Automated solving of Amazon AWS WAF Captcha
A comprehensive overview of AWS WAF CAPTCHA protection technology, how it works, and methods for automated solving.
What is AWS WAF Captcha
AWS WAF Captcha is a component of the Amazon Web Services Web Application Firewall. The system is designed to protect websites and APIs from bots, automated scraping, credential stuffing, and spam. Unlike traditional text-based verification, AWS WAF offers visual puzzles and silent challenges that confirm the request is being sent by a real human from a genuine browser.
The system randomly generates challenges and rotates them so that each user receives a unique puzzle. In addition to visual puzzles, the CAPTCHA script collects data about the client environment to verify that the challenge is being completed by a human and to prevent replay attacks.
Visual Puzzles
Image grids, fragment matching, and correct object selection instead of outdated text-based captchas.
Silent Challenge
Background verification: the system determines whether the client is a real browser or a bot.
Adaptive Difficulty
The challenge difficulty adjusts based on the visitor's real-time suspicion score.
How AWS WAF CAPTCHA Protection Works
The mechanism is based on two types of rule actions: CAPTCHA and Challenge. The CAPTCHA action presents the user with a visual puzzle that must be solved manually. The Challenge action performs a silent verification that does not require user interaction, allowing bots to be filtered out without degrading the user experience.
When a page loads, the AWS WAF widget generates a client environment fingerprint and checks for a valid token. If the token is missing or expired, the system returns an HTTP 405 response and injects an interstitial page containing the puzzle. Upon successful completion, the token is written to a cookie and sent with subsequent requests, allowing the user to pass verification without repeated challenges until the immunity time expires.
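The token gate described above, modelled from the protecting side as an added example (not AWS code and not part of the original page). The token layout, the HMAC key, the binding of the token to the client fingerprint and the reason strings are assumptions made for illustration; only the 405 status and the immunity time come from the text.

```python
import hashlib
import hmac

# Assumptions for this sketch (not AWS internals): the token layout, the HMAC
# key and the reason strings are invented; only the 405 status and the
# immunity-time concept come from the text above.
SECRET = b"constructed-demo-key"
IMMUNITY_TIME = 300  # seconds a solved token stays valid


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(fingerprint: str, solved_at: int) -> str:
    """Token handed out after a solved puzzle: solve time plus a MAC that
    also covers the client fingerprint, so it cannot be replayed elsewhere."""
    return f"{solved_at}.{_sign(f'{solved_at}|{fingerprint}')}"


def evaluate(token, fingerprint: str, now: int):
    """Return (status, reason) for one request, as the gate would."""
    if not token:
        return 405, "token missing"
    try:
        solved_at_raw, mac = token.split(".", 1)
        solved_at = int(solved_at_raw)
    except ValueError:
        return 405, "token malformed"
    expected = _sign(f"{solved_at}|{fingerprint}")
    # Constant-time comparison; a mismatch means tampering or another client.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return 405, "token invalid for this client"
    if now - solved_at > IMMUNITY_TIME:
        return 405, "token expired"
    return 200, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    tok = issue_token("browser-A", t0)
    for label, args in [
        ("first visit", (None, "browser-A", t0)),
        ("after solve", (tok, "browser-A", t0 + 60)),
        ("replayed elsewhere", (tok, "browser-B", t0 + 60)),
        ("immunity elapsed", (tok, "browser-A", t0 + 301)),
    ]:
        print(f"{label:20s} -> {evaluate(*args)}")
```

A shorter immunity time narrows the window in which one solved token is accepted, at the cost of challenging legitimate visitors more often.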
💡 AWS WAF CAPTCHA is used on major enterprise websites, financial services, gaming platforms, and government resources hosted on Amazon infrastructure, making the ability to solve this captcha critical for automation workflows.
Solving via Image Click Recognition
This method allows you to solve AWS WAF CAPTCHA by performing precise clicks on the required areas of the image. The service analyzes the image, identifies the object displayed in the captcha, and returns the coordinates of the point that needs to be clicked. Multiple versions of Amazon visual challenges are supported, including slider-based tasks. Supported task types include: "Place a dot at the end of the car's path", "Slide the image to complete the pyramid", "...the knot", "...the cone", "...the cube", "...the ball", "...the cylinder", "...the donut", and many others.
Extract Parameters
Capture the full captcha image and the instruction text specifying which images to click. The image can be submitted as a file (multipart) or in base64 format.
Submit the Task
Send a POST request to the API at http://api2.cap.guru/in.php. In the textinstructions parameter, specify the task text, for example: "Amazon,Place a dot at the end of the car's path". Set the click parameter to "oth". The server will return the task ID.
Retrieve the Solution
Wait 5 seconds and send a GET request to http://api2.cap.guru/res.php to obtain the result. If the task is solved, the server will return coordinates in the format "coordinate:x=44,y=32", where x=0,y=0 corresponds to the upper left corner of the image. If the task is not yet solved, you will receive CAPCHA_NOT_READY.
Apply the Coordinates
To complete the challenge, sequentially click on the returned coordinates within the captcha image.
Best Practices
For reliable AWS WAF CAPTCHA solving, follow these guidelines. First, always submit the task text (textinstructions) in English only, as challenges are supported exclusively in this format. Second, use up-to-date proxy servers and IP rotation to reduce the likelihood of blocking. Third, simulate natural user behavior by adding delays between actions and using realistic request headers. Additionally, always verify the validity of the browser fingerprint.
Following these recommendations significantly increases the success rate and reduces costs associated with repeated attempts.
Cap.guru