Is there a solution to bypass Captcha verification to access sites? [duplicate] - captcha

This question already has answers here:
How can I bypass the Google CAPTCHA with Selenium and Python?
(6 answers)
Closed 2 years ago.
I want to login on a WordPress site. When i try to accesss to login on a WordPress site, it say me "Checking your browser before accessing", why i see the link "DDoS Protection by Cloudflare"? Additionally, a CAPTCHA is required to access this site. How to bypass Captcha verification in order to access sites? Here's the images links:
https://i.stack.imgur.com/Ju3f7.png
https://i.stack.imgur.com/Vrhi4.png

Ways to bypass captcha which come to my mind:
Talk to guys of site or service in question if you have good reason to get exception based on IP or similar
Use some coding to automatically solve captcha for you. Often captcha is made so simple to be solved by some simple algorithm.
If none of the above works (which I think is your case), create porn site where users need to solve captchas to see the content. Make a system which automatically reroutes captchas annoying you to users who want to watch porn. If done properly, all works as charm.
PS: Actually captchas are there with reason and usually it is not nice to cheat here but I explained how it technically possible. Do not judge me for not judging others at this. SO asked me to be nice to newcomer.
PS2: Avoiding, breaking or otherwise messing up with access control security can be illegal in some jurisdictions. Especially if it caused harm to site but overloading it and thus making unavailable. For techie this may look stupid but sometime things go this way in real world.

That is because your IP address is suspicious!
Cloudflare detects your IP address as potential bots or other malicious software.
Don't worry! usually your IP address will change after a while (24 hours or so).
In the mean time you can use another network to access the site or use a VPN service to change your IP address (a VPN extension will be the best choice in your case.)

Related

How to bypass Captcha while Web Scraping

I am trying to scrape the car details from this site using Selenium: https://www.autoscout24.ch/de/autos/alle-marken?vehtyp=10
Approximately every 30 pages I have to verify that I am not a robot,
even though I have included in my code:
driver.implicitly_wait(20)
Is there any way to overcome this?
CAPTCHA is meant for those reasons. There is no co-relation with it being removed due to use of waits in Selenium script. The use of CAPTCHA is to detect that bots/automated systems are not crawling the web page.
Unless you disable it, I don't think that it is the right approach to automate it. Although you may find some tutorials on web to overcome it, but they are very patchy and do not cover all the use cases.
2 options come to mind on how to solve your issue, which one you'll choose depends on what you need.
Option 1 will be cheaper and probably easier, but you can just make your script wait when the Captcha is detected, and play a sound when it's shown so you can manually do the captcha yourself, after the captcha has been dealt with you can let the script continue doing it's thing.
The second option would be to use a captcha solving service, you would need to pay a little but would not need to manually do anything.
I'm not a robot
The "I'm not a robot" checkbox, commonly known as reCAPTCHA v2 is one of the security measure in practice for implementing challenge-response authentication. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) mainly helps to protect the applications and the systems from spam and password decryption by asking to complete a simple test that proves it's a human and not a computer trying to access into a password protected account. In short CAPTCHA is implemented to help prevent unauthorized account entry.
So neither of the wait mechanism Implicit wait or Explicit wait would be of any help to avoid CAPTCHA
Solution
An ideal approach would be to disable the CAPTCHA for the AUT (Application Under Test) within Testing / Stagging environment and enable it only in production environment.
References
You can find a couple of relevant detailed discussions in:
How does reCAPTCHA 3 know I'm using Selenium/chromedriver?
How can I bypass the Google CAPTCHA with Selenium and Python?

googleads.g.doubleclick.net Asking for Username and Password

Today, out of the blue on the google page, a window popped up asking me for my username and password. It didn't say what it was for, just googleads.g.doubleclick.net. It then happened on my phone which is linked to the same account. I was wondering if anyone else has had this issue and if anyone could help me. I am really worried. Thanks.
Others have seen it. I did, when I opened Google Chrome. I was just on the new tab page, not even an actual website! Many people seem to have encountered this in the past 24 hours:
https://security.stackexchange.com/questions/127667/what-should-i-do-about-gmail-ad-asking-me-for-password
https://superuser.com/questions/1092011/firefox-googleads-g-doubleclick-net-basic-authentication-prompt
https://nz.answers.yahoo.com/question/index?qid=20160621202130AAxY0F2
https://steamcommunity.com/discussions/forum/11/358415738179518104/
https://productforums.google.com/forum/#!msg/chrome/Rt3zSPiSyHk/zdB52fBqAQAJ
http://forums.windowscentral.com/windows-10/429066-edge-wants-me-login-googleads-g-doubleclick-net.html
https://techreport.com/forums/viewtopic.php?f=1&t=118101
https://forums-windowscentral-com.blogspot.com/2016/06/edge-wants-me-to-login-to.html
The best response I've found is over on the security stack exchange:
https://security.stackexchange.com/a/127668/43188
To summarize, yesterday, googleads.g.doubleclick.net (a Google domain that serves ads) either was briefly compromised by an attacker seeking people's passwords, or a Google engineer messed up and it's a result of a mistake in their servers.
The answer on the security stack exchange suggests changing your password, even if you didn't fill it in the popup. The suggest this because, if it's an attack, and the attacker is able to create the popup, they could have added malicious code you didn't see.
Also, though in principle I'm not a fan of ad blocking, I've recently realized it's probably necessary these days for security. This incident only demonstrates this. I recommend uBlock Origin, but Adblock Plus is also popular.

