search

titaniumnetwork-dev / Ultraviolet

A highly sophisticated proxy used for evading internet censorship or accessing websites in a controlled sandbox using the power of service-workers. Works by intercepting HTTP requests with a service worker script that follows the TompHTTP specifications.
https://docs.titaniumnetwork.org/proxies/ultraviolet
GNU Affero General Public License v3.0
458 stars 3.68k forks source link

Cloudflare Turnstile fails (true domain leaked?) ("Verifying you are human" page) #121

Open itschasa opened 5 months ago

itschasa commented 5 months ago

will always get stuck on this page:

image

the captcha doesnt load, if anyone has any other results, please share.

Percslol commented 4 months ago

known bug, will keep this issue open for discussion and possible fixes

itschasa commented 4 months ago

seems like turnstile still works whilst inside an iframe, so this could be a fixable issue, however, is likely to be a cat and mouse game with captcha providers

image

madeline-yana commented 4 months ago

I think this is an issue if you are deploying via a known big server provider (e.g. if the provider uses Hetzner), Cloudflare probably just blocks the IPs.

itschasa commented 4 months ago

i see this in console when a captcha is attempted: [Cloudflare Turnstile] Ignored message from wrong origin: https://*site with captcha*. image

maybe turnstile is getting the actual domain of the proxy, and using that to check Message events follow the corrent origin as part of a check? (or just because it uses postMessage to do the challenge)

this might be solvable, if we can find how turnstile is getting the true domain of the proxy

Percslol commented 4 months ago

i see this in console when a captcha is attempted: [Cloudflare Turnstile] Ignored message from wrong origin: https://*site with captcha*. image

maybe turnstile is getting the actual domain of the proxy, and using that to check Message events follow the corrent origin as part of a check? (or just because it uses postMessage to do the challenge)

this might be solvable, if we can find how turnstile is getting the true domain of the proxy

yeah i just checked this, seems to be reproducible

fixing this might also solve #128

Percslol commented 4 months ago

yeah the iframe is sending the wrong location in the post message

image

Percslol commented 4 months ago

image

itschasa commented 4 months ago

yeah the iframe is sending the wrong location in the post message

image

would this be due to a bad rewrite of the captcha's js? they are heavily obfuscated so it'd make sense

itschasa commented 3 months ago

overriding the origin might need to be changed

https://github.com/titaniumnetwork-dev/Ultraviolet/blob/1d38959da170abb1c195187100aef5134967e023/src/client/message.js#L105