惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

雷峰网
雷峰网
N
Netflix TechBlog - Medium
博客园_首页
J
Java Code Geeks
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Y
Y Combinator Blog
腾讯CDC
V
V2EX
Microsoft Security Blog
Microsoft Security Blog
大猫的无限游戏
大猫的无限游戏
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
L
LINUX DO - 最新话题
Schneier on Security
Schneier on Security
Microsoft Azure Blog
Microsoft Azure Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Hacker News: Ask HN
Hacker News: Ask HN
Martin Fowler
Martin Fowler
Google DeepMind News
Google DeepMind News
G
Google Developers Blog
U
Unit 42
WordPress大学
WordPress大学
N
News and Events Feed by Topic
S
Schneier on Security
T
The Blog of Author Tim Ferriss
B
Blog
博客园 - 叶小钗
Forbes - Security
Forbes - Security
F
Fortinet All Blogs
Project Zero
Project Zero
K
Kaspersky official blog
Apple Machine Learning Research
Apple Machine Learning Research
L
LINUX DO - 热门话题
The GitHub Blog
The GitHub Blog
H
Hacker News: Front Page
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
PCI Perspectives
PCI Perspectives
The Register - Security
The Register - Security
www.infosecurity-magazine.com
www.infosecurity-magazine.com
W
WeLiveSecurity
C
Cyber Attacks, Cyber Crime and Cyber Security
罗磊的独立博客
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tailwind CSS Blog
P
Proofpoint News Feed
S
SegmentFault 最新的问题
D
Docker
量子位
M
MIT News - Artificial intelligence

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
How next-generation captchas work and why it matters for automation
Sid Wudraq · 2026-05-21 · via DEV Community

Modern captchas aren't the simple puzzle-clicking tests anymore. They're full-blown behavioral and environmental verification systems. They look at everything — your browser fingerprint, device parameters, how you move your mouse, how you interact with the page. That little box you tick or the traffic lights you click? Just the final layer of a much deeper process.

If you're building scrapers, automation scripts, or working with anti-detect browsers, you need to understand how these things actually work under the hood. In practice, captcha handling comes down to two things:

  • Scoring — who calculates your risk score and what model they use.
  • Signals — what data gets collected from your browser and how it's sent to the verification server.

Different captcha providers do this differently. In this article, we break down three of the most common and technically advanced ones: reCAPTCHA v3, Cloudflare Turnstile, and hCaptcha. We'll look at how each one is built, what signals they grab, and how they decide whether you're a human or a bot.

How captchas work

1. reCAPTCHA v3 (Google)

A classic example of an invisible scoring model. The browser silently collects behavioral data — how you move your mouse, scroll, interact with elements — and exchanges it with Google for a token.

That token is then sent to the website's backend. The server makes a separate request to Google's verification endpoint, passing the token along with a secret key. Google responds with a JSON payload containing a risk score between 0.0 (bot) and 1.0 (human), plus an action label that matches the one you sent.

If the score comes back low (typically below 0.5), it's up to the website owner to decide what happens next. Some sites block the request entirely. Others fall back to a visible reCAPTCHA v2 challenge — those familiar grids of traffic lights, bridges, or storefronts.

Integration example. On a page that includes a captcha, you load the script like this:

<script src="https://www.google.com/recaptcha/api.js?render=Your_site_key">

When the target action occurs (for example, when clicking the “Login” button), the following method is called

grecaptcha.execute('YOUR_SITE_KEY', {action: 'login'}).then(function(token) {
     // This token is sent to the website backend along with the form data
 });

Enter fullscreen mode Exit fullscreen mode

how recaptcha v3 works

The token is valid for only 2 minutes and can be used for verification only once.

Important nuance for scrapers: the score isn't just about behavior — Google also considers the website's enterprise tier. When they increased the weight of TLS ClientHello fingerprints, the score drops below 0.1 even with a valid token if your request doesn't mimic Chrome 122+ (JA3 hash).

