What do the CloudFlare CAPTCHA and Challenge pages look like for users?


Solution 1

I tried setting up a challenge for my own IP address and this is what I got:

[Image: Cloudflare Firewall Challenge CAPTCHA]

Another test shows sometimes the Google reCAPTCHA system is used:

[Image: Google reCAPTCHA served by Cloudflare]

That appears to be the default challenge page, but if you are using a paid plan there are options to customize the following error pages:

  • IP/Country Block
  • WAF Block
  • 500 Class Errors
  • Enable Origin Error Pages
  • 1000 Class Errors
  • Always Online™ Error
  • Basic Security Challenge
  • WAF Challenge
  • Country Challenge
  • I'm Under Attack Mode™ Challenge

In the firewall section you can also change how often the CAPTCHA will appear (from 5 minutes up to 1 year).

Also it appears that the CAPTCHA response is saved per domain (likely using a cookie), and completing a challenge will allow access to that domain and all sub-domains. Also, the challenge page is displayed to the user with a 403 Forbidden response code, which can cause issues with JavaScript/CSS if you load those from another domain behind Cloudflare and that domain is included in the challenge with no way to complete the CAPTCHA.

Also I just found out that the CAPTCHA challenge can change for IPs with higher threat scores or JavaScript/cookies disabled:

@wiretapped The captchas are from Google's reCaptcha. The higher the threat score with the IP = a harder challenge page.

This may or may not occur with IP bans, but here is an example from Tor accessing stackoverflow.com with NoScript blocking JavaScript:

[Image: Cloudflare high-threat CAPTCHA shown to a Tor user with JavaScript disabled]
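
The 403 status and the per-domain clearance cookie described in this answer are things a site owner can detect programmatically when assets are loaded from a second domain behind Cloudflare. The following is an added example, not code from the original answer or from Cloudflare: a small client-side helper that classifies a fetch response from the asset domain as a challenge page, a plain block, or a normal asset, and tells the user which origin to visit to complete the challenge. The `cf-mitigated` response header is one Cloudflare sets on challenge responses to fetch/XHR requests (it is not mentioned in the answer); the HTML body markers, the function names and the sample responses are assumptions constructed for the example.

```javascript
// Added example, not from the original answer or from Cloudflare.
// Classifies a response from a second domain behind Cloudflare so that a page
// loading JavaScript/CSS cross-domain can tell a challenge page (served as
// 403 Forbidden) apart from a real 403 or a normal asset, and can send the user
// to that domain to complete the challenge (the clearance cookie is per domain).

// Header Cloudflare sets on challenge responses to fetch/XHR requests.
const CHALLENGE_HEADER = "cf-mitigated";

// Assumed heuristics for HTML challenge pages when the header is absent;
// these strings are constructed for the example, not taken from the answer.
const CHALLENGE_BODY_MARKERS = [
  "cf-chl",                                   // ids/classes used by challenge scripts and forms
  "Checking your browser before accessing",   // JavaScript Challenge interstitial text
  "Please complete the security check",       // CAPTCHA challenge text
];

// Normalise header names to lower case so lookups do not depend on casing.
function lowerCaseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Returns { kind: "challenge" | "blocked" | "ok" | "error", via: string }.
function classifyResponse(status, headers, body) {
  const h = lowerCaseHeaders(headers);
  if ((h[CHALLENGE_HEADER] || "").toLowerCase() === "challenge") {
    return { kind: "challenge", via: "cf-mitigated header" };
  }
  const fromCloudflare = (h["server"] || "").toLowerCase() === "cloudflare";
  if (status === 403 && fromCloudflare) {
    const text = String(body || "");
    if (CHALLENGE_BODY_MARKERS.some((marker) => text.includes(marker))) {
      return { kind: "challenge", via: "body marker" };
    }
    // A 403 from the Cloudflare edge without challenge markers: a block page
    // (IP/country/WAF block) or a 403 passed through from the origin.
    return { kind: "blocked", via: "403 without challenge markers" };
  }
  if (status >= 200 && status < 300) return { kind: "ok", via: "status" };
  return { kind: "error", via: "status " + status };
}

// The clearance cookie is scoped to the domain that served the challenge, so
// the user must complete it on that origin, not on the page embedding the asset.
function challengeUrlFor(assetUrl) {
  return new URL(assetUrl).origin + "/";
}

// Fetches a cross-domain asset and returns the classification together with
// the URL to send the user to if a challenge is in the way. `fetchImpl` is
// injectable so the function can be exercised without network access.
async function loadCrossDomainAsset(assetUrl, fetchImpl = fetch) {
  // credentials: "include" sends the asset domain's own clearance cookie.
  const res = await fetchImpl(assetUrl, { credentials: "include" });
  const headers = {};
  res.headers.forEach((value, name) => { headers[name] = value; });
  const body = await res.text();
  const verdict = classifyResponse(res.status, headers, body);
  return {
    ...verdict,
    body: verdict.kind === "ok" ? body : null,
    completeChallengeAt: verdict.kind === "challenge" ? challengeUrlFor(assetUrl) : null,
  };
}

// Constructed sample responses (not captured from Cloudflare).
const SAMPLE_CHALLENGE = {
  status: 403,
  headers: { Server: "cloudflare", "Content-Type": "text/html" },
  body: '<html><body><form id="challenge-form">Please complete the security check</form></body></html>',
};
const SAMPLE_BLOCK = {
  status: 403,
  headers: { Server: "cloudflare", "Content-Type": "text/html" },
  body: "<html><body><h1>Access denied</h1></body></html>",
};
const SAMPLE_CSS = {
  status: 200,
  headers: { server: "cloudflare", "content-type": "text/css" },
  body: "body { margin: 0 }",
};

// Convenience wrapper so a sample can be classified in one call.
function classifySample(sample) {
  return classifyResponse(sample.status, sample.headers, sample.body);
}
```

This only diagnoses assets fetched with `fetch()`; a plain `<script>` or `<link>` tag exposes no status code, so the practical use is a startup probe of the asset domain that, on a `challenge` verdict, shows the user a link to `completeChallengeAt` instead of silently failing with a broken page.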

Solution 2

Recently CloudFlare added another option to their Firewall section called JavaScript Challenge, which will display a loading page with three animated dots for up to 5 seconds:

[Image: Cloudflare JavaScript Challenge loading page]

It appears to also use cookies to save the results and allow future access without re-testing.

Solution 3

Cloudflare switched from Google reCAPTCHA to hCaptcha.

https://www.hcaptcha.com/

https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/

There is a picture of what it looks like at the bottom of the Cloudflare blog link.

Greg Bray

Updated on June 14, 2022

Comments

  • Greg Bray, almost 2 years ago

    In the CloudFlare Web Application Firewall you are able to block, whitelist, CAPTCHA, or JavaScript Challenge traffic based on IP address, country name, or ASN. The only note provided on the CAPTCHA section is:

    If you are unsure whether suspicious web visitor behavior is illegitimate traffic, you can set up a challenge page. This page asks visitors to submit a CAPTCHA successfully to continue their action. If the web visitor fails the challenge, they will be blocked from your website.

    What do the CAPTCHA and challenge pages look like?