Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Endless challenge at Cloudflare Verification #1765

Open
Aydinv13 opened this issue May 24, 2023 · 7 comments
Open

Endless challenge at Cloudflare Verification #1765

Aydinv13 opened this issue May 24, 2023 · 7 comments
Labels
Priority: P4

Comments

@Aydinv13
Copy link

@aliafshany commented on Sat May 13 2023

AdGuard version

Version 2.10.1.1277 nightly

Browser version

Version 0.103.0 (38794), chrome Version 113.0.5672.92 (Official Build) (arm64)

OS version

ventura 13.3.1

What filters do you have enabled?

AdGuard Annoyances filter, EasyList, Adblock Warning Removal List, Online Malicious URL Blocklist, Iranian filter

What Stealth Mode options do you have enabled?

No response

Support ticket ID

No response

Issue Details

Steps to reproduce:

  1. go to a site that has a Cloudflare anti-robot verification like vultr.com, ping.pe
  2. you would check the checkbox over and over but it won't verify you.
  3. turn AG totally off and then refresh the page and verify that, It woks then!

Expected Behavior

Cloudflare won't verify you.

Actual Behavior

Cloudflare won't verify you unles you turn AG off

Screenshots

cf.mp4

Additional Information

No response

@aliafshany commented on Sat May 13 2023

my settings in Adguard:

AG.mp4

@ZeroClover commented on Mon May 15 2023

Same here.

After repeated testing, I found that keeping the following AdGuard Stealth Mode features disabled avoids this issue:

  • Block Push API
  • Block Location API
  • Block Java
  • Hide your User-Agent
  • Remove X-Client-Data Header

I have set one of my test sites to always return to the challenge page (interactive challenge) to facilitate testing.

https://turnstile.zeroclover.io/

@aliafshany commented on Mon May 15 2023

@ZeroClover
thank you for testing and sharing the results.

Unfortunately, Block Location API and Block Java are important for me to hide any IP leaks that might occur.
Hope the Devs find a good solution for this.

@Aydinv13 commented on Tue May 23 2023

@aliafshany @ZeroClover Hi, sorry for the late reply.

Most likely Cloudflare is asking you to enter captcha/wait because the User-Agent is incorrect or typed in by hand - that's a reason to be suspicious. Such User-Agent will not match the TLS fingerprint with the browser, therefore there may be issues such as endless checks.

@ZeroClover commented on Tue May 23 2023

@Aydinv13

User-Agent is part of the reason for this issue, but not the decisive factor.

Even without disguising the User-Agent, blocking access to a browser's Push/Location/Java API will cause Cloudflare to endlessly challenge.

Cloudflare CAPTCHA (Turnstile) uses browser fingerprints and functions to identify legitimate users and bots. Unfortunately, most pre-compiled headless browsers (widely used by crawlers) do not implement the aforementioned APIs mentioned above.
@Aydinv13 Aydinv13 mentioned this issue May 24, 2023
Closed
@adguard-bot adguard-bot assigned zzebrum and grumaxxx and unassigned zzebrum May 24, 2023
@grumaxxx
Copy link

@aliafshany @ZeroClover Hello, could you tell me if adding the following rule solves this problem on your side?

@@*.io^$header=cf-mitigated:challenge,stealth

@ZeroClover
Copy link

@grumaxxx Hi,

It's work on my side. And I haven't updated to the nightly version, so it seems like this is a mitigation that already existed in previous versions?

@grumaxxx
Copy link

This rule disables the stealth module for queries that contains "cf-mitigated" header. But in the current version, you cannot generalize it to all domains and use it as

@@*$header=cf-mitigated:challenge,stealth"

This will be possible with the release of version 1.12 (#1762).
As a temporary solution, you can use the rule from the previous comment.

@dnmTX
Copy link

dnmTX commented Jun 13, 2023
edited
Loading

@grumaxxx the rule(s) that you posted don't really help. Site to test: my.roommates.com. Most likely have to open a account
which is free and then by clicking on any user's room add will triger the cloudflare challenge,which will just spin endlessly.
What helped me so far is to whitelist the entire site: @@||roommates.com^. With this rule in place i can pass through that challenge and this is just one example out of many.
Different solution is needed to mitigate this without exposing the end user so much!!!!!!!

@sfionov
Copy link
Member

sfionov commented Sep 25, 2023

@dnmTX Adguard for Mac 2.12 is released with new CL1.12.

Can you please check if rule

@@*$header=cf-mitigated:challenge,stealth

helps in your case?

@dnmTX
Copy link

dnmTX commented Sep 25, 2023
edited
Loading

@sfionov i'm experiencing this on AG for Windows and so far adding this rule: @@||domain.com^$stealth=useragent to the affected sites helps. Is your rule applicable for Mac users only or...?

Edit: Nope,that rule doesn't work on my end 😞

@sfionov
Copy link
Member

sfionov commented Oct 9, 2023
edited
Loading

Many stealthmode features adds suspictibility for Anti-DDoS services. Please consider to turn off some of these features for services you have problems with.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Priority: P4
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@sfionov @ZeroClover @adguard-bot @dnmTX @zzebrum @Aydinv13 @grumaxxx