turnstile api.js
[ok]https://challenges.cloudflare.com/turnstile/v0/api.js ↗
- last ran
- 2026-06-29 19:21 utc
- (6d ago)
- last updated
- 2026-06-29 19:21 utc
- (6d ago)
- size
- 65.5kb
- sha256
- 9715b51191ac
- apis touched
- 226
- 226 raw
- bot tells
- 34
- sinks
- 4
- 0 leaked
- hazards
- 0
- structural
- 1
- anti-debug
- 0
- L3/L4 hazards
- consistency
- 0
- cross-checks
- providers
- 0
categories probed (9)
click a row to drill into every api the script probes in that category.
[+] introspection
14 apis · 2 tells · 139 hits[+] Function.toStringhigh · bot-tell×1
details + source hits (1)
[+] Object.definePropertymedium×84
details + source hits (84)
[+] Object.getOwnPropertyDescriptormedium · bot-tell×10
details + source hits (10)
[+] *.__proto__medium×2
details + source hits (2)
[+] Object.getOwnPropertyDescriptorsmedium×2
details + source hits (2)
[+] Object.getPrototypeOfmedium×2
details + source hits (2)
[+] Object.setPrototypeOfmedium×2
details + source hits (2)
[+] Symbol.hasInstancemedium×2
details + source hits (2)
[+] *.toStringlow×5
details + source hits (5)
[+] *.constructorlow×4
details + source hits (4)
[+] Object.createlow×3
details + source hits (3)
[+] Reflect.deletePropertylow×3
details + source hits (3)
[+] *.hasOwnPropertylow×1
details + source hits (1)
[+] Symbol.iteratorinfo×18
details + source hits (18)
[+] document
6 apis · 2 tells · 20 hits[+] *.contentWindowhigh · bot-tell×3
details + source hits (3)
[+] document.currentScriptmedium · bot-tell×1
details + source hits (1)
[+] document.createElementlow×10
details + source hits (10)
[+] document.createElementNSlow×4
details + source hits (4)
[+] document.referrerlow×1
details + source hits (1)
[+] document.bodyinfo×1
details + source hits (1)
[+] events
5 apis · 2 tells · 25 hits[+] *.isTrustedhigh · bot-tell×1
details + source hits (1)
[+] *.codelow · bot-tell×14
details + source hits (14)
[+] *.keylow×2
details + source hits (2)
[+] *.addEventListenerinfo×6
details + source hits (6)
[+] *.datainfo×2
details + source hits (2)
[+] anti-debug
3 apis · 2 tells · 6 hits[+] console.logmedium · bot-tell×1
details + source hits (1)
[+] console.warnmedium · bot-tell×1
details + source hits (1)
[+] consolelow×4
details + source hits (4)
[+] window
2 apis · 1 tells · 5 hits[+] innerWidthlow · bot-tell×2
details + source hits (2)
[+] location.hrefinfo×3
details + source hits (3)
[+] storage
6 apis · 0 tells · 21 hits[+] *.haslow×7
details + source hits (7)
[+] *.keyslow×4
details + source hits (4)
[+] localStoragelow×4
details + source hits (4)
[+] *.postMessagelow×3
details + source hits (3)
[+] *.openlow×1
details + source hits (1)
[+] *.deleteinfo×2
details + source hits (2)
[+] timing
3 apis · 0 tells · 7 hits[+] performance.getEntriesByTypelow×1
details + source hits (1)
[+] Dateinfo×4
details + source hits (4)
[+] Date.nowinfo×2
details + source hits (2)
[+] navigator
1 apis · 0 tells · 2 hits[+] navigator.sendBeaconmedium×2
details + source hits (2)
[+] dom-layout
1 apis · 0 tells · 1 hits[+] *.getBoundingClientRectmedium×1
details + source hits (1)
bot-detection tells (9)
strong indicators of bot-detection intent. drill into the categories section below to inspect description, evasion notes, and source snippets for any tell.
structural findings (1)
multi-node patterns the api catalog can't express by itself. vm-bytecode dispatch tables, consistency cross-checks, cognitive honeypots, high-res-timer reconstructions, favicon cache probes. these are the strongest signal a script is doing more than vanilla feature-detection.
[+] cognitive-honeypotdiv-honeypothigh · L1:15834
Transparent / off-screen DOM element with a click listener attached. VLM-agent honeypot pattern (SoK §3.4 L3). A real user can't see or click this element; an automation agent that picks targets from the layout tree will.
- tagName: div
- varName: A
- evidence: {"transparent":true,"clickListener":true,"fixedOrAbsolute":true,"offscreenOrViewport":true}
document.createElement("div")
network sinks (4)
every place the script could ship data off the page. expand a row to see headers and the traced payload entries.
[+] sendBeaconPOST kno leaks
url source · k
location · L1:12604
payload · shape formdata
- consent: literal on
- origin: arguments
- issue: literal auto-troubleshoot-click
- description: literal
- rayId: this.isSmallerFeedback
- sitekey: <dynamic>
- rcV: <dynamic>
- cfChlOut: <dynamic>
- cfChlOutS: <dynamic>
- mode: <dynamic>
- errorCode: <dynamic>
- frMd: literal https://challenges.cloudflare.com
- displayLanguage: <dynamic>
w
navigator.sendBeacon(k,w)
[+] fetchGET kno leaks
url source · k
location · L1:12763
fetch(k,Te({body:w,keepalive:!0,method:"POST",mode:"no-cors"},Zr()))[+] fetchGET kno leaks
url source · k
location · L1:12963
fetch(k,Te({body:w,method:"POST",mode:"no-cors"},Zr()))[+] fetchPOST teno leaks
url source · te
location · L1:37330
headers
- Content-Type: application/json
payload · shape json
- secondaryToken: b
- sitekey: T
JSON.stringify({secondaryToken:b,sitekey:T})fetch(te,{body:JSON.stringify({secondaryToken:b,sitekey:T}),headers:{"Content-Type":"application/json"},method:"POST",redirect:"manual"})