Most webmasters are using Google ReCaptcha as protection against automations. But this is not the only solution on the market. One of the most popular alternatives is hCaptcha. Now it's used by Cloudflare, a leader on the Anti-DDoS market and one of major CDN providers at the moment. It means that if Cloudflare finds you suspicious, sooner or later you will meet hCaptcha.

Cloudflare happily announced that they are moving from Google ReCaptcha to Intuition Machines's hCaptcha. The move helped big time with data confidentiality concerns and captcha flexibility. Now attack protection is even more adaptive. This will affect all Cloudflare customers.

Also, hCaptcha

• unlike Google, it doesn't gather personal data;
• due to worldwide distributed CDN, captcha works fast and flawless;
• compatible with ReCaptcha so it is very easy to migrate;
• suitable for people with disabilities.

Sounds great, doesn't it? But what about bypassing hCaptcha on Cloudflare?

For fast hCaptcha automation, we will use the 2captcha-python module. It requires Python 3.x and could be installed with pip

pip3 install 2captcha-python

or you may clone a repository, but don’t forget to install a requests module beforehand.

git clone https://github.com/2captcha/2captcha-python.git

Preparation

We will need to create a new instance of 2Captcha class sending your API key.

from 2captcha import 2Captcha #module import
solver = 2Captcha('YOUR_API_KEY') #your 2captcha API key

Captcha resolution

Now let’s create a captcha resolution algorithm.

result = solver.hcaptcha(sitekey='10000000-ffff-ffff-ffff-000000000001',
                            url='https://www.site.com/page/', 
                            proxy={
                                'type': 'HTTPS',
                                'uri': 'username:password@1.2.3.4:1234'
                            })

Please note that Cloudflare checks IP address during hCaptcha token verification. So now, the captcha should be solved from the same IP address you submit it from. To successfully bypass hCaptcha on Cloudflare you should send your proxy along with other captcha parameters.

This call will return a token to bypass a captcha.

{'captchaId': '64793693810', 'code': 'P0_eyJ0eXAiOiJKV1QiLCJhbGciOiJIUz...'} 

Using a solution

The token from code is then submitted to a website in h-captcha-response and g-recaptcha-response fields. The easiest way to do that is using JavaScript if you are using a browser. Otherwise, send the token in an appropriate HTTP request.

let submitToken = (token) => {
   document.querySelector('[name=g-recaptcha-response]').innerText = token
   document.querySelector('[name=h-captcha-response]').innerText = token
   document.querySelector('.challenge-form').submit()
}
submitToken('TOKEN_STRING')

Is it worth the time spent? In our opinion, absolutely yes. A couple of lines of code will save you a lot of time. And, if you decide to run a self-hosted solution, 2captcha will be even more profitable.