Good Carder
Professional
- Messages
- 753
- Reaction score
- 493
- Points
- 63
Introduction: Why Classical Methods No Longer Work
By 2026, modern WAFs had evolved into complex systems that analyzed not only headers but the entire "trace" of an automated session.Experts estimate that approximately 20% of all websites on the internet use Cloudflare, and bypassing this protection is becoming increasingly difficult.
Modern WAFs have evolved far beyond simple User-Agent checking. Today, they are comprehensive systems that analyze six independent detection layers:
| Layer | What is being checked? | Technical implementation |
|---|---|---|
| 1. The navigator.webdriver flag | A flag that headless Chrome sets to true by default | JavaScript check on any protected page |
| 2. User-Agent и HeadlessChrome | The presence of the "HeadlessChrome" substring in UA, consistency of headers | Cloudflare Basic Check |
| 3. Canvas / WebGL fingerprint | Pixel hash from off-screen canvas render | DataDome, PerimeterX, Shape |
| 4. WebRTC local IP leak | RTCPeerConnection revealing real LAN IP | Incapsula, DataDome |
| 5. TLS/JA3 handshake | Client Hello Server Fingerprint | Cloudflare Turnstile, modern WAFs |
| 6. Behavioral patterns | Cursor entropy, timings, scrolls | Cloudflare Bot Fight, Turnstile v2 |
These layers work sequentially: completing one doesn't guarantee completion of the next. In this article, we'll explore how to complete each one.
Part 1. How Modern WAFs Work: From Header Analysis to Behavioral Scripts
Modern WAFs are multi-level systems where blocking decisions are made based on scoring.1.1 Header Analysis (Layer 1–2)
Most WAFs check not only the presence of headers but also their consistency. For example, if the User-Agent indicates Windows, but the Sec-Ch-Ua-Platform header points to macOS, the profile is immediately flagged.1.2. Behavioral scripts and captchas (Layer 3–4)
Modern WAFs execute JavaScript on the page, which collects hundreds of signals about your environment. These signals include the order of ciphers in the TLS handshake, HTTP/2 compression methods, header consistency, and browser APIs.1.3. Turnstile: Cloudflare's New Paradigm
Cloudflare is actively implementing Turnstile, a CAPTCHA solution that focuses on behavioral analysis rather than puzzle solving. Turnstile analyzes how the client establishes a TLS connection, how it sends HTTP frames, and how it interacts with the browser API after the page loads.1.4. AI Labyrinth: A New Trap for 2026
In 2026, Cloudflare implemented AI Labyrinth, a honeypot system that generates a 200 OK response when a bot is detected, but fills the page entirely with synthetic AI data. When bypassing a WAF, always inspect the page content and don't rely solely on the response status.Part 2. Specifics of DataDome, Shape, and PerimeterX solutions
Each of these solutions has its own unique detection mechanisms, requiring specific approaches to bypassing.2.1. DataDome: ML-scoring on edges
DataDome is a solution that processes bot traffic decisions in less than 2 milliseconds on the edge network. DataDome combines residential and mobile proxies, headless browser rotation, and CAPTCHA challenge passing.Technical analysis of DataDome deobfuscation:
DataDome uses heavily obfuscated JavaScript bundles that are updated daily. The modern deobfuscator for DataDome processes:
- captcha.js (Webpack/Browserify bundle that DataDome serves on the captcha page)
- interstitial.js (bundle on WAF pages)
The deobfuscation process involves hex name cleaning, module separation, IIFE untangling, and control stream analysis to extract the WASM payload.
2.2. Shape Security (F5 Distributed Cloud Bot Defense)
Shape Security is one of the most sophisticated detection systems. Its key mechanisms are:Dynamic obfuscation virtual machine:
Shape creates a custom JavaScript virtual machine with randomized opcodes that constantly change. Even if you manage to decrypt one packet, the algorithm will change within a few minutes.
Multi-layered sensor data encryption:
Sensor data passes through superpack, Shape's proprietary encoding format, then is encrypted using randomized seeds that rotate throughout the session.
Chrome DevTools Protocol (CDP) detection:
The system detects Runtime.enable commands and other CDP artifacts. Even "undetected" browsers leave such traces. Opening DevTools on a test page immediately flags you as automated.