Backend verification example:

import requests

# client_ip must be obtained from request.remote_addr or headers 
response = requests.post('https://www.google.com/recaptcha/api/siteverify', data={
    'secret': 'YOUR_SECRET_KEY',
    'response': token,
    'remoteip': client_ip 
}).json()

score = response.get('score', 0) 
if score < 0.5:
    # Fallback to v2 or blocking
    pass

Enter fullscreen mode Exit fullscreen mode

2. Cloudflare Turnstile

A verification platform with no visual puzzles. Instead of showing you a CAPTCHA, it runs a dynamic set of background checks inside your browser. Most users never notice anything — no clicking, no image selection, no explicit actions at all.

cloudflare turnstile

Main check types:

  • Proof-of-work. The browser gets a hashing task to solve. Short CPU spike. Doesn't hurt real users but makes mass automated requests more expensive to run.
  • Environment integrity. Turnstile compares declared params (User-Agent, platform, etc.) against what the browser engine can actually do. Mismatch = higher risk score.
  • API availability. Checks for modern web standards — Canvas, WebAudio, WebRTC, etc. Bots running on stripped-down or outdated engines often fail here because they don't fully implement these APIs.
  • Implementation validation. Not just whether an API exists, but whether it behaves like a real browser. For example: does Canvas rendering match Chrome's reference profile, or does it have artifacts from virtualized or spoofed drivers?
  • Turnstile also checks Battery API and Permissions Policy. Node.js bots in headless mode often screw up navigator.getBattery(). Common patch via puppeteer-extra:
await page.evaluateOnNewDocument(() => {
  const originalQuery = window.navigator.permissions.query;
  window.navigator.permissions.query = (parameters) => originalQuery(parameters).then(() => ({ state: 'granted' }));
});

Enter fullscreen mode Exit fullscreen mode

After these checks, ML models are applied to evaluate the results and a short-lived one-time token is issued.

The script connection works similarly to reCAPTCHA. Example integration:

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>

Widget element:

<div class="cf-turnstile" data-sitekey="yourSiteKey"></div>

Turnstile modes:

  1. Managed — a widget appears on the page, but in most cases it auto-verifies and turns green instantly. No user interaction required.
  2. Invisible — runs entirely in the background. No widget, no UI, no user involvement at all.

If Turnstile detects elevated risk or weird signals, it escalates. The user might see a checkbox to tick. In rare cases, it can fall back to a full visual challenge, but that's not the default behavior.

cloudflare turnstile modes explained

Once verification is complete, the widget drops the token into a hidden form field named cf-turnstile-response. The website's backend then takes that token and sends a POST request to Cloudflare at https://challenges.cloudflare.com/turnstile/v0/siteverify, passing two parameters:secret and response=token.

Like reCAPTCHA, the token is single-use. However, it has a longer lifespan — 5 minutes. If the response contains "success": false, the error-codes field will explain why. For instance, invalid-input-response means the token expired or was tampered with.

3. hCaptcha

A hybrid verification model that serves as a privacy-focused alternative to Google's solutions. In its basic setup, it presents the familiar "I am human" checkbox. When the system picks up suspicious signals, it escalates — showing more complex visual challenges that are typically harder than Google's.

hCapthca example

Beyond the standard setup, hCaptcha also offers Invisible and Passive modes, where verification happens with little to no user interaction. Enterprise clients get access to a scoring mechanism similar to Google's — risk assessment without any interactive challenges.

Example integration:

<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
 <div class="h-captcha" data-sitekey="YOUR_SITE_KEY"><

Enter fullscreen mode Exit fullscreen mode

After passing the captcha, a hidden field h-captcha-response appears in the form. The website server verifies it with a POST request: https://api.hcaptcha.com/siteverify. Parameters: secret, response, and preferably remoteip.

hCaptcha explained

Server response: In the free version everything is straightforward:

{
   "success": true,  // or false
   "challenge_ts": "..."
 }

Enter fullscreen mode Exit fullscreen mode

In the Enterprise version, the JSON contains additional fields with a risk score and rejection reasons.

Comparison table by criteria

all captcha compared

*If you're looking an anti-detect browser for automation, you can test Octo Browser for free with a promo code DEVTO. *

Captcha bypass strategies

When you're dealing with large-scale scraping, multi-accounting, or heavy web automation, you've got three main options for handling captchas. Which one you pick depends on your traffic volume, how stable you need things to be, and how aggressive the target site's protection is.

Delegating: using an intermediary service

The most popular approach for scalable systems. You don't solve the captcha yourself — you send it to a third-party service that solves it and hands you back a token.

But getting the token is only half the battle. The website won't know the captcha has been solved until you actually apply it. This usually means injecting it via JavaScript.

