cloudflare turnstile

bot-detector intel
  • turnstile api.js

    [ok]

    https://challenges.cloudflare.com/turnstile/v0/api.js

    last ran
    2026-06-29 19:21 utc
    (6d ago)
    last updated
    2026-06-29 19:21 utc
    (6d ago)
    size
    65.5kb
    sha256
    9715b51191ac
    apis touched
    226
    226 raw
    bot tells
    34
    sinks
    4
    0 leaked
    hazards
    0
    structural
    1
    anti-debug
    0
    L3/L4 hazards
    consistency
    0
    cross-checks
    providers
    0

    categories probed (9)

    click a row to drill into every api the script probes in that category.

    • [+] introspection14 apis · 2 tells · 139 hits
      • [+] Function.toStringhigh · bot-tell×1
        details + source hits (1)
      • [+] Object.definePropertymedium×84
        details + source hits (84)
      • [+] Object.getOwnPropertyDescriptormedium · bot-tell×10
        details + source hits (10)
      • [+] *.__proto__medium×2
        details + source hits (2)
      • [+] Object.getOwnPropertyDescriptorsmedium×2
        details + source hits (2)
      • [+] Object.getPrototypeOfmedium×2
        details + source hits (2)
      • [+] Object.setPrototypeOfmedium×2
        details + source hits (2)
      • [+] Symbol.hasInstancemedium×2
        details + source hits (2)
      • [+] *.toStringlow×5
        details + source hits (5)
      • [+] *.constructorlow×4
        details + source hits (4)
      • [+] Object.createlow×3
        details + source hits (3)
      • [+] Reflect.deletePropertylow×3
        details + source hits (3)
      • [+] *.hasOwnPropertylow×1
        details + source hits (1)
      • [+] Symbol.iteratorinfo×18
        details + source hits (18)
    • [+] document6 apis · 2 tells · 20 hits
      • [+] *.contentWindowhigh · bot-tell×3
        details + source hits (3)
      • [+] document.currentScriptmedium · bot-tell×1
        details + source hits (1)
      • [+] document.createElementlow×10
        details + source hits (10)
      • [+] document.createElementNSlow×4
        details + source hits (4)
      • [+] document.referrerlow×1
        details + source hits (1)
      • [+] document.bodyinfo×1
        details + source hits (1)
    • [+] events5 apis · 2 tells · 25 hits
      • [+] *.isTrustedhigh · bot-tell×1
        details + source hits (1)
      • [+] *.codelow · bot-tell×14
        details + source hits (14)
      • [+] *.keylow×2
        details + source hits (2)
      • [+] *.addEventListenerinfo×6
        details + source hits (6)
      • [+] *.datainfo×2
        details + source hits (2)
    • [+] anti-debug3 apis · 2 tells · 6 hits
      • [+] console.logmedium · bot-tell×1
        details + source hits (1)
      • [+] console.warnmedium · bot-tell×1
        details + source hits (1)
      • [+] consolelow×4
        details + source hits (4)
    • [+] window2 apis · 1 tells · 5 hits
      • [+] innerWidthlow · bot-tell×2
        details + source hits (2)
      • [+] location.hrefinfo×3
        details + source hits (3)
    • [+] storage6 apis · 0 tells · 21 hits
      • [+] *.haslow×7
        details + source hits (7)
      • [+] *.keyslow×4
        details + source hits (4)
      • [+] localStoragelow×4
        details + source hits (4)
      • [+] *.postMessagelow×3
        details + source hits (3)
      • [+] *.openlow×1
        details + source hits (1)
      • [+] *.deleteinfo×2
        details + source hits (2)
    • [+] timing3 apis · 0 tells · 7 hits
      • [+] performance.getEntriesByTypelow×1
        details + source hits (1)
      • [+] Dateinfo×4
        details + source hits (4)
      • [+] Date.nowinfo×2
        details + source hits (2)
    • [+] navigator1 apis · 0 tells · 2 hits
      • [+] navigator.sendBeaconmedium×2
        details + source hits (2)
    • [+] dom-layout1 apis · 0 tells · 1 hits
      • [+] *.getBoundingClientRectmedium×1
        details + source hits (1)

    bot-detection tells (9)

    strong indicators of bot-detection intent. drill into the categories section below to inspect description, evasion notes, and source snippets for any tell.

    structural findings (1)

    multi-node patterns the api catalog can't express by itself. vm-bytecode dispatch tables, consistency cross-checks, cognitive honeypots, high-res-timer reconstructions, favicon cache probes. these are the strongest signal a script is doing more than vanilla feature-detection.

    • [+] cognitive-honeypotdiv-honeypothigh · L1:15834

      Transparent / off-screen DOM element with a click listener attached. VLM-agent honeypot pattern (SoK §3.4 L3). A real user can't see or click this element; an automation agent that picks targets from the layout tree will.

      • tagName: div
      • varName: A
      • evidence: {"transparent":true,"clickListener":true,"fixedOrAbsolute":true,"offscreenOrViewport":true}
      document.createElement("div")

    network sinks (4)

    every place the script could ship data off the page. expand a row to see headers and the traced payload entries.

    • [+] sendBeaconPOST kno leaks

      url source · k

      location · L1:12604

      payload · shape formdata

      • consent: literal on
      • origin: arguments
      • issue: literal auto-troubleshoot-click
      • description: literal
      • rayId: this.isSmallerFeedback
      • sitekey: <dynamic>
      • rcV: <dynamic>
      • cfChlOut: <dynamic>
      • cfChlOutS: <dynamic>
      • mode: <dynamic>
      • errorCode: <dynamic>
      • frMd: literal https://challenges.cloudflare.com
      • displayLanguage: <dynamic>
      w
      navigator.sendBeacon(k,w)
    • [+] fetchGET kno leaks

      url source · k

      location · L1:12763

      fetch(k,Te({body:w,keepalive:!0,method:"POST",mode:"no-cors"},Zr()))
    • [+] fetchGET kno leaks

      url source · k

      location · L1:12963

      fetch(k,Te({body:w,method:"POST",mode:"no-cors"},Zr()))
    • [+] fetchPOST teno leaks

      url source · te

      location · L1:37330

      headers

      • Content-Type: application/json

      payload · shape json

      • secondaryToken: b
      • sitekey: T
      JSON.stringify({secondaryToken:b,sitekey:T})
      fetch(te,{body:JSON.stringify({secondaryToken:b,sitekey:T}),headers:{"Content-Type":"application/json"},method:"POST",redirect:"manual"})

related instruments