Rapid machine learning:
Shape's ML models adapt to new evasion techniques within 24-48 hours.
Basic bypass with curl_cffi:
For many Shape-protected endpoints, browser automation can be bypassed using curl_cffi, which simulates accurate TLS fingerprinting of the browser.
2.3. PerimeterX
PerimeterX (now part of Human Security) uses device fingerprinting and behavioral analysis to classify traffic. The platform provides developers with tools for collecting metrics, including checkStatus, getStatus, and setCustomData, allowing websites to configure security thresholds.Since PerimeterX actively collects device data via JavaScript, the key to evasion is using a clean browser environment (antidetect) and simulating real behavior. PerimeterX is less aggressive in detecting CDPs, but its behavioral patterns require careful emulation.
Part 3: Using Legitimate Browser Fingerprints with Puppeteer Stealth
3.1 Why the classic Puppeteer Stealth is obsolete
The standard puppeteer-extra-plugin-stealth hasn't received significant updates for over three years. Research from 2026 shows that "Vanilla Puppeteer" fails five out of six detection tests. Puppeteer + stealth-plugin passes only three out of six.3.2. Working Alternatives for 2026
| Tool | Success | Peculiarity |
|---|---|---|
| Byparr | 92.16% | The Best Open-Source Cloudflare Bypass Tool |
| FlareSolverr | 90.38% | A proxy server for solving JS challenges, running as a local service |
| Camoufox | 88.58% | Optimized for Turnstile-heavy targets |
| SeleniumBase UC Mode | 80.76% | Undetected Chrome Mode with automatic CDP patching |
3.3. curl_cffi: A library for simulating TLS
curl_cffi is a Python library that simulates TLS/JA3 fingerprints of real browsers:
Python:
from curl_cffi import requests
# Имитация Chrome 132 в Windows
response = requests.get(
'https://target-site.com',
impersonate='chrome132',
proxies={'https': 'http://user:pass@proxy:port'}
)The full list of available imprints for imitation as of late 2025 – early 2026 includes:
- Chrome: versions 99–133 for Windows, macOS, Linux
- Safari: versions 15–18, including mobile fingerprinting
- Edge: versions 99–133
- Firefox: versions 102–135
For Python developers, tls-client (a Go library with a Python wrapper) is also available, providing pre-built profiles for Chrome, Firefox, Safari, and Opera.
3.4 Advanced Cloudflare Turnstile Bypass Script with Puppeteer
JavaScript:
const puppeteer = require('puppeteer-extra');
const StealthPlugin = require('puppeteer-extra-plugin-stealth');
const RecaptchaPlugin = require('puppeteer-extra-plugin-recaptcha');
puppeteer.use(StealthPlugin());
puppeteer.use(RecaptchaPlugin({
provider: { id: '2captcha', token: 'YOUR_API_KEY' },
visualFeedback: true
}));
(async () => {
const browser = await puppeteer.launch({
headless: false,
args: [
'--no-sandbox',
'--disable-setuid-sandbox',
'--disable-dev-shm-usage',
'--disable-accelerated-2d-canvas',
'--disable-gpu',
'--window-size=1920,1080',
'--start-maximized'
]
});
const page = await browser.newPage();
await page.setViewport({ width: 1920, height: 1080 });
await page.setUserAgent('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/132.0.0.0 Safari/537.36');
await page.goto('https://target-site.com', { waitUntil: 'networkidle2', timeout: 60000 });
try {
await page.solveRecaptchas();
} catch (e) {
console.log('CAPTCHA solving failed:', e);
}
const cookies = await page.cookies();
const cf_clearance = cookies.find(c => c.name === 'cf_clearance');
console.log('cf_clearance:', cf_clearance?.value);
await browser.close();
})();3.5. Solving captchas with 2captcha and Capsolver
Paid services solve captchas automatically.CapSolver integration with Puppeteer:
JavaScript:
const CapSolver = require('capsolver');
const solver = new CapSolver('YOUR_API_KEY');
async function solveTurnstile(page, siteKey, pageUrl) {
const solution = await solver.turnstile({
websiteURL: pageUrl,
websiteKey: siteKey,
metadata: { action: 'login' }
});
await page.evaluate(token => {
document.querySelector('[name="cf-turnstile-response"]').value = token;
