search

AdguardTeam / CoreLibs

Core Adguard libraries
https://adguard.com/
Apache License 2.0
39 stars 7 forks source link

Endless challenge at Cloudflare Verification #1765

Open Aydinv13 opened 1 year ago

Aydinv13 commented 1 year ago

@aliafshany commented on Sat May 13 2023

AdGuard version

Version 2.10.1.1277 nightly

Browser version

Version 0.103.0 (38794), chrome Version 113.0.5672.92 (Official Build) (arm64)

OS version

ventura 13.3.1

What filters do you have enabled?

AdGuard Annoyances filter, EasyList, Adblock Warning Removal List, Online Malicious URL Blocklist, Iranian filter

What Stealth Mode options do you have enabled?

No response

Support ticket ID

No response

Issue Details

Steps to reproduce:

  1. go to a site that has a Cloudflare anti-robot verification like vultr.com, ping.pe
  2. you would check the checkbox over and over but it won't verify you.
  3. turn AG totally off and then refresh the page and verify that, It woks then!

Expected Behavior

Cloudflare won't verify you.

Actual Behavior

Cloudflare won't verify you unles you turn AG off

Screenshots

https://github.com/AdguardTeam/AdguardForMac/assets/40741745/ab1b3895-fa8f-4f55-9847-34a667cbcbf4

Additional Information

No response

@aliafshany commented on Sat May 13 2023

my settings in Adguard:

https://github.com/AdguardTeam/AdguardForMac/assets/40741745/8bbc4baa-670d-43ea-8af9-4860f33aca9c

@ZeroClover commented on Mon May 15 2023

Same here.

After repeated testing, I found that keeping the following AdGuard Stealth Mode features disabled avoids this issue:

I have set one of my test sites to always return to the challenge page (interactive challenge) to facilitate testing.

https://turnstile.zeroclover.io/

@aliafshany commented on Mon May 15 2023

@ZeroClover thank you for testing and sharing the results.

Unfortunately, Block Location API and Block Java are important for me to hide any IP leaks that might occur. Hope the Devs find a good solution for this.

@Aydinv13 commented on Tue May 23 2023

@aliafshany @ZeroClover Hi, sorry for the late reply.

Most likely Cloudflare is asking you to enter captcha/wait because the User-Agent is incorrect or typed in by hand - that's a reason to be suspicious. Such User-Agent will not match the TLS fingerprint with the browser, therefore there may be issues such as endless checks.

@ZeroClover commented on Tue May 23 2023

@Aydinv13

User-Agent is part of the reason for this issue, but not the decisive factor.

Even without disguising the User-Agent, blocking access to a browser's Push/Location/Java API will cause Cloudflare to endlessly challenge.

Cloudflare CAPTCHA (Turnstile) uses browser fingerprints and functions to identify legitimate users and bots. Unfortunately, most pre-compiled headless browsers (widely used by crawlers) do not implement the aforementioned APIs mentioned above.

grumaxxx commented 1 year ago

@aliafshany @ZeroClover Hello, could you tell me if adding the following rule solves this problem on your side?

@@*.io^$header=cf-mitigated:challenge,stealth
ZeroClover commented 1 year ago

@grumaxxx Hi,

It's work on my side. And I haven't updated to the nightly version, so it seems like this is a mitigation that already existed in previous versions?

grumaxxx commented 1 year ago

This rule disables the stealth module for queries that contains "cf-mitigated" header. But in the current version, you cannot generalize it to all domains and use it as 

@@*$header=cf-mitigated:challenge,stealth"

This will be possible with the release of version 1.12 (#1762). As a temporary solution, you can use the rule from the previous comment.

dnmTX commented 1 year ago

@grumaxxx the rule(s) that you posted don't really help. Site to test: my.roommates.com. Most likely have to open a account which is free and then by clicking on any user's room add will triger the cloudflare challenge,which will just spin endlessly. What helped me so far is to whitelist the entire site: @@||roommates.com^. With this rule in place i can pass through that challenge and this is just one example out of many. Different solution is needed to mitigate this without exposing the end user so much!!!!!!!

sfionov commented 1 year ago

@dnmTX Adguard for Mac 2.12 is released with new CL1.12.

Can you please check if rule

@@*$header=cf-mitigated:challenge,stealth

helps in your case?

dnmTX commented 1 year ago

@sfionov i'm experiencing this on AG for Windows and so far adding this rule: @@||domain.com^$stealth=useragent to the affected sites helps. Is your rule applicable for Mac users only or...?

Edit: Nope,that rule doesn't work on my end 😞

sfionov commented 12 months ago

Many stealthmode features adds suspictibility for Anti-DDoS services. Please consider to turn off some of these features for services you have problems with.