  1. Locate the hidden field — typically named g-recaptcha-response — and insert the token there.
  2. The critical part: you also need to trigger the callback function that kicks off server-side verification. Skip this, and the "Submit" button might stay disabled.

how to bypass captchas

# Insert token into hidden field
driver.execute_script("document.getElementsByName('g-recaptcha-response')[0].value = arguments[0];", token)
# Call the callback function (a trigger for the website)
driver.execute_script(f"submitCallback('{token}');")

Enter fullscreen mode Exit fullscreen mode

Possible pitfalls:

  1. User-Agent matching. The User-Agent string used by the solving service must match the one you use when submitting the token. If the service solved the captcha with Chrome 139 but you submit the token with Chrome 140 headers, the token gets rejected. This is especially critical for Turnstile.

  2. Proxy matching. For reCAPTCHA v3 and hCaptcha Enterprise, you really want to send your proxy to the recognition service. The captcha should be solved from the same IP address you'll use to access the site. Otherwise, Google detects the mismatch.

  3. Dynamic parameters. Sometimes the SiteKey alone isn't enough. Take Google SERP or other heavily protected systems — they often require a data-s parameter that's dynamically generated on each page load. If you just send the SiteKey to the solving service without this parameter, you'll get a valid token, but the website won't accept it.

Browser emulation (Puppeteer/Selenium + Stealth)

This approach is necessary when the target site strictly checks the JS environment — Turnstile and hCaptcha Enterprise fall into this category. Standard Puppeteer or Selenium gets detected immediately because navigator.webdriver is set to true.

So you need additional tools: Puppeteer-extra-plugin-stealth, Undetected Chromedriver, or Octo Browser via API.

The core idea is that the browser runs on a modified Chromium kernel that spoofs critical fingerprints — Canvas, WebGL, WebRTC, Audio — at the native C++ code level, not through JS injections.

This is the key difference. Turnstile looks for traces of JS-level interference. Octo has none. The browser introduces unique hardware noise and parameters, passes integrity checks, and you get the token automatically.

The downside: this method eats RAM and CPU. Not suitable for thousands of threads. But for 50–100 threads, it's optimal.

If you need 100+ threads, combine it with Docker and flags like --no-sandbox --disable-gpu. With Playwright, a stealth plugin, and residential proxies, expect around a 70% success rate bypassing Turnstile. Alternatively, use the Octo Browser API in headless mode.

HTTP-level requests (TLS fingerprinting)

This is an advanced approach for high-volume scraping, using languages like Go, Python (Requests), or C#. No browser involved. Instead, you reproduce the network fingerprint of a real browser.

The catch: standard HTTP libraries like Python Requests do TLS handshakes differently than browsers. Different order of parameters, different connection signature. Cloudflare spots these discrepancies and can block your request before the captcha script even loads.

But there are libraries that can mimic the TLS fingerprint of an actual browser. With those, you can pass Cloudflare Turnstile checks without spinning up a browser at all.

Why your bot receives a low score or a ban

If you sent the captcha to a solving service, injected the token, and still can't get in — the issue is probably not the captcha itself. Check these instead:

  1. Dirty proxies. Datacenter IPs are flagged as high risk by Google and Cloudflare right out of the gate. The fix? Use mobile or residential proxies.

  2. Lack of profile preparation (reCAPTCHA v3 specific). You're hitting the site with a clean, empty profile — no history, no cookies. To reCAPTCHA v3, that screams "bot". You need properly prepared profiles with saved SID/HSID cookies from an authenticated Google session.

  3. Header inconsistency. The order of your request headers doesn't match what a real browser sends. Chrome, for example, has a specific order: Host -> Connection -> sec-ch-ua... If your library sends headers in a different sequence, anti-fraud systems will notice.

Conclusion

By 2026, automation isn't just about writing scripts — it's about building a solid architecture and staying in control at every level of interaction.

reCAPTCHA v3 isn't really beaten by solving challenges. It's all about reputation management: high-quality profiles, consistent interaction history, and a stable environment.

Cloudflare Turnstile is strict about environment integrity. Any mismatch in JS behavior, API responses, or TLS fingerprints will lower your trust score and trigger escalation.

hCaptcha leans more on visual tasks, which actually makes it easier to bypass with modern computer vision models compared to the other two.

Bottom line: beating captchas today means understanding how anti-bot systems think and managing your digital fingerprint at every single step.