Bypassing Cloudflare

I automate many tasks on the web (such as fetching news and sorting it according to my interests), and sometimes I run into Cloudflare’s DDoS protection. I mean the client-side part; I guess they have some real DDoS protection server-side, as the client-side check is very easy to break.
They change their algorithms from time to time, but the basics are always the same:

  1. curl the protected page and you will get an invisible form which submits itself after making some client-side calculations. Currently this form is called challenge-form and has three hidden fields called jschl_vc, pass and jschl_answer.
  2. Evaluate the JavaScript you find in the curl-ed page and send the form (the result of the calculations goes into the jschl_answer field). You can emulate these calculations in your favorite language (Python, AppleScript, PHP, whatever) or have a JS engine execute the scripts. I’ve used node for this, which is available as a command-line tool you can install and run easily.
  3. If everything is OK, you will now have two cookies: __cfduid and cf_clearance. Using those cookies, you can now browse the website freely.

The details may change from time to time, as Cloudflare updates their methods, but it’s been very similar across the years. Just take a look in your regular browser’s developer tools and find the magic under the hood.
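
Seen from the origin, the steps above mean that a valid cf_clearance cookie only shows that something executed the challenge script, not that a browser did. The following is an added example, not code from the original post: it flags clients that hold the cookie yet never request page assets and fetch pages at near-constant intervals. The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from statistics import pstdev

ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")

# Constructed sample records, not real traffic:
# (client_ip, unix_time, request_path, cookie_header)
BOT = "__cfduid=d1; cf_clearance=c1"
USER = "__cfduid=d2; cf_clearance=c2"
SAMPLE = [
    ("198.51.100.7", 1000, "/news?page=1", BOT),
    ("198.51.100.7", 1060, "/news?page=2", BOT),
    ("198.51.100.7", 1120, "/news?page=3", BOT),
    ("198.51.100.7", 1180, "/news?page=4", BOT),
    ("203.0.113.9", 1003, "/news", USER),
    ("203.0.113.9", 1004, "/static/site.css", USER),
    ("203.0.113.9", 1004, "/static/app.js", USER),
    ("203.0.113.9", 1041, "/news?page=2", USER),
    ("203.0.113.9", 1187, "/article/42", USER),
    ("203.0.113.9", 1188, "/img/42.jpg", USER),
    ("192.0.2.50", 1010, "/news", "__cfduid=d3"),  # never passed the challenge
]

def holds_clearance(cookie_header):
    """True if the Cookie header carries the cf_clearance cookie named in the post."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return "cf_clearance" in jar

def flag_scripted_clients(records, min_pages=4, max_jitter=2.0):
    """Return sorted IPs that hold clearance, load no assets and poll like a timer."""
    pages, assets = defaultdict(list), defaultdict(int)
    for ip, ts, path, cookies in records:
        if not holds_clearance(cookies):
            continue
        if path.split("?", 1)[0].lower().endswith(ASSET_EXT):
            assets[ip] += 1          # browsers pull CSS/JS/images with each page
        else:
            pages[ip].append(ts)
    flagged = []
    for ip, times in pages.items():
        if len(times) < max(min_pages, 2) or assets[ip]:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:   # seconds of spread between page fetches
            flagged.append(ip)
    return sorted(flagged)
```
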

eBay endorses fraud

Steps to reproduce the issue:

1. Crash your graphics card and try to find a replacement on eBay => https://www.ebay.es/itm/382559592650?ViewItem=&item=382559592650&ssPageName=ADME:X:COCE:ES:3160

2. Contact a seller who lists such an item as New, which according to https://www.ebay.com/pages/help/sell/contextual/condition_1.html means “A brand-new, unused, unopened, undamaged item in its original packaging (where packaging is applicable). Packaging should be the same as what is found in a retail store, unless the item is handmade or was packaged by the manufacturer in non-retail packaging, such as an unprinted box or plastic bag. See the seller’s listing for full details.”:


3. When you go to the details, you can read in a tiny bullet inside a long list: “Used! 90% New”.

4. Contact the seller and ask for a clarification. What does 90% new mean???

OK, not so difficult to understand: 90% new means 90% new, like renewed (???), so it’s more than new. It’s new renewed. However, that doesn’t sound like brand-new, unused, unopened, undamaged.

However, this isn’t the part related to the apparent endorsement of fraud from the point of view of eBay. Just read the same message focusing on certain keywords:

Also, I’ve reviewed the contact/help pages on eBay, and there is no apparent decent way to contact them and REPORT FRAUD. My only chance was calling an international (?) phone number, after waiting for an (estimated) 34 minutes. No mail, no easy way to report a FRAUDULENT item.

The programmers or the CEO @ eBay, though, seem to suggest that the default behaviour is asking the buyer to buy whatever. Endorsement messages, a mechanism to include special offers (2% discount)… Very smart.

Insolvable and slow recaptchas fixed (jDownloader Mac)

Launch jDownloader’s captcha solver in a Chrome incognito window (easily adaptable to other browsers?). Look in Advanced prefs for “BrowseCaptchaSolver: Browser Commandline” and enter the following =>

[ "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "-incognito", "%s" ]

This will fix the issue of insolvable and slow recaptchas (maybe some kind of conflict between your google id and the process of solving captchas).

The same should work without jDownloader: just solve your captcha in an incognito window.

AppleScript, mother tongue of Mac’rs

Before you were a Codewarrior addict, later Carbon libraries consumer, then Cocoa, then Obj-c, then iPhone developer, then what!

If you are a Mac user (not developer, being old or new to the business), AppleScript is your friend. In fact, any OSA-based language or “dialect”, if I can call it so (such as appscript by Has or some handmade experiments by Phillip Aker). Apple Events. Application Intercommunication. It sounds simple, but it’s the marmalade (not to talk about glue) of the daily workflow of hundreds of thousands of Mac users.

Other “experiments” come to mind, like “basic” (being Real or MS) or JavaScript for apps (such as Adobe’s apps or Air), but that is just System/App communication. It’s fine, but not in any way a checkpoint.

Although Qilania lives on an Ubuntu-driven server, many automation tasks are done on various “slave” machines, and many of them are driven by AppleScript, especially mirroring and db integration. For example, you can make tiny changes to a SWF file, and see them live in a few seconds. First, on the local server. Then, on the live server. And the changes are also propagated to backup disks and so on. Magic under a double-click. Lots of technology involved: network connections, remote servers via ssh or sftp or scp, various desktop applications, etc. And one scripting language to rule them all: AppleScript.

I can assure you that today, Sep 10th 2010, there is no programming language to accomplish most of these tasks that we solve in a few seconds in Qilania, not on Mac nor on Win or *nix.

AppleScript, the marmalade and mother tongue of all Mac users.