}, solution.token);
}Part 4: A Practical Guide to Debugging with mitmproxy
mitmproxy allows you to intercept, inspect, and modify traffic in real time, a critical tool for understanding how AJAX calls and sensor data work.4.1. EvilWAF: An Advanced MITM Tool for 2026
EvilWAF operates at the transport layer and doesn't touch the payload from your tools, allowing you to analyze requests in their pure form. It's compatible with any tools like sqlmap or ffuf.4.2. Intercepting Shape Security sensors via mitmproxy
Python:
# addon.py for mitmproxy
import json
from mitmproxy import http
def response(flow: http.HTTPFlow) -> None:
if 'shape.com/sensor' in flow.request.url:
# Store encrypted sensor data for analysis
sensor_data = flow.request.headers.get('X-Sensor-Data')
if sensor_data:
with open('shape_sensors.log', 'a') as f:
f.write(f"{flow.request.timestamp_start}: {sensor_data}\n")
# Modify the response if a fingerprint needs to be replaced
if flow.response and flow.response.text:
modified = flow.response.text.replace('"is_bot":true', '"is_bot":false')
flow.response.text = modified
def request(flow: http.HTTPFlow) -> None:
# Add the correct headers for browser emulation
flow.request.headers['Accept-Language'] = 'en-US,en;q=0.9'
flow.request.headers['Sec-Ch-Ua'] = '"Chromium";v="132"'Run mitmproxy with a custom addon: mitmproxy -s addon.py
4.3. Extracting Request Parameters via MitM to Bypass WAF
When working with solutions such as the WAF, an approach based on a combination of browser automation and MITM interception is used:- Browser solves JavaScript challenge.
- The interceptor (mitmproxy/Burp Suite) intercepts the request and extracts valid parameters.
- The extracted parameters are used for relaying through high-performance HTTP clients.
Part 5. Summary: WAF Bypass Strategies in 2026
| WAF/System | The main mechanism | Bypass method |
|---|---|---|
| Cloudflare (Turnstile/Bot Fight) | JA3/JA4 analysis, behavioral scoring | curl_cffi + Antidetect Browser + Turnstile Solution |
| DataDome | ML solutions in <2 ms, JS/WASM obfuscation | Proxy rotation + deobfuscation + head browsers |
| Shape Security (F5) | Virtual machine, CDP detection, ML in 24-48 hours | curl_cffi for TLS spoofing or a custom browser engine |
| PerimeterX | Device fingerprinting + behavioral analysis | Behavior emulation (mouse, scrolling) + clean fingerprint |
| Akamai (Bot Manager) | TLS analysis, HTTP/2 assessment, behavioral scoring | JA4 Profiling + High-Quality Residential Proxies |
Part 6. OPSEC Checklist: How to Avoid Being Blocked
Before starting a session:- Select a current bypass method (Byparr/Camoufox for 2026, not Puppeteer Stealth)
- Configure curl_cffi with the current browser fingerprint (Chrome 132+, Edge 131+)
- Prepare a pool of residential proxies with a fraud rate of no more than 30
During the session:
- Imitate natural delays: 3-5 seconds between actions
- Add "human noise": random mouse movements, scrolls
- Rotate TLS fingerprints between requests at high volumes
After the session:
- Save a valid cf_clearance cookie for reuse in the HTTP client
- Analyze errors: If you see cf-mitigated: challenge, Cloudflare still sees you as a bot.
Conclusion: The arms race continues
In 2026, the WAF industry transitioned from static rules to dynamic, AI-driven threat analysis. Simultaneously, evasion tools evolved from simple plugins to full-fledged solutions for simulating browsers at the TLS and hardware levels.Three key findings:
- Puppeteer Stealth is deprecated. Use Byparr, Camoufox, or SeleniumBase UC Mode for 2026.
- JA3/JA4 fingerprints are everything. curl_cffi with current Chrome 132+ profiles is a new minimum.
- Mitmproxy is critical. The ability to intercept, analyze, and modify traffic provides insight into how protection works and how to bypass it.
A quick one-line reminder:
"In 2026, WAFs don't read headers, they read the soul of your TLS. Replace requests with curl_cffi and puppeteer-stealth with Byparr — and maybe they'll let you through."
