JS Challenge changes GET request to POST

With the CF JS Challenge feature enabled on our site, when the JS challenge is successful, CF resends the original request with a __cf_chl_jschl_tk__ query param added to it. However, the problem is that although the original request was a GET, Cloudflare sends it back as a POST, hence changing the original method. And since no POST method is defined for that endpoint on our end, our server responds with a 404, obviously!

Example:

GET: https://test.com/path/to/something-awesome

then CF js-challenges this request and adds the token for the successful challenge and does the following:

POST: https://test.com/path/to/something-awesome?__cf_chl_jschl_tk__=123456abcdef

Could you guide us on how to configure it to send back the original request with the original method?

1 Like

CORRECTION: That sounds exactly like this one:

Yeah, it is the same issue. Any resolution for this issue?

According to @mdemoura’s description, your server should be getting the GET request. But you say that’s not the case?

Yes, we are not getting the GET; it is sending it as POST.
And I am wondering if there is some magic config somewhere in CF settings to tune it up.
If not, then is it a bug on CF's side?

To test and confirm this on our side, I added a POST method to one of the endpoints and tested that endpoint with a GET request, then got challenged, then the subsequent POST request by CF got through with a 200 response this time (because I made that endpoint accept POST as well). However, I can't add a POST method to all our endpoints. I would prefer CF to repeat the original request method.

There seems to be a form in the response to the GET request. The response code we get is 503 for the initial GET request,
and there is a form embedded in the response with a hardcoded POST method:

<form class="challenge-form" id="challenge-form" action="/SOME-AWESOME-ENDPOINT?__cf_chl_jschl_tk__=SOME-TOKEN" method="POST" enctype="application/x-www-form-urlencoded">

<input type="hidden" name="r" value="SOME-VALUE"/>
<input type="hidden" value="some-value-here" id="jschl-vc" name="jschl_vc"/>
<!-- <input type="hidden" value="some-value-here" id="jschl-vc" name="jschl_vc"/> -->
<input type="hidden" name="pass" value="some-value-here"/>
<input type="hidden" id="jschl-answer" name="jschl_answer"/>
</form>

Any idea?

That is correct, the request that got challenged is “replayed”.

Where are you seeing that it’s sending a POST?

Also, could you provide steps to reproduce the issue?

1 Like

here are the steps to reproduce it:

  1. get the Tor Browser up and running and open the network tools
  2. go to this url:
    https://www.sammobile.com/news/galaxy-z-flip-3-benchmark-important-specs

You will get a 503, then it will do the challenge (probably it will do it multiple times)…
Then look at the first 503 response payload and you will see the following:

<!DOCTYPE HTML>
<html lang="en-US">
<head>
  <meta charset="UTF-8" />
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
  <meta name="robots" content="noindex, nofollow" />
  <meta name="viewport" content="width=device-width,initial-scale=1" />
  <title>Just a moment...</title>
  <style type="text/css">
    html, body {width: 100%; height: 100%; margin: 0; padding: 0;}
    body {background-color: #ffffff; color: #000000; font-family:-apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen, Ubuntu, "Helvetica Neue",Arial, sans-serif; font-size: 16px; line-height: 1.7em;-webkit-font-smoothing: antialiased;}
    h1 { text-align: center; font-weight:700; margin: 16px 0; font-size: 32px; color:#000000; line-height: 1.25;}
    p {font-size: 20px; font-weight: 400; margin: 8px 0;}
    p, .attribution, {text-align: center;}
    #spinner {margin: 0 auto 30px auto; display: block;}
    .attribution {margin-top: 32px;}
    @keyframes fader     { 0% {opacity: 0.2;} 50% {opacity: 1.0;} 100% {opacity: 0.2;} }
    @-webkit-keyframes fader { 0% {opacity: 0.2;} 50% {opacity: 1.0;} 100% {opacity: 0.2;} }
    #cf-bubbles > .bubbles { animation: fader 1.6s infinite;}
    #cf-bubbles > .bubbles:nth-child(2) { animation-delay: .2s;}
    #cf-bubbles > .bubbles:nth-child(3) { animation-delay: .4s;}
    .bubbles { background-color: #f58220; width:20px; height: 20px; margin:2px; border-radius:100%; display:inline-block; }
    a { color: #2c7cb0; text-decoration: none; -moz-transition: color 0.15s ease; -o-transition: color 0.15s ease; -webkit-transition: color 0.15s ease; transition: color 0.15s ease; }
    a:hover{color: #f4a15d}
    .attribution{font-size: 16px; line-height: 1.5;}
    .ray_id{display: block; margin-top: 8px;}
    #cf-wrapper #challenge-form { padding-top:25px; padding-bottom:25px; }
    #cf-hcaptcha-container { text-align:center;}
    #cf-hcaptcha-container iframe { display: inline-block;}
  </style>

      <meta http-equiv="refresh" content="3">
  <script type="text/javascript">
    //<![CDATA[
    (function(){
      
      window._cf_chl_opt={
        cvId: "2",
        cType: "non-interactive",
        cNounce: "92226",
        cRay: "68795cf6aed193ca",
        cHash: "2cdf835c3bd3924",
        cFPWv: "b",
        cTTimeMs: "1000",
        cRq: {
          ru: "aHR0cHM6Ly93d3cuc2FtbW9iaWxlLmNvbS9uZXdzL2dhbGF4eS16LWZsaXAtMy1iZW5jaG1hcmstaW1wb3J0YW50LXNwZWNz",
          ra: "TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgcnY6NzguMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC83OC4w",
          rm: "R0VU",
          d: "...",
          t: "MTYzMDQ0NTQ1OC45OTUwMDA=",
          m: "FKL4fLZhLKX6YHJ/nNYXg7FbrjFOHSb/+uh+lbNv9yA=",
          i1: "JQ5jF5tk7XP6dyF1IkBdgA==",
          i2: "/herDAWv1+Q3LGySQq/2sw==",
          zh: "Z/shDSnwqChX0o+C4AKBNy181+0IE7rxalFrBpJqv7c=",
          uh: "+rnbsRCVcUrGxHU35z7gykz0xIkIJNrS7fhWQzLCkTQ=",
          hh: "VgDrATLgKUqq3hB3y/H0yUUAzE+hU27nhfhhGMgJIn0=",
        }
      }
      window._cf_chl_enter = function(){window._cf_chl_opt.p=1};
      
    })();
    //]]>
  </script>
  

</head>
<body>
  <table width="100%" height="100%" cellpadding="20">
    <tr>
      <td align="center" valign="middle">
          <div class="cf-browser-verification cf-im-under-attack">
  <noscript>
    <h1 data-translate="turn_on_js" style="color:#bd2426;">Please turn JavaScript on and reload the page.</h1>
  </noscript>
  <div id="cf-content" style="display:none">
    
    <div id="cf-bubbles">
      <div class="bubbles"></div>
      <div class="bubbles"></div>
      <div class="bubbles"></div>
    </div>
    <h1><span data-translate="checking_browser">Checking your browser before accessing</span> sammobile.com.</h1>
    
    <div id="no-cookie-warning" class="cookie-warning" data-translate="turn_on_cookies" style="display:none">
      <p data-translate="turn_on_cookies" style="color:#bd2426;">Please enable Cookies and reload the page.</p>
    </div>
    <p data-translate="process_is_automatic">This process is automatic. Your browser will redirect to your requested content shortly.</p>
    <p data-translate="allow_5_secs" id="cf-spinner-allow-5-secs" >Please allow up to 5 seconds&hellip;</p>
    <p data-translate="redirecting" id="cf-spinner-redirecting" style="display:none">Redirecting&hellip;</p>
  </div>
   
  <form class="challenge-form" id="challenge-form" action="/news/galaxy-z-flip-3-benchmark-important-specs?__cf_chl_jschl_tk__=pmd_Uhr9IqvxBEN1RqpHOlkjY.O27LtwW.VnlT_gOnSvsbc-1630445458-0-gqNtZGzNAhCjcnBszQgR" method="POST" enctype="application/x-www-form-urlencoded">
    <input type="hidden" name="md" value="cDSdvVhGt1cYjdEPucdUzxJFOCRmzaSCFNvqhfoQvf4-1630445458-0-AUijQG7CWqKQ2AUvIBOjQWe_3XjEAtbZRLAhhgZA1W6R_I4-r3XOXbQ-zB5EC_HTia8mJHGebZ7koFR-OGfpLnRQiEl2Svys-WjcpRsldwy1cjHK8_EEQpJqY7uEbtohrGrQq4S8SoVO-UKuBF_-0hdBnwoNR90t3Eep8cFYPfhLlrgOWmMYNg1O4uexSjZp2B279M9Yh7-8qbgag0rBssC8pb1PF9XPmAQO3gh2bf-WD4hYkLNquNri_vU5607yimWyjxPegbIp3BVI3zaTNbCE3t28Le0ilMvz-yghCsnWCuAeGQng-2Ubmlh01gCOllbCysnDdScp1C37UYwKFGptYeNxGdzkjO33T6EYmJ55QzhbGCrdPtQNwyQW-Z1iQ3ZJOsQnUUinr1a5VhyQud8rE-WUBgw67QyBHnmljQRwLU2Mr3Cxb1HQorTW8GEq7FhcX47Movb28G0CeOFrdsU" />
    <input type="hidden" name="r" value="1Xco8WNQsc17yO0DQyW25IgiQcP1cGI_O.Tm9xZKzKU-1630445458-0-..."/>
    <input type="hidden" value="254a269480526b463baa1eaaf982cf7f" id="jschl-vc" name="jschl_vc"/>
    <!-- <input type="hidden" value="" id="jschl-vc" name="jschl_vc"/> -->
    <input type="hidden" name="pass" value="1630445459.995-CJo+J4a30n"/>
    <input type="hidden" id="jschl-answer" name="jschl_answer"/>
  </form>
     
    <script type="text/javascript">
      //<![CDATA[
      (function(){
          var a = document.getElementById('cf-content');
          a.style.display = 'block';
          var isIE = /(MSIE|Trident\/|Edge\/)/i.test(window.navigator.userAgent);
          var trkjs = isIE ? new Image() : document.createElement('img');
          trkjs.setAttribute("src", "/cdn-cgi/images/trace/jschal/js/transparent.gif?ray=68795cf6aed193ca");
          trkjs.id = "trk_jschal_js";
          trkjs.setAttribute("alt", "");
          document.body.appendChild(trkjs);
          var cpo=document.createElement('script');
          cpo.type='text/javascript';
          cpo.src="/cdn-cgi/challenge-platform/h/b/orchestrate/jsch/v1?ray=68795cf6aed193ca";
          document.getElementsByTagName('head')[0].appendChild(cpo);
        }());
      //]]>
    </script>
  

  
  <div id="trk_jschal_nojs" style="background-image:url('/cdn-cgi/images/trace/jschal/nojs/transparent.gif?ray=68795cf6aed193ca')"> </div>
</div>

          
          <div class="attribution">
            DDoS protection by <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing/" target="_blank">Cloudflare</a>
            <br />
            <span class="ray_id">Ray ID: <code>68795cf6aed193ca</code></span>
          </div>
      </td>
     
    </tr>
  </table>
</body>
</html>

As you can see in this HTML, there is a form with the POST method.
Now CF replays the same original GET URL as a POST. Let's go to the last POST request to the same URL in the network tab, to which CF has responded with a 301…

As you can see, there is a Location header that will finally redirect to the original URL. However, if that endpoint hadn't had the POST method associated with it, it would have rejected it with a 404.

@mdemoura / @sdayman
Any idea on this?
I included the steps to reproduce the bug above.

Can you only reproduce this with the Tor Browser?

You can reproduce this easily with the Tor Browser, but you need to be lucky to get JS-challenged in a normal browser on a regular basis. I guess your IP should be one of those problematic ones in order to get challenged in a normal browser…
That is why I used Tor to get the challenge every time I wanted.

We’re experiencing the same issue and can reproduce it consistently on Brave and Google Chrome.

I have the same issue. After passing the CAPTCHA, I get a 405 “Method Not Allowed” error, because the backend is not configured to serve POST requests. In my NGINX logs I can see unexpected POST requests with CF-added query parameters. The JS challenge works fine.

Steps to reproduce:

  1. Configure a URI to serve GET requests ONLY
  2. Enable Under Attack mode OR CAPTCHA challenge for that URI
  3. Navigate to the URI
  4. Solve the CAPTCHA
  5. See the Cloudflare error:

       Oops! An Error Occurred
       The server returned a "405 Method Not Allowed".
       Something is broken. Please let us know what you were doing when this error occurred. We will fix it as soon as possible. Sorry for any inconvenience caused.

  6. See the error in the Nginx logs: “POST /some/example/uri?_cf_xxxxxx…” 405
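The two reports above (the original post's GET replayed as a POST to a GET-only endpoint, and the Nginx logs showing `POST ...?_cf_...` lines ending in 405) can be checked and worked around on the origin side. What follows is an added example for this thread; it is not Cloudflare's code and not code posted by anyone here. It assumes the nginx default "combined" log format, and it treats every query parameter whose name starts with `__cf_chl` as a challenge token (the thread only shows `__cf_chl_jschl_tk__`; the prefix match is an assumption). The sample log lines are constructed, not real traffic.

```python
"""Triage Cloudflare challenge-replay POSTs in an origin access log.

Added example for the thread above, not Cloudflare's code and not code
posted in the thread. Assumptions: nginx "combined" log format, and that
any query parameter named "__cf_chl*" is a challenge token (the thread
only shows "__cf_chl_jschl_tk__"; the prefix match is an assumption).
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2021:21:30:58 +0000] "GET /news/other-story HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2021:21:31:03 +0000] "POST /news/galaxy-z-flip-3?__cf_chl_jschl_tk__=pmd_abc123 HTTP/1.1" 405 157 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Aug/2021:21:31:04 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "curl/7.68.0"
198.51.100.9 - - [31/Aug/2021:21:31:05 +0000] "POST /some/example/uri?__cf_chl_jschl_tk__=tok&page=2 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2021:21:31:06 +0000] "GET /some/example/uri?page=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

CF_PARAM_PREFIX = "__cf_chl"  # assumption: covers __cf_chl_jschl_tk__ and any siblings


def split_cf_params(target):
    """Split a request target into (target without CF params, dict of CF params)."""
    parts = urlsplit(target)
    kept, cf = [], {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith(CF_PARAM_PREFIX):
            cf[name] = value
        else:
            kept.append((name, value))
    clean = urlunsplit(("", "", parts.path, urlencode(kept), ""))
    return clean, cf


def is_challenge_replay(method, target):
    """True for a POST whose query string carries a Cloudflare challenge token."""
    return method == "POST" and bool(split_cf_params(target)[1])


def replay_redirect(method, target):
    """Origin-side workaround for GET-only endpoints.

    For a challenge-replay POST, answer 303 See Other pointing at the same
    URL minus the token. 303 makes the browser re-issue the request as a
    GET; the edge has already verified the challenge by the time the POST
    reaches the origin, so that GET is expected to pass. Returns None when
    the request should be handled normally (no method rewriting otherwise).
    """
    clean, cf = split_cf_params(target)
    if method != "POST" or not cf:
        return None
    return {"status": 303, "location": clean}


def triage(log_text):
    """List challenge-replay POSTs that the origin rejected with 404 or 405."""
    rejected = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_challenge_replay(m["method"], m["target"]):
            continue
        if m["status"] in ("404", "405"):
            clean, cf = split_cf_params(m["target"])
            rejected.append({"ip": m["ip"], "path": clean,
                             "status": int(m["status"]), "params": sorted(cf)})
    return rejected


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["status"]} POST {hit["path"]} token params={hit["params"]}')
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; every hit is a user who passed the challenge and then got an error page from the origin. The `replay_redirect` decision only fires when both conditions hold (method is POST and a `__cf_chl*` token is present), so ordinary POST endpoints keep their semantics; it should not be widened into a blanket POST-to-GET rewrite.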

We’re looking into this issue, thanks for reporting!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.