Keep track of a user 100% sure

I am trying to ban users that spam my service by logging their IP and blocking it.
Of course this isn't safe at all, because of dynamic IP addresses.
Is there a way to identify a user that's 100% safe?
I've heard about something called evercookie, but I was easily able to delete that, and I guess that anyone capable of changing their IP can also keep their PC clean..
Are there any other options? Or is it just not possible?
A cookie will prevent the same browser from visiting your site as long as the user doesn't delete it, or turn off cookies, or use a different browser, or reinstall their browser, or use another machine, etc.
There is no such thing as 100% safe. Spam is an ongoing problem that most websites just have to learn to deal with.
There are numerous highly secure options, mostly relying on multi-factor authentication and physical key generators like the ones RSA markets. But the real question is an economic one. The more draconian the authentication mechanism, the more quickly you kill your website as you scare off all your visitors.
More practical solutions involve CAPTCHA, forum moderation, spam-reporting affordances, etc. One particularly effective technique is to block offending content from every IP address except the one that originated it. That way, the original spammer thinks their content is still there, oblivious to the fact that no one else can see it.
Alright I get that it's impossible to 100% identify a unique visitor.
What are the things that I could do to:
- find whether someone (anonymous) is using lots of different proxies to see my content (problem here is that cookies would land on the machine of the proxy? and not the actual visitors PC?)
- identify unique (anonymous) visitors with a dynamic IP

Keeping a troll out - IP bans considered harmful? What to use instead? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
Improve this question
I run the technical side of a discussion forum, which is plagued by a troll (a single physical person, as far as I can tell). It seems that the community has exhausted all means of communication (it is, beyond reasonable doubt, a net.troll, not a clueless user), including face-to-face.
I may need to block that person from visiting the site, but I'm not sure how (it already refused to leave of its own accord). The site needs registration with an e-mail address, which gets you a username. I could block the username, but the troll could just as easily register a new one.
Now, there are plenty of Q&A on "how to do an IP ban and at what layer", but is it worth the hassle?
Would an IP ban be useful for blocking a troll? If not, what? Or, could I combine an IP ban with some other form of protection?
The issues I have with IP bans are numerous:
the troll comes in from several different IP blocks (home/school/open wifi/...?)
the IP addresses seem to be dynamically assigned (usual with DSL here)
I suspect sock-puppetting with new accounts, possibly through proxies and/or VPN
at least in one case, there are other users coming in from the same IP (I suspect a large NAT - confirmed: in this case, there's a whole university accessing the web from behind a single public IP addresss)
It seems that I'll be fighting a social issue through technological means, and the prospects of that seem bleak.
Can you implement a "global ignore"? At its finest, this lets the troll see its own posts, but nobody else sees them at all. This gives the troll no feedback from outraged community members, but no clue that the reason is the posts can't be seen. I have seen this work, meaning that the bad behaviour stopped.
Think of as many ways as possible to identify the user, and try to use them all. Also, make it hard for the user to test your systems - e.g. if you detect him, block all signups and posting from that IP block for 60 minutes.
Some ways to identify a user:
E-mail address
IP address
IP address block
Cookies
Flash supercookies
Windows Media Player unique ID (if enabled)
HTTP headers (browser version etc)
See https://panopticlick.eff.org/
Ban all the account information, so when an account is banned, so is for example the email address.
Won't stop them but opening multiple email accounts as well as having to sign up again has to get pretty annoying.. if they create their own mail server, ban the domain?
If you prevent users from registering with free e-mail accounts (create a ban list of e-mail domains), you can cut down on the ability for the troll to re-register every time a username is banned. Of course, that can make it harder for legitimate users to register. If possible, you could combine techniques (require approval for free e-mail addresses).
You could require moderator approval for accounts, but the effectiveness of this depends on how large your community has grown. For a small community, have the trolls queue up at the gates makes them lose interest very quickly, especially if you're looking for patterns in account signup information.
For large communities, the effectiveness of techniques used depends on how well they are used. Shadow banning aka muting the troll, can backfire if it is an innocent bystander. One effective way of handling this is to not mute the troll, but to ensure that bans on accounts are not made public; one wouldnt want to drag the community into it.

Apple Developer Connection log-in problems

Is there a trick to logging in to Apple Developer Connection? For the past two weeks, out of about 100 tries, I've been able to log in three times. Every other time, after a successful entry of my username and password, it takes me back to the login screen.
This happens to me on both my Macs, on Safari and Firefox, so I'm not hopeful of a solution. But I have a hard time believing that the situation is really this bad...
I am having the same problem, I have narrowed down to a problem with my ISP. Of course they will not acknowledge it, but the problem only arises when I attempt a login from home. I think they are probably using a caching proxy and something in the scheme used by apple to login->access the content makes the proxy believe it's only visiting content that is still valid. I am going slightly mad because of this.
This question and the related discussion clued me in to how to fix my problem with the same symptoms on developer.apple.com. In my case, I have multiple "teams," so after entering in my Apple ID, it takes me to a team selection page. After selecting a team, I'd just be redirected back to the login/Apple ID page.
Turns out, the login is done over HTTPS, while the team selection (and probably the bulk of other activities on developer.apple.com) are over HTTP. Our firewall load balances over a couple of Internet connections, and the HTTPS traffic was passing over a different interface than the HTTP. Evidently, this was confusing Apple's authentication mechanism. It also explains why I was occasionally able to get through -- sometimes all traffic would end up on the same interface.
Ultimately, my solution was to add a rule to the firewall to send all 17.0.0.0/8 traffic (Apple's legacy class A network) over the same interface.
Hopefully this helps someone else with a frustratingly endless login loop.