We’re seeing a few XHR requests that end up being flagged as challenge allow by the cloudflare WAF. As these are requests sent through JS, the user is never presented with the captcha. Is there a suggestion on how to detect a XHR that receives the captcha challenge and display it to the user so the user can submit the captcha somehow?
There’s no easy way of doing this - since completing the captcha requires a full rendering of the page in a browser. The best thing to do would be to tune the WAF for those endpoints that are triggering false positives. Depending on what payloads your application sends, it might be doing things that “look like” XSS, for example.
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.