to intercept https which may open a hole for 'unacceptable' access. However, modifying the Proxomitron could be a lot of work with no guarantee of success, long term or short.
Feb. 05, 2022, 10:09 PM
(This post was last modified: Feb. 05, 2022 10:19 PM by JJoe.)
Post: #5
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
I found https://httptoolkit.tech/blog/tls-fingerprinting-node-js/ interesting.
There must still be something wrong with me. The... other side: https://github.com/cloudflare/mitmengine
Be careful with ja3er.com. You wouldn't want to give them a new fingerprint.
Feb. 06, 2022, 10:21 AM
Post: #6
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
Quote: However, modifying the Proxomitron could be a lot of work with no guarantee of success, long term or short.
Proxomitron Reborn can already specify the cipher configuration which OpenSSL will use. This is currently a static global option, as it is a little tricky to set it per-connection, but if the need arises, I will do it. If they are specifically looking for ciphersuites that OpenSSL doesn't have but browsers do (and hopefully they aren't ones that are actually going to be in use), that's going to be much harder to fix; but that doesn't mean I won't try either.
Sorry if opinion/commentary is not welcome here, but I absolutely HATE what the web has become, and in particular the browser racket. Cloudf**re is complicit in that. If we don't continue fighting against it, we may not be allowed to use anything but the "approved" browsers controlled by corporate and government interests. "If we don't try, we have already lost."
The following 1 user says Thank You to amy for this post: rasczak
Feb. 06, 2022, 10:43 AM
(This post was last modified: Feb. 06, 2022 12:03 PM by ProxRocks.)
Post: #7
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
(Feb. 06, 2022 10:21 AM)amy Wrote: ... I absolutely HATE what the web has become, and in particular the browser racket. Cloudflare is complicit in that. If we don't continue fighting against it, we may not be allowed to use anything but the "approved" browsers controlled by corporate and government interests.
Agreed! I personally saw the writing on the wall way back in 2004! "SSL" used to be a bank-only "technology"; it is broken now that even malware sites can "buy/use" that "technology".
Feb. 10, 2022, 01:34 AM
Post: #8
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
...I 100% don't understand all the technical stuff you guys are talking about, I just wanted to post to say that you're awesome... thank you...
Feb. 14, 2022, 06:27 PM
Post: #9
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
(Feb. 06, 2022 10:21 AM)amy Wrote: Proxomitron Reborn can already specify the cipher configuration which OpenSSL will use. This is currently a static global option, as it is a little tricky to set it per-connection, but if the need arises, I will do it. If they are specifically looking for ciphersuites that OpenSSL doesn't have but browsers do (and hopefully they aren't ones that are actually going to be in use), that's going to be much harder to fix; but that doesn't mean I won't try either.
I agree with you, Amy. Also, thank you again for the work you've already done to improve Proxomitron. Cloudflare is a problem for me because more than 2 businesses I interact with host their help pages using a separate domain (good for their security), but then put them behind Cloudflare and configure it such that I get a 403 Forbidden + an hCaptcha for performing a single GET request. I haven't figured out what the root of the problem is. I used to be able to use a proxy, such as https://en.wikipedia.org/wiki/Archive.today , but they now also show an hCaptcha.
Feb. 26, 2022, 03:50 AM
Post: #10
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
(Feb. 06, 2022 10:21 AM)amy Wrote: Proxomitron Reborn can already specify the cipher configuration which OpenSSL will use.
What if we just relay the Client Hello from the browser to the remote server (for example Cloudflare CDN) and make sure we don't touch the browser's User Agent string? Though I'm not sure if Proxomitron Reborn can do this kind of low-level stuff.
Feb. 27, 2022, 03:38 AM
Post: #11
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
(Feb. 05, 2022 05:35 PM)JJoe Wrote: Now, more sites are protected or broken (depending on point of view) by this and people are looking for a solution. My searches have not found an acceptable working solution.
What if we provide an unknown user agent, say "Chrome 222", so there isn't a match in the fingerprints database and they will let us pass? Maybe we also need to randomize the user agent, because our request may lead to a record being created in the database later.
Feb. 27, 2022, 05:19 AM
Post: #12
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
(Feb. 27, 2022 03:38 AM)whenever Wrote: What if we provide an unknown user agent, say "Chrome 222", so there isn't a match in the fingerprints database and they will let us pass? Maybe we also need to randomize the user agent, because our request may lead to a record being created in the database later.
It didn't work for me. But then, I didn't try SpaceBison. It may be that some Cloudflare instances deny access to unusual user agents.
Feb. 28, 2022, 04:01 AM
Post: #13
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
I can say from experience - trying to write a browser (long story...) - that having an "unusual" UA header, or even none at all, definitely sticks out like the proverbial sore thumb and gets you blocked from a lot of sites even beyond Cloudflare. The classic SpaceBison has already somehow become famous enough to be blacklisted by many "bot detectors".
(Feb. 26, 2022 03:50 AM)whenever Wrote: What if we just relay the Client Hello from the browser to the remote server (for example Cloudflare CDN) and make sure we don't touch the browser's User Agent string?
The ClientHello sets up the SSL/TLS handshake negotiation, so it could theoretically specify stuff that Proxo's OpenSSL doesn't know how to handle, like some ciphers, if the server decides to pick one.
(Feb. 06, 2022 10:21 AM)amy Wrote: Proxomitron Reborn can already specify the cipher configuration which OpenSSL will use.
This is an issue that has been on my mind for a while and unfortunately I currently don't have much time to work on it, but others have also been doing some work on beating TLS handshake fingerprinting:
Code: https://github.com/lwthiker/curl-impersonate
Mar. 20, 2022, 04:22 PM
(This post was last modified: Mar. 20, 2022 04:35 PM by cattleyavns.)
Post: #14
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
mitmproxy devs are trying to figure out how to deal with TLS Fingerprint, I think they had some ideas about handling User-Agent: https://github.com/mitmproxy/mitmproxy/issues/4575
If I understand correctly, just make a pair of Cipher and User-Agent.
Related Articles:
- https://httptoolkit.tech/blog/tls-finger...g-node-js/
- https://hacker-news.news/post/30378562 (Comment section is pretty interesting)
Mar. 22, 2022, 03:02 AM
(This post was last modified: Mar. 22, 2022 03:22 AM by cattleyavns.)
Post: #15
RE: Cloudflare captcha [split] prox-config-sidki_2019-01-26b1
I've managed to beat TLS Fingerprint with Python urllib3 + override DEFAULT_CIPHERS in Lib\site-packages\urllib3\util\_ssl.py with Pale Moon/any browser's ciphersuite and change User-Agent to match Pale Moon/any browser. And the final result: my transparent local proxy can now bypass CloudFlare's TLS Fingerprint!
Should I share the whole progress? I don't know, I'm just afraid CloudFlare will just patch this exploit (and it's very easy to block because OpenSSL always sends TLS_EMPTY_RENEGOTIATION_INFO_SCSV, and a real Pale Moon/web browser doesn't, so they can easily block my fingerprint by checking User-Agent and TLS_EMPTY_RENEGOTIATION_INFO_SCSV: if it's Pale Moon + TLS_EMPTY_RENEGOTIATION_INFO_SCSV, then block).
Basically I did:
- I used Wireshark to capture real Pale Moon's ciphersuite in the Client Hello packet (Pale Moon is my main browser), then converted Pale Moon's ciphersuite format to Python's ciphersuite format, and overrode DEFAULT_CIPHERS in Lib\site-packages\urllib3\util\_ssl.py with my new ciphersuite.
This is my video (tested on alternativeto.net): https://streamable.com/btr8f8
The following 1 user says Thank You to cattleyavns for this post: amy
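As an added example (not code from this thread, from Proxomitron Reborn or from Cloudflare), here is the server-side view of what posts #14 and #15 describe: a JA3-style fingerprint computed from a ClientHello, and the consistency check the last post predicts, where a Pale Moon/Firefox User-Agent paired with OpenSSL's TLS_EMPTY_RENEGOTIATION_INFO_SCSV is flagged. The ClientHello builder, the cipher/group lists and the User-Agent strings are constructed for the demo; the SCSV rule is the thread's own observation, not a statement about any vendor's actual ruleset.

```python
import hashlib
import struct
GREASE = {(0x0A + 0x10 * i) * 0x101 for i in range(16)}  # 0x0a0a ... 0xfafa, excluded from JA3
SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: the thread notes OpenSSL lists it, Pale Moon does not

def build_client_hello(ciphers, groups, point_formats):
    # Minimal TLS 1.2 ClientHello handshake message (no record header); constructed test input only.
    cs = struct.pack(f"!{len(ciphers)}H", *ciphers)
    grp, pf = struct.pack(f"!{len(groups)}H", *groups), bytes(point_formats)
    ext = struct.pack("!HHH", 0x000A, len(grp) + 2, len(grp)) + grp  # supported_groups extension
    ext += struct.pack("!HHB", 0x000B, len(pf) + 1, len(pf)) + pf    # ec_point_formats extension
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"           # cipher suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def parse_client_hello(msg):
    # Returns (version, cipher suites, extension types, supported groups, point formats).
    assert msg[0] == 1, "not a ClientHello"
    version = struct.unpack_from("!H", msg, 4)[0]
    p = 39 + msg[38]                                    # skip header, version, random, session id
    n = struct.unpack_from("!H", msg, p)[0]
    ciphers = list(struct.unpack(f"!{n // 2}H", msg[p + 2:p + 2 + n]))
    p += 2 + n + 1 + msg[p + 2 + n]                     # skip cipher suites and compression methods
    p, end = p + 2, p + 2 + struct.unpack_from("!H", msg, p)[0]
    exts, groups, pf = [], [], []
    while p < end:
        etype, elen = struct.unpack_from("!HH", msg, p)
        data = msg[p + 4:p + 4 + elen]
        p += 4 + elen
        exts.append(etype)
        if etype == 0x000A:
            groups = list(struct.unpack(f"!{(len(data) - 2) // 2}H", data[2:]))
        elif etype == 0x000B:
            pf = list(data[1:])
    return version, ciphers, exts, groups, pf

def ja3(msg):
    # JA3 string "version,ciphers,extensions,groups,formats" with GREASE values dropped, plus its MD5.
    version, ciphers, exts, groups, pf = parse_client_hello(msg)
    keep = lambda xs: "-".join(str(x) for x in xs if x not in GREASE)
    s = ",".join([str(version), keep(ciphers), keep(exts), keep(groups), keep(pf)])
    return s, hashlib.md5(s.encode()).hexdigest()

def ua_tls_inconsistent(msg, user_agent):
    # The server-side check the thread describes: a Pale Moon/Firefox UA together with the OpenSSL SCSV.
    return ("PaleMoon" in user_agent or "Firefox" in user_agent) and SCSV in parse_client_hello(msg)[1]

OPENSSL_LIKE = build_client_hello([0xC02C, 0xC030, 0x009F, SCSV], [0x001D, 0x0017], [0])  # constructed sample
BROWSER_LIKE = build_client_hello([0x1301, 0x1302, 0xC02B], [0x0A0A, 0x001D], [0])        # constructed, GREASE group
```

Feeding a real capture into `parse_client_hello` needs the TLS record header (5 bytes) stripped first; the JA3 field order and GREASE exclusion follow the published JA3 definition.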