Burp Suite User Forum

Burp Browser fails Cloudflare Turnstile verification

Reza | Last updated: Aug 19, 2024 02:29PM UTC

Hi, I would like to know if there is any way that I can get Burp Browser to pass Cloudflare Turnstile verification. The website I am testing (www.example.com) uses an OAuth2.0 login from a different site (id.example.com) with Cloudflare Turnstile. I have to pass the Turnstile verification to submit the login. I have done the following but have had no success:

- Excluded from scope:
  - challenges.cloudflare.com
  - challenges-staging.cloudflare.com
  - id.example.com
- TLS passthrough
  - challenges.cloudflare.com
  - challenges-staging.cloudflare.com
  - id.example.com
- Disabled Burp Suite Browser Extension
- Disabled Privacy Sandbox

Are there any other things I could try?

Reza | Last updated: Aug 19, 2024 02:30PM UTC

Note: When I perform the Turnstile verification, there will be an error:

```
api.js?compat=recaptcha:1 Uncaught TurnstileError: [Cloudflare Turnstile] Error: 600010.
    at v (api.js?compat=recaptcha:1:10199)
    at D (api.js?compat=recaptcha:1:33642)
```

Reza | Last updated: Aug 19, 2024 02:34PM UTC

My versions:

- MacOS 14.6.1
- Burp Suite Professional Version 2024.6.6
- Chromium Version 127.0.6533.100 (Official Build) (arm64)

I have no issues with Safari, Chrome, Brave, and Chrome Canary.

Michelle, PortSwigger Agent | Last updated: Aug 20, 2024 12:53PM UTC

Hi,

Thanks for getting in touch. Is the site where you're seeing this issue publicly available? Are you using Burp's embedded browser when you proxy via Burp? If you use an external browser do you see the same thing? Could you email support@portswigger.net with a screen recording of accessing the site directly and accessing it via Burp?

Reza | Last updated: Sep 26, 2024 04:05AM UTC

Hello, I have resolved this issue for now, after I noticed that we can challenge the Turnstile result by clicking the "provide feedback" link on the Turnstile widget and sending the appropriate information. At least, I did that, and after that my browser was able to pass the check. The site was not publicly available, but I can share a link with you privately. I will email you shortly.

Michelle, PortSwigger Agent | Last updated: Sep 26, 2024 09:28AM UTC

Hi,

We've got your email so we'll take a look through the details and be in touch soon.

Reza | Last updated: Oct 03, 2024 09:59AM UTC

After more tests, I found that the Burp browser only fails the check when I am on a VPN. Now I have the Burp browser passing the check after excluding the Cloudflare domains from the VPN. If you are using OpenVPN, this can be done by updating the OpenVPN profile with the following:

```
redirect-gateway def1
route 104.18.95.41 255.255.255.255 net_gateway # challenges.cloudflare.com
route 104.18.94.41 255.255.255.255 net_gateway
route 104.18.10.67 255.255.255.255 net_gateway # challenges-staging.cloudflare.com
route 104.18.11.67 255.255.255.255 net_gateway
```

Remember to restart your VPN session after updating the file and try again.
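Added example, not part of the original posts or of Burp Suite: the profile above pins the addresses DNS returned when it was written, so this Python sketch re-resolves the two challenge hostnames and reports which host routes a profile lacks. The function names are hypothetical, and any profile text passed in is assumed to use the `route <ip> 255.255.255.255 net_gateway` form shown in the post.

```python
import ipaddress
import socket

# Hostnames named in the thread.
CHALLENGE_HOSTS = ["challenges.cloudflare.com", "challenges-staging.cloudflare.com"]
HOST_MASK = "255.255.255.255"


def resolve_ipv4(host):
    """Return the sorted, de-duplicated IPv4 addresses DNS currently gives for host."""
    infos = socket.getaddrinfo(host, 443, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.IPv4Address)


def route_lines(host_ips):
    """Build OpenVPN host-route lines from a {hostname: [ipv4, ...]} mapping."""
    lines, seen = [], set()
    for host, ips in host_ips.items():
        for ip in ips:
            addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
            if addr in seen:
                continue
            seen.add(addr)
            lines.append(f"route {addr} {HOST_MASK} net_gateway # {host}")
    return lines


def missing_routes(profile_text, host_ips):
    """Return generated lines whose address has no net_gateway host route in the profile."""
    present = set()
    for raw in profile_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, then tokenise
        if len(fields) >= 4 and fields[0] == "route" and fields[2] == HOST_MASK \
                and fields[3] == "net_gateway":
            present.add(fields[1])
    return [line for line in route_lines(host_ips) if line.split()[1] not in present]


if __name__ == "__main__":
    # Live DNS lookup; print lines ready to paste into the OpenVPN profile.
    current = {host: resolve_ipv4(host) for host in CHALLENGE_HOSTS}
    print("\n".join(route_lines(current)))
```

Run it off the VPN (or with the VPN's DNS) to see what the client will actually resolve, then compare against the profile with `missing_routes`.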

Michelle, PortSwigger Agent | Last updated: Oct 04, 2024 08:36AM UTC

Thanks for posting this here :) It sounds like the combination of the user agent and the IP address tipped the score into a level that means it would fail the Cloudflare verification. We do have some changes coming that might help with this kind of fingerprinting, although I can't guarantee at this stage that it will definitely fix this particular scenario as Cloudflare will also be continually monitoring and updating their criteria for how they fingerprint connections.
