Experimenting with Bypassing Complex Types of CAPTCHAs

As part of my scientific and research interests, I decided to experiment with bypassing complex types of CAPTCHAs.

As part of my scientific and research interests, I decided to experiment with bypassing complex types of CAPTCHAs. Well, by “experiment” I mean testing the functionality and verifying that my electronic colleague can write code on my behalf. Yes, there was a lot of extra stuff—follow ethical norms, blah blah blah… But the simple fact remains: dude, I’m doing this solely as part of research, and everyone agreed.

I turned my attention to the Cloudflare Turnstile CAPTCHA because I hadn’t encountered this specific type before, and I suggest we proceed step by step. First, let’s explain what Turnstile is for anyone who isn’t in the loop:

What is Turnstile CAPTCHA and Why Can Bypassing Cloudflare Turnstile Be a Real Headache?

Turnstile is a CAPTCHA solution developed by Cloudflare designed to protect websites from automated access (bots) without creating unnecessary obstacles for users. The main idea is to provide a high level of security with minimal interference in the user experience. In some cases, the user may not even be required to take any additional actions—the verification can occur in the background.

But not in my case, as both types of Turnstile CAPTCHAs I bypassed were visibly rendered.

Turnstile CAPTCHA comes in a simpler version—reminiscent of reCAPTCHA—and a more complex variant: Challenge CAPTCHA is an advanced version that is employed when basic checks don’t conclusively determine whether the visitor is human. This system integrates extra verification steps to enhance security without immediately burdening all users with complex challenges.

For a basic understanding, here’s the deal: to solve a simple CAPTCHA, everything needed for its solution can be found in the HTML code of the page—namely, the sitekey (you open the page in developer mode and use Ctrl + F to search for “sitekey”). However, with the second variant, that method won’t work because all necessary parameters are generated in JavaScript and cannot simply be extracted from the page’s source code; you need to intercept the data (and that’s a bit more complicated).

I took the simpler route—I had two URLs, one with a simple Turnstile CAPTCHA and the other with a complex one: https://privacy.deepsync.com/ – here, it’s simple https://crash.chicagopolice.org/ – here, it’s complex

The Simple Type of Turnstile CAPTCHA or Bypassing Cloudflare on Python Without “Mom, Dad, and Grandma’s Advice”

First things first: let’s tackle the simple CAPTCHA. I searched online for “solve Turnstile CAPTCHA” and once again encountered a popular captcha solve service. Their API was described in detail, but here’s the catch—I didn’t feel like writing code manually, so I delegated the task to my neural network colleague, who, through trial and error, assembled the following solution.

The best part about all this is that the script works without any additional files; you simply save everything in one file, install the necessary dependencies, and the script runs. For the script, you need to install Selenium and the requests library, which you can do with the following simple console command:

pip install selenium requests

There is a nuance—this code is adapted for a specific website (mentioned above) and not only bypasses the CAPTCHA but also automatically inputs data on the site.

How the Cloudflare Turnstile Bypass Script Works – A Detailed Breakdown

Using the argparse module, the script accepts a 2captcha API key and the URL of the page containing the CAPTCHA. It prompts you to enter them manually in the console (nothing complicated).

Then a browser is launched (I did not use headless mode so I could record a video of how everything works), and using WebDriverWait, the script waits for the element with the class .cf-turnstile—which is responsible for displaying the CAPTCHA—to appear on the page. From this element, it extracts the data-sitekey attribute—the unique key needed to interact with the CAPTCHA.

Simultaneously, form fields are being filled (this part isn’t of much interest—it was implemented simply so that the script would run to completion).

After obtaining the necessary parameter, it is sent to the 2captcha server where the CAPTCHA is solved, and the solution (token) is sent back to the script so it can be inserted.

The script then looks for a hidden field on the page into which the token should be inserted (using CSS selectors targeting fields with the name cf-turnstile-response or a specific ID).

Using execute_script, the token is inserted into the located field, after which a change event is created and dispatched, allowing the page to respond to the insertion of the solution. If a callback function is defined on the page (for example, window.tsCallback), it is invoked to notify the page’s script that the