turnstile api.js
[ok]https://challenges.cloudflare.com/turnstile/v0/api.js ↗
- last ran
- 2026-05-19 22:32 utc
- (2d ago)
- last updated
- 2026-05-19 22:32 utc
- (2d ago)
- size
- 62.7kb
- sha256
- 1d4276207f51
- apis touched
- 152
- 152 raw
- bot tells
- 31
- sinks
- 4
- 0 leaked
- hazards
- 0
- structural
- 1
- anti-debug
- 0
- L3/L4 hazards
- consistency
- 0
- cross-checks
- providers
- 0
categories probed (9)
click a row to drill into every api the script probes in that category.
[+] introspection
14 apis · 2 tells · 70 hits[+] Function.toStringhigh · bot-tell×1
details + source hits (1)
[+] Object.definePropertymedium×19
details + source hits (19)
[+] Object.getOwnPropertyDescriptormedium · bot-tell×10
details + source hits (10)
[+] *.__proto__medium×2
details + source hits (2)
[+] Object.getOwnPropertyDescriptorsmedium×2
details + source hits (2)
[+] Object.getPrototypeOfmedium×2
details + source hits (2)
[+] Object.setPrototypeOfmedium×2
details + source hits (2)
[+] Symbol.hasInstancemedium×2
details + source hits (2)
[+] *.toStringlow×5
details + source hits (5)
[+] *.constructorlow×4
details + source hits (4)
[+] Object.createlow×3
details + source hits (3)
[+] Reflect.deletePropertylow×3
details + source hits (3)
[+] *.hasOwnPropertylow×1
details + source hits (1)
[+] Symbol.iteratorinfo×14
details + source hits (14)
[+] document
7 apis · 2 tells · 21 hits[+] *.contentWindowhigh · bot-tell×3
details + source hits (3)
[+] document.currentScriptmedium · bot-tell×1
details + source hits (1)
[+] document.createElementlow×10
details + source hits (10)
[+] document.createElementNSlow×4
details + source hits (4)
[+] document.referrerlow×1
details + source hits (1)
[+] document.styleSheetslow×1
details + source hits (1)
[+] document.bodyinfo×1
details + source hits (1)
[+] events
5 apis · 2 tells · 22 hits[+] *.isTrustedhigh · bot-tell×1
details + source hits (1)
[+] *.codelow · bot-tell×11
details + source hits (11)
[+] *.keylow×2
details + source hits (2)
[+] *.addEventListenerinfo×6
details + source hits (6)
[+] *.datainfo×2
details + source hits (2)
[+] anti-debug
3 apis · 2 tells · 6 hits[+] console.logmedium · bot-tell×1
details + source hits (1)
[+] console.warnmedium · bot-tell×1
details + source hits (1)
[+] consolelow×4
details + source hits (4)
[+] window
2 apis · 1 tells · 5 hits[+] innerWidthlow · bot-tell×2
details + source hits (2)
[+] location.hrefinfo×3
details + source hits (3)
[+] storage
6 apis · 0 tells · 18 hits[+] *.haslow×6
details + source hits (6)
[+] *.keyslow×4
details + source hits (4)
[+] localStoragelow×4
details + source hits (4)
[+] *.openlow×1
details + source hits (1)
[+] *.postMessagelow×1
details + source hits (1)
[+] *.deleteinfo×2
details + source hits (2)
[+] timing
3 apis · 0 tells · 7 hits[+] performance.getEntriesByTypelow×1
details + source hits (1)
[+] Dateinfo×4
details + source hits (4)
[+] Date.nowinfo×2
details + source hits (2)
[+] navigator
1 apis · 0 tells · 2 hits[+] navigator.sendBeaconmedium×2
details + source hits (2)
[+] dom-layout
1 apis · 0 tells · 1 hits[+] *.getBoundingClientRectmedium×1
details + source hits (1)
bot-detection tells (9)
strong indicators of bot-detection intent. drill into the categories section below to inspect description, evasion notes, and source snippets for any tell.
- *.contentWindow ×3
- *.isTrusted ×1
- Function.toString ×1
- Object.getOwnPropertyDescriptor ×10
- console.log ×1
- console.warn ×1
- document.currentScript ×1
- *.code ×11
- innerWidth ×2
structural findings (1)
multi-node patterns the api catalog can't express by itself. vm-bytecode dispatch tables, consistency cross-checks, cognitive honeypots, high-res-timer reconstructions, favicon cache probes. these are the strongest signal a script is doing more than vanilla feature-detection.
[+] cognitive-honeypotinput-honeypothigh · L1:31574
Transparent / off-screen DOM element with a click listener attached. VLM-agent honeypot pattern (SoK §3.4 L3). A real user can't see or click this element; an automation agent that picks targets from the layout tree will.
- tagName: input
- varName: b
- evidence: {"transparent":true,"clickListener":true,"fixedOrAbsolute":true,"offscreenOrViewport":true}
document.createElement("input")
network sinks (4)
every place the script could ship data off the page. expand a row to see headers and the traced payload entries.
[+] sendBeaconPOST Sno leaks
url source · S
location · L1:13226
payload · shape formdata
- consent: literal on
- origin: arguments
- issue: literal auto-troubleshoot-click
- description: literal
- rayId: this.isSmallerFeedback
- sitekey: <dynamic>
- rcV: <dynamic>
- cfChlOut: <dynamic>
- cfChlOutS: <dynamic>
- mode: <dynamic>
- errorCode: <dynamic>
- frMd: literal https://challenges.cloudflare.com
- displayLanguage: <dynamic>
b
navigator.sendBeacon(S,b)
[+] fetchGET Sno leaks
url source · S
location · L1:13385
fetch(S,Re({body:b,keepalive:!0,method:"POST",mode:"no-cors"},Yr()))[+] fetchGET Sno leaks
url source · S
location · L1:13585
fetch(S,Re({body:b,method:"POST",mode:"no-cors"},Yr()))[+] fetchPOST Zno leaks
url source · Z
location · L1:36149
headers
- Content-Type: application/json
payload · shape json
- secondaryToken: _
- sitekey: R
JSON.stringify({secondaryToken:_,sitekey:R})fetch(Z,{body:JSON.stringify({secondaryToken:_,sitekey:R}),headers:{"Content-Type":"application/json"},method:"POST",redirect:"manual"})